1f2c6516def77a0308f3ddaa4b5f6065115fccbb
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * $Id$
17 */
18
19 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <stdint.h>
22 #include <linux/ipsec.h>
23 #include <linux/pfkeyv2.h>
24 #include <linux/udp.h>
25 #include <unistd.h>
26 #include <pthread.h>
27 #include <errno.h>
28
29 #include "kernel_pfkey_ipsec.h"
30
31 #include <daemon.h>
32 #include <utils/host.h>
33 #include <utils/mutex.h>
34 #include <processing/jobs/callback_job.h>
35 #include <processing/jobs/acquire_job.h>
36 #include <processing/jobs/migrate_job.h>
37 #include <processing/jobs/rekey_child_sa_job.h>
38 #include <processing/jobs/delete_child_sa_job.h>
39 #include <processing/jobs/update_sa_job.h>
40
41 /** from linux/in.h */
42 #ifndef IP_IPSEC_POLICY
43 #define IP_IPSEC_POLICY 16
44 #endif
45
46 /** default priority of installed policies */
47 #define PRIO_LOW 3000
48 #define PRIO_HIGH 2000
49
50 /** buffer size for PF_KEY messages */
51 #define PFKEY_BUFFER_SIZE 4096
52
53 /** PF_KEY messages are 64 bit aligned */
54 #define PFKEY_ALIGNMENT 8
55 /** aligns len to 64 bits */
56 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
57 /** calculates the properly padded length in 64 bit chunks */
58 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
59 /** calculates user mode length i.e. in bytes */
60 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
61
62 /** given a PF_KEY message header and an extension this updates the length in the header */
63 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
64 /** given a PF_KEY message header this returns a pointer to the next extension */
65 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
66 /** copy an extension and append it to a PF_KEY message */
67 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
68 /** given a PF_KEY extension this returns a pointer to the next extension */
69 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
70 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
71 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
72 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
73 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
74 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
75 (ext)->sadb_ext_len <= (len))
76
77 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
78
79 /**
80 * Private variables and functions of kernel_pfkey class.
81 */
82 struct private_kernel_pfkey_ipsec_t
83 {
84 /**
85 * Public part of the kernel_pfkey_t object.
86 */
87 kernel_pfkey_ipsec_t public;
88
89 /**
90 * mutex to lock access to various lists
91 */
92 mutex_t *mutex;
93
94 /**
95 * List of installed policies (policy_entry_t)
96 */
97 linked_list_t *policies;
98
99 /**
100 * whether to install routes along policies
101 */
102 bool install_routes;
103
104 /**
105 * job receiving PF_KEY events
106 */
107 callback_job_t *job;
108
109 /**
110 * mutex to lock access to the PF_KEY socket
111 */
112 mutex_t *mutex_pfkey;
113
114 /**
115 * PF_KEY socket to communicate with the kernel
116 */
117 int socket;
118
119 /**
120 * PF_KEY socket to receive acquire and expire events
121 */
122 int socket_events;
123
124 /**
125 * sequence number for messages sent to the kernel
126 */
127 int seq;
128 };
129
130 typedef struct route_entry_t route_entry_t;
131
132 /**
133 * installed routing entry
134 */
135 struct route_entry_t {
136 /** Name of the interface the route is bound to */
137 char *if_name;
138
139 /** Source ip of the route */
140 host_t *src_ip;
141
142 /** gateway for this route */
143 host_t *gateway;
144
145 /** Destination net */
146 chunk_t dst_net;
147
148 /** Destination net prefixlen */
149 u_int8_t prefixlen;
150 };
151
152 /**
153 * destroy an route_entry_t object
154 */
155 static void route_entry_destroy(route_entry_t *this)
156 {
157 free(this->if_name);
158 this->src_ip->destroy(this->src_ip);
159 this->gateway->destroy(this->gateway);
160 chunk_free(&this->dst_net);
161 free(this);
162 }
163
164 typedef struct policy_entry_t policy_entry_t;
165
166 /**
167 * installed kernel policy.
168 */
169 struct policy_entry_t {
170
171 /** reqid of this policy */
172 u_int32_t reqid;
173
174 /** index assigned by the kernel */
175 u_int32_t index;
176
177 /** direction of this policy: in, out, forward */
178 u_int8_t direction;
179
180 /** parameters of installed policy */
181 struct {
182 /** subnet and port */
183 host_t *net;
184 /** subnet mask */
185 u_int8_t mask;
186 /** protocol */
187 u_int8_t proto;
188 } src, dst;
189
190 /** associated route installed for this policy */
191 route_entry_t *route;
192
193 /** by how many CHILD_SA's this policy is used */
194 u_int refcount;
195 };
196
197 /**
198 * create a policy_entry_t object
199 */
200 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
201 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
202 {
203 policy_entry_t *policy = malloc_thing(policy_entry_t);
204 policy->reqid = reqid;
205 policy->index = 0;
206 policy->direction = dir;
207 policy->route = NULL;
208 policy->refcount = 0;
209
210 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
211 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
212
213 /* src or dest proto may be "any" (0), use more restrictive one */
214 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
215 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
216 policy->dst.proto = policy->src.proto;
217
218 return policy;
219 }
220
221 /**
222 * destroy a policy_entry_t object
223 */
224 static void policy_entry_destroy(policy_entry_t *this)
225 {
226 DESTROY_IF(this->src.net);
227 DESTROY_IF(this->dst.net);
228 if (this->route)
229 {
230 route_entry_destroy(this->route);
231 }
232 free(this);
233 }
234
235 /**
236 * compares two policy_entry_t
237 */
238 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
239 {
240 return current->direction == policy->direction &&
241 current->src.proto == policy->src.proto &&
242 current->dst.proto == policy->dst.proto &&
243 current->src.mask == policy->src.mask &&
244 current->dst.mask == policy->dst.mask &&
245 current->src.net->equals(current->src.net, policy->src.net) &&
246 current->dst.net->equals(current->dst.net, policy->dst.net);
247 }
248
249 /**
250 * compare the given kernel index with that of a policy
251 */
252 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
253 {
254 return current->index == *index;
255 }
256
