]>
Commit | Line | Data |
---|---|---|
17d92e97 | 1 | /* |
2b255f01 | 2 | * Copyright (C) 2010-2020 Tobias Brunner |
17d92e97 | 3 | * Copyright (C) 2007 Martin Willi |
19ef2aec TB |
4 | * |
5 | * Copyright (C) secunet Security Networks AG | |
17d92e97 MW |
6 | * |
7 | * This program is free software; you can redistribute it and/or modify it | |
8 | * under the terms of the GNU General Public License as published by the | |
9 | * Free Software Foundation; either version 2 of the License, or (at your | |
10 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
11 | * | |
12 | * This program is distributed in the hope that it will be useful, but | |
13 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
14 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
15 | * for more details. | |
16 | */ | |
17 | ||
18 | #include "ike_mobike.h" | |
19 | ||
20 | #include <string.h> | |
21 | ||
22 | #include <daemon.h> | |
15a682f4 | 23 | #include <sa/ikev2/tasks/ike_natd.h> |
17d92e97 MW |
24 | #include <encoding/payloads/notify_payload.h> |
25 | ||
85a119bc | 26 | #define COOKIE2_SIZE 16 |
a1466a3e | 27 | #define MAX_ADDITIONAL_ADDRS 8 |
17d92e97 MW |
28 | |
29 | typedef struct private_ike_mobike_t private_ike_mobike_t; | |
30 | ||
31 | /** | |
32 | * Private members of a ike_mobike_t task. | |
33 | */ | |
34 | struct private_ike_mobike_t { | |
7daf5226 | 35 | |
17d92e97 MW |
36 | /** |
37 | * Public methods and task_t interface. | |
38 | */ | |
39 | ike_mobike_t public; | |
7daf5226 | 40 | |
17d92e97 MW |
41 | /** |
42 | * Assigned IKE_SA. | |
43 | */ | |
44 | ike_sa_t *ike_sa; | |
7daf5226 | 45 | |
17d92e97 MW |
46 | /** |
47 | * Are we the initiator? | |
48 | */ | |
49 | bool initiator; | |
7daf5226 | 50 | |
17d92e97 | 51 | /** |
3bc62fe7 | 52 | * cookie2 value to verify new addresses |
17d92e97 | 53 | */ |
3bc62fe7 | 54 | chunk_t cookie2; |
7daf5226 | 55 | |
17d92e97 | 56 | /** |
a09972df | 57 | * NAT discovery reusing the TASK_IKE_NATD task |
17d92e97 | 58 | */ |
3bc62fe7 | 59 | ike_natd_t *natd; |
7daf5226 | 60 | |
4cb9d7a7 | 61 | /** |
3bc62fe7 | 62 | * use task to update addresses |
4cb9d7a7 | 63 | */ |
5474dc65 | 64 | bool update; |
7daf5226 | 65 | |
5474dc65 MW |
66 | /** |
67 | * do routability check | |
68 | */ | |
69 | bool check; | |
7daf5226 | 70 | |
4cb9d7a7 | 71 | /** |
3bc62fe7 | 72 | * include address list update |
4cb9d7a7 | 73 | */ |
3bc62fe7 | 74 | bool address; |
769c69fa TB |
75 | |
76 | /** | |
77 | * additional addresses got updated | |
78 | */ | |
79 | bool addresses_updated; | |
17d92e97 MW |
80 | }; |
81 | ||
9f049781 TB |
82 | /** |
83 | * Check if a newer MOBIKE update task is queued | |
84 | */ | |
85 | static bool is_newer_update_queued(private_ike_mobike_t *this) | |
86 | { | |
87 | enumerator_t *enumerator; | |
88 | private_ike_mobike_t *mobike; | |
89 | task_t *task; | |
90 | bool found = FALSE; | |
91 | ||
92 | enumerator = this->ike_sa->create_task_enumerator(this->ike_sa, | |
93 | TASK_QUEUE_QUEUED); | |
94 | while (enumerator->enumerate(enumerator, &task)) | |
95 | { | |
96 | if (task->get_type(task) == TASK_IKE_MOBIKE) | |
97 | { | |
