projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge branch 'ikev1-clean' into ikev1-master
[strongswan.git] / src / libcharon / sa / ikev2 / tasks / ike_mobike.c
1 /*
2 * Copyright (C) 2010-2012 Tobias Brunner
3 * Copyright (C) 2007 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "ike_mobike.h"
18
19 #include <string.h>
20
21 #include <hydra.h>
22 #include <daemon.h>
23 #include <sa/ikev2/tasks/ike_natd.h>
24 #include <encoding/payloads/notify_payload.h>
25
26 #define COOKIE2_SIZE 16
27 #define MAX_ADDITIONAL_ADDRS 8
28
29 typedef struct private_ike_mobike_t private_ike_mobike_t;
30
31 /**
32 * Private members of a ike_mobike_t task.
33 */
34 struct private_ike_mobike_t {
35
36 /**
37 * Public methods and task_t interface.
38 */
39 ike_mobike_t public;
40
41 /**
42 * Assigned IKE_SA.
43 */
44 ike_sa_t *ike_sa;
45
46 /**
47 * Are we the initiator?
48 */
49 bool initiator;
50
51 /**
52 * cookie2 value to verify new addresses
53 */
54 chunk_t cookie2;
55
56 /**
57 * NAT discovery reusing the TASK_IKE_NATD task
58 */
59 ike_natd_t *natd;
60
61 /**
62 * use task to update addresses
63 */
64 bool update;
65
66 /**
67 * do routability check
68 */
69 bool check;
70
71 /**
72 * include address list update
73 */
74 bool address;
75
76 /**
77 * additional addresses got updated
78 */
79 bool addresses_updated;
80 };
81
82 /**
83 * read notifys from message and evaluate them
84 */
85 static void process_payloads(private_ike_mobike_t *this, message_t *message)
86 {
87 enumerator_t *enumerator;
88 payload_t *payload;
89 bool first = TRUE;
90
91 enumerator = message->create_payload_enumerator(message);
92 while (enumerator->enumerate(enumerator, &payload))
93 {
94 int family = AF_INET;
95 notify_payload_t *notify;
96 chunk_t data;
97 host_t *host;
98
99 if (payload->get_type(payload) != NOTIFY)
100 {
101 continue;
102 }
103 notify = (notify_payload_t*)payload;
104 switch (notify->get_notify_type(notify))
105 {
106 case MOBIKE_SUPPORTED:
107 {
108 peer_cfg_t *peer_cfg;
109
110 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
111 if (!this->initiator &&
112 peer_cfg && !peer_cfg->use_mobike(peer_cfg))
113 {
114 DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
115 }
116 else
117 {
118 DBG1(DBG_IKE, "peer supports MOBIKE");
119 this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
120 }
121 break;
122 }
123 case COOKIE2:
124 {
125 chunk_free(&this->cookie2);
126 this->cookie2 = chunk_clone(notify->get_notification_data(notify));
127 break;
128 }
129 case ADDITIONAL_IP6_ADDRESS:
130 {
131 family = AF_INET6;
132 /* fall through */
133 }
134 case ADDITIONAL_IP4_ADDRESS:
135 {
136 if (first)
137 { /* an ADDITIONAL_*_ADDRESS means replace, so flush once */
138 this->ike_sa->clear_peer_addresses(this->ike_sa);
139 first = FALSE;
140 /* add the peer's current address to the list */
141 host = this->ike_sa->get_other_host(this->ike_sa);
142 this->ike_sa->add_peer_address(this->ike_sa,
143 host->clone(host));
144 }
145 data = notify->get_notification_data(notify);
146 host = host_create_from_chunk(family, data, 0);
147 DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
148 this->ike_sa->add_peer_address(this->ike_sa, host);
149 this->addresses_updated = TRUE;
150 break;
151 }
152 case UPDATE_SA_ADDRESSES:
153 {
154 this->update = TRUE;
155 break;
156 }
157 case NO_ADDITIONAL_ADDRESSES:
158 {
159 this->ike_sa->clear_peer_addresses(this->ike_sa);
160 /* add the peer's current address to the list */
161 host = this->ike_sa->get_other_host(this->ike_sa);
162 this->ike_sa->add_peer_address(this->ike_sa, host->clone(host));
163 this->addresses_updated = TRUE;
164 break;
165 }
166 case NAT_DETECTION_SOURCE_IP:
167 case NAT_DETECTION_DESTINATION_IP:
168 {
169 /* NAT check in this MOBIKE exchange, create subtask for it */
170 if (this->natd == NULL)
171 {
172 this->natd = ike_natd_create(this->ike_sa, this->initiator);
173 }
174 break;
175 }
176 default:
177 break;
178 }
179 }
180 enumerator->destroy(enumerator);
181 }
182
183 /**
184 * Add ADDITIONAL_*_ADDRESS notifys depending on our address list
185 */