257 typedef struct pfkey_msg_t pfkey_msg_t;
258
259 struct pfkey_msg_t
260 {
261 /**
262 * PF_KEY message base
263 */
264 struct sadb_msg *msg;
265
266
267 /**
268 * PF_KEY message extensions
269 */
270 union {
271 struct sadb_ext *ext[SADB_EXT_MAX + 1];
272 struct {
273 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
274 struct sadb_sa *sa; /* SADB_EXT_SA */
275 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
276 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
277 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
278 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
279 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
280 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
281 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
282 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
283 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
284 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
285 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
286 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
287 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
288 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
289 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
290 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
291 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
292 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
293 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
294 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
295 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
296 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
297 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
298 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
299 } __attribute__((__packed__));
300 };
301 };
302
303 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
304 "SADB_EXT_RESERVED",
305 "SADB_EXT_SA",
306 "SADB_EXT_LIFETIME_CURRENT",
307 "SADB_EXT_LIFETIME_HARD",
308 "SADB_EXT_LIFETIME_SOFT",
309 "SADB_EXT_ADDRESS_SRC",
310 "SADB_EXT_ADDRESS_DST",
311 "SADB_EXT_ADDRESS_PROXY",
312 "SADB_EXT_KEY_AUTH",
313 "SADB_EXT_KEY_ENCRYPT",
314 "SADB_EXT_IDENTITY_SRC",
315 "SADB_EXT_IDENTITY_DST",
316 "SADB_EXT_SENSITIVITY",
317 "SADB_EXT_PROPOSAL",
318 "SADB_EXT_SUPPORTED_AUTH",
319 "SADB_EXT_SUPPORTED_ENCRYPT",
320 "SADB_EXT_SPIRANGE",
321 "SADB_X_EXT_KMPRIVATE",
322 "SADB_X_EXT_POLICY",
323 "SADB_X_EXT_SA2",
324 "SADB_X_EXT_NAT_T_TYPE",
325 "SADB_X_EXT_NAT_T_SPORT",
326 "SADB_X_EXT_NAT_T_DPORT",
327 "SADB_X_EXT_NAT_T_OA",
328 "SADB_X_EXT_SEC_CTX",
329 "SADB_X_EXT_KMADDRESS"
330 );
331 /**
332 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
333 */
334 static u_int8_t proto_ike2satype(protocol_id_t proto)
335 {
336 switch (proto)
337 {
338 case PROTO_ESP:
339 return SADB_SATYPE_ESP;
340 case PROTO_AH:
341 return SADB_SATYPE_AH;
342 case IPPROTO_COMP:
343 return SADB_X_SATYPE_IPCOMP;
344 default:
345 return proto;
346 }
347 }
348
349 /**
350 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
351 */
352 static protocol_id_t proto_satype2ike(u_int8_t proto)
353 {
354 switch (proto)
355 {
356 case SADB_SATYPE_ESP:
357 return PROTO_ESP;
358 case SADB_SATYPE_AH:
359 return PROTO_AH;
360 case SADB_X_SATYPE_IPCOMP:
361 return IPPROTO_COMP;
362 default:
363 return proto;
364 }
365 }
366
367 /**
368 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
369 */
370 static u_int8_t proto_ike2ip(protocol_id_t proto)
371 {
372 switch (proto)
373 {
374 case PROTO_ESP:
375 return IPPROTO_ESP;
376 case PROTO_AH:
377 return IPPROTO_AH;
378 default:
379 return proto;
380 }
381 }
382
383 /**
384 * convert the general ipsec mode to the one defined in ipsec.h
385 */
386 static u_int8_t mode2kernel(ipsec_mode_t mode)
387 {
388 switch (mode)
389 {
390 case MODE_TRANSPORT:
391 return IPSEC_MODE_TRANSPORT;
392 case MODE_TUNNEL:
393 return IPSEC_MODE_TUNNEL;
394 case MODE_BEET:
395 return IPSEC_MODE_BEET;
396 default:
397 return mode;
398 }
399 }
400
401 /**
402 * convert the general policy direction to the one defined in ipsec.h
403 */
404 static u_int8_t dir2kernel(policy_dir_t dir)
405 {
406 switch (dir)
407 {
408 case POLICY_IN:
409 return IPSEC_DIR_INBOUND;
410 case POLICY_OUT:
411 return IPSEC_DIR_OUTBOUND;
412 case POLICY_FWD:
413 return IPSEC_DIR_FWD;
414 default:
415 return dir;
416 }
417 }
418
419 /**
420 * convert the policy direction in ipsec.h to the general one.
421 */
422 static policy_dir_t kernel2dir(u_int8_t dir)
423 {
424 switch (dir)
425 {
426 case IPSEC_DIR_INBOUND:
427 return POLICY_IN;
428 case IPSEC_DIR_OUTBOUND:
429 return POLICY_OUT;
430 case IPSEC_DIR_FWD:
431 return POLICY_FWD;
432 default:
433 return dir;
434 }
435 }
436 typedef struct kernel_algorithm_t kernel_algorithm_t;
437
438 /**
439 * Mapping of IKEv2 algorithms to PF_KEY algorithms
440 */
441 struct kernel_algorithm_t {
442 /**
443 * Identifier specified in IKEv2
444 */
445 int ikev2;
446
447 /**
448 * Identifier as defined in pfkeyv2.h
449 */
450 int kernel;
451 };
452
453 #define END_OF_LIST -1
454
455 /**
456 * Algorithms for encryption
457 */
458 static kernel_algorithm_t encryption_algs[] = {
459 /* {ENCR_DES_IV64, 0 }, */
460 {ENCR_DES, SADB_EALG_DESCBC },
461 {ENCR_3DES, SADB_EALG_3DESCBC },
462 /* {ENCR_RC5, 0 }, */
463 /* {ENCR_IDEA, 0 }, */
464 {ENCR_CAST, SADB_X_EALG_CASTCBC },
465 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
466 /* {ENCR_3IDEA, 0 }, */
467 /* {ENCR_DES_IV32, 0 }, */
468 {ENCR_NULL, SADB_EALG_NULL },
469 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
470 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
471 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
472 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
473 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
474 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
475 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
476 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
477 {END_OF_LIST, 0 },
478 };
479
480 /**
481 * Algorithms for integrity protection
482 */
483 static kernel_algorithm_t integrity_algs[] = {
484 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
485 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
486 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
487 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
488 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
489 /* {AUTH_DES_MAC, 0, }, */
490 /* {AUTH_KPDK_MD5, 0, }, */
