[thirdparty/strongswan.git] / src / libcharon / sa / tasks / ike_mobike.c

/*
 * Copyright (C) 2010-2012 Tobias Brunner
 * Copyright (C) 2007 Martin Willi
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "ike_mobike.h"

#include <string.h>

#include <hydra.h>
#include <daemon.h>
#include <sa/tasks/ike_natd.h>
#include <encoding/payloads/notify_payload.h>

#define COOKIE2_SIZE 16
#define MAX_ADDITIONAL_ADDRS 8

typedef struct private_ike_mobike_t private_ike_mobike_t;

/**
 * Private members of a ike_mobike_t task.
 */
struct private_ike_mobike_t {

	/**
	 * Public methods and task_t interface.
	 */
	ike_mobike_t public;

	/**
	 * Assigned IKE_SA.
	 */
	ike_sa_t *ike_sa;

	/**
	 * Are we the initiator?
	 */
	bool initiator;

	/**
	 * cookie2 value to verify new addresses
	 */
	chunk_t cookie2;

	/**
	 * NAT discovery reusing the IKE_NATD task
	 */
	ike_natd_t *natd;

	/**
	 * use task to update addresses
	 */
	bool update;

	/**
	 * do routability check
	 */
	bool check;

	/**
	 * include address list update
	 */
	bool address;

	/**
	 * additional addresses got updated
	 */
	bool addresses_updated;
};

/**
 * read notifys from message and evaluate them
 */
static void process_payloads(private_ike_mobike_t *this, message_t *message)
{
	enumerator_t *enumerator;
	payload_t *payload;
	bool first = TRUE;

	enumerator = message->create_payload_enumerator(message);
	while (enumerator->enumerate(enumerator, &payload))
	{
		int family = AF_INET;
		notify_payload_t *notify;
		chunk_t data;
		host_t *host;

		if (payload->get_type(payload) != NOTIFY)
		{
			continue;
		}
		notify = (notify_payload_t*)payload;
		switch (notify->get_notify_type(notify))
		{
			case MOBIKE_SUPPORTED:
			{
				peer_cfg_t *peer_cfg;

				peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
				if (!this->initiator &&
					peer_cfg && !peer_cfg->use_mobike(peer_cfg))
				{
					DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
				}
				else
				{
					DBG1(DBG_IKE, "peer supports MOBIKE");
					this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
				}
				break;
			}
			case COOKIE2:
			{
				chunk_free(&this->cookie2);
				this->cookie2 = chunk_clone(notify->get_notification_data(notify));
				break;
			}
			case ADDITIONAL_IP6_ADDRESS:
			{
				family = AF_INET6;
				/* fall through */
			}
			case ADDITIONAL_IP4_ADDRESS:
			{
				if (first)
				{	/* an ADDITIONAL_*_ADDRESS means replace, so flush once */
					this->ike_sa->clear_peer_addresses(this->ike_sa);
					first = FALSE;
					/* add the peer's current address to the list */
					host = this->ike_sa->get_other_host(this->ike_sa);
					this->ike_sa->add_peer_address(this->ike_sa,
												   host->clone(host));
				}
				data = notify->get_notification_data(notify);
				host = host_create_from_chunk(family, data, 0);
				DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
				this->ike_sa->add_peer_address(this->ike_sa, host);
				this->addresses_updated = TRUE;
				break;
			}
			case UPDATE_SA_ADDRESSES:
			{
				this->update = TRUE;
				break;
			}
			case NO_ADDITIONAL_ADDRESSES:
			{
				this->ike_sa->clear_peer_addresses(this->ike_sa);
				/* add the peer's current address to the list */
				host = this->ike_sa->get_other_host(this->ike_sa);
				this->ike_sa->add_peer_address(this->ike_sa, host->clone(host));
				this->addresses_updated = TRUE;
				break;
			}
			case NAT_DETECTION_SOURCE_IP:
			case NAT_DETECTION_DESTINATION_IP:
			{
				/* NAT check in this MOBIKE exchange, create subtask for it */
				if (this->natd == NULL)
				{
					this->natd = ike_natd_create(this->ike_sa, this->initiator);
				}
				break;
			}
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);
}

/**
 * Add ADDITIONAL_*_ADDRESS notifys depending on our address list
 */
static void build_address_list(private_ike_mobike_t *this, message_t *message)
{
	enumerator_t *enumerator;
	host_t *host, *me;
	notify_type_t type;
	int added = 0;

	me = this->ike_sa->get_my_host(this->ike_sa);
	enumerator = hydra->kernel_interface->create_address_enumerator(
										hydra->kernel_interface, FALSE, FALSE);
	while (enumerator->enumerate(enumerator, (void**)&host))
	{
		if (me->ip_equals(me, host))
		{	/* "ADDITIONAL" means do not include IKE_SAs host */
			continue;
		}
		switch (host->get_family(host))
		{
			case AF_INET:
				type = ADDITIONAL_IP4_ADDRESS;
				break;
			case AF_INET6:
				type = ADDITIONAL_IP6_ADDRESS;
				break;
			default:
				continue;
		}
		message->add_notify(message, FALSE, type, host->get_address(host));
		if (++added >= MAX_ADDITIONAL_ADDRS)
		{	/* limit number of notifys, some implementations do not like too
			 * many of them (f.e. strongSwan ;-) */
			break;
		}
	}
	if (!added)
	{
		message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
	}
	enumerator->destroy(enumerator);
}