98 | mobike = (private_ike_mobike_t*)task; | |
99 | /* a queued check or update might invalidate the results of the | |
100 | * current task */ | |
101 | found = mobike->check || mobike->update; | |
102 | break; | |
103 | } | |
104 | } | |
105 | enumerator->destroy(enumerator); | |
106 | return found; | |
107 | } | |
108 | ||
17d92e97 MW |
109 | /** |
110 | * read notifys from message and evaluate them | |
111 | */ | |
112 | static void process_payloads(private_ike_mobike_t *this, message_t *message) | |
113 | { | |
a44bb934 | 114 | enumerator_t *enumerator; |
17d92e97 MW |
115 | payload_t *payload; |
116 | bool first = TRUE; | |
7daf5226 | 117 | |
a44bb934 MW |
118 | enumerator = message->create_payload_enumerator(message); |
119 | while (enumerator->enumerate(enumerator, &payload)) | |
17d92e97 MW |
120 | { |
121 | int family = AF_INET; | |
122 | notify_payload_t *notify; | |
123 | chunk_t data; | |
124 | host_t *host; | |
7daf5226 | 125 | |
3ecfc83c | 126 | if (payload->get_type(payload) != PLV2_NOTIFY) |
17d92e97 MW |
127 | { |
128 | continue; | |
129 | } | |
130 | notify = (notify_payload_t*)payload; | |
131 | switch (notify->get_notify_type(notify)) | |
132 | { | |
133 | case MOBIKE_SUPPORTED: | |
134 | { | |
78279973 | 135 | peer_cfg_t *peer_cfg; |
7daf5226 | 136 | |
78279973 | 137 | peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); |
7daf5226 | 138 | if (!this->initiator && |
78279973 MW |
139 | peer_cfg && !peer_cfg->use_mobike(peer_cfg)) |
140 | { | |
141 | DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config"); | |
142 | } | |
143 | else | |
144 | { | |
145 | DBG1(DBG_IKE, "peer supports MOBIKE"); | |
146 | this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE); | |
147 | } | |
17d92e97 MW |
148 | break; |
149 | } | |
85a119bc MW |
150 | case COOKIE2: |
151 | { | |
152 | chunk_free(&this->cookie2); | |
153 | this->cookie2 = chunk_clone(notify->get_notification_data(notify)); | |
154 | break; | |
155 | } | |
17d92e97 MW |
156 | case ADDITIONAL_IP6_ADDRESS: |
157 | { | |
158 | family = AF_INET6; | |
159 | /* fall through */ | |
160 | } | |
161 | case ADDITIONAL_IP4_ADDRESS: | |
162 | { | |
163 | if (first) | |
164 | { /* an ADDITIONAL_*_ADDRESS means replace, so flush once */ | |
94bbc602 | 165 | this->ike_sa->clear_peer_addresses(this->ike_sa); |
4cb9d7a7 | 166 | first = FALSE; |
2fe624cc | 167 | /* add the peer's current address to the list */ |
53915f14 | 168 | host = message->get_source(message); |
94bbc602 TB |
169 | this->ike_sa->add_peer_address(this->ike_sa, |
170 | host->clone(host)); | |
17d92e97 MW |
171 | } |
172 | data = notify->get_notification_data(notify); | |
173 | host = host_create_from_chunk(family, data, 0); | |
174 | DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host); | |
94bbc602 | 175 | this->ike_sa->add_peer_address(this->ike_sa, host); |
769c69fa | 176 | this->addresses_updated = TRUE; |
17d92e97 MW |
177 | break; |
178 | } | |
3bc62fe7 MW |
179 | case UPDATE_SA_ADDRESSES: |
180 | { | |
5474dc65 | 181 | this->update = TRUE; |
3bc62fe7 MW |
182 | break; |
183 | } | |
17d92e97 MW |
