projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Check rng return value when generating COOKIE2 during MOBIKE
[strongswan.git] / src / libcharon / sa / ikev2 / tasks / ike_mobike.c
1 /*
2 * Copyright (C) 2010-2012 Tobias Brunner
3 * Copyright (C) 2007 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "ike_mobike.h"
18
19 #include <string.h>
20
21 #include <hydra.h>
22 #include <daemon.h>
23 #include <sa/ikev2/tasks/ike_natd.h>
24 #include <encoding/payloads/notify_payload.h>
25
26 #define COOKIE2_SIZE 16
27 #define MAX_ADDITIONAL_ADDRS 8
28
29 typedef struct private_ike_mobike_t private_ike_mobike_t;
30
31 /**
32 * Private members of a ike_mobike_t task.
33 */
34 struct private_ike_mobike_t {
35
36 /**
37 * Public methods and task_t interface.
38 */
39 ike_mobike_t public;
40
41 /**
42 * Assigned IKE_SA.
43 */
44 ike_sa_t *ike_sa;
45
46 /**
47 * Are we the initiator?
48 */
49 bool initiator;
50
51 /**
52 * cookie2 value to verify new addresses
53 */
54 chunk_t cookie2;
55
56 /**
57 * NAT discovery reusing the TASK_IKE_NATD task
58 */
59 ike_natd_t *natd;
60
61 /**
62 * use task to update addresses
63 */
64 bool update;
65
66 /**
67 * do routability check
68 */
69 bool check;
70
71 /**
72 * include address list update
73 */
74 bool address;
75
76 /**
77 * additional addresses got updated
78 */
79 bool addresses_updated;
80 };
81
82 /**
83 * read notifys from message and evaluate them
84 */
85 static void process_payloads(private_ike_mobike_t *this, message_t *message)
86 {
87 enumerator_t *enumerator;
88 payload_t *payload;
89 bool first = TRUE;
90
91 enumerator = message->create_payload_enumerator(message);
92 while (enumerator->enumerate(enumerator, &payload))
93 {
94 int family = AF_INET;
95 notify_payload_t *notify;
96 chunk_t data;
97 host_t *host;
98
99 if (payload->get_type(payload) != NOTIFY)
100 {
101 continue;
102 }
103 notify = (notify_payload_t*)payload;
104 switch (notify->get_notify_type(notify))
105 {
106 case MOBIKE_SUPPORTED:
107 {
108 peer_cfg_t *peer_cfg;
109
110 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
111 if (!this->initiator &&
112 peer_cfg && !peer_cfg->use_mobike(peer_cfg))
113 {
114 DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
115 }
116 else
117 {
118 DBG1(DBG_IKE, "peer supports MOBIKE");
119 this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
120 }
121 break;
122 }
123 case COOKIE2:
124 {
125 chunk_free(&this->cookie2);
126 this->cookie2 = chunk_clone(notify->get_notification_data(notify));
127 break;
128 }
129 case ADDITIONAL_IP6_ADDRESS:
130 {
131 family = AF_INET6;
132 /* fall through */
133 }
134 case ADDITIONAL_IP4_ADDRESS:
135 {
136 if (first)
137 { /* an ADDITIONAL_*_ADDRESS means replace, so flush once */
138 this->ike_sa->clear_peer_addresses(this->ike_sa);
139 first = FALSE;
140 /* add the peer's current address to the list */
141 host = message->get_source(message);
142 this->ike_sa->add_peer_address(this->ike_sa,
143 host->clone(host));
144 }
145 data = notify->get_notification_data(notify);
146 host = host_create_from_chunk(family, data, 0);
147 DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
148 this->ike_sa->add_peer_address(this->ike_sa, host);
149 this->addresses_updated = TRUE;
150 break;
151 }
152 case UPDATE_SA_ADDRESSES:
153 {
154 this->update = TRUE;
155 break;
156 }
157 case NO_ADDITIONAL_ADDRESSES:
158 {
159 this->ike_sa->clear_peer_addresses(this->ike_sa);
160 /* add the peer's current address to the list */
161 host = message->get_source(message);
162 this->ike_sa->add_peer_address(this->ike_sa, host->clone(host));
163 this->addresses_updated = TRUE;
164 break;
165 }
166 case NAT_DETECTION_SOURCE_IP:
167 case NAT_DETECTION_DESTINATION_IP:
168 {
169 /* NAT check in this MOBIKE exchange, create subtask for it */
170 if (this->natd == NULL)
171 {
172 this->natd = ike_natd_create(this->ike_sa, this->initiator);
173 }
174 break;
175 }
176 default:
177 break;
178 }
179 }
180 enumerator->destroy(enumerator);
181 }
182
183 /**
184 * Add ADDITIONAL_*_ADDRESS notifys depending on our address list
185 */
