added retrieval of remote kmaddress via PF_KEY
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * $Id$
17 */
18
19 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <stdint.h>
22 #include <linux/ipsec.h>
23 #include <linux/pfkeyv2.h>
24 #include <linux/udp.h>
25 #include <unistd.h>
26 #include <pthread.h>
27 #include <errno.h>
28
29 #include "kernel_pfkey_ipsec.h"
30
31 #include <daemon.h>
32 #include <utils/host.h>
33 #include <utils/mutex.h>
34 #include <processing/jobs/callback_job.h>
35 #include <processing/jobs/acquire_job.h>
36 #include <processing/jobs/migrate_job.h>
37 #include <processing/jobs/rekey_child_sa_job.h>
38 #include <processing/jobs/delete_child_sa_job.h>
39 #include <processing/jobs/update_sa_job.h>
40
41 /** default priority of installed policies */
42 #define PRIO_LOW 3000
43 #define PRIO_HIGH 2000
44
45 /** buffer size for PF_KEY messages */
46 #define PFKEY_BUFFER_SIZE 4096
47
48 /** PF_KEY messages are 64 bit aligned */
49 #define PFKEY_ALIGNMENT 8
50 /** aligns len to 64 bits */
51 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
52 /** calculates the properly padded length in 64 bit chunks */
53 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
54 /** calculates user mode length i.e. in bytes */
55 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
56
57 /** given a PF_KEY message header and an extension this updates the length in the header */
58 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
59 /** given a PF_KEY message header this returns a pointer to the next extension */
60 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
61 /** copy an extension and append it to a PF_KEY message */
62 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
63 /** given a PF_KEY extension this returns a pointer to the next extension */
64 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
65 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
66 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
67 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
68 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
69 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
70 (ext)->sadb_ext_len <= (len))
71
72 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
73
74 /**
75 * Private variables and functions of kernel_pfkey class.
76 */
77 struct private_kernel_pfkey_ipsec_t
78 {
79 /**
80 * Public part of the kernel_pfkey_t object.
81 */
82 kernel_pfkey_ipsec_t public;
83
84 /**
85 * mutex to lock access to various lists
86 */
87 mutex_t *mutex;
88
89 /**
90 * List of installed policies (policy_entry_t)
91 */
92 linked_list_t *policies;
93
94 /**
95 * whether to install routes along policies
96 */
97 bool install_routes;
98
99 /**
100 * job receiving PF_KEY events
101 */
102 callback_job_t *job;
103
104 /**
105 * mutex to lock access to the PF_KEY socket
106 */
107 mutex_t *mutex_pfkey;
108
109 /**
110 * PF_KEY socket to communicate with the kernel
111 */
112 int socket;
113
114 /**
115 * PF_KEY socket to receive acquire and expire events
116 */
117 int socket_events;
118
119 /**
120 * sequence number for messages sent to the kernel
121 */
122 int seq;
123 };
124
125 typedef struct route_entry_t route_entry_t;
126
127 /**
128 * installed routing entry
129 */
130 struct route_entry_t {
131 /** Name of the interface the route is bound to */
132 char *if_name;
133
134 /** Source ip of the route */
135 host_t *src_ip;
136
137 /** gateway for this route */
138 host_t *gateway;
139
140 /** Destination net */
141 chunk_t dst_net;
142
143 /** Destination net prefixlen */
144 u_int8_t prefixlen;
145 };
146
147 /**
148 * destroy an route_entry_t object
149 */
150 static void route_entry_destroy(route_entry_t *this)
151 {
152 free(this->if_name);
153 this->src_ip->destroy(this->src_ip);
154 this->gateway->destroy(this->gateway);
155 chunk_free(&this->dst_net);
156 free(this);
157 }
158
159 typedef struct policy_entry_t policy_entry_t;
160
161 /**
162 * installed kernel policy.
163 */
164 struct policy_entry_t {
165
166 /** reqid of this policy */
167 u_int32_t reqid;
168
169 /** index assigned by the kernel */
170 u_int32_t index;
171
172 /** direction of this policy: in, out, forward */
173 u_int8_t direction;
174
175 /** parameters of installed policy */
176 struct {
177 /** subnet and port */
178 host_t *net;
179 /** subnet mask */
180 u_int8_t mask;
181 /** protocol */
182 u_int8_t proto;
183 } src, dst;
184
185 /** associated route installed for this policy */
186 route_entry_t *route;
187
188 /** by how many CHILD_SA's this policy is used */
189 u_int refcount;
190 };
191
192 /**
193 * create a policy_entry_t object
194 */
195 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
196 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
197 {
198 policy_entry_t *policy = malloc_thing(policy_entry_t);
199 policy->reqid = reqid;
200 policy->index = 0;
201 policy->direction = dir;
202 policy->route = NULL;
203 policy->refcount = 0;
204
205 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
206 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
207
208 /* src or dest proto may be "any" (0), use more restrictive one */
209 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
210 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
211 policy->dst.proto = policy->src.proto;
212
213 return policy;
214 }
215
216 /**
217 * destroy a policy_entry_t object
218 */
219 static void policy_entry_destroy(policy_entry_t *this)
220 {
221 DESTROY_IF(this->src.net);
222 DESTROY_IF(this->dst.net);
223 if (this->route)
224 {
225 route_entry_destroy(this->route);
226 }
227 free(this);
228 }
229
230 /**
231 * compares two policy_entry_t
232 */
233 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
234 {
235 return current->direction == policy->direction &&
236 current->src.proto == policy->src.proto &&
237 current->dst.proto == policy->dst.proto &&
238 current->src.mask == policy->src.mask &&
239 current->dst.mask == policy->dst.mask &&
240 current->src.net->equals(current->src.net, policy->src.net) &&
241 current->dst.net->equals(current->dst.net, policy->dst.net);
242 }
243
244 /**
245 * compare the given kernel index with that of a policy
246 */
247 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
248 {
249 return current->index == *index;
250 }
251
252 typedef struct pfkey_msg_t pfkey_msg_t;
253
254 struct pfkey_msg_t
255 {