184 | case NO_ADDITIONAL_ADDRESSES: |
185 | { | |
94bbc602 | 186 | this->ike_sa->clear_peer_addresses(this->ike_sa); |
2fe624cc | 187 | /* add the peer's current address to the list */ |
53915f14 | 188 | host = message->get_source(message); |
94bbc602 | 189 | this->ike_sa->add_peer_address(this->ike_sa, host->clone(host)); |
769c69fa | 190 | this->addresses_updated = TRUE; |
17d92e97 MW |
191 | break; |
192 | } | |
fc2d1c42 MW |
193 | case NAT_DETECTION_SOURCE_IP: |
194 | case NAT_DETECTION_DESTINATION_IP: | |
195 | { | |
196 | /* NAT check in this MOBIKE exchange, create subtask for it */ | |
3a05566d | 197 | if (!this->natd) |
fc2d1c42 MW |
198 | { |
199 | this->natd = ike_natd_create(this->ike_sa, this->initiator); | |
200 | } | |
201 | break; | |
202 | } | |
17d92e97 MW |
203 | default: |
204 | break; | |
205 | } | |
206 | } | |
a44bb934 | 207 | enumerator->destroy(enumerator); |
17d92e97 MW |
208 | } |
209 | ||
210 | /** | |
211 | * Add ADDITIONAL_*_ADDRESS notifys depending on our address list | |
212 | */ | |
213 | static void build_address_list(private_ike_mobike_t *this, message_t *message) | |
214 | { | |
507f26f6 | 215 | enumerator_t *enumerator; |
17d92e97 MW |
216 | host_t *host, *me; |
217 | notify_type_t type; | |
a1466a3e | 218 | int added = 0; |
7daf5226 | 219 | |
17d92e97 | 220 | me = this->ike_sa->get_my_host(this->ike_sa); |
8394ea2a TB |
221 | enumerator = charon->kernel->create_address_enumerator(charon->kernel, |
222 | ADDR_TYPE_REGULAR); | |
507f26f6 | 223 | while (enumerator->enumerate(enumerator, (void**)&host)) |
17d92e97 MW |
224 | { |
225 | if (me->ip_equals(me, host)) | |
226 | { /* "ADDITIONAL" means do not include IKE_SAs host */ | |
227 | continue; | |
228 | } | |
229 | switch (host->get_family(host)) | |
230 | { | |
231 | case AF_INET: | |
232 | type = ADDITIONAL_IP4_ADDRESS; | |
233 | break; | |
234 | case AF_INET6: | |
235 | type = ADDITIONAL_IP6_ADDRESS; | |
236 | break; | |
237 | default: | |
238 | continue; | |
239 | } | |
240 | message->add_notify(message, FALSE, type, host->get_address(host)); | |
a1466a3e MW |
241 | if (++added >= MAX_ADDITIONAL_ADDRS) |
242 | { /* limit number of notifys, some implementations do not like too | |
243 | * many of them (f.e. strongSwan ;-) */ | |
244 | break; | |
245 | } | |
17d92e97 | 246 | } |
a1466a3e | 247 | if (!added) |
17d92e97 MW |
248 | { |
249 | message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty); | |
250 | } | |
507f26f6 | 251 | enumerator->destroy(enumerator); |
17d92e97 MW |
252 | } |
253 | ||
85a119bc | 254 | /** |
7daf5226 | 255 | * build a cookie and add it to the message |
85a119bc | 256 | */ |
50491834 | 257 | static bool build_cookie(private_ike_mobike_t *this, message_t *message) |
85a119bc MW |
258 | { |
259 | rng_t *rng; | |
260 | ||
261 | chunk_free(&this->cookie2); | |
262 | rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); | |
50491834 | 263 | if (!rng || !rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2)) |
85a119bc | 264 | { |
50491834 TB |
265 | DESTROY_IF(rng); |
266 | return FALSE; | |
85a119bc | 267 | } |
50491834 TB |
