/*
- * Copyright (C) 2010-2014 Tobias Brunner
+ * Copyright (C) 2010-2020 Tobias Brunner
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) secunet Security Networks AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
#include <string.h>
-#include <hydra.h>
#include <daemon.h>
#include <sa/ikev2/tasks/ike_natd.h>
#include <encoding/payloads/notify_payload.h>
* additional addresses got updated
*/
bool addresses_updated;
-
- /**
- * whether the pending updates counter was increased
- */
- bool pending_update;
};
+/**
+ * Check if a newer MOBIKE update task is queued
+ */
+static bool is_newer_update_queued(private_ike_mobike_t *this)
+{
+ enumerator_t *enumerator;
+ private_ike_mobike_t *mobike;
+ task_t *task;
+ bool found = FALSE;
+
+ enumerator = this->ike_sa->create_task_enumerator(this->ike_sa,
+ TASK_QUEUE_QUEUED);
+ while (enumerator->enumerate(enumerator, &task))
+ {
+ if (task->get_type(task) == TASK_IKE_MOBIKE)
+ {
+ mobike = (private_ike_mobike_t*)task;
+ /* a queued check or update might invalidate the results of the
+ * current task */
+ found = mobike->check || mobike->update;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return found;
+}
+
/**
* read notifys from message and evaluate them
*/
case NAT_DETECTION_DESTINATION_IP:
{
/* NAT check in this MOBIKE exchange, create subtask for it */
- if (this->natd == NULL)
+ if (!this->natd)
{
this->natd = ike_natd_create(this->ike_sa, this->initiator);
}
int added = 0;
me = this->ike_sa->get_my_host(this->ike_sa);
- enumerator = hydra->kernel_interface->create_address_enumerator(
- hydra->kernel_interface, ADDR_TYPE_REGULAR);
+ enumerator = charon->kernel->create_address_enumerator(charon->kernel,
+ ADDR_TYPE_REGULAR);
while (enumerator->enumerate(enumerator, (void**)&host))
{
if (me->ip_equals(me, host))
return TRUE;
}
-/**
- * update addresses of associated CHILD_SAs
- */
-static void update_children(private_ike_mobike_t *this)
-{
- enumerator_t *enumerator;
- child_sa_t *child_sa;
- linked_list_t *vips;
- host_t *host;
-
- vips = linked_list_create();
-
- enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
- while (enumerator->enumerate(enumerator, &host))
- {
- vips->insert_last(vips, host);
- }
- enumerator->destroy(enumerator);
-
- enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
- while (enumerator->enumerate(enumerator, (void**)&child_sa))
- {
- if (child_sa->update(child_sa,
- this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa), vips,
- this->ike_sa->has_condition(this->ike_sa,
- COND_NAT_ANY)) == NOT_SUPPORTED)
- {
- this->ike_sa->rekey_child_sa(this->ike_sa,
- child_sa->get_protocol(child_sa),
- child_sa->get_spi(child_sa, TRUE));
- }
- }
- enumerator->destroy(enumerator);
-
- vips->destroy(vips);
-}
-
/**
* Apply the port of the old host, if its ip equals the new, use port otherwise.