491 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
492 {END_OF_LIST, 0, },
493 };
494
495 /**
496 * Algorithms for IPComp
497 */
498 static kernel_algorithm_t compression_algs[] = {
499 /* {IPCOMP_OUI, 0 }, */
500 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
501 {IPCOMP_LZS, SADB_X_CALG_LZS },
502 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
503 {END_OF_LIST, 0 },
504 };
505
506 /**
507 * Look up a kernel algorithm ID and its key size
508 */
509 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
510 {
511 while (list->ikev2 != END_OF_LIST)
512 {
513 if (ikev2 == list->ikev2)
514 {
515 return list->kernel;
516 }
517 list++;
518 }
519 return 0;
520 }
521
522 /**
523 * add a host behind a sadb_address extension
524 */
525 static void host2ext(host_t *host, struct sadb_address *ext)
526 {
527 sockaddr_t *host_addr = host->get_sockaddr(host);
528 socklen_t *len = host->get_sockaddr_len(host);
529 memcpy((char*)(ext + 1), host_addr, *len);
530 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
531 }
532
533 /**
534 * add udp encap extensions to a sadb_msg
535 */
536 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
537 {
538 struct sadb_x_nat_t_type* nat_type;
539 struct sadb_x_nat_t_port* nat_port;
540
541 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
542 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
543 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
544 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
545 PFKEY_EXT_ADD(msg, nat_type);
546
547 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
548 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
549 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
550 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
551 PFKEY_EXT_ADD(msg, nat_port);
552
553 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
554 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
555 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
556 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
557 PFKEY_EXT_ADD(msg, nat_port);
558 }
559
560 /**
561 * Convert a sadb_address to a traffic_selector
562 */
563 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
564 {
565 traffic_selector_t *ts;
566 host_t *host;
567
568 /* The Linux 2.6 kernel does not set the protocol and port information
569 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
570 */
571 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
572 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
573 address->sadb_address_proto, host->get_port(host));
574 host->destroy(host);
575 return ts;
576 }
577
578 /**
579 * Parses a pfkey message received from the kernel
580 */
581 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
582 {
583 struct sadb_ext* ext;
584 size_t len;
585
586 memset(out, 0, sizeof(pfkey_msg_t));
587 out->msg = msg;
588
589 len = msg->sadb_msg_len;
590 len -= PFKEY_LEN(sizeof(struct sadb_msg));
591
592 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
593
594 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
595 {
596 DBG2(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
597 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
598 ext->sadb_ext_len > len)
599 {
600 DBG1(DBG_KNL, "length of %N extension is invalid",
601 sadb_ext_type_names, ext->sadb_ext_type);
602 break;
603 }
604
605 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
606 {
607 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
608 break;
609 }
610
611 if (out->ext[ext->sadb_ext_type])
612 {
613 DBG1(DBG_KNL, "duplicate %N extension",
614 sadb_ext_type_names, ext->sadb_ext_type);
615 break;
616 }
617
618 out->ext[ext->sadb_ext_type] = ext;
619 ext = PFKEY_EXT_NEXT_LEN(ext, len);
620 }
621
622 if (len)
623 {
624 DBG1(DBG_KNL, "PF_KEY message length is invalid");
625 return FAILED;
626 }
627
628 return SUCCESS;
629 }
630
631 /**
632 * Send a message to a specific PF_KEY socket and handle the response.
633 */
634 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
635 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
636 {
637 unsigned char buf[PFKEY_BUFFER_SIZE];
638 struct sadb_msg *msg;
639 int in_len, len;
640
641 this->mutex_pfkey->lock(this->mutex_pfkey);
642
643 in->sadb_msg_seq = ++this->seq;
644 in->sadb_msg_pid = getpid();
645
646 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
647
648 while (TRUE)
649 {
650 len = send(socket, in, in_len, 0);
651
652 if (len != in_len)
653 {
654 if (errno == EINTR)
655 {
656 /* interrupted, try again */
657 continue;
658 }
659 this->mutex_pfkey->unlock(this->mutex_pfkey);
660 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
661 return FAILED;
662 }
663 break;
664 }
665
666 while (TRUE)
667 {
668 msg = (struct sadb_msg*)buf;
669
670 len = recv(socket, buf, sizeof(buf), 0);
671
672 if (len < 0)
673 {
674 if (errno == EINTR)
675 {
676 DBG1(DBG_KNL, "got interrupted");
677 /* interrupted, try again */
678 continue;
679 }
680 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
681 this->mutex_pfkey->unlock(this->mutex_pfkey);
682 return FAILED;
683 }
684 if (len < sizeof(struct sadb_msg) ||
685 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
686 {
687 DBG1(DBG_KNL, "received corrupted PF_KEY message");
688 this->mutex_pfkey->unlock(this->mutex_pfkey);
689 return FAILED;
690 }
691 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
692 {
693 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
694 this->mutex_pfkey->unlock(this->mutex_pfkey);
695 return FAILED;
696 }
697 if (msg->sadb_msg_pid != in->sadb_msg_pid)
698 {
699 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
700 continue;
701 }
702 if (msg->sadb_msg_seq != this->seq)
703 {
704 DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
705 "was %d expected %d", msg->sadb_msg_seq, this->seq);
706 if (msg->sadb_msg_seq < this->seq)
707 {
708 continue;
709 }
710 this->mutex_pfkey->unlock(this->mutex_pfkey);
711 return FAILED;
712 }
713 if (msg->sadb_msg_type != in->sadb_msg_type)
714 {
715 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
716 "was %d expected %d, ignoring",
717 msg->sadb_msg_type, in->sadb_msg_type);
718 }
719 break;
720 }
721
722 *out_len = len;
723 *out = (struct sadb_msg*)malloc(len);
724 memcpy(*out, buf, len);
725
726 this->mutex_pfkey->unlock(this->mutex_pfkey);
727
728 return SUCCESS;
729 }
730
731 /**
732 * Send a message to the default PF_KEY socket and handle the response.
