[thirdparty/strongswan.git] / src / charon / sa / tasks / ike_mobike.c

/*
 * Copyright (C) 2007 Martin Willi
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 *
 * $Id$
 */

#include "ike_mobike.h"

#include <string.h>

#include <daemon.h>
#include <sa/tasks/ike_natd.h>
#include <encoding/payloads/notify_payload.h>

#define COOKIE2_SIZE 16

typedef struct private_ike_mobike_t private_ike_mobike_t;

/**
 * Private members of a ike_mobike_t task.
 */
struct private_ike_mobike_t {
	
	/**
	 * Public methods and task_t interface.
	 */
	ike_mobike_t public;
	
	/**
	 * Assigned IKE_SA.
	 */
	ike_sa_t *ike_sa;
	
	/**
	 * Are we the initiator?
	 */
	bool initiator;
	
	/**
	 * cookie2 value to verify new addresses
	 */
	chunk_t cookie2;
	
	/**
	 * NAT discovery reusing the IKE_NATD task
	 */
	ike_natd_t *natd;
	
	/**
	 * use task to update addresses
	 */
	bool update;
	
	/**
	 * do routability check
	 */
	bool check;
	
	/**
	 * include address list update
	 */
	bool address;
};

/**
 * flush the IKE_SAs list of additional addresses
 */
static void flush_additional_addresses(private_ike_mobike_t *this)
{
	iterator_t *iterator;
	host_t *host;
	
	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
	while (iterator->iterate(iterator, (void**)&host))
	{
		iterator->remove(iterator);
		host->destroy(host);
	}
	iterator->destroy(iterator);
}


/**
 * read notifys from message and evaluate them
 */
static void process_payloads(private_ike_mobike_t *this, message_t *message)
{
	iterator_t *iterator;
	payload_t *payload;
	bool first = TRUE;
	
	iterator = message->get_payload_iterator(message);
	while (iterator->iterate(iterator, (void**)&payload))
	{
		int family = AF_INET;
		notify_payload_t *notify;
		chunk_t data;
		host_t *host;
		
		if (payload->get_type(payload) != NOTIFY)
		{
			continue;
		}
		notify = (notify_payload_t*)payload;
		switch (notify->get_notify_type(notify))
		{
			case MOBIKE_SUPPORTED:
			{
				DBG1(DBG_IKE, "peer supports MOBIKE");
				this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
				break;
			}
			case COOKIE2:
			{
				chunk_free(&this->cookie2);
				this->cookie2 = chunk_clone(notify->get_notification_data(notify));
				break;
			}
			case ADDITIONAL_IP6_ADDRESS:
			{
				family = AF_INET6;
				/* fall through */
			}
			case ADDITIONAL_IP4_ADDRESS:
			{
				if (first)
				{	/* an ADDITIONAL_*_ADDRESS means replace, so flush once */
					flush_additional_addresses(this);
					first = FALSE;
				}
				data = notify->get_notification_data(notify);
				host = host_create_from_chunk(family, data, 0);
				DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
				this->ike_sa->add_additional_address(this->ike_sa, host);
				break;
			}
			case UPDATE_SA_ADDRESSES:
			{
				this->update = TRUE;
				break;
			}
			case NO_ADDITIONAL_ADDRESSES:
			{
				flush_additional_addresses(this);
				break;
			}
			case NAT_DETECTION_SOURCE_IP:
			case NAT_DETECTION_DESTINATION_IP:
			{
				/* NAT check in this MOBIKE exchange, create subtask for it */
				if (this->natd == NULL)
				{
					this->natd = ike_natd_create(this->ike_sa, this->initiator);
				}
				break;
			}
			default:
				break;
		}
	}
	iterator->destroy(iterator);
}