186 static void build_address_list(private_ike_mobike_t *this, message_t *message)
187 {
188 enumerator_t *enumerator;
189 host_t *host, *me;
190 notify_type_t type;
191 int added = 0;
192
193 me = this->ike_sa->get_my_host(this->ike_sa);
194 enumerator = hydra->kernel_interface->create_address_enumerator(
195 hydra->kernel_interface, FALSE, FALSE);
196 while (enumerator->enumerate(enumerator, (void**)&host))
197 {
198 if (me->ip_equals(me, host))
199 { /* "ADDITIONAL" means do not include IKE_SAs host */
200 continue;
201 }
202 switch (host->get_family(host))
203 {
204 case AF_INET:
205 type = ADDITIONAL_IP4_ADDRESS;
206 break;
207 case AF_INET6:
208 type = ADDITIONAL_IP6_ADDRESS;
209 break;
210 default:
211 continue;
212 }
213 message->add_notify(message, FALSE, type, host->get_address(host));
214 if (++added >= MAX_ADDITIONAL_ADDRS)
215 { /* limit number of notifys, some implementations do not like too
216 * many of them (f.e. strongSwan ;-) */
217 break;
218 }
219 }
220 if (!added)
221 {
222 message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
223 }
224 enumerator->destroy(enumerator);
225 }
226
227 /**
228 * build a cookie and add it to the message
229 */
230 static bool build_cookie(private_ike_mobike_t *this, message_t *message)
231 {
232 rng_t *rng;
233
234 chunk_free(&this->cookie2);
235 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
236 if (!rng || !rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2))
237 {
238 DESTROY_IF(rng);
239 return FALSE;
240 }
241 message->add_notify(message, FALSE, COOKIE2, this->cookie2);
242 rng->destroy(rng);
243 return TRUE;
244 }
245
246 /**
247 * update addresses of associated CHILD_SAs
248 */
249 static void update_children(private_ike_mobike_t *this)
250 {
251 enumerator_t *enumerator;
252 child_sa_t *child_sa;
253
254 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
255 while (enumerator->enumerate(enumerator, (void**)&child_sa))
256 {
257 if (child_sa->update(child_sa,
258 this->ike_sa->get_my_host(this->ike_sa),
259 this->ike_sa->get_other_host(this->ike_sa),
260 this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
261 this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
262 {
263 this->ike_sa->rekey_child_sa(this->ike_sa,
264 child_sa->get_protocol(child_sa),
265 child_sa->get_spi(child_sa, TRUE));
266 }
267 }
268 enumerator->destroy(enumerator);
269 }
270
271 /**
272 * Apply the port of the old host, if its ip equals the new, use port otherwise.
273 */
274 static void apply_port(host_t *host, host_t *old, u_int16_t port)
275 {
276 if (host->ip_equals(host, old))
277 {
278 port = old->get_port(old);
279 }
280 else if (port == IKEV2_UDP_PORT)
281 {
282 port = IKEV2_NATT_PORT;
283 }
284 host->set_port(host, port);
285 }
286
287 METHOD(ike_mobike_t, transmit, void,
288 private_ike_mobike_t *this, packet_t *packet)
289 {
290 host_t *me, *other, *me_old, *other_old;
291 enumerator_t *enumerator;
292 ike_cfg_t *ike_cfg;
293 packet_t *copy;
294
295 if (!this->check)
296 {
297 return;
298 }
299
300 me_old = this->ike_sa->get_my_host(this->ike_sa);
301 other_old = this->ike_sa->get_other_host(this->ike_sa);
302 ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
303
304 enumerator = this->ike_sa->create_peer_address_enumerator(this->ike_sa);
305 while (enumerator->enumerate(enumerator, (void**)&other))
306 {
307 me = hydra->kernel_interface->get_source_addr(
308 hydra->kernel_interface, other, NULL);
309 if (me)
310 {
311 if (me->get_family(me) != other->get_family(other))
312 {
313 me->destroy(me);
314 continue;
315 }
316 /* reuse port for an active address, 4500 otherwise */
317 apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
318 other = other->clone(other);
319 apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg));
320 DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
321 copy = packet->clone(packet);
322 copy->set_source(copy, me);
323 copy->set_destination(copy, other);
324 charon->sender->send(charon->sender, copy);
325 }
326 }
327 enumerator->destroy(enumerator);
328 }
329
330 METHOD(task_t, build_i, status_t,
331 private_ike_mobike_t *this, message_t *message)
