![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to ike_mobike.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa / ikev2 / tasks|
Return to ike_mobike.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa / ikev2 / tasks |
1.1 misho 1: /*
2: * Copyright (C) 2010-2018 Tobias Brunner
3: * Copyright (C) 2007 Martin Willi
4: * HSR Hochschule fuer Technik Rapperswil
5: *
6: * This program is free software; you can redistribute it and/or modify it
7: * under the terms of the GNU General Public License as published by the
8: * Free Software Foundation; either version 2 of the License, or (at your
9: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10: *
11: * This program is distributed in the hope that it will be useful, but
12: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14: * for more details.
15: */
16:
17: #include "ike_mobike.h"
18:
19: #include <string.h>
20:
21: #include <daemon.h>
22: #include <sa/ikev2/tasks/ike_natd.h>
23: #include <encoding/payloads/notify_payload.h>
24:
25: #define COOKIE2_SIZE 16
26: #define MAX_ADDITIONAL_ADDRS 8
27:
28: typedef struct private_ike_mobike_t private_ike_mobike_t;
29:
30: /**
31: * Private members of a ike_mobike_t task.
32: */
33: struct private_ike_mobike_t {
34:
35: /**
36: * Public methods and task_t interface.
37: */
38: ike_mobike_t public;
39:
40: /**
41: * Assigned IKE_SA.
42: */
43: ike_sa_t *ike_sa;
44:
45: /**
46: * Are we the initiator?
47: */
48: bool initiator;
49:
50: /**
51: * cookie2 value to verify new addresses
52: */
53: chunk_t cookie2;
54:
55: /**
56: * NAT discovery reusing the TASK_IKE_NATD task
57: */
58: ike_natd_t *natd;
59:
60: /**
61: * use task to update addresses
62: */
63: bool update;
64:
65: /**
66: * do routability check
67: */
68: bool check;
69:
70: /**
71: * include address list update
72: */
73: bool address;
74:
75: /**
76: * additional addresses got updated
77: */
78: bool addresses_updated;
79: };
80:
81: /**
82: * Check if a newer MOBIKE update task is queued
83: */
84: static bool is_newer_update_queued(private_ike_mobike_t *this)
85: {
86: enumerator_t *enumerator;
87: private_ike_mobike_t *mobike;
88: task_t *task;
89: bool found = FALSE;
90:
91: enumerator = this->ike_sa->create_task_enumerator(this->ike_sa,
92: TASK_QUEUE_QUEUED);
93: while (enumerator->enumerate(enumerator, &task))
94: {
95: if (task->get_type(task) == TASK_IKE_MOBIKE)
96: {
97: mobike = (private_ike_mobike_t*)task;
98: /* a queued check or update might invalidate the results of the
99: * current task */
100: found = mobike->check || mobike->update;
101: break;
102: }
103: }
104: enumerator->destroy(enumerator);
105: return found;
106: }
107:
108: /**
109: * read notifys from message and evaluate them
110: */
111: static void process_payloads(private_ike_mobike_t *this, message_t *message)
112: {
113: enumerator_t *enumerator;
114: payload_t *payload;
115: bool first = TRUE;
116:
117: enumerator = message->create_payload_enumerator(message);
118: while (enumerator->enumerate(enumerator, &payload))
119: {
120: int family = AF_INET;
121: notify_payload_t *notify;
122: chunk_t data;
123: host_t *host;
124:
125: if (payload->get_type(payload) != PLV2_NOTIFY)
126: {
127: continue;
128: }
129: notify = (notify_payload_t*)payload;
130: switch (notify->get_notify_type(notify))
131: {
132: case MOBIKE_SUPPORTED:
133: {
134: peer_cfg_t *peer_cfg;
135:
136: peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
137: if (!this->initiator &&
138: peer_cfg && !peer_cfg->use_mobike(peer_cfg))
139: {
140: DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
141: }
142: else
143: {
144: DBG1(DBG_IKE, "peer supports MOBIKE");
145: this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
146: }
147: break;
148: }
149: case COOKIE2:
150: {
151: chunk_free(&this->cookie2);
152: this->cookie2 = chunk_clone(notify->get_notification_data(notify));
153: break;
154: }
155: case ADDITIONAL_IP6_ADDRESS:
156: {
157: family = AF_INET6;
158: /* fall through */
159: }
160: case ADDITIONAL_IP4_ADDRESS:
161: {
162: if (first)
163: { /* an ADDITIONAL_*_ADDRESS means replace, so flush once */
164: this->ike_sa->clear_peer_addresses(this->ike_sa);
165: first = FALSE;
166: /* add the peer's current address to the list */
167: host = message->get_source(message);
168: this->ike_sa->add_peer_address(this->ike_sa,