268 | message->add_notify(message, FALSE, COOKIE2, this->cookie2); |
269 | rng->destroy(rng); | |
270 | return TRUE; | |
85a119bc MW |
271 | } |
272 | ||
cc2eadde | 273 | /** |
be901342 | 274 | * Apply the port of the old host, if its ip equals the new, use port otherwise. |
cc2eadde | 275 | */ |
b12c53ce | 276 | static void apply_port(host_t *host, host_t *old, uint16_t port, bool local) |
cc2eadde MW |
277 | { |
278 | if (host->ip_equals(host, old)) | |
279 | { | |
be901342 | 280 | port = old->get_port(old); |
cc2eadde | 281 | } |
b223d517 | 282 | else if (local && port == charon->socket->get_port(charon->socket, FALSE)) |
cc2eadde | 283 | { |
b223d517 TB |
284 | port = charon->socket->get_port(charon->socket, TRUE); |
285 | } | |
286 | else if (!local && port == IKEV2_UDP_PORT) | |
287 | { | |
288 | port = IKEV2_NATT_PORT; | |
cc2eadde | 289 | } |
be901342 | 290 | host->set_port(host, port); |
cc2eadde MW |
291 | } |
292 | ||
7840952e | 293 | METHOD(ike_mobike_t, transmit, bool, |
c817e7bb | 294 | private_ike_mobike_t *this, packet_t *packet) |
5474dc65 MW |
295 | { |
296 | host_t *me, *other, *me_old, *other_old; | |
572abc6c | 297 | enumerator_t *enumerator; |
cc2eadde | 298 | ike_cfg_t *ike_cfg; |
5474dc65 | 299 | packet_t *copy; |
c5a5bc85 | 300 | int family = AF_UNSPEC; |
7840952e | 301 | bool found = FALSE; |
7daf5226 | 302 | |
8956dcec TB |
303 | me_old = this->ike_sa->get_my_host(this->ike_sa); |
304 | other_old = this->ike_sa->get_other_host(this->ike_sa); | |
305 | ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); | |
306 | ||
5474dc65 MW |
307 | if (!this->check) |
308 | { | |
8394ea2a | 309 | me = charon->kernel->get_source_addr(charon->kernel, other_old, me_old); |
8956dcec TB |
310 | if (me) |
311 | { | |
312 | if (me->ip_equals(me, me_old)) | |
313 | { | |
72cc029e TB |
314 | copy = packet->clone(packet); |
315 | /* hosts might have been updated by a peer's MOBIKE exchange */ | |
316 | copy->set_source(copy, me_old->clone(me_old)); | |
317 | copy->set_destination(copy, other_old->clone(other_old)); | |
318 | charon->sender->send(charon->sender, copy); | |
8956dcec TB |
319 | me->destroy(me); |
320 | return TRUE; | |
321 | } | |
322 | me->destroy(me); | |
323 | } | |
324 | this->check = TRUE; | |
5474dc65 MW |
325 | } |
326 | ||
c5a5bc85 TB |
327 | switch (charon->socket->supported_families(charon->socket)) |
328 | { | |
329 | case SOCKET_FAMILY_IPV4: | |
330 | family = AF_INET; | |
331 | break; | |
332 | case SOCKET_FAMILY_IPV6: | |
333 | family = AF_INET6; | |
334 | break; | |
335 | case SOCKET_FAMILY_BOTH: | |
336 | case SOCKET_FAMILY_NONE: | |
337 | break; | |
338 | } | |
339 | ||
94bbc602 | 340 | enumerator = this->ike_sa->create_peer_address_enumerator(this->ike_sa); |
572abc6c | 341 | while (enumerator->enumerate(enumerator, (void**)&other)) |
5474dc65 | 342 | { |
c5a5bc85 TB |
343 | if (family != AF_UNSPEC && other->get_family(other) != family) |
344 | { | |
345 | continue; | |
346 | } | |
8394ea2a | 347 | me = charon->kernel->get_source_addr(charon->kernel, other, NULL); |
5474dc65 MW |
348 | if (me) |
349 | { | |
350 | /* reuse port for an active address, 4500 otherwise */ | |