186 static void build_address_list(private_ike_mobike_t *this, message_t *message)
187 {
188 enumerator_t *enumerator;
189 host_t *host, *me;
190 notify_type_t type;
191 int added = 0;
192
193 me = this->ike_sa->get_my_host(this->ike_sa);
194 enumerator = hydra->kernel_interface->create_address_enumerator(
195 hydra->kernel_interface, FALSE, FALSE);
196 while (enumerator->enumerate(enumerator, (void**)&host))
197 {
198 if (me->ip_equals(me, host))
199 { /* "ADDITIONAL" means do not include IKE_SAs host */
200 continue;
201 }
202 switch (host->get_family(host))
203 {
204 case AF_INET:
205 type = ADDITIONAL_IP4_ADDRESS;
206 break;
207 case AF_INET6:
208 type = ADDITIONAL_IP6_ADDRESS;
209 break;
210 default:
211 continue;
212 }
213 message->add_notify(message, FALSE, type, host->get_address(host));
214 if (++added >= MAX_ADDITIONAL_ADDRS)
215 { /* limit number of notifys, some implementations do not like too
216 * many of them (f.e. strongSwan ;-) */
217 break;
218 }
219 }
220 if (!added)
221 {
222 message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
223 }
224 enumerator->destroy(enumerator);
225 }
226
227 /**
228 * build a cookie and add it to the message
229 */
230 static void build_cookie(private_ike_mobike_t *this, message_t *message)
231 {
232 rng_t *rng;
233
234 chunk_free(&this->cookie2);
235 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
236 if (rng)
237 {
238 rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2);
239 rng->destroy(rng);
240 message->add_notify(message, FALSE, COOKIE2, this->cookie2);
241 }
242 }
243
244 /**
245 * update addresses of associated CHILD_SAs
246 */
247 static void update_children(private_ike_mobike_t *this)
248 {
249 enumerator_t *enumerator;
250 child_sa_t *child_sa;
251
252 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
253 while (enumerator->enumerate(enumerator, (void**)&child_sa))
254 {
255 if (child_sa->update(child_sa,
256 this->ike_sa->get_my_host(this->ike_sa),
257 this->ike_sa->get_other_host(this->ike_sa),
258 this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
259 this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
260 {
261 this->ike_sa->rekey_child_sa(this->ike_sa,
262 child_sa->get_protocol(child_sa),
263 child_sa->get_spi(child_sa, TRUE));
264 }
265 }
266 enumerator->destroy(enumerator);
267 }
268
269 /**
270 * Apply the port of the old host, if its ip equals the new, use port otherwise.
271 */
272 static void apply_port(host_t *host, host_t *old, u_int16_t port)
273 {
274 if (host->ip_equals(host, old))
275 {
276 port = old->get_port(old);
277 }
278 else if (port == IKEV2_UDP_PORT)
279 {
280 port = IKEV2_NATT_PORT;
281 }
282 host->set_port(host, port);
283 }
284
285 METHOD(ike_mobike_t, transmit, void,
286 private_ike_mobike_t *this, packet_t *packet)
287 {
288 host_t *me, *other, *me_old, *other_old;
289 enumerator_t *enumerator;
290 ike_cfg_t *ike_cfg;
291 packet_t *copy;
292
293 if (!this->check)
294 {
295 return;
296 }
297
298 me_old = this->ike_sa->get_my_host(this->ike_sa);
299 other_old = this->ike_sa->get_other_host(this->ike_sa);
300 ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
301
302 enumerator = this->ike_sa->create_peer_address_enumerator(this->ike_sa);
303 while (enumerator->enumerate(enumerator, (void**)&other))
304 {
305 me = hydra->kernel_interface->get_source_addr(
306 hydra->kernel_interface, other, NULL);
307 if (me)
308 {
309 if (me->get_family(me) != other->get_family(other))
310 {
311 me->destroy(me);
312 continue;
313 }
314 /* reuse port for an active address, 4500 otherwise */
315 apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
316 other = other->clone(other);
317 apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg));
318 DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
319 copy = packet->clone(packet);
320 copy->set_source(copy, me);
321 copy->set_destination(copy, other);
322 charon->sender->send(charon->sender, copy);
323 }
324 }
325 enumerator->destroy(enumerator);
326 }
327
328 METHOD(task_t, build_i, status_t,
329 private_ike_mobike_t *this, message_t *message)