256 /**
257 * PF_KEY message base
258 */
259 struct sadb_msg *msg;
260
261
262 /**
263 * PF_KEY message extensions
264 */
265 union {
266 struct sadb_ext *ext[SADB_EXT_MAX + 1];
267 struct {
268 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
269 struct sadb_sa *sa; /* SADB_EXT_SA */
270 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
271 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
272 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
273 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
274 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
275 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
276 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
277 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
278 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
279 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
280 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
281 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
282 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
283 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
284 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
285 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
286 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
287 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
288 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
289 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
290 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
291 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
292 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
293 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
294 } __attribute__((__packed__));
295 };
296 };
297
298 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
299 "SADB_EXT_RESERVED",
300 "SADB_EXT_SA",
301 "SADB_EXT_LIFETIME_CURRENT",
302 "SADB_EXT_LIFETIME_HARD",
303 "SADB_EXT_LIFETIME_SOFT",
304 "SADB_EXT_ADDRESS_SRC",
305 "SADB_EXT_ADDRESS_DST",
306 "SADB_EXT_ADDRESS_PROXY",
307 "SADB_EXT_KEY_AUTH",
308 "SADB_EXT_KEY_ENCRYPT",
309 "SADB_EXT_IDENTITY_SRC",
310 "SADB_EXT_IDENTITY_DST",
311 "SADB_EXT_SENSITIVITY",
312 "SADB_EXT_PROPOSAL",
313 "SADB_EXT_SUPPORTED_AUTH",
314 "SADB_EXT_SUPPORTED_ENCRYPT",
315 "SADB_EXT_SPIRANGE",
316 "SADB_X_EXT_KMPRIVATE",
317 "SADB_X_EXT_POLICY",
318 "SADB_X_EXT_SA2",
319 "SADB_X_EXT_NAT_T_TYPE",
320 "SADB_X_EXT_NAT_T_SPORT",
321 "SADB_X_EXT_NAT_T_DPORT",
322 "SADB_X_EXT_NAT_T_OA",
323 "SADB_X_EXT_SEC_CTX",
324 "SADB_X_EXT_KMADDRESS"
325 );
326 /**
327 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
328 */
329 static u_int8_t proto_ike2satype(protocol_id_t proto)
330 {
331 switch (proto)
332 {
333 case PROTO_ESP:
334 return SADB_SATYPE_ESP;
335 case PROTO_AH:
336 return SADB_SATYPE_AH;
337 case IPPROTO_COMP:
338 return SADB_X_SATYPE_IPCOMP;
339 default:
340 return proto;
341 }
342 }
343
344 /**
345 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
346 */
347 static protocol_id_t proto_satype2ike(u_int8_t proto)
348 {
349 switch (proto)
350 {
351 case SADB_SATYPE_ESP:
352 return PROTO_ESP;
353 case SADB_SATYPE_AH:
354 return PROTO_AH;
355 case SADB_X_SATYPE_IPCOMP:
356 return IPPROTO_COMP;
357 default:
358 return proto;
359 }
360 }
361
362 /**
363 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
364 */
365 static u_int8_t proto_ike2ip(protocol_id_t proto)
366 {
367 switch (proto)
368 {
369 case PROTO_ESP:
370 return IPPROTO_ESP;
371 case PROTO_AH:
372 return IPPROTO_AH;
373 default:
374 return proto;
375 }
376 }
377
378 /**
379 * convert the general ipsec mode to the one defined in ipsec.h
380 */
381 static u_int8_t mode2kernel(ipsec_mode_t mode)
382 {
383 switch (mode)
384 {
385 case MODE_TRANSPORT:
386 return IPSEC_MODE_TRANSPORT;
387 case MODE_TUNNEL:
388 return IPSEC_MODE_TUNNEL;
389 case MODE_BEET:
390 return IPSEC_MODE_BEET;
391 default:
392 return mode;
393 }
394 }
395
396 /**
397 * convert the general policy direction to the one defined in ipsec.h
398 */
399 static u_int8_t dir2kernel(policy_dir_t dir)
400 {
401 switch (dir)
402 {
403 case POLICY_IN:
404 return IPSEC_DIR_INBOUND;
405 case POLICY_OUT:
406 return IPSEC_DIR_OUTBOUND;
407 case POLICY_FWD:
408 return IPSEC_DIR_FWD;
409 default:
410 return dir;
411 }
412 }
413
414 /**
415 * convert the policy direction in ipsec.h to the general one.
416 */
417 static policy_dir_t kernel2dir(u_int8_t dir)
418 {
419 switch (dir)
420 {
421 case IPSEC_DIR_INBOUND:
422 return POLICY_IN;
423 case IPSEC_DIR_OUTBOUND:
424 return POLICY_OUT;
425 case IPSEC_DIR_FWD:
426 return POLICY_FWD;
427 default:
428 return dir;
429 }
430 }
431 typedef struct kernel_algorithm_t kernel_algorithm_t;
432
433 /**
434 * Mapping of IKEv2 algorithms to PF_KEY algorithms
435 */
436 struct kernel_algorithm_t {
437 /**
438 * Identifier specified in IKEv2
439 */
440 int ikev2;
441
442 /**
443 * Identifier as defined in pfkeyv2.h
444 */
445 int kernel;
446 };
447
448 #define END_OF_LIST -1
449
450 /**
451 * Algorithms for encryption
452 */
453 static kernel_algorithm_t encryption_algs[] = {
454 /* {ENCR_DES_IV64, 0 }, */
455 {ENCR_DES, SADB_EALG_DESCBC },
456 {ENCR_3DES, SADB_EALG_3DESCBC },
457 /* {ENCR_RC5, 0 }, */
458 /* {ENCR_IDEA, 0 }, */
459 {ENCR_CAST, SADB_X_EALG_CASTCBC },
460 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
461 /* {ENCR_3IDEA, 0 }, */
462 /* {ENCR_DES_IV32, 0 }, */
463 {ENCR_NULL, SADB_EALG_NULL },
464 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
465 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
466 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
467 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
468 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
469 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
470 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
471 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
472 {END_OF_LIST, 0 },
473 };
474
475 /**
476 * Algorithms for integrity protection
477 */
478 static kernel_algorithm_t integrity_algs[] = {
479 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
480 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
481 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
482 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
483 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
484 /* {AUTH_DES_MAC, 0, }, */
485 /* {AUTH_KPDK_MD5, 0, }, */
486 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