733 */
734 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
735 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
736 {
737 return pfkey_send_socket(this, this->socket, in, out, out_len);
738 }
739
740 /**
741 * Process a SADB_ACQUIRE message from the kernel
742 */
743 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
744 {
745 pfkey_msg_t response;
746 u_int32_t index, reqid = 0;
747 traffic_selector_t *src_ts, *dst_ts;
748 policy_entry_t *policy;
749 job_t *job;
750
751 switch (msg->sadb_msg_satype)
752 {
753 case SADB_SATYPE_UNSPEC:
754 case SADB_SATYPE_ESP:
755 case SADB_SATYPE_AH:
756 break;
757 default:
758 /* acquire for AH/ESP only */
759 return;
760 }
761 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
762
763 if (parse_pfkey_message(msg, &response) != SUCCESS)
764 {
765 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
766 return;
767 }
768
769 index = response.x_policy->sadb_x_policy_id;
770 this->mutex->lock(this->mutex);
771 if (this->policies->find_first(this->policies,
772 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
773 {
774 reqid = policy->reqid;
775 }
776 else
777 {
778 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
779 index);
780 }
781 src_ts = sadb_address2ts(response.src);
782 dst_ts = sadb_address2ts(response.dst);
783 this->mutex->unlock(this->mutex);
784
785 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
786 src_ts, dst_ts, reqid);
787 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
788 charon->processor->queue_job(charon->processor, job);
789 }
790
791 /**
792 * Process a SADB_EXPIRE message from the kernel
793 */
794 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
795 {
796 pfkey_msg_t response;
797 protocol_id_t protocol;
798 u_int32_t spi, reqid;
799 bool hard;
800 job_t *job;
801
802 DBG2(DBG_KNL, "received an SADB_EXPIRE");
803
804 if (parse_pfkey_message(msg, &response) != SUCCESS)
805 {
806 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
807 return;
808 }
809
810 protocol = proto_satype2ike(msg->sadb_msg_satype);
811 spi = response.sa->sadb_sa_spi;
812 reqid = response.x_sa2->sadb_x_sa2_reqid;
813 hard = response.lft_hard != NULL;
814
815 if (protocol != PROTO_ESP && protocol != PROTO_AH)
816 {
817 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
818 "which is not a CHILD_SA", ntohl(spi), reqid);
819 return;
820 }
821
822 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
823 hard ? "delete" : "rekey", protocol_id_names,
824 protocol, ntohl(spi), reqid);
825 if (hard)
826 {
827 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
828 }
829 else
830 {
831 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
832 }
833 charon->processor->queue_job(charon->processor, job);
834 }
835
836 /**
837 * Process a SADB_MIGRATE message from the kernel
838 */
839 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
840 {
841 pfkey_msg_t response;
842 traffic_selector_t *src_ts, *dst_ts;
843 policy_dir_t dir;
844 u_int32_t reqid = 0;
845 host_t *local = NULL, *remote = NULL;
846 job_t *job;
847
848 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
849
850 if (parse_pfkey_message(msg, &response) != SUCCESS)
851 {
852 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
853 return;
854 }
855 src_ts = sadb_address2ts(response.src);
856 dst_ts = sadb_address2ts(response.dst);
857 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
858 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
859 policy_dir_names, dir, response.x_policy->sadb_x_policy_id);
860
861 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
862 if (response.x_kmaddress)
863 {
864 sockaddr_t *local_addr, *remote_addr;
865 u_int32_t local_len;
866
867 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
868 local = host_create_from_sockaddr(local_addr);
869 local_len = (local_addr->sa_family == AF_INET6)?
870 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
871 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
872 remote = host_create_from_sockaddr(remote_addr);
873 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
874 }
875
876 if (src_ts && dst_ts)
877 {
878 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
879 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
880 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
881 local, remote);
882 charon->processor->queue_job(charon->processor, job);
883 }
884 else
885 {
886 DESTROY_IF(src_ts);
887 DESTROY_IF(dst_ts);
888 DESTROY_IF(local);
889 DESTROY_IF(remote);
890 }
891 }
892
893 /**
894 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
895 */
896 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
897 {
898 pfkey_msg_t response;
899 u_int32_t spi, reqid;
900 host_t *host;
901 job_t *job;
902
903 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
904
905 if (parse_pfkey_message(msg, &response) != SUCCESS)
906 {
907 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
908 return;
909 }
910
911 if (!response.x_sa2)
912 {
913 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
914 return;
915 }
916
917 spi = response.sa->sadb_sa_spi;
918 reqid = response.x_sa2->sadb_x_sa2_reqid;
919
920 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
921 {
922 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
923 switch (sa->sa_family)
924 {
925 case AF_INET:
926 {
927 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
928 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
929 }
930 case AF_INET6:
931 {
932 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
933 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
934 }
935 default:
936 break;
937 }
938 host = host_create_from_sockaddr(sa);
939 if (host)
940 {
941 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
942 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
943 job = (job_t*)update_sa_job_create(reqid, host);
944 charon->processor->queue_job(charon->processor, job);
945 }
946 }
947 }
948
949 /**
950 * Receives events from kernel
951 */
952 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
953 {
954 unsigned char buf[PFKEY_BUFFER_SIZE];
955 struct sadb_msg *msg = (struct sadb_msg*)buf;
956 int len, oldstate;
957
958 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
959 len = recv(this->socket_events, buf, sizeof(buf), 0);
960 pthread_setcancelstate(oldstate, NULL);
961
962 if (len < 0)
963 {
964 switch (errno)
965 {
966 case EINTR:
967 /* interrupted, try again */
968 return JOB_REQUEUE_DIRECT;
969 case EAGAIN:
970 /* no data ready, select again */
971 return JOB_REQUEUE_DIRECT;
972 default:
973 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
974 sleep(1);
975 return JOB_REQUEUE_FAIR;
976 }
977 }
978
979 if (len < sizeof(struct sadb_msg) ||
980 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
981 {
982 DBG2(DBG_KNL, "received corrupted PF_KEY message");
983 return JOB_REQUEUE_DIRECT;
984 }
985 if (msg->sadb_msg_pid != 0)
986 { /* not from kernel. not interested, try another one */
987 return JOB_REQUEUE_DIRECT;
988 }
989 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
990 {
991 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
992 return JOB_REQUEUE_DIRECT;
993 }
994
995 switch (msg->sadb_msg_type)
996 {
997 case SADB_ACQUIRE:
998 process_acquire(this, msg);
999 break;
1000 case SADB_EXPIRE:
1001 process_expire(this, msg);
1002 break;
1003 case SADB_X_MIGRATE:
1004 process_migrate(this, msg);
1005 break;
1006 case SADB_X_NAT_T_NEW_MAPPING:
1007 process_mapping(this, msg);
1008 break;
1009 default:
1010 break;
1011 }
1012
1013 return JOB_REQUEUE_DIRECT;
1014 }
1015
1016 /**
1017 * Implementation of kernel_interface_t.get_spi.
