2b7bbe4a0b2e8c7d0f5f7533ef81b408c20b61cc
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2009 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef HAVE_NET_PFKEYV2_H
21 #include <net/pfkeyv2.h>
22 #else
23 #include <stdint.h>
24 #include <linux/pfkeyv2.h>
25 #endif
26
27 #ifdef SADB_X_EXT_NAT_T_TYPE
28 #define HAVE_NATT
29 #endif
30
31 #ifdef HAVE_NETIPSEC_IPSEC_H
32 #include <netipsec/ipsec.h>
33 #elif defined(HAVE_NETINET6_IPSEC_H)
34 #include <netinet6/ipsec.h>
35 #else
36 #include <linux/ipsec.h>
37 #endif
38
39 #ifdef HAVE_NATT
40 #ifdef HAVE_NETINET_UDP_H
41 #include <netinet/udp.h>
42 #else
43 #include <linux/udp.h>
44 #endif /*HAVE_NETINET_UDP_H*/
45 #endif /*HAVE_NATT*/
46
47 #include <unistd.h>
48 #include <pthread.h>
49 #include <errno.h>
50
51 #include "kernel_pfkey_ipsec.h"
52
53 #include <daemon.h>
54 #include <utils/host.h>
55 #include <utils/mutex.h>
56 #include <processing/jobs/callback_job.h>
57 #include <processing/jobs/acquire_job.h>
58 #include <processing/jobs/migrate_job.h>
59 #include <processing/jobs/rekey_child_sa_job.h>
60 #include <processing/jobs/delete_child_sa_job.h>
61 #include <processing/jobs/update_sa_job.h>
62
63 /** non linux specific */
64 #ifndef IPPROTO_COMP
65 #define IPPROTO_COMP IPPROTO_IPCOMP
66 #endif
67
68 #ifndef SADB_X_AALG_SHA2_256HMAC
69 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
70 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
71 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
72 #endif
73
74 #ifndef SADB_X_EALG_AESCBC
75 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
76 #endif
77
78 #ifndef SADB_X_EALG_CASTCBC
79 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
80 #endif
81
82 #ifndef SOL_IP
83 #define SOL_IP IPPROTO_IP
84 #define SOL_IPV6 IPPROTO_IPV6
85 #endif
86
87 /** from linux/in.h */
88 #ifndef IP_IPSEC_POLICY
89 #define IP_IPSEC_POLICY 16
90 #endif
91
92 /* missing on uclibc */
93 #ifndef IPV6_IPSEC_POLICY
94 #define IPV6_IPSEC_POLICY 34
95 #endif
96
97 /** default priority of installed policies */
98 #define PRIO_LOW 3000
99 #define PRIO_HIGH 2000
100
101 /** buffer size for PF_KEY messages */
102 #define PFKEY_BUFFER_SIZE 4096
103
104 /** PF_KEY messages are 64 bit aligned */
105 #define PFKEY_ALIGNMENT 8
106 /** aligns len to 64 bits */
107 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
108 /** calculates the properly padded length in 64 bit chunks */
109 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
110 /** calculates user mode length i.e. in bytes */
111 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
112
113 /** given a PF_KEY message header and an extension this updates the length in the header */
114 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
115 /** given a PF_KEY message header this returns a pointer to the next extension */
116 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
117 /** copy an extension and append it to a PF_KEY message */
118 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
119 /** given a PF_KEY extension this returns a pointer to the next extension */
120 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
121 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
122 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
123 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
124 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
125 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
126 (ext)->sadb_ext_len <= (len))
127
128 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
129
130 /**
131 * Private variables and functions of kernel_pfkey class.
132 */
133 struct private_kernel_pfkey_ipsec_t
134 {
135 /**
136 * Public part of the kernel_pfkey_t object.
137 */
138 kernel_pfkey_ipsec_t public;
139
140 /**
141 * mutex to lock access to various lists
142 */
143 mutex_t *mutex;
144
145 /**
146 * List of installed policies (policy_entry_t)
147 */
148 linked_list_t *policies;
149
150 /**
151 * whether to install routes along policies
152 */
153 bool install_routes;
154
155 /**
156 * job receiving PF_KEY events
157 */
158 callback_job_t *job;
159
160 /**
161 * mutex to lock access to the PF_KEY socket
162 */
163 mutex_t *mutex_pfkey;
164
165 /**
166 * PF_KEY socket to communicate with the kernel
167 */
168 int socket;
169
170 /**
171 * PF_KEY socket to receive acquire and expire events
172 */
173 int socket_events;
174
175 /**
176 * sequence number for messages sent to the kernel
177 */
178 int seq;
179 };
180
181 typedef struct route_entry_t route_entry_t;
182
183 /**
184 * installed routing entry
185 */
186 struct route_entry_t {
187 /** Name of the interface the route is bound to */
188 char *if_name;
189
190 /** Source ip of the route */
191 host_t *src_ip;
192
193 /** gateway for this route */
194 host_t *gateway;
195
196 /** Destination net */
197 chunk_t dst_net;
198
199 /** Destination net prefixlen */
200 u_int8_t prefixlen;
201 };
202
203 /**
204 * destroy an route_entry_t object
205 */
206 static void route_entry_destroy(route_entry_t *this)
207 {
208 free(this->if_name);
209 DESTROY_IF(this->src_ip);
210 DESTROY_IF(this->gateway);
211 chunk_free(&this->dst_net);
212 free(this);
213 }
214
215 typedef struct policy_entry_t policy_entry_t;
216
217 /**
218 * installed kernel policy.