487 {END_OF_LIST, 0, },
488 };
489
490 /**
491 * Algorithms for IPComp
492 */
493 static kernel_algorithm_t compression_algs[] = {
494 /* {IPCOMP_OUI, 0 }, */
495 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
496 {IPCOMP_LZS, SADB_X_CALG_LZS },
497 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
498 {END_OF_LIST, 0 },
499 };
500
501 /**
502 * Look up a kernel algorithm ID and its key size
503 */
504 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
505 {
506 while (list->ikev2 != END_OF_LIST)
507 {
508 if (ikev2 == list->ikev2)
509 {
510 return list->kernel;
511 }
512 list++;
513 }
514 return 0;
515 }
516
517 /**
518 * add a host behind a sadb_address extension
519 */
520 static void host2ext(host_t *host, struct sadb_address *ext)
521 {
522 sockaddr_t *host_addr = host->get_sockaddr(host);
523 socklen_t *len = host->get_sockaddr_len(host);
524 memcpy((char*)(ext + 1), host_addr, *len);
525 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
526 }
527
528 /**
529 * add udp encap extensions to a sadb_msg
530 */
531 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
532 {
533 struct sadb_x_nat_t_type* nat_type;
534 struct sadb_x_nat_t_port* nat_port;
535
536 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
537 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
538 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
539 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
540 PFKEY_EXT_ADD(msg, nat_type);
541
542 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
543 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
544 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
545 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
546 PFKEY_EXT_ADD(msg, nat_port);
547
548 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
549 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
550 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
551 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
552 PFKEY_EXT_ADD(msg, nat_port);
553 }
554
555 /**
556 * Convert a sadb_address to a traffic_selector
557 */
558 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
559 {
560 traffic_selector_t *ts;
561 host_t *host;
562
563 /* The Linux 2.6 kernel does not set the protocol and port information
564 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
565 */
566 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
567 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
568 address->sadb_address_proto, host->get_port(host));
569 host->destroy(host);
570 return ts;
571 }
572
573 /**
574 * Parses a pfkey message received from the kernel
575 */
576 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
577 {
578 struct sadb_ext* ext;
579 size_t len;
580
581 memset(out, 0, sizeof(pfkey_msg_t));
582 out->msg = msg;
583
584 len = msg->sadb_msg_len;
585 len -= PFKEY_LEN(sizeof(struct sadb_msg));
586
587 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
588
589 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
590 {
591 DBG2(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
592 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
593 ext->sadb_ext_len > len)
594 {
595 DBG1(DBG_KNL, "length of %N extension is invalid",
596 sadb_ext_type_names, ext->sadb_ext_type);
597 break;
598 }
599
600 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
601 {
602 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
603 break;
604 }
605
606 if (out->ext[ext->sadb_ext_type])
607 {
608 DBG1(DBG_KNL, "duplicate %N extension",
609 sadb_ext_type_names, ext->sadb_ext_type);
610 break;
611 }
612
613 out->ext[ext->sadb_ext_type] = ext;
614 ext = PFKEY_EXT_NEXT_LEN(ext, len);
615 }
616
617 if (len)
618 {
619 DBG1(DBG_KNL, "PF_KEY message length is invalid");
620 return FAILED;
621 }
622
623 return SUCCESS;
624 }
625
626 /**
627 * Send a message to a specific PF_KEY socket and handle the response.
628 */
629 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
630 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
631 {
632 unsigned char buf[PFKEY_BUFFER_SIZE];
633 struct sadb_msg *msg;
634 int in_len, len;
635
636 this->mutex_pfkey->lock(this->mutex_pfkey);
637
638 in->sadb_msg_seq = ++this->seq;
639 in->sadb_msg_pid = getpid();
640
641 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
642
643 while (TRUE)
644 {
645 len = send(socket, in, in_len, 0);
646
647 if (len != in_len)
648 {
649 if (errno == EINTR)
650 {
651 /* interrupted, try again */
652 continue;
653 }
654 this->mutex_pfkey->unlock(this->mutex_pfkey);
655 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
656 return FAILED;
657 }
658 break;
659 }
660
661 while (TRUE)
662 {
663 msg = (struct sadb_msg*)buf;
664
665 len = recv(socket, buf, sizeof(buf), 0);
666
667 if (len < 0)
668 {
669 if (errno == EINTR)
670 {
671 DBG1(DBG_KNL, "got interrupted");
672 /* interrupted, try again */
673 continue;
674 }
675 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
676 this->mutex_pfkey->unlock(this->mutex_pfkey);
677 return FAILED;
678 }
679 if (len < sizeof(struct sadb_msg) ||
680 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
681 {
682 DBG1(DBG_KNL, "received corrupted PF_KEY message");
683 this->mutex_pfkey->unlock(this->mutex_pfkey);
684 return FAILED;
685 }
686 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
687 {
688 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
689 this->mutex_pfkey->unlock(this->mutex_pfkey);
690 return FAILED;
691 }
692 if (msg->sadb_msg_pid != in->sadb_msg_pid)
693 {
694 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
695 continue;
696 }
697 if (msg->sadb_msg_seq != this->seq)
698 {
699 DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
700 "was %d expected %d", msg->sadb_msg_seq, this->seq);
701 if (msg->sadb_msg_seq < this->seq)
702 {
703 continue;
704 }
705 this->mutex_pfkey->unlock(this->mutex_pfkey);
706 return FAILED;
707 }
708 if (msg->sadb_msg_type != in->sadb_msg_type)
709 {
710 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
711 "was %d expected %d, ignoring",
712 msg->sadb_msg_type, in->sadb_msg_type);
713 }
714 break;
715 }
716
717 *out_len = len;
718 *out = (struct sadb_msg*)malloc(len);
719 memcpy(*out, buf, len);
720
721 this->mutex_pfkey->unlock(this->mutex_pfkey);
722
723 return SUCCESS;
724 }
725
726 /**
727 * Send a message to the default PF_KEY socket and handle the response.
