diff options
Diffstat (limited to 'src/libcharon/sa')
28 files changed, 1112 insertions, 315 deletions
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 1245734c9..f02d836cf 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -824,8 +824,15 @@ METHOD(child_sa_t, add_policies, status_t, */ static void reinstall_vip(host_t *vip, host_t *me) { - hydra->kernel_interface->del_ip(hydra->kernel_interface, vip); - hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, me); + char *iface; + + if (hydra->kernel_interface->get_interface(hydra->kernel_interface, + me, &iface)) + { + hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE); + hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, -1, iface); + free(iface); + } } METHOD(child_sa_t, update, status_t, diff --git a/src/libcharon/sa/eap/eap_manager.c b/src/libcharon/sa/eap/eap_manager.c index 520c0ce56..1886307e9 100644 --- a/src/libcharon/sa/eap/eap_manager.c +++ b/src/libcharon/sa/eap/eap_manager.c @@ -16,7 +16,7 @@ #include "eap_manager.h" -#include <utils/linked_list.h> +#include <collections/linked_list.h> #include <threading/rwlock.h> typedef struct private_eap_manager_t private_eap_manager_t; diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 1d49acb52..4029db11d 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -26,7 +26,7 @@ #include <library.h> #include <hydra.h> #include <daemon.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> #include <utils/lexparser.h> #include <processing/jobs/retransmit_job.h> #include <processing/jobs/delete_ike_sa_job.h> @@ -741,15 +741,26 @@ METHOD(ike_sa_t, add_virtual_ip, void, { if (local) { - DBG1(DBG_IKE, "installing new virtual IP %H", ip); - if (hydra->kernel_interface->add_ip(hydra->kernel_interface, ip, - this->my_host) == SUCCESS) + char *iface; + + if (hydra->kernel_interface->get_interface(hydra->kernel_interface, + this->my_host, &iface)) { - this->my_vips->insert_last(this->my_vips, ip->clone(ip)); + DBG1(DBG_IKE, "installing new virtual IP %H", ip); + if (hydra->kernel_interface->add_ip(hydra->kernel_interface, + ip, -1, iface) == SUCCESS) + { + this->my_vips->insert_last(this->my_vips, ip->clone(ip)); + } + else + { + DBG1(DBG_IKE, "installing virtual IP %H failed", ip); + } + free(iface); } else { - DBG1(DBG_IKE, "installing virtual IP %H failed", ip); + DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip); } } else @@ -769,7 +780,8 @@ METHOD(ike_sa_t, clear_virtual_ips, void, { if (local) { - hydra->kernel_interface->del_ip(hydra->kernel_interface, vip); + hydra->kernel_interface->del_ip(hydra->kernel_interface, + vip, -1, TRUE); } vip->destroy(vip); } @@ -1220,7 +1232,8 @@ METHOD(ike_sa_t, process_message, status_t, case IKE_SA_INIT: case IKE_AUTH: if (this->state != IKE_CREATED && - this->state != IKE_CONNECTING) + this->state != IKE_CONNECTING && + message->get_first_payload_type(message) != FRAGMENT_V1) { DBG1(DBG_IKE, "ignoring %N in established IKE_SA state", exchange_type_names, message->get_exchange_type(message)); @@ -1690,6 +1703,8 @@ METHOD(ike_sa_t, retransmit, status_t, { /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */ u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg); + charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE, + this->keyingtry); this->keyingtry++; if (tries == 0 || tries > this->keyingtry) { @@ -1965,14 +1980,14 @@ METHOD(ike_sa_t, inherit, void, this->other_id = other->other_id->clone(other->other_id); /* apply assigned virtual IPs... */ - while (this->my_vips->remove_last(this->my_vips, (void**)&vip) == SUCCESS) + while (other->my_vips->remove_last(other->my_vips, (void**)&vip) == SUCCESS) { - other->my_vips->insert_first(other->my_vips, vip); + this->my_vips->insert_first(this->my_vips, vip); } - while (this->other_vips->remove_last(this->other_vips, - (void**)&vip) == SUCCESS) + while (other->other_vips->remove_last(other->other_vips, + (void**)&vip) == SUCCESS) { - other->other_vips->insert_first(other->other_vips, vip); + this->other_vips->insert_first(this->other_vips, vip); } /* authentication information */ @@ -2074,7 +2089,7 @@ METHOD(ike_sa_t, destroy, void, while (this->my_vips->remove_last(this->my_vips, (void**)&vip) == SUCCESS) { - hydra->kernel_interface->del_ip(hydra->kernel_interface, vip); + hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE); vip->destroy(vip); } this->my_vips->destroy(this->my_vips); diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index af741c799..625859a3f 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -43,7 +43,7 @@ typedef struct ike_sa_t ike_sa_t; #include <config/peer_cfg.h> #include <config/ike_cfg.h> #include <credentials/auth_cfg.h> -#include <utils/packet.h> +#include <networking/packet.h> /** * Timeout in seconds after that a half open IKE_SA gets deleted. @@ -72,6 +72,7 @@ enum ike_extension_t { /** * peer supports NAT traversal as specified in RFC4306 or RFC3947 + * including some RFC3947 drafts */ EXT_NATT = (1<<0), @@ -119,6 +120,17 @@ enum ike_extension_t { * peer supports Cisco Unity configuration attributes */ EXT_CISCO_UNITY = (1<<9), + + /** + * peer supports NAT traversal as specified in + * draft-ietf-ipsec-nat-t-ike-02 .. -03 + */ + EXT_NATT_DRAFT_02_03 = (1<<10), + + /** + * peer support proprietary IKE fragmentation + */ + EXT_IKE_FRAGMENTATION = (1<<11), }; /** @@ -1014,9 +1026,8 @@ struct ike_sa_t { * * When rekeying is completed, all CHILD_SAs, the virtual IP and all * outstanding tasks are moved from other to this. - * As this call may initiate inherited tasks, a status is returned. * - * @param other other task to inherit from + * @param other other IKE SA to inherit from */ void (*inherit) (ike_sa_t *this, ike_sa_t *other); diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index a396235c2..2ac8c3123 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -26,7 +26,7 @@ #include <threading/condvar.h> #include <threading/mutex.h> #include <threading/rwlock.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> #include <crypto/hashers/hasher.h> /* the default size of the hash table (MUST be a power of 2) */ @@ -397,6 +397,11 @@ struct private_ike_sa_manager_t { * reuse existing IKE_SAs in checkout_by_config */ bool reuse_ikesa; + + /** + * Configured IKE_SA limit, if any + */ + u_int ikesa_limit; }; /** @@ -963,14 +968,37 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this) static bool get_init_hash(private_ike_sa_manager_t *this, message_t *message, chunk_t *hash) { + host_t *src; + if (!this->hasher) { /* this might be the case when flush() has been called */ return FALSE; } + if (message->get_first_payload_type(message) == FRAGMENT_V1) + { /* only hash the source IP, port and SPI for fragmented init messages */ + u_int16_t port; + u_int64_t spi; + + src = message->get_source(message); + if (!this->hasher->allocate_hash(this->hasher, + src->get_address(src), NULL)) + { + return FALSE; + } + port = src->get_port(src); + if (!this->hasher->allocate_hash(this->hasher, + chunk_from_thing(port), NULL)) + { + return FALSE; + } + spi = message->get_initiator_spi(message); + return this->hasher->allocate_hash(this->hasher, + chunk_from_thing(spi), hash); + } if (message->get_exchange_type(message) == ID_PROT) { /* include the source for Main Mode as the hash will be the same if * SPIs are reused by two initiators that use the same proposal */ - host_t *src = message->get_source(message); + src = message->get_source(message); if (!this->hasher->allocate_hash(this->hasher, src->get_address(src), NULL)) @@ -1203,34 +1231,46 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, { case NOT_FOUND: { /* we've not seen this packet yet, create a new IKE_SA */ - id->set_responder_spi(id, our_spi); - ike_sa = ike_sa_create(id, FALSE, ike_version); - if (ike_sa) + if (!this->ikesa_limit || + this->public.get_count(&this->public) < this->ikesa_limit) { - entry = entry_create(); - entry->ike_sa = ike_sa; - entry->ike_sa_id = id->clone(id); + id->set_responder_spi(id, our_spi); + ike_sa = ike_sa_create(id, FALSE, ike_version); + if (ike_sa) + { + entry = entry_create(); + entry->ike_sa = ike_sa; + entry->ike_sa_id = id; - segment = put_entry(this, entry); - entry->checked_out = TRUE; - unlock_single_segment(this, segment); + segment = put_entry(this, entry); + entry->checked_out = TRUE; + unlock_single_segment(this, segment); - entry->message_id = message->get_message_id(message); - entry->init_hash = hash; + entry->message_id = message->get_message_id(message); + entry->init_hash = hash; - DBG2(DBG_MGR, "created IKE_SA %s[%u]", - ike_sa->get_name(ike_sa), - ike_sa->get_unique_id(ike_sa)); + DBG2(DBG_MGR, "created IKE_SA %s[%u]", + ike_sa->get_name(ike_sa), + ike_sa->get_unique_id(ike_sa)); + + charon->bus->set_sa(charon->bus, ike_sa); + return ike_sa; + } + else + { + DBG1(DBG_MGR, "creating IKE_SA failed, ignoring message"); + } } else { - remove_init_hash(this, hash); - chunk_free(&hash); - DBG1(DBG_MGR, "ignoring message, no such IKE_SA"); + DBG1(DBG_MGR, "ignoring %N, hitting IKE_SA limit (%u)", + exchange_type_names, message->get_exchange_type(message), + this->ikesa_limit); } + remove_init_hash(this, hash); + chunk_free(&hash); id->destroy(id); - charon->bus->set_sa(charon->bus, ike_sa); - return ike_sa; + return NULL; } case FAILED: { /* we failed to allocate an SPI */ @@ -1263,7 +1303,10 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, ike_id = entry->ike_sa->get_id(entry->ike_sa); entry->checked_out = TRUE; - entry->message_id = message->get_message_id(message); + if (message->get_first_payload_type(message) != FRAGMENT_V1) + { + entry->message_id = message->get_message_id(message); + } if (ike_id->get_responder_spi(ike_id) == 0) { ike_id->set_responder_spi(ike_id, id->get_responder_spi(id)); @@ -1274,6 +1317,10 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, } unlock_single_segment(this, segment); } + else + { + charon->bus->alert(charon->bus, ALERT_INVALID_IKE_SPI, message); + } id->destroy(id); charon->bus->set_sa(charon->bus, ike_sa); return ike_sa; @@ -1748,6 +1795,7 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool, switch (policy) { case UNIQUE_REPLACE: + charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE); DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer " "'%Y' due to uniqueness policy", other); status = duplicate->delete(duplicate); @@ -2045,6 +2093,9 @@ ike_sa_manager_t *ike_sa_manager_create() return NULL; } + this->ikesa_limit = lib->settings->get_int(lib->settings, + "%s.ikesa_limit", 0, charon->name); + this->table_size = get_nearest_powerof2(lib->settings->get_int( lib->settings, "%s.ikesa_table_size", DEFAULT_HASHTABLE_SIZE, charon->name)); diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c index cff344a34..eb642109b 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.c +++ b/src/libcharon/sa/ikev1/keymat_v1.c @@ -18,7 +18,7 @@ #include <daemon.h> #include <encoding/generator.h> #include <encoding/payloads/nonce_payload.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> typedef struct private_keymat_v1_t private_keymat_v1_t; diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c index 4096141ec..1189d3c69 100644 --- a/src/libcharon/sa/ikev1/phase1.c +++ b/src/libcharon/sa/ikev1/phase1.c @@ -22,7 +22,7 @@ #include <sa/ikev1/keymat_v1.h> #include <encoding/payloads/ke_payload.h> #include <encoding/payloads/nonce_payload.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> typedef struct private_phase1_t private_phase1_t; @@ -186,7 +186,7 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this, } } enumerator->destroy(enumerator); - if (!peer_cfg) + if (!shared_key) { DBG1(DBG_IKE, "no shared key found for %H - %H", me, other); } diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c index fd0ad235a..8a4761d5c 100644 --- a/src/libcharon/sa/ikev1/task_manager_v1.c +++ b/src/libcharon/sa/ikev1/task_manager_v1.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2011 Tobias Brunner + * Copyright (C) 2007-2013 Tobias Brunner * Copyright (C) 2007-2011 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -36,6 +36,10 @@ #include <processing/jobs/retransmit_job.h> #include <processing/jobs/delete_ike_sa_job.h> #include <processing/jobs/dpd_timeout_job.h> +#include <processing/jobs/process_message_job.h> + +#include <encoding/payloads/fragment_payload.h> +#include <bio/bio_writer.h> /** * Number of old messages hashes we keep for retransmission. @@ -47,6 +51,20 @@ #define MAX_OLD_HASHES 2 /** + * Maximum packet size for fragmented packets (same as in sockets) + */ +#define MAX_PACKET 10000 + +/** + * Maximum size of fragment data when sending packets (currently the same is + * used for IPv4 and IPv6, even though the latter has a higher minimum datagram + * size). 576 (= min. IPv4) - 20 (= IP header) - 8 (= UDP header) - + * - 28 (= IKE header) - 8 (= fragment header) = 512 + * This is reduced by 4 in case of NAT-T (due to the non-ESP marker). + */ +#define MAX_FRAGMENT_SIZE 512 + +/** * First sequence number of responding packets. * * To distinguish retransmission jobs for initiating and responding packets, @@ -160,19 +178,65 @@ struct private_task_manager_t { packet_t *packet; /** - * type of the initated exchange + * type of the initiated exchange */ exchange_type_t type; } initiating; /** + * Data used to reassemble a fragmented message + */ + struct { + + /** + * Fragment ID (currently only one is supported at a time) + */ + u_int16_t id; + + /** + * The number of the last fragment (in case we receive the fragments out + * of order), since the first starts with 1 this defines the number of + * fragments we expect + */ + u_int8_t last; + + /** + * List of fragments (fragment_t*) + */ + linked_list_t *list; + + /** + * Length of all currently received fragments + */ + size_t len; + + /** + * Maximum length of a fragmented packet + */ + size_t max_packet; + + /** + * Maximum length of a single fragment (when sending) + */ + size_t size; + + /** + * The exchange type we use for fragments. Always the initial type even + * for fragmented quick mode or transaction messages (i.e. either + * ID_PROT or AGGRESSIVE) + */ + exchange_type_t exchange; + + } frag; + + /** * List of queued tasks not yet in action */ linked_list_t *queued_tasks; /** - * List of active tasks, initiated by ourselve + * List of active tasks, initiated by ourselves */ linked_list_t *active_tasks; @@ -212,6 +276,34 @@ struct private_task_manager_t { u_int32_t dpd_recv; }; +/** + * A single fragment within a fragmented message + */ +typedef struct { + + /** fragment number */ + u_int8_t num; + + /** fragment data */ + chunk_t data; + +} fragment_t; + +static void fragment_destroy(fragment_t *this) +{ + chunk_free(&this->data); + free(this); +} + +static void clear_fragments(private_task_manager_t *this, u_int16_t id) +{ + DESTROY_FUNCTION_IF(this->frag.list, (void*)fragment_destroy); + this->frag.list = NULL; + this->frag.last = 0; + this->frag.len = 0; + this->frag.id = id; +} + METHOD(task_manager_t, flush_queue, void, private_task_manager_t *this, task_queue_t queue) { @@ -283,16 +375,103 @@ static bool activate_task(private_task_manager_t *this, task_type_t type) } /** + * Send a single fragment with the given data + */ +static bool send_fragment(private_task_manager_t *this, bool request, + host_t *src, host_t *dst, fragment_payload_t *fragment) +{ + message_t *message; + packet_t *packet; + status_t status; + + message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION); + /* other implementations seem to just use 0 as message ID, so here we go */ + message->set_message_id(message, 0); + message->set_request(message, request); + message->set_source(message, src->clone(src)); + message->set_destination(message, dst->clone(dst)); + message->set_exchange_type(message, this->frag.exchange); + message->add_payload(message, (payload_t*)fragment); + + status = this->ike_sa->generate_message(this->ike_sa, message, &packet); + if (status != SUCCESS) + { + DBG1(DBG_IKE, "failed to generate IKE fragment"); + message->destroy(message); + return FALSE; + } + charon->sender->send(charon->sender, packet); + message->destroy(message); + return TRUE; +} + +/** + * Send a packet, if supported and required do so in fragments + */ +static bool send_packet(private_task_manager_t *this, bool request, + packet_t *packet) +{ + fragmentation_t fragmentation = FRAGMENTATION_NO; + ike_cfg_t *ike_cfg; + host_t *src, *dst; + chunk_t data; + + ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); + if (ike_cfg) + { + fragmentation = ike_cfg->fragmentation(ike_cfg); + } + data = packet->get_data(packet); + if (data.len > this->frag.size && (fragmentation == FRAGMENTATION_FORCE || + (this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_FRAGMENTATION) && + fragmentation == FRAGMENTATION_YES))) + { + fragment_payload_t *fragment; + u_int8_t num, count; + size_t len, frag_size; + bool nat; + + /* reduce size due to non-ESP marker */ + nat = this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY); + frag_size = this->frag.size - (nat ? 