e7ea057f | 351 | apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg), TRUE); |
5474dc65 | 352 | other = other->clone(other); |
e7ea057f | 353 | apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg), FALSE); |
d9d69536 | 354 | DBG1(DBG_IKE, "checking path %#H - %#H", me, other); |
5474dc65 MW |
355 | copy = packet->clone(packet); |
356 | copy->set_source(copy, me); | |
357 | copy->set_destination(copy, other); | |
358 | charon->sender->send(charon->sender, copy); | |
7840952e | 359 | found = TRUE; |
5474dc65 MW |
360 | } |
361 | } | |
572abc6c | 362 | enumerator->destroy(enumerator); |
7840952e | 363 | return found; |
5474dc65 MW |
364 | } |
365 | ||
c817e7bb TB |
366 | METHOD(task_t, build_i, status_t, |
367 | private_ike_mobike_t *this, message_t *message) | |
17d92e97 | 368 | { |
31e7dc4d TB |
369 | if (message->get_exchange_type(message) == IKE_AUTH && |
370 | message->get_message_id(message) == 1) | |
a44bb934 | 371 | { /* only in first IKE_AUTH */ |
17d92e97 MW |
372 | message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty); |
373 | build_address_list(this, message); | |
374 | } | |
c8739590 | 375 | else if (message->get_exchange_type(message) == INFORMATIONAL) |
3bc62fe7 | 376 | { |
f0974eb2 | 377 | host_t *old, *new; |
7daf5226 | 378 | |
90b1d09e TB |
379 | /* this task might have been queued before we knew if MOBIKE will be |
380 | * supported */ | |
381 | if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) | |
382 | { | |
383 | message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED); | |
384 | return SUCCESS; | |
385 | } | |
386 | ||
7daf5226 | 387 | /* we check if the existing address is still valid */ |
f0974eb2 | 388 | old = message->get_source(message); |
8394ea2a | 389 | new = charon->kernel->get_source_addr(charon->kernel, |
f0974eb2 MW |
390 | message->get_destination(message), old); |
391 | if (new) | |
392 | { | |
393 | if (!new->ip_equals(new, old)) | |
394 | { | |
395 | new->set_port(new, old->get_port(old)); | |
396 | message->set_source(message, new); | |
397 | } | |
398 | else | |
399 | { | |
400 | new->destroy(new); | |
401 | } | |
402 | } | |
5474dc65 | 403 | if (this->update) |
fc2d1c42 | 404 | { |
31e7dc4d TB |
405 | message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, |
406 | chunk_empty); | |
50491834 TB |
407 | if (!build_cookie(this, message)) |
408 | { | |
409 | return FAILED; | |
410 | } | |
fc2d1c42 | 411 | } |
1dbf0ed9 | 412 | if (this->address && !this->check) |
3bc62fe7 MW |
413 | { |
414 | build_address_list(this, message); | |
415 | } | |
5474dc65 MW |
416 | if (this->natd) |
417 | { | |
418 | this->natd->task.build(&this->natd->task, message); | |
419 | } | |
4cb9d7a7 | 420 | } |
17d92e97 MW |
421 | return NEED_MORE; |
422 | } | |
423 | ||
c817e7bb TB |
424 | METHOD(task_t, process_r, status_t, |
425 | private_ike_mobike_t *this, message_t *message) | |
4cb9d7a7 | 426 | { |
31e7dc4d TB |
427 | if (message->get_exchange_type(message) == IKE_AUTH && |
428 | message->get_message_id(message) == 1) | |
a44bb934 | 429 | { /* only first IKE_AUTH */ |
4cb9d7a7 MW |