/**
 * Add ADDITIONAL_*_ADDRESS notifys depending on our address list
 */
static void build_address_list(private_ike_mobike_t *this, message_t *message)
{
	iterator_t *iterator;
	host_t *host, *me;
	notify_type_t type;
	bool additional = FALSE;

	me = this->ike_sa->get_my_host(this->ike_sa);
	iterator = charon->kernel_interface->create_address_iterator(
												charon->kernel_interface);
	while (iterator->iterate(iterator, (void**)&host))
	{
		if (me->ip_equals(me, host))
		{	/* "ADDITIONAL" means do not include IKE_SAs host */
			continue;
		}
		switch (host->get_family(host))
		{
			case AF_INET:
				type = ADDITIONAL_IP4_ADDRESS;
				break;
			case AF_INET6:
				type = ADDITIONAL_IP6_ADDRESS;
				break;
			default:
				continue;
		}
		message->add_notify(message, FALSE, type, host->get_address(host));
		additional = TRUE;
	}
	if (!additional)
	{
		message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
	}
	iterator->destroy(iterator);
}

/**
 * build a cookie and add it to the message 
 */
static void build_cookie(private_ike_mobike_t *this, message_t *message)
{
	rng_t *rng;

	chunk_free(&this->cookie2);
	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
	if (rng)
	{
		rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2);
		rng->destroy(rng);
		message->add_notify(message, FALSE, COOKIE2, this->cookie2);
	}
}

/**
 * update addresses of associated CHILD_SAs
 */
static void update_children(private_ike_mobike_t *this)
{
	iterator_t *iterator;
	child_sa_t *child_sa;
	
	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
	while (iterator->iterate(iterator, (void**)&child_sa))
	{
		child_sa->update_hosts(child_sa,
						this->ike_sa->get_my_host(this->ike_sa), 
						this->ike_sa->get_other_host(this->ike_sa),
						this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
	}
	iterator->destroy(iterator);
}

/**
 * Implementation of ike_mobike_t.transmit
 */
static void transmit(private_ike_mobike_t *this, packet_t *packet)
{
	host_t *me, *other, *me_old, *other_old;
	iterator_t *iterator;
	packet_t *copy;
	
	if (!this->check)
	{
		return;
	}

	me_old = this->ike_sa->get_my_host(this->ike_sa);
	other_old = this->ike_sa->get_other_host(this->ike_sa);
	
	me = charon->kernel_interface->get_source_addr(
										charon->kernel_interface, other_old);
	if (me)
	{
		me->set_port(me, me->ip_equals(me, me_old) ?
					 me_old->get_port(me_old) : IKEV2_NATT_PORT);
		packet->set_source(packet, me);
	}
	
	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
	while (iterator->iterate(iterator, (void**)&other))
	{
		me = charon->kernel_interface->get_source_addr(
											charon->kernel_interface, other);
		if (me)
		{
			if (me->get_family(me) != other->get_family(other))
			{
				me->destroy(me);
				continue;
			}
			/* reuse port for an active address, 4500 otherwise */
			me->set_port(me, me->ip_equals(me, me_old) ?
						 me_old->get_port(me_old) : IKEV2_NATT_PORT);
			other = other->clone(other);
			other->set_port(other, other->ip_equals(other, other_old) ?
							other_old->get_port(other_old) : IKEV2_NATT_PORT);
			DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
			copy = packet->clone(packet);
			copy->set_source(copy, me);
			copy->set_destination(copy, other);
			charon->sender->send(charon->sender, copy);
		}
	}
	iterator->destroy(iterator);
	me = packet->get_source(packet);
	other = packet->get_destination(packet);
	DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
}

/**
 * Implementation of task_t.process for initiator
 */
static status_t build_i(private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		message->get_payload(message, ID_INITIATOR))
	{
		message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
		build_address_list(this, message);
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		if (this->update)
		{
			message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, chunk_empty);
			build_cookie(this, message);
			update_children(this);
		}
		if (this->address)
		{
			build_address_list(this, message);
		}
		if (this->natd)
		{
			this->natd->task.build(&this->natd->task, message);
		}
	}
	return NEED_MORE;
}

/**
 * Implementation of task_t.process for responder
 */
static status_t process_r(private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		message->get_payload(message, ID_INITIATOR))
	{
		process_payloads(this, message);
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		process_payloads(this, message);
		if (this->update)
		{
			host_t *me, *other;
			
			me = message->get_destination(message);
			other = message->get_source(message);
			this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
			this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
		}
		
		if (this->natd)
		{
			this->natd->task.process(&this->natd->task, message);
		}
	}
	return NEED_MORE;
}