/**
 * build a cookie and add it to the message
 */
static void build_cookie(private_ike_mobike_t *this, message_t *message)
{
	rng_t *rng;

	chunk_free(&this->cookie2);
	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
	if (rng)
	{
		rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2);
		rng->destroy(rng);
		message->add_notify(message, FALSE, COOKIE2, this->cookie2);
	}
}

/**
 * update addresses of associated CHILD_SAs
 */
static void update_children(private_ike_mobike_t *this)
{
	enumerator_t *enumerator;
	child_sa_t *child_sa;

	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
	while (enumerator->enumerate(enumerator, (void**)&child_sa))
	{
		if (child_sa->update(child_sa,
				this->ike_sa->get_my_host(this->ike_sa),
				this->ike_sa->get_other_host(this->ike_sa),
				this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
				this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
		{
			this->ike_sa->rekey_child_sa(this->ike_sa,
					child_sa->get_protocol(child_sa),
					child_sa->get_spi(child_sa, TRUE));
		}
	}
	enumerator->destroy(enumerator);
}

/**
 * Apply the port of the old host, if its ip equals the new, use port otherwise.
 */
static void apply_port(host_t *host, host_t *old, u_int16_t port)
{
	if (host->ip_equals(host, old))
	{
		port = old->get_port(old);
	}
	else if (port == IKEV2_UDP_PORT)
	{
		port = IKEV2_NATT_PORT;
	}
	host->set_port(host, port);
}

METHOD(ike_mobike_t, transmit, void,
	   private_ike_mobike_t *this, packet_t *packet)
{
	host_t *me, *other, *me_old, *other_old;
	enumerator_t *enumerator;
	ike_cfg_t *ike_cfg;
	packet_t *copy;

	if (!this->check)
	{
		return;
	}

	me_old = this->ike_sa->get_my_host(this->ike_sa);
	other_old = this->ike_sa->get_other_host(this->ike_sa);
	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);

	me = hydra->kernel_interface->get_source_addr(
									hydra->kernel_interface, other_old, NULL);
	if (me)
	{
		apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
		DBG1(DBG_IKE, "checking original path %#H - %#H", me, other_old);
		copy = packet->clone(packet);
		copy->set_source(copy, me);
		charon->sender->send(charon->sender, copy);
	}

	enumerator = this->ike_sa->create_peer_address_enumerator(this->ike_sa);
	while (enumerator->enumerate(enumerator, (void**)&other))
	{
		me = hydra->kernel_interface->get_source_addr(
										hydra->kernel_interface, other, NULL);
		if (me)
		{
			if (me->get_family(me) != other->get_family(other))
			{
				me->destroy(me);
				continue;
			}
			/* reuse port for an active address, 4500 otherwise */
			apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
			other = other->clone(other);
			apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg));
			DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
			copy = packet->clone(packet);
			copy->set_source(copy, me);
			copy->set_destination(copy, other);
			charon->sender->send(charon->sender, copy);
		}
	}
	enumerator->destroy(enumerator);
}

METHOD(task_t, build_i, status_t,
	   private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		message->get_message_id(message) == 1)
	{	/* only in first IKE_AUTH */
		message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
		build_address_list(this, message);
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		host_t *old, *new;

		/* we check if the existing address is still valid */
		old = message->get_source(message);
		new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
										message->get_destination(message), old);
		if (new)
		{
			if (!new->ip_equals(new, old))
			{
				new->set_port(new, old->get_port(old));
				message->set_source(message, new);
			}
			else
			{
				new->destroy(new);
			}
		}
		if (this->update)
		{
			message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
								chunk_empty);
			build_cookie(this, message);
			update_children(this);
		}
		if (this->address && !this->check)
		{
			build_address_list(this, message);
		}
		if (this->natd)
		{
			this->natd->task.build(&this->natd->task, message);
		}
	}
	return NEED_MORE;
}

METHOD(task_t, process_r, status_t,
	   private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		message->get_message_id(message) == 1)
	{	/* only first IKE_AUTH */
		process_payloads(this, message);
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		process_payloads(this, message);
		if (this->update)
		{
			host_t *me, *other;

			me = message->get_destination(message);
			other = message->get_source(message);
			this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
			this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
		}

		if (this->natd)
		{
			this->natd->task.process(&this->natd->task, message);
		}
		if (this->addresses_updated && this->ike_sa->has_condition(this->ike_sa,
												COND_ORIGINAL_INITIATOR))
		{
			host_t *other = message->get_source(message);
			host_t *other_old = this->ike_sa->get_other_host(this->ike_sa);
			if (!other->equals(other, other_old))
			{
				DBG1(DBG_IKE, "remote address changed from %H to %H", other_old,
					 other);
				this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
				this->update = TRUE;
			}
		}
	}
	return NEED_MORE;
}