4 : 0); + + src = packet->get_source(packet); + dst = packet->get_destination(packet); + count = (data.len / (frag_size + 1)) + 1; + + DBG1(DBG_IKE, "sending IKE message with length of %zu bytes in " + "%hhu fragments", data.len, count); + for (num = 1; num <= count; num++) + { + len = min(data.len, frag_size); + fragment = fragment_payload_create_from_data(num, num == count, + chunk_create(data.ptr, len)); + if (!send_fragment(this, request, src, dst, fragment)) + { + packet->destroy(packet); + return FALSE; + } + data = chunk_skip(data, len); + } + packet->destroy(packet); + return TRUE; + } + charon->sender->send(charon->sender, packet); + return TRUE; +} + +/** * Retransmit a packet, either as initiator or as responder */ -static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr, - u_int mid, u_int retransmitted, packet_t *packet) +static status_t retransmit_packet(private_task_manager_t *this, bool request, + u_int32_t seqnr, u_int mid, u_int retransmitted, packet_t *packet) { u_int32_t t; if (retransmitted > this->retransmit_tries) { DBG1(DBG_IKE, "giving up after %u retransmits", retransmitted - 1); + charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, packet); return DESTROY_ME; } t = (u_int32_t)(this->retransmit_timeout * 1000.0 * @@ -302,8 +481,12 @@ static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr, DBG1(DBG_IKE, "sending retransmit %u of %s message ID %u, seq %u", retransmitted, seqnr < RESPONDING_SEQ ? "request" : "response", mid, seqnr < RESPONDING_SEQ ? seqnr : seqnr - RESPONDING_SEQ); + charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet); + } + if (!send_packet(this, request, packet->clone(packet))) + { + return DESTROY_ME; } - charon->sender->send(charon->sender, packet->clone(packet)); lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*) retransmit_job_create(seqnr, this->ike_sa->get_id(this->ike_sa)), t); return NEED_MORE; @@ -316,7 +499,7 @@ METHOD(task_manager_t, retransmit, status_t, if (seqnr == this->initiating.seqnr && this->initiating.packet) { - status = retransmit_packet(this, seqnr, this->initiating.mid, + status = retransmit_packet(this, TRUE, seqnr, this->initiating.mid, this->initiating.retransmitted, this->initiating.packet); if (status == NEED_MORE) { @@ -326,7 +509,7 @@ METHOD(task_manager_t, retransmit, status_t, } if (seqnr == this->responding.seqnr && this->responding.packet) { - status = retransmit_packet(this, seqnr, this->responding.mid, + status = retransmit_packet(this, FALSE, seqnr, this->responding.mid, this->responding.retransmitted, this->responding.packet); if (status == NEED_MORE) { @@ -602,12 +785,12 @@ METHOD(task_manager_t, initiate, status_t, } if (keep) { /* keep the packet for retransmission, the responder might request it */ - charon->sender->send(charon->sender, + send_packet(this, TRUE, this->initiating.packet->clone(this->initiating.packet)); } else { - charon->sender->send(charon->sender, this->initiating.packet); + send_packet(this, TRUE, this->initiating.packet); this->initiating.packet = NULL; } message->destroy(message); @@ -711,8 +894,8 @@ static status_t build_response(private_task_manager_t *this, message_t *request) { return retransmit(this, this->responding.seqnr); } - charon->sender->send(charon->sender, - this->responding.packet->clone(this->responding.packet)); + send_packet(this, FALSE, + this->responding.packet->clone(this->responding.packet)); if (delete) { return DESTROY_ME; @@ -767,7 +950,7 @@ static void send_notify(private_task_manager_t *this, message_t *request, if (this->ike_sa->generate_message(this->ike_sa, response, &packet) == SUCCESS) { - charon->sender->send(charon->sender, packet); + send_packet(this, TRUE, packet); } response->destroy(response); } @@ -866,6 +1049,7 @@ static status_t process_request(private_task_manager_t *this, this->passive_tasks->insert_last(this->passive_tasks, task); task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE); this->passive_tasks->insert_last(this->passive_tasks, task); + this->frag.exchange = AGGRESSIVE; break; case QUICK_MODE: if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED) @@ -1036,6 +1220,114 @@ static status_t process_response(private_task_manager_t *this, return initiate(this); } +static status_t handle_fragment(private_task_manager_t *this, message_t *msg) +{ + fragment_payload_t *payload; + enumerator_t *enumerator; + fragment_t *fragment; + status_t status = SUCCESS; + chunk_t data; + u_int8_t num; + + payload = (fragment_payload_t*)msg->get_payload(msg, FRAGMENT_V1); + if (!payload) + { + return FAILED; + } + + if (this->frag.id != payload->get_id(payload)) + { + clear_fragments(this, payload->get_id(payload)); + this->frag.list = linked_list_create(); + } + + num = payload->get_number(payload); + if (!this->frag.last && payload->is_last(payload)) + { + this->frag.last = num; + } + + enumerator = this->frag.list->create_enumerator(this->frag.list); + while (enumerator->enumerate(enumerator, &fragment)) + { + if (fragment->num == num) + { /* ignore a duplicate fragment */ + DBG1(DBG_IKE, "received duplicate fragment #%hhu", num); + enumerator->destroy(enumerator); + return NEED_MORE; + } + if (fragment->num > num) + { + break; + } + } + + data = payload->get_data(payload); + this->frag.len += data.len; + if (this->frag.len > this->frag.max_packet) + { + DBG1(DBG_IKE, "fragmented IKE message is too large"); + enumerator->destroy(enumerator); + clear_fragments(this, 0); + return FAILED; + } + + INIT(fragment, + .num = num, + .data = chunk_clone(data), + ); + + this->frag.list->insert_before(this->frag.list, enumerator, fragment); + enumerator->destroy(enumerator); + + if (this->frag.list->get_count(this->frag.list) == this->frag.last) + { + message_t *message; + packet_t *pkt; + host_t *src, *dst; + bio_writer_t *writer; + + writer = bio_writer_create(this->frag.len); + DBG1(DBG_IKE, "received fragment #%hhu, reassembling fragmented IKE " + "message", num); + enumerator = this->frag.list->create_enumerator(this->frag.list); + while (enumerator->enumerate(enumerator, &fragment)) + { + writer->write_data(writer, fragment->data); + } + enumerator->destroy(enumerator); + + src = msg->get_source(msg); + dst = msg->get_destination(msg); + pkt = packet_create_from_data(src->clone(src), dst->clone(dst), + writer->extract_buf(writer)); + writer->destroy(writer); + + message = message_create_from_packet(pkt); + if (message->parse_header(message) != SUCCESS) + { + DBG1(DBG_IKE, "failed to parse header of reassembled IKE message"); + message->destroy(message); + status = FAILED; + } + else + { + lib->processor->queue_job(lib->processor, + (job_t*)process_message_job_create(message)); + status = NEED_MORE; + + } + clear_fragments(this, 0); + } + else + { /* there are some fragments missing */ + DBG1(DBG_IKE, "received fragment #%hhu, waiting for complete IKE " + "message", num); + status = NEED_MORE; + } + return status; +} + /** * Parse the given message and verify that it is valid. */ @@ -1076,11 +1368,18 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg) msg->get_request(msg) ? "request" : "response", msg->get_message_id(msg)); + charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status); + if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED) { /* invalid initiation attempt, close SA */ return DESTROY_ME; } } + + if (msg->get_first_payload_type(msg) == FRAGMENT_V1) + { + return handle_fragment(this, msg); + } return status; } @@ -1107,8 +1406,8 @@ METHOD(task_manager_t, process_message, status_t, { DBG1(DBG_IKE, "received retransmit of response with ID %u, " "resending last request", mid); - charon->sender->send(charon->sender, - this->initiating.packet->clone(this->initiating.packet)); + send_packet(this, TRUE, + this->initiating.packet->clone(this->initiating.packet)); return SUCCESS; } DBG1(DBG_IKE, "received retransmit of response with ID %u, " @@ -1125,6 +1424,10 @@ METHOD(task_manager_t, process_message, status_t, msg->set_request(msg, FALSE); charon->bus->message(charon->bus, msg, TRUE, FALSE); status = parse_message(this, msg); + if (status == NEED_MORE) + { + return SUCCESS; + } if (status != SUCCESS) { return status; @@ -1149,7 +1452,7 @@ METHOD(task_manager_t, process_message, status_t, { DBG1(DBG_IKE, "received retransmit of request with ID %u, " "retransmitting response", mid); - charon->sender->send(charon->sender, + send_packet(this, FALSE, this->responding.packet->clone(this->responding.packet)); } else if (this->initiating.packet && @@ -1157,7 +1460,7 @@ METHOD(task_manager_t, process_message, status_t, { DBG1(DBG_IKE, "received retransmit of DPD request, " "retransmitting response"); - charon->sender->send(charon->sender, + send_packet(this, TRUE, this->initiating.packet->clone(this->initiating.packet)); } else @@ -1165,6 +1468,7 @@ METHOD(task_manager_t, process_message, status_t, DBG1(DBG_IKE, "received retransmit of request with ID %u, " "but no response to retransmit", mid); } + charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg); return SUCCESS; } if (msg->get_exchange_type(msg) == TRANSACTION && @@ -1191,6 +1495,10 @@ METHOD(task_manager_t, process_message, status_t, msg->set_request(msg, TRUE); charon->bus->message(charon->bus, msg, TRUE, FALSE); status = parse_message(this, msg); + if (status == NEED_MORE) + { + return SUCCESS; + } if (status != SUCCESS) { return status; @@ -1202,7 +1510,8 @@ METHOD(task_manager_t, process_message, status_t, ike_cfg_t *ike_cfg; job_t *job; - ike_cfg = charon->backends->get_ike_cfg(charon->backends, me, other); + ike_cfg = charon->backends->get_ike_cfg(charon->backends, + me, other, IKEV1); if (ike_cfg == NULL) { /* no config found for these hosts, destroy */ @@ -1282,6 +1591,7 @@ METHOD(task_manager_t, queue_ike, void, { queue_task(this, (task_t*)aggressive_mode_create(this->ike_sa, TRUE)); } + this->frag.exchange = AGGRESSIVE; } else { @@ -1585,6 +1895,7 @@ METHOD(task_manager_t, reset, void, this->initiating.seqnr = 0; this->initiating.retransmitted = 0; this->initiating.type = EXCHANGE_TYPE_UNDEFINED; + clear_fragments(this, 0); if (initiate != UINT_MAX) { this->dpd_send = initiate; @@ -1635,6 +1946,7 @@ METHOD(task_manager_t, destroy, void, this->active_tasks->destroy(this->active_tasks); this->queued_tasks->destroy(this->queued_tasks); this->passive_tasks->destroy(this->passive_tasks); + clear_fragments(this, 0); DESTROY_IF(this->queued); DESTROY_IF(this->responding.packet); @@ -1681,6 +1993,13 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa) .responding = { .seqnr = RESPONDING_SEQ, }, + .frag = { + .exchange = ID_PROT, + .max_packet = lib->settings->get_int(lib->settings, + "%s.max_packet", MAX_PACKET, charon->name), + .size = lib->settings->get_int(lib->settings, + "%s.fragment_size", MAX_FRAGMENT_SIZE, charon->name), + }, .ike_sa = ike_sa, .