ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity
strongswan/src/libcharon/sa/tasks/ike_mobike.c

653 lines
15 KiB
C
Raw Blame History

/*
* Copyright (C) 2007 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "ike_mobike.h"
#include <string.h>
#include <hydra.h>
#include <daemon.h>
#include <sa/tasks/ike_natd.h>
#include <encoding/payloads/notify_payload.h>
#define COOKIE2_SIZE 16
#define MAX_ADDITIONAL_ADDRS 8
typedef struct private_ike_mobike_t private_ike_mobike_t;
/**
* Private members of a ike_mobike_t task.
*/
struct private_ike_mobike_t {
/**
* Public methods and task_t interface.
*/
ike_mobike_t public;
/**
* Assigned IKE_SA.
*/
ike_sa_t *ike_sa;
/**
* Are we the initiator?
*/
bool initiator;
/**
* cookie2 value to verify new addresses
*/
chunk_t cookie2;
/**
* NAT discovery reusing the IKE_NATD task
*/
ike_natd_t *natd;
/**
* use task to update addresses
*/
bool update;
/**
* do routability check
*/
bool check;
/**
* include address list update
*/
bool address;
/**
* additional addresses got updated
*/
bool addresses_updated;
};
/**
* read notifys from message and evaluate them
*/
static void process_payloads(private_ike_mobike_t *this, message_t *message)
{
enumerator_t *enumerator;
payload_t *payload;
bool first = TRUE;
enumerator = message->create_payload_enumerator(message);
while (enumerator->enumerate(enumerator, &payload))
{
int family = AF_INET;
notify_payload_t *notify;
chunk_t data;
host_t *host;
if (payload->get_type(payload) != NOTIFY)
{
continue;
}
notify = (notify_payload_t*)payload;
switch (notify->get_notify_type(notify))
{
case MOBIKE_SUPPORTED:
{
peer_cfg_t *peer_cfg;
peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
if (!this->initiator &&
peer_cfg && !peer_cfg->use_mobike(peer_cfg))
{
DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
}
else
{
DBG1(DBG_IKE, "peer supports MOBIKE");
this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
}
break;
}
case COOKIE2:
{
chunk_free(&this->cookie2);
this->cookie2 = chunk_clone(notify->get_notification_data(notify));
break;
}
case ADDITIONAL_IP6_ADDRESS:
{
family = AF_INET6;
/* fall through */
}
case ADDITIONAL_IP4_ADDRESS:
{
if (first)
{ /* an ADDITIONAL_*_ADDRESS means replace, so flush once */
this->ike_sa->remove_additional_addresses(this->ike_sa);
first = FALSE;
}
data = notify->get_notification_data(notify);
host = host_create_from_chunk(family, data, 0);
DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
this->ike_sa->add_additional_address(this->ike_sa, host);
this->addresses_updated = TRUE;
break;
}
case UPDATE_SA_ADDRESSES:
{
this->update = TRUE;
break;
}
case NO_ADDITIONAL_ADDRESSES:
{
this->ike_sa->remove_additional_addresses(this->ike_sa);
this->addresses_updated = TRUE;
break;
}
case NAT_DETECTION_SOURCE_IP:
case NAT_DETECTION_DESTINATION_IP:
{
/* NAT check in this MOBIKE exchange, create subtask for it */
if (this->natd == NULL)
{
this->natd = ike_natd_create(this->ike_sa, this->initiator);
}
break;
}
default:
break;
}
}
enumerator->destroy(enumerator);
}
/**
* Add ADDITIONAL_*_ADDRESS notifys depending on our address list
*/
static void build_address_list(private_ike_mobike_t *this, message_t *message)
{
enumerator_t *enumerator;
host_t *host, *me;
notify_type_t type;
int added = 0;
me = this->ike_sa->get_my_host(this->ike_sa);
enumerator = hydra->kernel_interface->create_address_enumerator(
hydra->kernel_interface, FALSE, FALSE);
while (enumerator->enumerate(enumerator, (void**)&host))
{
if (me->ip_equals(me, host))
{ /* "ADDITIONAL" means do not include IKE_SAs host */
continue;
}
switch (host->get_family(host))
{
case AF_INET:
type = ADDITIONAL_IP4_ADDRESS;
break;
case AF_INET6:
type = ADDITIONAL_IP6_ADDRESS;
break;
default:
continue;
}
message->add_notify(message, FALSE, type, host->get_address(host));
if (++added >= MAX_ADDITIONAL_ADDRS)
{ /* limit number of notifys, some implementations do not like too
* many of them (f.e. strongSwan ;-) */
break;
}
}
if (!added)
{
message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
}
enumerator->destroy(enumerator);
}
/**
* build a cookie and add it to the message
*/
static void build_cookie(private_ike_mobike_t *this, message_t *message)
{
rng_t *rng;
chunk_free(&this->cookie2);
rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
if (rng)
{
rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2);
rng->destroy(rng);
message->add_notify(message, FALSE, COOKIE2, this->cookie2);
}
}
/**
* update addresses of associated CHILD_SAs
*/
static void update_children(private_ike_mobike_t *this)
{
enumerator_t *enumerator;
child_sa_t *child_sa;
enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
while (enumerator->enumerate(enumerator, (void**)&child_sa))
{
if (child_sa->update(child_sa,
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa),
this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
{
this->ike_sa->rekey_child_sa(this->ike_sa,
child_sa->get_protocol(child_sa),
child_sa->get_spi(child_sa, TRUE));
}
}
enumerator->destroy(enumerator);
}
/**
* Apply the port of the old host, if its ip equals the new, use port otherwise.