169: host->clone(host));
170: }
171: data = notify->get_notification_data(notify);
172: host = host_create_from_chunk(family, data, 0);
173: DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
174: this->ike_sa->add_peer_address(this->ike_sa, host);
175: this->addresses_updated = TRUE;
176: break;
177: }
178: case UPDATE_SA_ADDRESSES:
179: {
180: this->update = TRUE;
181: break;
182: }
183: case NO_ADDITIONAL_ADDRESSES:
184: {
185: this->ike_sa->clear_peer_addresses(this->ike_sa);
186: /* add the peer's current address to the list */
187: host = message->get_source(message);
188: this->ike_sa->add_peer_address(this->ike_sa, host->clone(host));
189: this->addresses_updated = TRUE;
190: break;
191: }
192: case NAT_DETECTION_SOURCE_IP:
193: case NAT_DETECTION_DESTINATION_IP:
194: {
195: /* NAT check in this MOBIKE exchange, create subtask for it */
196: if (!this->natd)
197: {
198: this->natd = ike_natd_create(this->ike_sa, this->initiator);
199: }
200: break;
201: }
202: default:
203: break;
204: }
205: }
206: enumerator->destroy(enumerator);
207: }
208:
209: /**
210: * Add ADDITIONAL_*_ADDRESS notifys depending on our address list
211: */
212: static void build_address_list(private_ike_mobike_t *this, message_t *message)
213: {
214: enumerator_t *enumerator;
215: host_t *host, *me;
216: notify_type_t type;
217: int added = 0;
218:
219: me = this->ike_sa->get_my_host(this->ike_sa);
220: enumerator = charon->kernel->create_address_enumerator(charon->kernel,
221: ADDR_TYPE_REGULAR);
222: while (enumerator->enumerate(enumerator, (void**)&host))
223: {
224: if (me->ip_equals(me, host))
225: { /* "ADDITIONAL" means do not include IKE_SAs host */
226: continue;
227: }
228: switch (host->get_family(host))
229: {
230: case AF_INET:
231: type = ADDITIONAL_IP4_ADDRESS;
232: break;
233: case AF_INET6:
234: type = ADDITIONAL_IP6_ADDRESS;
235: break;
236: default:
237: continue;
238: }
239: message->add_notify(message, FALSE, type, host->get_address(host));
240: if (++added >= MAX_ADDITIONAL_ADDRS)
241: { /* limit number of notifys, some implementations do not like too
242: * many of them (f.e. strongSwan ;-) */
243: break;
244: }
245: }
246: if (!added)
247: {
248: message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
249: }
250: enumerator->destroy(enumerator);
251: }
252:
253: /**
254: * build a cookie and add it to the message
255: */
256: static bool build_cookie(private_ike_mobike_t *this, message_t *message)
257: {
258: rng_t *rng;
259:
260: chunk_free(&this->cookie2);
261: rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
262: if (!rng || !rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2))
263: {
264: DESTROY_IF(rng);
265: return FALSE;
266: }
267: message->add_notify(message, FALSE, COOKIE2, this->cookie2);
268: rng->destroy(rng);
269: return TRUE;
270: }
271:
272: /**
273: * update addresses of associated CHILD_SAs
274: */
275: static void update_children(private_ike_mobike_t *this)
276: {
277: enumerator_t *enumerator;
278: child_sa_t *child_sa;
279: linked_list_t *vips;
280: status_t status;
281: host_t *host;
282:
283: vips = linked_list_create();
284:
285: enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
286: while (enumerator->enumerate(enumerator, &host))
287: {
288: vips->insert_last(vips, host);
289: }
290: enumerator->destroy(enumerator);
291:
292: enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
293: while (enumerator->enumerate(enumerator, (void**)&child_sa))
294: {
295: status = child_sa->update(child_sa,
296: this->ike_sa->get_my_host(this->ike_sa),
297: this->ike_sa->get_other_host(this->ike_sa), vips,
298: this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
299: switch (status)
300: {
301: case NOT_SUPPORTED:
302: this->ike_sa->rekey_child_sa(this->ike_sa,
303: child_sa->get_protocol(child_sa),
304: child_sa->get_spi(child_sa, TRUE));
305: break;
306: case SUCCESS:
307: charon->child_sa_manager->remove(charon->child_sa_manager,
308: child_sa);
309: charon->child_sa_manager->add(charon->child_sa_manager,
310: child_sa, this->ike_sa);
311: break;
312: default:
313: break;
314: }
315: }
316: enumerator->destroy(enumerator);
317:
318: vips->destroy(vips);
319: }
320:
321: /**
322: * Apply the port of the old host, if its ip equals the new, use port otherwise.
