[thirdparty/strongswan.git] / src / libcharon / sa / tasks / ike_mobike.c

/*
 * Copyright (C) 2007 Martin Willi
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "ike_mobike.h"

#include <string.h>

#include <hydra.h>
#include <daemon.h>
#include <sa/tasks/ike_natd.h>
#include <encoding/payloads/notify_payload.h>

#define COOKIE2_SIZE 16
#define MAX_ADDITIONAL_ADDRS 8

typedef struct private_ike_mobike_t private_ike_mobike_t;

/**
 * Private members of a ike_mobike_t task.
 */
struct private_ike_mobike_t {

	/**
	 * Public methods and task_t interface.
	 */
	ike_mobike_t public;

	/**
	 * Assigned IKE_SA.
	 */
	ike_sa_t *ike_sa;

	/**
	 * Are we the initiator?
	 */
	bool initiator;

	/**
	 * cookie2 value to verify new addresses
	 */
	chunk_t cookie2;

	/**
	 * NAT discovery reusing the IKE_NATD task
	 */
	ike_natd_t *natd;

	/**
	 * use task to update addresses
	 */
	bool update;

	/**
	 * do routability check
	 */
	bool check;

	/**
	 * include address list update
	 */
	bool address;
};

/**
 * flush the IKE_SAs list of additional addresses
 */
static void flush_additional_addresses(private_ike_mobike_t *this)
{
	iterator_t *iterator;
	host_t *host;

	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
	while (iterator->iterate(iterator, (void**)&host))
	{
		iterator->remove(iterator);
		host->destroy(host);
	}
	iterator->destroy(iterator);
}


/**
 * read notifys from message and evaluate them
 */
static void process_payloads(private_ike_mobike_t *this, message_t *message)
{
	enumerator_t *enumerator;
	payload_t *payload;
	bool first = TRUE;

	enumerator = message->create_payload_enumerator(message);
	while (enumerator->enumerate(enumerator, &payload))
	{
		int family = AF_INET;
		notify_payload_t *notify;
		chunk_t data;
		host_t *host;

		if (payload->get_type(payload) != NOTIFY)
		{
			continue;
		}
		notify = (notify_payload_t*)payload;
		switch (notify->get_notify_type(notify))
		{
			case MOBIKE_SUPPORTED:
			{
				peer_cfg_t *peer_cfg;

				peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
				if (!this->initiator &&
					peer_cfg && !peer_cfg->use_mobike(peer_cfg))
				{
					DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
				}
				else
				{
					DBG1(DBG_IKE, "peer supports MOBIKE");
					this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
				}
				break;
			}
			case COOKIE2:
			{
				chunk_free(&this->cookie2);
				this->cookie2 = chunk_clone(notify->get_notification_data(notify));
				break;
			}
			case ADDITIONAL_IP6_ADDRESS:
			{
				family = AF_INET6;
				/* fall through */
			}
			case ADDITIONAL_IP4_ADDRESS:
			{
				if (first)
				{	/* an ADDITIONAL_*_ADDRESS means replace, so flush once */
					flush_additional_addresses(this);
					first = FALSE;
				}
				data = notify->get_notification_data(notify);
				host = host_create_from_chunk(family, data, 0);
				DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
				this->ike_sa->add_additional_address(this->ike_sa, host);
				break;
			}
			case UPDATE_SA_ADDRESSES:
			{
				this->update = TRUE;
				break;
			}
			case NO_ADDITIONAL_ADDRESSES:
			{
				flush_additional_addresses(this);
				break;
			}
			case NAT_DETECTION_SOURCE_IP:
			case NAT_DETECTION_DESTINATION_IP:
			{
				/* NAT check in this MOBIKE exchange, create subtask for it */
				if (this->natd == NULL)
				{
					this->natd = ike_natd_create(this->ike_sa, this->initiator);
				}
				break;
			}
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);
}

/**
 * Add ADDITIONAL_*_ADDRESS notifys depending on our address list
 */
static void build_address_list(private_ike_mobike_t *this, message_t *message)
{
	enumerator_t *enumerator;
	host_t *host, *me;
	notify_type_t type;
	int added = 0;

	me = this->ike_sa->get_my_host(this->ike_sa);
	enumerator = hydra->kernel_interface->create_address_enumerator(
										hydra->kernel_interface, FALSE, FALSE);
	while (enumerator->enumerate(enumerator, (void**)&host))
	{
		if (me->ip_equals(me, host))
		{	/* "ADDITIONAL" means do not include IKE_SAs host */
			continue;
		}
		switch (host->get_family(host))
		{
			case AF_INET:
				type = ADDITIONAL_IP4_ADDRESS;
				break;
			case AF_INET6:
				type = ADDITIONAL_IP6_ADDRESS;
				break;
			default:
				continue;
		}
		message->add_notify(message, FALSE, type, host->get_address(host));
		if (++added >= MAX_ADDITIONAL_ADDRS)
		{	/* limit number of notifys, some implementations do not like too
			 * many of them (f.e. strongSwan ;-) */
			break;
		}
	}
	if (!added)
	{
		message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
	}
	enumerator->destroy(enumerator);
}