/**
 * Implementation of task_t.build for responder
 */
static status_t build_r(private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
	{
		if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
		{
			message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
			build_address_list(this, message);
		}
		return SUCCESS;
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		if (this->natd)
		{
			this->natd->task.build(&this->natd->task, message);
		}
		if (this->cookie2.ptr)
		{
			message->add_notify(message, FALSE, COOKIE2, this->cookie2);
			chunk_free(&this->cookie2);
		}
		if (this->update)
		{
			update_children(this);
		}
		return SUCCESS;
	}
	return NEED_MORE;
}

/**
 * Implementation of task_t.process for initiator
 */
static status_t process_i(private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
	{
		process_payloads(this, message);
		return SUCCESS;
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
		this->ike_sa->set_pending_updates(this->ike_sa, updates);
		if (updates > 0)
		{
			/* newer update queued, ignore this one */
			return SUCCESS;
		}
		if (this->cookie2.ptr)
		{	/* check cookie if we included none */
			chunk_t cookie2;
			
			cookie2 = this->cookie2;
			this->cookie2 = chunk_empty;
			process_payloads(this, message);
			if (!chunk_equals(cookie2, this->cookie2))
			{
				chunk_free(&cookie2);
				DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
				return FAILED;
			}
			chunk_free(&cookie2);
		}
		else
		{
			process_payloads(this, message);
		}
		if (this->natd)
		{
			this->natd->task.process(&this->natd->task, message);
		}
		if (this->update)
		{
			/* update again, as NAT state may have changed */
			update_children(this);
		}
		if (this->check)
		{
			host_t *me_new, *me_old, *other_new, *other_old;
			
			me_new = message->get_destination(message);
			other_new = message->get_source(message);
			me_old = this->ike_sa->get_my_host(this->ike_sa);
			other_old = this->ike_sa->get_other_host(this->ike_sa);
			
			if (!me_new->equals(me_new, me_old))
			{
				this->update = TRUE;
				this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
			}			
			if (!other_new->equals(other_new, other_old))
			{
				this->update = TRUE;
				this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
			}
			if (this->update)
			{
				/* start the update with the same task */
				this->check = FALSE;
				this->address = FALSE;
				this->natd = ike_natd_create(this->ike_sa, this->initiator);
				this->ike_sa->set_pending_updates(this->ike_sa, 1);
				return NEED_MORE;
			}
		}
		return SUCCESS;
	}
	return NEED_MORE;
}

/**
 * Implementation of ike_mobike_t.roam.
 */
static void roam(private_ike_mobike_t *this, bool address)
{
	this->check = TRUE;
	this->address = address;
	this->ike_sa->set_pending_updates(this->ike_sa, 
							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
}

/**
 * Implementation of ike_mobike_t.is_probing.
 */
static bool is_probing(private_ike_mobike_t *this)
{
	return this->check;
}

/**
 * Implementation of task_t.get_type
 */
static task_type_t get_type(private_ike_mobike_t *this)
{
	return IKE_MOBIKE;
}

/**
 * Implementation of task_t.migrate
 */
static void migrate(private_ike_mobike_t *this, ike_sa_t *ike_sa)
{
	chunk_free(&this->cookie2);
	this->ike_sa = ike_sa;
	if (this->natd)
	{
		this->natd->task.migrate(&this->natd->task, ike_sa);
	}
}

/**
 * Implementation of task_t.destroy
 */
static void destroy(private_ike_mobike_t *this)
{
	chunk_free(&this->cookie2);
	if (this->natd)
	{
		this->natd->task.destroy(&this->natd->task);
	}
	free(this);
}