728 */
729 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
730 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
731 {
732 return pfkey_send_socket(this, this->socket, in, out, out_len);
733 }
734
735 /**
736 * Process a SADB_ACQUIRE message from the kernel
737 */
738 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
739 {
740 pfkey_msg_t response;
741 u_int32_t index, reqid = 0;
742 traffic_selector_t *src_ts, *dst_ts;
743 policy_entry_t *policy;
744 job_t *job;
745
746 switch (msg->sadb_msg_satype)
747 {
748 case SADB_SATYPE_UNSPEC:
749 case SADB_SATYPE_ESP:
750 case SADB_SATYPE_AH:
751 break;
752 default:
753 /* acquire for AH/ESP only */
754 return;
755 }
756 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
757
758 if (parse_pfkey_message(msg, &response) != SUCCESS)
759 {
760 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
761 return;
762 }
763
764 index = response.x_policy->sadb_x_policy_id;
765 this->mutex->lock(this->mutex);
766 if (this->policies->find_first(this->policies,
767 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
768 {
769 reqid = policy->reqid;
770 }
771 else
772 {
773 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
774 index);
775 }
776 src_ts = sadb_address2ts(response.src);
777 dst_ts = sadb_address2ts(response.dst);
778 this->mutex->unlock(this->mutex);
779
780 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
781 src_ts, dst_ts, reqid);
782 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
783 charon->processor->queue_job(charon->processor, job);
784 }
785
786 /**
787 * Process a SADB_EXPIRE message from the kernel
788 */
789 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
790 {
791 pfkey_msg_t response;
792 protocol_id_t protocol;
793 u_int32_t spi, reqid;
794 bool hard;
795 job_t *job;
796
797 DBG2(DBG_KNL, "received an SADB_EXPIRE");
798
799 if (parse_pfkey_message(msg, &response) != SUCCESS)
800 {
801 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
802 return;
803 }
804
805 protocol = proto_satype2ike(msg->sadb_msg_satype);
806 spi = response.sa->sadb_sa_spi;
807 reqid = response.x_sa2->sadb_x_sa2_reqid;
808 hard = response.lft_hard != NULL;
809
810 if (protocol != PROTO_ESP && protocol != PROTO_AH)
811 {
812 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
813 "which is not a CHILD_SA", ntohl(spi), reqid);
814 return;
815 }
816
817 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
818 hard ? "delete" : "rekey", protocol_id_names,
819 protocol, ntohl(spi), reqid);
820 if (hard)
821 {
822 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
823 }
824 else
825 {
826 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
827 }
828 charon->processor->queue_job(charon->processor, job);
829 }
830
831 /**
832 * Process a SADB_MIGRATE message from the kernel
833 */
834 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
835 {
836 pfkey_msg_t response;
837 sockaddr_t *local_addr, *remote_addr;
838 traffic_selector_t *src_ts, *dst_ts;
839 policy_dir_t dir;
840 u_int32_t local_len, reqid = 0;
841 host_t *local, *remote;
842 job_t *job;
843
844 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
845
846 if (parse_pfkey_message(msg, &response) != SUCCESS)
847 {
848 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
849 return;
850 }
851 src_ts = sadb_address2ts(response.src);
852 dst_ts = sadb_address2ts(response.dst);
853 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
854 local = host_create_from_sockaddr(local_addr);
855 local_len = (local_addr->sa_family == AF_INET6)?
856 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
857 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
858 remote = host_create_from_sockaddr(remote_addr);
859 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
860 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
861 policy_dir_names, dir, response.x_policy->sadb_x_policy_id);
862 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
863
864 if (src_ts && dst_ts)
865 {
866 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
867 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
868 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
869 local, remote);
870 charon->processor->queue_job(charon->processor, job);
871 }
872 else
873 {
874 DESTROY_IF(src_ts);
875 DESTROY_IF(dst_ts);
876 DESTROY_IF(local);
877 DESTROY_IF(remote);
878 }
879 }
880
881 /**
882 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
883 */
884 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
885 {
886 pfkey_msg_t response;
887 u_int32_t spi, reqid;
888 host_t *host;
889 job_t *job;
890
891 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
892
893 if (parse_pfkey_message(msg, &response) != SUCCESS)
894 {
895 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
896 return;
897 }
898
899 if (!response.x_sa2)
900 {
901 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
902 return;
903 }
904
905 spi = response.sa->sadb_sa_spi;
906 reqid = response.x_sa2->sadb_x_sa2_reqid;
907
908 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
909 {
910 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
911 switch (sa->sa_family)
912 {
913 case AF_INET:
914 {
915 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
916 sin->sin_port = response.x_natt_dport->sadb_x_nat_t_port_port;
917 }
918 case AF_INET6:
919 {
920 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
921 sin6->sin6_port = response.x_natt_dport->sadb_x_nat_t_port_port;
922 }
923 default:
924 break;
925 }
926 host = host_create_from_sockaddr(sa);
927 if (host)
928 {
929 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
930 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
931 job = (job_t*)update_sa_job_create(reqid, host);
932 charon->processor->queue_job(charon->processor, job);
933 }
934 }
935 }
936
937 /**
938 * Receives events from kernel
939 */
940 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
941 {
942 unsigned char buf[PFKEY_BUFFER_SIZE];
943 struct sadb_msg *msg = (struct sadb_msg*)buf;
944 int len, oldstate;
945
946 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
947 len = recv(this->socket_events, buf, sizeof(buf), 0);
948 pthread_setcancelstate(oldstate, NULL);
949
950 if (len < 0)
951 {
952 switch (errno)
953 {
954 case EINTR:
955 /* interrupted, try again */
956 return JOB_REQUEUE_DIRECT;
957 case EAGAIN:
958 /* no data ready, select again */
959 return JOB_REQUEUE_DIRECT;
960 default:
961 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
962 sleep(1);
963 return JOB_REQUEUE_FAIR;
964 }
965 }
966
967 if (len < sizeof(struct sadb_msg) ||
968 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
969 {
970 DBG2(DBG_KNL, "received corrupted PF_KEY message");
971 return JOB_REQUEUE_DIRECT;
972 }
973 if (msg->sadb_msg_pid != 0)
974 { /* not from kernel. not interested, try another one */
975 return JOB_REQUEUE_DIRECT;
976 }
977 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
978 {
979 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
980 return JOB_REQUEUE_DIRECT;
981 }
982
983 switch (msg->sadb_msg_type)
984 {
985 case SADB_ACQUIRE:
986 process_acquire(this, msg);
987 break;
988 case SADB_EXPIRE:
989 process_expire(this, msg);
990 break;
991 case SADB_X_MIGRATE:
992 process_migrate(this, msg);
993 break;
994 case SADB_X_NAT_T_NEW_MAPPING:
995 process_mapping(this, msg);
996 break;
997 default:
998 break;
999 }
1000
1001 return JOB_REQUEUE_DIRECT;
1002 }
1003
1004 /**
1005 * Implementation of kernel_interface_t.get_spi.