*/
static void apply_port(host_t *host, host_t *old, u_int16_t port)
{
if (host->ip_equals(host, old))
{
port = old->get_port(old);
}
else if (port == IKEV2_UDP_PORT)
{
port = IKEV2_NATT_PORT;
}
host->set_port(host, port);
}
METHOD(ike_mobike_t, transmit, void,
private_ike_mobike_t *this, packet_t *packet)
{
host_t *me, *other, *me_old, *other_old;
enumerator_t *enumerator;
ike_cfg_t *ike_cfg;
packet_t *copy;
if (!this->check)
{
return;
}
me_old = this->ike_sa->get_my_host(this->ike_sa);
other_old = this->ike_sa->get_other_host(this->ike_sa);
ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
me = hydra->kernel_interface->get_source_addr(
hydra->kernel_interface, other_old, NULL);
if (me)
{
apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
DBG1(DBG_IKE, "checking original path %#H - %#H", me, other_old);
copy = packet->clone(packet);
copy->set_source(copy, me);
charon->sender->send(charon->sender, copy);
}
enumerator = this->ike_sa->create_additional_address_enumerator(this->ike_sa);
while (enumerator->enumerate(enumerator, (void**)&other))
{
me = hydra->kernel_interface->get_source_addr(
hydra->kernel_interface, other, NULL);
if (me)
{
if (me->get_family(me) != other->get_family(other))
{
me->destroy(me);
continue;
}
/* reuse port for an active address, 4500 otherwise */
apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
other = other->clone(other);
apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg));
DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
copy = packet->clone(packet);
copy->set_source(copy, me);
copy->set_destination(copy, other);
charon->sender->send(charon->sender, copy);
}
}
enumerator->destroy(enumerator);
}
METHOD(task_t, build_i, status_t,
private_ike_mobike_t *this, message_t *message)
{
if (message->get_exchange_type(message) == IKE_AUTH &&
message->get_message_id(message) == 1)
{ /* only in first IKE_AUTH */
message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
build_address_list(this, message);
}
else if (message->get_exchange_type(message) == INFORMATIONAL)
{
host_t *old, *new;
/* we check if the existing address is still valid */
old = message->get_source(message);
new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
message->get_destination(message), old);
if (new)
{
if (!new->ip_equals(new, old))
{
new->set_port(new, old->get_port(old));
message->set_source(message, new);
}
else
{
new->destroy(new);
}
}
if (this->update)
{
message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
chunk_empty);
build_cookie(this, message);
update_children(this);
}
if (this->address && !this->check)
{
build_address_list(this, message);
}
if (this->natd)
{
this->natd->task.build(&this->natd->task, message);
}
}
return NEED_MORE;
}
METHOD(task_t, process_r, status_t,
private_ike_mobike_t *this, message_t *message)
{
if (message->get_exchange_type(message) == IKE_AUTH &&
message->get_message_id(message) == 1)
{ /* only first IKE_AUTH */
process_payloads(this, message);
}
else if (message->get_exchange_type(message) == INFORMATIONAL)
{
process_payloads(this, message);
if (this->update)
{
host_t *me, *other;
me = message->get_destination(message);
other = message->get_source(message);
this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
}
if (this->natd)
{
this->natd->task.process(&this->natd->task, message);
}
if (this->addresses_updated && this->ike_sa->has_condition(this->ike_sa,
COND_ORIGINAL_INITIATOR))
{
host_t *other = message->get_source(message);
host_t *other_old = this->ike_sa->get_other_host(this->ike_sa);
if (!other->equals(other, other_old))
{
DBG1(DBG_IKE, "remote address changed from %H to %H", other_old,
other);
this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
this->update = TRUE;
}
}
}
return NEED_MORE;
}
METHOD(task_t, build_r, status_t,
private_ike_mobike_t *this, message_t *message)
{
if (message->get_exchange_type(message) == IKE_AUTH &&
this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
{
if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
{
message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
build_address_list(this, message);
}
return SUCCESS;
}
else if (message->get_exchange_type(message) == INFORMATIONAL)
{
if (this->natd)
{
this->natd->task.build(&this->natd->task, message);
}
if (this->cookie2.ptr)
{
