ikev1: Adopt virtual IPs on new IKE_SA during re-authentication
Some clients like iOS/Mac OS X don't do a mode config exchange on the new SA during re-authentication. If we don't adopt the previous virtual IP Quick Mode rekeying will later fail. If a client does do Mode Config we directly reassign the VIPs we migrated from the old SA, without querying the attributes framework. Fixes #807, #810.
This commit is contained in:
parent
5c6a62ceb6
commit
31be582399
|
@ -1,4 +1,7 @@
|
|||
/*
|
||||
* Copyright (C) 2015 Tobias Brunner
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* Copyright (C) 2012 Martin Willi
|
||||
* Copyright (C) 2012 revosec AG
|
||||
*
|
||||
|
@ -54,10 +57,10 @@ METHOD(job_t, execute, job_requeue_t,
|
|||
private_adopt_children_job_t *this)
|
||||
{
|
||||
identification_t *my_id, *other_id, *xauth;
|
||||
host_t *me, *other;
|
||||
host_t *me, *other, *vip;
|
||||
peer_cfg_t *cfg;
|
||||
linked_list_t *children;
|
||||
enumerator_t *enumerator, *childenum;
|
||||
linked_list_t *children, *vips;
|
||||
enumerator_t *enumerator, *subenum;
|
||||
ike_sa_id_t *id;
|
||||
ike_sa_t *ike_sa;
|
||||
child_sa_t *child_sa;
|
||||
|
@ -81,7 +84,8 @@ METHOD(job_t, execute, job_requeue_t,
|
|||
|
||||
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
|
||||
|
||||
/* find old SA to adopt children from */
|
||||
/* find old SA to adopt children and virtual IPs from */
|
||||
vips = linked_list_create();
|
||||
children = linked_list_create();
|
||||
enumerator = charon->ike_sa_manager->create_id_enumerator(
|
||||
charon->ike_sa_manager, my_id, xauth,
|
||||
|
@ -102,18 +106,29 @@ METHOD(job_t, execute, job_requeue_t,
|
|||
other_id->equals(other_id, ike_sa->get_other_id(ike_sa)) &&
|
||||
cfg->equals(cfg, ike_sa->get_peer_cfg(ike_sa)))
|
||||
{
|
||||
childenum = ike_sa->create_child_sa_enumerator(ike_sa);
|
||||
while (childenum->enumerate(childenum, &child_sa))
|
||||
subenum = ike_sa->create_child_sa_enumerator(ike_sa);
|
||||
while (subenum->enumerate(subenum, &child_sa))
|
||||
{
|
||||
ike_sa->remove_child_sa(ike_sa, childenum);
|
||||
ike_sa->remove_child_sa(ike_sa, subenum);
|
||||
children->insert_last(children, child_sa);
|
||||
}
|
||||
childenum->destroy(childenum);
|
||||
if (children->get_count(children))
|
||||
subenum->destroy(subenum);
|
||||
|
||||
subenum = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
|
||||
while (subenum->enumerate(subenum, &vip))
|
||||
{
|
||||
vips->insert_last(vips, vip->clone(vip));
|
||||
}
|
||||
subenum->destroy(subenum);
|
||||
/* this does not release the addresses, which is good, but
|
||||
* it does trigger an assign_vips(FALSE) event, so we also
|
||||
* trigger one below */
|
||||
ike_sa->clear_virtual_ips(ike_sa, FALSE);
|
||||
if (children->get_count(children) || vips->get_count(vips))
|
||||
{
|
||||
DBG1(DBG_IKE, "detected reauth of existing IKE_SA, "
|
||||
"adopting %d children",
|
||||
children->get_count(children));
|
||||
"adopting %d children and %d virtual IPs",
|
||||
children->get_count(children), vips->get_count(vips));
|
||||
}
|
||||
ike_sa->set_state(ike_sa, IKE_DELETING);
|
||||
charon->bus->ike_updown(charon->bus, ike_sa, FALSE);
|
||||
|
@ -125,7 +140,7 @@ METHOD(job_t, execute, job_requeue_t,
|
|||
charon->ike_sa_manager->checkin(
|
||||
charon->ike_sa_manager, ike_sa);
|
||||
}
|
||||
if (children->get_count(children))