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK), .queued_tasks = linked_list_create(), diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c index 954dea880..7336d5d64 100644 --- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c +++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c @@ -235,7 +235,8 @@ METHOD(task_t, build_i, status_t, this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg); proposals = this->ike_cfg->get_proposals(this->ike_cfg); sa_payload = sa_payload_create_from_proposals_v1(proposals, - this->lifetime, 0, this->method, MODE_NONE, FALSE, 0); + this->lifetime, 0, this->method, MODE_NONE, + ENCAP_NONE, 0); proposals->destroy_offset(proposals, offsetof(proposal_t, destroy)); message->add_payload(message, &sa_payload->payload_interface); @@ -520,7 +521,8 @@ METHOD(task_t, build_r, status_t, identification_t *id; sa_payload = sa_payload_create_from_proposal_v1(this->proposal, - this->lifetime, 0, this->method, MODE_NONE, FALSE, 0); + this->lifetime, 0, this->method, MODE_NONE, + ENCAP_NONE, 0); message->add_payload(message, &sa_payload->payload_interface); if (!this->ph1->add_nonce_ke(this->ph1, message)) diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c index d48484f09..43a0aaa36 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c @@ -13,6 +13,28 @@ * for more details. */ +/* + * Copyright (C) 2013 Volker RĂ¼melin + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + #include "isakmp_cert_pre.h" #include <daemon.h> @@ -21,6 +43,7 @@ #include <encoding/payloads/sa_payload.h> #include <encoding/payloads/certreq_payload.h> #include <credentials/certificates/x509.h> +#include <credentials/containers/pkcs7.h> typedef struct private_isakmp_cert_pre_t private_isakmp_cert_pre_t; @@ -132,7 +155,106 @@ static void process_certreqs(private_isakmp_cert_pre_t *this, message_t *message } /** - * Import receuved certificates + * Process an X509 certificate payload + */ +static void process_x509(cert_payload_t *payload, auth_cfg_t *auth, bool *first) +{ + certificate_t *cert; + + cert = payload->get_cert(payload); + if (cert) + { + if (*first) + { /* the first is an end entity certificate */ + DBG1(DBG_IKE, "received end entity cert \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert); + *first = FALSE; + } + else + { + DBG1(DBG_IKE, "received issuer cert \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_IM_CERT, cert); + } + } +} + +/** + * Process a CRL certificate payload + */ +static void process_crl(cert_payload_t *payload, auth_cfg_t *auth) +{ + certificate_t *cert; + + cert = payload->get_cert(payload); + if (cert) + { + DBG1(DBG_IKE, "received CRL \"%Y\"", cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert); + } +} + +/** + * Process a PKCS7 certificate payload + */ +static void process_pkcs7(cert_payload_t *payload, auth_cfg_t *auth) +{ + enumerator_t *enumerator; + container_t *container; + certificate_t *cert; + pkcs7_t *pkcs7; + + container = payload->get_container(payload); + if (!container) + { + return; + } + switch (container->get_type(container)) + { + case CONTAINER_PKCS7_DATA: + case CONTAINER_PKCS7_SIGNED_DATA: + case CONTAINER_PKCS7_ENVELOPED_DATA: + break; + default: + container->destroy(container); + return; + } + + pkcs7 = (pkcs7_t *)container; + enumerator = pkcs7->create_cert_enumerator(pkcs7); + while (enumerator->enumerate(enumerator, &cert)) + { + if (cert->get_type(cert) == CERT_X509) + { + x509_t *x509 = (x509_t*)cert; + + if (x509->get_flags(x509) & X509_CA) + { + DBG1(DBG_IKE, "received issuer cert \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_IM_CERT, cert->get_ref(cert)); + } + else + { + DBG1(DBG_IKE, "received end entity cert \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert->get_ref(cert)); + } + } + else + { + DBG1(DBG_IKE, "received unsupported cert type %N", + certificate_type_names, cert->get_type(cert)); + } + } + enumerator->destroy(enumerator); + + container->destroy(container); +} + +/** + * Import received certificates */ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message) { @@ -150,7 +272,6 @@ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message) { cert_payload_t *cert_payload; cert_encoding_t encoding; - certificate_t *cert; cert_payload = (cert_payload_t*)payload; encoding = cert_payload->get_cert_encoding(cert_payload); @@ -158,36 +279,14 @@ static void process_certs(private_isakmp_cert_pre_t *this, message_t *message) switch (encoding) { case ENC_X509_SIGNATURE: - { - cert = cert_payload->get_cert(cert_payload); - if (cert) - { - if (first) - { /* the first is an end entity certificate */ - DBG1(DBG_IKE, "received end entity cert \"%Y\"", - cert->get_subject(cert)); - auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert); - first = FALSE; - } - else - { - DBG1(DBG_IKE, "received issuer cert \"%Y\"", - cert->get_subject(cert)); - auth->add(auth, AUTH_HELPER_IM_CERT, cert); - } - } + process_x509(cert_payload, auth, &first); break; - } case ENC_CRL: - cert = cert_payload->get_cert(cert_payload); - if (cert) - { - DBG1(DBG_IKE, "received CRL \"%Y\"", - cert->get_subject(cert)); - auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert); - } + process_crl(cert_payload, auth); break; case ENC_PKCS7_WRAPPED_X509: + process_pkcs7(cert_payload, auth); + break; case ENC_PGP: case ENC_DNS_SIGNED_KEY: case ENC_KERBEROS_TOKEN: diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c index 50bf1612d..5a779ff62 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c @@ -15,6 +15,28 @@ * for more details. */ +/* + * Copyright (C) 2012 Volker RĂ¼melin + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + #include "isakmp_natd.h" #include <string.h> @@ -75,6 +97,18 @@ struct private_isakmp_natd_t { }; /** + * Get NAT-D payload type (RFC 3947 or RFC 3947 drafts). + */ +static payload_type_t get_nat_d_payload_type(ike_sa_t *ike_sa) +{ + if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03)) + { + return NAT_D_DRAFT_00_03_V1; + } + return NAT_D_V1; +} + +/** * Build NAT detection hash for a host. */ static chunk_t generate_natd_hash(private_isakmp_natd_t *this, @@ -162,7 +196,7 @@ static hash_payload_t *build_natd_payload(private_isakmp_natd_t *this, bool src, { return NULL; } - payload = hash_payload_create(NAT_D_V1); + payload = hash_payload_create(get_nat_d_payload_type(this->ike_sa)); payload->set_hash(payload, hash); chunk_free(&hash); return payload; @@ -221,7 +255,8 @@ static void process_payloads(private_isakmp_natd_t *this, message_t *message) enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { - if (payload->get_type(payload) != NAT_D_V1) + if (payload->get_type(payload) != NAT_D_V1 && + payload->get_type(payload) != NAT_D_DRAFT_00_03_V1) { continue; } @@ -350,7 +385,7 @@ METHOD(task_t, process_r, status_t, switch (message->get_exchange_type(message)) { case AGGRESSIVE: - { /* proccess NAT-D payloads in the second request, already added ours + { /* process NAT-D payloads in the second request, already added ours * in the first response */ result = SUCCESS; /* fall */ diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c index 4fd0ef39b..2ff2b55e9 100644 --- a/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c +++ b/src/libcharon/sa/ikev1/tasks/isakmp_vendor.