message->add_notify(message, FALSE, COOKIE2, this->cookie2);
chunk_free(&this->cookie2);
}
if (this->update)
{
update_children(this);
}
return SUCCESS;
}
return NEED_MORE;
}
METHOD(task_t, process_i, status_t,
private_ike_mobike_t *this, message_t *message)
{
if (message->get_exchange_type(message) == IKE_AUTH &&
this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
{
process_payloads(this, message);
return SUCCESS;
}
else if (message->get_exchange_type(message) == INFORMATIONAL)
{
u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
this->ike_sa->set_pending_updates(this->ike_sa, updates);
if (updates > 0)
{
/* newer update queued, ignore this one */
return SUCCESS;
}
if (this->cookie2.ptr)
{ /* check cookie if we included one */
chunk_t cookie2;
cookie2 = this->cookie2;
this->cookie2 = chunk_empty;
process_payloads(this, message);
if (!chunk_equals(cookie2, this->cookie2))
{
chunk_free(&cookie2);
DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
return FAILED;
}
chunk_free(&cookie2);
}
else
{
process_payloads(this, message);
}
if (this->natd)
{
this->natd->task.process(&this->natd->task, message);
if (this->natd->has_mapping_changed(this->natd))
{
/* force an update if mappings have changed */
this->update = this->check = TRUE;
DBG1(DBG_IKE, "detected changes in NAT mappings, "
"initiating MOBIKE update");
}
}
if (this->update)
{
/* update again, as NAT state may have changed */
update_children(this);
}
if (this->check)
{
host_t *me_new, *me_old, *other_new, *other_old;
me_new = message->get_destination(message);
other_new = message->get_source(message);
me_old = this->ike_sa->get_my_host(this->ike_sa);
other_old = this->ike_sa->get_other_host(this->ike_sa);
if (!me_new->equals(me_new, me_old))
{
this->update = TRUE;
this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
}
if (!other_new->equals(other_new, other_old))
{
this->update = TRUE;
this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
}
if (this->update)
{
/* use the same task to ... */
if (!this->ike_sa->has_condition(this->ike_sa,
COND_ORIGINAL_INITIATOR))
{ /*... send an updated list of addresses as responder */
update_children(this);
this->update = FALSE;
}
else
{ /* ... send the update as original initiator */
if (this->natd)
{
this->natd->task.destroy(&this->natd->task);
}
this->natd = ike_natd_create(this->ike_sa, this->initiator);
}
this->check = FALSE;
this->ike_sa->set_pending_updates(this->ike_sa, 1);
return NEED_MORE;
}
}
return SUCCESS;
}
return NEED_MORE;
}
METHOD(ike_mobike_t, addresses, void,
private_ike_mobike_t *this)
{
this->address = TRUE;
this->ike_sa->set_pending_updates(this->ike_sa,
this->ike_sa->get_pending_updates(this->ike_sa) + 1);
}
METHOD(ike_mobike_t, roam, void,
private_ike_mobike_t *this, bool address)
{
this->check = TRUE;
this->address = address;
this->ike_sa->set_pending_updates(this->ike_sa,
this->ike_sa->get_pending_updates(this->ike_sa) + 1);
}
METHOD(ike_mobike_t, dpd, void,
private_ike_mobike_t *this)
{
if (!this->natd)
{
this->natd = ike_natd_create(this->ike_sa, this->initiator);
}
this->ike_sa->set_pending_updates(this->ike_sa,
this->ike_sa->get_pending_updates(this->ike_sa) + 1);
}
METHOD(ike_mobike_t, is_probing, bool,
private_ike_mobike_t *this)
{
return this->check;
}
METHOD(task_t, get_type, task_type_t,
private_ike_mobike_t *this)
{
return IKE_MOBIKE;
}
METHOD(task_t, migrate, void,
private_ike_mobike_t *this, ike_sa_t *ike_sa)
{
chunk_free(&this->cookie2);
this->ike_sa = ike_sa;
if (this->natd)
{
this->natd->task.migrate(&this->natd->task, ike_sa);
}
}
METHOD(task_t, destroy, void,
private_ike_mobike_t *this)
{
chunk_free(&this->cookie2);
if (this->natd)
{
this->natd->task.destroy(&this->natd->task);
}
free(this);
}
/*
* Described in header.
*/
ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
{
private_ike_mobike_t *this;
INIT(this,
.public = {
.task = {
.get_type = _get_type,
.migrate = _migrate,
.destroy = _destroy,
},
.addresses = _addresses,
.roam = _roam,
.dpd = _dpd,
.transmit = _transmit,
.is_probing = _is_probing,
},
.ike_sa = ike_sa,
.initiator = initiator,
);
if (initiator)
{
this->public.task.build = _build_i;
this->public.task.process = _process_i;
}
else
{
this->public.task.build = _build_r;
this->public.task.process = _process_r;
}
return &this->public;
}
View Git Blame Copy Permalink