/**
 * build a cookie and add it to the message
 */
static void build_cookie(private_ike_mobike_t *this, message_t *message)
{
	rng_t *rng;

	chunk_free(&this->cookie2);
	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
	if (rng)
	{
		rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2);
		rng->destroy(rng);
		message->add_notify(message, FALSE, COOKIE2, this->cookie2);
	}
}

/**
 * update addresses of associated CHILD_SAs
 */
static void update_children(private_ike_mobike_t *this)
{
	iterator_t *iterator;
	child_sa_t *child_sa;

	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
	while (iterator->iterate(iterator, (void**)&child_sa))
	{
		if (child_sa->update(child_sa,
				this->ike_sa->get_my_host(this->ike_sa),
				this->ike_sa->get_other_host(this->ike_sa),
				this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
				this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
		{
			this->ike_sa->rekey_child_sa(this->ike_sa,
					child_sa->get_protocol(child_sa),
					child_sa->get_spi(child_sa, TRUE));
		}
	}
	iterator->destroy(iterator);
}

/**
 * Apply the port of the old host, if its ip equals the new, use port otherwise.
 */
static void apply_port(host_t *host, host_t *old, u_int16_t port)
{
	if (host->ip_equals(host, old))
	{
		port = old->get_port(old);
	}
	else if (port == IKEV2_UDP_PORT)
	{
		port = IKEV2_NATT_PORT;
	}
	host->set_port(host, port);
}

METHOD(ike_mobike_t, transmit, void,
	   private_ike_mobike_t *this, packet_t *packet)
{
	host_t *me, *other, *me_old, *other_old;
	iterator_t *iterator;
	ike_cfg_t *ike_cfg;
	packet_t *copy;

	if (!this->check)
	{
		return;
	}

	me_old = this->ike_sa->get_my_host(this->ike_sa);
	other_old = this->ike_sa->get_other_host(this->ike_sa);
	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);

	me = hydra->kernel_interface->get_source_addr(
									hydra->kernel_interface, other_old, NULL);
	if (me)
	{
		apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
		DBG1(DBG_IKE, "checking original path %#H - %#H", me, other_old);
		copy = packet->clone(packet);
		copy->set_source(copy, me);
		charon->sender->send(charon->sender, copy);
	}

	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
	while (iterator->iterate(iterator, (void**)&other))
	{
		me = hydra->kernel_interface->get_source_addr(
										hydra->kernel_interface, other, NULL);
		if (me)
		{
			if (me->get_family(me) != other->get_family(other))
			{
				me->destroy(me);
				continue;
			}
			/* reuse port for an active address, 4500 otherwise */
			apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
			other = other->clone(other);
			apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg));
			DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
			copy = packet->clone(packet);
			copy->set_source(copy, me);
			copy->set_destination(copy, other);
			charon->sender->send(charon->sender, copy);
		}
	}
	iterator->destroy(iterator);
}

METHOD(task_t, build_i, status_t,
	   private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		message->get_message_id(message) == 1)
	{	/* only in first IKE_AUTH */
		message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
		build_address_list(this, message);
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		host_t *old, *new;

		/* we check if the existing address is still valid */
		old = message->get_source(message);
		new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
										message->get_destination(message), old);
		if (new)
		{
			if (!new->ip_equals(new, old))
			{
				new->set_port(new, old->get_port(old));
				message->set_source(message, new);
			}
			else
			{
				new->destroy(new);
			}
		}
		if (this->update)
		{
			message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
								chunk_empty);
			build_cookie(this, message);
			update_children(this);
		}
		if (this->address)
		{
			build_address_list(this, message);
		}
		if (this->natd)
		{
			this->natd->task.build(&this->natd->task, message);
		}
	}
	return NEED_MORE;
}

METHOD(task_t, process_r, status_t,
	   private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		message->get_message_id(message) == 1)
	{	/* only first IKE_AUTH */
		process_payloads(this, message);
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		process_payloads(this, message);
		if (this->update)
		{
			host_t *me, *other;

			me = message->get_destination(message);
			other = message->get_source(message);
			this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
			this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
		}

		if (this->natd)
		{
			this->natd->task.process(&this->natd->task, message);
		}
	}
	return NEED_MORE;
}