219 */
220 struct policy_entry_t {
221
222 /** reqid of this policy */
223 u_int32_t reqid;
224
225 /** index assigned by the kernel */
226 u_int32_t index;
227
228 /** direction of this policy: in, out, forward */
229 u_int8_t direction;
230
231 /** parameters of installed policy */
232 struct {
233 /** subnet and port */
234 host_t *net;
235 /** subnet mask */
236 u_int8_t mask;
237 /** protocol */
238 u_int8_t proto;
239 } src, dst;
240
241 /** associated route installed for this policy */
242 route_entry_t *route;
243
244 /** by how many CHILD_SA's this policy is used */
245 u_int refcount;
246 };
247
248 /**
249 * create a policy_entry_t object
250 */
251 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
252 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
253 {
254 policy_entry_t *policy = malloc_thing(policy_entry_t);
255 policy->reqid = reqid;
256 policy->index = 0;
257 policy->direction = dir;
258 policy->route = NULL;
259 policy->refcount = 0;
260
261 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
262 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
263
264 /* src or dest proto may be "any" (0), use more restrictive one */
265 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
266 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
267 policy->dst.proto = policy->src.proto;
268
269 return policy;
270 }
271
272 /**
273 * destroy a policy_entry_t object
274 */
275 static void policy_entry_destroy(policy_entry_t *this)
276 {
277 DESTROY_IF(this->src.net);
278 DESTROY_IF(this->dst.net);
279 if (this->route)
280 {
281 route_entry_destroy(this->route);
282 }
283 free(this);
284 }
285
286 /**
287 * compares two policy_entry_t
288 */
289 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
290 {
291 return current->direction == policy->direction &&
292 current->src.proto == policy->src.proto &&
293 current->dst.proto == policy->dst.proto &&
294 current->src.mask == policy->src.mask &&
295 current->dst.mask == policy->dst.mask &&
296 current->src.net->equals(current->src.net, policy->src.net) &&
297 current->dst.net->equals(current->dst.net, policy->dst.net);
298 }
299
300 /**
301 * compare the given kernel index with that of a policy
302 */
303 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
304 {
305 return current->index == *index;
306 }
307
308 typedef struct pfkey_msg_t pfkey_msg_t;
309
310 struct pfkey_msg_t
311 {
312 /**
313 * PF_KEY message base
314 */
315 struct sadb_msg *msg;
316
317 /**
318 * PF_KEY message extensions
319 */
320 union {
321 struct sadb_ext *ext[SADB_EXT_MAX + 1];
322 struct {
323 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
324 struct sadb_sa *sa; /* SADB_EXT_SA */
325 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
326 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
327 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
328 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
329 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
330 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
331 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
332 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
333 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
334 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
335 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
336 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
337 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
338 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
339 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
340 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
341 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
342 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
343 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
344 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
345 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
346 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
347 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
348 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
349 } __attribute__((__packed__));
350 };
351 };
352
353 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
354 "SADB_EXT_RESERVED",
355 "SADB_EXT_SA",
356 "SADB_EXT_LIFETIME_CURRENT",
357 "SADB_EXT_LIFETIME_HARD",
358 "SADB_EXT_LIFETIME_SOFT",
359 "SADB_EXT_ADDRESS_SRC",
360 "SADB_EXT_ADDRESS_DST",
361 "SADB_EXT_ADDRESS_PROXY",
362 "SADB_EXT_KEY_AUTH",
363 "SADB_EXT_KEY_ENCRYPT",
364 "SADB_EXT_IDENTITY_SRC",
365 "SADB_EXT_IDENTITY_DST",
366 "SADB_EXT_SENSITIVITY",
367 "SADB_EXT_PROPOSAL",
368 "SADB_EXT_SUPPORTED_AUTH",
369 "SADB_EXT_SUPPORTED_ENCRYPT",
370 "SADB_EXT_SPIRANGE",
371 "SADB_X_EXT_KMPRIVATE",
372 "SADB_X_EXT_POLICY",
373 "SADB_X_EXT_SA2",
374 "SADB_X_EXT_NAT_T_TYPE",
375 "SADB_X_EXT_NAT_T_SPORT",
376 "SADB_X_EXT_NAT_T_DPORT",
377 "SADB_X_EXT_NAT_T_OA",
378 "SADB_X_EXT_SEC_CTX",
379 "SADB_X_EXT_KMADDRESS"
380 );
381
382 /**
383 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
384 */
385 static u_int8_t proto_ike2satype(protocol_id_t proto)
386 {
387 switch (proto)
388 {
389 case PROTO_ESP:
390 return SADB_SATYPE_ESP;
391 case PROTO_AH:
392 return SADB_SATYPE_AH;
393 case IPPROTO_COMP:
394 return SADB_X_SATYPE_IPCOMP;
395 default:
396 return proto;
397 }
398 }
399
400 /**
401 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
402 */
403 static protocol_id_t proto_satype2ike(u_int8_t proto)
404 {
405 switch (proto)
406 {
407 case SADB_SATYPE_ESP:
408 return PROTO_ESP;
409 case SADB_SATYPE_AH:
410 return PROTO_AH;
411 case SADB_X_SATYPE_IPCOMP:
412 return IPPROTO_COMP;
413 default:
414 return proto;
415 }
416 }
417
418 /**
419 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
420 */
421 static u_int8_t proto_ike2ip(protocol_id_t proto)
422 {
423 switch (proto)
424 {
425 case PROTO_ESP:
426 return IPPROTO_ESP;
427 case PROTO_AH:
428 return IPPROTO_AH;
429 default:
430 return proto;
431 }
432 }
433
434 /**
435 * convert the general ipsec mode to the one defined in ipsec.h
436 */
437 static u_int8_t mode2kernel(ipsec_mode_t mode)
438 {
439 switch (mode)
440 {
441 case MODE_TRANSPORT:
442 return IPSEC_MODE_TRANSPORT;
443 case MODE_TUNNEL:
444 return IPSEC_MODE_TUNNEL;
445 #ifdef IPSEC_MODE_BEET
446 case MODE_BEET:
447 return IPSEC_MODE_BEET;
448 #endif
449 default:
450 return mode;
451 }
452 }
453
454 /**
455 * convert the general policy direction to the one defined in ipsec.h
456 */
457 static u_int8_t dir2kernel(policy_dir_t dir)
458 {
459 switch (dir)
460 {
461 case POLICY_IN:
462 return IPSEC_DIR_INBOUND;
463 case POLICY_OUT:
464 return IPSEC_DIR_OUTBOUND;
465 #ifdef IPSEC_DIR_FWD
466 case POLICY_FWD:
467 return IPSEC_DIR_FWD;
468 #endif
469 default:
470 return dir;
471 }
472 }
473
474 #ifdef SADB_X_MIGRATE
475 /**
476 * convert the policy direction in ipsec.h to the general one.