*/
-static void apply_port(host_t *host, host_t *old, u_int16_t port, bool local)
+static void apply_port(host_t *host, host_t *old, uint16_t port, bool local)
{
if (host->ip_equals(host, old))
{
host->set_port(host, port);
}
-METHOD(ike_mobike_t, transmit, void,
+METHOD(ike_mobike_t, transmit, bool,
private_ike_mobike_t *this, packet_t *packet)
{
host_t *me, *other, *me_old, *other_old;
ike_cfg_t *ike_cfg;
packet_t *copy;
int family = AF_UNSPEC;
+ bool found = FALSE;
+
+ me_old = this->ike_sa->get_my_host(this->ike_sa);
+ other_old = this->ike_sa->get_other_host(this->ike_sa);
+ ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
if (!this->check)
{
- return;
+ me = charon->kernel->get_source_addr(charon->kernel, other_old, me_old);
+ if (me)
+ {
+ if (me->ip_equals(me, me_old))
+ {
+ copy = packet->clone(packet);
+ /* hosts might have been updated by a peer's MOBIKE exchange */
+ copy->set_source(copy, me_old->clone(me_old));
+ copy->set_destination(copy, other_old->clone(other_old));
+ charon->sender->send(charon->sender, copy);
+ me->destroy(me);
+ return TRUE;
+ }
+ me->destroy(me);
+ }
+ this->check = TRUE;
}
switch (charon->socket->supported_families(charon->socket))
break;
}
- me_old = this->ike_sa->get_my_host(this->ike_sa);
- other_old = this->ike_sa->get_other_host(this->ike_sa);
- ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
-
enumerator = this->ike_sa->create_peer_address_enumerator(this->ike_sa);
while (enumerator->enumerate(enumerator, (void**)&other))
{
{
continue;
}
- me = hydra->kernel_interface->get_source_addr(
- hydra->kernel_interface, other, NULL);
+ me = charon->kernel->get_source_addr(charon->kernel, other, NULL);
if (me)
{
/* reuse port for an active address, 4500 otherwise */
copy->set_source(copy, me);
copy->set_destination(copy, other);
charon->sender->send(charon->sender, copy);
+ found = TRUE;
}
}
enumerator->destroy(enumerator);
+ return found;
}
METHOD(task_t, build_i, status_t,
{
host_t *old, *new;
+ /* this task might have been queued before we knew if MOBIKE will be
+ * supported */
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+ {
+ message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
+ return SUCCESS;
+ }
+
/* we check if the existing address is still valid */
old = message->get_source(message);
- new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+ new = charon->kernel->get_source_addr(charon->kernel,
message->get_destination(message), old);
if (new)
{
{
return FAILED;
}
- update_children(this);
}
if (this->address && !this->check)
{
}
else if (message->get_exchange_type(message) == INFORMATIONAL)
{
- process_payloads(this, message);
- if (this->update)
- {
- host_t *me, *other;
+ host_t *me_new = NULL, *other, *other_old, *other_new = NULL;
- me = message->get_destination(message);
- other = message->get_source(message);
- this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
- this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
- }
+ process_payloads(this, message);
if (this->natd)
{
this->natd->task.process(&this->natd->task, message);
}
- if (this->addresses_updated && this->ike_sa->has_condition(this->ike_sa,
- COND_ORIGINAL_INITIATOR))
+
+ if (this->update)
+ {
+ me_new = message->get_destination(message);
+ other_new = message->get_source(message);
+ }
+ else if (this->addresses_updated &&
+ this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
{
- host_t *other = message->get_source(message);
- host_t *other_old = this->ike_sa->get_other_host(this->ike_sa);
+ other = message->get_source(message);
+ other_old = this->ike_sa->get_other_host(this->ike_sa);
if (!other->equals(other, other_old))
{
- DBG1(DBG_IKE, "remote address changed from %H to %H", other_old,
- other);
- this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
- this->update = TRUE;
+ other_new = other;
+ /* our address might have changed too if the responder used
+ * a different address from our list to reach us */
+ me_new = message->get_destination(message);
}
}
+
+ if (me_new || other_new)
+ {
+ this->ike_sa->update_hosts(this->ike_sa, me_new,
+ other_new, UPDATE_HOSTS_FORCE_ALL);
+ }
}
return NEED_MORE;
}
message->add_notify(message, FALSE, COOKIE2, this->cookie2);
chunk_free(&this->cookie2);
}
- if (this->update)
- {
- update_children(this);
- }
return SUCCESS;
}
return NEED_MORE;
}
else if (message->get_exchange_type(message) == INFORMATIONAL)
{