METHOD(task_t, build_r, status_t,
	   private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
	{
		if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
		{
			message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
			build_address_list(this, message);
		}
		return SUCCESS;
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		if (this->natd)
		{
			this->natd->task.build(&this->natd->task, message);
		}
		if (this->cookie2.ptr)
		{
			message->add_notify(message, FALSE, COOKIE2, this->cookie2);
			chunk_free(&this->cookie2);
		}
		if (this->update)
		{
			update_children(this);
		}
		return SUCCESS;
	}
	return NEED_MORE;
}

METHOD(task_t, process_i, status_t,
	   private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
	{
		process_payloads(this, message);
		return SUCCESS;
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
		this->ike_sa->set_pending_updates(this->ike_sa, updates);
		if (updates > 0)
		{
			/* newer update queued, ignore this one */
			return SUCCESS;
		}
		if (this->cookie2.ptr)
		{	/* check cookie if we included one */
			chunk_t cookie2;

			cookie2 = this->cookie2;
			this->cookie2 = chunk_empty;
			process_payloads(this, message);
			if (!chunk_equals(cookie2, this->cookie2))
			{
				chunk_free(&cookie2);
				DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
				return FAILED;
			}
			chunk_free(&cookie2);
		}
		else
		{
			process_payloads(this, message);
		}
		if (this->natd)
		{
			this->natd->task.process(&this->natd->task, message);
			if (this->natd->has_mapping_changed(this->natd))
			{
				/* force an update if mappings have changed */
				this->update = this->check = TRUE;
				DBG1(DBG_IKE, "detected changes in NAT mappings, "
					 "initiating MOBIKE update");
			}
		}
		if (this->update)
		{
			/* update again, as NAT state may have changed */
			update_children(this);
		}
		if (this->check)
		{
			host_t *me_new, *me_old, *other_new, *other_old;

			me_new = message->get_destination(message);
			other_new = message->get_source(message);
			me_old = this->ike_sa->get_my_host(this->ike_sa);
			other_old = this->ike_sa->get_other_host(this->ike_sa);

			if (!me_new->equals(me_new, me_old))
			{
				this->update = TRUE;
				this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
			}
			if (!other_new->equals(other_new, other_old))
			{
				this->update = TRUE;
				this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
			}
			if (this->update)
			{
				/* start the update with the same task */
				this->check = FALSE;
				this->address = FALSE;
				if (this->natd)
				{
					this->natd->task.destroy(&this->natd->task);
				}
				this->natd = ike_natd_create(this->ike_sa, this->initiator);
				this->ike_sa->set_pending_updates(this->ike_sa, 1);
				return NEED_MORE;
			}
		}
		return SUCCESS;
	}
	return NEED_MORE;
}

METHOD(ike_mobike_t, roam, void,
	   private_ike_mobike_t *this, bool address)
{
	this->check = TRUE;
	this->address = address;
	this->ike_sa->set_pending_updates(this->ike_sa,
						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
}

METHOD(ike_mobike_t, dpd, void,
	   private_ike_mobike_t *this)
{
	if (!this->natd)
	{
		this->natd = ike_natd_create(this->ike_sa, this->initiator);
	}
	this->address = FALSE;
	this->ike_sa->set_pending_updates(this->ike_sa,
						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
}

METHOD(ike_mobike_t, is_probing, bool,
	   private_ike_mobike_t *this)
{
	return this->check;
}

METHOD(task_t, get_type, task_type_t,
	   private_ike_mobike_t *this)
{
	return IKE_MOBIKE;
}

METHOD(task_t, migrate, void,
	   private_ike_mobike_t *this, ike_sa_t *ike_sa)
{
	chunk_free(&this->cookie2);
	this->ike_sa = ike_sa;
	if (this->natd)
	{
		this->natd->task.migrate(&this->natd->task, ike_sa);
	}
}

METHOD(task_t, destroy, void,
	   private_ike_mobike_t *this)
{
	chunk_free(&this->cookie2);
	if (this->natd)
	{
		this->natd->task.destroy(&this->natd->task);
	}
	free(this);
}

/*
 * Described in header.
 */
ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
{
	private_ike_mobike_t *this;