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012-2013 Tobias Brunner * Copyright (C) 2009 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -13,6 +14,28 @@ * for more details. */ +/* + * Copyright (C) 2012 Volker RĂ¼melin + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + #include "isakmp_vendor.h" #include <daemon.h> @@ -39,6 +62,11 @@ struct private_isakmp_vendor_t { * Are we the inititator of this task */ bool initiator; + + /** + * Index of best nat traversal VID found + */ + int best_natt_ext; }; /** @@ -65,76 +93,132 @@ static struct { { "XAuth", EXT_XAUTH, TRUE, 8, "\x09\x00\x26\x89\xdf\xd6\xb7\x12"}, - /* NAT-Traversal, MD5("RFC 3947") */ - { "NAT-T (RFC 3947)", EXT_NATT, TRUE, 16, - "\x4a\x13\x1c\x81\x07\x03\x58\x45\x5c\x57\x28\xf2\x0e\x95\x45\x2f"}, - /* Dead peer detection, RFC 3706 */ { "DPD", EXT_DPD, TRUE, 16, "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00"}, - { "draft-stenberg-ipsec-nat-traversal-01", 0, FALSE, 16, - "\x27\xba\xb5\xdc\x01\xea\x07\x60\xea\x4e\x31\x90\xac\x27\xc0\xd0"}, + { "Cisco Unity", EXT_CISCO_UNITY, FALSE, 16, + "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00"}, - { "draft-stenberg-ipsec-nat-traversal-02", 0, FALSE, 16, - "\x61\x05\xc4\x22\xe7\x68\x47\xe4\x3f\x96\x84\x80\x12\x92\xae\xcd"}, + /* Proprietary IKE fragmentation extension. Capabilities are handled + * specially on receipt of this VID. */ + { "FRAGMENTATION", EXT_IKE_FRAGMENTATION, FALSE, 20, + "\x40\x48\xb7\xd5\x6e\xbc\xe8\x85\x25\xe7\xde\x7f\x00\xd6\xc2\xd3\x80\x00\x00\x00"}, - { "draft-ietf-ipsec-nat-t-ike", 0, FALSE, 16, - "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62"}, +}, vendor_natt_ids[] = { - { "draft-ietf-ipsec-nat-t-ike-00", 0, FALSE, 16, - "\x44\x85\x15\x2d\x18\xb6\xbb\xcd\x0b\xe8\xa8\x46\x95\x79\xdd\xcc"}, + /* NAT-Traversal VIDs ordered by preference */ + + /* NAT-Traversal, MD5("RFC 3947") */ + { "NAT-T (RFC 3947)", EXT_NATT, TRUE, 16, + "\x4a\x13\x1c\x81\x07\x03\x58\x45\x5c\x57\x28\xf2\x0e\x95\x45\x2f"}, - { "draft-ietf-ipsec-nat-t-ike-02", 0, FALSE, 16, + { "draft-ietf-ipsec-nat-t-ike-03", EXT_NATT | EXT_NATT_DRAFT_02_03, + FALSE, 16, + "\x7d\x94\x19\xa6\x53\x10\xca\x6f\x2c\x17\x9d\x92\x15\x52\x9d\x56"}, + + { "draft-ietf-ipsec-nat-t-ike-02", EXT_NATT | EXT_NATT_DRAFT_02_03, + FALSE, 16, "\xcd\x60\x46\x43\x35\xdf\x21\xf8\x7c\xfd\xb2\xfc\x68\xb6\xa4\x48"}, - { "draft-ietf-ipsec-nat-t-ike-02\\n", 0, FALSE, 16, + { "draft-ietf-ipsec-nat-t-ike-02\\n", EXT_NATT | EXT_NATT_DRAFT_02_03, + TRUE, 16, "\x90\xcb\x80\x91\x3e\xbb\x69\x6e\x08\x63\x81\xb5\xec\x42\x7b\x1f"}, - { "draft-ietf-ipsec-nat-t-ike-03", 0, FALSE, 16, - "\x7d\x94\x19\xa6\x53\x10\xca\x6f\x2c\x17\x9d\x92\x15\x52\x9d\x56"}, + { "draft-ietf-ipsec-nat-t-ike-08", 0, FALSE, 16, + "\x8f\x8d\x83\x82\x6d\x24\x6b\x6f\xc7\xa8\xa6\xa4\x28\xc1\x1d\xe8"}, - { "draft-ietf-ipsec-nat-t-ike-04", 0, FALSE, 16, - "\x99\x09\xb6\x4e\xed\x93\x7c\x65\x73\xde\x52\xac\xe9\x52\xfa\x6b"}, + { "draft-ietf-ipsec-nat-t-ike-07", 0, FALSE, 16, + "\x43\x9b\x59\xf8\xba\x67\x6c\x4c\x77\x37\xae\x22\xea\xb8\xf5\x82"}, + + { "draft-ietf-ipsec-nat-t-ike-06", 0, FALSE, 16, + "\x4d\x1e\x0e\x13\x6d\xea\xfa\x34\xc4\xf3\xea\x9f\x02\xec\x72\x85"}, { "draft-ietf-ipsec-nat-t-ike-05", 0, FALSE, 16, "\x80\xd0\xbb\x3d\xef\x54\x56\x5e\xe8\x46\x45\xd4\xc8\x5c\xe3\xee"}, - { "draft-ietf-ipsec-nat-t-ike-06", 0, FALSE, 16, - "\x4d\x1e\x0e\x13\x6d\xea\xfa\x34\xc4\xf3\xea\x9f\x02\xec\x72\x85"}, + { "draft-ietf-ipsec-nat-t-ike-04", 0, FALSE, 16, + "\x99\x09\xb6\x4e\xed\x93\x7c\x65\x73\xde\x52\xac\xe9\x52\xfa\x6b"}, - { "draft-ietf-ipsec-nat-t-ike-07", 0, FALSE, 16, - "\x43\x9b\x59\xf8\xba\x67\x6c\x4c\x77\x37\xae\x22\xea\xb8\xf5\x82"}, + { "draft-ietf-ipsec-nat-t-ike-00", 0, FALSE, 16, + "\x44\x85\x15\x2d\x18\xb6\xbb\xcd\x0b\xe8\xa8\x46\x95\x79\xdd\xcc"}, - { "draft-ietf-ipsec-nat-t-ike-08", 0, FALSE, 16, - "\x8f\x8d\x83\x82\x6d\x24\x6b\x6f\xc7\xa8\xa6\xa4\x28\xc1\x1d\xe8"}, + { "draft-ietf-ipsec-nat-t-ike", 0, FALSE, 16, + "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62"}, + + { "draft-stenberg-ipsec-nat-traversal-02", 0, FALSE, 16, + "\x61\x05\xc4\x22\xe7\x68\x47\xe4\x3f\x96\x84\x80\x12\x92\xae\xcd"}, + + { "draft-stenberg-ipsec-nat-traversal-01", 0, FALSE, 16, + "\x27\xba\xb5\xdc\x01\xea\x07\x60\xea\x4e\x31\x90\xac\x27\xc0\xd0"}, - { "Cisco Unity", EXT_CISCO_UNITY, FALSE, 16, - "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00"}, }; +/** + * According to racoon 0x80000000 seems to indicate support for fragmentation + * of Aggressive and Main mode messages. 0x40000000 seems to indicate support + * for fragmentation of base ISAKMP messages (Cisco adds that and thus sends + * 0xc0000000) + */ +static const u_int32_t fragmentation_ike = 0x80000000; + +/** + * Check if the given vendor ID indicate support for fragmentation + */ +static bool fragmentation_supported(chunk_t data, int i) +{ + if (vendor_ids[i].extension == EXT_IKE_FRAGMENTATION && + data.len == 20 && memeq(data.ptr, vendor_ids[i].id, 16)) + { + return untoh32(&data.ptr[16]) & fragmentation_ike; + } + return FALSE; +} + METHOD(task_t, build, status_t, private_isakmp_vendor_t *this, message_t *message) { vendor_id_payload_t *vid_payload; - bool strongswan, cisco_unity; + bool strongswan, cisco_unity, fragmentation; + ike_cfg_t *ike_cfg; int i; strongswan = lib->settings->get_bool(lib->settings, - "%s.send_vendor_id", FALSE, charon->name); + "%s.send_vendor_id", FALSE, charon->name); cisco_unity = lib->settings->get_bool(lib->settings, - "%s.cisco_unity", FALSE, charon->name); + "%s.cisco_unity", FALSE, charon->name); + ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); + fragmentation = ike_cfg->fragmentation(ike_cfg) != FRAGMENTATION_NO; + if (!this->initiator && fragmentation) + { + fragmentation = this->ike_sa->supports_extension(this->ike_sa, + EXT_IKE_FRAGMENTATION); + } for (i = 0; i < countof(vendor_ids); i++) { if (vendor_ids[i].send || (vendor_ids[i].extension == EXT_STRONGSWAN && strongswan) || - (vendor_ids[i].extension == EXT_CISCO_UNITY && cisco_unity)) + (vendor_ids[i].extension == EXT_CISCO_UNITY && cisco_unity) || + (vendor_ids[i].extension == EXT_IKE_FRAGMENTATION && fragmentation)) { + DBG2(DBG_IKE, "sending %s vendor ID", vendor_ids[i].desc); vid_payload = vendor_id_payload_create_data(VENDOR_ID_V1, chunk_clone(chunk_create(vendor_ids[i].id, vendor_ids[i].len))); message->add_payload(message, &vid_payload->payload_interface); } } + for (i = 0; i < countof(vendor_natt_ids); i++) + { + if ((this->initiator && vendor_natt_ids[i].send) || + this->best_natt_ext == i) + { + DBG2(DBG_IKE, "sending %s vendor ID", vendor_natt_ids[i].desc); + vid_payload = vendor_id_payload_create_data(VENDOR_ID_V1, + chunk_clone(chunk_create(vendor_natt_ids[i].id, + vendor_natt_ids[i].len))); + message->add_payload(message, &vid_payload->payload_interface); + } + } return this->initiator ? NEED_MORE : SUCCESS; } @@ -160,7 +244,8 @@ METHOD(task_t, process, status_t, for (i = 0; i < countof(vendor_ids); i++) { if (chunk_equals(data, chunk_create(vendor_ids[i].id, - vendor_ids[i].len))) + vendor_ids[i].len)) || + fragmentation_supported(data, i)) { DBG1(DBG_IKE, "received %s vendor ID", vendor_ids[i].desc); if (vendor_ids[i].extension) @@ -169,6 +254,26 @@ METHOD(task_t, process, status_t, vendor_ids[i].extension); } found = TRUE; + break; + } + } + if (!found) + { + for (i = 0; i < countof(vendor_natt_ids); i++) + { + if (chunk_equals(data, chunk_create(vendor_natt_ids[i].id, + vendor_natt_ids[i].len))) + { + DBG1(DBG_IKE, "received %s vendor ID", + vendor_natt_ids[i].desc); + if (vendor_natt_ids[i].extension && + (i < this->best_natt_ext || this->best_natt_ext < 0)) + { + this->best_natt_ext = i; + } + found = TRUE; + break; + } } } if (!found) @@ -179,6 +284,12 @@ METHOD(task_t, process, status_t, } enumerator->destroy(enumerator); + if (this->best_natt_ext >= 0) + { + this->ike_sa->enable_extension(this->ike_sa, + vendor_natt_ids[this->best_natt_ext].extension); + } + return this->initiator ? SUCCESS : NEED_MORE; } @@ -219,6 +330,7 @@ isakmp_vendor_t *isakmp_vendor_create(ike_sa_t *ike_sa, bool initiator) }, .initiator = initiator, .ike_sa = ike_sa, + .best_natt_ext = -1, ); return &this->public; diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index 9ccf9abf5..bc9d4bbc3 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -241,7 +241,8 @@ METHOD(task_t, build_i, status_t, this->lifetime += this->peer_cfg->get_over_time(this->peer_cfg); proposals = this->ike_cfg->get_proposals(this->ike_cfg); sa_payload = sa_payload_create_from_proposals_v1(proposals, - this->lifetime, 0, this->method, MODE_NONE, FALSE, 0); + this->lifetime, 0, this->method, MODE_NONE, + ENCAP_NONE, 0); proposals->destroy_offset(proposals, offsetof(proposal_t, destroy)); message->add_payload(message, &sa_payload->payload_interface); @@ -455,7 +456,8 @@ METHOD(task_t, build_r, status_t, sa_payload_t *sa_payload; sa_payload = sa_payload_create_from_proposal_v1(this->proposal, - this->lifetime, 0, this->method, MODE_NONE, FALSE, 0); + this->lifetime, 0, this->method, MODE_NONE, + ENCAP_NONE, 0); message->add_payload(message, &sa_payload->payload_interface); return NEED_MORE; diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 82a7238c3..1eae6aa93 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -16,6 +16,28 @@ * for more details. */ +/* + * Copyright (C) 2012 Volker RĂ¼melin + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + #include "quick_mode.h" #include <string.h> @@ -561,7 +583,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message) tsr = traffic_selector_create_from_subnet(hsr->clone(hsr), hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0); } - if (!this->initiator && this->mode == MODE_TRANSPORT && this->udp && + if (this->mode == MODE_TRANSPORT && this->udp && (!tsi->is_host(tsi, hsi) || !tsr->is_host(tsr, hsr))) { /* change TS in case of a NAT in transport mode */ DBG2(DBG_IKE, "changing received traffic selectors %R=== %R due to NAT", @@ -572,11 +594,11 @@ static bool get_ts(private_quick_mode_t *this, message_t *message) if (this->initiator) { - /* check if peer selection valid */ + /* check if peer selection is valid */ if (!tsr->is_contained_in(tsr, this->tsr) || !tsi->is_contained_in(tsi, this->tsi)) { - DBG1(DBG_IKE, "peer selected invalid traffic selectors: ", + DBG1(DBG_IKE, "peer selected invalid traffic selectors: " "%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr); tsi->destroy(tsi); tsr->destroy(tsr); @@ -596,6 +618,34 @@ static bool get_ts(private_quick_mode_t *this, message_t *message) } /** + * Get encap + */ +static encap_t get_encap(ike_sa_t* ike_sa, bool udp) +{ + if (!udp) + { + return ENCAP_NONE; + } + if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03)) + { + return ENCAP_UDP_DRAFT_00_03; + } + return ENCAP_UDP; +} + +/** + * Get NAT-OA payload type (RFC 3947 or RFC 3947 drafts). + */ +static payload_type_t get_nat_oa_payload_type(ike_sa_t *ike_sa) +{ + if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03)) + { + return NAT_OA_DRAFT_00_03_V1; + } + return NAT_OA_V1; +} + +/** * Add NAT-OA payloads */ static void add_nat_oa_payloads(private_quick_mode_t *this, message_t *message) @@ -603,6 +653,7 @@ static void add_nat_oa_payloads(private_quick_mode_t *this, message_t *message) identification_t *id; id_payload_t *nat_oa; host_t *src, *dst; + payload_type_t nat_oa_payload_type; src = message->get_source(message); dst = message->get_destination(message); @@ -610,15 +661,17 @@ static void add_nat_oa_payloads(private_quick_mode_t *this, message_t *message) src = this->initiator ? src : dst; dst = this->initiator ? dst : src; + nat_oa_payload_type = get_nat_oa_payload_type(this->ike_sa); + /* first NAT-OA is the initiator's address */ id = identification_create_from_sockaddr(src->get_sockaddr(src)); - nat_oa = id_payload_create_from_identification(NAT_OA_V1, id); + nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id); message->add_payload(message, (payload_t*)nat_oa); id->destroy(id); /* second NAT-OA is that of the responder */ id = identification_create_from_sockaddr(dst->get_sockaddr(dst)); - nat_oa = id_payload_create_from_identification(NAT_OA_V1, id); + nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id); message->add_payload(message, (payload_t*)nat_oa); id->destroy(id); } @@ -697,6 +750,7 @@ METHOD(task_t, build_i, status_t, linked_list_t *list, *tsi, *tsr; proposal_t *proposal; diffie_hellman_group_t group; + encap_t encap; this->udp = this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY); this->mode = this->config->get_mode(this->config); @@ -735,19 +789,42 @@ METHOD(task_t, build_i, status_t, DBG1(DBG_IKE, "allocating SPI from kernel failed"); return FAILED; } + group = this->config->get_dh_group(this->config); + if (group != MODP_NONE) + { + this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, + group); + if (!this->dh) + { + DBG1(DBG_IKE, "configured DH group %N not supported", + diffie_hellman_group_names, group); + return FAILED; + } + } list = this->config->get_proposals(this->config, FALSE); enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &proposal)) { + if (group != MODP_NONE) + { + if (!proposal->has_dh_group(proposal, group)) + { + list->remove_at(list, enumerator); + proposal->destroy(proposal); + continue; + } + proposal->strip_dh(proposal, group); + } proposal->set_spi(proposal, this->spi_i); } enumerator->destroy(enumerator); get_lifetimes(this); + encap = get_encap(this->ike_sa, this->udp); sa_payload = sa_payload_create_from_proposals_v1(list, this->lifetime, this->lifebytes, AUTH_NONE, - this->mode, this->udp, this->cpi_i); + this->mode, encap, this->cpi_i); list->destroy_offset(list, offsetof(proposal_t, destroy)); message->add_payload(message, &sa_payload->payload_interface); @@ -755,18 +832,8 @@ METHOD(task_t, build_i, status_t, { return FAILED; } - - group = this->config->get_dh_group(this->config); if (group != MODP_NONE) { - this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, - group); - if (!this->dh) - { - DBG1(DBG_IKE, "configured DH group %N not supported", - diffie_hellman_group_names, group); - return FAILED; - } add_ke(this, message); } if (!this->tsi) @@ -1048,6 +1115,7 @@ METHOD(task_t, build_r, status_t, case QM_INIT: { sa_payload_t *sa_payload; + encap_t encap; this->spi_r = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP); if (!this->spi_r) @@ -1074,9 +1142,10 @@ METHOD(task_t, build_r, status_t, add_nat_oa_payloads(this, message); } + encap = get_encap(this->ike_sa, this->udp); sa_payload = sa_payload_create_from_proposal_v1(this->proposal, this->lifetime, this->lifebytes, AUTH_NONE, - this->mode, this->udp, this->cpi_r); + this->mode, encap, this->cpi_r); message->add_payload(message, &sa_payload->payload_interface); if (!add_nonce(this, &this->nonce_r, message)) diff --git a/src/libcharon/sa/ikev2/connect_manager.c b/src/libcharon/sa/ikev2/connect_manager.c index 5fdcea1ab..c4e5ea7a0 100644 --- a/src/libcharon/sa/ikev2/connect_manager.c +++ b/src/libcharon/sa/ikev2/connect_manager.c @@ -19,7 +19,7 @@ #include <daemon.h> #include <threading/mutex.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> #include <crypto/hashers/hasher.h> #include <processing/jobs/callback_job.h> diff --git a/src/libcharon/sa/ikev2/mediation_manager.c b/src/libcharon/sa/ikev2/mediation_manager.c index 60eeb5d4b..bf5b2f4b3 100644 --- a/src/libcharon/sa/ikev2/mediation_manager.c +++ b/src/libcharon/sa/ikev2/mediation_manager.c @@ -17,7 +17,7 @@ #include <daemon.h> #include <threading/mutex.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> #include <processing/jobs/mediation_job.h> typedef struct peer_t peer_t; diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index 53051fab4..ea0117c54 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -257,6 +257,8 @@ METHOD(task_manager_t, retransmit, status_t, { DBG1(DBG_IKE, "giving up after %d retransmits", this->initiating.retransmitted - 1); + charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, + this->initiating.packet); return DESTROY_ME; } @@ -264,6 +266,8 @@ METHOD(task_manager_t, retransmit, status_t, { DBG1(DBG_IKE, "retransmit %d of request with message ID %d", this->initiating.retransmitted, message_id); + charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, + this->initiating.packet); } packet = this->initiating.packet->clone(this->initiating.packet); charon->sender->send(charon->sender, packet); @@ -626,6 +630,8 @@ static status_t build_response(private_task_manager_t *this, message_t *request) message_t *message; host_t *me, *other; bool delete = FALSE, hook = FALSE; + ike_sa_id_t *id = NULL; + u_int64_t responder_spi; status_t status; me = request->get_destination(request); @@ -676,10 +682,15 @@ static status_t build_response(private_task_manager_t *this, message_t *request) } enumerator->destroy(enumerator); - /* remove resonder SPI if IKE_SA_INIT failed */ + /* RFC 5996, section 2.6 mentions that in the event of a failure during + * IKE_SA_INIT the responder's SPI will be 0 in the response, while it + * actually explicitly allows it to be non-zero. Since we use the responder + * SPI to create hashes in the IKE_SA manager we can only set the SPI to + * zero temporarily, otherwise checking the SA in would fail. */ if (delete && request->get_exchange_type(request) == IKE_SA_INIT) { - ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa); + id = this->ike_sa->get_id(this->ike_sa); + responder_spi = id->get_responder_spi(id); id->set_responder_spi(id, 0); } @@ -689,6 +700,10 @@ static status_t build_response(private_task_manager_t *this, message_t *request) status = this->ike_sa->generate_message(this->ike_sa, message, &this->responding.packet); message->destroy(message); + if (id) + { + id->set_responder_spi(id, responder_spi); + } if (status != SUCCESS) { charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); @@ -1045,6 +1060,8 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg) is_request ? "request" : "response", msg->get_message_id(msg)); + charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status); + if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED) { /* invalid initiation attempt, close SA */ return DESTROY_ME; @@ -1077,7 +1094,8 @@ METHOD(task_manager_t, process_message, status_t, ike_sa_id_t *ike_sa_id; ike_cfg_t *ike_cfg; job_t *job; - ike_cfg = charon->backends->get_ike_cfg(charon->backends, me, other); + ike_cfg = charon->backends->get_ike_cfg(charon->backends, + me, other, IKEV2); if (ike_cfg == NULL) { /* no config found for these hosts, destroy */ @@ -1133,6 +1151,7 @@ METHOD(task_manager_t, process_message, status_t, DBG1(DBG_IKE, "received retransmit of request with ID %d, " "retransmitting response", mid); + charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg); clone = this->responding.packet->clone(this->responding.packet); host = msg->get_destination(msg); clone->set_source(clone, host->clone(host)); diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index 46a165546..eb3972c29 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -377,6 +377,8 @@ static status_t select_and_install(private_child_create_t *this, if (this->proposal == NULL) { DBG1(DBG_IKE, "no acceptable proposal