323: */
324: static void apply_port(host_t *host, host_t *old, uint16_t port, bool local)
325: {
326: if (host->ip_equals(host, old))
327: {
328: port = old->get_port(old);
329: }
330: else if (local && port == charon->socket->get_port(charon->socket, FALSE))
331: {
332: port = charon->socket->get_port(charon->socket, TRUE);
333: }
334: else if (!local && port == IKEV2_UDP_PORT)
335: {
336: port = IKEV2_NATT_PORT;
337: }
338: host->set_port(host, port);
339: }
340:
341: METHOD(ike_mobike_t, transmit, bool,
342: private_ike_mobike_t *this, packet_t *packet)
343: {
344: host_t *me, *other, *me_old, *other_old;
345: enumerator_t *enumerator;
346: ike_cfg_t *ike_cfg;
347: packet_t *copy;
348: int family = AF_UNSPEC;
349: bool found = FALSE;
350:
351: me_old = this->ike_sa->get_my_host(this->ike_sa);
352: other_old = this->ike_sa->get_other_host(this->ike_sa);
353: ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
354:
355: if (!this->check)
356: {
357: me = charon->kernel->get_source_addr(charon->kernel, other_old, me_old);
358: if (me)
359: {
360: if (me->ip_equals(me, me_old))
361: {
362: copy = packet->clone(packet);
363: /* hosts might have been updated by a peer's MOBIKE exchange */
364: copy->set_source(copy, me_old->clone(me_old));
365: copy->set_destination(copy, other_old->clone(other_old));
366: charon->sender->send(charon->sender, copy);
367: me->destroy(me);
368: return TRUE;
369: }
370: me->destroy(me);
371: }
372: this->check = TRUE;
373: }
374:
375: switch (charon->socket->supported_families(charon->socket))
376: {
377: case SOCKET_FAMILY_IPV4:
378: family = AF_INET;
379: break;
380: case SOCKET_FAMILY_IPV6:
381: family = AF_INET6;
382: break;
383: case SOCKET_FAMILY_BOTH:
384: case SOCKET_FAMILY_NONE:
385: break;
386: }
387:
388: enumerator = this->ike_sa->create_peer_address_enumerator(this->ike_sa);
389: while (enumerator->enumerate(enumerator, (void**)&other))
390: {
391: if (family != AF_UNSPEC && other->get_family(other) != family)
392: {
393: continue;
394: }
395: me = charon->kernel->get_source_addr(charon->kernel, other, NULL);
396: if (me)
397: {
398: /* reuse port for an active address, 4500 otherwise */
399: apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg), TRUE);
400: other = other->clone(other);
401: apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg), FALSE);
402: DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
403: copy = packet->clone(packet);
404: copy->set_source(copy, me);
405: copy->set_destination(copy, other);
406: charon->sender->send(charon->sender, copy);
407: found = TRUE;
408: }
409: }
410: enumerator->destroy(enumerator);
411: return found;
412: }
413:
414: METHOD(task_t, build_i, status_t,
415: private_ike_mobike_t *this, message_t *message)
416: {
417: if (message->get_exchange_type(message) == IKE_AUTH &&
418: message->get_message_id(message) == 1)
419: { /* only in first IKE_AUTH */
420: message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
421: build_address_list(this, message);
422: }
423: else if (message->get_exchange_type(message) == INFORMATIONAL)
424: {
425: host_t *old, *new;
426:
427: /* we check if the existing address is still valid */
428: old = message->get_source(message);
429: new = charon->kernel->get_source_addr(charon->kernel,
430: message->get_destination(message), old);
431: if (new)
432: {
433: if (!new->ip_equals(new, old))
434: {
435: new->set_port(new, old->get_port(old));
436: message->set_source(message, new);
437: }
438: else
439: {
440: new->destroy(new);
441: }
442: }
443: if (this->update)
444: {
445: message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
446: chunk_empty);
