[thirdparty/strongswan.git] / src / libcharon / sa / ikev2 / tasks / ike_mobike.c

/*
 * Copyright (C) 2010-2020 Tobias Brunner
 * Copyright (C) 2007 Martin Willi
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "ike_mobike.h"

#include <string.h>

#include <daemon.h>
#include <sa/ikev2/tasks/ike_natd.h>
#include <encoding/payloads/notify_payload.h>

#define COOKIE2_SIZE 16
#define MAX_ADDITIONAL_ADDRS 8

typedef struct private_ike_mobike_t private_ike_mobike_t;

/**
 * Private members of a ike_mobike_t task.
 */
struct private_ike_mobike_t {

	/**
	 * Public methods and task_t interface.
	 */
	ike_mobike_t public;

	/**
	 * Assigned IKE_SA.
	 */
	ike_sa_t *ike_sa;

	/**
	 * Are we the initiator?
	 */
	bool initiator;

	/**
	 * cookie2 value to verify new addresses
	 */
	chunk_t cookie2;

	/**
	 * NAT discovery reusing the TASK_IKE_NATD task
	 */
	ike_natd_t *natd;

	/**
	 * use task to update addresses
	 */
	bool update;

	/**
	 * do routability check
	 */
	bool check;

	/**
	 * include address list update
	 */
	bool address;

	/**
	 * additional addresses got updated
	 */
	bool addresses_updated;
};

/**
 * Check if a newer MOBIKE update task is queued
 */
static bool is_newer_update_queued(private_ike_mobike_t *this)
{
	enumerator_t *enumerator;
	private_ike_mobike_t *mobike;
	task_t *task;
	bool found = FALSE;

	enumerator = this->ike_sa->create_task_enumerator(this->ike_sa,
													  TASK_QUEUE_QUEUED);
	while (enumerator->enumerate(enumerator, &task))
	{
		if (task->get_type(task) == TASK_IKE_MOBIKE)
		{
			mobike = (private_ike_mobike_t*)task;
			/* a queued check or update might invalidate the results of the
			 * current task */
			found = mobike->check || mobike->update;
			break;
		}
	}
	enumerator->destroy(enumerator);
	return found;
}

/**
 * read notifys from message and evaluate them
 */
static void process_payloads(private_ike_mobike_t *this, message_t *message)
{
	enumerator_t *enumerator;
	payload_t *payload;
	bool first = TRUE;

	enumerator = message->create_payload_enumerator(message);
	while (enumerator->enumerate(enumerator, &payload))
	{
		int family = AF_INET;
		notify_payload_t *notify;
		chunk_t data;
		host_t *host;

		if (payload->get_type(payload) != PLV2_NOTIFY)
		{
			continue;
		}
		notify = (notify_payload_t*)payload;
		switch (notify->get_notify_type(notify))
		{
			case MOBIKE_SUPPORTED:
			{
				peer_cfg_t *peer_cfg;

				peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
				if (!this->initiator &&
					peer_cfg && !peer_cfg->use_mobike(peer_cfg))
				{
					DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
				}
				else
				{
					DBG1(DBG_IKE, "peer supports MOBIKE");
					this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
				}
				break;
			}
			case COOKIE2:
			{
				chunk_free(&this->cookie2);
				this->cookie2 = chunk_clone(notify->get_notification_data(notify));
				break;
			}
			case ADDITIONAL_IP6_ADDRESS:
			{
				family = AF_INET6;
				/* fall through */
			}
			case ADDITIONAL_IP4_ADDRESS:
			{
				if (first)
				{	/* an ADDITIONAL_*_ADDRESS means replace, so flush once */
					this->ike_sa->clear_peer_addresses(this->ike_sa);
					first = FALSE;
					/* add the peer's current address to the list */
					host = message->get_source(message);
					this->ike_sa->add_peer_address(this->ike_sa,
												   host->clone(host));
				}
				data = notify->get_notification_data(notify);
				host = host_create_from_chunk(family, data, 0);
				DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
				this->ike_sa->add_peer_address(this->ike_sa, host);
				this->addresses_updated = TRUE;
				break;
			}
			case UPDATE_SA_ADDRESSES:
			{
				this->update = TRUE;
				break;
			}
			case NO_ADDITIONAL_ADDRESSES:
			{
				this->ike_sa->clear_peer_addresses(this->ike_sa);
				/* add the peer's current address to the list */
				host = message->get_source(message);
				this->ike_sa->add_peer_address(this->ike_sa, host->clone(host));
				this->addresses_updated = TRUE;
				break;
			}
			case NAT_DETECTION_SOURCE_IP:
			case NAT_DETECTION_DESTINATION_IP:
			{
				/* NAT check in this MOBIKE exchange, create subtask for it */
				if (!this->natd)
				{
					this->natd = ike_natd_create(this->ike_sa, this->initiator);
				}
				break;
			}
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);
}

/**
 * Add ADDITIONAL_*_ADDRESS notifys depending on our address list
 */
static void build_address_list(private_ike_mobike_t *this, message_t *message)
{
	enumerator_t *enumerator;
	host_t *host, *me;
	notify_type_t type;
	int added = 0;

	me = this->ike_sa->get_my_host(this->ike_sa);
	enumerator = charon->kernel->create_address_enumerator(charon->kernel,
														   ADDR_TYPE_REGULAR);
	while (enumerator->enumerate(enumerator, (void**)&host))
	{
		if (me->ip_equals(me, host))
		{	/* "ADDITIONAL" means do not include IKE_SAs host */
			continue;
		}
		switch (host->get_family(host))
		{
			case AF_INET:
				type = ADDITIONAL_IP4_ADDRESS;
				break;
			case AF_INET6:
				type = ADDITIONAL_IP6_ADDRESS;
				break;
			default:
				continue;
		}
		message->add_notify(message, FALSE, type, host->get_address(host));
		if (++added >= MAX_ADDITIONAL_ADDRS)
		{	/* limit number of notifys, some implementations do not like too
			 * many of them (f.e. strongSwan ;-) */
			break;
		}
	}
	if (!added)
	{
		message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
	}
	enumerator->destroy(enumerator);
}