METHOD(task_t, build_r, status_t,
	   private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
	{
		if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
		{
			message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
			build_address_list(this, message);
		}
		return SUCCESS;
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		if (this->natd)
		{
			this->natd->task.build(&this->natd->task, message);
		}
		if (this->cookie2.ptr)
		{
			message->add_notify(message, FALSE, COOKIE2, this->cookie2);
			chunk_free(&this->cookie2);
		}
		if (this->update)
		{
			update_children(this);
		}
		return SUCCESS;
	}
	return NEED_MORE;
}

METHOD(task_t, process_i, status_t,
	   private_ike_mobike_t *this, message_t *message)
{
	if (message->get_exchange_type(message) == IKE_AUTH &&
		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
	{
		process_payloads(this, message);
		return SUCCESS;
	}
	else if (message->get_exchange_type(message) == INFORMATIONAL)
	{
		u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
		this->ike_sa->set_pending_updates(this->ike_sa, updates);
		if (updates > 0)
		{
			/* newer update queued, ignore this one */
			return SUCCESS;
		}
		if (this->cookie2.ptr)
		{	/* check cookie if we included one */
			chunk_t cookie2;

			cookie2 = this->cookie2;
			this->cookie2 = chunk_empty;
			process_payloads(this, message);
			if (!chunk_equals(cookie2, this->cookie2))
			{
				chunk_free(&cookie2);
				DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
				return FAILED;
			}
			chunk_free(&cookie2);
		}
		else
		{
			process_payloads(this, message);
		}
		if (this->natd)
		{
			this->natd->task.process(&this->natd->task, message);
			if (this->natd->has_mapping_changed(this->natd))
			{
				/* force an update if mappings have changed */
				this->update = this->check = TRUE;
				DBG1(DBG_IKE, "detected changes in NAT mappings, "
					 "initiating MOBIKE update");
			}
		}
		if (this->update)
		{
			/* update again, as NAT state may have changed */
			update_children(this);
		}
		if (this->check)
		{
			host_t *me_new, *me_old, *other_new, *other_old;

			me_new = message->get_destination(message);
			other_new = message->get_source(message);
			me_old = this->ike_sa->get_my_host(this->ike_sa);
			other_old = this->ike_sa->get_other_host(this->ike_sa);

			if (!me_new->equals(me_new, me_old))
			{
				this->update = TRUE;
				this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
			}
			if (!other_new->equals(other_new, other_old))
			{
				this->update = TRUE;
				this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
			}
			if (this->update)
			{
				/* use the same task to ... */
				if (!this->ike_sa->has_condition(this->ike_sa,
												 COND_ORIGINAL_INITIATOR))
				{	/*... send an updated list of addresses as responder */
					update_children(this);
					this->update = FALSE;
				}
				else
				{	/* ... send the update as original initiator */
					if (this->natd)
					{
						this->natd->task.destroy(&this->natd->task);
					}
					this->natd = ike_natd_create(this->ike_sa, this->initiator);
				}
				this->check = FALSE;
				this->ike_sa->set_pending_updates(this->ike_sa, 1);
				return NEED_MORE;
			}
		}
		return SUCCESS;
	}
	return NEED_MORE;
}

METHOD(ike_mobike_t, addresses, void,
	   private_ike_mobike_t *this)
{
	this->address = TRUE;
	this->ike_sa->set_pending_updates(this->ike_sa,
						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
}

METHOD(ike_mobike_t, roam, void,
	   private_ike_mobike_t *this, bool address)
{
	this->check = TRUE;
	this->address = address;
	this->ike_sa->set_pending_updates(this->ike_sa,
						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
}

METHOD(ike_mobike_t, dpd, void,
	   private_ike_mobike_t *this)
{
	if (!this->natd)
	{
		this->natd = ike_natd_create(this->ike_sa, this->initiator);
	}
	this->ike_sa->set_pending_updates(this->ike_sa,
						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
}

METHOD(ike_mobike_t, is_probing, bool,
	   private_ike_mobike_t *this)
{
	return this->check;
}

METHOD(task_t, get_type, task_type_t,
	   private_ike_mobike_t *this)
{
	return IKE_MOBIKE;
}

METHOD(task_t, migrate, void,
	   private_ike_mobike_t *this, ike_sa_t *ike_sa)
{
	chunk_free(&this->cookie2);
	this->ike_sa = ike_sa;
	if (this->natd)
	{
		this->natd->task.migrate(&this->natd->task, ike_sa);
	}
}

METHOD(task_t, destroy, void,
	   private_ike_mobike_t *this)
{
	chunk_free(&this->cookie2);
	if (this->natd)
	{
		this->natd->task.destroy(&this->natd->task);
	}
	free(this);
}

/*
 * Described in header.
 */
ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
{
	private_ike_mobike_t *this;