477 */
478 static policy_dir_t kernel2dir(u_int8_t dir)
479 {
480 switch (dir)
481 {
482 case IPSEC_DIR_INBOUND:
483 return POLICY_IN;
484 case IPSEC_DIR_OUTBOUND:
485 return POLICY_OUT;
486 #ifdef IPSEC_DIR_FWD
487 case IPSEC_DIR_FWD:
488 return POLICY_FWD;
489 #endif
490 default:
491 return dir;
492 }
493 }
494 #endif /*SADB_X_MIGRATE*/
495
496 typedef struct kernel_algorithm_t kernel_algorithm_t;
497
498 /**
499 * Mapping of IKEv2 algorithms to PF_KEY algorithms
500 */
501 struct kernel_algorithm_t {
502 /**
503 * Identifier specified in IKEv2
504 */
505 int ikev2;
506
507 /**
508 * Identifier as defined in pfkeyv2.h
509 */
510 int kernel;
511 };
512
513 #define END_OF_LIST -1
514
515 /**
516 * Algorithms for encryption
517 */
518 static kernel_algorithm_t encryption_algs[] = {
519 /* {ENCR_DES_IV64, 0 }, */
520 {ENCR_DES, SADB_EALG_DESCBC },
521 {ENCR_3DES, SADB_EALG_3DESCBC },
522 /* {ENCR_RC5, 0 }, */
523 /* {ENCR_IDEA, 0 }, */
524 {ENCR_CAST, SADB_X_EALG_CASTCBC },
525 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
526 /* {ENCR_3IDEA, 0 }, */
527 /* {ENCR_DES_IV32, 0 }, */
528 {ENCR_NULL, SADB_EALG_NULL },
529 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
530 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
531 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
532 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
533 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
534 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
535 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
536 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
537 {END_OF_LIST, 0 },
538 };
539
540 /**
541 * Algorithms for integrity protection
542 */
543 static kernel_algorithm_t integrity_algs[] = {
544 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
545 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
546 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
547 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
548 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
549 /* {AUTH_DES_MAC, 0, }, */
550 /* {AUTH_KPDK_MD5, 0, }, */
551 #ifdef SADB_X_AALG_AES_XCBC_MAC
552 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
553 #endif
554 {END_OF_LIST, 0, },
555 };
556
557 #if 0
558 /**
559 * Algorithms for IPComp, unused yet
560 */
561 static kernel_algorithm_t compression_algs[] = {
562 /* {IPCOMP_OUI, 0 }, */
563 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
564 {IPCOMP_LZS, SADB_X_CALG_LZS },
565 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
566 {END_OF_LIST, 0 },
567 };
568 #endif
569
570 /**
571 * Look up a kernel algorithm ID and its key size
572 */
573 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
574 {
575 while (list->ikev2 != END_OF_LIST)
576 {
577 if (ikev2 == list->ikev2)
578 {
579 return list->kernel;
580 }
581 list++;
582 }
583 return 0;
584 }
585
586 /**
587 * add a host behind a sadb_address extension
588 */
589 static void host2ext(host_t *host, struct sadb_address *ext)
590 {
591 sockaddr_t *host_addr = host->get_sockaddr(host);
592 socklen_t *len = host->get_sockaddr_len(host);
593 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
594 host_addr->sa_len = *len;
595 #endif
596 memcpy((char*)(ext + 1), host_addr, *len);
597 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
598 }
599
600 /**
601 * add a host to the given sadb_msg
602 */
603 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
604 u_int8_t proto, u_int8_t prefixlen)
605 {
606 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
607 addr->sadb_address_exttype = type;
608 addr->sadb_address_proto = proto;
609 addr->sadb_address_prefixlen = prefixlen;
610 host2ext(host, addr);
611 PFKEY_EXT_ADD(msg, addr);
612 }
613
614 /**
615 * adds an empty address extension to the given sadb_msg
616 */
617 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
618 {
619 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
620 sizeof(struct sockaddr_in6);
621 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
622 addr->sadb_address_exttype = type;
623 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
624 saddr->sa_family = family;
625 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
626 saddr->sa_len = len;
627 #endif
628 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
629 PFKEY_EXT_ADD(msg, addr);
630 }
631
632 #ifdef HAVE_NATT
633 /**
634 * add udp encap extensions to a sadb_msg
635 */
636 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
637 {
638 struct sadb_x_nat_t_type* nat_type;
639 struct sadb_x_nat_t_port* nat_port;
640
641 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
642 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
643 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
644 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
645 PFKEY_EXT_ADD(msg, nat_type);
646
647 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
648 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
649 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
650 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
651 PFKEY_EXT_ADD(msg, nat_port);
652
653 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
654 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
655 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
656 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
657 PFKEY_EXT_ADD(msg, nat_port);
658 }
659 #endif /*HAVE_NATT*/
660
661 /**
662 * Convert a sadb_address to a traffic_selector
663 */
664 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
665 {
666 traffic_selector_t *ts;
667 host_t *host;
668
669 /* The Linux 2.6 kernel does not set the protocol and port information
670 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
671 */
672 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
673 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
674 address->sadb_address_proto, host->get_port(host));
675 return ts;
676 }
677
678 /**
679 * Parses a pfkey message received from the kernel
680 */
681 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
682 {
683 struct sadb_ext* ext;
684 size_t len;
685
686 memset(out, 0, sizeof(pfkey_msg_t));
687 out->msg = msg;
688
689 len = msg->sadb_msg_len;
690 len -= PFKEY_LEN(sizeof(struct sadb_msg));
691
692 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
693
694 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
695 {
696 DBG2(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
697 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
698 ext->sadb_ext_len > len)
699 {
700 DBG1(DBG_KNL, "length of %N extension is invalid",
701 sadb_ext_type_names, ext->sadb_ext_type);
702 break;
703 }
704
705 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
706 {
707 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
708 break;
709 }
710
711 if (out->ext[ext->sadb_ext_type])
712 {
713 DBG1(DBG_KNL, "duplicate %N extension",
714 sadb_ext_type_names, ext->sadb_ext_type);
715 break;
716 }
717
718 out->ext[ext->sadb_ext_type] = ext;
719 ext = PFKEY_EXT_NEXT_LEN(ext, len);
720 }
721
722 if (len)
723 {
724 DBG1(DBG_KNL, "PF_KEY message length is invalid");
725 return FAILED;
726 }
727
728 return SUCCESS;
729 }
730
731 /**
732 * Send a message to a specific PF_KEY socket and handle the response.
733 */
734 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
735 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
736 {
737 unsigned char buf[PFKEY_BUFFER_SIZE];
738 struct sadb_msg *msg;
739 int in_len, len;
740
741 this->mutex_pfkey->lock(this->mutex_pfkey);
742
743 in->sadb_msg_seq = ++this->seq;
744 in->sadb_msg_pid = getpid();
745
746 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
747
748 while (TRUE)
749 {
750 len = send(socket, in, in_len, 0);
751
752 if (len != in_len)
753 {
754 if (errno == EINTR)
755 {
756 /* interrupted, try again */
757 continue;
758 }
759 this->mutex_pfkey->unlock(this->mutex_pfkey);
760 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
761 return FAILED;
762 }
763 break;
764 }
765
766 while (TRUE)
767 {
768 msg = (struct sadb_msg*)buf;
769
770 len = recv(socket, buf, sizeof(buf), 0);
771
772 if (len < 0)
773 {
774 if (errno == EINTR)
775 {
776 DBG1(DBG_KNL, "got interrupted");
777 /* interrupted, try again */
778 continue;
779 }
780 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
781 this->mutex_pfkey->unlock(this->mutex_pfkey);
782 return FAILED;
783 }
784 if (len < sizeof(struct sadb_msg) ||
785 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
786 {
787 DBG1(DBG_KNL, "received corrupted PF_KEY message");
788 this->mutex_pfkey->unlock(this->mutex_pfkey);
789 return FAILED;
790 }
791 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
792 {
793 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
794 this->mutex_pfkey->unlock(this->mutex_pfkey);
795 return FAILED;
796 }
797 if (msg->sadb_msg_pid != in->sadb_msg_pid)
798 {
799 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
800 continue;
801 }
802 if (msg->sadb_msg_seq != this->seq)
803 {
804 DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
805 "was %d expected %d", msg->sadb_msg_seq, this->seq);
806 if (msg->sadb_msg_seq < this->seq)
807 {
808 continue;
809 }
810 this->mutex_pfkey->unlock(this->mutex_pfkey);
811 return FAILED;
812 }
813 if (msg->sadb_msg_type != in->sadb_msg_type)
814 {
815 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
816 "was %d expected %d, ignoring",
817 msg->sadb_msg_type, in->sadb_msg_type);
818 }
819 break;
820 }
821
822 *out_len = len;
823 *out = (struct sadb_msg*)malloc(len);
824 memcpy(*out, buf, len);
825
826 this->mutex_pfkey->unlock(this->mutex_pfkey);
827
828 return SUCCESS;
829 }
830
831 /**
832 * Send a message to the default PF_KEY socket and handle the response.