	INIT(this,
		.public = {
			.task = {
				.get_type = _get_type,
				.migrate = _migrate,
				.destroy = _destroy,
			},
			.roam = _roam,
			.dpd = _dpd,
			.transmit = _transmit,
			.is_probing = _is_probing,
		},
		.ike_sa = ike_sa,
		.initiator = initiator,
		.address = TRUE,
	);

	if (initiator)
	{
		this->public.task.build = _build_i;
		this->public.task.process = _process_i;
	}
	else
	{
		this->public.task.build = _build_r;
		this->public.task.process = _process_r;
	}

	return &this->public;
}
Commit	Line	Data
17d92e97 MW	1	/*
	2	* Copyright (C) 2007 Martin Willi
	3	* Hochschule fuer Technik Rapperswil
	4	*
	5	* This program is free software; you can redistribute it and/or modify it
	6	* under the terms of the GNU General Public License as published by the
	7	* Free Software Foundation; either version 2 of the License, or (at your
	8	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	9	*
	10	* This program is distributed in the hope that it will be useful, but
	11	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	12	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	13	* for more details.
	14	*/
	15
	16	#include "ike_mobike.h"
	17
	18	#include <string.h>
	19
f6659688	20	#include <hydra.h>
17d92e97	21	#include <daemon.h>
4cb9d7a7	22	#include <sa/tasks/ike_natd.h>
17d92e97 MW	23	#include <encoding/payloads/notify_payload.h>
17d92e97 MW	24
85a119bc	25	#define COOKIE2_SIZE 16
a1466a3e	26	#define MAX_ADDITIONAL_ADDRS 8
17d92e97 MW	27
	28	typedef struct private_ike_mobike_t private_ike_mobike_t;
	29
	30	/**
	31	* Private members of a ike_mobike_t task.
	32	*/
	33	struct private_ike_mobike_t {
7daf5226	34
17d92e97 MW	35	/**
	36	* Public methods and task_t interface.
	37	*/
	38	ike_mobike_t public;
7daf5226	39
17d92e97 MW	40	/**
	41	* Assigned IKE_SA.
	42	*/
	43	ike_sa_t *ike_sa;
7daf5226	44
17d92e97 MW	45	/**
	46	* Are we the initiator?
	47	*/
	48	bool initiator;
7daf5226	49
17d92e97	50	/**
3bc62fe7	51	* cookie2 value to verify new addresses
17d92e97	52	*/
3bc62fe7	53	chunk_t cookie2;
7daf5226	54
17d92e97	55	/**
3bc62fe7	56	* NAT discovery reusing the IKE_NATD task
17d92e97	57	*/
3bc62fe7	58	ike_natd_t *natd;
7daf5226	59
4cb9d7a7	60	/**
3bc62fe7	61	* use task to update addresses
4cb9d7a7	62	*/
5474dc65	63	bool update;
7daf5226	64
5474dc65 MW	65	/**
	66	* do routability check
	67	*/
	68	bool check;
7daf5226	69
4cb9d7a7	70	/**
3bc62fe7	71	* include address list update
4cb9d7a7	72	*/
3bc62fe7	73	bool address;
17d92e97 MW	74	};
	75
	76	/**
	77	* flush the IKE_SAs list of additional addresses
	78	*/
	79	static void flush_additional_addresses(private_ike_mobike_t *this)
	80	{
	81	iterator_t *iterator;
	82	host_t *host;
7daf5226	83
17d92e97 MW	84	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
	85	while (iterator->iterate(iterator, (void**)&host))
	86	{
	87	iterator->remove(iterator);
	88	host->destroy(host);
	89	}
	90	iterator->destroy(iterator);
	91	}
	92
	93
	94	/**
	95	* read notifys from message and evaluate them
	96	*/
	97	static void process_payloads(private_ike_mobike_t this, message_t message)
	98	{
a44bb934	99	enumerator_t *enumerator;
17d92e97 MW	100	payload_t *payload;
17d92e97 MW	101	bool first = TRUE;
7daf5226	102
a44bb934 MW	103	enumerator = message->create_payload_enumerator(message);
a44bb934 MW	104	while (enumerator->enumerate(enumerator, &payload))
17d92e97 MW	105	{
	106	int family = AF_INET;
	107	notify_payload_t *notify;
	108	chunk_t data;
	109	host_t *host;
7daf5226	110
17d92e97 MW	111	if (payload->get_type(payload) != NOTIFY)
	112	{
	113	continue;
	114	}
	115	notify = (notify_payload_t*)payload;
	116	switch (notify->get_notify_type(notify))
	117	{
	118	case MOBIKE_SUPPORTED:
	119	{
78279973	120	peer_cfg_t *peer_cfg;
7daf5226	121
78279973	122	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
7daf5226	123	if (!this->initiator &&
78279973 MW	124	peer_cfg && !peer_cfg->use_mobike(peer_cfg))
	125	{
	126	DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