/**
 * build a cookie and add it to the message
 */
static bool build_cookie(private_ike_mobike_t *this, message_t *message)
{
	rng_t *rng;

	chunk_free(&this->cookie2);
	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
	if (!rng || !rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2))
	{
		DESTROY_IF(rng);
		return FALSE;
	}
	message->add_notify(message, FALSE, COOKIE2, this->cookie2);
	rng->destroy(rng);
	return TRUE;
}

/**
 * Apply the port of the old host, if its ip equals the new, use port otherwise.
 */
static void apply_port(host_t *host, host_t *old, uint16_t port, bool local)
{
	if (host->ip_equals(host, old))
	{
		port = old->get_port(old);
	}
	else if (local && port == charon->socket->get_port(charon->socket, FALSE))
	{
		port = charon->socket->get_port(charon->socket, TRUE);
	}
	else if (!local && port == IKEV2_UDP_PORT)
	{
		port = IKEV2_NATT_PORT;
	}
	host->set_port(host, port);
}

METHOD(ike_mobike_t, transmit, bool,
	   private_ike_mobike_t *this, packet_t *packet)
{
	host_t *me, *other, *me_old, *other_old;
	enumerator_t *enumerator;
	ike_cfg_t *ike_cfg;
	packet_t *copy;
	int family = AF_UNSPEC;
	bool found = FALSE;

	me_old = this->ike_sa->get_my_host(this->ike_sa);
	other_old = this->ike_sa->get_other_host(this->ike_sa);
	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);

	if (!this->check)
	{
		me = charon->kernel->get_source_addr(charon->kernel, other_old, me_old);
		if (me)
		{
			if (me->ip_equals(me, me_old))
			{
				copy = packet->clone(packet);
				/* hosts might have been updated by a peer's MOBIKE exchange */
				copy->set_source(copy, me_old->clone(me_old));
				copy->set_destination(copy, other_old->clone(other_old));
				charon->sender->send(charon->sender, copy);
				me->destroy(me);
				return TRUE;
			}
			me->destroy(me);
		}
		this->check = TRUE;
	}

	switch (charon->socket->supported_families(charon->socket))
	{
		case SOCKET_FAMILY_IPV4:
			family = AF_INET;
			break;
		case SOCKET_FAMILY_IPV6:
			family = AF_INET6;
			break;
		case SOCKET_FAMILY_BOTH:
		case SOCKET_FAMILY_NONE:
			break;
	}

	enumerator = this->ike_sa->create_peer_address_enumerator(this->ike_sa);
	while (enumerator->enumerate(enumerator, (void**)&other))
	{
		if (family != AF_UNSPEC && other->get_family(other) != family)
		{
			continue;
		}
		me = charon->kernel->get_source_addr(charon->kernel, other, NULL);
		if (me)
		{
			/* reuse port for an active address, 4500 otherwise */
			apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg), TRUE);
			other = other->clone(other);
			apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg), FALSE);
			DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
			copy = packet->clone(packet);
			copy->set_source(copy, me);
			copy->set_destination(copy, other);
			charon->sender->send(charon->sender, copy);
			found = TRUE;
		}
	}
	enumerator->destroy(enumerator);
	return found;
}

METHOD(task_t, build_i, status_t,
	   private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		message->get_message_id(message) == 1)
	{	/* only in first IKE_AUTH */
		message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
		build_address_list(this, message);
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		host_t *old, *new;

		/* this task might have been queued before we knew if MOBIKE will be
		 * supported */
		if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
		{
			message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
			return SUCCESS;
		}

		/* we check if the existing address is still valid */
		old = message->get_source(message);
		new = charon->kernel->get_source_addr(charon->kernel,
										message->get_destination(message), old);
		if (new)
		{
			if (!new->ip_equals(new, old))
			{
				new->set_port(new, old->get_port(old));
				message->set_source(message, new);
			}
			else
			{
				new->destroy(new);
			}
		}
		if (this->update)
		{
			message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
								chunk_empty);
			if (!build_cookie(this, message))
			{
				return FAILED;
			}
		}
		if (this->address && !this->check)
		{
			build_address_list(this, message);
		}
		if (this->natd)
		{
			this->natd->task.build(&this->natd->task, message);
		}
	}
	return NEED_MORE;
}

METHOD(task_t, process_r, status_t,
	   private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		message->get_message_id(message) == 1)
	{	/* only first IKE_AUTH */
		process_payloads(this, message);
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		host_t *me_new = NULL, *other, *other_old, *other_new = NULL;

		process_payloads(this, message);

		if (this->natd)
		{
			this->natd->task.process(&this->natd->task, message);
		}

		if (this->update)
		{
			me_new = message->get_destination(message);
			other_new = message->get_source(message);
		}
		else if (this->addresses_updated &&
				 this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
		{
			other = message->get_source(message);
			other_old = this->ike_sa->get_other_host(this->ike_sa);
			if (!other->equals(other, other_old))
			{
				other_new = other;
				/* our address might have changed too if the responder used
				 * a different address from our list to reach us */
				me_new = message->get_destination(message);
			}
		}

		if (me_new || other_new)
		{
			this->ike_sa->update_hosts(this->ike_sa, me_new,
									   other_new, UPDATE_HOSTS_FORCE_ALL);
		}
	}
	return NEED_MORE;
}

