560654e14e093b4a1a901883122a578f3fc577ad
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * $Id$
17 */
18
19 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <stdint.h>
22 #include <linux/ipsec.h>
23 #include <linux/pfkeyv2.h>
24 #include <linux/udp.h>
25 #include <unistd.h>
26 #include <pthread.h>
27 #include <errno.h>
28
29 #include "kernel_pfkey_ipsec.h"
30
31 #include <daemon.h>
32 #include <utils/host.h>
33 #include <utils/mutex.h>
34 #include <processing/jobs/callback_job.h>
35 #include <processing/jobs/acquire_job.h>
36 #include <processing/jobs/migrate_job.h>
37 #include <processing/jobs/rekey_child_sa_job.h>
38 #include <processing/jobs/delete_child_sa_job.h>
39 #include <processing/jobs/update_sa_job.h>
40
41 /** default priority of installed policies */
42 #define PRIO_LOW 3000
43 #define PRIO_HIGH 2000
44
45 /** buffer size for PF_KEY messages */
46 #define PFKEY_BUFFER_SIZE 4096
47
48 /** PF_KEY messages are 64 bit aligned */
49 #define PFKEY_ALIGNMENT 8
50 /** aligns len to 64 bits */
51 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
52 /** calculates the properly padded length in 64 bit chunks */
53 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
54 /** calculates user mode length i.e. in bytes */
55 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
56
57 /** given a PF_KEY message header and an extension this updates the length in the header */
58 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
59 /** given a PF_KEY message header this returns a pointer to the next extension */
60 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
61 /** copy an extension and append it to a PF_KEY message */
62 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
63 /** given a PF_KEY extension this returns a pointer to the next extension */
64 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
65 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
66 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
67 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
68 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
69 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
70 (ext)->sadb_ext_len <= (len))
71
72 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
73
74 /**
75 * Private variables and functions of kernel_pfkey class.
76 */
77 struct private_kernel_pfkey_ipsec_t
78 {
79 /**
80 * Public part of the kernel_pfkey_t object.
81 */
82 kernel_pfkey_ipsec_t public;
83
84 /**
85 * mutex to lock access to various lists
86 */
87 mutex_t *mutex;
88
89 /**
90 * List of installed policies (policy_entry_t)
91 */
92 linked_list_t *policies;
93
94 /**
95 * whether to install routes along policies
96 */
97 bool install_routes;
98
99 /**
100 * job receiving PF_KEY events
101 */
102 callback_job_t *job;
103
104 /**
105 * mutex to lock access to the PF_KEY socket
106 */
107 mutex_t *mutex_pfkey;
108
109 /**
110 * PF_KEY socket to communicate with the kernel
111 */
112 int socket;
113
114 /**
115 * PF_KEY socket to receive acquire and expire events
116 */
117 int socket_events;
118
119 /**
120 * sequence number for messages sent to the kernel
121 */
122 int seq;
123 };
124
125 typedef struct route_entry_t route_entry_t;
126
127 /**
128 * installed routing entry
129 */
130 struct route_entry_t {
131 /** Name of the interface the route is bound to */
132 char *if_name;
133
134 /** Source ip of the route */
135 host_t *src_ip;
136
137 /** gateway for this route */
138 host_t *gateway;
139
140 /** Destination net */
141 chunk_t dst_net;
142
143 /** Destination net prefixlen */
144 u_int8_t prefixlen;
145 };
146
147 /**
148 * destroy an route_entry_t object
149 */
150 static void route_entry_destroy(route_entry_t *this)
151 {
152 free(this->if_name);
153 this->src_ip->destroy(this->src_ip);
154 this->gateway->destroy(this->gateway);
155 chunk_free(&this->dst_net);
156 free(this);
157 }
158
159 typedef struct policy_entry_t policy_entry_t;
160
161 /**
162 * installed kernel policy.