	127	}
	128	else
	129	{
	130	DBG1(DBG_IKE, "peer supports MOBIKE");
	131	this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
	132	}
17d92e97 MW	133	break;
17d92e97 MW	134	}
85a119bc MW	135	case COOKIE2:
	136	{
	137	chunk_free(&this->cookie2);
	138	this->cookie2 = chunk_clone(notify->get_notification_data(notify));
	139	break;
	140	}
17d92e97 MW	141	case ADDITIONAL_IP6_ADDRESS:
	142	{
	143	family = AF_INET6;
	144	/* fall through */
	145	}
	146	case ADDITIONAL_IP4_ADDRESS:
	147	{
	148	if (first)
	149	{ /* an ADDITIONAL__ADDRESS means replace, so flush once /
	150	flush_additional_addresses(this);
4cb9d7a7	151	first = FALSE;
17d92e97 MW	152	}
	153	data = notify->get_notification_data(notify);
	154	host = host_create_from_chunk(family, data, 0);
	155	DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
	156	this->ike_sa->add_additional_address(this->ike_sa, host);
	157	break;
	158	}
3bc62fe7 MW	159	case UPDATE_SA_ADDRESSES:
3bc62fe7 MW	160	{
5474dc65	161	this->update = TRUE;
3bc62fe7 MW	162	break;
3bc62fe7 MW	163	}
17d92e97 MW	164	case NO_ADDITIONAL_ADDRESSES:
	165	{
	166	flush_additional_addresses(this);
	167	break;
	168	}
fc2d1c42 MW	169	case NAT_DETECTION_SOURCE_IP:
	170	case NAT_DETECTION_DESTINATION_IP:
	171	{
	172	/* NAT check in this MOBIKE exchange, create subtask for it */
	173	if (this->natd == NULL)
	174	{
	175	this->natd = ike_natd_create(this->ike_sa, this->initiator);
	176	}
	177	break;
	178	}
17d92e97 MW	179	default:
	180	break;
	181	}
	182	}
a44bb934	183	enumerator->destroy(enumerator);
17d92e97 MW	184	}
	185
	186	/**
	187	* Add ADDITIONAL_*_ADDRESS notifys depending on our address list
	188	*/
	189	static void build_address_list(private_ike_mobike_t this, message_t message)
	190	{
507f26f6	191	enumerator_t *enumerator;
17d92e97 MW	192	host_t host, me;
17d92e97 MW	193	notify_type_t type;
a1466a3e	194	int added = 0;
7daf5226	195
17d92e97	196	me = this->ike_sa->get_my_host(this->ike_sa);
f6659688 TB	197	enumerator = hydra->kernel_interface->create_address_enumerator(
f6659688 TB	198	hydra->kernel_interface, FALSE, FALSE);
507f26f6	199	while (enumerator->enumerate(enumerator, (void**)&host))
17d92e97 MW	200	{
	201	if (me->ip_equals(me, host))
	202	{ /* "ADDITIONAL" means do not include IKE_SAs host */
	203	continue;
	204	}
	205	switch (host->get_family(host))
	206	{
	207	case AF_INET:
	208	type = ADDITIONAL_IP4_ADDRESS;
	209	break;
	210	case AF_INET6:
	211	type = ADDITIONAL_IP6_ADDRESS;
	212	break;
	213	default:
	214	continue;
	215	}
	216	message->add_notify(message, FALSE, type, host->get_address(host));
a1466a3e MW	217	if (++added >= MAX_ADDITIONAL_ADDRS)
	218	{ /* limit number of notifys, some implementations do not like too
	219	* many of them (f.e. strongSwan ;-) */
	220	break;
	221	}
17d92e97	222	}
a1466a3e	223	if (!added)
17d92e97 MW	224	{
	225	message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
	226	}
507f26f6	227	enumerator->destroy(enumerator);
17d92e97 MW	228	}
17d92e97 MW	229
85a119bc	230	/**
7daf5226	231	* build a cookie and add it to the message
85a119bc MW	232	*/
	233	static void build_cookie(private_ike_mobike_t this, message_t message)
	234	{
	235	rng_t *rng;
	236
	237	chunk_free(&this->cookie2);
	238	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
	239	if (rng)
	240	{
	241	rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2);
	242	rng->destroy(rng);
	243	message->add_notify(message, FALSE, COOKIE2, this->cookie2);
	244	}
	245	}
	246
3bc62fe7 MW	247	/**
	248	* update addresses of associated CHILD_SAs
	249	*/
	250	static void update_children(private_ike_mobike_t *this)
	251	{
	252	iterator_t *iterator;
	253	child_sa_t *child_sa;
7daf5226	254
3bc62fe7 MW	255	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
	256	while (iterator->iterate(iterator, (void**)&child_sa))
	257	{
3aaf7908	258	if (child_sa->update(child_sa,
7daf5226	259	this->ike_sa->get_my_host(this->ike_sa),