332 {
333 if (message->get_exchange_type(message) == IKE_AUTH &&
334 message->get_message_id(message) == 1)
335 { /* only in first IKE_AUTH */
336 message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
337 build_address_list(this, message);
338 }
339 else if (message->get_exchange_type(message) == INFORMATIONAL)
340 {
341 host_t *old, *new;
342
343 /* we check if the existing address is still valid */
344 old = message->get_source(message);
345 new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
346 message->get_destination(message), old);
347 if (new)
348 {
349 if (!new->ip_equals(new, old))
350 {
351 new->set_port(new, old->get_port(old));
352 message->set_source(message, new);
353 }
354 else
355 {
356 new->destroy(new);
357 }
358 }
359 if (this->update)
360 {
361 message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
362 chunk_empty);
363 if (!build_cookie(this, message))
364 {
365 return FAILED;
366 }
367 update_children(this);
368 }
369 if (this->address && !this->check)
370 {
371 build_address_list(this, message);
372 }
373 if (this->natd)
374 {
375 this->natd->task.build(&this->natd->task, message);
376 }
377 }
378 return NEED_MORE;
379 }
380
381 METHOD(task_t, process_r, status_t,
382 private_ike_mobike_t *this, message_t *message)
383 {
384 if (message->get_exchange_type(message) == IKE_AUTH &&
385 message->get_message_id(message) == 1)
386 { /* only first IKE_AUTH */
387 process_payloads(this, message);
388 }
389 else if (message->get_exchange_type(message) == INFORMATIONAL)
390 {
391 process_payloads(this, message);
392 if (this->update)
393 {
394 host_t *me, *other;
395
396 me = message->get_destination(message);
397 other = message->get_source(message);
398 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
399 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
400 }
401
402 if (this->natd)
403 {
404 this->natd->task.process(&this->natd->task, message);
405 }
406 if (this->addresses_updated && this->ike_sa->has_condition(this->ike_sa,
407 COND_ORIGINAL_INITIATOR))
408 {
409 host_t *other = message->get_source(message);
410 host_t *other_old = this->ike_sa->get_other_host(this->ike_sa);
411 if (!other->equals(other, other_old))
412 {
413 DBG1(DBG_IKE, "remote address changed from %H to %H", other_old,
414 other);
415 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
416 this->update = TRUE;
417 }
418 }
419 }
420 return NEED_MORE;
421 }
422
423 METHOD(task_t, build_r, status_t,
424 private_ike_mobike_t *this, message_t *message)
425 {
426 if (message->get_exchange_type(message) == IKE_AUTH &&
427 this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
428 {
429 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
430 {
431 message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
432 build_address_list(this, message);
433 }
434 return SUCCESS;
435 }
436 else if (message->get_exchange_type(message) == INFORMATIONAL)
437 {
438 if (this->natd)
439 {
440 this->natd->task.build(&this->natd->task, message);
441 }
442 if (this->cookie2.ptr)
443 {
444 message->add_notify(message, FALSE, COOKIE2, this->cookie2);
445 chunk_free(&this->cookie2);
446 }
447 if (this->update)
448 {
449 update_children(this);
450 }
451 return SUCCESS;
452 }
453 return NEED_MORE;
454 }
455
456 METHOD(task_t, process_i, status_t,
457 private_ike_mobike_t *this, message_t *message)
458 {
459 if (message->get_exchange_type(message) == IKE_AUTH &&
460 this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
461 {
462 process_payloads(this, message);
463 return SUCCESS;
464 }
465 else if (message->get_exchange_type(message) == INFORMATIONAL)
466 {
467 u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
468 this->ike_sa->set_pending_updates(this->ike_sa, updates);
469 if (updates > 0)
470 {
471 /* newer update queued, ignore this one */
472 return SUCCESS;
473 }
474 if (this->cookie2.ptr)
475 { /* check cookie if we included one */
476 chunk_t cookie2;
477
478 cookie2 = this->cookie2;
479 this->cookie2 = chunk_empty;
480 process_payloads(this, message);
481 if (!chunk_equals(cookie2, this->cookie2))
482 {