METHOD(task_t, build_r, status_t,
	   private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
	{
		if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
		{
			message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
			build_address_list(this, message);
		}
		return SUCCESS;
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		if (this->natd)
		{
			this->natd->task.build(&this->natd->task, message);
		}
		if (this->cookie2.ptr)
		{
			message->add_notify(message, FALSE, COOKIE2, this->cookie2);
			chunk_free(&this->cookie2);
		}
		return SUCCESS;
	}
	return NEED_MORE;
}

METHOD(task_t, process_i, status_t,
	   private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
	{
		process_payloads(this, message);
		return SUCCESS;
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		bool force = FALSE;

		if (is_newer_update_queued(this))
		{
			return SUCCESS;
		}
		if (this->cookie2.ptr)
		{	/* check cookie if we included one */
			chunk_t cookie2;

			cookie2 = this->cookie2;
			this->cookie2 = chunk_empty;
			process_payloads(this, message);
			if (!chunk_equals_const(cookie2, this->cookie2))
			{
				chunk_free(&cookie2);
				DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
				return FAILED;
			}
			chunk_free(&cookie2);
		}
		else
		{
			process_payloads(this, message);
		}
		if (this->natd)
		{
			this->natd->task.process(&this->natd->task, message);

			if (this->update)
			{	/* update children again, as NAT state may have changed */
				this->ike_sa->update_hosts(this->ike_sa, NULL, NULL,
										   UPDATE_HOSTS_FORCE_CHILDREN);
			}
			else if (this->natd->has_mapping_changed(this->natd))
			{	/* force a check/update if mappings have changed during a DPD */
				force = TRUE;
				this->check = TRUE;
				DBG1(DBG_IKE, "detected changes in NAT mappings, "
					 "initiating MOBIKE update");
			}
		}
		if (this->check)
		{
			host_t *me, *me_new = NULL, *other, *other_new = NULL;

			me = message->get_destination(message);
			other = message->get_source(message);

			if (!me->equals(me, this->ike_sa->get_my_host(this->ike_sa)))
			{
				me_new = me;
			}
			if (!other->equals(other, this->ike_sa->get_other_host(this->ike_sa)))
			{
				other_new = other;
			}
			if (me_new || other_new || force)
			{
				this->ike_sa->update_hosts(this->ike_sa, me_new, other_new,
										   UPDATE_HOSTS_FORCE_ALL);
				/* use the same task to ... */
				if (!this->ike_sa->has_condition(this->ike_sa,
												 COND_ORIGINAL_INITIATOR))
				{	/*... send an updated list of addresses as responder */
					this->address = TRUE;
				}
				else
				{	/* ... send the update as original initiator */
					this->update = TRUE;
					if (this->natd)
					{
						this->natd->task.destroy(&this->natd->task);
					}
					this->natd = ike_natd_create(this->ike_sa, this->initiator);
				}
				this->check = FALSE;
				return NEED_MORE;
			}
		}
		return SUCCESS;
	}
	return NEED_MORE;
}

METHOD(ike_mobike_t, addresses, void,
	   private_ike_mobike_t *this)
{
	this->address = TRUE;
}

METHOD(ike_mobike_t, roam, void,
	   private_ike_mobike_t *this, bool address)
{
	this->check = TRUE;
	this->address |= address;
}

METHOD(ike_mobike_t, dpd, void,
	   private_ike_mobike_t *this)
{
	if (!this->natd && this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
	{
		this->natd = ike_natd_create(this->ike_sa, this->initiator);
	}
}

METHOD(ike_mobike_t, is_probing, bool,
	   private_ike_mobike_t *this)
{
	return this->check;
}

METHOD(ike_mobike_t, enable_probing, void,
	private_ike_mobike_t *this)
{
	this->check = TRUE;
}

METHOD(task_t, get_type, task_type_t,
	   private_ike_mobike_t *this)
{
	return TASK_IKE_MOBIKE;
}

METHOD(task_t, migrate, void,
	   private_ike_mobike_t *this, ike_sa_t *ike_sa)
{
	chunk_free(&this->cookie2);
	this->ike_sa = ike_sa;
	if (this->natd)
	{
		this->natd->task.migrate(&this->natd->task, ike_sa);
	}
}

METHOD(task_t, destroy, void,
	   private_ike_mobike_t *this)
{
	chunk_free(&this->cookie2);
	if (this->natd)
	{
		this->natd->task.destroy(&this->natd->task);
	}
	free(this);
}

/*
 * Described in header.
 */
ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
{
	private_ike_mobike_t *this;