/*
 * Described in header.
 */
ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
{
	private_ike_mobike_t *this = malloc_thing(private_ike_mobike_t);

	this->public.roam = (void(*)(ike_mobike_t*,bool))roam;
	this->public.transmit = (void(*)(ike_mobike_t*,packet_t*))transmit;
	this->public.is_probing = (bool(*)(ike_mobike_t*))is_probing;
	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
	this->public.task.destroy = (void(*)(task_t*))destroy;
	
	if (initiator)
	{
		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
	}
	else
	{
		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
	}
	
	this->ike_sa = ike_sa;
	this->initiator = initiator;
	this->update = FALSE;
	this->check = FALSE;
	this->address = TRUE;
	this->cookie2 = chunk_empty;
	this->natd = NULL;
	
	return &this->public;
}
Commit	Line	Data
17d92e97 MW	1	/*
	2	* Copyright (C) 2007 Martin Willi
	3	* Hochschule fuer Technik Rapperswil
	4	*
	5	* This program is free software; you can redistribute it and/or modify it
	6	* under the terms of the GNU General Public License as published by the
	7	* Free Software Foundation; either version 2 of the License, or (at your
	8	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	9	*
	10	* This program is distributed in the hope that it will be useful, but
	11	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	12	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	13	* for more details.
552cc11b MW	14	*
552cc11b MW	15	* $Id$
17d92e97 MW	16	*/
	17
	18	#include "ike_mobike.h"
	19
	20	#include <string.h>
	21
	22	#include <daemon.h>
4cb9d7a7	23	#include <sa/tasks/ike_natd.h>
17d92e97 MW	24	#include <encoding/payloads/notify_payload.h>
17d92e97 MW	25
85a119bc	26	#define COOKIE2_SIZE 16
17d92e97 MW	27
	28	typedef struct private_ike_mobike_t private_ike_mobike_t;
	29
	30	/**
	31	* Private members of a ike_mobike_t task.
	32	*/
	33	struct private_ike_mobike_t {
	34
	35	/**
	36	* Public methods and task_t interface.
	37	*/
	38	ike_mobike_t public;
	39
	40	/**
	41	* Assigned IKE_SA.
	42	*/
	43	ike_sa_t *ike_sa;
	44
	45	/**
	46	* Are we the initiator?
	47	*/
	48	bool initiator;
	49
	50	/**
3bc62fe7	51	* cookie2 value to verify new addresses
17d92e97	52	*/
3bc62fe7	53	chunk_t cookie2;
17d92e97 MW	54
17d92e97 MW	55	/**
3bc62fe7	56	* NAT discovery reusing the IKE_NATD task
17d92e97	57	*/
3bc62fe7	58	ike_natd_t *natd;
4cb9d7a7 MW	59
4cb9d7a7 MW	60	/**
3bc62fe7	61	* use task to update addresses
4cb9d7a7	62	*/
5474dc65 MW	63	bool update;
	64
	65	/**
	66	* do routability check
	67	*/
	68	bool check;
4cb9d7a7 MW	69
4cb9d7a7 MW	70	/**
3bc62fe7	71	* include address list update
4cb9d7a7	72	*/
3bc62fe7	73	bool address;
17d92e97 MW	74	};
	75
	76	/**
	77	* flush the IKE_SAs list of additional addresses
	78	*/
	79	static void flush_additional_addresses(private_ike_mobike_t *this)
	80	{
	81	iterator_t *iterator;
	82	host_t *host;
	83
	84	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
	85	while (iterator->iterate(iterator, (void**)&host))
	86	{
	87	iterator->remove(iterator);
	88	host->destroy(host);
	89	}
	90	iterator->destroy(iterator);
	91	}
	92
	93
	94	/**
	95	* read notifys from message and evaluate them
	96	*/
	97	static void process_payloads(private_ike_mobike_t this, message_t message)
	98	{
	99	iterator_t *iterator;
	100	payload_t *payload;
	101	bool first = TRUE;
	102
	103	iterator = message->get_payload_iterator(message);
	104	while (iterator->iterate(iterator, (void**)&payload))
	105	{