330 {
331 if (message->get_exchange_type(message) == IKE_AUTH &&
332 message->get_message_id(message) == 1)
333 { /* only in first IKE_AUTH */
334 message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
335 build_address_list(this, message);
336 }
337 else if (message->get_exchange_type(message) == INFORMATIONAL)
338 {
339 host_t *old, *new;
340
341 /* we check if the existing address is still valid */
342 old = message->get_source(message);
343 new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
344 message->get_destination(message), old);
345 if (new)
346 {
347 if (!new->ip_equals(new, old))
348 {
349 new->set_port(new, old->get_port(old));
350 message->set_source(message, new);
351 }
352 else
353 {
354 new->destroy(new);
355 }
356 }
357 if (this->update)
358 {
359 message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
360 chunk_empty);
361 build_cookie(this, message);
362 update_children(this);
363 }
364 if (this->address && !this->check)
365 {
366 build_address_list(this, message);
367 }
368 if (this->natd)
369 {
370 this->natd->task.build(&this->natd->task, message);
371 }
372 }
373 return NEED_MORE;
374 }
375
376 METHOD(task_t, process_r, status_t,
377 private_ike_mobike_t *this, message_t *message)
378 {
379 if (message->get_exchange_type(message) == IKE_AUTH &&
380 message->get_message_id(message) == 1)
381 { /* only first IKE_AUTH */
382 process_payloads(this, message);
383 }
384 else if (message->get_exchange_type(message) == INFORMATIONAL)
385 {
386 process_payloads(this, message);
387 if (this->update)
388 {
389 host_t *me, *other;
390
391 me = message->get_destination(message);
392 other = message->get_source(message);
393 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
394 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
395 }
396
397 if (this->natd)
398 {
399 this->natd->task.process(&this->natd->task, message);
400 }
401 if (this->addresses_updated && this->ike_sa->has_condition(this->ike_sa,
402 COND_ORIGINAL_INITIATOR))
403 {
404 host_t *other = message->get_source(message);
405 host_t *other_old = this->ike_sa->get_other_host(this->ike_sa);
406 if (!other->equals(other, other_old))
407 {
408 DBG1(DBG_IKE, "remote address changed from %H to %H", other_old,
409 other);
410 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
411 this->update = TRUE;
412 }
413 }
414 }
415 return NEED_MORE;
416 }
417
418 METHOD(task_t, build_r, status_t,
419 private_ike_mobike_t *this, message_t *message)
420 {
421 if (message->get_exchange_type(message) == IKE_AUTH &&
422 this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
423 {
424 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
425 {
426 message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
427 build_address_list(this, message);
428 }
429 return SUCCESS;
430 }
431 else if (message->get_exchange_type(message) == INFORMATIONAL)
432 {
433 if (this->natd)
434 {
435 this->natd->task.build(&this->natd->task, message);
436 }
437 if (this->cookie2.ptr)
438 {
439 message->add_notify(message, FALSE, COOKIE2, this->cookie2);
440 chunk_free(&this->cookie2);
441 }
442 if (this->update)
443 {
444 update_children(this);
445 }
446 return SUCCESS;
447 }
448 return NEED_MORE;
449 }
450
451 METHOD(task_t, process_i, status_t,
452 private_ike_mobike_t *this, message_t *message)
453 {
454 if (message->get_exchange_type(message) == IKE_AUTH &&
455 this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
456 {
457 process_payloads(this, message);
458 return SUCCESS;
459 }
460 else if (message->get_exchange_type(message) == INFORMATIONAL)
461 {
462 u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
463 this->ike_sa->set_pending_updates(this->ike_sa, updates);
464 if (updates > 0)
465 {
466 /* newer update queued, ignore this one */
467 return SUCCESS;
468 }
469 if (this->cookie2.ptr)
470 { /* check cookie if we included one */
471 chunk_t cookie2;
472
473 cookie2 = this->cookie2;
474 this->cookie2 = chunk_empty;
475 process_payloads(this, message);
476 if (!chunk_equals(cookie2, this->cookie2))
477 {
478 chunk_free(&cookie2);