	INIT(this,
		.public = {
			.task = {
				.get_type = _get_type,
				.migrate = _migrate,
				.destroy = _destroy,
			},
			.addresses = _addresses,
			.roam = _roam,
			.dpd = _dpd,
			.transmit = _transmit,
			.is_probing = _is_probing,
			.enable_probing = _enable_probing,
		},
		.ike_sa = ike_sa,
		.initiator = initiator,
	);

	if (initiator)
	{
		this->public.task.build = _build_i;
		this->public.task.process = _process_i;
	}
	else
	{
		this->public.task.build = _build_r;
		this->public.task.process = _process_r;
	}

	return &this->public;
}
Commit	Line	Data
17d92e97	1	/*
2b255f01	2	* Copyright (C) 2010-2020 Tobias Brunner
17d92e97	3	* Copyright (C) 2007 Martin Willi
19ef2aec TB	4	*
19ef2aec TB	5	* Copyright (C) secunet Security Networks AG
17d92e97 MW	6	*
	7	* This program is free software; you can redistribute it and/or modify it
	8	* under the terms of the GNU General Public License as published by the
	9	* Free Software Foundation; either version 2 of the License, or (at your
	10	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	11	*
	12	* This program is distributed in the hope that it will be useful, but
	13	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	14	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	15	* for more details.
	16	*/
	17
	18	#include "ike_mobike.h"
	19
	20	#include <string.h>
	21
	22	#include <daemon.h>
15a682f4	23	#include <sa/ikev2/tasks/ike_natd.h>
17d92e97 MW	24	#include <encoding/payloads/notify_payload.h>
17d92e97 MW	25
85a119bc	26	#define COOKIE2_SIZE 16
a1466a3e	27	#define MAX_ADDITIONAL_ADDRS 8
17d92e97 MW	28
	29	typedef struct private_ike_mobike_t private_ike_mobike_t;
	30
	31	/**
	32	* Private members of a ike_mobike_t task.
	33	*/
	34	struct private_ike_mobike_t {
7daf5226	35
17d92e97 MW	36	/**
	37	* Public methods and task_t interface.
	38	*/
	39	ike_mobike_t public;
7daf5226	40
17d92e97 MW	41	/**
	42	* Assigned IKE_SA.
	43	*/
	44	ike_sa_t *ike_sa;
7daf5226	45
17d92e97 MW	46	/**
	47	* Are we the initiator?
	48	*/
	49	bool initiator;
7daf5226	50
17d92e97	51	/**
3bc62fe7	52	* cookie2 value to verify new addresses
17d92e97	53	*/
3bc62fe7	54	chunk_t cookie2;
7daf5226	55
17d92e97	56	/**
a09972df	57	* NAT discovery reusing the TASK_IKE_NATD task
17d92e97	58	*/
3bc62fe7	59	ike_natd_t *natd;
7daf5226	60
4cb9d7a7	61	/**
3bc62fe7	62	* use task to update addresses
4cb9d7a7	63	*/
5474dc65	64	bool update;
7daf5226	65
5474dc65 MW	66	/**
	67	* do routability check
	68	*/
	69	bool check;
7daf5226	70
4cb9d7a7	71	/**
3bc62fe7	72	* include address list update
4cb9d7a7	73	*/
3bc62fe7	74	bool address;
769c69fa TB	75
	76	/**
	77	* additional addresses got updated
	78	*/
	79	bool addresses_updated;
17d92e97 MW	80	};
17d92e97 MW	81
9f049781 TB	82	/**
	83	* Check if a newer MOBIKE update task is queued
	84	*/
	85	static bool is_newer_update_queued(private_ike_mobike_t *this)
	86	{
	87	enumerator_t *enumerator;
	88	private_ike_mobike_t *mobike;
	89	task_t *task;
	90	bool found = FALSE;
	91
	92	enumerator = this->ike_sa->create_task_enumerator(this->ike_sa,
	93	TASK_QUEUE_QUEUED);
	94	while (enumerator->enumerate(enumerator, &task))
	95	{
	96	if (task->get_type(task) == TASK_IKE_MOBIKE)
	97	{
	98	mobike = (private_ike_mobike_t*)task;
	99	/* a queued check or update might invalidate the results of the
	100	* current task */
	101	found = mobike->check \|\| mobike->update;
	102	break;
	103	}
	104	}
	105	enumerator->destroy(enumerator);
	106	return found;
	107	}
	108
17d92e97 MW	109	/**
	110	* read notifys from message and evaluate them
	111	*/
	112	static void process_payloads(private_ike_mobike_t this, message_t message)
	113	{
a44bb934	114	enumerator_t *enumerator;
17d92e97 MW	115	payload_t *payload;
17d92e97 MW	116	bool first = TRUE;
7daf5226	117
a44bb934 MW	118	enumerator = message->create_payload_enumerator(message);
a44bb934 MW	119	while (enumerator->enumerate(enumerator, &payload))
17d92e97 MW	120	{
	121	int family = AF_INET;
	122	notify_payload_t *notify;
	123	chunk_t data;
	124	host_t *host;
7daf5226	125
3ecfc83c	126	if (payload->get_type(payload) != PLV2_NOTIFY)
17d92e97 MW	127	{
	128	continue;
	129	}
	130	notify = (notify_payload_t*)payload;
	131	switch (notify->get_notify_type(notify))
	132	{
	133	case MOBIKE_SUPPORTED:
	134	{
78279973	135	peer_cfg_t *peer_cfg;
7daf5226	136
78279973	137	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
7daf5226	138	if (!this->initiator &&
78279973 MW	139	peer_cfg && !peer_cfg->use_mobike(peer_cfg))
	140	{