	106	int family = AF_INET;
	107	notify_payload_t *notify;
	108	chunk_t data;
	109	host_t *host;
	110
	111	if (payload->get_type(payload) != NOTIFY)
	112	{
	113	continue;
	114	}
	115	notify = (notify_payload_t*)payload;
	116	switch (notify->get_notify_type(notify))
	117	{
	118	case MOBIKE_SUPPORTED:
	119	{
bcac22f3	120	DBG1(DBG_IKE, "peer supports MOBIKE");
17d92e97 MW	121	this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
	122	break;
	123	}
85a119bc MW	124	case COOKIE2:
	125	{
	126	chunk_free(&this->cookie2);
	127	this->cookie2 = chunk_clone(notify->get_notification_data(notify));
	128	break;
	129	}
17d92e97 MW	130	case ADDITIONAL_IP6_ADDRESS:
	131	{
	132	family = AF_INET6;
	133	/* fall through */
	134	}
	135	case ADDITIONAL_IP4_ADDRESS:
	136	{
	137	if (first)
	138	{ /* an ADDITIONAL__ADDRESS means replace, so flush once /
	139	flush_additional_addresses(this);
4cb9d7a7	140	first = FALSE;
17d92e97 MW	141	}
	142	data = notify->get_notification_data(notify);
	143	host = host_create_from_chunk(family, data, 0);
	144	DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
	145	this->ike_sa->add_additional_address(this->ike_sa, host);
	146	break;
	147	}
3bc62fe7 MW	148	case UPDATE_SA_ADDRESSES:
3bc62fe7 MW	149	{
5474dc65	150	this->update = TRUE;
3bc62fe7 MW	151	break;
3bc62fe7 MW	152	}
17d92e97 MW	153	case NO_ADDITIONAL_ADDRESSES:
	154	{
	155	flush_additional_addresses(this);
	156	break;
	157	}
fc2d1c42 MW	158	case NAT_DETECTION_SOURCE_IP:
	159	case NAT_DETECTION_DESTINATION_IP:
	160	{
	161	/* NAT check in this MOBIKE exchange, create subtask for it */
	162	if (this->natd == NULL)
	163	{
	164	this->natd = ike_natd_create(this->ike_sa, this->initiator);
	165	}
	166	break;
	167	}
17d92e97 MW	168	default:
	169	break;
	170	}
	171	}
	172	iterator->destroy(iterator);
	173	}
	174
	175	/**
	176	* Add ADDITIONAL_*_ADDRESS notifys depending on our address list
	177	*/
	178	static void build_address_list(private_ike_mobike_t this, message_t message)
	179	{
	180	iterator_t *iterator;
	181	host_t host, me;
	182	notify_type_t type;
	183	bool additional = FALSE;
	184
	185	me = this->ike_sa->get_my_host(this->ike_sa);
	186	iterator = charon->kernel_interface->create_address_iterator(
	187	charon->kernel_interface);
	188	while (iterator->iterate(iterator, (void**)&host))
	189	{
	190	if (me->ip_equals(me, host))
	191	{ /* "ADDITIONAL" means do not include IKE_SAs host */
	192	continue;
	193	}
	194	switch (host->get_family(host))
	195	{
	196	case AF_INET:
	197	type = ADDITIONAL_IP4_ADDRESS;
	198	break;
	199	case AF_INET6:
	200	type = ADDITIONAL_IP6_ADDRESS;
	201	break;
	202	default:
	203	continue;
	204	}
	205	message->add_notify(message, FALSE, type, host->get_address(host));
	206	additional = TRUE;
	207	}
	208	if (!additional)
	209	{
	210	message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
	211	}
	212	iterator->destroy(iterator);
	213	}
	214
85a119bc MW	215	/**
	216	* build a cookie and add it to the message
	217	*/
	218	static void build_cookie(private_ike_mobike_t this, message_t message)
	219	{
	220	rng_t *rng;
	221
	222	chunk_free(&this->cookie2);
	223	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
	224	if (rng)
	225	{
	226	rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2);
	227	rng->destroy(rng);
	228	message->add_notify(message, FALSE, COOKIE2, this->cookie2);
	229	}
	230	}
	231
3bc62fe7 MW	232	/**
	233	* update addresses of associated CHILD_SAs
	234	*/