430 | process_payloads(this, message); |
431 | } | |
fc2d1c42 MW |
432 | else if (message->get_exchange_type(message) == INFORMATIONAL) |
433 | { | |
2b255f01 | 434 | host_t *me_new = NULL, *other, *other_old, *other_new = NULL; |
7daf5226 | 435 | |
2b255f01 | 436 | process_payloads(this, message); |
7daf5226 | 437 | |
fc2d1c42 MW |
438 | if (this->natd) |
439 | { | |
440 | this->natd->task.process(&this->natd->task, message); | |
441 | } | |
2b255f01 TB |
442 | |
443 | if (this->update) | |
444 | { | |
445 | me_new = message->get_destination(message); | |
446 | other_new = message->get_source(message); | |
447 | } | |
448 | else if (this->addresses_updated && | |
449 | this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR)) | |
769c69fa | 450 | { |
2b255f01 TB |
451 | other = message->get_source(message); |
452 | other_old = this->ike_sa->get_other_host(this->ike_sa); | |
769c69fa TB |
453 | if (!other->equals(other, other_old)) |
454 | { | |
2b255f01 TB |
455 | other_new = other; |
456 | /* our address might have changed too if the responder used | |
457 | * a different address from our list to reach us */ | |
458 | me_new = message->get_destination(message); | |
769c69fa TB |
459 | } |
460 | } | |
2b255f01 TB |
461 | |
462 | if (me_new || other_new) | |
463 | { | |
464 | this->ike_sa->update_hosts(this->ike_sa, me_new, | |
465 | other_new, UPDATE_HOSTS_FORCE_ALL); | |
466 | } | |
fc2d1c42 | 467 | } |
17d92e97 MW |
468 | return NEED_MORE; |
469 | } | |
470 | ||
c817e7bb TB |
471 | METHOD(task_t, build_r, status_t, |
472 | private_ike_mobike_t *this, message_t *message) | |
17d92e97 MW |
473 | { |
474 | if (message->get_exchange_type(message) == IKE_AUTH && | |
b8249ff5 | 475 | this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED) |
17d92e97 MW |
476 | { |
477 | if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) | |
478 | { | |
479 | message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty); | |
480 | build_address_list(this, message); | |
481 | } | |
482 | return SUCCESS; | |
483 | } | |
2b3100b5 MW |
484 | else if (message->get_exchange_type(message) == INFORMATIONAL) |
485 | { | |
fc2d1c42 MW |
486 | if (this->natd) |
487 | { | |
488 | this->natd->task.build(&this->natd->task, message); | |
489 | } | |
85a119bc MW |
490 | if (this->cookie2.ptr) |
491 | { | |
492 | message->add_notify(message, FALSE, COOKIE2, this->cookie2); | |
493 | chunk_free(&this->cookie2); | |
494 | } | |
2b3100b5 MW |
495 | return SUCCESS; |
496 | } | |
17d92e97 MW |
497 | return NEED_MORE; |
498 | } | |
499 | ||
c817e7bb TB |
500 | METHOD(task_t, process_i, status_t, |
501 | private_ike_mobike_t *this, message_t *message) | |
17d92e97 MW |
502 | { |
503 | if (message->get_exchange_type(message) == IKE_AUTH && | |
b8249ff5 | 504 | this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED) |
17d92e97 MW |
505 | { |
506 | process_payloads(this, message); | |
507 | return SUCCESS; | |
508 | } | |
2b3100b5 MW |
509 | else if (message->get_exchange_type(message) == INFORMATIONAL) |
510 | { | |
abe51389 TB |
511 | bool force = FALSE; |
512 | ||