1006 */
1007 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
1008 host_t *src, host_t *dst,
1009 protocol_id_t protocol, u_int32_t reqid,
1010 u_int32_t *spi)
1011 {
1012 unsigned char request[PFKEY_BUFFER_SIZE];
1013 struct sadb_msg *msg, *out;
1014 struct sadb_x_sa2 *sa2;
1015 struct sadb_address *addr;
1016 struct sadb_spirange *range;
1017 pfkey_msg_t response;
1018 u_int32_t received_spi = 0;
1019 size_t len;
1020
1021 memset(&request, 0, sizeof(request));
1022
1023 msg = (struct sadb_msg*)request;
1024 msg->sadb_msg_version = PF_KEY_V2;
1025 msg->sadb_msg_type = SADB_GETSPI;
1026 msg->sadb_msg_satype = proto_ike2satype(protocol);
1027 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1028
1029 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1030 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1031 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1032 sa2->sadb_x_sa2_reqid = reqid;
1033 PFKEY_EXT_ADD(msg, sa2);
1034
1035 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1036 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1037 host2ext(src, addr);
1038 PFKEY_EXT_ADD(msg, addr);
1039
1040 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1041 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1042 host2ext(dst, addr);
1043 PFKEY_EXT_ADD(msg, addr);
1044
1045 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1046 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1047 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1048 range->sadb_spirange_min = 0xc0000000;
1049 range->sadb_spirange_max = 0xcFFFFFFF;
1050 PFKEY_EXT_ADD(msg, range);
1051
1052 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1053 {
1054 if (out->sadb_msg_errno)
1055 {
1056 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1057 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1058 }
1059 else if (parse_pfkey_message(out, &response) == SUCCESS)
1060 {
1061 received_spi = response.sa->sadb_sa_spi;
1062 }
1063 free(out);
1064 }
1065
1066 if (received_spi == 0)
1067 {
1068 return FAILED;
1069 }
1070
1071 *spi = received_spi;
1072 return SUCCESS;
1073 }
1074
1075 /**
1076 * Implementation of kernel_interface_t.get_cpi.
1077 */
1078 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
1079 host_t *src, host_t *dst,
1080 u_int32_t reqid, u_int16_t *cpi)
1081 {
1082 return FAILED;
1083 }
1084
1085 /**
1086 * Implementation of kernel_interface_t.add_sa.
1087 */
1088 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
1089 host_t *src, host_t *dst, u_int32_t spi,
1090 protocol_id_t protocol, u_int32_t reqid,
1091 u_int64_t expire_soft, u_int64_t expire_hard,
1092 u_int16_t enc_alg, chunk_t enc_key,
1093 u_int16_t int_alg, chunk_t int_key,
1094 ipsec_mode_t mode, u_int16_t ipcomp, bool encap,
1095 bool replace)
1096 {
1097 unsigned char request[PFKEY_BUFFER_SIZE];
1098 struct sadb_msg *msg, *out;
1099 struct sadb_sa *sa;
1100 struct sadb_x_sa2 *sa2;
1101 struct sadb_address *addr;
1102 struct sadb_lifetime *lft;
1103 struct sadb_key *key;
1104 size_t len;
1105
1106 memset(&request, 0, sizeof(request));
1107
1108 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1109
1110 msg = (struct sadb_msg*)request;
1111 msg->sadb_msg_version = PF_KEY_V2;
1112 msg->sadb_msg_type = replace ? SADB_UPDATE : SADB_ADD;
1113 msg->sadb_msg_satype = proto_ike2satype(protocol);
1114 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1115
1116 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1117 sa->sadb_sa_exttype = SADB_EXT_SA;
1118 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1119 sa->sadb_sa_spi = spi;
1120 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1121 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1122 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1123 PFKEY_EXT_ADD(msg, sa);
1124
1125 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1126 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1127 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1128 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1129 sa2->sadb_x_sa2_reqid = reqid;
1130 PFKEY_EXT_ADD(msg, sa2);
1131
1132 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1133 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1134 host2ext(src, addr);
1135 PFKEY_EXT_ADD(msg, addr);
1136
1137 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1138 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1139 host2ext(dst, addr);
1140 PFKEY_EXT_ADD(msg, addr);
1141
1142 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1143 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1144 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1145 lft->sadb_lifetime_addtime = expire_soft;
1146 PFKEY_EXT_ADD(msg, lft);
1147
1148 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1149 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1150 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1151 lft->sadb_lifetime_addtime = expire_hard;
1152 PFKEY_EXT_ADD(msg, lft);
1153
1154 if (enc_alg != ENCR_UNDEFINED)
1155 {
1156 if (!sa->sadb_sa_encrypt)
1157 {
1158 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1159 encryption_algorithm_names, enc_alg);
1160 return FAILED;
1161 }
1162 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1163 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1164
1165 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1166 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1167 key->sadb_key_bits = enc_key.len * 8;
1168 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1169 memcpy(key + 1, enc_key.ptr, enc_key.len);
1170
1171 PFKEY_EXT_ADD(msg, key);
1172 }
1173
1174 if (int_alg != AUTH_UNDEFINED)
1175 {
1176 if (!sa->sadb_sa_auth)
1177 {
1178 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1179 integrity_algorithm_names, int_alg);
1180 return FAILED;
1181 }
1182 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1183 integrity_algorithm_names, int_alg, int_key.len * 8);
1184
1185 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1186 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1187 key->sadb_key_bits = int_key.len * 8;
1188 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1189 memcpy(key + 1, int_key.ptr, int_key.len);
1190
1191 PFKEY_EXT_ADD(msg, key);
1192 }
1193
1194 if (ipcomp != IPCOMP_NONE)
1195 {
1196 /*TODO*/
1197 }
1198
1199 if (encap)
1200 {
1201 add_encap_ext(msg, src, dst);
1202 }
1203
1204 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1205 {
1206 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1207 return FAILED;
1208 }
1209 else if (out->sadb_msg_errno)
1210 {
1211 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1212 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1213 free(out);
1214 return FAILED;
1215 }
1216
1217 free(out);
1218 return SUCCESS;
1219 }
1220
1221 /**
1222 * Implementation of kernel_interface_t.update_sa.