	235	static void update_children(private_ike_mobike_t *this)
	236	{
	237	iterator_t *iterator;
	238	child_sa_t *child_sa;
	239
	240	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
	241	while (iterator->iterate(iterator, (void**)&child_sa))
	242	{
	243	child_sa->update_hosts(child_sa,
	244	this->ike_sa->get_my_host(this->ike_sa),
	245	this->ike_sa->get_other_host(this->ike_sa),
	246	this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
	247	}
	248	iterator->destroy(iterator);
	249	}
	250
5474dc65 MW	251	/**
	252	* Implementation of ike_mobike_t.transmit
	253	*/
	254	static void transmit(private_ike_mobike_t this, packet_t packet)
	255	{
	256	host_t me, other, me_old, other_old;
	257	iterator_t *iterator;
	258	packet_t *copy;
	259
	260	if (!this->check)
	261	{
	262	return;
	263	}
	264
	265	me_old = this->ike_sa->get_my_host(this->ike_sa);
	266	other_old = this->ike_sa->get_other_host(this->ike_sa);
	267
	268	me = charon->kernel_interface->get_source_addr(
	269	charon->kernel_interface, other_old);
	270	if (me)
	271	{
	272	me->set_port(me, me->ip_equals(me, me_old) ?
	273	me_old->get_port(me_old) : IKEV2_NATT_PORT);
	274	packet->set_source(packet, me);
	275	}
	276
	277	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
	278	while (iterator->iterate(iterator, (void**)&other))
	279	{
	280	me = charon->kernel_interface->get_source_addr(
	281	charon->kernel_interface, other);
	282	if (me)
	283	{
de3d65a1 MW	284	if (me->get_family(me) != other->get_family(other))
	285	{
	286	me->destroy(me);
	287	continue;
	288	}
5474dc65 MW	289	/* reuse port for an active address, 4500 otherwise */
	290	me->set_port(me, me->ip_equals(me, me_old) ?
	291	me_old->get_port(me_old) : IKEV2_NATT_PORT);
	292	other = other->clone(other);
	293	other->set_port(other, other->ip_equals(other, other_old) ?
	294	other_old->get_port(other_old) : IKEV2_NATT_PORT);
d9d69536	295	DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
5474dc65 MW	296	copy = packet->clone(packet);
	297	copy->set_source(copy, me);
	298	copy->set_destination(copy, other);
	299	charon->sender->send(charon->sender, copy);
	300	}
	301	}
	302	iterator->destroy(iterator);
d9d69536 MW	303	me = packet->get_source(packet);
	304	other = packet->get_destination(packet);
	305	DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
5474dc65 MW	306	}
5474dc65 MW	307
17d92e97 MW	308	/**
	309	* Implementation of task_t.process for initiator
	310	*/
	311	static status_t build_i(private_ike_mobike_t this, message_t message)
	312	{
	313	if (message->get_exchange_type(message) == IKE_AUTH &&
b8249ff5	314	message->get_payload(message, ID_INITIATOR))
4cb9d7a7	315	{
17d92e97 MW	316	message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
	317	build_address_list(this, message);
	318	}
c8739590	319	else if (message->get_exchange_type(message) == INFORMATIONAL)
3bc62fe7	320	{
5474dc65	321	if (this->update)
fc2d1c42	322	{
3bc62fe7	323	message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, chunk_empty);
85a119bc	324	build_cookie(this, message);
5474dc65	325	update_children(this);
fc2d1c42	326	}
3bc62fe7 MW	327	if (this->address)
	328	{
	329	build_address_list(this, message);
	330	}
5474dc65 MW	331	if (this->natd)
	332	{
	333	this->natd->task.build(&this->natd->task, message);
	334	}
4cb9d7a7	335	}
17d92e97 MW	336	return NEED_MORE;
	337	}
	338
	339	/**
	340	* Implementation of task_t.process for responder
	341	*/
	342	static status_t process_r(private_ike_mobike_t this, message_t message)