9f049781 | 513 | if (is_newer_update_queued(this)) |
3bc62fe7 | 514 | { |
3bc62fe7 MW |
515 | return SUCCESS; |
516 | } | |
85a119bc | 517 | if (this->cookie2.ptr) |
9d9a772e | 518 | { /* check cookie if we included one */ |
85a119bc | 519 | chunk_t cookie2; |
7daf5226 | 520 | |
85a119bc MW |
521 | cookie2 = this->cookie2; |
522 | this->cookie2 = chunk_empty; | |
523 | process_payloads(this, message); | |
161a0157 | 524 | if (!chunk_equals_const(cookie2, this->cookie2)) |
85a119bc MW |
525 | { |
526 | chunk_free(&cookie2); | |
527 | DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA"); | |
528 | return FAILED; | |
529 | } | |
530 | chunk_free(&cookie2); | |
531 | } | |
532 | else | |
533 | { | |
534 | process_payloads(this, message); | |
535 | } | |
fc2d1c42 MW |
536 | if (this->natd) |
537 | { | |
538 | this->natd->task.process(&this->natd->task, message); | |
2b255f01 TB |
539 | |
540 | if (this->update) | |
541 | { /* update children again, as NAT state may have changed */ | |
542 | this->ike_sa->update_hosts(this->ike_sa, NULL, NULL, | |
543 | UPDATE_HOSTS_FORCE_CHILDREN); | |
544 | } | |
545 | else if (this->natd->has_mapping_changed(this->natd)) | |
546 | { /* force a check/update if mappings have changed during a DPD */ | |
abe51389 | 547 | force = TRUE; |
2b255f01 | 548 | this->check = TRUE; |
9d9a772e MW |
549 | DBG1(DBG_IKE, "detected changes in NAT mappings, " |
550 | "initiating MOBIKE update"); | |
551 | } | |
fc2d1c42 | 552 | } |
5474dc65 MW |
553 | if (this->check) |
554 | { | |
2b255f01 | 555 | host_t *me, *me_new = NULL, *other, *other_new = NULL; |
7daf5226 | 556 | |
2b255f01 TB |
557 | me = message->get_destination(message); |
558 | other = message->get_source(message); | |
7daf5226 | 559 | |
2b255f01 | 560 | if (!me->equals(me, this->ike_sa->get_my_host(this->ike_sa))) |
5474dc65 | 561 | { |
2b255f01 | 562 | me_new = me; |
7daf5226 | 563 | } |
2b255f01 | 564 | if (!other->equals(other, this->ike_sa->get_other_host(this->ike_sa))) |
5474dc65 | 565 | { |
2b255f01 | 566 | other_new = other; |
5474dc65 | 567 | } |
abe51389 | 568 | if (me_new || other_new || force) |
5474dc65 | 569 | { |
2b255f01 TB |
570 | this->ike_sa->update_hosts(this->ike_sa, me_new, other_new, |
571 | UPDATE_HOSTS_FORCE_ALL); | |
1dbf0ed9 | 572 | /* use the same task to ... */ |
c5770f86 TB |
573 | if (!this->ike_sa->has_condition(this->ike_sa, |
574 | COND_ORIGINAL_INITIATOR)) | |
1dbf0ed9 | 575 | { /*... send an updated list of addresses as responder */ |
2b255f01 | 576 | this->address = TRUE; |
c5770f86 | 577 | } |
1dbf0ed9 TB |
578 | else |
579 | { /* ... send the update as original initiator */ | |
2b255f01 | 580 | this->update = TRUE; |
1dbf0ed9 TB |
581 | if (this->natd) |
582 | { | |
583 | this->natd->task.destroy(&this->natd->task); | |
584 | } | |
585 | this->natd = ike_natd_create(this->ike_sa, this->initiator); | |
12d4186f | 586 | } |
1dbf0ed9 | 587 | this->check = FALSE; |
5474dc65 MW |
588 | return NEED_MORE; |
589 | } | |
590 | } | |
2b3100b5 MW |
591 | return SUCCESS; |
592 | } | |
17d92e97 MW |
593 | return NEED_MORE; |
594 | } | |
595 | ||
13876431 TB |