1223 */
1224 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1225 u_int32_t spi, protocol_id_t protocol,
1226 host_t *src, host_t *dst,
1227 host_t *new_src, host_t *new_dst, bool encap)
1228 {
1229 unsigned char request[PFKEY_BUFFER_SIZE];
1230 struct sadb_msg *msg, *out;
1231 struct sadb_sa *sa;
1232 struct sadb_address *addr;
1233 pfkey_msg_t response;
1234 size_t len;
1235
1236 memset(&request, 0, sizeof(request));
1237
1238 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1239
1240 msg = (struct sadb_msg*)request;
1241 msg->sadb_msg_version = PF_KEY_V2;
1242 msg->sadb_msg_type = SADB_GET;
1243 msg->sadb_msg_satype = proto_ike2satype(protocol);
1244 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1245
1246 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1247 sa->sadb_sa_exttype = SADB_EXT_SA;
1248 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1249 sa->sadb_sa_spi = spi;
1250 PFKEY_EXT_ADD(msg, sa);
1251
1252 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1253 * it is not used for anything, so we just send dst twice */
1254 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1255 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1256 host2ext(dst, addr);
1257 PFKEY_EXT_ADD(msg, addr);
1258
1259 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1260 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1261 host2ext(dst, addr);
1262 PFKEY_EXT_ADD(msg, addr);
1263
1264 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1265 {
1266 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1267 ntohl(spi));
1268 return FAILED;
1269 }
1270 else if (out->sadb_msg_errno)
1271 {
1272 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1273 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1274 free(out);
1275 return FAILED;
1276 }
1277 else if (parse_pfkey_message(out, &response) != SUCCESS)
1278 {
1279 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1280 "from kernel failed", ntohl(spi));
1281 free(out);
1282 return FAILED;
1283 }
1284
1285 /* delete the old SA */
1286 if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
1287 {
1288 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1289 free(out);
1290 return FAILED;
1291 }
1292
1293 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1294 ntohl(spi), src, dst, new_src, new_dst);
1295
1296 memset(&request, 0, sizeof(request));
1297
1298 msg = (struct sadb_msg*)request;
1299 msg->sadb_msg_version = PF_KEY_V2;
1300 msg->sadb_msg_type = SADB_ADD;
1301 msg->sadb_msg_satype = proto_ike2satype(protocol);
1302 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1303
1304 PFKEY_EXT_COPY(msg, response.sa);
1305 PFKEY_EXT_COPY(msg, response.x_sa2);
1306
1307 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1308 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1309 host2ext(new_src, addr);
1310 PFKEY_EXT_ADD(msg, addr);
1311
1312 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1313 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1314 host2ext(new_dst, addr);
1315 PFKEY_EXT_ADD(msg, addr);
1316
1317 PFKEY_EXT_COPY(msg, response.lft_soft);
1318 PFKEY_EXT_COPY(msg, response.lft_hard);
1319
1320 if (response.key_encr)
1321 {
1322 PFKEY_EXT_COPY(msg, response.key_encr);
1323 }
1324
1325 if (response.key_auth)
1326 {
1327 PFKEY_EXT_COPY(msg, response.key_auth);
1328 }
1329
1330 if (encap)
1331 {
1332 add_encap_ext(msg, new_src, new_dst);
1333 }
1334
1335 free(out);
1336
1337 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1338 {
1339 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1340 return FAILED;
1341 }
1342 else if (out->sadb_msg_errno)
1343 {
1344 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1345 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1346 free(out);
1347 return FAILED;
1348 }
1349 free(out);
1350
1351 return SUCCESS;
1352 }
1353
1354 /**
1355 * Implementation of kernel_interface_t.del_sa.
1356 */
1357 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
1358 u_int32_t spi, protocol_id_t protocol)
1359 {
1360 unsigned char request[PFKEY_BUFFER_SIZE];
1361 struct sadb_msg *msg, *out;
1362 struct sadb_sa *sa;
1363 struct sadb_address *addr;
1364 size_t len;
1365
1366 memset(&request, 0, sizeof(request));
1367
1368 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1369
1370 msg = (struct sadb_msg*)request;
1371 msg->sadb_msg_version = PF_KEY_V2;
1372 msg->sadb_msg_type = SADB_DELETE;
1373 msg->sadb_msg_satype = proto_ike2satype(protocol);
1374 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1375
1376 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1377 sa->sadb_sa_exttype = SADB_EXT_SA;
1378 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1379 sa->sadb_sa_spi = spi;
1380 PFKEY_EXT_ADD(msg, sa);
1381
1382 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1383 * it is not used for anything, so we just send dst twice */
1384 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1385 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1386 host2ext(dst, addr);
1387 PFKEY_EXT_ADD(msg, addr);
1388
1389 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1390 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1391 host2ext(dst, addr);
1392 PFKEY_EXT_ADD(msg, addr);
1393
1394 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1395 {
1396 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1397 return FAILED;
1398 }
1399 else if (out->sadb_msg_errno)
1400 {
1401 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1402 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1403 free(out);
1404 return FAILED;
1405 }
1406
1407 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1408 free(out);
1409 return SUCCESS;
1410 }
1411
1412 /**
1413 * Implementation of kernel_interface_t.add_policy.