|
||||
if (children->get_count(children) || vips->get_count(vips))
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
@ -140,7 +155,7 @@ METHOD(job_t, execute, job_requeue_t,
|
|||
xauth->destroy(xauth);
|
||||
cfg->destroy(cfg);
|
||||
|
||||
if (children->get_count(children))
|
||||
if (children->get_count(children) || vips->get_count(vips))
|
||||
{
|
||||
/* adopt children by new SA */
|
||||
ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
|
||||
|
@ -152,10 +167,27 @@ METHOD(job_t, execute, job_requeue_t,
|
|||
{
|
||||
ike_sa->add_child_sa(ike_sa, child_sa);
|
||||
}
|
||||
if (vips->get_count(vips))
|
||||
{
|
||||
while (vips->remove_first(vips, (void**)&vip) == SUCCESS)
|
||||
{
|
||||
ike_sa->add_virtual_ip(ike_sa, FALSE, vip);
|
||||
vip->destroy(vip);
|
||||
}
|
||||
charon->bus->assign_vips(charon->bus, ike_sa, TRUE);
|
||||
}
|
||||
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
|
||||
}
|
||||
}
|
||||
children->destroy_offset(children, offsetof(child_sa_t, destroy));
|
||||
/* FIXME: If we still have addresses here it means we weren't able to
|
||||
* find the new SA anymore (while not very likely during a proper
|
||||
* reauthentication, this theoretically could happen because the SA is
|
||||
* not locked while we search for the old one). So the addresses here
|
||||
* should be released properly to avoid leaking these leases. This is
|
||||
* currently not possible, though, due to the changed interface of
|
||||
* release_address(), which now takes a complete IKE_SA object. */
|
||||
vips->destroy_offset(vips, offsetof(host_t, destroy));
|
||||
|
||||
if (array_count(this->tasks))
|
||||
{
|
||||
|
|
|
@ -1728,20 +1728,45 @@ METHOD(ike_sa_manager_t, create_id_enumerator, enumerator_t*,
|
|||
}
|
||||
|
||||
/**
|
||||
* Move all CHILD_SAs from old to new
|
||||
* Move all CHILD_SAs and virtual IPs from old to new
|
||||
*/
|
||||
static void adopt_children(ike_sa_t *old, ike_sa_t *new)
|
||||
static void adopt_children_and_vips(ike_sa_t *old, ike_sa_t *new)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
child_sa_t *child_sa;
|
||||
host_t *vip;
|
||||
int chcount = 0, vipcount = 0;
|
||||
|
||||
|
||||
enumerator = old->create_child_sa_enumerator(old);
|
||||
while (enumerator->enumerate(enumerator, &child_sa))
|
||||
{
|
||||
old->remove_child_sa(old, enumerator);
|
||||
new->add_child_sa(new, child_sa);
|
||||
chcount++;
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
enumerator = old->create_virtual_ip_enumerator(old, FALSE);
|
||||
while (enumerator->enumerate(enumerator, &vip))
|
||||
{
|
||||
new->add_virtual_ip(new, FALSE, vip);
|
||||
vipcount++;
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
/* this does not release the addresses, which is good, but it does trigger
|
||||
* an assign_vips(FALSE) event... */
|
||||
old->clear_virtual_ips(old, FALSE);
|
||||
/* ...trigger the analogous event on the new SA */
|
||||
charon->bus->set_sa(charon->bus, new);
|
||||
charon->bus->assign_vips(charon->bus, new, TRUE);
|
||||
charon->bus->set_sa(charon->bus, old);
|
||||
|
||||
if (chcount || vipcount)
|
||||
{
|
||||
DBG1(DBG_IKE, "detected reauth of existing IKE_SA, adopting %d "
|
||||
"children and %d virtual IPs", chcount, vipcount);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1761,7 +1786,7 @@ static status_t enforce_replace(private_ike_sa_manager_t *this,