	141	DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
	142	}
	143	else
	144	{
	145	DBG1(DBG_IKE, "peer supports MOBIKE");
	146	this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
	147	}
17d92e97 MW	148	break;
17d92e97 MW	149	}
85a119bc MW	150	case COOKIE2:
	151	{
	152	chunk_free(&this->cookie2);
	153	this->cookie2 = chunk_clone(notify->get_notification_data(notify));
	154	break;
	155	}
17d92e97 MW	156	case ADDITIONAL_IP6_ADDRESS:
	157	{
	158	family = AF_INET6;
	159	/* fall through */
	160	}
	161	case ADDITIONAL_IP4_ADDRESS:
	162	{
	163	if (first)
	164	{ /* an ADDITIONAL__ADDRESS means replace, so flush once /
94bbc602	165	this->ike_sa->clear_peer_addresses(this->ike_sa);
4cb9d7a7	166	first = FALSE;
2fe624cc	167	/* add the peer's current address to the list */
53915f14	168	host = message->get_source(message);
94bbc602 TB	169	this->ike_sa->add_peer_address(this->ike_sa,
94bbc602 TB	170	host->clone(host));
17d92e97 MW	171	}
	172	data = notify->get_notification_data(notify);
	173	host = host_create_from_chunk(family, data, 0);
	174	DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
94bbc602	175	this->ike_sa->add_peer_address(this->ike_sa, host);
769c69fa	176	this->addresses_updated = TRUE;
17d92e97 MW	177	break;
17d92e97 MW	178	}
3bc62fe7 MW	179	case UPDATE_SA_ADDRESSES:
3bc62fe7 MW	180	{
5474dc65	181	this->update = TRUE;
3bc62fe7 MW	182	break;
3bc62fe7 MW	183	}
17d92e97 MW	184	case NO_ADDITIONAL_ADDRESSES:
17d92e97 MW	185	{
94bbc602	186	this->ike_sa->clear_peer_addresses(this->ike_sa);
2fe624cc	187	/* add the peer's current address to the list */
53915f14	188	host = message->get_source(message);
94bbc602	189	this->ike_sa->add_peer_address(this->ike_sa, host->clone(host));
769c69fa	190	this->addresses_updated = TRUE;
17d92e97 MW	191	break;
17d92e97 MW	192	}
fc2d1c42 MW	193	case NAT_DETECTION_SOURCE_IP:
	194	case NAT_DETECTION_DESTINATION_IP:
	195	{
	196	/* NAT check in this MOBIKE exchange, create subtask for it */
3a05566d	197	if (!this->natd)
fc2d1c42 MW	198	{
	199	this->natd = ike_natd_create(this->ike_sa, this->initiator);
	200	}
	201	break;
	202	}
17d92e97 MW	203	default:
	204	break;
	205	}
	206	}
a44bb934	207	enumerator->destroy(enumerator);
17d92e97 MW	208	}
	209
	210	/**
	211	* Add ADDITIONAL_*_ADDRESS notifys depending on our address list
	212	*/
	213	static void build_address_list(private_ike_mobike_t this, message_t message)
	214	{
507f26f6	215	enumerator_t *enumerator;
17d92e97 MW	216	host_t host, me;
17d92e97 MW	217	notify_type_t type;
a1466a3e	218	int added = 0;
7daf5226	219
17d92e97	220	me = this->ike_sa->get_my_host(this->ike_sa);
8394ea2a TB	221	enumerator = charon->kernel->create_address_enumerator(charon->kernel,
8394ea2a TB	222	ADDR_TYPE_REGULAR);
507f26f6	223	while (enumerator->enumerate(enumerator, (void**)&host))
17d92e97 MW	224	{
	225	if (me->ip_equals(me, host))
	226	{ /* "ADDITIONAL" means do not include IKE_SAs host */
	227	continue;
	228	}
	229	switch (host->get_family(host))
	230	{
	231	case AF_INET:
	232	type = ADDITIONAL_IP4_ADDRESS;
	233	break;
	234	case AF_INET6:
	235	type = ADDITIONAL_IP6_ADDRESS;
	236	break;
	237	default:
	238	continue;
	239	}
	240	message->add_notify(message, FALSE, type, host->get_address(host));
a1466a3e MW	241	if (++added >= MAX_ADDITIONAL_ADDRS)
	242	{ /* limit number of notifys, some implementations do not like too
	243	* many of them (f.e. strongSwan ;-) */
	244	break;
	245	}
17d92e97	246	}
a1466a3e	247	if (!added)
17d92e97 MW	248	{
	249	message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
	250	}
507f26f6	251	enumerator->destroy(enumerator);
17d92e97 MW	252	}
17d92e97 MW	253
85a119bc	254	/**
7daf5226	255	* build a cookie and add it to the message
85a119bc	256	*/
50491834	257	static bool build_cookie(private_ike_mobike_t this, message_t message)
85a119bc MW	258	{
	259	rng_t *rng;
	260
	261	chunk_free(&this->cookie2);
	262	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
50491834	263	if (!rng \|\| !rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2))
85a119bc	264	{
50491834 TB	265	DESTROY_IF(rng);
50491834 TB	266	return FALSE;
85a119bc	267	}
50491834 TB	268	message->add_notify(message, FALSE, COOKIE2, this->cookie2);
	269	rng->destroy(rng);
	270	return TRUE;
85a119bc MW	271	}
85a119bc MW	272
cc2eadde	273	/**
be901342	274	* Apply the port of the old host, if its ip equals the new, use port otherwise.
cc2eadde	275	*/
b12c53ce	276	static void apply_port(host_t host, host_t old, uint16_t port, bool local)