ea625fab TB	260	this->ike_sa->get_other_host(this->ike_sa),
	261	this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
	262	this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
	263	{
	264	this->ike_sa->rekey_child_sa(this->ike_sa,
	265	child_sa->get_protocol(child_sa),
	266	child_sa->get_spi(child_sa, TRUE));
	267	}
3bc62fe7 MW	268	}
	269	iterator->destroy(iterator);
	270	}
	271
cc2eadde	272	/**
be901342	273	* Apply the port of the old host, if its ip equals the new, use port otherwise.
cc2eadde	274	*/
be901342	275	static void apply_port(host_t host, host_t old, u_int16_t port)
cc2eadde MW	276	{
	277	if (host->ip_equals(host, old))
	278	{
be901342	279	port = old->get_port(old);
cc2eadde	280	}
be901342	281	else if (port == IKEV2_UDP_PORT)
cc2eadde	282	{
be901342	283	port = IKEV2_NATT_PORT;
cc2eadde	284	}
be901342	285	host->set_port(host, port);
cc2eadde MW	286	}
cc2eadde MW	287
c817e7bb TB	288	METHOD(ike_mobike_t, transmit, void,
c817e7bb TB	289	private_ike_mobike_t this, packet_t packet)
5474dc65 MW	290	{
	291	host_t me, other, me_old, other_old;
	292	iterator_t *iterator;
cc2eadde	293	ike_cfg_t *ike_cfg;
5474dc65	294	packet_t *copy;
7daf5226	295
5474dc65 MW	296	if (!this->check)
	297	{
	298	return;
	299	}
	300
	301	me_old = this->ike_sa->get_my_host(this->ike_sa);
	302	other_old = this->ike_sa->get_other_host(this->ike_sa);
cc2eadde	303	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
7daf5226	304
f6659688 TB	305	me = hydra->kernel_interface->get_source_addr(
f6659688 TB	306	hydra->kernel_interface, other_old, NULL);
5474dc65 MW	307	if (me)
5474dc65 MW	308	{
be901342	309	apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
387a6e6c MW	310	DBG1(DBG_IKE, "checking original path %#H - %#H", me, other_old);
	311	copy = packet->clone(packet);
	312	copy->set_source(copy, me);
	313	charon->sender->send(charon->sender, copy);
5474dc65	314	}
7daf5226	315
5474dc65 MW	316	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
	317	while (iterator->iterate(iterator, (void**)&other))
	318	{
f6659688 TB	319	me = hydra->kernel_interface->get_source_addr(
f6659688 TB	320	hydra->kernel_interface, other, NULL);
5474dc65 MW	321	if (me)
5474dc65 MW	322	{
de3d65a1 MW	323	if (me->get_family(me) != other->get_family(other))
	324	{
	325	me->destroy(me);
	326	continue;
	327	}
5474dc65	328	/* reuse port for an active address, 4500 otherwise */
be901342	329	apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
5474dc65	330	other = other->clone(other);
be901342	331	apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg));
d9d69536	332	DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
5474dc65 MW	333	copy = packet->clone(packet);
	334	copy->set_source(copy, me);
	335	copy->set_destination(copy, other);
	336	charon->sender->send(charon->sender, copy);
	337	}
	338	}
	339	iterator->destroy(iterator);
	340	}
	341
c817e7bb TB	342	METHOD(task_t, build_i, status_t,
c817e7bb TB	343	private_ike_mobike_t this, message_t message)
17d92e97	344	{
31e7dc4d TB	345	if (message->get_exchange_type(message) == IKE_AUTH &&
31e7dc4d TB	346	message->get_message_id(message) == 1)
a44bb934	347	{ /* only in first IKE_AUTH */
17d92e97 MW	348	message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
	349	build_address_list(this, message);
	350	}
c8739590	351	else if (message->get_exchange_type(message) == INFORMATIONAL)
3bc62fe7	352	{
f0974eb2	353	host_t old, new;
7daf5226 MW	354
7daf5226 MW	355	/* we check if the existing address is still valid */
f0974eb2	356	old = message->get_source(message);
f6659688	357	new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
f0974eb2 MW	358	message->get_destination(message), old);
	359	if (new)
	360	{
	361	if (!new->ip_equals(new, old))
	362	{
	363	new->set_port(new, old->get_port(old));
	364	message->set_source(message, new);
	365	}
	366	else
	367	{
	368	new->destroy(new);
	369	}
	370	}
5474dc65	371	if (this->update)
fc2d1c42	372	{