833 */
834 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
835 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
836 {
837 return pfkey_send_socket(this, this->socket, in, out, out_len);
838 }
839
840 /**
841 * Process a SADB_ACQUIRE message from the kernel
842 */
843 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
844 {
845 pfkey_msg_t response;
846 u_int32_t index, reqid = 0;
847 traffic_selector_t *src_ts, *dst_ts;
848 policy_entry_t *policy;
849 job_t *job;
850
851 switch (msg->sadb_msg_satype)
852 {
853 case SADB_SATYPE_UNSPEC:
854 case SADB_SATYPE_ESP:
855 case SADB_SATYPE_AH:
856 break;
857 default:
858 /* acquire for AH/ESP only */
859 return;
860 }
861 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
862
863 if (parse_pfkey_message(msg, &response) != SUCCESS)
864 {
865 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
866 return;
867 }
868
869 index = response.x_policy->sadb_x_policy_id;
870 this->mutex->lock(this->mutex);
871 if (this->policies->find_first(this->policies,
872 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
873 {
874 reqid = policy->reqid;
875 }
876 else
877 {
878 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
879 index);
880 }
881 src_ts = sadb_address2ts(response.src);
882 dst_ts = sadb_address2ts(response.dst);
883 this->mutex->unlock(this->mutex);
884
885 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
886 src_ts, dst_ts, reqid);
887 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
888 charon->processor->queue_job(charon->processor, job);
889 }
890
891 /**
892 * Process a SADB_EXPIRE message from the kernel
893 */
894 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
895 {
896 pfkey_msg_t response;
897 protocol_id_t protocol;
898 u_int32_t spi, reqid;
899 bool hard;
900 job_t *job;
901
902 DBG2(DBG_KNL, "received an SADB_EXPIRE");
903
904 if (parse_pfkey_message(msg, &response) != SUCCESS)
905 {
906 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
907 return;
908 }
909
910 protocol = proto_satype2ike(msg->sadb_msg_satype);
911 spi = response.sa->sadb_sa_spi;
912 reqid = response.x_sa2->sadb_x_sa2_reqid;
913 hard = response.lft_hard != NULL;
914
915 if (protocol != PROTO_ESP && protocol != PROTO_AH)
916 {
917 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
918 "which is not a CHILD_SA", ntohl(spi), reqid);
919 return;
920 }
921
922 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
923 hard ? "delete" : "rekey", protocol_id_names,
924 protocol, ntohl(spi), reqid);
925 if (hard)
926 {
927 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
928 }
929 else
930 {
931 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
932 }
933 charon->processor->queue_job(charon->processor, job);
934 }
935
936 #ifdef SADB_X_MIGRATE
937 /**
938 * Process a SADB_X_MIGRATE message from the kernel
939 */
940 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
941 {
942 pfkey_msg_t response;
943 traffic_selector_t *src_ts, *dst_ts;
944 policy_dir_t dir;
945 u_int32_t reqid = 0;
946 host_t *local = NULL, *remote = NULL;
947 job_t *job;
948
949 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
950
951 if (parse_pfkey_message(msg, &response) != SUCCESS)
952 {
953 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
954 return;
955 }
956 src_ts = sadb_address2ts(response.src);
957 dst_ts = sadb_address2ts(response.dst);
958 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
959 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
960 policy_dir_names, dir);
961
962 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
963 if (response.x_kmaddress)
964 {
965 sockaddr_t *local_addr, *remote_addr;
966 u_int32_t local_len;
967
968 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
969 local = host_create_from_sockaddr(local_addr);
970 local_len = (local_addr->sa_family == AF_INET6)?
971 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
972 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
973 remote = host_create_from_sockaddr(remote_addr);
974 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
975 }
976
977 if (src_ts && dst_ts && local && remote)
978 {
979 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
980 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
981 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
982 local, remote);
983 charon->processor->queue_job(charon->processor, job);
984 }
985 else
986 {
987 DESTROY_IF(src_ts);
988 DESTROY_IF(dst_ts);
989 DESTROY_IF(local);
990 DESTROY_IF(remote);
991 }
992 }
993 #endif /*SADB_X_MIGRATE*/
994
995 #ifdef HAVE_NATT
996 /**
997 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
998 */
999 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
1000 {
1001 pfkey_msg_t response;
1002 u_int32_t spi, reqid;
1003 host_t *host;
1004 job_t *job;
1005
1006 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1007
1008 if (parse_pfkey_message(msg, &response) != SUCCESS)
1009 {
1010 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1011 return;
1012 }
1013
1014 if (!response.x_sa2)
1015 {
1016 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
1017 return;
1018 }
1019
1020 spi = response.sa->sadb_sa_spi;
1021 reqid = response.x_sa2->sadb_x_sa2_reqid;
1022
1023 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
1024 {
1025 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
1026 switch (sa->sa_family)
1027 {
1028 case AF_INET:
1029 {
1030 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1031 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1032 }
1033 case AF_INET6:
1034 {
1035 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1036 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1037 }
1038 default:
1039 break;
1040 }
1041 host = host_create_from_sockaddr(sa);
1042 if (host)
1043 {
1044 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
1045 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
1046 job = (job_t*)update_sa_job_create(reqid, host);
1047 charon->processor->queue_job(charon->processor, job);
1048 }
1049 }
1050 }
1051 #endif /*HAVE_NATT*/
1052
1053 /**
1054 * Receives events from kernel
1055 */
1056 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1057 {
1058 unsigned char buf[PFKEY_BUFFER_SIZE];
1059 struct sadb_msg *msg = (struct sadb_msg*)buf;
1060 int len, oldstate;
1061
1062 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
1063 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1064 pthread_setcancelstate(oldstate, NULL);
1065
1066 if (len < 0)
1067 {
1068 switch (errno)
1069 {
1070 case EINTR:
1071 /* interrupted, try again */
1072 return JOB_REQUEUE_DIRECT;
1073 case EAGAIN:
1074 /* no data ready, select again */
1075 return JOB_REQUEUE_DIRECT;
1076 default:
1077 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1078 sleep(1);
1079 return JOB_REQUEUE_FAIR;
1080 }
1081 }
1082
1083 if (len < sizeof(struct sadb_msg) ||
1084 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1085 {
1086 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1087 return JOB_REQUEUE_DIRECT;
1088 }
1089 if (msg->sadb_msg_pid != 0)
1090 { /* not from kernel. not interested, try another one */
1091 return JOB_REQUEUE_DIRECT;
1092 }
1093 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1094 {
1095 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
1096 return JOB_REQUEUE_DIRECT;
1097 }
1098
1099 switch (msg->sadb_msg_type)
1100 {
1101 case SADB_ACQUIRE:
1102 process_acquire(this, msg);
1103 break;
1104 case SADB_EXPIRE:
1105 process_expire(this, msg);
1106 break;
1107 #ifdef SADB_X_MIGRATE
1108 case SADB_X_MIGRATE:
1109 process_migrate(this, msg);
1110 break;
1111 #endif /*SADB_X_MIGRATE*/
1112 #ifdef HAVE_NATT
1113 case SADB_X_NAT_T_NEW_MAPPING:
1114 process_mapping(this, msg);
1115 break;
1116 #endif /*HAVE_NATT*/
1117 default:
1118 break;
1119 }
1120
1121 return JOB_REQUEUE_DIRECT;
1122 }
1123
1124 /**
1125 * Implementation of kernel_interface_t.get_spi.