found"); + charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_CHILD, + this->proposals); return FAILED; } this->other_spi = this->proposal->get_spi(this->proposal); @@ -452,6 +454,7 @@ static status_t select_and_install(private_child_create_t *this, if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0) { + charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr); my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy)); DBG1(DBG_IKE, "no acceptable traffic selectors found"); @@ -549,6 +552,8 @@ static status_t select_and_install(private_child_create_t *this, (status_i != SUCCESS) ? "inbound " : "", (status_i != SUCCESS && status_o != SUCCESS) ? "and ": "", (status_o != SUCCESS) ? "outbound " : ""); + charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_SA_FAILED, + this->child_sa); return FAILED; } @@ -581,6 +586,8 @@ static status_t select_and_install(private_child_create_t *this, if (status != SUCCESS) { DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel"); + charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_POLICY_FAILED, + this->child_sa); return NOT_FOUND; } @@ -982,6 +989,7 @@ static void handle_child_sa_failure(private_child_create_t *this, else { DBG1(DBG_IKE, "failed to establish CHILD_SA, keeping IKE_SA"); + charon->bus->alert(charon->bus, ALERT_KEEP_ON_CHILD_SA_FAILURE); } } @@ -1040,6 +1048,7 @@ METHOD(task_t, build_r, status_t, { DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable", this->tsr, this->tsi); + charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr); message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty); handle_child_sa_failure(this, message); return SUCCESS; @@ -1154,7 +1163,7 @@ METHOD(task_t, process_i, status_t, break; } - /* check for erronous notifies */ + /* check for erroneous notifies */ enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c index cd94ccd9e..70efcd7af 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c @@ -12,7 +12,7 @@ * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details + * for more details. */ #include "ike_auth.h" @@ -457,6 +457,7 @@ METHOD(task_t, build_i, status_t, this->reserved); if (!this->my_auth) { + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); return FAILED; } } @@ -473,6 +474,7 @@ METHOD(task_t, build_i, status_t, case NEED_MORE: break; default: + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); return FAILED; } @@ -748,7 +750,7 @@ METHOD(task_t, build_r, status_t, this->reserved); if (!this->my_auth) { - goto peer_auth_failed; + goto local_auth_failed; } } } @@ -786,9 +788,7 @@ METHOD(task_t, build_r, status_t, case NEED_MORE: break; default: - message->add_notify(message, TRUE, AUTHENTICATION_FAILED, - chunk_empty); - return FAILED; + goto local_auth_failed; } } @@ -807,6 +807,7 @@ METHOD(task_t, build_r, status_t, this->ike_sa, FALSE)) { DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy"); + charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP); message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); return FAILED; @@ -830,11 +831,14 @@ METHOD(task_t, build_r, status_t, return NEED_MORE; peer_auth_failed: - message->add_notify(message, TRUE, AUTHENTICATION_FAILED, - chunk_empty); + message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); peer_auth_failed_no_notify: charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED); return FAILED; +local_auth_failed: + message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); + return FAILED; } METHOD(task_t, process_i, status_t, @@ -987,6 +991,7 @@ METHOD(task_t, process_i, status_t, case NEED_MORE: break; default: + charon->bus->alert(charon->bus, ALERT_LOCAL_AUTH_FAILED); return FAILED; } } diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c index 60e878777..2cbe8f8c5 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c +++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c @@ -57,6 +57,72 @@ struct private_ike_cert_pre_t { }; /** + * Process a single certificate request payload + */ +static void process_certreq(private_ike_cert_pre_t *this, + certreq_payload_t *certreq, auth_cfg_t *auth) +{ + enumerator_t *enumerator; + u_int unknown = 0; + chunk_t keyid; + + this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE); + + if (certreq->get_cert_type(certreq) != CERT_X509) + { + DBG1(DBG_IKE, "cert payload %N not supported - ignored", + certificate_type_names, certreq->get_cert_type(certreq)); + return; + } + + enumerator = certreq->create_keyid_enumerator(certreq); + while (enumerator->enumerate(enumerator, &keyid)) + { + identification_t *id; + certificate_t *cert; + + id = identification_create_from_encoding(ID_KEY_ID, keyid); + cert = lib->credmgr->get_cert(lib->credmgr, + CERT_X509, KEY_ANY, id, TRUE); + if (cert) + { + DBG1(DBG_IKE, "received cert request for \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_RULE_CA_CERT, cert); + } + else + { + DBG2(DBG_IKE, "received cert request for unknown ca with keyid %Y", + id); + unknown++; + } + id->destroy(id); + } + enumerator->destroy(enumerator); + if (unknown) + { + DBG1(DBG_IKE, "received %u cert requests for an unknown ca", + unknown); + } +} + +/** + * Process a single notify payload + */ +static void process_notify(private_ike_cert_pre_t *this, + notify_payload_t *notify) +{ + switch (notify->get_notify_type(notify)) + { + case HTTP_CERT_LOOKUP_SUPPORTED: + this->ike_sa->enable_extension(this->ike_sa, EXT_HASH_AND_URL); + break; + default: + break; + } +} + +/** * read certificate requests */ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) @@ -73,62 +139,11 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) switch (payload->get_type(payload)) { case CERTIFICATE_REQUEST: - { - certreq_payload_t *certreq = (certreq_payload_t*)payload; - enumerator_t *enumerator; - u_int unknown = 0; - chunk_t keyid; - - this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE); - - if (certreq->get_cert_type(certreq) != CERT_X509) - { - DBG1(DBG_IKE, "cert payload %N not supported - ignored", - certificate_type_names, certreq->get_cert_type(certreq)); - break; - } - enumerator = certreq->create_keyid_enumerator(certreq); - while (enumerator->enumerate(enumerator, &keyid)) - { - identification_t *id; - certificate_t *cert; - - id = identification_create_from_encoding(ID_KEY_ID, keyid); - cert = lib->credmgr->get_cert(lib->credmgr, - CERT_X509, KEY_ANY, id, TRUE); - if (cert) - { - DBG1(DBG_IKE, "received cert request for \"%Y\"", - cert->get_subject(cert)); - auth->add(auth, AUTH_RULE_CA_CERT, cert); - } - else - { - DBG2(DBG_IKE, "received cert request for unknown ca " - "with keyid %Y", id); - unknown++; - } - id->destroy(id); - } - enumerator->destroy(enumerator); - if (unknown) - { - DBG1(DBG_IKE, "received %u cert requests for an unknown ca", - unknown); - } + process_certreq(this, (certreq_payload_t*)payload, auth); break; - } case NOTIFY: - { - notify_payload_t *notify = (notify_payload_t*)payload; - - /* we only handle one type of notify here */ - if (notify->get_notify_type(notify) == HTTP_CERT_LOOKUP_SUPPORTED) - { - this->ike_sa->enable_extension(this->ike_sa, EXT_HASH_AND_URL); - } + process_notify(this, (notify_payload_t*)payload); break; - } default: /* ignore other payloads here, these are handled elsewhere */ break; @@ -177,7 +192,75 @@ static certificate_t *try_get_cert(cert_payload_t *cert_payload) } /** - * import certificates + * Process a X509 certificate payload + */ +static void process_x509(cert_payload_t *payload, auth_cfg_t *auth, + cert_encoding_t encoding, bool *first) +{ + certificate_t *cert; + char *url; + + cert = try_get_cert(payload); + if (cert) + { + if (*first) + { /* the first is an end entity certificate */ + DBG1(DBG_IKE, "received end entity cert \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert); + *first = FALSE; + } + else + { + DBG1(DBG_IKE, "received issuer cert \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_IM_CERT, cert); + } + } + else if (encoding == ENC_X509_HASH_AND_URL) + { + /* we fetch the certificate not yet, but only if + * it is really needed during authentication */ + url = payload->get_url(payload); + if (!url) + { + DBG1(DBG_IKE, "received invalid hash-and-url " + "encoded cert, ignore"); + return; + } + url = strdup(url); + if (first) + { /* first URL is for an end entity certificate */ + DBG1(DBG_IKE, "received hash-and-url for end entity cert \"%s\"", + url); + auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url); + first = FALSE; + } + else + { + DBG1(DBG_IKE, "received hash-and-url for issuer cert \"%s\"", url); + auth->add(auth, AUTH_HELPER_IM_HASH_URL, url); + } + } +} + +/** + * Process a CRL certificate payload + */ +static void process_crl(cert_payload_t *payload, auth_cfg_t *auth) +{ + certificate_t *cert; + + cert = payload->get_cert(payload); + if (cert) + { + DBG1(DBG_IKE, "received CRL \"%Y\"", cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert); + } +} + +/** + * Process certificate payloads */ static void process_certs(private_ike_cert_pre_t *this, message_t *message) { @@ -195,8 +278,6 