163 */
164 struct policy_entry_t {
165
166 /** reqid of this policy */
167 u_int32_t reqid;
168
169 /** index assigned by the kernel */
170 u_int32_t index;
171
172 /** direction of this policy: in, out, forward */
173 u_int8_t direction;
174
175 /** parameters of installed policy */
176 struct {
177 /** subnet and port */
178 host_t *net;
179 /** subnet mask */
180 u_int8_t mask;
181 /** protocol */
182 u_int8_t proto;
183 } src, dst;
184
185 /** associated route installed for this policy */
186 route_entry_t *route;
187
188 /** by how many CHILD_SA's this policy is used */
189 u_int refcount;
190 };
191
192 /**
193 * create a policy_entry_t object
194 */
195 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
196 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
197 {
198 policy_entry_t *policy = malloc_thing(policy_entry_t);
199 policy->reqid = reqid;
200 policy->index = 0;
201 policy->direction = dir;
202 policy->route = NULL;
203 policy->refcount = 0;
204
205 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
206 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
207
208 /* src or dest proto may be "any" (0), use more restrictive one */
209 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
210 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
211 policy->dst.proto = policy->src.proto;
212
213 return policy;
214 }
215
216 /**
217 * destroy a policy_entry_t object
218 */
219 static void policy_entry_destroy(policy_entry_t *this)
220 {
221 DESTROY_IF(this->src.net);
222 DESTROY_IF(this->dst.net);
223 if (this->route)
224 {
225 route_entry_destroy(this->route);
226 }
227 free(this);
228 }
229
230 /**
231 * compares two policy_entry_t
232 */
233 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
234 {
235 return current->direction == policy->direction &&
236 current->src.proto == policy->src.proto &&
237 current->dst.proto == policy->dst.proto &&
238 current->src.mask == policy->src.mask &&
239 current->dst.mask == policy->dst.mask &&
240 current->src.net->equals(current->src.net, policy->src.net) &&
241 current->dst.net->equals(current->dst.net, policy->dst.net);
242 }
243
244 /**
245 * compare the given kernel index with that of a policy
246 */
247 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
248 {
249 return current->index == *index;
250 }
251
252 typedef struct pfkey_msg_t pfkey_msg_t;
253
254 struct pfkey_msg_t
255 {
256 /**
257 * PF_KEY message base
258 */
259 struct sadb_msg *msg;
260
261
262 /**
263 * PF_KEY message extensions
264 */
265 union {
266 struct sadb_ext *ext[SADB_EXT_MAX + 1];
267 struct {
268 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
269 struct sadb_sa *sa; /* SADB_EXT_SA */
270 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
271 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
272 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
273 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
274 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
275 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
276 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
277 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
278 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
279 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
280 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
281 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
282 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
283 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
284 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
285 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
286 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
287 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
288 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
289 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
290 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
291 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
292 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
293 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
294 } __attribute__((__packed__));
295 };
296 };
297
298 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
299 "SADB_EXT_RESERVED",
300 "SADB_EXT_SA",
301 "SADB_EXT_LIFETIME_CURRENT",
302 "SADB_EXT_LIFETIME_HARD",
303 "SADB_EXT_LIFETIME_SOFT",
304 "SADB_EXT_ADDRESS_SRC",
305 "SADB_EXT_ADDRESS_DST",
306 "SADB_EXT_ADDRESS_PROXY",
307 "SADB_EXT_KEY_AUTH",
308 "SADB_EXT_KEY_ENCRYPT",
309 "SADB_EXT_IDENTITY_SRC",
310 "SADB_EXT_IDENTITY_DST",
311 "SADB_EXT_SENSITIVITY",
312 "SADB_EXT_PROPOSAL",
313 "SADB_EXT_SUPPORTED_AUTH",
314 "SADB_EXT_SUPPORTED_ENCRYPT",
315 "SADB_EXT_SPIRANGE",
316 "SADB_X_EXT_KMPRIVATE",
317 "SADB_X_EXT_POLICY",
318 "SADB_X_EXT_SA2",
319 "SADB_X_EXT_NAT_T_TYPE",
320 "SADB_X_EXT_NAT_T_SPORT",
321 "SADB_X_EXT_NAT_T_DPORT",
322 "SADB_X_EXT_NAT_T_OA",
323 "SADB_X_EXT_SEC_CTX",
324 "SADB_X_EXT_KMADDRESS"
325 );
326 /**
327 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
328 */
329 static u_int8_t proto_ike2satype(protocol_id_t proto)
330 {
331 switch (proto)
332 {
333 case PROTO_ESP:
334 return SADB_SATYPE_ESP;
335 case PROTO_AH:
336 return SADB_SATYPE_AH;
337 case IPPROTO_COMP:
338 return SADB_X_SATYPE_IPCOMP;
339 default:
340 return proto;
341 }
342 }
343
344 /**
345 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
346 */
347 static protocol_id_t proto_satype2ike(u_int8_t proto)
348 {
349 switch (proto)
350 {
351 case SADB_SATYPE_ESP:
352 return PROTO_ESP;
353 case SADB_SATYPE_AH:
354 return PROTO_AH;
355 case SADB_X_SATYPE_IPCOMP:
356 return IPPROTO_COMP;
357 default:
358 return proto;
359 }
360 }
361
362 /**
363 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
364 */
365 static u_int8_t proto_ike2ip(protocol_id_t proto)
366 {
367 switch (proto)
368 {
369 case PROTO_ESP:
370 return IPPROTO_ESP;
371 case PROTO_AH:
372 return IPPROTO_AH;
373 default:
374 return proto;
375 }
376 }
377
378 /**
379 * convert the general ipsec mode to the one defined in ipsec.h
380 */
381 static u_int8_t mode2kernel(ipsec_mode_t mode)
382 {
383 switch (mode)
384 {
385 case MODE_TRANSPORT:
386 return IPSEC_MODE_TRANSPORT;
387 case MODE_TUNNEL:
388 return IPSEC_MODE_TUNNEL;
389 case MODE_BEET:
390 return IPSEC_MODE_BEET;
391 default:
392 return mode;
393 }
394 }
395
396 /**
397 * convert the general policy direction to the one defined in ipsec.h
398 */
399 static u_int8_t dir2kernel(policy_dir_t dir)
400 {
401 switch (dir)
402 {
403 case POLICY_IN:
404 return IPSEC_DIR_INBOUND;
405 case POLICY_OUT:
406 return IPSEC_DIR_OUTBOUND;
407 case POLICY_FWD:
408 return IPSEC_DIR_FWD;
409 default:
410 return dir;
411 }
412 }
413
414 /**
415 * convert the policy direction in ipsec.h to the general one.