1414 */
1415 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1416 host_t *src, host_t *dst,
1417 traffic_selector_t *src_ts,
1418 traffic_selector_t *dst_ts,
1419 policy_dir_t direction, protocol_id_t protocol,
1420 u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
1421 u_int16_t ipcomp)
1422 {
1423 unsigned char request[PFKEY_BUFFER_SIZE];
1424 struct sadb_msg *msg, *out;
1425 struct sadb_x_policy *pol;
1426 struct sadb_address *addr;
1427 struct sadb_x_ipsecrequest *req;
1428 policy_entry_t *policy, *found = NULL;
1429 pfkey_msg_t response;
1430 size_t len;
1431
1432 /* create a policy */
1433 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1434
1435 /* find a matching policy */
1436 this->mutex->lock(this->mutex);
1437 if (this->policies->find_first(this->policies,
1438 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1439 {
1440 /* use existing policy */
1441 found->refcount++;
1442 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1443 "refcount", src_ts, dst_ts,
1444 policy_dir_names, direction);
1445 policy_entry_destroy(policy);
1446 policy = found;
1447 }
1448 else
1449 {
1450 /* apply the new one, if we have no such policy */
1451 this->policies->insert_last(this->policies, policy);
1452 policy->refcount = 1;
1453 }
1454
1455 memset(&request, 0, sizeof(request));
1456
1457 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1458 policy_dir_names, direction);
1459
1460 msg = (struct sadb_msg*)request;
1461 msg->sadb_msg_version = PF_KEY_V2;
1462 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1463 msg->sadb_msg_satype = 0;
1464 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1465
1466 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1467 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1468 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1469 pol->sadb_x_policy_id = 0;
1470 pol->sadb_x_policy_dir = dir2kernel(direction);
1471 /* calculate priority based on source selector size, small size = high prio */
1472 pol->sadb_x_policy_priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1473 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1474 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1475 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1476 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1477
1478 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1479 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1480 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1481 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1482 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1483 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1484 req->sadb_x_ipsecrequest_reqid = reqid;
1485 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1486 if (mode == MODE_TUNNEL)
1487 {
1488 sockaddr_t *sa;
1489 socklen_t sl;
1490 sa = src->get_sockaddr(src);
1491 sl = *src->get_sockaddr_len(src);
1492 memcpy(req + 1, sa, sl);
1493 sa = dst->get_sockaddr(dst);
1494 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1495 req->sadb_x_ipsecrequest_len += sl * 2;
1496 }
1497
1498 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1499 PFKEY_EXT_ADD(msg, pol);
1500
1501 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1502 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1503 addr->sadb_address_proto = policy->src.proto;
1504 addr->sadb_address_prefixlen = policy->src.mask;
1505 host2ext(policy->src.net, addr);
1506 PFKEY_EXT_ADD(msg, addr);
1507
1508 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1509 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1510 addr->sadb_address_proto = policy->dst.proto;
1511 addr->sadb_address_prefixlen = policy->dst.mask;
1512 host2ext(policy->dst.net, addr);
1513 PFKEY_EXT_ADD(msg, addr);
1514
1515 this->mutex->unlock(this->mutex);
1516
1517 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1518 {
1519 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1520 policy_dir_names, direction);
1521 return FAILED;
1522 }
1523 else if (out->sadb_msg_errno)
1524 {
1525 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1526 policy_dir_names, direction,
1527 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1528 free(out);
1529 return FAILED;
1530 }
1531 else if (parse_pfkey_message(out, &response) != SUCCESS)
1532 {
1533 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1534 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1535 free(out);
1536 return FAILED;
1537 }
1538
1539 this->mutex->lock(this->mutex);
1540
1541 /* we try to find the policy again and update the kernel index */
1542 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1543 {
1544 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1545 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1546 this->mutex->unlock(this->mutex);
1547 free(out);
1548 return SUCCESS;
1549 }
1550 policy->index = response.x_policy->sadb_x_policy_id;
1551 free(out);
1552
1553 /* install a route, if:
1554 * - we are NOT updating a policy
1555 * - this is a forward policy (to just get one for each child)
1556 * - we are in tunnel mode
1557 * - we are not using IPv6 (does not work correctly yet!)
1558 * - routing is not disabled via strongswan.conf
1559 */
1560 if (policy->route == NULL && direction == POLICY_FWD &&
1561 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1562 this->install_routes)
1563 {
1564 route_entry_t *route = malloc_thing(route_entry_t);
1565
1566 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1567 dst_ts, &route->src_ip) == SUCCESS)
1568 {
1569 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1570 route->gateway = charon->kernel_interface->get_nexthop(
1571 charon->kernel_interface, src);
1572 route->if_name = charon->kernel_interface->get_interface(
1573 charon->kernel_interface, dst);
1574 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1575 route->prefixlen = policy->src.mask;
1576
1577 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1578 route->dst_net, route->prefixlen, route->gateway,
1579 route->src_ip, route->if_name))
1580 {
1581 default:
1582 DBG1(DBG_KNL, "unable to install source route for %H",
1583 route->src_ip);
1584 /* FALL */
1585 case ALREADY_DONE:
1586 /* route exists, do not uninstall */
1587 route_entry_destroy(route);
1588 break;
1589 case SUCCESS:
1590 /* cache the installed route */
1591 policy->route = route;
1592 break;
1593 }
1594 }
1595 else
1596 {
1597 free(route);
1598 }
1599 }
1600
1601 this->mutex->unlock(this->mutex);
1602
1603 return SUCCESS;
1604 }
1605
1606 /**
1607 * Implementation of kernel_interface_t.query_policy.
1608 */
1609 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1610 traffic_selector_t *src_ts,
1611 traffic_selector_t *dst_ts,
1612 policy_dir_t direction, u_int32_t *use_time)
1613 {
1614 unsigned char request[PFKEY_BUFFER_SIZE];
1615 struct sadb_msg *msg, *out;
1616 struct sadb_x_policy *pol;
1617 struct sadb_address *addr;
1618 policy_entry_t *policy, *found = NULL;
1619 pfkey_msg_t response;
1620 size_t len;
1621
1622 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1623 policy_dir_names, direction);
1624
1625 /* create a policy */
1626 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1627
1628 /* find a matching policy */
1629 this->mutex->lock(this->mutex);
1630 if (this->policies->find_first(this->policies,
1631 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1632 {
1633 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1634 dst_ts, policy_dir_names, direction);
1635 policy_entry_destroy(policy);
1636 this->mutex->unlock(this->mutex);
1637 return NOT_FOUND;
1638 }
1639 policy_entry_destroy(policy);
1640 policy = found;
1641
1642 memset(&request, 0, sizeof(request));
1643
1644 msg = (struct sadb_msg*)request;
1645 msg->sadb_msg_version = PF_KEY_V2;
1646 msg->sadb_msg_type = SADB_X_SPDGET;
1647 msg->sadb_msg_satype = 0;
1648 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1649
1650 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1651 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1652 pol->sadb_x_policy_id = policy->index;
1653 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1654 pol->sadb_x_policy_dir = dir2kernel(direction);
1655 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1656 PFKEY_EXT_ADD(msg, pol);
1657
1658 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1659 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1660 addr->sadb_address_proto = policy->src.proto;
1661 addr->sadb_address_prefixlen = policy->src.mask;
1662 host2ext(policy->src.net, addr);
1663 PFKEY_EXT_ADD(msg, addr);
1664
1665 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1666 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1667 addr->sadb_address_proto = policy->dst.proto;
1668 addr->sadb_address_prefixlen = policy->dst.mask;
1669 host2ext(policy->dst.net, addr);
1670 PFKEY_EXT_ADD(msg, addr);
1671
1672 this->mutex->unlock(this->mutex);
1673
1674 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1675 {
1676 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1677 policy_dir_names, direction);
1678 return FAILED;
1679 }
1680 else if (out->sadb_msg_errno)
1681 {
1682 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1683 dst_ts, policy_dir_names, direction,
1684 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1685 free(out);
1686 return FAILED;
1687 }
1688 else if (parse_pfkey_message(out, &response) != SUCCESS)
1689 {
1690 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1691 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1692 free(out);
1693 return FAILED;
1694 }
1695
1696 *use_time = response.lft_current->sadb_lifetime_usetime;
1697
1698 free(out);
1699
1700 return SUCCESS;
1701 }
1702
1703 /**
1704 * Implementation of kernel_interface_t.del_policy.