4cb9d7a7	343	{
fc2d1c42	344	if (message->get_exchange_type(message) == IKE_AUTH &&
b8249ff5	345	message->get_payload(message, ID_INITIATOR))
4cb9d7a7 MW	346	{
	347	process_payloads(this, message);
	348	}
fc2d1c42 MW	349	else if (message->get_exchange_type(message) == INFORMATIONAL)
	350	{
	351	process_payloads(this, message);
5474dc65	352	if (this->update)
3bc62fe7 MW	353	{
	354	host_t me, other;
	355
	356	me = message->get_destination(message);
	357	other = message->get_source(message);
	358	this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
	359	this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
	360	}
	361
fc2d1c42 MW	362	if (this->natd)
	363	{
	364	this->natd->task.process(&this->natd->task, message);
	365	}
	366	}
17d92e97 MW	367	return NEED_MORE;
	368	}
	369
	370	/**
	371	* Implementation of task_t.build for responder
	372	*/
	373	static status_t build_r(private_ike_mobike_t this, message_t message)
	374	{
	375	if (message->get_exchange_type(message) == IKE_AUTH &&
b8249ff5	376	this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
17d92e97 MW	377	{
	378	if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
	379	{
	380	message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
	381	build_address_list(this, message);
	382	}
	383	return SUCCESS;
	384	}
2b3100b5 MW	385	else if (message->get_exchange_type(message) == INFORMATIONAL)
2b3100b5 MW	386	{
fc2d1c42 MW	387	if (this->natd)
	388	{
	389	this->natd->task.build(&this->natd->task, message);
	390	}
85a119bc MW	391	if (this->cookie2.ptr)
	392	{
	393	message->add_notify(message, FALSE, COOKIE2, this->cookie2);
	394	chunk_free(&this->cookie2);
	395	}
5474dc65	396	if (this->update)
3bc62fe7 MW	397	{
	398	update_children(this);
	399	}
2b3100b5 MW	400	return SUCCESS;
2b3100b5 MW	401	}
17d92e97 MW	402	return NEED_MORE;
	403	}
	404
	405	/**
	406	* Implementation of task_t.process for initiator
	407	*/
	408	static status_t process_i(private_ike_mobike_t this, message_t message)
	409	{
	410	if (message->get_exchange_type(message) == IKE_AUTH &&
b8249ff5	411	this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
17d92e97 MW	412	{
	413	process_payloads(this, message);
	414	return SUCCESS;
	415	}
2b3100b5 MW	416	else if (message->get_exchange_type(message) == INFORMATIONAL)
2b3100b5 MW	417	{
3bc62fe7 MW	418	u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
	419	this->ike_sa->set_pending_updates(this->ike_sa, updates);
	420	if (updates > 0)
	421	{
	422	/* newer update queued, ignore this one */
	423	return SUCCESS;
	424	}
85a119bc MW	425	if (this->cookie2.ptr)
	426	{ /* check cookie if we included none */
	427	chunk_t cookie2;
	428
	429	cookie2 = this->cookie2;
	430	this->cookie2 = chunk_empty;
	431	process_payloads(this, message);
	432	if (!chunk_equals(cookie2, this->cookie2))
	433	{
	434	chunk_free(&cookie2);
	435	DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
	436	return FAILED;
	437	}
	438	chunk_free(&cookie2);
	439	}
	440	else
	441	{
	442	process_payloads(this, message);
	443	}
fc2d1c42 MW	444	if (this->natd)
	445	{
	446	this->natd->task.process(&this->natd->task, message);
	447	}
5474dc65	448	if (this->update)
3bc62fe7 MW	449	{
	450	/* update again, as NAT state may have changed */
	451	update_children(this);
	452	}
5474dc65 MW	453	if (this->check)
	454	{
	455	host_t me_new, me_old, other_new, other_old;
	456
	457	me_new = message->get_destination(message);
	458	other_new = message->get_source(message);