31e7dc4d TB	373	message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
31e7dc4d TB	374	chunk_empty);
85a119bc	375	build_cookie(this, message);
5474dc65	376	update_children(this);
fc2d1c42	377	}
3bc62fe7 MW	378	if (this->address)
	379	{
	380	build_address_list(this, message);
	381	}
5474dc65 MW	382	if (this->natd)
	383	{
	384	this->natd->task.build(&this->natd->task, message);
	385	}
4cb9d7a7	386	}
17d92e97 MW	387	return NEED_MORE;
	388	}
	389
c817e7bb TB	390	METHOD(task_t, process_r, status_t,
c817e7bb TB	391	private_ike_mobike_t this, message_t message)
4cb9d7a7	392	{
31e7dc4d TB	393	if (message->get_exchange_type(message) == IKE_AUTH &&
31e7dc4d TB	394	message->get_message_id(message) == 1)
a44bb934	395	{ /* only first IKE_AUTH */
4cb9d7a7 MW	396	process_payloads(this, message);
4cb9d7a7 MW	397	}
fc2d1c42 MW	398	else if (message->get_exchange_type(message) == INFORMATIONAL)
	399	{
	400	process_payloads(this, message);
5474dc65	401	if (this->update)
3bc62fe7 MW	402	{
3bc62fe7 MW	403	host_t me, other;
7daf5226	404
3bc62fe7 MW	405	me = message->get_destination(message);
	406	other = message->get_source(message);
	407	this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
	408	this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
	409	}
7daf5226	410
fc2d1c42 MW	411	if (this->natd)
	412	{
	413	this->natd->task.process(&this->natd->task, message);
	414	}
	415	}
17d92e97 MW	416	return NEED_MORE;
	417	}
	418
c817e7bb TB	419	METHOD(task_t, build_r, status_t,
c817e7bb TB	420	private_ike_mobike_t this, message_t message)
17d92e97 MW	421	{
17d92e97 MW	422	if (message->get_exchange_type(message) == IKE_AUTH &&
b8249ff5	423	this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
17d92e97 MW	424	{
	425	if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
	426	{
	427	message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
	428	build_address_list(this, message);
	429	}
	430	return SUCCESS;
	431	}
2b3100b5 MW	432	else if (message->get_exchange_type(message) == INFORMATIONAL)
2b3100b5 MW	433	{
fc2d1c42 MW	434	if (this->natd)
	435	{
	436	this->natd->task.build(&this->natd->task, message);
	437	}
85a119bc MW	438	if (this->cookie2.ptr)
	439	{
	440	message->add_notify(message, FALSE, COOKIE2, this->cookie2);
	441	chunk_free(&this->cookie2);
	442	}
5474dc65	443	if (this->update)
3bc62fe7 MW	444	{
	445	update_children(this);
	446	}
2b3100b5 MW	447	return SUCCESS;
2b3100b5 MW	448	}
17d92e97 MW	449	return NEED_MORE;
	450	}
	451
c817e7bb TB	452	METHOD(task_t, process_i, status_t,
c817e7bb TB	453	private_ike_mobike_t this, message_t message)
17d92e97 MW	454	{
17d92e97 MW	455	if (message->get_exchange_type(message) == IKE_AUTH &&
b8249ff5	456	this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
17d92e97 MW	457	{
	458	process_payloads(this, message);
	459	return SUCCESS;
	460	}
2b3100b5 MW	461	else if (message->get_exchange_type(message) == INFORMATIONAL)
2b3100b5 MW	462	{
3bc62fe7 MW	463	u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
	464	this->ike_sa->set_pending_updates(this->ike_sa, updates);
	465	if (updates > 0)
	466	{
	467	/* newer update queued, ignore this one */
	468	return SUCCESS;
	469	}
85a119bc	470	if (this->cookie2.ptr)
9d9a772e	471	{ /* check cookie if we included one */
85a119bc	472	chunk_t cookie2;
7daf5226	473
85a119bc MW	474	cookie2 = this->cookie2;
	475	this->cookie2 = chunk_empty;
	476	process_payloads(this, message);
	477	if (!chunk_equals(cookie2, this->cookie2))
	478	{
	479	chunk_free(&cookie2);
	480	DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
	481	return FAILED;
	482	}
	483	chunk_free(&cookie2);
	484	}
	485	else
	486	{
	487	process_payloads(this, message);
	488	}
fc2d1c42 MW	489	if (this->natd)
	490	{
	491	this->natd->task.process(&this->natd->task, message);
9d9a772e MW	492	if (this->natd->has_mapping_changed(this->natd))
	493	{
	494	/* force an update if mappings have changed */
	495	this->update = this->check = TRUE;
	496	DBG1(DBG_IKE, "detected changes in NAT mappings, "