416 */
417 static policy_dir_t kernel2dir(u_int8_t dir)
418 {
419 switch (dir)
420 {
421 case IPSEC_DIR_INBOUND:
422 return POLICY_IN;
423 case IPSEC_DIR_OUTBOUND:
424 return POLICY_OUT;
425 case IPSEC_DIR_FWD:
426 return POLICY_FWD;
427 default:
428 return dir;
429 }
430 }
431 typedef struct kernel_algorithm_t kernel_algorithm_t;
432
433 /**
434 * Mapping of IKEv2 algorithms to PF_KEY algorithms
435 */
436 struct kernel_algorithm_t {
437 /**
438 * Identifier specified in IKEv2
439 */
440 int ikev2;
441
442 /**
443 * Identifier as defined in pfkeyv2.h
444 */
445 int kernel;
446 };
447
448 #define END_OF_LIST -1
449
450 /**
451 * Algorithms for encryption
452 */
453 static kernel_algorithm_t encryption_algs[] = {
454 /* {ENCR_DES_IV64, 0 }, */
455 {ENCR_DES, SADB_EALG_DESCBC },
456 {ENCR_3DES, SADB_EALG_3DESCBC },
457 /* {ENCR_RC5, 0 }, */
458 /* {ENCR_IDEA, 0 }, */
459 {ENCR_CAST, SADB_X_EALG_CASTCBC },
460 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
461 /* {ENCR_3IDEA, 0 }, */
462 /* {ENCR_DES_IV32, 0 }, */
463 {ENCR_NULL, SADB_EALG_NULL },
464 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
465 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
466 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
467 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
468 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
469 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
470 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
471 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
472 {END_OF_LIST, 0 },
473 };
474
475 /**
476 * Algorithms for integrity protection
477 */
478 static kernel_algorithm_t integrity_algs[] = {
479 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
480 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
481 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
482 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
483 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
484 /* {AUTH_DES_MAC, 0, }, */
485 /* {AUTH_KPDK_MD5, 0, }, */
486 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
487 {END_OF_LIST, 0, },
488 };
489
490 /**
491 * Algorithms for IPComp
492 */
493 static kernel_algorithm_t compression_algs[] = {
494 /* {IPCOMP_OUI, 0 }, */
495 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
496 {IPCOMP_LZS, SADB_X_CALG_LZS },
497 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
498 {END_OF_LIST, 0 },
499 };
500
501 /**
502 * Look up a kernel algorithm ID and its key size
503 */
504 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
505 {
506 while (list->ikev2 != END_OF_LIST)
507 {
508 if (ikev2 == list->ikev2)
509 {
510 return list->kernel;
511 }
512 list++;
513 }
514 return 0;
515 }
516
517 /**
518 * add a host behind a sadb_address extension
519 */
520 static void host2ext(host_t *host, struct sadb_address *ext)
521 {
522 sockaddr_t *host_addr = host->get_sockaddr(host);
523 socklen_t *len = host->get_sockaddr_len(host);
524 memcpy((char*)(ext + 1), host_addr, *len);
525 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
526 }
527
528 /**
529 * add udp encap extensions to a sadb_msg
530 */
531 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
532 {
533 struct sadb_x_nat_t_type* nat_type;
534 struct sadb_x_nat_t_port* nat_port;
535
536 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
537 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
538 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
539 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
540 PFKEY_EXT_ADD(msg, nat_type);
541
542 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
543 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
544 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
545 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
546 PFKEY_EXT_ADD(msg, nat_port);
547
548 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
549 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
550 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
551 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
552 PFKEY_EXT_ADD(msg, nat_port);
553 }
554
555 /**
556 * Convert a sadb_address to a traffic_selector
557 */
558 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