	459	me_old = this->ike_sa->get_my_host(this->ike_sa);
	460	other_old = this->ike_sa->get_other_host(this->ike_sa);
	461
	462	if (!me_new->equals(me_new, me_old))
	463	{
	464	this->update = TRUE;
	465	this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
	466	}
	467	if (!other_new->equals(other_new, other_old))
	468	{
	469	this->update = TRUE;
	470	this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
	471	}
	472	if (this->update)
	473	{
	474	/* start the update with the same task */
	475	this->check = FALSE;
	476	this->address = FALSE;
12fa4387	477	this->natd = ike_natd_create(this->ike_sa, this->initiator);
5474dc65 MW	478	this->ike_sa->set_pending_updates(this->ike_sa, 1);
	479	return NEED_MORE;
	480	}
	481	}
2b3100b5 MW	482	return SUCCESS;
2b3100b5 MW	483	}
17d92e97 MW	484	return NEED_MORE;
	485	}
	486
	487	/**
	488	* Implementation of ike_mobike_t.roam.
	489	*/
3bc62fe7	490	static void roam(private_ike_mobike_t *this, bool address)
17d92e97	491	{
5474dc65	492	this->check = TRUE;
3bc62fe7 MW	493	this->address = address;
	494	this->ike_sa->set_pending_updates(this->ike_sa,
	495	this->ike_sa->get_pending_updates(this->ike_sa) + 1);
17d92e97 MW	496	}
17d92e97 MW	497
f215e919 MW	498	/**
	499	* Implementation of ike_mobike_t.is_probing.
	500	*/
	501	static bool is_probing(private_ike_mobike_t *this)
	502	{
	503	return this->check;
	504	}
	505
17d92e97 MW	506	/**
	507	* Implementation of task_t.get_type
	508	*/
	509	static task_type_t get_type(private_ike_mobike_t *this)
	510	{
	511	return IKE_MOBIKE;
	512	}
	513
	514	/**
	515	* Implementation of task_t.migrate
	516	*/
	517	static void migrate(private_ike_mobike_t this, ike_sa_t ike_sa)
	518	{
4cb9d7a7	519	chunk_free(&this->cookie2);
17d92e97	520	this->ike_sa = ike_sa;
4cb9d7a7 MW	521	if (this->natd)
	522	{
	523	this->natd->task.migrate(&this->natd->task, ike_sa);
	524	}
17d92e97 MW	525	}
	526
	527	/**
	528	* Implementation of task_t.destroy
	529	*/
	530	static void destroy(private_ike_mobike_t *this)
	531	{
4cb9d7a7 MW	532	chunk_free(&this->cookie2);
	533	if (this->natd)
	534	{
	535	this->natd->task.destroy(&this->natd->task);
	536	}
17d92e97 MW	537	free(this);
	538	}
	539
	540	/*
	541	* Described in header.
	542	*/
	543	ike_mobike_t ike_mobike_create(ike_sa_t ike_sa, bool initiator)
	544	{
	545	private_ike_mobike_t *this = malloc_thing(private_ike_mobike_t);
	546
3bc62fe7	547	this->public.roam = (void()(ike_mobike_t,bool))roam;
5474dc65	548	this->public.transmit = (void()(ike_mobike_t,packet_t*))transmit;
f215e919	549	this->public.is_probing = (bool()(ike_mobike_t))is_probing;
17d92e97 MW	550	this->public.task.get_type = (task_type_t()(task_t))get_type;
	551	this->public.task.migrate = (void()(task_t,ike_sa_t*))migrate;
	552	this->public.task.destroy = (void()(task_t))destroy;
	553
	554	if (initiator)
	555	{
	556	this->public.task.build = (status_t()(task_t,message_t*))build_i;
	557	this->public.task.process = (status_t()(task_t,message_t*))process_i;
	558	}
	559	else
	560	{
	561	this->public.task.build = (status_t()(task_t,message_t*))build_r;
	562	this->public.task.process = (status_t()(task_t,message_t*))process_r;
	563	}
	564
	565	this->ike_sa = ike_sa;
	566	this->initiator = initiator;
5474dc65 MW	567	this->update = FALSE;
5474dc65 MW	568	this->check = FALSE;
3bc62fe7	569	this->address = TRUE;
4cb9d7a7 MW	570	this->cookie2 = chunk_empty;
4cb9d7a7 MW	571	this->natd = NULL;
17d92e97 MW	572
	573	return &this->public;
	574	}
	575