483 chunk_free(&cookie2);
484 DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
485 return FAILED;
486 }
487 chunk_free(&cookie2);
488 }
489 else
490 {
491 process_payloads(this, message);
492 }
493 if (this->natd)
494 {
495 this->natd->task.process(&this->natd->task, message);
496 if (this->natd->has_mapping_changed(this->natd))
497 {
498 /* force an update if mappings have changed */
499 this->update = this->check = TRUE;
500 DBG1(DBG_IKE, "detected changes in NAT mappings, "
501 "initiating MOBIKE update");
502 }
503 }
504 if (this->update)
505 {
506 /* update again, as NAT state may have changed */
507 update_children(this);
508 }
509 if (this->check)
510 {
511 host_t *me_new, *me_old, *other_new, *other_old;
512
513 me_new = message->get_destination(message);
514 other_new = message->get_source(message);
515 me_old = this->ike_sa->get_my_host(this->ike_sa);
516 other_old = this->ike_sa->get_other_host(this->ike_sa);
517
518 if (!me_new->equals(me_new, me_old))
519 {
520 this->update = TRUE;
521 this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
522 }
523 if (!other_new->equals(other_new, other_old))
524 {
525 this->update = TRUE;
526 this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
527 }
528 if (this->update)
529 {
530 /* use the same task to ... */
531 if (!this->ike_sa->has_condition(this->ike_sa,
532 COND_ORIGINAL_INITIATOR))
533 { /*... send an updated list of addresses as responder */
534 update_children(this);
535 this->update = FALSE;
536 }
537 else
538 { /* ... send the update as original initiator */
539 if (this->natd)
540 {
541 this->natd->task.destroy(&this->natd->task);
542 }
543 this->natd = ike_natd_create(this->ike_sa, this->initiator);
544 }
545 this->check = FALSE;
546 this->ike_sa->set_pending_updates(this->ike_sa, 1);
547 return NEED_MORE;
548 }
549 }
550 return SUCCESS;
551 }
552 return NEED_MORE;
553 }
554
555 METHOD(ike_mobike_t, addresses, void,
556 private_ike_mobike_t *this)
557 {
558 this->address = TRUE;
559 this->ike_sa->set_pending_updates(this->ike_sa,
560 this->ike_sa->get_pending_updates(this->ike_sa) + 1);
561 }
562
563 METHOD(ike_mobike_t, roam, void,
564 private_ike_mobike_t *this, bool address)
565 {
566 this->check = TRUE;
567 this->address = address;
568 this->ike_sa->set_pending_updates(this->ike_sa,
569 this->ike_sa->get_pending_updates(this->ike_sa) + 1);
570 }
571
572 METHOD(ike_mobike_t, dpd, void,
573 private_ike_mobike_t *this)
574 {
575 if (!this->natd)
576 {
577 this->natd = ike_natd_create(this->ike_sa, this->initiator);
578 }
579 this->ike_sa->set_pending_updates(this->ike_sa,
580 this->ike_sa->get_pending_updates(this->ike_sa) + 1);
581 }
582
583 METHOD(ike_mobike_t, is_probing, bool,
584 private_ike_mobike_t *this)
585 {
586 return this->check;
587 }
588
589 METHOD(task_t, get_type, task_type_t,
590 private_ike_mobike_t *this)
591 {
592 return TASK_IKE_MOBIKE;
593 }
594
595 METHOD(task_t, migrate, void,
596 private_ike_mobike_t *this, ike_sa_t *ike_sa)
597 {
598 chunk_free(&this->cookie2);
599 this->ike_sa = ike_sa;
600 if (this->natd)
601 {
602 this->natd->task.migrate(&this->natd->task, ike_sa);
603 }
604 }
605
606 METHOD(task_t, destroy, void,
607 private_ike_mobike_t *this)
608 {
609 chunk_free(&this->cookie2);
610 if (this->natd)
611 {
612 this->natd->task.destroy(&this->natd->task);
613 }
614 free(this);
615 }
616
617 /*
618 * Described in header.
619 */
620 ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
621 {
622 private_ike_mobike_t *this;
623
624 INIT(this,
625 .public = {
626 .task = {
627 .get_type = _get_type,
628 .migrate = _migrate,
629 .destroy = _destroy,
630 },
631 .addresses = _addresses,
632 .roam = _roam,
633 .dpd = _dpd,
634 .transmit = _transmit,
635 .is_probing = _is_probing,
636 },
637 .ike_sa = ike_sa,
638 .initiator = initiator,
639 );
640
641 if (initiator)
642 {
643 this->public.task.build = _build_i;
644 this->public.task.process = _process_i;
645 }
646 else
647 {
648 this->public.task.build = _build_r;
649 this->public.task.process = _process_r;
650 }
651
652 return &this->public;
653 }
strongSwan - IPsec VPN