	INIT(this,
		.public = {
			.task = {
				.get_type = _get_type,
				.migrate = _migrate,
				.destroy = _destroy,
			},
			.addresses = _addresses,
			.roam = _roam,
			.dpd = _dpd,
			.transmit = _transmit,
			.is_probing = _is_probing,
		},
		.ike_sa = ike_sa,
		.initiator = initiator,
	);

	if (initiator)
	{
		this->public.task.build = _build_i;
		this->public.task.process = _process_i;
	}
	else
	{
		this->public.task.build = _build_r;
		this->public.task.process = _process_r;
	}

	return &this->public;
}
Commit	Line	Data
17d92e97	1	/*
94bbc602	2	* Copyright (C) 2010-2012 Tobias Brunner
17d92e97 MW	3	* Copyright (C) 2007 Martin Willi
	4	* Hochschule fuer Technik Rapperswil
	5	*
	6	* This program is free software; you can redistribute it and/or modify it
	7	* under the terms of the GNU General Public License as published by the
	8	* Free Software Foundation; either version 2 of the License, or (at your
	9	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	10	*
	11	* This program is distributed in the hope that it will be useful, but
	12	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	13	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	14	* for more details.
	15	*/
	16
	17	#include "ike_mobike.h"
	18
	19	#include <string.h>
	20
f6659688	21	#include <hydra.h>
17d92e97	22	#include <daemon.h>
4cb9d7a7	23	#include <sa/tasks/ike_natd.h>
17d92e97 MW	24	#include <encoding/payloads/notify_payload.h>
17d92e97 MW	25
85a119bc	26	#define COOKIE2_SIZE 16
a1466a3e	27	#define MAX_ADDITIONAL_ADDRS 8
17d92e97 MW	28
	29	typedef struct private_ike_mobike_t private_ike_mobike_t;
	30
	31	/**
	32	* Private members of a ike_mobike_t task.
	33	*/
	34	struct private_ike_mobike_t {
7daf5226	35
17d92e97 MW	36	/**
	37	* Public methods and task_t interface.
	38	*/
	39	ike_mobike_t public;
7daf5226	40
17d92e97 MW	41	/**
	42	* Assigned IKE_SA.
	43	*/
	44	ike_sa_t *ike_sa;
7daf5226	45
17d92e97 MW	46	/**
	47	* Are we the initiator?
	48	*/
	49	bool initiator;
7daf5226	50
17d92e97	51	/**
3bc62fe7	52	* cookie2 value to verify new addresses
17d92e97	53	*/
3bc62fe7	54	chunk_t cookie2;
7daf5226	55
17d92e97	56	/**
3bc62fe7	57	* NAT discovery reusing the IKE_NATD task
17d92e97	58	*/
3bc62fe7	59	ike_natd_t *natd;
7daf5226	60
4cb9d7a7	61	/**
3bc62fe7	62	* use task to update addresses
4cb9d7a7	63	*/
5474dc65	64	bool update;
7daf5226	65
5474dc65 MW	66	/**
	67	* do routability check
	68	*/
	69	bool check;
7daf5226	70
4cb9d7a7	71	/**
3bc62fe7	72	* include address list update
4cb9d7a7	73	*/
3bc62fe7	74	bool address;
769c69fa TB	75
	76	/**
	77	* additional addresses got updated
	78	*/
	79	bool addresses_updated;
17d92e97 MW	80	};
17d92e97 MW	81
17d92e97 MW	82	/**
	83	* read notifys from message and evaluate them
	84	*/
	85	static void process_payloads(private_ike_mobike_t this, message_t message)
	86	{
a44bb934	87	enumerator_t *enumerator;
17d92e97 MW	88	payload_t *payload;
17d92e97 MW	89	bool first = TRUE;
7daf5226	90
a44bb934 MW	91	enumerator = message->create_payload_enumerator(message);
a44bb934 MW	92	while (enumerator->enumerate(enumerator, &payload))
17d92e97 MW	93	{
	94	int family = AF_INET;
	95	notify_payload_t *notify;
	96	chunk_t data;
	97	host_t *host;
7daf5226	98
17d92e97 MW	99	if (payload->get_type(payload) != NOTIFY)
	100	{
	101	continue;
	102	}
	103	notify = (notify_payload_t*)payload;
	104	switch (notify->get_notify_type(notify))
	105	{
	106	case MOBIKE_SUPPORTED:
	107	{
78279973	108	peer_cfg_t *peer_cfg;
7daf5226	109
78279973	110	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
7daf5226	111	if (!this->initiator &&
78279973 MW	112	peer_cfg && !peer_cfg->use_mobike(peer_cfg))
	113	{
	114	DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
	115	}
	116	else
	117	{
	118	DBG1(DBG_IKE, "peer supports MOBIKE");
	119	this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
	120	}
17d92e97 MW	121	break;
17d92e97 MW	122	}
85a119bc MW	123	case COOKIE2:
	124	{
	125	chunk_free(&this->cookie2);
	126	this->cookie2 = chunk_clone(notify->get_notification_data(notify));
	127	break;
	128	}
17d92e97 MW	129	case ADDITIONAL_IP6_ADDRESS:
	130	{
	131	family = AF_INET6;
	132	/* fall through */
	133	}
	134	case ADDITIONAL_IP4_ADDRESS:
	135	{
	136	if (first)
	137	{ /* an ADDITIONAL__ADDRESS means replace, so flush once /