559 {
560 traffic_selector_t *ts;
561 host_t *host;
562
563 /* The Linux 2.6 kernel does not set the protocol and port information
564 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
565 */
566 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
567 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
568 address->sadb_address_proto, host->get_port(host));
569 host->destroy(host);
570 return ts;
571 }
572
573 /**
574 * Parses a pfkey message received from the kernel
575 */
576 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
577 {
578 struct sadb_ext* ext;
579 size_t len;
580
581 memset(out, 0, sizeof(pfkey_msg_t));
582 out->msg = msg;
583
584 len = msg->sadb_msg_len;
585 len -= PFKEY_LEN(sizeof(struct sadb_msg));
586
587 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
588
589 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
590 {
591 DBG2(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
592 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
593 ext->sadb_ext_len > len)
594 {
595 DBG1(DBG_KNL, "length of %N extension is invalid",
596 sadb_ext_type_names, ext->sadb_ext_type);
597 break;
598 }
599
600 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
601 {
602 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
603 break;
604 }
605
606 if (out->ext[ext->sadb_ext_type])
607 {
608 DBG1(DBG_KNL, "duplicate %N extension",
609 sadb_ext_type_names, ext->sadb_ext_type);
610 break;
611 }
612
613 out->ext[ext->sadb_ext_type] = ext;
614 ext = PFKEY_EXT_NEXT_LEN(ext, len);
615 }
616
617 if (len)
618 {
619 DBG1(DBG_KNL, "PF_KEY message length is invalid");
620 return FAILED;
621 }
622
623 return SUCCESS;
624 }
625
626 /**
627 * Send a message to a specific PF_KEY socket and handle the response.
628 */
629 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
630 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
631 {
632 unsigned char buf[PFKEY_BUFFER_SIZE];
633 struct sadb_msg *msg;
634 int in_len, len;
635
636 this->mutex_pfkey->lock(this->mutex_pfkey);
637
638 in->sadb_msg_seq = ++this->seq;
639 in->sadb_msg_pid = getpid();
640
641 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
642
643 while (TRUE)
644 {
645 len = send(socket, in, in_len, 0);
646
647 if (len != in_len)
648 {
649 if (errno == EINTR)
650 {
651 /* interrupted, try again */
652 continue;
653 }
654 this->mutex_pfkey->unlock(this->mutex_pfkey);
655 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
656 return FAILED;
657 }
658 break;
659 }
660
661 while (TRUE)
662 {
663 msg = (struct sadb_msg*)buf;
664
665 len = recv(socket, buf, sizeof(buf), 0);
666
667 if (len < 0)
668 {
669 if (errno == EINTR)
670 {
671 DBG1(DBG_KNL, "got interrupted");
672 /* interrupted, try again */
673 continue;
674 }
675 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
676 this->mutex_pfkey->unlock(this->mutex_pfkey);
677 return FAILED;
678 }
679 if (len < sizeof(struct sadb_msg) ||
680 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
681 {
682 DBG1(DBG_KNL, "received corrupted PF_KEY message");
683 this->mutex_pfkey->unlock(this->mutex_pfkey);
684 return FAILED;
685 }
686 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
687 {
688 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
689 this->mutex_pfkey->unlock(this->mutex_pfkey);
690 return FAILED;
691 }
692 if (msg->sadb_msg_pid != in->sadb_msg_pid)
693 {
694 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
695 continue;
696 }
697 if (msg->sadb_msg_seq != this->seq)
698 {
699 DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
700 "was %d expected %d", msg->sadb_msg_seq, this->seq);
701 if (msg->sadb_msg_seq < this->seq)
702 {
703 continue;
704 }
705 this->mutex_pfkey->unlock(this->mutex_pfkey);
706 return FAILED;
707 }
708 if (msg->sadb_msg_type != in->sadb_msg_type)
709 {
710 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
711 "was %d expected %d, ignoring",
712 msg->sadb_msg_type, in->sadb_msg_type);
713 }
714 break;
715 }
716
717 *out_len = len;
718 *out = (struct sadb_msg*)malloc(len);
719 memcpy(*out, buf, len);
720
721 this->mutex_pfkey->unlock(this->mutex_pfkey);
722
723 return SUCCESS;
724 }
725
726 /**
727 * Send a message to the default PF_KEY socket and handle the response.