447: if (!build_cookie(this, message))
448: {
449: return FAILED;
450: }
451: update_children(this);
452: }
453: if (this->address && !this->check)
454: {
455: build_address_list(this, message);
456: }
457: if (this->natd)
458: {
459: this->natd->task.build(&this->natd->task, message);
460: }
461: }
462: return NEED_MORE;
463: }
464:
465: METHOD(task_t, process_r, status_t,
466: private_ike_mobike_t *this, message_t *message)
467: {
468: if (message->get_exchange_type(message) == IKE_AUTH &&
469: message->get_message_id(message) == 1)
470: { /* only first IKE_AUTH */
471: process_payloads(this, message);
472: }
473: else if (message->get_exchange_type(message) == INFORMATIONAL)
474: {
475: process_payloads(this, message);
476: if (this->update)
477: {
478: host_t *me, *other;
479:
480: me = message->get_destination(message);
481: other = message->get_source(message);
482: this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
483: this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
484: }
485:
486: if (this->natd)
487: {
488: this->natd->task.process(&this->natd->task, message);
489: }
490: if (this->addresses_updated && this->ike_sa->has_condition(this->ike_sa,
491: COND_ORIGINAL_INITIATOR))
492: {
493: host_t *other = message->get_source(message);
494: host_t *other_old = this->ike_sa->get_other_host(this->ike_sa);
495: if (!other->equals(other, other_old))
496: {
497: DBG1(DBG_IKE, "remote address changed from %H to %H", other_old,
498: other);
499: this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
500: this->update = TRUE;
501: }
502: }
503: }
504: return NEED_MORE;
505: }
506:
507: METHOD(task_t, build_r, status_t,
508: private_ike_mobike_t *this, message_t *message)
509: {
510: if (message->get_exchange_type(message) == IKE_AUTH &&
511: this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
512: {
513: if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
514: {
515: message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
516: build_address_list(this, message);
517: }
518: return SUCCESS;
519: }
520: else if (message->get_exchange_type(message) == INFORMATIONAL)
521: {
522: if (this->natd)
523: {
524: this->natd->task.build(&this->natd->task, message);
525: }
526: if (this->cookie2.ptr)
527: {
528: message->add_notify(message, FALSE, COOKIE2, this->cookie2);
529: chunk_free(&this->cookie2);
530: }
531: if (this->update)
532: {
533: update_children(this);
534: }
535: return SUCCESS;
536: }
537: return NEED_MORE;
538: }
539:
540: METHOD(task_t, process_i, status_t,
541: private_ike_mobike_t *this, message_t *message)
542: {
543: if (message->get_exchange_type(message) == IKE_AUTH &&
544: this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
545: {
546: process_payloads(this, message);
547: return SUCCESS;
548: }
549: else if (message->get_exchange_type(message) == INFORMATIONAL)
550: {
551: if (is_newer_update_queued(this))
552: {
553: return SUCCESS;
554: }
555: if (this->cookie2.ptr)
556: { /* check cookie if we included one */
557: chunk_t cookie2;
558:
559: cookie2 = this->cookie2;
560: this->cookie2 = chunk_empty;
561: process_payloads(this, message);
562: if (!chunk_equals_const(cookie2, this->cookie2))
563: {
564: chunk_free(&cookie2);
565: DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
566: return FAILED;
567: }
568: chunk_free(&cookie2);
569: }
570: else
571: {
572: process_payloads(this, message);
573: }
574: if (this->natd)
575: {
576: this->natd->task.process(&this->natd->task, message);
577: if (!this->update && this->natd->has_mapping_changed(this->natd))
578: {
579: /* force an update if mappings have changed */