cc2eadde MW	277	{
	278	if (host->ip_equals(host, old))
	279	{
be901342	280	port = old->get_port(old);
cc2eadde	281	}
b223d517	282	else if (local && port == charon->socket->get_port(charon->socket, FALSE))
cc2eadde	283	{
b223d517 TB	284	port = charon->socket->get_port(charon->socket, TRUE);
	285	}
	286	else if (!local && port == IKEV2_UDP_PORT)
	287	{
	288	port = IKEV2_NATT_PORT;
cc2eadde	289	}
be901342	290	host->set_port(host, port);
cc2eadde MW	291	}
cc2eadde MW	292
7840952e	293	METHOD(ike_mobike_t, transmit, bool,
c817e7bb	294	private_ike_mobike_t this, packet_t packet)
5474dc65 MW	295	{
5474dc65 MW	296	host_t me, other, me_old, other_old;
572abc6c	297	enumerator_t *enumerator;
cc2eadde	298	ike_cfg_t *ike_cfg;
5474dc65	299	packet_t *copy;
c5a5bc85	300	int family = AF_UNSPEC;
7840952e	301	bool found = FALSE;
7daf5226	302
8956dcec TB	303	me_old = this->ike_sa->get_my_host(this->ike_sa);
	304	other_old = this->ike_sa->get_other_host(this->ike_sa);
	305	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
	306
5474dc65 MW	307	if (!this->check)
5474dc65 MW	308	{
8394ea2a	309	me = charon->kernel->get_source_addr(charon->kernel, other_old, me_old);
8956dcec TB	310	if (me)
	311	{
	312	if (me->ip_equals(me, me_old))
	313	{
72cc029e TB	314	copy = packet->clone(packet);
	315	/* hosts might have been updated by a peer's MOBIKE exchange */
	316	copy->set_source(copy, me_old->clone(me_old));
	317	copy->set_destination(copy, other_old->clone(other_old));
	318	charon->sender->send(charon->sender, copy);
8956dcec TB	319	me->destroy(me);
	320	return TRUE;
	321	}
	322	me->destroy(me);
	323	}
	324	this->check = TRUE;
5474dc65 MW	325	}
5474dc65 MW	326
c5a5bc85 TB	327	switch (charon->socket->supported_families(charon->socket))
	328	{
	329	case SOCKET_FAMILY_IPV4:
	330	family = AF_INET;
	331	break;
	332	case SOCKET_FAMILY_IPV6:
	333	family = AF_INET6;
	334	break;
	335	case SOCKET_FAMILY_BOTH:
	336	case SOCKET_FAMILY_NONE:
	337	break;
	338	}
	339
94bbc602	340	enumerator = this->ike_sa->create_peer_address_enumerator(this->ike_sa);
572abc6c	341	while (enumerator->enumerate(enumerator, (void**)&other))
5474dc65	342	{
c5a5bc85 TB	343	if (family != AF_UNSPEC && other->get_family(other) != family)
	344	{
	345	continue;
	346	}
8394ea2a	347	me = charon->kernel->get_source_addr(charon->kernel, other, NULL);
5474dc65 MW	348	if (me)
	349	{
	350	/* reuse port for an active address, 4500 otherwise */
e7ea057f	351	apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg), TRUE);
5474dc65	352	other = other->clone(other);
e7ea057f	353	apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg), FALSE);
d9d69536	354	DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
5474dc65 MW	355	copy = packet->clone(packet);
	356	copy->set_source(copy, me);
	357	copy->set_destination(copy, other);
	358	charon->sender->send(charon->sender, copy);
7840952e	359	found = TRUE;
5474dc65 MW	360	}
5474dc65 MW	361	}
572abc6c	362	enumerator->destroy(enumerator);
7840952e	363	return found;
5474dc65 MW	364	}
5474dc65 MW	365
c817e7bb TB	366	METHOD(task_t, build_i, status_t,
c817e7bb TB	367	private_ike_mobike_t this, message_t message)
17d92e97	368	{
31e7dc4d TB	369	if (message->get_exchange_type(message) == IKE_AUTH &&
31e7dc4d TB	370	message->get_message_id(message) == 1)
a44bb934	371	{ /* only in first IKE_AUTH */
17d92e97 MW	372	message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
	373	build_address_list(this, message);
	374	}
c8739590	375	else if (message->get_exchange_type(message) == INFORMATIONAL)
3bc62fe7	376	{
f0974eb2	377	host_t old, new;
7daf5226	378
90b1d09e TB	379	/* this task might have been queued before we knew if MOBIKE will be
	380	* supported */
	381	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
	382	{
	383	message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
	384	return SUCCESS;
	385	}
	386
7daf5226	387	/* we check if the existing address is still valid */
f0974eb2	388	old = message->get_source(message);
8394ea2a	389	new = charon->kernel->get_source_addr(charon->kernel,
f0974eb2 MW	390	message->get_destination(message), old);
	391	if (new)
	392	{
	393	if (!new->ip_equals(new, old))
	394	{
	395	new->set_port(new, old->get_port(old));
	396	message->set_source(message, new);
	397	}
	398	else
	399	{
	400	new->destroy(new);
	401	}
	402	}
5474dc65	403	if (this->update)
fc2d1c42	404	{
31e7dc4d TB	405	message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
31e7dc4d TB	406	chunk_empty);