479 DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
480 return FAILED;
481 }
482 chunk_free(&cookie2);
483 }
484 else
485 {
486 process_payloads(this, message);
487 }
488 if (this->natd)
489 {
490 this->natd->task.process(&this->natd->task, message);
491 if (this->natd->has_mapping_changed(this->natd))
492 {
493 /* force an update if mappings have changed */
494 this->update = this->check = TRUE;
495 DBG1(DBG_IKE, "detected changes in NAT mappings, "
496 "initiating MOBIKE update");
497 }
498 }
499 if (this->update)
500 {
501 /* update again, as NAT state may have changed */
502 update_children(this);
503 }
504 if (this->check)
505 {
506 host_t *me_new, *me_old, *other_new, *other_old;
507
508 me_new = message->get_destination(message);
509 other_new = message->get_source(message);
510 me_old = this->ike_sa->get_my_host(this->ike_sa);
511 other_old = this->ike_sa->get_other_host(this->ike_sa);
512
513 if (!me_new->equals(me_new, me_old))
514 {
515 this->update = TRUE;
516 this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
517 }
518 if (!other_new->equals(other_new, other_old))
519 {
520 this->update = TRUE;
521 this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
522 }
523 if (this->update)
524 {
525 /* use the same task to ... */
526 if (!this->ike_sa->has_condition(this->ike_sa,
527 COND_ORIGINAL_INITIATOR))
528 { /*... send an updated list of addresses as responder */
529 update_children(this);
530 this->update = FALSE;
531 }
532 else
533 { /* ... send the update as original initiator */
534 if (this->natd)
535 {
536 this->natd->task.destroy(&this->natd->task);
537 }
538 this->natd = ike_natd_create(this->ike_sa, this->initiator);
539 }
540 this->check = FALSE;
541 this->ike_sa->set_pending_updates(this->ike_sa, 1);
542 return NEED_MORE;
543 }
544 }
545 return SUCCESS;
546 }
547 return NEED_MORE;
548 }
549
550 METHOD(ike_mobike_t, addresses, void,
551 private_ike_mobike_t *this)
552 {
553 this->address = TRUE;
554 this->ike_sa->set_pending_updates(this->ike_sa,
555 this->ike_sa->get_pending_updates(this->ike_sa) + 1);
556 }
557
558 METHOD(ike_mobike_t, roam, void,
559 private_ike_mobike_t *this, bool address)
560 {
561 this->check = TRUE;
562 this->address = address;
563 this->ike_sa->set_pending_updates(this->ike_sa,
564 this->ike_sa->get_pending_updates(this->ike_sa) + 1);
565 }
566
567 METHOD(ike_mobike_t, dpd, void,
568 private_ike_mobike_t *this)
569 {
570 if (!this->natd)
571 {
572 this->natd = ike_natd_create(this->ike_sa, this->initiator);
573 }
574 this->ike_sa->set_pending_updates(this->ike_sa,
575 this->ike_sa->get_pending_updates(this->ike_sa) + 1);
576 }
577
578 METHOD(ike_mobike_t, is_probing, bool,
579 private_ike_mobike_t *this)
580 {
581 return this->check;
582 }
583
584 METHOD(task_t, get_type, task_type_t,
585 private_ike_mobike_t *this)
586 {
587 return TASK_IKE_MOBIKE;
588 }
589
590 METHOD(task_t, migrate, void,
591 private_ike_mobike_t *this, ike_sa_t *ike_sa)
592 {
593 chunk_free(&this->cookie2);
594 this->ike_sa = ike_sa;
595 if (this->natd)
596 {
597 this->natd->task.migrate(&this->natd->task, ike_sa);
598 }
599 }
600
601 METHOD(task_t, destroy, void,
602 private_ike_mobike_t *this)
603 {
604 chunk_free(&this->cookie2);
605 if (this->natd)
606 {
607 this->natd->task.destroy(&this->natd->task);
608 }
609 free(this);
610 }
611
612 /*
613 * Described in header.
614 */
615 ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
616 {
617 private_ike_mobike_t *this;
618
619 INIT(this,
620 .public = {
621 .task = {
622 .get_type = _get_type,
623 .migrate = _migrate,
624 .destroy = _destroy,
625 },
626 .addresses = _addresses,
627 .roam = _roam,
628 .dpd = _dpd,
629 .transmit = _transmit,
630 .is_probing = _is_probing,
631 },
632 .ike_sa = ike_sa,
633 .initiator = initiator,
634 );
635
636 if (initiator)
637 {
638 this->public.task.build = _build_i;
639 this->public.task.process = _process_i;
640 }
641 else
642 {
643 this->public.task.build = _build_r;
644 this->public.task.process = _process_r;
645 }
646
647 return &this->public;
648 }
strongSwan - IPsec VPN