596 | METHOD(ike_mobike_t, addresses, void, |
597 | private_ike_mobike_t *this) | |
598 | { | |
599 | this->address = TRUE; | |
13876431 TB |
600 | } |
601 | ||
c817e7bb TB |
602 | METHOD(ike_mobike_t, roam, void, |
603 | private_ike_mobike_t *this, bool address) | |
17d92e97 | 604 | { |
5474dc65 | 605 | this->check = TRUE; |
43bbe070 | 606 | this->address |= address; |
17d92e97 MW |
607 | } |
608 | ||
c817e7bb TB |
609 | METHOD(ike_mobike_t, dpd, void, |
610 | private_ike_mobike_t *this) | |
9d9a772e | 611 | { |
3a05566d | 612 | if (!this->natd && this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE)) |
9d9a772e MW |
613 | { |
614 | this->natd = ike_natd_create(this->ike_sa, this->initiator); | |
615 | } | |
9d9a772e MW |
616 | } |
617 | ||
c817e7bb TB |
618 | METHOD(ike_mobike_t, is_probing, bool, |
619 | private_ike_mobike_t *this) | |
f215e919 MW |
620 | { |
621 | return this->check; | |
622 | } | |
623 | ||
2180ace9 TB |
624 | METHOD(ike_mobike_t, enable_probing, void, |
625 | private_ike_mobike_t *this) | |
626 | { | |
627 | this->check = TRUE; | |
628 | } | |
629 | ||
c817e7bb TB |
630 | METHOD(task_t, get_type, task_type_t, |
631 | private_ike_mobike_t *this) | |
17d92e97 | 632 | { |
a09972df | 633 | return TASK_IKE_MOBIKE; |
17d92e97 MW |
634 | } |
635 | ||
c817e7bb TB |
636 | METHOD(task_t, migrate, void, |
637 | private_ike_mobike_t *this, ike_sa_t *ike_sa) | |
17d92e97 | 638 | { |
4cb9d7a7 | 639 | chunk_free(&this->cookie2); |
17d92e97 | 640 | this->ike_sa = ike_sa; |
4cb9d7a7 MW |
641 | if (this->natd) |
642 | { | |
643 | this->natd->task.migrate(&this->natd->task, ike_sa); | |
644 | } | |
17d92e97 MW |
645 | } |
646 | ||
c817e7bb TB |
647 | METHOD(task_t, destroy, void, |
648 | private_ike_mobike_t *this) | |
17d92e97 | 649 | { |
4cb9d7a7 MW |
650 | chunk_free(&this->cookie2); |
651 | if (this->natd) | |
652 | { | |
653 | this->natd->task.destroy(&this->natd->task); | |
654 | } | |
17d92e97 MW |
655 | free(this); |
656 | } | |
657 | ||
658 | /* | |
659 | * Described in header. | |
660 | */ | |
661 | ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator) | |
662 | { | |
c817e7bb TB |
663 | private_ike_mobike_t *this; |
664 | ||
665 | INIT(this, | |
666 | .public = { | |
667 | .task = { | |
668 | .get_type = _get_type, | |
669 | .migrate = _migrate, | |
670 | .destroy = _destroy, | |
671 | }, | |
13876431 | 672 | .addresses = _addresses, |
c817e7bb TB |
673 | .roam = _roam, |
674 | .dpd = _dpd, | |
675 | .transmit = _transmit, | |
676 | .is_probing = _is_probing, | |
2180ace9 | 677 | .enable_probing = _enable_probing, |
c817e7bb TB |
678 | }, |
679 | .ike_sa = ike_sa, | |
680 | .initiator = initiator, | |
c817e7bb | 681 | ); |
7daf5226 | 682 | |
17d92e97 MW |
683 | if (initiator) |
684 | { | |
c817e7bb TB |
685 | this->public.task.build = _build_i; |
686 | this->public.task.process = _process_i; | |
17d92e97 MW |
687 | } |
688 | else | |
689 | { | |
c817e7bb TB |
690 | this->public.task.build = _build_r; |
691 | this->public.task.process = _process_r; | |
17d92e97 | 692 | } |
7daf5226 | 693 | |
17d92e97 MW |
694 | return &this->public; |
695 | } |