1018 */
1019 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
1020 host_t *src, host_t *dst,
1021 protocol_id_t protocol, u_int32_t reqid,
1022 u_int32_t *spi)
1023 {
1024 unsigned char request[PFKEY_BUFFER_SIZE];
1025 struct sadb_msg *msg, *out;
1026 struct sadb_x_sa2 *sa2;
1027 struct sadb_address *addr;
1028 struct sadb_spirange *range;
1029 pfkey_msg_t response;
1030 u_int32_t received_spi = 0;
1031 size_t len;
1032
1033 memset(&request, 0, sizeof(request));
1034
1035 msg = (struct sadb_msg*)request;
1036 msg->sadb_msg_version = PF_KEY_V2;
1037 msg->sadb_msg_type = SADB_GETSPI;
1038 msg->sadb_msg_satype = proto_ike2satype(protocol);
1039 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1040
1041 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1042 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1043 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1044 sa2->sadb_x_sa2_reqid = reqid;
1045 PFKEY_EXT_ADD(msg, sa2);
1046
1047 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1048 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1049 host2ext(src, addr);
1050 PFKEY_EXT_ADD(msg, addr);
1051
1052 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1053 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1054 host2ext(dst, addr);
1055 PFKEY_EXT_ADD(msg, addr);
1056
1057 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1058 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1059 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1060 range->sadb_spirange_min = 0xc0000000;
1061 range->sadb_spirange_max = 0xcFFFFFFF;
1062 PFKEY_EXT_ADD(msg, range);
1063
1064 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1065 {
1066 if (out->sadb_msg_errno)
1067 {
1068 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1069 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1070 }
1071 else if (parse_pfkey_message(out, &response) == SUCCESS)
1072 {
1073 received_spi = response.sa->sadb_sa_spi;
1074 }
1075 free(out);
1076 }
1077
1078 if (received_spi == 0)
1079 {
1080 return FAILED;
1081 }
1082
1083 *spi = received_spi;
1084 return SUCCESS;
1085 }
1086
1087 /**
1088 * Implementation of kernel_interface_t.get_cpi.
1089 */
1090 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
1091 host_t *src, host_t *dst,
1092 u_int32_t reqid, u_int16_t *cpi)
1093 {
1094 return FAILED;
1095 }
1096
1097 /**
1098 * Implementation of kernel_interface_t.add_sa.
1099 */
1100 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
1101 host_t *src, host_t *dst, u_int32_t spi,
1102 protocol_id_t protocol, u_int32_t reqid,
1103 u_int64_t expire_soft, u_int64_t expire_hard,
1104 u_int16_t enc_alg, chunk_t enc_key,
1105 u_int16_t int_alg, chunk_t int_key,
1106 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1107 bool encap, bool inbound)
1108 {
1109 unsigned char request[PFKEY_BUFFER_SIZE];
1110 struct sadb_msg *msg, *out;
1111 struct sadb_sa *sa;
1112 struct sadb_x_sa2 *sa2;
1113 struct sadb_address *addr;
1114 struct sadb_lifetime *lft;
1115 struct sadb_key *key;
1116 size_t len;
1117
1118 memset(&request, 0, sizeof(request));
1119
1120 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1121
1122 msg = (struct sadb_msg*)request;
1123 msg->sadb_msg_version = PF_KEY_V2;
1124 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1125 msg->sadb_msg_satype = proto_ike2satype(protocol);
1126 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1127
1128 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1129 sa->sadb_sa_exttype = SADB_EXT_SA;
1130 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1131 sa->sadb_sa_spi = spi;
1132 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1133 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1134 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1135 PFKEY_EXT_ADD(msg, sa);
1136
1137 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1138 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1139 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1140 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1141 sa2->sadb_x_sa2_reqid = reqid;
1142 PFKEY_EXT_ADD(msg, sa2);
1143
1144 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1145 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1146 host2ext(src, addr);
1147 PFKEY_EXT_ADD(msg, addr);
1148
1149 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1150 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1151 host2ext(dst, addr);
1152 PFKEY_EXT_ADD(msg, addr);
1153
1154 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1155 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1156 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1157 lft->sadb_lifetime_addtime = expire_soft;
1158 PFKEY_EXT_ADD(msg, lft);
1159
1160 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1161 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1162 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1163 lft->sadb_lifetime_addtime = expire_hard;
1164 PFKEY_EXT_ADD(msg, lft);
1165
1166 if (enc_alg != ENCR_UNDEFINED)
1167 {
1168 if (!sa->sadb_sa_encrypt)
1169 {
1170 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1171 encryption_algorithm_names, enc_alg);
1172 return FAILED;
1173 }
1174 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1175 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1176
1177 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1178 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1179 key->sadb_key_bits = enc_key.len * 8;
1180 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1181 memcpy(key + 1, enc_key.ptr, enc_key.len);
1182
1183 PFKEY_EXT_ADD(msg, key);
1184 }
1185
1186 if (int_alg != AUTH_UNDEFINED)
1187 {
1188 if (!sa->sadb_sa_auth)
1189 {
1190 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1191 integrity_algorithm_names, int_alg);
1192 return FAILED;
1193 }
1194 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1195 integrity_algorithm_names, int_alg, int_key.len * 8);
1196
1197 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1198 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1199 key->sadb_key_bits = int_key.len * 8;
1200 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1201 memcpy(key + 1, int_key.ptr, int_key.len);
1202
1203 PFKEY_EXT_ADD(msg, key);
1204 }
1205
1206 if (ipcomp != IPCOMP_NONE)
1207 {
1208 /*TODO*/
1209 }
1210
1211 if (encap)
1212 {
1213 add_encap_ext(msg, src, dst);
1214 }
1215
1216 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1217 {
1218 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1219 return FAILED;
1220 }
1221 else if (out->sadb_msg_errno)
1222 {
1223 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1224 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1225 free(out);
1226 return FAILED;
1227 }
1228
1229 free(out);
1230 return SUCCESS;
1231 }
1232
1233 /**
1234 * Implementation of kernel_interface_t.update_sa.
1235 */
1236 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1237 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1238 host_t *src, host_t *dst,
1239 host_t *new_src, host_t *new_dst,
1240 bool encap, bool new_encap)
1241 {
1242 unsigned char request[PFKEY_BUFFER_SIZE];
1243 struct sadb_msg *msg, *out;
1244 struct sadb_sa *sa;
1245 struct sadb_address *addr;
1246 pfkey_msg_t response;
1247 size_t len;
1248
1249 /* we can't update the SA if any of the ip addresses have changed.