- if (this->ike_sa->get_pending_updates(this->ike_sa) > 1)
+ bool force = FALSE;
+
+ if (is_newer_update_queued(this))
{
- /* newer update queued, ignore this one */
return SUCCESS;
}
if (this->cookie2.ptr)
cookie2 = this->cookie2;
this->cookie2 = chunk_empty;
process_payloads(this, message);
- if (!chunk_equals(cookie2, this->cookie2))
+ if (!chunk_equals_const(cookie2, this->cookie2))
{
chunk_free(&cookie2);
DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
if (this->natd)
{
this->natd->task.process(&this->natd->task, message);
- if (this->natd->has_mapping_changed(this->natd))
- {
- /* force an update if mappings have changed */
- this->update = this->check = TRUE;
+
+ if (this->update)
+ { /* update children again, as NAT state may have changed */
+ this->ike_sa->update_hosts(this->ike_sa, NULL, NULL,
+ UPDATE_HOSTS_FORCE_CHILDREN);
+ }
+ else if (this->natd->has_mapping_changed(this->natd))
+ { /* force a check/update if mappings have changed during a DPD */
+ force = TRUE;
+ this->check = TRUE;
DBG1(DBG_IKE, "detected changes in NAT mappings, "
"initiating MOBIKE update");
}
}
- if (this->update)
- {
- /* update again, as NAT state may have changed */
- update_children(this);
- }
if (this->check)
{
- host_t *me_new, *me_old, *other_new, *other_old;
+ host_t *me, *me_new = NULL, *other, *other_new = NULL;
- me_new = message->get_destination(message);
- other_new = message->get_source(message);
- me_old = this->ike_sa->get_my_host(this->ike_sa);
- other_old = this->ike_sa->get_other_host(this->ike_sa);
+ me = message->get_destination(message);
+ other = message->get_source(message);
- if (!me_new->equals(me_new, me_old))
+ if (!me->equals(me, this->ike_sa->get_my_host(this->ike_sa)))
{
- this->update = TRUE;
- this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
+ me_new = me;
}
- if (!other_new->equals(other_new, other_old))
+ if (!other->equals(other, this->ike_sa->get_other_host(this->ike_sa)))
{
- this->update = TRUE;
- this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
+ other_new = other;
}
- if (this->update)
+ if (me_new || other_new || force)
{
+ this->ike_sa->update_hosts(this->ike_sa, me_new, other_new,
+ UPDATE_HOSTS_FORCE_ALL);
/* use the same task to ... */
if (!this->ike_sa->has_condition(this->ike_sa,
COND_ORIGINAL_INITIATOR))
{ /*... send an updated list of addresses as responder */
- update_children(this);
- this->update = FALSE;
+ this->address = TRUE;
}
else
{ /* ... send the update as original initiator */
+ this->update = TRUE;
if (this->natd)
{
this->natd->task.destroy(&this->natd->task);
private_ike_mobike_t *this)
{
this->address = TRUE;
- if (!this->pending_update)
- {
- this->pending_update = TRUE;
- this->ike_sa->set_pending_updates(this->ike_sa,
- this->ike_sa->get_pending_updates(this->ike_sa) + 1);
- }
}
METHOD(ike_mobike_t, roam, void,
private_ike_mobike_t *this, bool address)
{
this->check = TRUE;
- this->address = address;
- if (!this->pending_update)
- {
- this->pending_update = TRUE;
- this->ike_sa->set_pending_updates(this->ike_sa,
- this->ike_sa->get_pending_updates(this->ike_sa) + 1);
- }
+ this->address |= address;
}
METHOD(ike_mobike_t, dpd, void,
private_ike_mobike_t *this)
{
- if (!this->natd)
+ if (!this->natd && this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
{
this->natd = ike_natd_create(this->ike_sa, this->initiator);
}
- if (!this->pending_update)
- {
- this->pending_update = TRUE;
- this->ike_sa->set_pending_updates(this->ike_sa,
- this->ike_sa->get_pending_updates(this->ike_sa) + 1);
- }
}
METHOD(ike_mobike_t, is_probing, bool,
return this->check;
}
+METHOD(ike_mobike_t, enable_probing, void,
+ private_ike_mobike_t *this)
+{
+ this->check = TRUE;
+}
+
METHOD(task_t, get_type, task_type_t,
private_ike_mobike_t *this)
{
{
this->natd->task.migrate(&this->natd->task, ike_sa);
}
- if (this->pending_update)
- {
- this->ike_sa->set_pending_updates(this->ike_sa,
- this->ike_sa->get_pending_updates(this->ike_sa) + 1);
- }
}
METHOD(task_t, destroy, void,
private_ike_mobike_t *this)
{
- if (this->pending_update)
- {
- this->ike_sa->set_pending_updates(this->ike_sa,
- this->ike_sa->get_pending_updates(this->ike_sa) - 1);
- }
chunk_free(&this->cookie2);
if (this->natd)
{
.dpd = _dpd,
.transmit = _transmit,
.is_probing = _is_probing,
+ .enable_probing = _enable_probing,
},
.ike_sa = ike_sa,
.initiator = initiator,
projects / thirdparty / strongswan.git / blobdiff