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) { cert_payload_t *cert_payload; cert_encoding_t encoding; - certificate_t *cert; - char *url; cert_payload = (cert_payload_t*)payload; encoding = cert_payload->get_cert_encoding(cert_payload); @@ -204,70 +285,18 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) switch (encoding) { case ENC_X509_HASH_AND_URL: - { if (!this->do_http_lookup) { - DBG1(DBG_IKE, "received hash-and-url encoded cert, but" - " we don't accept them, ignore"); + DBG1(DBG_IKE, "received hash-and-url encoded cert, but " + "we don't accept them, ignore"); break; } /* FALL */ - } case ENC_X509_SIGNATURE: - { - cert = try_get_cert(cert_payload); - if (cert) - { - if (first) - { /* the first is an end entity certificate */ - DBG1(DBG_IKE, "received end entity cert \"%Y\"", - cert->get_subject(cert)); - auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert); - first = FALSE; - } - else - { - DBG1(DBG_IKE, "received issuer cert \"%Y\"", - cert->get_subject(cert)); - auth->add(auth, AUTH_HELPER_IM_CERT, cert); - } - } - else if (encoding == ENC_X509_HASH_AND_URL) - { - /* we fetch the certificate not yet, but only if - * it is really needed during authentication */ - url = cert_payload->get_url(cert_payload); - if (!url) - { - DBG1(DBG_IKE, "received invalid hash-and-url " - "encoded cert, ignore"); - break; - } - url = strdup(url); - if (first) - { /* first URL is for an end entity certificate */ - DBG1(DBG_IKE, "received hash-and-url for end" - " entity cert \"%s\"", url); - auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url); - first = FALSE; - } - else - { - DBG1(DBG_IKE, "received hash-and-url for issuer" - " cert \"%s\"", url); - auth->add(auth, AUTH_HELPER_IM_HASH_URL, url); - } - } + process_x509(cert_payload, auth, encoding, &first); break; - } case ENC_CRL: - cert = cert_payload->get_cert(cert_payload); - if (cert) - { - DBG1(DBG_IKE, "received CRL \"%Y\"", - cert->get_subject(cert)); - auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert); - } + process_crl(cert_payload, auth); break; case ENC_PKCS7_WRAPPED_X509: case ENC_PGP: diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c index c44f0452c..d637c26fe 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_config.c +++ b/src/libcharon/sa/ikev2/tasks/ike_config.c @@ -380,6 +380,7 @@ METHOD(task_t, build_r, status_t, { DBG1(DBG_IKE, "no virtual IP found, sending %N", notify_type_names, INTERNAL_ADDRESS_FAILURE); + charon->bus->alert(charon->bus, ALERT_VIP_FAILURE, this->vips); message->add_notify(message, FALSE, INTERNAL_ADDRESS_FAILURE, chunk_empty); vips->destroy_offset(vips, offsetof(host_t, destroy)); @@ -390,6 +391,7 @@ METHOD(task_t, build_r, status_t, { DBG1(DBG_IKE, "expected a virtual IP request, sending %N", notify_type_names, FAILED_CP_REQUIRED); + charon->bus->alert(charon->bus, ALERT_VIP_FAILURE, this->vips); message->add_notify(message, FALSE, FAILED_CP_REQUIRED, chunk_empty); vips->destroy_offset(vips, offsetof(host_t, destroy)); pools->destroy(pools); diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index f2a06735e..7542937b3 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -187,6 +187,11 @@ static void process_payloads(private_ike_init_t *this, message_t *message) EXT_STRONGSWAN); this->proposal = this->config->select_proposal(this->config, proposal_list, private); + if (!this->proposal) + { + charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_IKE, + proposal_list); + } proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy)); break; @@ -421,7 +426,7 @@ METHOD(task_t, process_i, status_t, enumerator_t *enumerator; payload_t *payload; - /* check for erronous notifies */ + /* check for erroneous notifies */ enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.h b/src/libcharon/sa/ikev2/tasks/ike_mobike.h index 3b447af51..b145a9a8b 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_mobike.h +++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.h @@ -26,7 +26,7 @@ typedef struct ike_mobike_t ike_mobike_t; #include <library.h> #include <sa/ike_sa.h> #include <sa/task.h> -#include <utils/packet.h> +#include <networking/packet.h> /** * Task of type ike_mobike, detects and handles MOBIKE extension. diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c index 5af43fb91..94be7d433 100644 --- a/src/libcharon/sa/shunt_manager.c +++ b/src/libcharon/sa/shunt_manager.c @@ -18,7 +18,7 @@ #include <hydra.h> #include <daemon.h> #include <threading/rwlock.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> typedef struct private_shunt_manager_t private_shunt_manager_t; diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h index 12ff08558..28a795dc9 100644 --- a/src/libcharon/sa/shunt_manager.h +++ b/src/libcharon/sa/shunt_manager.h @@ -22,7 +22,7 @@ #define SHUNT_MANAGER_H_ #include <library.h> -#include <utils/enumerator.h> +#include <collections/enumerator.h> #include <config/child_cfg.h> typedef struct shunt_manager_t shunt_manager_t; diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index fdcfa0a20..6c0ae19c7 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Tobias Brunner + * Copyright (C) 2011-2012 Tobias Brunner * Copyright (C) 2009 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -19,7 +19,7 @@ #include <hydra.h> #include <daemon.h> #include <threading/rwlock.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> typedef struct private_trap_manager_t private_trap_manager_t; @@ -94,36 +94,14 @@ static void destroy_entry(entry_t *entry) METHOD(trap_manager_t, install, u_int32_t, private_trap_manager_t *this, peer_cfg_t *peer, child_cfg_t *child) { - entry_t *entry; + entry_t *entry, *found = NULL; ike_cfg_t *ike_cfg; child_sa_t *child_sa; host_t *me, *other; linked_list_t *my_ts, *other_ts, *list; enumerator_t *enumerator; - bool found = FALSE; status_t status; - u_int32_t reqid; - - /* check if not already done */ - this->lock->read_lock(this->lock); - enumerator = this->traps->create_enumerator(this->traps); - while (enumerator->enumerate(enumerator, &entry)) - { - if (streq(entry->child_sa->get_name(entry->child_sa), - child->get_name(child))) - { - found = TRUE; - break; - } - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - if (found) - { - DBG1(DBG_CFG, "CHILD_SA named '%s' already routed", - child->get_name(child)); - return 0; - } + u_int32_t reqid = 0; /* try to resolve addresses */ ike_cfg = peer->get_ike_cfg(peer); @@ -150,8 +128,28 @@ METHOD(trap_manager_t, install, u_int32_t, me->set_port(me, ike_cfg->get_my_port(ike_cfg)); } + this->lock->write_lock(this->lock); + enumerator = this->traps->create_enumerator(this->traps); + while (enumerator->enumerate(enumerator, &entry)) + { + if (streq(entry->child_sa->get_name(entry->child_sa), + child->get_name(child))) + { + this->traps->remove_at(this->traps, enumerator); + found = entry; + break; + } + } + enumerator->destroy(enumerator); + if (found) + { /* config might have changed so update everything */ + DBG1(DBG_CFG, "updating already routed CHILD_SA '%s'", + child->get_name(child)); + reqid = found->child_sa->get_reqid(found->child_sa); + } + /* create and route CHILD_SA */ - child_sa = child_sa_create(me, other, child, 0, FALSE); + child_sa = child_sa_create(me, other, child, reqid, FALSE); list = linked_list_create_with_items(me, NULL); my_ts = child->get_traffic_selectors(child, TRUE, NULL, list); @@ -171,21 +169,29 @@ METHOD(trap_manager_t, install, u_int32_t, other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy)); if (status != SUCCESS) { - child_sa->destroy(child_sa); DBG1(DBG_CFG, "installing trap failed"); - return 0; + reqid = 0; + /* hold off destroying the CHILD_SA until we released the lock */ + } + else + { + INIT(entry, + .child_sa = child_sa, + .peer_cfg = peer->get_ref(peer), + ); + this->traps->insert_last(this->traps, entry); + reqid = child_sa->get_reqid(child_sa); } - - reqid = child_sa->get_reqid(child_sa); - INIT(entry, - .child_sa = child_sa, - .peer_cfg = peer->get_ref(peer), - ); - - this->lock->write_lock(this->lock); - this->traps->insert_last(this->traps, entry); this->lock->unlock(this->lock); + if (status != SUCCESS) + { + child_sa->destroy(child_sa); + } + if (found) + { + destroy_entry(found); + } return reqid; } diff --git a/src/libcharon/sa/trap_manager.h b/src/libcharon/sa/trap_manager.h index 928b2a49f..e3d355662 100644 --- a/src/libcharon/sa/trap_manager.h +++ b/src/libcharon/sa/trap_manager.h @@ -22,7 +22,7 @@ #define TRAP_MANAGER_H_ #include <library.h> -#include <utils/enumerator.h> +#include <collections/enumerator.h> #include <config/peer_cfg.h> typedef struct trap_manager_t trap_manager_t; diff --git a/src/libcharon/sa/xauth/xauth_manager.c b/src/libcharon/sa/xauth/xauth_manager.c index 432c9c0ab..f0602a673 100644 --- a/src/libcharon/sa/xauth/xauth_manager.c +++ b/src/libcharon/sa/xauth/xauth_manager.c @@ -15,7 +15,7 @@ #include "xauth_manager.h" -#include <utils/linked_list.h> +#include <collections/linked_list.h> #include <threading/rwlock.h> typedef struct private_xauth_manager_t private_xauth_manager_t; |