1250 * that's because we can't use SADB_UPDATE and by deleting and readding the
1251 * SA the sequence numbers would get lost */
1252 if (!src->ip_equals(src, new_src) ||
1253 !dst->ip_equals(dst, new_dst))
1254 {
1255 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
1256 " are not supported", ntohl(spi));
1257 return NOT_SUPPORTED;
1258 }
1259
1260 memset(&request, 0, sizeof(request));
1261
1262 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1263
1264 msg = (struct sadb_msg*)request;
1265 msg->sadb_msg_version = PF_KEY_V2;
1266 msg->sadb_msg_type = SADB_GET;
1267 msg->sadb_msg_satype = proto_ike2satype(protocol);
1268 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1269
1270 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1271 sa->sadb_sa_exttype = SADB_EXT_SA;
1272 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1273 sa->sadb_sa_spi = spi;
1274 PFKEY_EXT_ADD(msg, sa);
1275
1276 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1277 * it is not used for anything, so we just send dst twice */
1278 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1279 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1280 host2ext(dst, addr);
1281 PFKEY_EXT_ADD(msg, addr);
1282
1283 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1284 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1285 host2ext(dst, addr);
1286 PFKEY_EXT_ADD(msg, addr);
1287
1288 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1289 {
1290 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1291 ntohl(spi));
1292 return FAILED;
1293 }
1294 else if (out->sadb_msg_errno)
1295 {
1296 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1297 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1298 free(out);
1299 return FAILED;
1300 }
1301 else if (parse_pfkey_message(out, &response) != SUCCESS)
1302 {
1303 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1304 "from kernel failed", ntohl(spi));
1305 free(out);
1306 return FAILED;
1307 }
1308
1309 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1310 ntohl(spi), src, dst, new_src, new_dst);
1311
1312 memset(&request, 0, sizeof(request));
1313
1314 msg = (struct sadb_msg*)request;
1315 msg->sadb_msg_version = PF_KEY_V2;
1316 msg->sadb_msg_type = SADB_UPDATE;
1317 msg->sadb_msg_satype = proto_ike2satype(protocol);
1318 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1319
1320 PFKEY_EXT_COPY(msg, response.sa);
1321 PFKEY_EXT_COPY(msg, response.x_sa2);
1322
1323 PFKEY_EXT_COPY(msg, response.src);
1324 PFKEY_EXT_COPY(msg, response.dst);
1325
1326 PFKEY_EXT_COPY(msg, response.lft_soft);
1327 PFKEY_EXT_COPY(msg, response.lft_hard);
1328
1329 if (response.key_encr)
1330 {
1331 PFKEY_EXT_COPY(msg, response.key_encr);
1332 }
1333
1334 if (response.key_auth)
1335 {
1336 PFKEY_EXT_COPY(msg, response.key_auth);
1337 }
1338
1339 if (encap)
1340 {
1341 add_encap_ext(msg, new_src, new_dst);
1342 }
1343
1344 free(out);
1345
1346 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1347 {
1348 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1349 return FAILED;
1350 }
1351 else if (out->sadb_msg_errno)
1352 {
1353 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1354 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1355 free(out);
1356 return FAILED;
1357 }
1358 free(out);
1359
1360 return SUCCESS;
1361 }
1362
1363 /**
1364 * Implementation of kernel_interface_t.del_sa.
1365 */
1366 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
1367 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
1368 {
1369 unsigned char request[PFKEY_BUFFER_SIZE];
1370 struct sadb_msg *msg, *out;
1371 struct sadb_sa *sa;
1372 struct sadb_address *addr;
1373 size_t len;
1374
1375 memset(&request, 0, sizeof(request));
1376
1377 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1378
1379 msg = (struct sadb_msg*)request;
1380 msg->sadb_msg_version = PF_KEY_V2;
1381 msg->sadb_msg_type = SADB_DELETE;
1382 msg->sadb_msg_satype = proto_ike2satype(protocol);
1383 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1384
1385 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1386 sa->sadb_sa_exttype = SADB_EXT_SA;
1387 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1388 sa->sadb_sa_spi = spi;
1389 PFKEY_EXT_ADD(msg, sa);
1390
1391 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1392 * it is not used for anything, so we just send dst twice */
1393 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1394 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1395 host2ext(dst, addr);
1396 PFKEY_EXT_ADD(msg, addr);
1397
1398 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1399 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1400 host2ext(dst, addr);
1401 PFKEY_EXT_ADD(msg, addr);
1402
1403 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1404 {
1405 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1406 return FAILED;
1407 }
1408 else if (out->sadb_msg_errno)
1409 {
1410 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1411 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1412 free(out);
1413 return FAILED;
1414 }
1415
1416 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1417 free(out);
1418 return SUCCESS;
1419 }
1420
1421 /**
1422 * Implementation of kernel_interface_t.add_policy.
1423 */
1424 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1425 host_t *src, host_t *dst,
1426 traffic_selector_t *src_ts,
1427 traffic_selector_t *dst_ts,
1428 policy_dir_t direction, u_int32_t spi,
1429 protocol_id_t protocol, u_int32_t reqid,
1430 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1431 bool routed)
1432 {
1433 unsigned char request[PFKEY_BUFFER_SIZE];
1434 struct sadb_msg *msg, *out;
1435 struct sadb_x_policy *pol;
1436 struct sadb_address *addr;
1437 struct sadb_x_ipsecrequest *req;
1438 policy_entry_t *policy, *found = NULL;
1439 pfkey_msg_t response;
1440 size_t len;
1441
1442 /* create a policy */
1443 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1444
1445 /* find a matching policy */
1446 this->mutex->lock(this->mutex);
1447 if (this->policies->find_first(this->policies,
1448 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1449 {
1450 /* use existing policy */
1451 found->refcount++;
1452 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1453 "refcount", src_ts, dst_ts,
1454 policy_dir_names, direction);
1455 policy_entry_destroy(policy);
1456 policy = found;
1457 }
1458 else
1459 {
1460 /* apply the new one, if we have no such policy */
1461 this->policies->insert_last(this->policies, policy);
1462 policy->refcount = 1;
1463 }
1464
1465 memset(&request, 0, sizeof(request));
1466
1467 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1468 policy_dir_names, direction);
1469
1470 msg = (struct sadb_msg*)request;
1471 msg->sadb_msg_version = PF_KEY_V2;
1472 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1473 msg->sadb_msg_satype = 0;
1474 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1475
1476 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1477 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1478 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1479 pol->sadb_x_policy_id = 0;
1480 pol->sadb_x_policy_dir = dir2kernel(direction);
1481 /* calculate priority based on source selector size, small size = high prio */
1482 pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
1483 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1484 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1485 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1486 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1487
1488 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1489 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1490 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1491 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1492 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1493 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1494 req->sadb_x_ipsecrequest_reqid = reqid;
1495 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1496 if (mode == MODE_TUNNEL)
1497 {
1498 sockaddr_t *sa;
1499 socklen_t sl;
1500 sa = src->get_sockaddr(src);
1501 sl = *src->get_sockaddr_len(src);
1502 memcpy(req + 1, sa, sl);
1503 sa = dst->get_sockaddr(dst);
1504 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1505 req->sadb_x_ipsecrequest_len += sl * 2;
1506 }
1507
1508 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1509 PFKEY_EXT_ADD(msg, pol);
1510
1511 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1512 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1513 addr->sadb_address_proto = policy->src.proto;
1514 addr->sadb_address_prefixlen = policy->src.mask;
1515 host2ext(policy->src.net, addr);
1516 PFKEY_EXT_ADD(msg, addr);
1517
1518 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1519 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1520 addr->sadb_address_proto = policy->dst.proto;
1521 addr->sadb_address_prefixlen = policy->dst.mask;
1522 host2ext(policy->dst.net, addr);
1523 PFKEY_EXT_ADD(msg, addr);
1524
1525 this->mutex->unlock(this->mutex);
1526
1527 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1528 {
1529 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1530 policy_dir_names, direction);
1531 return FAILED;
1532 }
1533 else if (out->sadb_msg_errno)
1534 {
1535 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1536 policy_dir_names, direction,
1537 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1538 free(out);
1539 return FAILED;
1540 }
1541 else if (parse_pfkey_message(out, &response) != SUCCESS)
1542 {
1543 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1544 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1545 free(out);
1546 return FAILED;
1547 }
1548
1549 this->mutex->lock(this->mutex);
1550
1551 /* we try to find the policy again and update the kernel index */
1552 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1553 {
1554 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1555 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1556 this->mutex->unlock(this->mutex);
1557 free(out);
1558 return SUCCESS;
1559 }
1560 policy->index = response.x_policy->sadb_x_policy_id;
1561 free(out);
1562
1563 /* install a route, if:
1564 * - we are NOT updating a policy
1565 * - this is a forward policy (to just get one for each child)
1566 * - we are in tunnel mode
1567 * - we are not using IPv6 (does not work correctly yet!)