94bbc602	138	this->ike_sa->clear_peer_addresses(this->ike_sa);
4cb9d7a7	139	first = FALSE;
2fe624cc TB	140	/* add the peer's current address to the list */
2fe624cc TB	141	host = this->ike_sa->get_other_host(this->ike_sa);
94bbc602 TB	142	this->ike_sa->add_peer_address(this->ike_sa,
94bbc602 TB	143	host->clone(host));
17d92e97 MW	144	}
	145	data = notify->get_notification_data(notify);
	146	host = host_create_from_chunk(family, data, 0);
	147	DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
94bbc602	148	this->ike_sa->add_peer_address(this->ike_sa, host);
769c69fa	149	this->addresses_updated = TRUE;
17d92e97 MW	150	break;
17d92e97 MW	151	}
3bc62fe7 MW	152	case UPDATE_SA_ADDRESSES:
3bc62fe7 MW	153	{
5474dc65	154	this->update = TRUE;
3bc62fe7 MW	155	break;
3bc62fe7 MW	156	}
17d92e97 MW	157	case NO_ADDITIONAL_ADDRESSES:
17d92e97 MW	158	{
94bbc602	159	this->ike_sa->clear_peer_addresses(this->ike_sa);
2fe624cc TB	160	/* add the peer's current address to the list */
2fe624cc TB	161	host = this->ike_sa->get_other_host(this->ike_sa);
94bbc602	162	this->ike_sa->add_peer_address(this->ike_sa, host->clone(host));
769c69fa	163	this->addresses_updated = TRUE;
17d92e97 MW	164	break;
17d92e97 MW	165	}
fc2d1c42 MW	166	case NAT_DETECTION_SOURCE_IP:
	167	case NAT_DETECTION_DESTINATION_IP:
	168	{
	169	/* NAT check in this MOBIKE exchange, create subtask for it */
	170	if (this->natd == NULL)
	171	{
	172	this->natd = ike_natd_create(this->ike_sa, this->initiator);
	173	}
	174	break;
	175	}
17d92e97 MW	176	default:
	177	break;
	178	}
	179	}
a44bb934	180	enumerator->destroy(enumerator);
17d92e97 MW	181	}
	182
	183	/**
	184	* Add ADDITIONAL_*_ADDRESS notifys depending on our address list
	185	*/
	186	static void build_address_list(private_ike_mobike_t this, message_t message)
	187	{
507f26f6	188	enumerator_t *enumerator;
17d92e97 MW	189	host_t host, me;
17d92e97 MW	190	notify_type_t type;
a1466a3e	191	int added = 0;
7daf5226	192
17d92e97	193	me = this->ike_sa->get_my_host(this->ike_sa);
f6659688 TB	194	enumerator = hydra->kernel_interface->create_address_enumerator(
f6659688 TB	195	hydra->kernel_interface, FALSE, FALSE);
507f26f6	196	while (enumerator->enumerate(enumerator, (void**)&host))
17d92e97 MW	197	{
	198	if (me->ip_equals(me, host))
	199	{ /* "ADDITIONAL" means do not include IKE_SAs host */
	200	continue;
	201	}
	202	switch (host->get_family(host))
	203	{
	204	case AF_INET:
	205	type = ADDITIONAL_IP4_ADDRESS;
	206	break;
	207	case AF_INET6:
	208	type = ADDITIONAL_IP6_ADDRESS;
	209	break;
	210	default:
	211	continue;
	212	}
	213	message->add_notify(message, FALSE, type, host->get_address(host));
a1466a3e MW	214	if (++added >= MAX_ADDITIONAL_ADDRS)
	215	{ /* limit number of notifys, some implementations do not like too
	216	* many of them (f.e. strongSwan ;-) */
	217	break;
	218	}
17d92e97	219	}
a1466a3e	220	if (!added)
17d92e97 MW	221	{
	222	message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
	223	}
507f26f6	224	enumerator->destroy(enumerator);
17d92e97 MW	225	}
17d92e97 MW	226
85a119bc	227	/**
7daf5226	228	* build a cookie and add it to the message
85a119bc MW	229	*/
	230	static void build_cookie(private_ike_mobike_t this, message_t message)
	231	{
	232	rng_t *rng;
	233
	234	chunk_free(&this->cookie2);
	235	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
	236	if (rng)
	237	{
	238	rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2);
	239	rng->destroy(rng);
	240	message->add_notify(message, FALSE, COOKIE2, this->cookie2);
	241	}
	242	}
	243
3bc62fe7 MW	244	/**
	245	* update addresses of associated CHILD_SAs
	246	*/
	247	static void update_children(private_ike_mobike_t *this)
	248	{
4bbce1ef	249	enumerator_t *enumerator;
3bc62fe7	250	child_sa_t *child_sa;
7daf5226	251
4bbce1ef TB	252	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
4bbce1ef TB	253	while (enumerator->enumerate(enumerator, (void**)&child_sa))
3bc62fe7	254	{
3aaf7908	255	if (child_sa->update(child_sa,
7daf5226	256	this->ike_sa->get_my_host(this->ike_sa),
ea625fab TB	257	this->ike_sa->get_other_host(this->ike_sa),
	258	this->ike_sa->get_virtual_ip(this->ike_sa, TRUE),
	259	this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
	260	{
	261	this->ike_sa->rekey_child_sa(this->ike_sa,