728 */
729 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
730 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
731 {
732 return pfkey_send_socket(this, this->socket, in, out, out_len);
733 }
734
735 /**
736 * Process a SADB_ACQUIRE message from the kernel
737 */
738 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
739 {
740 pfkey_msg_t response;
741 u_int32_t index, reqid = 0;
742 traffic_selector_t *src_ts, *dst_ts;
743 policy_entry_t *policy;
744 job_t *job;
745
746 switch (msg->sadb_msg_satype)
747 {
748 case SADB_SATYPE_UNSPEC:
749 case SADB_SATYPE_ESP:
750 case SADB_SATYPE_AH:
751 break;
752 default:
753 /* acquire for AH/ESP only */
754 return;
755 }
756 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
757
758 if (parse_pfkey_message(msg, &response) != SUCCESS)
759 {
760 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
761 return;
762 }
763
764 index = response.x_policy->sadb_x_policy_id;
765 this->mutex->lock(this->mutex);
766 if (this->policies->find_first(this->policies,
767 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
768 {
769 reqid = policy->reqid;
770 }
771 else
772 {
773 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
774 index);
775 }
776 src_ts = sadb_address2ts(response.src);
777 dst_ts = sadb_address2ts(response.dst);
778 this->mutex->unlock(this->mutex);
779
780 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
781 src_ts, dst_ts, reqid);
782 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
783 charon->processor->queue_job(charon->processor, job);
784 }
785
786 /**
787 * Process a SADB_EXPIRE message from the kernel
788 */
789 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
790 {
791 pfkey_msg_t response;
792 protocol_id_t protocol;
793 u_int32_t spi, reqid;
794 bool hard;
795 job_t *job;
796
797 DBG2(DBG_KNL, "received an SADB_EXPIRE");
798
799 if (parse_pfkey_message(msg, &response) != SUCCESS)
800 {
801 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
802 return;
803 }
804
805 protocol = proto_satype2ike(msg->sadb_msg_satype);
806 spi = response.sa->sadb_sa_spi;
807 reqid = response.x_sa2->sadb_x_sa2_reqid;
808 hard = response.lft_hard != NULL;
809
810 if (protocol != PROTO_ESP && protocol != PROTO_AH)
811 {
812 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
813 "which is not a CHILD_SA", ntohl(spi), reqid);
814 return;
815 }
816
817 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
818 hard ? "delete" : "rekey", protocol_id_names,
819 protocol, ntohl(spi), reqid);
820 if (hard)
821 {
822 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
823 }
824 else
825 {
826 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
827 }
828 charon->processor->queue_job(charon->processor, job);
829 }
830
831 /**
832 * Process a SADB_MIGRATE message from the kernel
833 */
834 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
835 {
836 pfkey_msg_t response;
837 traffic_selector_t *src_ts, *dst_ts;
838 policy_dir_t dir;
839 u_int32_t reqid = 0;
840 host_t *local;
841 job_t *job;
842
843 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
844
845 if (parse_pfkey_message(msg, &response) != SUCCESS)
846 {
847 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
848 return;
849 }
850 src_ts = sadb_address2ts(response.src);
851 dst_ts = sadb_address2ts(response.dst);
852 local = host_create_from_sockaddr((sockaddr_t*)&response.x_kmaddress[1]);
853 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
854 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
855 policy_dir_names, dir, response.x_policy->sadb_x_policy_id);
856 DBG2(DBG_KNL, " kmaddress: %H", local);
857
858 if (src_ts && dst_ts)
859 {
860 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
861 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
862 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
863 local, NULL);
864 charon->processor->queue_job(charon->processor, job);
865 }
866 else
867 {
868 DESTROY_IF(src_ts);
869 DESTROY_IF(dst_ts);
870 DESTROY_IF(local);
871 }
872 }
873
874 /**
875 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
876 */
877 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
878 {
879 pfkey_msg_t response;
880 u_int32_t spi, reqid;
881 host_t *host;
882 job_t *job;
883
884 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
885
886 if (parse_pfkey_message(msg, &response) != SUCCESS)
887 {
888 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
889 return;
890 }
891
892 if (!response.x_sa2)
893 {
894 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
895 return;
896 }
897
898 spi = response.sa->sadb_sa_spi;
899 reqid = response.x_sa2->sadb_x_sa2_reqid;
900
901 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
902 {
903 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