1126 */
1127 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
1128 host_t *src, host_t *dst,
1129 protocol_id_t protocol, u_int32_t reqid,
1130 u_int32_t *spi)
1131 {
1132 unsigned char request[PFKEY_BUFFER_SIZE];
1133 struct sadb_msg *msg, *out;
1134 struct sadb_x_sa2 *sa2;
1135 struct sadb_spirange *range;
1136 pfkey_msg_t response;
1137 u_int32_t received_spi = 0;
1138 size_t len;
1139
1140 memset(&request, 0, sizeof(request));
1141
1142 msg = (struct sadb_msg*)request;
1143 msg->sadb_msg_version = PF_KEY_V2;
1144 msg->sadb_msg_type = SADB_GETSPI;
1145 msg->sadb_msg_satype = proto_ike2satype(protocol);
1146 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1147
1148 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1149 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1150 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1151 sa2->sadb_x_sa2_reqid = reqid;
1152 PFKEY_EXT_ADD(msg, sa2);
1153
1154 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1155 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1156
1157 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1158 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1159 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1160 range->sadb_spirange_min = 0xc0000000;
1161 range->sadb_spirange_max = 0xcFFFFFFF;
1162 PFKEY_EXT_ADD(msg, range);
1163
1164 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1165 {
1166 if (out->sadb_msg_errno)
1167 {
1168 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1169 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1170 }
1171 else if (parse_pfkey_message(out, &response) == SUCCESS)
1172 {
1173 received_spi = response.sa->sadb_sa_spi;
1174 }
1175 free(out);
1176 }
1177
1178 if (received_spi == 0)
1179 {
1180 return FAILED;
1181 }
1182
1183 *spi = received_spi;
1184 return SUCCESS;
1185 }
1186
1187 /**
1188 * Implementation of kernel_interface_t.get_cpi.
1189 */
1190 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
1191 host_t *src, host_t *dst,
1192 u_int32_t reqid, u_int16_t *cpi)
1193 {
1194 return FAILED;
1195 }
1196
1197 /**
1198 * Implementation of kernel_interface_t.add_sa.
1199 */
1200 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
1201 host_t *src, host_t *dst, u_int32_t spi,
1202 protocol_id_t protocol, u_int32_t reqid,
1203 u_int64_t expire_soft, u_int64_t expire_hard,
1204 u_int16_t enc_alg, chunk_t enc_key,
1205 u_int16_t int_alg, chunk_t int_key,
1206 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1207 bool encap, bool inbound)
1208 {
1209 unsigned char request[PFKEY_BUFFER_SIZE];
1210 struct sadb_msg *msg, *out;
1211 struct sadb_sa *sa;
1212 struct sadb_x_sa2 *sa2;
1213 struct sadb_lifetime *lft;
1214 struct sadb_key *key;
1215 size_t len;
1216
1217 memset(&request, 0, sizeof(request));
1218
1219 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1220
1221 msg = (struct sadb_msg*)request;
1222 msg->sadb_msg_version = PF_KEY_V2;
1223 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1224 msg->sadb_msg_satype = proto_ike2satype(protocol);
1225 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1226
1227 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1228 sa->sadb_sa_exttype = SADB_EXT_SA;
1229 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1230 sa->sadb_sa_spi = spi;
1231 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1232 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1233 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1234 PFKEY_EXT_ADD(msg, sa);
1235
1236 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1237 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1238 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1239 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1240 sa2->sadb_x_sa2_reqid = reqid;
1241 PFKEY_EXT_ADD(msg, sa2);
1242
1243 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1244 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1245
1246 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1247 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1248 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1249 lft->sadb_lifetime_addtime = expire_soft;
1250 PFKEY_EXT_ADD(msg, lft);
1251
1252 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1253 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1254 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1255 lft->sadb_lifetime_addtime = expire_hard;
1256 PFKEY_EXT_ADD(msg, lft);
1257
1258 if (enc_alg != ENCR_UNDEFINED)
1259 {
1260 if (!sa->sadb_sa_encrypt)
1261 {
1262 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1263 encryption_algorithm_names, enc_alg);
1264 return FAILED;
1265 }
1266 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1267 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1268
1269 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1270 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1271 key->sadb_key_bits = enc_key.len * 8;
1272 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1273 memcpy(key + 1, enc_key.ptr, enc_key.len);
1274
1275 PFKEY_EXT_ADD(msg, key);
1276 }
1277
1278 if (int_alg != AUTH_UNDEFINED)
1279 {
1280 if (!sa->sadb_sa_auth)
1281 {
1282 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1283 integrity_algorithm_names, int_alg);
1284 return FAILED;
1285 }
1286 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1287 integrity_algorithm_names, int_alg, int_key.len * 8);
1288
1289 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1290 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1291 key->sadb_key_bits = int_key.len * 8;
1292 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1293 memcpy(key + 1, int_key.ptr, int_key.len);
1294
1295 PFKEY_EXT_ADD(msg, key);
1296 }
1297
1298 if (ipcomp != IPCOMP_NONE)
1299 {
1300 /*TODO*/
1301 }
1302
1303 #ifdef HAVE_NATT
1304 if (encap)
1305 {
1306 add_encap_ext(msg, src, dst);
1307 }
1308 #endif /*HAVE_NATT*/
1309
1310 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1311 {
1312 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1313 return FAILED;
1314 }
1315 else if (out->sadb_msg_errno)
1316 {
1317 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1318 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1319 free(out);
1320 return FAILED;
1321 }
1322
1323 free(out);
1324 return SUCCESS;
1325 }
1326
1327 /**
1328 * Implementation of kernel_interface_t.update_sa.