	262	child_sa->get_protocol(child_sa),
	263	child_sa->get_spi(child_sa, TRUE));
	264	}
3bc62fe7	265	}
4bbce1ef	266	enumerator->destroy(enumerator);
3bc62fe7 MW	267	}
3bc62fe7 MW	268
cc2eadde	269	/**
be901342	270	* Apply the port of the old host, if its ip equals the new, use port otherwise.
cc2eadde	271	*/
be901342	272	static void apply_port(host_t host, host_t old, u_int16_t port)
cc2eadde MW	273	{
	274	if (host->ip_equals(host, old))
	275	{
be901342	276	port = old->get_port(old);
cc2eadde	277	}
be901342	278	else if (port == IKEV2_UDP_PORT)
cc2eadde	279	{
be901342	280	port = IKEV2_NATT_PORT;
cc2eadde	281	}
be901342	282	host->set_port(host, port);
cc2eadde MW	283	}
cc2eadde MW	284
c817e7bb TB	285	METHOD(ike_mobike_t, transmit, void,
c817e7bb TB	286	private_ike_mobike_t this, packet_t packet)
5474dc65 MW	287	{
5474dc65 MW	288	host_t me, other, me_old, other_old;
572abc6c	289	enumerator_t *enumerator;
cc2eadde	290	ike_cfg_t *ike_cfg;
5474dc65	291	packet_t *copy;
7daf5226	292
5474dc65 MW	293	if (!this->check)
	294	{
	295	return;
	296	}
	297
	298	me_old = this->ike_sa->get_my_host(this->ike_sa);
	299	other_old = this->ike_sa->get_other_host(this->ike_sa);
cc2eadde	300	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
7daf5226	301
f6659688 TB	302	me = hydra->kernel_interface->get_source_addr(
f6659688 TB	303	hydra->kernel_interface, other_old, NULL);
5474dc65 MW	304	if (me)
5474dc65 MW	305	{
be901342	306	apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
387a6e6c MW	307	DBG1(DBG_IKE, "checking original path %#H - %#H", me, other_old);
	308	copy = packet->clone(packet);
	309	copy->set_source(copy, me);
	310	charon->sender->send(charon->sender, copy);
5474dc65	311	}
7daf5226	312
94bbc602	313	enumerator = this->ike_sa->create_peer_address_enumerator(this->ike_sa);
572abc6c	314	while (enumerator->enumerate(enumerator, (void**)&other))
5474dc65	315	{
f6659688 TB	316	me = hydra->kernel_interface->get_source_addr(
f6659688 TB	317	hydra->kernel_interface, other, NULL);
5474dc65 MW	318	if (me)
5474dc65 MW	319	{
de3d65a1 MW	320	if (me->get_family(me) != other->get_family(other))
	321	{
	322	me->destroy(me);
	323	continue;
	324	}
5474dc65	325	/* reuse port for an active address, 4500 otherwise */
be901342	326	apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
5474dc65	327	other = other->clone(other);
be901342	328	apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg));
d9d69536	329	DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
5474dc65 MW	330	copy = packet->clone(packet);
	331	copy->set_source(copy, me);
	332	copy->set_destination(copy, other);
	333	charon->sender->send(charon->sender, copy);
	334	}
	335	}
572abc6c	336	enumerator->destroy(enumerator);
5474dc65 MW	337	}
5474dc65 MW	338
c817e7bb TB	339	METHOD(task_t, build_i, status_t,
c817e7bb TB	340	private_ike_mobike_t this, message_t message)
17d92e97	341	{
31e7dc4d TB	342	if (message->get_exchange_type(message) == IKE_AUTH &&
31e7dc4d TB	343	message->get_message_id(message) == 1)
a44bb934	344	{ /* only in first IKE_AUTH */
17d92e97 MW	345	message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
	346	build_address_list(this, message);
	347	}
c8739590	348	else if (message->get_exchange_type(message) == INFORMATIONAL)
3bc62fe7	349	{
f0974eb2	350	host_t old, new;
7daf5226 MW	351
7daf5226 MW	352	/* we check if the existing address is still valid */
f0974eb2	353	old = message->get_source(message);
f6659688	354	new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
f0974eb2 MW	355	message->get_destination(message), old);
	356	if (new)
	357	{
	358	if (!new->ip_equals(new, old))
	359	{
	360	new->set_port(new, old->get_port(old));
	361	message->set_source(message, new);
	362	}
	363	else
	364	{
	365	new->destroy(new);
	366	}
	367	}
5474dc65	368	if (this->update)
fc2d1c42	369	{
31e7dc4d TB	370	message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
31e7dc4d TB	371	chunk_empty);
85a119bc	372	build_cookie(this, message);
5474dc65	373	update_children(this);
fc2d1c42	374	}
1dbf0ed9	375	if (this->address && !this->check)
3bc62fe7 MW	376	{
	377	build_address_list(this, message);
	378	}
5474dc65 MW	379	if (this->natd)
	380	{
	381	this->natd->task.build(&this->natd->task, message);
	382	}
4cb9d7a7	383	}
17d92e97 MW	384	return NEED_MORE;
	385	}