904 switch (sa->sa_family)
905 {
906 case AF_INET:
907 {
908 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
909 sin->sin_port = response.x_natt_dport->sadb_x_nat_t_port_port;
910 }
911 case AF_INET6:
912 {
913 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
914 sin6->sin6_port = response.x_natt_dport->sadb_x_nat_t_port_port;
915 }
916 default:
917 break;
918 }
919 host = host_create_from_sockaddr(sa);
920 if (host)
921 {
922 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
923 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
924 job = (job_t*)update_sa_job_create(reqid, host);
925 charon->processor->queue_job(charon->processor, job);
926 }
927 }
928 }
929
930 /**
931 * Receives events from kernel
932 */
933 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
934 {
935 unsigned char buf[PFKEY_BUFFER_SIZE];
936 struct sadb_msg *msg = (struct sadb_msg*)buf;
937 int len, oldstate;
938
939 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
940 len = recv(this->socket_events, buf, sizeof(buf), 0);
941 pthread_setcancelstate(oldstate, NULL);
942
943 if (len < 0)
944 {
945 switch (errno)
946 {
947 case EINTR:
948 /* interrupted, try again */
949 return JOB_REQUEUE_DIRECT;
950 case EAGAIN:
951 /* no data ready, select again */
952 return JOB_REQUEUE_DIRECT;
953 default:
954 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
955 sleep(1);
956 return JOB_REQUEUE_FAIR;
957 }
958 }
959
960 if (len < sizeof(struct sadb_msg) ||
961 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
962 {
963 DBG2(DBG_KNL, "received corrupted PF_KEY message");
964 return JOB_REQUEUE_DIRECT;
965 }
966 if (msg->sadb_msg_pid != 0)
967 { /* not from kernel. not interested, try another one */
968 return JOB_REQUEUE_DIRECT;
969 }
970 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
971 {
972 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
973 return JOB_REQUEUE_DIRECT;
974 }
975
976 switch (msg->sadb_msg_type)
977 {
978 case SADB_ACQUIRE:
979 process_acquire(this, msg);
980 break;
981 case SADB_EXPIRE:
982 process_expire(this, msg);
983 break;
984 case SADB_X_MIGRATE:
985 process_migrate(this, msg);
986 break;
987 case SADB_X_NAT_T_NEW_MAPPING:
988 process_mapping(this, msg);
989 break;
990 default:
991 break;
992 }
993
994 return JOB_REQUEUE_DIRECT;
995 }
996
997 /**
998 * Implementation of kernel_interface_t.get_spi.
999 */
1000 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
1001 host_t *src, host_t *dst,
1002 protocol_id_t protocol, u_int32_t reqid,
1003 u_int32_t *spi)
1004 {
1005 unsigned char request[PFKEY_BUFFER_SIZE];
1006 struct sadb_msg *msg, *out;
1007 struct sadb_x_sa2 *sa2;
1008 struct sadb_address *addr;
1009 struct sadb_spirange *range;
1010 pfkey_msg_t response;
1011 u_int32_t received_spi = 0;
1012 size_t len;
1013
1014 memset(&request, 0, sizeof(request));
1015
1016 msg = (struct sadb_msg*)request;
1017 msg->sadb_msg_version = PF_KEY_V2;
1018 msg->sadb_msg_type = SADB_GETSPI;
1019 msg->sadb_msg_satype = proto_ike2satype(protocol);
1020 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1021
1022 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1023 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1024 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1025 sa2->sadb_x_sa2_reqid = reqid;
1026 PFKEY_EXT_ADD(msg, sa2);
1027
1028 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1029 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1030 host2ext(src, addr);
1031 PFKEY_EXT_ADD(msg, addr);
1032
1033 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1034 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1035 host2ext(dst, addr);
1036 PFKEY_EXT_ADD(msg, addr);
1037
1038 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1039 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1040 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1041 range->sadb_spirange_min = 0xc0000000;
1042 range->sadb_spirange_max = 0xcFFFFFFF;
1043 PFKEY_EXT_ADD(msg, range);
1044
1045 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1046 {
1047 if (out->sadb_msg_errno)
1048 {
1049 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1050 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1051 }
1052 else if (parse_pfkey_message(out, &response) == SUCCESS)
1053 {
1054 received_spi = response.sa->sadb_sa_spi;
1055 }
1056 free(out);
1057 }
1058
1059 if (received_spi == 0)
1060 {
1061 return FAILED;
1062 }
1063
1064 *spi = received_spi;
1065 return SUCCESS;
1066 }
1067
1068 /**
1069 * Implementation of kernel_interface_t.get_cpi.
1070 */
1071 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
1072 host_t *src, host_t *dst,
1073 u_int32_t reqid, u_int16_t *cpi)
1074 {
1075 return FAILED;
1076 }
1077
1078 /**
1079 * Implementation of kernel_interface_t.add_sa.