1329 */
1330 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1331 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1332 host_t *src, host_t *dst,
1333 host_t *new_src, host_t *new_dst,
1334 bool encap, bool new_encap)
1335 {
1336 unsigned char request[PFKEY_BUFFER_SIZE];
1337 struct sadb_msg *msg, *out;
1338 struct sadb_sa *sa;
1339 pfkey_msg_t response;
1340 size_t len;
1341
1342 /* we can't update the SA if any of the ip addresses have changed.
1343 * that's because we can't use SADB_UPDATE and by deleting and readding the
1344 * SA the sequence numbers would get lost */
1345 if (!src->ip_equals(src, new_src) ||
1346 !dst->ip_equals(dst, new_dst))
1347 {
1348 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
1349 " are not supported", ntohl(spi));
1350 return NOT_SUPPORTED;
1351 }
1352
1353 memset(&request, 0, sizeof(request));
1354
1355 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1356
1357 msg = (struct sadb_msg*)request;
1358 msg->sadb_msg_version = PF_KEY_V2;
1359 msg->sadb_msg_type = SADB_GET;
1360 msg->sadb_msg_satype = proto_ike2satype(protocol);
1361 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1362
1363 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1364 sa->sadb_sa_exttype = SADB_EXT_SA;
1365 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1366 sa->sadb_sa_spi = spi;
1367 PFKEY_EXT_ADD(msg, sa);
1368
1369 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1370 * it is not used for anything. */
1371 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1372 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1373
1374 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1375 {
1376 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1377 ntohl(spi));
1378 return FAILED;
1379 }
1380 else if (out->sadb_msg_errno)
1381 {
1382 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1383 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1384 free(out);
1385 return FAILED;
1386 }
1387 else if (parse_pfkey_message(out, &response) != SUCCESS)
1388 {
1389 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1390 "from kernel failed", ntohl(spi));
1391 free(out);
1392 return FAILED;
1393 }
1394
1395 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1396 ntohl(spi), src, dst, new_src, new_dst);
1397
1398 memset(&request, 0, sizeof(request));
1399
1400 msg = (struct sadb_msg*)request;
1401 msg->sadb_msg_version = PF_KEY_V2;
1402 msg->sadb_msg_type = SADB_UPDATE;
1403 msg->sadb_msg_satype = proto_ike2satype(protocol);
1404 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1405
1406 PFKEY_EXT_COPY(msg, response.sa);
1407 PFKEY_EXT_COPY(msg, response.x_sa2);
1408
1409 PFKEY_EXT_COPY(msg, response.src);
1410 PFKEY_EXT_COPY(msg, response.dst);
1411
1412 PFKEY_EXT_COPY(msg, response.lft_soft);
1413 PFKEY_EXT_COPY(msg, response.lft_hard);
1414
1415 if (response.key_encr)
1416 {
1417 PFKEY_EXT_COPY(msg, response.key_encr);
1418 }
1419
1420 if (response.key_auth)
1421 {
1422 PFKEY_EXT_COPY(msg, response.key_auth);
1423 }
1424
1425 #ifdef HAVE_NATT
1426 if (new_encap)
1427 {
1428 add_encap_ext(msg, new_src, new_dst);
1429 }
1430 #endif /*HAVE_NATT*/
1431
1432 free(out);
1433
1434 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1435 {
1436 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1437 return FAILED;
1438 }
1439 else if (out->sadb_msg_errno)
1440 {
1441 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1442 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1443 free(out);
1444 return FAILED;
1445 }
1446 free(out);
1447
1448 return SUCCESS;
1449 }
1450
1451 /**
1452 * Implementation of kernel_interface_t.del_sa.
1453 */
1454 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
1455 host_t *dst, u_int32_t spi, protocol_id_t protocol,
1456 u_int16_t cpi)
1457 {
1458 unsigned char request[PFKEY_BUFFER_SIZE];
1459 struct sadb_msg *msg, *out;
1460 struct sadb_sa *sa;
1461 size_t len;
1462
1463 memset(&request, 0, sizeof(request));
1464
1465 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1466
1467 msg = (struct sadb_msg*)request;
1468 msg->sadb_msg_version = PF_KEY_V2;
1469 msg->sadb_msg_type = SADB_DELETE;
1470 msg->sadb_msg_satype = proto_ike2satype(protocol);
1471 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1472
1473 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1474 sa->sadb_sa_exttype = SADB_EXT_SA;
1475 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1476 sa->sadb_sa_spi = spi;
1477 PFKEY_EXT_ADD(msg, sa);
1478
1479 /* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */
1480 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1481 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1482
1483 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1484 {
1485 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1486 return FAILED;
1487 }
1488 else if (out->sadb_msg_errno)
1489 {
1490 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1491 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1492 free(out);
1493 return FAILED;
1494 }
1495
1496 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1497 free(out);
1498 return SUCCESS;
1499 }
1500
1501 /**
1502 * Implementation of kernel_interface_t.add_policy.