1568 * - routing is not disabled via strongswan.conf
1569 */
1570 if (policy->route == NULL && direction == POLICY_FWD &&
1571 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1572 this->install_routes)
1573 {
1574 route_entry_t *route = malloc_thing(route_entry_t);
1575
1576 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1577 dst_ts, &route->src_ip) == SUCCESS)
1578 {
1579 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1580 route->gateway = charon->kernel_interface->get_nexthop(
1581 charon->kernel_interface, src);
1582 route->if_name = charon->kernel_interface->get_interface(
1583 charon->kernel_interface, dst);
1584 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1585 route->prefixlen = policy->src.mask;
1586
1587 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1588 route->dst_net, route->prefixlen, route->gateway,
1589 route->src_ip, route->if_name))
1590 {
1591 default:
1592 DBG1(DBG_KNL, "unable to install source route for %H",
1593 route->src_ip);
1594 /* FALL */
1595 case ALREADY_DONE:
1596 /* route exists, do not uninstall */
1597 route_entry_destroy(route);
1598 break;
1599 case SUCCESS:
1600 /* cache the installed route */
1601 policy->route = route;
1602 break;
1603 }
1604 }
1605 else
1606 {
1607 free(route);
1608 }
1609 }
1610
1611 this->mutex->unlock(this->mutex);
1612
1613 return SUCCESS;
1614 }
1615
1616 /**
1617 * Implementation of kernel_interface_t.query_policy.
1618 */
1619 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1620 traffic_selector_t *src_ts,
1621 traffic_selector_t *dst_ts,
1622 policy_dir_t direction, u_int32_t *use_time)
1623 {
1624 unsigned char request[PFKEY_BUFFER_SIZE];
1625 struct sadb_msg *msg, *out;
1626 struct sadb_x_policy *pol;
1627 struct sadb_address *addr;
1628 policy_entry_t *policy, *found = NULL;
1629 pfkey_msg_t response;
1630 size_t len;
1631
1632 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1633 policy_dir_names, direction);
1634
1635 /* create a policy */
1636 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1637
1638 /* find a matching policy */
1639 this->mutex->lock(this->mutex);
1640 if (this->policies->find_first(this->policies,
1641 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1642 {
1643 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1644 dst_ts, policy_dir_names, direction);
1645 policy_entry_destroy(policy);
1646 this->mutex->unlock(this->mutex);
1647 return NOT_FOUND;
1648 }
1649 policy_entry_destroy(policy);
1650 policy = found;
1651
1652 memset(&request, 0, sizeof(request));
1653
1654 msg = (struct sadb_msg*)request;
1655 msg->sadb_msg_version = PF_KEY_V2;
1656 msg->sadb_msg_type = SADB_X_SPDGET;
1657 msg->sadb_msg_satype = 0;
1658 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1659
1660 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1661 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1662 pol->sadb_x_policy_id = policy->index;
1663 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1664 pol->sadb_x_policy_dir = dir2kernel(direction);
1665 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1666 PFKEY_EXT_ADD(msg, pol);
1667
1668 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1669 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1670 addr->sadb_address_proto = policy->src.proto;
1671 addr->sadb_address_prefixlen = policy->src.mask;
1672 host2ext(policy->src.net, addr);
1673 PFKEY_EXT_ADD(msg, addr);
1674
1675 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1676 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1677 addr->sadb_address_proto = policy->dst.proto;
1678 addr->sadb_address_prefixlen = policy->dst.mask;
1679 host2ext(policy->dst.net, addr);
1680 PFKEY_EXT_ADD(msg, addr);
1681
1682 this->mutex->unlock(this->mutex);
1683
1684 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1685 {
1686 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1687 policy_dir_names, direction);
1688 return FAILED;
1689 }
1690 else if (out->sadb_msg_errno)
1691 {
1692 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1693 dst_ts, policy_dir_names, direction,
1694 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1695 free(out);
1696 return FAILED;
1697 }
1698 else if (parse_pfkey_message(out, &response) != SUCCESS)
1699 {
1700 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1701 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1702 free(out);
1703 return FAILED;
1704 }
1705
1706 *use_time = response.lft_current->sadb_lifetime_usetime;
1707
1708 free(out);
1709
1710 return SUCCESS;
1711 }
1712
1713 /**
1714 * Implementation of kernel_interface_t.del_policy.