1080 */
1081 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
1082 host_t *src, host_t *dst, u_int32_t spi,
1083 protocol_id_t protocol, u_int32_t reqid,
1084 u_int64_t expire_soft, u_int64_t expire_hard,
1085 u_int16_t enc_alg, chunk_t enc_key,
1086 u_int16_t int_alg, chunk_t int_key,
1087 ipsec_mode_t mode, u_int16_t ipcomp, bool encap,
1088 bool replace)
1089 {
1090 unsigned char request[PFKEY_BUFFER_SIZE];
1091 struct sadb_msg *msg, *out;
1092 struct sadb_sa *sa;
1093 struct sadb_x_sa2 *sa2;
1094 struct sadb_address *addr;
1095 struct sadb_lifetime *lft;
1096 struct sadb_key *key;
1097 size_t len;
1098
1099 memset(&request, 0, sizeof(request));
1100
1101 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1102
1103 msg = (struct sadb_msg*)request;
1104 msg->sadb_msg_version = PF_KEY_V2;
1105 msg->sadb_msg_type = replace ? SADB_UPDATE : SADB_ADD;
1106 msg->sadb_msg_satype = proto_ike2satype(protocol);
1107 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1108
1109 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1110 sa->sadb_sa_exttype = SADB_EXT_SA;
1111 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1112 sa->sadb_sa_spi = spi;
1113 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1114 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1115 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1116 PFKEY_EXT_ADD(msg, sa);
1117
1118 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1119 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1120 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1121 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1122 sa2->sadb_x_sa2_reqid = reqid;
1123 PFKEY_EXT_ADD(msg, sa2);
1124
1125 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1126 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1127 host2ext(src, addr);
1128 PFKEY_EXT_ADD(msg, addr);
1129
1130 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1131 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1132 host2ext(dst, addr);
1133 PFKEY_EXT_ADD(msg, addr);
1134
1135 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1136 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1137 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1138 lft->sadb_lifetime_addtime = expire_soft;
1139 PFKEY_EXT_ADD(msg, lft);
1140
1141 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1142 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1143 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1144 lft->sadb_lifetime_addtime = expire_hard;
1145 PFKEY_EXT_ADD(msg, lft);
1146
1147 if (enc_alg != ENCR_UNDEFINED)
1148 {
1149 if (!sa->sadb_sa_encrypt)
1150 {
1151 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1152 encryption_algorithm_names, enc_alg);
1153 return FAILED;
1154 }
1155 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1156 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1157
1158 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1159 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1160 key->sadb_key_bits = enc_key.len * 8;
1161 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1162 memcpy(key + 1, enc_key.ptr, enc_key.len);
1163
1164 PFKEY_EXT_ADD(msg, key);
1165 }
1166
1167 if (int_alg != AUTH_UNDEFINED)
1168 {
1169 if (!sa->sadb_sa_auth)
1170 {
1171 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1172 integrity_algorithm_names, int_alg);
1173 return FAILED;
1174 }
1175 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1176 integrity_algorithm_names, int_alg, int_key.len * 8);
1177
1178 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1179 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1180 key->sadb_key_bits = int_key.len * 8;
1181 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1182 memcpy(key + 1, int_key.ptr, int_key.len);
1183
1184 PFKEY_EXT_ADD(msg, key);
1185 }
1186
1187 if (ipcomp != IPCOMP_NONE)
1188 {
1189 /*TODO*/
1190 }
1191
1192 if (encap)
1193 {
1194 add_encap_ext(msg, src, dst);
1195 }
1196
1197 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1198 {
1199 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1200 return FAILED;
1201 }
1202 else if (out->sadb_msg_errno)
1203 {
1204 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1205 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1206 free(out);
1207 return FAILED;
1208 }
1209
1210 free(out);
1211 return SUCCESS;
1212 }
1213
1214 /**
1215 * Implementation of kernel_interface_t.update_sa.