50491834 TB	407	if (!build_cookie(this, message))
	408	{
	409	return FAILED;
	410	}
fc2d1c42	411	}
1dbf0ed9	412	if (this->address && !this->check)
3bc62fe7 MW	413	{
	414	build_address_list(this, message);
	415	}
5474dc65 MW	416	if (this->natd)
	417	{
	418	this->natd->task.build(&this->natd->task, message);
	419	}
4cb9d7a7	420	}
17d92e97 MW	421	return NEED_MORE;
	422	}
	423
c817e7bb TB	424	METHOD(task_t, process_r, status_t,
c817e7bb TB	425	private_ike_mobike_t this, message_t message)
4cb9d7a7	426	{
31e7dc4d TB	427	if (message->get_exchange_type(message) == IKE_AUTH &&
31e7dc4d TB	428	message->get_message_id(message) == 1)
a44bb934	429	{ /* only first IKE_AUTH */
4cb9d7a7 MW	430	process_payloads(this, message);
4cb9d7a7 MW	431	}
fc2d1c42 MW	432	else if (message->get_exchange_type(message) == INFORMATIONAL)
fc2d1c42 MW	433	{
2b255f01	434	host_t me_new = NULL, other, other_old, other_new = NULL;
7daf5226	435
2b255f01	436	process_payloads(this, message);
7daf5226	437
fc2d1c42 MW	438	if (this->natd)
	439	{
	440	this->natd->task.process(&this->natd->task, message);
	441	}
2b255f01 TB	442
	443	if (this->update)
	444	{
	445	me_new = message->get_destination(message);
	446	other_new = message->get_source(message);
	447	}
	448	else if (this->addresses_updated &&
	449	this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
769c69fa	450	{
2b255f01 TB	451	other = message->get_source(message);
2b255f01 TB	452	other_old = this->ike_sa->get_other_host(this->ike_sa);
769c69fa TB	453	if (!other->equals(other, other_old))
769c69fa TB	454	{
2b255f01 TB	455	other_new = other;
	456	/* our address might have changed too if the responder used
	457	* a different address from our list to reach us */
	458	me_new = message->get_destination(message);
769c69fa TB	459	}
769c69fa TB	460	}
2b255f01 TB	461
	462	if (me_new \|\| other_new)
	463	{
	464	this->ike_sa->update_hosts(this->ike_sa, me_new,
	465	other_new, UPDATE_HOSTS_FORCE_ALL);
	466	}
fc2d1c42	467	}
17d92e97 MW	468	return NEED_MORE;
	469	}
	470
c817e7bb TB	471	METHOD(task_t, build_r, status_t,
c817e7bb TB	472	private_ike_mobike_t this, message_t message)
17d92e97 MW	473	{
17d92e97 MW	474	if (message->get_exchange_type(message) == IKE_AUTH &&
b8249ff5	475	this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
17d92e97 MW	476	{
	477	if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
	478	{
	479	message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
	480	build_address_list(this, message);
	481	}
	482	return SUCCESS;
	483	}
2b3100b5 MW	484	else if (message->get_exchange_type(message) == INFORMATIONAL)
2b3100b5 MW	485	{
fc2d1c42 MW	486	if (this->natd)
	487	{
	488	this->natd->task.build(&this->natd->task, message);
	489	}
85a119bc MW	490	if (this->cookie2.ptr)
	491	{
	492	message->add_notify(message, FALSE, COOKIE2, this->cookie2);
	493	chunk_free(&this->cookie2);
	494	}
2b3100b5 MW	495	return SUCCESS;
2b3100b5 MW	496	}
17d92e97 MW	497	return NEED_MORE;
	498	}
	499
c817e7bb TB	500	METHOD(task_t, process_i, status_t,
c817e7bb TB	501	private_ike_mobike_t this, message_t message)
17d92e97 MW	502	{
17d92e97 MW	503	if (message->get_exchange_type(message) == IKE_AUTH &&
b8249ff5	504	this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
17d92e97 MW	505	{
	506	process_payloads(this, message);
	507	return SUCCESS;
	508	}
2b3100b5 MW	509	else if (message->get_exchange_type(message) == INFORMATIONAL)
2b3100b5 MW	510	{
abe51389 TB	511	bool force = FALSE;
abe51389 TB	512
9f049781	513	if (is_newer_update_queued(this))
3bc62fe7	514	{
3bc62fe7 MW	515	return SUCCESS;
3bc62fe7 MW	516	}
85a119bc	517	if (this->cookie2.ptr)
9d9a772e	518	{ /* check cookie if we included one */
85a119bc	519	chunk_t cookie2;
7daf5226	520
85a119bc MW	521	cookie2 = this->cookie2;
	522	this->cookie2 = chunk_empty;
	523	process_payloads(this, message);
161a0157	524	if (!chunk_equals_const(cookie2, this->cookie2))
85a119bc MW	525	{
	526	chunk_free(&cookie2);
	527	DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
	528	return FAILED;
	529	}
	530	chunk_free(&cookie2);
	531	}
	532	else
	533	{
	534	process_payloads(this, message);
	535	}
fc2d1c42 MW	536	if (this->natd)
	537	{
	538	this->natd->task.process(&this->natd->task, message);
2b255f01 TB	539
	540	if (this->update)
	541	{ /* update children again, as NAT state may have changed */
	542	this->ike_sa->update_hosts(this->ike_sa, NULL, NULL,
	543	UPDATE_HOSTS_FORCE_CHILDREN);
	544	}
	545	else if (this->natd->has_mapping_changed(this->natd))