1715 */
1716 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1717 traffic_selector_t *src_ts,
1718 traffic_selector_t *dst_ts,
1719 policy_dir_t direction, bool unrouted)
1720 {
1721 unsigned char request[PFKEY_BUFFER_SIZE];
1722 struct sadb_msg *msg, *out;
1723 struct sadb_x_policy *pol;
1724 struct sadb_address *addr;
1725 policy_entry_t *policy, *found = NULL;
1726 route_entry_t *route;
1727 size_t len;
1728
1729 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1730 policy_dir_names, direction);
1731
1732 /* create a policy */
1733 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1734
1735 /* find a matching policy */
1736 this->mutex->lock(this->mutex);
1737 if (this->policies->find_first(this->policies,
1738 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1739 {
1740 if (--found->refcount > 0)
1741 {
1742 /* is used by more SAs, keep in kernel */
1743 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1744 policy_entry_destroy(policy);
1745 this->mutex->unlock(this->mutex);
1746 return SUCCESS;
1747 }
1748 /* remove if last reference */
1749 this->policies->remove(this->policies, found, NULL);
1750 policy_entry_destroy(policy);
1751 policy = found;
1752 }
1753 else
1754 {
1755 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1756 dst_ts, policy_dir_names, direction);
1757 policy_entry_destroy(policy);
1758 this->mutex->unlock(this->mutex);
1759 return NOT_FOUND;
1760 }
1761 this->mutex->unlock(this->mutex);
1762
1763 memset(&request, 0, sizeof(request));
1764
1765 msg = (struct sadb_msg*)request;
1766 msg->sadb_msg_version = PF_KEY_V2;
1767 msg->sadb_msg_type = SADB_X_SPDDELETE;
1768 msg->sadb_msg_satype = 0;
1769 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1770
1771 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1772 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1773 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1774 pol->sadb_x_policy_dir = dir2kernel(direction);
1775 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1776 PFKEY_EXT_ADD(msg, pol);
1777
1778 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1779 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1780 addr->sadb_address_proto = policy->src.proto;
1781 addr->sadb_address_prefixlen = policy->src.mask;
1782 host2ext(policy->src.net, addr);
1783 PFKEY_EXT_ADD(msg, addr);
1784
1785 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1786 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1787 addr->sadb_address_proto = policy->dst.proto;
1788 addr->sadb_address_prefixlen = policy->dst.mask;
1789 host2ext(policy->dst.net, addr);
1790 PFKEY_EXT_ADD(msg, addr);
1791
1792 route = policy->route;
1793 policy->route = NULL;
1794 policy_entry_destroy(policy);
1795
1796 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1797 {
1798 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1799 policy_dir_names, direction);
1800 return FAILED;
1801 }
1802 else if (out->sadb_msg_errno)
1803 {
1804 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
1805 dst_ts, policy_dir_names, direction,
1806 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1807 free(out);
1808 return FAILED;
1809 }
1810 free(out);
1811
1812 if (route)
1813 {
1814 if (charon->kernel_interface->del_route(charon->kernel_interface,
1815 route->dst_net, route->prefixlen, route->gateway,
1816 route->src_ip, route->if_name) != SUCCESS)
1817 {
1818 DBG1(DBG_KNL, "error uninstalling route installed with "
1819 "policy %R === %R %N", src_ts, dst_ts,
1820 policy_dir_names, direction);
1821 }
1822 route_entry_destroy(route);
1823 }
1824
1825 return SUCCESS;
1826 }
1827
1828 /**
1829 * Register a socket for AQUIRE/EXPIRE messages
1830 */
1831 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
1832 {
1833 unsigned char request[PFKEY_BUFFER_SIZE];
1834 struct sadb_msg *msg, *out;
1835 size_t len;
1836
1837 memset(&request, 0, sizeof(request));
1838
1839 msg = (struct sadb_msg*)request;
1840 msg->sadb_msg_version = PF_KEY_V2;
1841 msg->sadb_msg_type = SADB_REGISTER;
1842 msg->sadb_msg_satype = satype;
1843 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1844
1845 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
1846 {
1847 DBG1(DBG_KNL, "unable to register PF_KEY socket");
1848 return FAILED;
1849 }
1850 else if (out->sadb_msg_errno)
1851 {
1852 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
1853 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1854 free(out);
1855 return FAILED;
1856 }
1857 free(out);
1858 return SUCCESS;
1859 }
1860
1861 /**
1862 * Implementation of kernel_interface_t.destroy.
1863 */
1864 static void destroy(private_kernel_pfkey_ipsec_t *this)
1865 {
1866 this->job->cancel(this->job);
1867 close(this->socket);
1868 close(this->socket_events);
1869 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
1870 this->mutex->destroy(this->mutex);
1871 this->mutex_pfkey->destroy(this->mutex_pfkey);
1872 free(this);
1873 }
1874
1875 /**
1876 * Add bypass policies for IKE on the sockets of charon
1877 */
1878 static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
1879 {
1880 int fd, family, port;
1881 enumerator_t *sockets;
1882
1883 sockets = charon->socket->create_enumerator(charon->socket);
1884 while (sockets->enumerate(sockets, &fd, &family, &port))
1885 {
1886 struct sadb_x_policy policy;
1887 u_int sol, ipsec_policy;
1888
1889 switch (family)
1890 {
1891 case AF_INET:
1892 sol = SOL_IP;
1893 ipsec_policy = IP_IPSEC_POLICY;
1894 break;
1895 case AF_INET6:
1896 {
1897 sol = SOL_IPV6;
1898 ipsec_policy = IPV6_IPSEC_POLICY;
1899 break;
1900 }
1901 }
1902
1903 memset(&policy, 0, sizeof(policy));
1904 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
1905 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1906 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
1907
1908 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
1909 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1910 {
1911 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1912 strerror(errno));
1913 return FALSE;
1914 }
1915 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
1916 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1917 {
1918 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1919 strerror(errno));
1920 return FALSE;
1921 }
1922 }
1923 return TRUE;
1924 }
1925
1926 /*
1927 * Described in header.
1928 */
1929 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
1930 {
1931 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
1932
1933 /* public functions */
1934 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1935 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1936 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
1937 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
1938 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
1939 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
1940 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1941 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
1942
1943 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1944
1945 /* private members */
1946 this->policies = linked_list_create();
1947 this->mutex = mutex_create(MUTEX_DEFAULT);
1948 this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
1949 this->install_routes = lib->settings->get_bool(lib->settings,
1950 "charon.install_routes", TRUE);
1951 this->seq = 0;
1952
1953 /* create a PF_KEY socket to communicate with the kernel */
1954 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1955 if (this->socket <= 0)
1956 {
1957 charon->kill(charon, "unable to create PF_KEY socket");
1958 }
1959
1960 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
1961 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1962 if (this->socket_events <= 0)
1963 {
1964 charon->kill(charon, "unable to create PF_KEY event socket");
1965 }
1966
1967 /* add bypass policies on the sockets used by charon */
1968 if (!add_bypass_policies(this))
1969 {
1970 charon->kill(charon, "unable to add bypass policies on sockets");
1971 }
1972
1973 /* register the event socket */
1974 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
1975 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
1976 {
1977 charon->kill(charon, "unable to register PF_KEY event socket");
1978 }
1979
1980 this->job = callback_job_create((callback_job_cb_t)receive_events,
1981 this, NULL, NULL);
1982 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1983
1984 return &this->public;
1985 }