1503 */
1504 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1505 host_t *src, host_t *dst,
1506 traffic_selector_t *src_ts,
1507 traffic_selector_t *dst_ts,
1508 policy_dir_t direction, u_int32_t spi,
1509 protocol_id_t protocol, u_int32_t reqid,
1510 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1511 bool routed)
1512 {
1513 unsigned char request[PFKEY_BUFFER_SIZE];
1514 struct sadb_msg *msg, *out;
1515 struct sadb_x_policy *pol;
1516 struct sadb_x_ipsecrequest *req;
1517 policy_entry_t *policy, *found = NULL;
1518 pfkey_msg_t response;
1519 size_t len;
1520
1521 /* create a policy */
1522 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1523
1524 /* find a matching policy */
1525 this->mutex->lock(this->mutex);
1526 if (this->policies->find_first(this->policies,
1527 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1528 {
1529 /* use existing policy */
1530 found->refcount++;
1531 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1532 "refcount", src_ts, dst_ts,
1533 policy_dir_names, direction);
1534 policy_entry_destroy(policy);
1535 policy = found;
1536 }
1537 else
1538 {
1539 /* apply the new one, if we have no such policy */
1540 this->policies->insert_last(this->policies, policy);
1541 policy->refcount = 1;
1542 }
1543
1544 memset(&request, 0, sizeof(request));
1545
1546 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1547 policy_dir_names, direction);
1548
1549 msg = (struct sadb_msg*)request;
1550 msg->sadb_msg_version = PF_KEY_V2;
1551 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1552 msg->sadb_msg_satype = 0;
1553 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1554
1555 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1556 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1557 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1558 pol->sadb_x_policy_id = 0;
1559 pol->sadb_x_policy_dir = dir2kernel(direction);
1560 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1561 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1562 /* calculate priority based on source selector size, small size = high prio */
1563 pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
1564 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1565 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1566 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1567 #endif
1568
1569 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1570 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1571 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1572 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1573 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1574 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1575 req->sadb_x_ipsecrequest_reqid = reqid;
1576 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1577 if (mode == MODE_TUNNEL)
1578 {
1579 sockaddr_t *sa;
1580 socklen_t sl;
1581 sa = src->get_sockaddr(src);
1582 sl = *src->get_sockaddr_len(src);
1583 memcpy(req + 1, sa, sl);
1584 sa = dst->get_sockaddr(dst);
1585 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1586 req->sadb_x_ipsecrequest_len += sl * 2;
1587 }
1588
1589 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1590 PFKEY_EXT_ADD(msg, pol);
1591
1592 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1593 policy->src.mask);
1594 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1595 policy->dst.mask);
1596
1597 this->mutex->unlock(this->mutex);
1598
1599 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1600 {
1601 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1602 policy_dir_names, direction);
1603 return FAILED;
1604 }
1605 else if (out->sadb_msg_errno)
1606 {
1607 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1608 policy_dir_names, direction,
1609 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1610 free(out);
1611 return FAILED;
1612 }
1613 else if (parse_pfkey_message(out, &response) != SUCCESS)
1614 {
1615 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1616 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1617 free(out);
1618 return FAILED;
1619 }
1620
1621 this->mutex->lock(this->mutex);
1622
1623 /* we try to find the policy again and update the kernel index */
1624 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1625 {
1626 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1627 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1628 this->mutex->unlock(this->mutex);
1629 free(out);
1630 return SUCCESS;
1631 }
1632 policy->index = response.x_policy->sadb_x_policy_id;
1633 free(out);
1634
1635 /* install a route, if:
1636 * - we are NOT updating a policy
1637 * - this is a forward policy (to just get one for each child)
1638 * - we are in tunnel mode
1639 * - we are not using IPv6 (does not work correctly yet!)
1640 * - routing is not disabled via strongswan.conf
1641 */
1642 if (policy->route == NULL && direction == POLICY_FWD &&
1643 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1644 this->install_routes)
1645 {
1646 route_entry_t *route = malloc_thing(route_entry_t);
1647
1648 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1649 dst_ts, &route->src_ip) == SUCCESS)
1650 {
1651 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1652 route->gateway = charon->kernel_interface->get_nexthop(
1653 charon->kernel_interface, src);
1654 route->if_name = charon->kernel_interface->get_interface(
1655 charon->kernel_interface, dst);
1656 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1657 route->prefixlen = policy->src.mask;
1658
1659 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1660 route->dst_net, route->prefixlen, route->gateway,
1661 route->src_ip, route->if_name))
1662 {
1663 default:
1664 DBG1(DBG_KNL, "unable to install source route for %H",
1665 route->src_ip);
1666 /* FALL */
1667 case ALREADY_DONE:
1668 /* route exists, do not uninstall */
1669 route_entry_destroy(route);
1670 break;
1671 case SUCCESS:
1672 /* cache the installed route */
1673 policy->route = route;
1674 break;
1675 }
1676 }
1677 else
1678 {
1679 free(route);
1680 }
1681 }
1682
1683 this->mutex->unlock(this->mutex);
1684
1685 return SUCCESS;
1686 }
1687
1688 /**
1689 * Implementation of kernel_interface_t.query_policy.
1690 */
1691 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1692 traffic_selector_t *src_ts,
1693 traffic_selector_t *dst_ts,
1694 policy_dir_t direction, u_int32_t *use_time)
1695 {
1696 unsigned char request[PFKEY_BUFFER_SIZE];
1697 struct sadb_msg *msg, *out;
1698 struct sadb_x_policy *pol;
1699 policy_entry_t *policy, *found = NULL;
1700 pfkey_msg_t response;
1701 size_t len;
1702
1703 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1704 policy_dir_names, direction);
1705
1706 /* create a policy */
1707 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1708
1709 /* find a matching policy */
1710 this->mutex->lock(this->mutex);
1711 if (this->policies->find_first(this->policies,
1712 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1713 {
1714 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1715 dst_ts, policy_dir_names, direction);
1716 policy_entry_destroy(policy);
1717 this->mutex->unlock(this->mutex);
1718 return NOT_FOUND;
1719 }
1720 policy_entry_destroy(policy);
1721 policy = found;
1722
1723 memset(&request, 0, sizeof(request));
1724
1725 msg = (struct sadb_msg*)request;
1726 msg->sadb_msg_version = PF_KEY_V2;
1727 msg->sadb_msg_type = SADB_X_SPDGET;
1728 msg->sadb_msg_satype = 0;
1729 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1730
1731 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1732 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1733 pol->sadb_x_policy_id = policy->index;
1734 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1735 pol->sadb_x_policy_dir = dir2kernel(direction);
1736 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1737 PFKEY_EXT_ADD(msg, pol);
1738
1739 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1740 policy->src.mask);
1741 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1742 policy->dst.mask);
1743
1744 this->mutex->unlock(this->mutex);
1745
1746 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1747 {
1748 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1749 policy_dir_names, direction);
1750 return FAILED;
1751 }
1752 else if (out->sadb_msg_errno)
1753 {
1754 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1755 dst_ts, policy_dir_names, direction,
1756 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1757 free(out);
1758 return FAILED;
1759 }
1760 else if (parse_pfkey_message(out, &response) != SUCCESS)
1761 {
1762 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1763 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1764 free(out);
1765 return FAILED;
1766 }
1767
1768 *use_time = response.lft_current->sadb_lifetime_usetime;
1769
1770 free(out);
1771
1772 return SUCCESS;
1773 }
1774
1775 /**
1776 * Implementation of kernel_interface_t.del_policy.