	386
c817e7bb TB	387	METHOD(task_t, process_r, status_t,
c817e7bb TB	388	private_ike_mobike_t this, message_t message)
4cb9d7a7	389	{
31e7dc4d TB	390	if (message->get_exchange_type(message) == IKE_AUTH &&
31e7dc4d TB	391	message->get_message_id(message) == 1)
a44bb934	392	{ /* only first IKE_AUTH */
4cb9d7a7 MW	393	process_payloads(this, message);
4cb9d7a7 MW	394	}
fc2d1c42 MW	395	else if (message->get_exchange_type(message) == INFORMATIONAL)
	396	{
	397	process_payloads(this, message);
5474dc65	398	if (this->update)
3bc62fe7 MW	399	{
3bc62fe7 MW	400	host_t me, other;
7daf5226	401
3bc62fe7 MW	402	me = message->get_destination(message);
	403	other = message->get_source(message);
	404	this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
	405	this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
	406	}
7daf5226	407
fc2d1c42 MW	408	if (this->natd)
	409	{
	410	this->natd->task.process(&this->natd->task, message);
	411	}
769c69fa TB	412	if (this->addresses_updated && this->ike_sa->has_condition(this->ike_sa,
	413	COND_ORIGINAL_INITIATOR))
	414	{
	415	host_t *other = message->get_source(message);
	416	host_t *other_old = this->ike_sa->get_other_host(this->ike_sa);
	417	if (!other->equals(other, other_old))
	418	{
	419	DBG1(DBG_IKE, "remote address changed from %H to %H", other_old,
	420	other);
	421	this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
	422	this->update = TRUE;
	423	}
	424	}
fc2d1c42	425	}
17d92e97 MW	426	return NEED_MORE;
	427	}
	428
c817e7bb TB	429	METHOD(task_t, build_r, status_t,
c817e7bb TB	430	private_ike_mobike_t this, message_t message)
17d92e97 MW	431	{
17d92e97 MW	432	if (message->get_exchange_type(message) == IKE_AUTH &&
b8249ff5	433	this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
17d92e97 MW	434	{
	435	if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
	436	{
	437	message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
	438	build_address_list(this, message);
	439	}
	440	return SUCCESS;
	441	}
2b3100b5 MW	442	else if (message->get_exchange_type(message) == INFORMATIONAL)
2b3100b5 MW	443	{
fc2d1c42 MW	444	if (this->natd)
	445	{
	446	this->natd->task.build(&this->natd->task, message);
	447	}
85a119bc MW	448	if (this->cookie2.ptr)
	449	{
	450	message->add_notify(message, FALSE, COOKIE2, this->cookie2);
	451	chunk_free(&this->cookie2);
	452	}
5474dc65	453	if (this->update)
3bc62fe7 MW	454	{
	455	update_children(this);
	456	}
2b3100b5 MW	457	return SUCCESS;
2b3100b5 MW	458	}
17d92e97 MW	459	return NEED_MORE;
	460	}
	461
c817e7bb TB	462	METHOD(task_t, process_i, status_t,
c817e7bb TB	463	private_ike_mobike_t this, message_t message)
17d92e97 MW	464	{
17d92e97 MW	465	if (message->get_exchange_type(message) == IKE_AUTH &&
b8249ff5	466	this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
17d92e97 MW	467	{
	468	process_payloads(this, message);
	469	return SUCCESS;
	470	}
2b3100b5 MW	471	else if (message->get_exchange_type(message) == INFORMATIONAL)
2b3100b5 MW	472	{
3bc62fe7 MW	473	u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
	474	this->ike_sa->set_pending_updates(this->ike_sa, updates);
	475	if (updates > 0)
	476	{
	477	/* newer update queued, ignore this one */
	478	return SUCCESS;
	479	}
85a119bc	480	if (this->cookie2.ptr)
9d9a772e	481	{ /* check cookie if we included one */
85a119bc	482	chunk_t cookie2;
7daf5226	483
85a119bc MW	484	cookie2 = this->cookie2;
	485	this->cookie2 = chunk_empty;
	486	process_payloads(this, message);
	487	if (!chunk_equals(cookie2, this->cookie2))
	488	{
	489	chunk_free(&cookie2);
	490	DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
	491	return FAILED;
	492	}
	493	chunk_free(&cookie2);
	494	}
	495	else
	496	{
	497	process_payloads(this, message);
	498	}
fc2d1c42 MW	499	if (this->natd)
	500	{
	501	this->natd->task.process(&this->natd->task, message);
9d9a772e MW	502	if (this->natd->has_mapping_changed(this->natd))
	503	{
	504	/* force an update if mappings have changed */
	505	this->update = this->check = TRUE;
	506	DBG1(DBG_IKE, "detected changes in NAT mappings, "
	507	"initiating MOBIKE update");
	508	}
fc2d1c42	509	}
5474dc65	510	if (this->update)
3bc62fe7 MW	511	{
	512	/* update again, as NAT state may have changed */
	513	update_children(this);
	514	}
5474dc65 MW	515	if (this->check)