|
|||
{
|
||||
/* IKEv1 implicitly takes over children, IKEv2 recreates them
|
||||
* explicitly. */
|
||||
adopt_children(duplicate, new);
|
||||
adopt_children_and_vips(duplicate, new);
|
||||
}
|
||||
/* For IKEv1 we have to delay the delete for the old IKE_SA. Some
|
||||
* peers need to complete the new SA first, otherwise the quick modes
|
||||
|
|
|
@ -350,7 +350,7 @@ static status_t build_set(private_mode_config_t *this, message_t *message)
|
|||
cp_payload_t *cp;
|
||||
peer_cfg_t *config;
|
||||
identification_t *id;
|
||||
linked_list_t *pools;
|
||||
linked_list_t *pools, *migrated, *vips;
|
||||
host_t *any4, *any6, *found;
|
||||
char *name;
|
||||
|
||||
|
@ -358,37 +358,54 @@ static status_t build_set(private_mode_config_t *this, message_t *message)
|
|||
|
||||
id = this->ike_sa->get_other_eap_id(this->ike_sa);
|
||||
config = this->ike_sa->get_peer_cfg(this->ike_sa);
|
||||
any4 = host_create_any(AF_INET);
|
||||
any6 = host_create_any(AF_INET6);
|
||||
|
||||
/* if we migrated virtual IPs during reauthentication, reassign them */
|
||||
migrated = linked_list_create_from_enumerator(
|
||||
this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
|
||||
FALSE));
|
||||
vips = migrated->clone_offset(migrated, offsetof(host_t, clone));
|
||||
migrated->destroy(migrated);
|
||||
this->ike_sa->clear_virtual_ips(this->ike_sa, FALSE);
|
||||
|
||||
/* in push mode, we ask each configured pool for an address */
|
||||
enumerator = config->create_pool_enumerator(config);
|
||||
while (enumerator->enumerate(enumerator, &name))
|
||||
if (!vips->get_count(vips))
|
||||
{
|
||||
pools = linked_list_create_with_items(name, NULL);
|
||||
/* try IPv4, then IPv6 */
|
||||
found = charon->attributes->acquire_address(charon->attributes,
|
||||
pools, this->ike_sa, any4);
|
||||
if (!found)
|
||||
any4 = host_create_any(AF_INET);
|
||||
any6 = host_create_any(AF_INET6);
|
||||
enumerator = config->create_pool_enumerator(config);
|
||||
while (enumerator->enumerate(enumerator, &name))
|
||||
{
|
||||
pools = linked_list_create_with_items(name, NULL);
|
||||
/* try IPv4, then IPv6 */
|
||||
found = charon->attributes->acquire_address(charon->attributes,
|
||||
pools, this->ike_sa, any4);
|
||||
if (!found)
|
||||
{
|
||||
found = charon->attributes->acquire_address(charon->attributes,
|
||||
pools, this->ike_sa, any6);
|
||||
}
|
||||
pools->destroy(pools);
|
||||
if (found)
|
||||
{
|
||||
vips->insert_last(vips, found);
|
||||
}
|
||||
}
|
||||
pools->destroy(pools);
|
||||
if (found)
|
||||
{
|
||||
DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
|
||||
this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found);
|
||||
cp->add_attribute(cp, build_vip(found));
|
||||
this->vips->insert_last(this->vips, found);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
any4->destroy(any4);
|
||||
any6->destroy(any6);
|
||||
}
|
||||
|
||||
enumerator = vips->create_enumerator(vips);
|
||||
while (enumerator->enumerate(enumerator, &found))
|
||||
{
|
||||
DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
|
||||
this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found);
|
||||
cp->add_attribute(cp, build_vip(found));
|
||||
this->vips->insert_last(this->vips, found);
|
||||
vips->remove_at(vips, enumerator);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
any4->destroy(any4);
|
||||