580: this->update = this->check = TRUE;
581: DBG1(DBG_IKE, "detected changes in NAT mappings, "
582: "initiating MOBIKE update");
583: }
584: }
585: if (this->update)
586: {
587: /* update again, as NAT state may have changed */
588: update_children(this);
589: }
590: if (this->check)
591: {
592: host_t *me_new, *me_old, *other_new, *other_old;
593:
594: me_new = message->get_destination(message);
595: other_new = message->get_source(message);
596: me_old = this->ike_sa->get_my_host(this->ike_sa);
597: other_old = this->ike_sa->get_other_host(this->ike_sa);
598:
599: if (!me_new->equals(me_new, me_old))
600: {
601: this->update = TRUE;
602: this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
603: }
604: if (!other_new->equals(other_new, other_old))
605: {
606: this->update = TRUE;
607: this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
608: }
609: if (this->update)
610: {
611: /* use the same task to ... */
612: if (!this->ike_sa->has_condition(this->ike_sa,
613: COND_ORIGINAL_INITIATOR))
614: { /*... send an updated list of addresses as responder */
615: update_children(this);
616: this->update = FALSE;
617: }
618: else
619: { /* ... send the update as original initiator */
620: if (this->natd)
621: {
622: this->natd->task.destroy(&this->natd->task);
623: }
624: this->natd = ike_natd_create(this->ike_sa, this->initiator);
625: }
626: this->check = FALSE;
627: return NEED_MORE;
628: }
629: }
630: return SUCCESS;
631: }
632: return NEED_MORE;
633: }
634:
635: METHOD(ike_mobike_t, addresses, void,
636: private_ike_mobike_t *this)
637: {
638: this->address = TRUE;
639: }
640:
641: METHOD(ike_mobike_t, roam, void,
642: private_ike_mobike_t *this, bool address)
643: {
644: this->check = TRUE;
645: this->address |= address;
646: }
647:
648: METHOD(ike_mobike_t, dpd, void,
649: private_ike_mobike_t *this)
650: {
651: if (!this->natd && this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
652: {
653: this->natd = ike_natd_create(this->ike_sa, this->initiator);
654: }
655: }
656:
657: METHOD(ike_mobike_t, is_probing, bool,
658: private_ike_mobike_t *this)
659: {
660: return this->check;
661: }
662:
663: METHOD(ike_mobike_t, enable_probing, void,
664: private_ike_mobike_t *this)
665: {
666: this->check = TRUE;
667: }
668:
669: METHOD(task_t, get_type, task_type_t,
670: private_ike_mobike_t *this)
671: {
672: return TASK_IKE_MOBIKE;
673: }
674:
675: METHOD(task_t, migrate, void,
676: private_ike_mobike_t *this, ike_sa_t *ike_sa)
677: {
678: chunk_free(&this->cookie2);
679: this->ike_sa = ike_sa;
680: if (this->natd)
681: {
682: this->natd->task.migrate(&this->natd->task, ike_sa);
683: }
684: }
685:
686: METHOD(task_t, destroy, void,
687: private_ike_mobike_t *this)
688: {
689: chunk_free(&this->cookie2);
690: if (this->natd)
691: {
692: this->natd->task.destroy(&this->natd->task);
693: }
694: free(this);
695: }
696:
697: /*
698: * Described in header.
699: */
700: ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
701: {
702: private_ike_mobike_t *this;
703:
704: INIT(this,
705: .public = {
706: .task = {
707: .get_type = _get_type,
708: .migrate = _migrate,
709: .destroy = _destroy,
710: },
711: .addresses = _addresses,
712: .roam = _roam,
713: .dpd = _dpd,
714: .transmit = _transmit,
715: .is_probing = _is_probing,
716: .enable_probing = _enable_probing,
717: },
718: .ike_sa = ike_sa,
719: .initiator = initiator,
720: );
721:
722: if (initiator)
723: {
724: this->public.task.build = _build_i;
725: this->public.task.process = _process_i;
726: }
727: else
728: {
729: this->public.task.build = _build_r;
730: this->public.task.process = _process_r;
731: }
732:
733: return &this->public;
734: }