	516	{
	517	host_t me_new, me_old, other_new, other_old;
7daf5226	518
5474dc65 MW	519	me_new = message->get_destination(message);
	520	other_new = message->get_source(message);
	521	me_old = this->ike_sa->get_my_host(this->ike_sa);
	522	other_old = this->ike_sa->get_other_host(this->ike_sa);
7daf5226	523
5474dc65 MW	524	if (!me_new->equals(me_new, me_old))
	525	{
	526	this->update = TRUE;
	527	this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
7daf5226	528	}
5474dc65 MW	529	if (!other_new->equals(other_new, other_old))
	530	{
	531	this->update = TRUE;
	532	this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
	533	}
	534	if (this->update)
	535	{
1dbf0ed9	536	/* use the same task to ... */
c5770f86 TB	537	if (!this->ike_sa->has_condition(this->ike_sa,
c5770f86 TB	538	COND_ORIGINAL_INITIATOR))
1dbf0ed9	539	{ /... send an updated list of addresses as responder /
c5770f86	540	update_children(this);
1dbf0ed9	541	this->update = FALSE;
c5770f86	542	}
1dbf0ed9 TB	543	else
	544	{ /* ... send the update as original initiator */
	545	if (this->natd)
	546	{
	547	this->natd->task.destroy(&this->natd->task);
	548	}
	549	this->natd = ike_natd_create(this->ike_sa, this->initiator);
12d4186f	550	}
1dbf0ed9	551	this->check = FALSE;
5474dc65 MW	552	this->ike_sa->set_pending_updates(this->ike_sa, 1);
	553	return NEED_MORE;
	554	}
	555	}
2b3100b5 MW	556	return SUCCESS;
2b3100b5 MW	557	}
17d92e97 MW	558	return NEED_MORE;
	559	}
	560
13876431 TB	561	METHOD(ike_mobike_t, addresses, void,
	562	private_ike_mobike_t *this)
	563	{
	564	this->address = TRUE;
	565	this->ike_sa->set_pending_updates(this->ike_sa,
	566	this->ike_sa->get_pending_updates(this->ike_sa) + 1);
	567	}
	568
c817e7bb TB	569	METHOD(ike_mobike_t, roam, void,
c817e7bb TB	570	private_ike_mobike_t *this, bool address)
17d92e97	571	{
5474dc65	572	this->check = TRUE;
3bc62fe7	573	this->address = address;
7daf5226	574	this->ike_sa->set_pending_updates(this->ike_sa,
c817e7bb	575	this->ike_sa->get_pending_updates(this->ike_sa) + 1);
17d92e97 MW	576	}
17d92e97 MW	577
c817e7bb TB	578	METHOD(ike_mobike_t, dpd, void,
c817e7bb TB	579	private_ike_mobike_t *this)
9d9a772e MW	580	{
	581	if (!this->natd)
	582	{
	583	this->natd = ike_natd_create(this->ike_sa, this->initiator);
	584	}
7daf5226	585	this->ike_sa->set_pending_updates(this->ike_sa,
c817e7bb	586	this->ike_sa->get_pending_updates(this->ike_sa) + 1);
9d9a772e MW	587	}
9d9a772e MW	588
c817e7bb TB	589	METHOD(ike_mobike_t, is_probing, bool,
c817e7bb TB	590	private_ike_mobike_t *this)
f215e919 MW	591	{
	592	return this->check;
	593	}
	594
c817e7bb TB	595	METHOD(task_t, get_type, task_type_t,
c817e7bb TB	596	private_ike_mobike_t *this)
17d92e97 MW	597	{
	598	return IKE_MOBIKE;
	599	}
	600
c817e7bb TB	601	METHOD(task_t, migrate, void,
c817e7bb TB	602	private_ike_mobike_t this, ike_sa_t ike_sa)
17d92e97	603	{
4cb9d7a7	604	chunk_free(&this->cookie2);
17d92e97	605	this->ike_sa = ike_sa;
4cb9d7a7 MW	606	if (this->natd)
	607	{
	608	this->natd->task.migrate(&this->natd->task, ike_sa);
	609	}
17d92e97 MW	610	}
17d92e97 MW	611
c817e7bb TB	612	METHOD(task_t, destroy, void,
c817e7bb TB	613	private_ike_mobike_t *this)
17d92e97	614	{
4cb9d7a7 MW	615	chunk_free(&this->cookie2);
	616	if (this->natd)
	617	{
	618	this->natd->task.destroy(&this->natd->task);
	619	}
17d92e97 MW	620	free(this);
	621	}
	622
	623	/*
	624	* Described in header.
	625	*/
	626	ike_mobike_t ike_mobike_create(ike_sa_t ike_sa, bool initiator)
	627	{
c817e7bb TB	628	private_ike_mobike_t *this;
	629
	630	INIT(this,
	631	.public = {
	632	.task = {
	633	.get_type = _get_type,
	634	.migrate = _migrate,
	635	.destroy = _destroy,
	636	},
13876431	637	.addresses = _addresses,
c817e7bb TB	638	.roam = _roam,
	639	.dpd = _dpd,
	640	.transmit = _transmit,
	641	.is_probing = _is_probing,
	642	},
	643	.ike_sa = ike_sa,
	644	.initiator = initiator,
c817e7bb	645	);
7daf5226	646
17d92e97 MW	647	if (initiator)
17d92e97 MW	648	{
c817e7bb TB	649	this->public.task.build = _build_i;
c817e7bb TB	650	this->public.task.process = _process_i;
17d92e97 MW	651	}
	652	else
	653	{
c817e7bb TB	654	this->public.task.build = _build_r;
c817e7bb TB	655	this->public.task.process = _process_r;
17d92e97	656	}
7daf5226	657
17d92e97 MW	658	return &this->public;
	659	}
	660