1705 */
1706 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1707 traffic_selector_t *src_ts,
1708 traffic_selector_t *dst_ts,
1709 policy_dir_t direction)
1710 {
1711 unsigned char request[PFKEY_BUFFER_SIZE];
1712 struct sadb_msg *msg, *out;
1713 struct sadb_x_policy *pol;
1714 struct sadb_address *addr;
1715 policy_entry_t *policy, *found = NULL;
1716 route_entry_t *route;
1717 size_t len;
1718
1719 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1720 policy_dir_names, direction);
1721
1722 /* create a policy */
1723 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1724
1725 /* find a matching policy */
1726 this->mutex->lock(this->mutex);
1727 if (this->policies->find_first(this->policies,
1728 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1729 {
1730 if (--found->refcount > 0)
1731 {
1732 /* is used by more SAs, keep in kernel */
1733 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1734 policy_entry_destroy(policy);
1735 this->mutex->unlock(this->mutex);
1736 return SUCCESS;
1737 }
1738 /* remove if last reference */
1739 this->policies->remove(this->policies, found, NULL);
1740 policy_entry_destroy(policy);
1741 policy = found;
1742 }
1743 else
1744 {
1745 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1746 dst_ts, policy_dir_names, direction);
1747 policy_entry_destroy(policy);
1748 this->mutex->unlock(this->mutex);
1749 return NOT_FOUND;
1750 }
1751 this->mutex->unlock(this->mutex);
1752
1753 memset(&request, 0, sizeof(request));
1754
1755 msg = (struct sadb_msg*)request;
1756 msg->sadb_msg_version = PF_KEY_V2;
1757 msg->sadb_msg_type = SADB_X_SPDDELETE;
1758 msg->sadb_msg_satype = 0;
1759 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1760
1761 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1762 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1763 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1764 pol->sadb_x_policy_dir = dir2kernel(direction);
1765 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1766 PFKEY_EXT_ADD(msg, pol);
1767
1768 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1769 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1770 addr->sadb_address_proto = policy->src.proto;
1771 addr->sadb_address_prefixlen = policy->src.mask;
1772 host2ext(policy->src.net, addr);
1773 PFKEY_EXT_ADD(msg, addr);
1774
1775 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1776 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1777 addr->sadb_address_proto = policy->dst.proto;
1778 addr->sadb_address_prefixlen = policy->dst.mask;
1779 host2ext(policy->dst.net, addr);
1780 PFKEY_EXT_ADD(msg, addr);
1781
1782 route = policy->route;
1783 policy->route = NULL;
1784 policy_entry_destroy(policy);
1785
1786 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1787 {
1788 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1789 policy_dir_names, direction);
1790 return FAILED;
1791 }
1792 else if (out->sadb_msg_errno)
1793 {
1794 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
1795 dst_ts, policy_dir_names, direction,
1796 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1797 free(out);
1798 return FAILED;
1799 }
1800 free(out);
1801
1802 if (route)
1803 {
1804 if (charon->kernel_interface->del_route(charon->kernel_interface,
1805 route->dst_net, route->prefixlen, route->gateway,
1806 route->src_ip, route->if_name) != SUCCESS)
1807 {
1808 DBG1(DBG_KNL, "error uninstalling route installed with "
1809 "policy %R === %R %N", src_ts, dst_ts,
1810 policy_dir_names, direction);
1811 }
1812 route_entry_destroy(route);
1813 }
1814
1815 return SUCCESS;
1816 }
1817
1818 /**
1819 * Register a socket for AQUIRE/EXPIRE messages
1820 */
1821 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
1822 {
1823 unsigned char request[PFKEY_BUFFER_SIZE];
1824 struct sadb_msg *msg, *out;
1825 size_t len;
1826
1827 memset(&request, 0, sizeof(request));
1828
1829 msg = (struct sadb_msg*)request;
1830 msg->sadb_msg_version = PF_KEY_V2;
1831 msg->sadb_msg_type = SADB_REGISTER;
1832 msg->sadb_msg_satype = satype;
1833 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1834
1835 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
1836 {
1837 DBG1(DBG_KNL, "unable to register PF_KEY socket");
1838 return FAILED;
1839 }
1840 else if (out->sadb_msg_errno)
1841 {
1842 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
1843 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1844 free(out);
1845 return FAILED;
1846 }
1847 free(out);
1848 return SUCCESS;
1849 }
1850
1851 /**
1852 * Implementation of kernel_interface_t.destroy.
1853 */
1854 static void destroy(private_kernel_pfkey_ipsec_t *this)
1855 {
1856 this->job->cancel(this->job);
1857 close(this->socket);
1858 close(this->socket_events);
1859 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
1860 this->mutex->destroy(this->mutex);
1861 this->mutex_pfkey->destroy(this->mutex_pfkey);
1862 free(this);
1863 }
1864
1865 /*
1866 * Described in header.
1867 */
1868 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
1869 {
1870 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
1871
1872 /* public functions */
1873 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1874 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1875 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
1876 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
1877 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1878 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
1879 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1880 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1881
1882 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1883
1884 /* private members */
1885 this->policies = linked_list_create();
1886 this->mutex = mutex_create(MUTEX_DEFAULT);
1887 this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
1888 this->install_routes = lib->settings->get_bool(lib->settings,
1889 "charon.install_routes", TRUE);
1890 this->seq = 0;
1891
1892 /* create a PF_KEY socket to communicate with the kernel */
1893 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1894 if (this->socket <= 0)
1895 {
1896 charon->kill(charon, "unable to create PF_KEY socket");
1897 }
1898
1899 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
1900 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1901 if (this->socket_events <= 0)
1902 {
1903 charon->kill(charon, "unable to create PF_KEY event socket");
1904 }
1905
1906 /* register the event socket */
1907 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
1908 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
1909 {
1910 charon->kill(charon, "unable to register PF_KEY event socket");
1911 }
1912
1913 this->job = callback_job_create((callback_job_cb_t)receive_events,
1914 this, NULL, NULL);
1915 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1916
1917 return &this->public;
1918 }