any6->destroy(any6);
|
||||
vips->destroy(vips);
|
||||
|
||||
charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE);
|
||||
|
||||
|
@ -454,6 +471,28 @@ METHOD(task_t, process_r, status_t,
|
|||
return NEED_MORE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Assign a migrated virtual IP
|
||||
*/
|
||||
static host_t *assign_migrated_vip(linked_list_t *migrated, host_t *requested)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
host_t *found = NULL, *vip;
|
||||
|
||||
enumerator = migrated->create_enumerator(migrated);
|
||||
while (enumerator->enumerate(enumerator, &vip))
|
||||
{
|
||||
if (vip->ip_equals(vip, requested))
|
||||
{
|
||||
migrated->remove_at(migrated, enumerator);
|
||||
found = vip;
|
||||
break;
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
return found;
|
||||
}
|
||||
|
||||
/**
|
||||
* Build CFG_REPLY message after receiving CFG_REQUEST
|
||||
*/
|
||||
|
@ -465,29 +504,35 @@ static status_t build_reply(private_mode_config_t *this, message_t *message)
|
|||
cp_payload_t *cp;
|
||||
peer_cfg_t *config;
|
||||
identification_t *id;
|
||||
linked_list_t *vips, *pools;
|
||||
host_t *requested;
|
||||
linked_list_t *vips, *pools, *migrated;
|
||||
host_t *requested, *found;
|
||||
|
||||
cp = cp_payload_create_type(PLV1_CONFIGURATION, CFG_REPLY);
|
||||
|
||||
id = this->ike_sa->get_other_eap_id(this->ike_sa);
|
||||
config = this->ike_sa->get_peer_cfg(this->ike_sa);
|
||||
vips = linked_list_create();
|
||||
pools = linked_list_create_from_enumerator(
|
||||
config->create_pool_enumerator(config));
|
||||
|
||||
/* if we migrated virtual IPs during reauthentication, reassign them */
|
||||
vips = linked_list_create_from_enumerator(
|
||||
this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
|
||||
FALSE));
|
||||
migrated = vips->clone_offset(vips, offsetof(host_t, clone));
|
||||
vips->destroy(vips);
|
||||
this->ike_sa->clear_virtual_ips(this->ike_sa, FALSE);
|
||||
|
||||
vips = linked_list_create();
|
||||
enumerator = this->vips->create_enumerator(this->vips);
|
||||
while (enumerator->enumerate(enumerator, &requested))
|
||||
{
|
||||
host_t *found = NULL;
|
||||
|
||||
/* query all pools until we get an address */
|
||||
DBG1(DBG_IKE, "peer requested virtual IP %H", requested);
|
||||
|
||||
found = charon->attributes->acquire_address(charon->attributes,
|
||||
found = assign_migrated_vip(migrated, requested);
|
||||
if (!found)
|
||||
{
|
||||
found = charon->attributes->acquire_address(charon->attributes,
|
||||
pools, this->ike_sa, requested);
|
||||
}
|
||||
if (found)
|
||||
{
|
||||
DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
|
||||
|
@ -515,6 +560,15 @@ static status_t build_reply(private_mode_config_t *this, message_t *message)
|
|||
type, value));
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
/* if a client did not re-request all adresses, release them */
|
||||
enumerator = migrated->create_enumerator(migrated);
|
||||
while (enumerator->enumerate(enumerator, &found))
|
||||
{
|
||||
charon->attributes->release_address(charon->attributes,
|
||||
pools, found, this->ike_sa);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
migrated->destroy_offset(migrated, offsetof(host_t, destroy));
|
||||
vips->destroy_offset(vips, offsetof(host_t, destroy));
|
||||
pools->destroy(pools);
|
||||
|
||||
|
|
Loading…
Reference in New Issue