	546	{ /* force a check/update if mappings have changed during a DPD */
abe51389	547	force = TRUE;
2b255f01	548	this->check = TRUE;
9d9a772e MW	549	DBG1(DBG_IKE, "detected changes in NAT mappings, "
	550	"initiating MOBIKE update");
	551	}
fc2d1c42	552	}
5474dc65 MW	553	if (this->check)
5474dc65 MW	554	{
2b255f01	555	host_t me, me_new = NULL, other, other_new = NULL;
7daf5226	556
2b255f01 TB	557	me = message->get_destination(message);
2b255f01 TB	558	other = message->get_source(message);
7daf5226	559
2b255f01	560	if (!me->equals(me, this->ike_sa->get_my_host(this->ike_sa)))
5474dc65	561	{
2b255f01	562	me_new = me;
7daf5226	563	}
2b255f01	564	if (!other->equals(other, this->ike_sa->get_other_host(this->ike_sa)))
5474dc65	565	{
2b255f01	566	other_new = other;
5474dc65	567	}
abe51389	568	if (me_new \|\| other_new \|\| force)
5474dc65	569	{
2b255f01 TB	570	this->ike_sa->update_hosts(this->ike_sa, me_new, other_new,
2b255f01 TB	571	UPDATE_HOSTS_FORCE_ALL);
1dbf0ed9	572	/* use the same task to ... */
c5770f86 TB	573	if (!this->ike_sa->has_condition(this->ike_sa,
c5770f86 TB	574	COND_ORIGINAL_INITIATOR))
1dbf0ed9	575	{ /... send an updated list of addresses as responder /
2b255f01	576	this->address = TRUE;
c5770f86	577	}
1dbf0ed9 TB	578	else
1dbf0ed9 TB	579	{ /* ... send the update as original initiator */
2b255f01	580	this->update = TRUE;
1dbf0ed9 TB	581	if (this->natd)
	582	{
	583	this->natd->task.destroy(&this->natd->task);
	584	}
	585	this->natd = ike_natd_create(this->ike_sa, this->initiator);
12d4186f	586	}
1dbf0ed9	587	this->check = FALSE;
5474dc65 MW	588	return NEED_MORE;
	589	}
	590	}
2b3100b5 MW	591	return SUCCESS;
2b3100b5 MW	592	}
17d92e97 MW	593	return NEED_MORE;
	594	}
	595
13876431 TB	596	METHOD(ike_mobike_t, addresses, void,
	597	private_ike_mobike_t *this)
	598	{
	599	this->address = TRUE;
13876431 TB	600	}
13876431 TB	601
c817e7bb TB	602	METHOD(ike_mobike_t, roam, void,
c817e7bb TB	603	private_ike_mobike_t *this, bool address)
17d92e97	604	{
5474dc65	605	this->check = TRUE;
43bbe070	606	this->address \|= address;
17d92e97 MW	607	}
17d92e97 MW	608
c817e7bb TB	609	METHOD(ike_mobike_t, dpd, void,
c817e7bb TB	610	private_ike_mobike_t *this)
9d9a772e	611	{
3a05566d	612	if (!this->natd && this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
9d9a772e MW	613	{
	614	this->natd = ike_natd_create(this->ike_sa, this->initiator);
	615	}
9d9a772e MW	616	}
9d9a772e MW	617
c817e7bb TB	618	METHOD(ike_mobike_t, is_probing, bool,
c817e7bb TB	619	private_ike_mobike_t *this)
f215e919 MW	620	{
	621	return this->check;
	622	}
	623
2180ace9 TB	624	METHOD(ike_mobike_t, enable_probing, void,
	625	private_ike_mobike_t *this)
	626	{
	627	this->check = TRUE;
	628	}
	629
c817e7bb TB	630	METHOD(task_t, get_type, task_type_t,
c817e7bb TB	631	private_ike_mobike_t *this)
17d92e97	632	{
a09972df	633	return TASK_IKE_MOBIKE;
17d92e97 MW	634	}
17d92e97 MW	635
c817e7bb TB	636	METHOD(task_t, migrate, void,
c817e7bb TB	637	private_ike_mobike_t this, ike_sa_t ike_sa)
17d92e97	638	{
4cb9d7a7	639	chunk_free(&this->cookie2);
17d92e97	640	this->ike_sa = ike_sa;
4cb9d7a7 MW	641	if (this->natd)
	642	{
	643	this->natd->task.migrate(&this->natd->task, ike_sa);
	644	}
17d92e97 MW	645	}
17d92e97 MW	646
c817e7bb TB	647	METHOD(task_t, destroy, void,
c817e7bb TB	648	private_ike_mobike_t *this)
17d92e97	649	{
4cb9d7a7 MW	650	chunk_free(&this->cookie2);
	651	if (this->natd)
	652	{
	653	this->natd->task.destroy(&this->natd->task);
	654	}
17d92e97 MW	655	free(this);
	656	}
	657
	658	/*
	659	* Described in header.
	660	*/
	661	ike_mobike_t ike_mobike_create(ike_sa_t ike_sa, bool initiator)
	662	{
c817e7bb TB	663	private_ike_mobike_t *this;
	664
	665	INIT(this,
	666	.public = {
	667	.task = {
	668	.get_type = _get_type,
	669	.migrate = _migrate,
	670	.destroy = _destroy,
	671	},
13876431	672	.addresses = _addresses,
c817e7bb TB	673	.roam = _roam,
	674	.dpd = _dpd,
	675	.transmit = _transmit,
	676	.is_probing = _is_probing,
2180ace9	677	.enable_probing = _enable_probing,
c817e7bb TB	678	},
	679	.ike_sa = ike_sa,
	680	.initiator = initiator,
c817e7bb	681	);
7daf5226	682
17d92e97 MW	683	if (initiator)
17d92e97 MW	684	{
c817e7bb TB	685	this->public.task.build = _build_i;
c817e7bb TB	686	this->public.task.process = _process_i;
17d92e97 MW	687	}
	688	else
	689	{
c817e7bb TB	690	this->public.task.build = _build_r;
c817e7bb TB	691	this->public.task.process = _process_r;
17d92e97	692	}
7daf5226	693
17d92e97 MW	694	return &this->public;
17d92e97 MW	695	}