📄 dpd.c
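/* IPsec IKE Dead Peer Detection code.
 * Copyright (C) 2003 Ken Bantoft        <ken@xelerance.com>
 * Copyright (C) 2004 Michael Richardson <mcr@xelerance.com>
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 *
 * RCSID $Id: dpd.c,v 1.13 2004/12/09 04:47:03 mcr Exp $
 */

#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <resolv.h>
#include <arpa/nameser.h>	/* missing from <resolv.h> on old systems */
#include <sys/queue.h>
#include <sys/time.h>		/* for gettimeofday */

#include <openswan.h>
#include <openswan/ipsec_policy.h>

#include "constants.h"
#include "defs.h"
#include "state.h"
#include "id.h"
#include "x509.h"
#include "pgp.h"
#include "certs.h"
#include "smartcard.h"
#ifdef XAUTH_USEPAM
#include <security/pam_appl.h>
#endif
#include "connections.h"	/* needs id.h */
#include "keys.h"
#include "packet.h"
#include "demux.h"	/* needs packet.h */
#include "adns.h"	/* needs <resolv.h> */
#include "dnskey.h"	/* needs keys.h and adns.h */
#include "kernel.h"	/* needs connections.h */
#include "log.h"
#include "cookie.h"
#include "server.h"
#include "spdb.h"
#include "timer.h"
#include "rnd.h"
#include "ipsec_doi.h"	/* needs demux.h and state.h */
#include "whack.h"
#include "dpd.h"
#include "x509more.h"

/**
 * Initialize RFC 3706 Dead Peer Detection
 *
 * Looks up the Phase 1 (ISAKMP) state that @st belongs to and, if DPD was
 * negotiated on that Phase 1 SA, schedules the first EVENT_DPD for @st
 * after the connection's dpd_delay.
 *
 * @param st An initialized state structure
 * @return void
 */
void
dpd_init(struct state *st)
{
    /* the Phase 1 state that DPD is tracked on */
    struct state *p1st;

    /* find the related Phase 1 state */
    p1st = find_state(st->st_icookie, st->st_rcookie,
                      &st->st_connection->spd.that.host_addr, 0);

    if (p1st == NULL) {
        loglog(RC_LOG_SERIOUS, "could not find phase 1 state for DPD");
    } else if (p1st->hidden_variables.st_dpd) {
        openswan_log("Dead Peer Detection (RFC 3706) enabled");
        event_schedule(EVENT_DPD, st->st_connection->dpd_delay, st);
    }
}

bool was_eroute_idle(struct state *st, time_t since_when);

/**
 * DPD Out Initiator
 *
 * Decides whether an R_U_THERE needs to be sent on the Phase 1 SA @p1st on
 * behalf of @st, sends it, and (re)schedules EVENT_DPD / EVENT_DPD_TIMEOUT.
 *
 * @param p1st        The established Phase 1 state the R_U_THERE is sent on
 * @param st          The state whose EVENT_DPD fired (Phase 1 or Phase 2)
 * @param eroute_care TRUE if traffic on @st's eroute should suppress the probe
 * @param delay       Seconds between probes (connection's dpd_delay)
 * @param timeout     Seconds to wait for an R_U_THERE_ACK (dpd_timeout)
 * @return void
 */
static void
dpd_outI(struct state *p1st, struct state *st, bool eroute_care,
         time_t delay, time_t timeout)
{
    time_t tm;
    u_int32_t seqno;
    /* initialized so the later read is defined even if eroute_care is FALSE */
    bool eroute_idle = FALSE;

    /* If an R_U_THERE has been sent or received recently, then
     * base the resend time on that. */
    tm = now();

    DBG(DBG_DPD, DBG_log("processing dpd for state #%lu", st->st_serialno));

    /* If no DPD, then get out of here */
    if (!st->hidden_variables.st_dpd)
        return;

    /* If there is no established Phase 1 state, there can be no DPD */
    if (!IS_ISAKMP_SA_ESTABLISHED(p1st->st_state))
        return;

    /* if there is no reason to do anything, then just reschedule things */
    if ((eroute_care && (eroute_idle = was_eroute_idle(st, delay)) == FALSE)
        || (tm < (p1st->st_last_dpd + delay)))
    {
        time_t nextdelay = p1st->st_last_dpd + delay - tm;

        /* log reason */
        if (eroute_care && eroute_idle == FALSE) {
            DBG(DBG_DPD, DBG_log("dpd out event not sent, phase 2 active"));
        }
        if (tm < (p1st->st_last_dpd + delay)) {
            /* time_t is cast explicitly so the %lu conversion is well-defined */
            DBG(DBG_DPD, DBG_log("not yet time for dpd event: %lu < %lu",
                                 (unsigned long)tm,
                                 (unsigned long)(p1st->st_last_dpd + delay)));
        }

        /* now plan next check; never schedule in the past */
        if (nextdelay < 1) {
            nextdelay = delay;
        }

        event_schedule(EVENT_DPD, nextdelay, st);

        /* If there is still a timeout for the last R_U_THERE sent,
         * and the timeout is greater than ours, then reduce it. */
        if (p1st->st_dpd_event != NULL
            && p1st->st_dpd_event->ev_time > (p1st->st_last_dpd + timeout))
        {
            DBG(DBG_DPD, DBG_log("shortening timeout to %lu",
                                 (unsigned long)timeout));
            delete_dpd_event(p1st);
            event_schedule(EVENT_DPD_TIMEOUT, timeout, p1st);
        }
        return;
    }

    event_schedule(EVENT_DPD, delay, st);

    if (!p1st->st_dpd_seqno) {
        /* Get a non-zero random value that has room to grow */
        get_rnd_bytes((u_char *)&p1st->st_dpd_seqno, sizeof(p1st->st_dpd_seqno));
        p1st->st_dpd_seqno &= 0x7fff;
        p1st->st_dpd_seqno++;
    }

    /* the wire value is big-endian; log the host-order value so it matches
     * the "expected:" value printed when the ACK arrives */
    seqno = htonl(p1st->st_dpd_seqno);
    DBG(DBG_DPD, DBG_log("sending R_U_THERE %u", p1st->st_dpd_seqno));

    if (send_isakmp_notification(p1st, R_U_THERE, &seqno, sizeof(seqno)) != STF_IGNORE) {
        loglog(RC_LOG_SERIOUS, "DPD Error: could not send R_U_THERE");
        return;
    }

    st->st_last_dpd = tm;
    p1st->st_last_dpd = tm;
    p1st->st_dpd_expectseqno = p1st->st_dpd_seqno++;

    /* Only schedule a new timeout if there isn't one currently,
     * or if it would be sooner than the current timeout. */
    if (p1st->st_dpd_event == NULL
        || p1st->st_dpd_event->ev_time > tm + timeout)
    {
        delete_dpd_event(p1st);
        event_schedule(EVENT_DPD_TIMEOUT, timeout, p1st);
    }
}

/**
 * EVENT_DPD handler for a Phase 1 state: probes on the state itself,
 * without looking at eroute traffic.
 *
 * @param p1st The Phase 1 state whose EVENT_DPD fired
 * @return void
 */
void
p1_dpd_outI1(struct state *p1st)
{
    time_t delay = p1st->st_connection->dpd_delay;
    time_t timeout = p1st->st_connection->dpd_timeout;

    dpd_outI(p1st, p1st, FALSE, delay, timeout);
}

/**
 * EVENT_DPD handler for a Phase 2 state: finds the newest established
 * Phase 1 state of the same connection and probes on it, suppressing the
 * probe while the Phase 2 eroute is carrying traffic.
 *
 * @param p2st The Phase 2 state whose EVENT_DPD fired
 * @return void
 */
void
p2_dpd_outI1(struct state *p2st)
{
    struct state *st;
    time_t delay = p2st->st_connection->dpd_delay;
    time_t timeout = p2st->st_connection->dpd_timeout;

    /* find the related Phase 1 state */
    st = find_phase1_state(p2st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
    if (st == NULL) {
        loglog(RC_LOG_SERIOUS, "DPD Error: could not find newest phase 1 state");
        return;
    }

    dpd_outI(st, p2st, TRUE, delay, timeout);
}

/**
 * EVENT_DPD dispatcher: routes to the Phase 1 or Phase 2 handler.
 *
 * @param st The state whose EVENT_DPD fired; NULL is ignored
 * @return void
 */
void
dpd_event(struct state *st)
{
    if (st == NULL)
        return;

    if (IS_PHASE1(st->st_state)) {
        p1_dpd_outI1(st);
    } else {
        p2_dpd_outI1(st);
    }
}

/**
 * DPD in Initiator, out Responder
 *
 * Handles a received R_U_THERE: validates the SPI (cookie pair) and the
 * 4-byte sequence number, drops old/duplicate probes, and answers with an
 * R_U_THERE_ACK carrying the same sequence number.
 *
 * @param st A state structure
 * @param n A notification (isakmp_notification)
 * @param pbs A PB Stream positioned at the SPI
 * @return stf_status  STF_IGNORE on success or ignorable error,
 *                     STF_FAIL + notification on a malformed payload
 */
stf_status
dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *pbs)
{
    time_t tm = now();
    u_int32_t seqno;

    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state)) {
        loglog(RC_LOG_SERIOUS, "DPD Error: received R_U_THERE for unestablished ISKAMP SA");
        return STF_IGNORE;
    }

    /* the SPI must hold both cookies and the stream must actually contain them */
    if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2) {
        loglog(RC_LOG_SERIOUS, "DPD Error: R_U_THERE has invalid SPI length (%d)", n->isan_spisize);
        return STF_FAIL + PAYLOAD_MALFORMED;
    }

    if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0) {
        /* RFC states we *SHOULD* check cookies, not MUST.  So invalid
           cookies are technically valid, as per Geoffrey Huang */
        loglog(RC_LOG_SERIOUS, "DPD Error: R_U_THERE has invalid icookie (broken Cisco?)");
    }
    pbs->cur += COOKIE_SIZE;

    if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0) {
        loglog(RC_LOG_SERIOUS, "DPD Error: R_U_THERE has invalid rcookie (broken Cisco?)");
        return STF_FAIL + INVALID_COOKIE;
    }
    pbs->cur += COOKIE_SIZE;

    if (pbs_left(pbs) != sizeof(seqno)) {
        loglog(RC_LOG_SERIOUS, "DPD Error: R_U_THERE has invalid data length (%d)", (int) pbs_left(pbs));
        return STF_FAIL + PAYLOAD_MALFORMED;
    }

    /* copy out of the byte buffer rather than dereferencing a cast pointer:
     * the payload is not guaranteed to be 4-byte aligned and the cast would
     * violate strict aliasing */
    memcpy(&seqno, pbs->cur, sizeof(seqno));
    seqno = ntohl(seqno);

    if (st->st_dpd_peerseqno && seqno <= st->st_dpd_peerseqno) {
        loglog(RC_LOG_SERIOUS, "DPD Info: received old or duplicate R_U_THERE");
        return STF_IGNORE;
    }

    DBG(DBG_DPD, DBG_log("received R_U_THERE seq:%u time:%lu", seqno, (unsigned long)tm));

    st->st_dpd_peerseqno = seqno;
    delete_dpd_event(st);

    /* echo the peer's sequence number back, still in network order */
    if (send_isakmp_notification(st, R_U_THERE_ACK, pbs->cur, pbs_left(pbs)) != STF_IGNORE) {
        loglog(RC_LOG_SERIOUS, "DPD Info: could not send R_U_THERE_ACK");
        return STF_IGNORE;
    }

    st->st_last_dpd = tm;
    return STF_IGNORE;
}

/**
 * DPD out Responder
 *
 * Handles a received R_U_THERE_ACK: validates the SPI (cookie pair) and the
 * sequence number against the one we are waiting for, then cancels the
 * pending EVENT_DPD_TIMEOUT.
 *
 * @param st A state structure
 * @param n A notification (isakmp_notification)
 * @param pbs A PB Stream positioned at the SPI
 * @return stf_status  STF_IGNORE on success, STF_FAIL (+ notification)
 *                     on an unestablished SA or malformed payload
 */
stf_status
dpd_inR(struct state *st, struct isakmp_notification *const n, pb_stream *pbs)
{
    u_int32_t seqno;

    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state)) {
        loglog(RC_LOG_SERIOUS, "recevied R_U_THERE_ACK for unestablished ISKAMP SA");
        return STF_FAIL;
    }

    if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2) {
        loglog(RC_LOG_SERIOUS, "R_U_THERE_ACK has invalid SPI length (%d)", n->isan_spisize);
        return STF_FAIL + PAYLOAD_MALFORMED;
    }

    if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0) {
        /* RFC states we *SHOULD* check cookies, not MUST.  So invalid
           cookies are technically valid, as per Geoffrey Huang */
        loglog(RC_LOG_SERIOUS, "R_U_THERE_ACK has invalid icookie");
    }
    pbs->cur += COOKIE_SIZE;

    if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0) {
        /* RFC states we *SHOULD* check cookies, not MUST.  So invalid
           cookies are technically valid, as per Geoffrey Huang */
        loglog(RC_LOG_SERIOUS, "R_U_THERE_ACK has invalid rcookie");
    }
    pbs->cur += COOKIE_SIZE;

    if (pbs_left(pbs) != sizeof(seqno)) {
        loglog(RC_LOG_SERIOUS, "R_U_THERE_ACK has invalid data length (%d)", (int) pbs_left(pbs));
        return STF_FAIL + PAYLOAD_MALFORMED;
    }

    /* see dpd_inI_outR: unaligned, aliasing-safe read of the wire value */
    memcpy(&seqno, pbs->cur, sizeof(seqno));
    seqno = ntohl(seqno);

    DBG(DBG_DPD, DBG_log("R_U_THERE_ACK, seqno received: %u expected: %u",
                         seqno, st->st_dpd_expectseqno));

    /* When an R_U_THERE is outstanding, the ACK must carry its sequence
     * number; an ACK with any other number does not prove liveness.
     * (The previous test "!expectseqno && seqno != expectseqno" only
     * fired when nothing was outstanding, so a mismatched ACK was accepted.) */
    if (st->st_dpd_expectseqno != 0 && seqno != st->st_dpd_expectseqno) {
        loglog(RC_LOG_SERIOUS, "R_U_THERE_ACK has unexpected sequence number");
        return STF_FAIL + PAYLOAD_MALFORMED;
    }

    st->st_dpd_expectseqno = 0;
    delete_dpd_event(st);
    return STF_IGNORE;
}

/**
 * DPD Timeout Function
 *
 * This function is called when a timeout DPD_EVENT occurs.  We set clear/trap
 * both the SA and the eroutes, depending on what the connection definition
 * tells us (either 'hold' or 'clear')
 *
 * @param st A state structure that is fully negotiated
 * @return void
 */
void
dpd_timeout(struct state *st)
{
    struct connection *c = st->st_connection;
    int action = c->dpd_action;

    passert(action == DPD_ACTION_HOLD || action == DPD_ACTION_CLEAR);

    loglog(RC_LOG_SERIOUS, "DPD: Info: No response from peer - declaring peer dead");

    /* delete the states, which includes st (probably in phase 2);
     * st must not be touched after this point.
     * NOTE(review): c is still used below, so it must outlive its states --
     * confirm this holds for instantiated connections. */
    set_cur_connection(c);
    openswan_log("terminating SAs using this connection");
    delete_states_by_connection(c, TRUE);
    reset_cur_connection();

    if (action == DPD_ACTION_HOLD) {
        /* dpdaction=hold - Wipe the SA's but %trap the eroute so we don't
           leak traffic.  Also, being in %trap means new packets will
           force an initiation of the conn again.  */
        loglog(RC_LOG_SERIOUS, "DPD: Info: Putting connection into %%trap");
    } else {
        /* dpdaction=clear - Wipe the SA & eroute - everything */
        loglog(RC_LOG_SERIOUS, "DPD: Info: Clearing Connection");
        unroute_connection(c);
    }
}

/*
 * Local Variables:
 * c-basic-offset:4
 * c-style: pluto
 * End:
 */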