	497	"initiating MOBIKE update");
	498	}
fc2d1c42	499	}
5474dc65	500	if (this->update)
3bc62fe7 MW	501	{
	502	/* update again, as NAT state may have changed */
	503	update_children(this);
	504	}
5474dc65 MW	505	if (this->check)
	506	{
	507	host_t me_new, me_old, other_new, other_old;
7daf5226	508
5474dc65 MW	509	me_new = message->get_destination(message);
	510	other_new = message->get_source(message);
	511	me_old = this->ike_sa->get_my_host(this->ike_sa);
	512	other_old = this->ike_sa->get_other_host(this->ike_sa);
7daf5226	513
5474dc65 MW	514	if (!me_new->equals(me_new, me_old))
	515	{
	516	this->update = TRUE;
	517	this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
7daf5226	518	}
5474dc65 MW	519	if (!other_new->equals(other_new, other_old))
	520	{
	521	this->update = TRUE;
	522	this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
	523	}
	524	if (this->update)
	525	{
	526	/* start the update with the same task */
	527	this->check = FALSE;
	528	this->address = FALSE;
12d4186f MW	529	if (this->natd)
	530	{
	531	this->natd->task.destroy(&this->natd->task);
	532	}
12fa4387	533	this->natd = ike_natd_create(this->ike_sa, this->initiator);
5474dc65 MW	534	this->ike_sa->set_pending_updates(this->ike_sa, 1);
	535	return NEED_MORE;
	536	}
	537	}
2b3100b5 MW	538	return SUCCESS;
2b3100b5 MW	539	}
17d92e97 MW	540	return NEED_MORE;
	541	}
	542
c817e7bb TB	543	METHOD(ike_mobike_t, roam, void,
c817e7bb TB	544	private_ike_mobike_t *this, bool address)
17d92e97	545	{
5474dc65	546	this->check = TRUE;
3bc62fe7	547	this->address = address;
7daf5226	548	this->ike_sa->set_pending_updates(this->ike_sa,
c817e7bb	549	this->ike_sa->get_pending_updates(this->ike_sa) + 1);
17d92e97 MW	550	}
17d92e97 MW	551
c817e7bb TB	552	METHOD(ike_mobike_t, dpd, void,
c817e7bb TB	553	private_ike_mobike_t *this)
9d9a772e MW	554	{
	555	if (!this->natd)
	556	{
	557	this->natd = ike_natd_create(this->ike_sa, this->initiator);
	558	}
	559	this->address = FALSE;
7daf5226	560	this->ike_sa->set_pending_updates(this->ike_sa,
c817e7bb	561	this->ike_sa->get_pending_updates(this->ike_sa) + 1);
9d9a772e MW	562	}
9d9a772e MW	563
c817e7bb TB	564	METHOD(ike_mobike_t, is_probing, bool,
c817e7bb TB	565	private_ike_mobike_t *this)
f215e919 MW	566	{
	567	return this->check;
	568	}
	569
c817e7bb TB	570	METHOD(task_t, get_type, task_type_t,
c817e7bb TB	571	private_ike_mobike_t *this)
17d92e97 MW	572	{
	573	return IKE_MOBIKE;
	574	}
	575
c817e7bb TB	576	METHOD(task_t, migrate, void,
c817e7bb TB	577	private_ike_mobike_t this, ike_sa_t ike_sa)
17d92e97	578	{
4cb9d7a7	579	chunk_free(&this->cookie2);
17d92e97	580	this->ike_sa = ike_sa;
4cb9d7a7 MW	581	if (this->natd)
	582	{
	583	this->natd->task.migrate(&this->natd->task, ike_sa);
	584	}
17d92e97 MW	585	}
17d92e97 MW	586
c817e7bb TB	587	METHOD(task_t, destroy, void,
c817e7bb TB	588	private_ike_mobike_t *this)
17d92e97	589	{
4cb9d7a7 MW	590	chunk_free(&this->cookie2);
	591	if (this->natd)
	592	{
	593	this->natd->task.destroy(&this->natd->task);
	594	}
17d92e97 MW	595	free(this);
	596	}
	597
	598	/*
	599	* Described in header.
	600	*/
	601	ike_mobike_t ike_mobike_create(ike_sa_t ike_sa, bool initiator)
	602	{
c817e7bb TB	603	private_ike_mobike_t *this;
	604
	605	INIT(this,
	606	.public = {
	607	.task = {
	608	.get_type = _get_type,
	609	.migrate = _migrate,
	610	.destroy = _destroy,
	611	},
	612	.roam = _roam,
	613	.dpd = _dpd,
	614	.transmit = _transmit,
	615	.is_probing = _is_probing,
	616	},
	617	.ike_sa = ike_sa,
	618	.initiator = initiator,
	619	.address = TRUE,
	620	);
7daf5226	621
17d92e97 MW	622	if (initiator)
17d92e97 MW	623	{
c817e7bb TB	624	this->public.task.build = _build_i;
c817e7bb TB	625	this->public.task.process = _process_i;
17d92e97 MW	626	}
	627	else
	628	{
c817e7bb TB	629	this->public.task.build = _build_r;
c817e7bb TB	630	this->public.task.process = _process_r;
17d92e97	631	}
7daf5226	632
17d92e97 MW	633	return &this->public;
	634	}
	635