1777 */
1778 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1779 traffic_selector_t *src_ts,
1780 traffic_selector_t *dst_ts,
1781 policy_dir_t direction, bool unrouted)
1782 {
1783 unsigned char request[PFKEY_BUFFER_SIZE];
1784 struct sadb_msg *msg, *out;
1785 struct sadb_x_policy *pol;
1786 policy_entry_t *policy, *found = NULL;
1787 route_entry_t *route;
1788 size_t len;
1789
1790 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1791 policy_dir_names, direction);
1792
1793 /* create a policy */
1794 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1795
1796 /* find a matching policy */
1797 this->mutex->lock(this->mutex);
1798 if (this->policies->find_first(this->policies,
1799 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1800 {
1801 if (--found->refcount > 0)
1802 {
1803 /* is used by more SAs, keep in kernel */
1804 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1805 policy_entry_destroy(policy);
1806 this->mutex->unlock(this->mutex);
1807 return SUCCESS;
1808 }
1809 /* remove if last reference */
1810 this->policies->remove(this->policies, found, NULL);
1811 policy_entry_destroy(policy);
1812 policy = found;
1813 }
1814 else
1815 {
1816 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1817 dst_ts, policy_dir_names, direction);
1818 policy_entry_destroy(policy);
1819 this->mutex->unlock(this->mutex);
1820 return NOT_FOUND;
1821 }
1822 this->mutex->unlock(this->mutex);
1823
1824 memset(&request, 0, sizeof(request));
1825
1826 msg = (struct sadb_msg*)request;
1827 msg->sadb_msg_version = PF_KEY_V2;
1828 msg->sadb_msg_type = SADB_X_SPDDELETE;
1829 msg->sadb_msg_satype = 0;
1830 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1831
1832 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1833 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1834 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1835 pol->sadb_x_policy_dir = dir2kernel(direction);
1836 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1837 PFKEY_EXT_ADD(msg, pol);
1838
1839 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1840 policy->src.mask);
1841 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1842 policy->dst.mask);
1843
1844 route = policy->route;
1845 policy->route = NULL;
1846 policy_entry_destroy(policy);
1847
1848 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1849 {
1850 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1851 policy_dir_names, direction);
1852 return FAILED;
1853 }
1854 else if (out->sadb_msg_errno)
1855 {
1856 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
1857 dst_ts, policy_dir_names, direction,
1858 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1859 free(out);
1860 return FAILED;
1861 }
1862 free(out);
1863
1864 if (route)
1865 {
1866 if (charon->kernel_interface->del_route(charon->kernel_interface,
1867 route->dst_net, route->prefixlen, route->gateway,
1868 route->src_ip, route->if_name) != SUCCESS)
1869 {
1870 DBG1(DBG_KNL, "error uninstalling route installed with "
1871 "policy %R === %R %N", src_ts, dst_ts,
1872 policy_dir_names, direction);
1873 }
1874 route_entry_destroy(route);
1875 }
1876
1877 return SUCCESS;
1878 }
1879
1880 /**
1881 * Register a socket for AQUIRE/EXPIRE messages
1882 */
1883 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
1884 {
1885 unsigned char request[PFKEY_BUFFER_SIZE];
1886 struct sadb_msg *msg, *out;
1887 size_t len;
1888
1889 memset(&request, 0, sizeof(request));
1890
1891 msg = (struct sadb_msg*)request;
1892 msg->sadb_msg_version = PF_KEY_V2;
1893 msg->sadb_msg_type = SADB_REGISTER;
1894 msg->sadb_msg_satype = satype;
1895 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1896
1897 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
1898 {
1899 DBG1(DBG_KNL, "unable to register PF_KEY socket");
1900 return FAILED;
1901 }
1902 else if (out->sadb_msg_errno)
1903 {
1904 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
1905 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1906 free(out);
1907 return FAILED;
1908 }
1909 free(out);
1910 return SUCCESS;
1911 }
1912
1913 /**
1914 * Implementation of kernel_interface_t.destroy.
1915 */
1916 static void destroy(private_kernel_pfkey_ipsec_t *this)
1917 {
1918 this->job->cancel(this->job);
1919 close(this->socket);
1920 close(this->socket_events);
1921 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
1922 this->mutex->destroy(this->mutex);
1923 this->mutex_pfkey->destroy(this->mutex_pfkey);
1924 free(this);
1925 }
1926
1927 /**
1928 * Add bypass policies for IKE on the sockets of charon
1929 */
1930 static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
1931 {
1932 int fd, family, port;
1933 enumerator_t *sockets;
1934 bool status = TRUE;
1935
1936 sockets = charon->socket->create_enumerator(charon->socket);
1937 while (sockets->enumerate(sockets, &fd, &family, &port))
1938 {
1939 struct sadb_x_policy policy;
1940 u_int sol, ipsec_policy;
1941
1942 switch (family)
1943 {
1944 case AF_INET:
1945 {
1946 sol = SOL_IP;
1947 ipsec_policy = IP_IPSEC_POLICY;
1948 break;
1949 }
1950 case AF_INET6:
1951 {
1952 sol = SOL_IPV6;
1953 ipsec_policy = IPV6_IPSEC_POLICY;
1954 break;
1955 }
1956 default:
1957 continue;
1958 }
1959
1960 memset(&policy, 0, sizeof(policy));
1961 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
1962 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1963 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
1964
1965 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
1966 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1967 {
1968 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1969 strerror(errno));
1970 status = FALSE;
1971 break;
1972 }
1973 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
1974 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1975 {
1976 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1977 strerror(errno));
1978 status = FALSE;
1979 break;
1980 }
1981 }
1982 sockets->destroy(sockets);
1983 return status;
1984 }
1985
1986 /*
1987 * Described in header.
1988 */
1989 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
1990 {
1991 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
1992
1993 /* public functions */
1994 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1995 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1996 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
1997 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
1998 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
1999 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
2000 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2001 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
2002
2003 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
2004
2005 /* private members */
2006 this->policies = linked_list_create();
2007 this->mutex = mutex_create(MUTEX_DEFAULT);
2008 this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
2009 this->install_routes = lib->settings->get_bool(lib->settings,
2010 "charon.install_routes", TRUE);
2011 this->seq = 0;
2012
2013 /* create a PF_KEY socket to communicate with the kernel */
2014 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2015 if (this->socket <= 0)
2016 {
2017 charon->kill(charon, "unable to create PF_KEY socket");
2018 }
2019
2020 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2021 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2022 if (this->socket_events <= 0)
2023 {
2024 charon->kill(charon, "unable to create PF_KEY event socket");
2025 }
2026
2027 /* add bypass policies on the sockets used by charon */
2028 if (!add_bypass_policies(this))
2029 {
2030 charon->kill(charon, "unable to add bypass policies on sockets");
2031 }
2032
2033 /* register the event socket */
2034 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2035 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2036 {
2037 charon->kill(charon, "unable to register PF_KEY event socket");
2038 }
2039
2040 this->job = callback_job_create((callback_job_cb_t)receive_events,
2041 this, NULL, NULL);
2042 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2043
2044 return &this->public;
2045 }