1216 */
1217 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1218 u_int32_t spi, protocol_id_t protocol,
1219 host_t *src, host_t *dst,
1220 host_t *new_src, host_t *new_dst, bool encap)
1221 {
1222 unsigned char request[PFKEY_BUFFER_SIZE];
1223 struct sadb_msg *msg, *out;
1224 struct sadb_sa *sa;
1225 struct sadb_address *addr;
1226 pfkey_msg_t response;
1227 size_t len;
1228
1229 memset(&request, 0, sizeof(request));
1230
1231 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1232
1233 msg = (struct sadb_msg*)request;
1234 msg->sadb_msg_version = PF_KEY_V2;
1235 msg->sadb_msg_type = SADB_GET;
1236 msg->sadb_msg_satype = proto_ike2satype(protocol);
1237 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1238
1239 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1240 sa->sadb_sa_exttype = SADB_EXT_SA;
1241 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1242 sa->sadb_sa_spi = spi;
1243 PFKEY_EXT_ADD(msg, sa);
1244
1245 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1246 * it is not used for anything, so we just send dst twice */
1247 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1248 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1249 host2ext(dst, addr);
1250 PFKEY_EXT_ADD(msg, addr);
1251
1252 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1253 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1254 host2ext(dst, addr);
1255 PFKEY_EXT_ADD(msg, addr);
1256
1257 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1258 {
1259 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1260 ntohl(spi));
1261 return FAILED;
1262 }
1263 else if (out->sadb_msg_errno)
1264 {
1265 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1266 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1267 free(out);
1268 return FAILED;
1269 }
1270 else if (parse_pfkey_message(out, &response) != SUCCESS)
1271 {
1272 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1273 "from kernel failed", ntohl(spi));
1274 free(out);
1275 return FAILED;
1276 }
1277
1278 /* delete the old SA */
1279 if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
1280 {
1281 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1282 free(out);
1283 return FAILED;
1284 }
1285
1286 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1287 ntohl(spi), src, dst, new_src, new_dst);
1288
1289 memset(&request, 0, sizeof(request));
1290
1291 msg = (struct sadb_msg*)request;
1292 msg->sadb_msg_version = PF_KEY_V2;
1293 msg->sadb_msg_type = SADB_ADD;
1294 msg->sadb_msg_satype = proto_ike2satype(protocol);
1295 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1296
1297 PFKEY_EXT_COPY(msg, response.sa);
1298 PFKEY_EXT_COPY(msg, response.x_sa2);
1299
1300 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1301 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1302 host2ext(new_src, addr);
1303 PFKEY_EXT_ADD(msg, addr);
1304
1305 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1306 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1307 host2ext(new_dst, addr);
1308 PFKEY_EXT_ADD(msg, addr);
1309
1310 PFKEY_EXT_COPY(msg, response.lft_soft);
1311 PFKEY_EXT_COPY(msg, response.lft_hard);
1312
1313 if (response.key_encr)
1314 {
1315 PFKEY_EXT_COPY(msg, response.key_encr);
1316 }
1317
1318 if (response.key_auth)
1319 {
1320 PFKEY_EXT_COPY(msg, response.key_auth);
1321 }
1322
1323 if (encap)
1324 {
1325 add_encap_ext(msg, new_src, new_dst);
1326 }
1327
1328 free(out);
1329
1330 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1331 {
1332 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1333 return FAILED;
1334 }
1335 else if (out->sadb_msg_errno)
1336 {
1337 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1338 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1339 free(out);
1340 return FAILED;
1341 }
1342 free(out);
1343
1344 return SUCCESS;
1345 }
1346
1347 /**
1348 * Implementation of kernel_interface_t.del_sa.
1349 */
1350 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
1351 u_int32_t spi, protocol_id_t protocol)
1352 {
1353 unsigned char request[PFKEY_BUFFER_SIZE];
1354 struct sadb_msg *msg, *out;
1355 struct sadb_sa *sa;
1356 struct sadb_address *addr;
1357 size_t len;
1358
1359 memset(&request, 0, sizeof(request));
1360
1361 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1362
1363 msg = (struct sadb_msg*)request;
1364 msg->sadb_msg_version = PF_KEY_V2;
1365 msg->sadb_msg_type = SADB_DELETE;
1366 msg->sadb_msg_satype = proto_ike2satype(protocol);
1367 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1368
1369 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1370 sa->sadb_sa_exttype = SADB_EXT_SA;
1371 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1372 sa->sadb_sa_spi = spi;
1373 PFKEY_EXT_ADD(msg, sa);
1374
1375 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1376 * it is not used for anything, so we just send dst twice */
1377 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1378 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1379 host2ext(dst, addr);
1380 PFKEY_EXT_ADD(msg, addr);
1381
1382 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1383 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1384 host2ext(dst, addr);
1385 PFKEY_EXT_ADD(msg, addr);
1386
1387 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1388 {
1389 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1390 return FAILED;
1391 }
1392 else if (out->sadb_msg_errno)
1393 {
1394 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1395 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1396 free(out);
1397 return FAILED;
1398 }
1399
1400 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1401 free(out);
1402 return SUCCESS;
1403 }
1404
1405 /**
1406 * Implementation of kernel_interface_t.add_policy.
1407 */
1408 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1409 host_t *src, host_t *dst,
1410 traffic_selector_t *src_ts,
1411 traffic_selector_t *dst_ts,
1412 policy_dir_t direction, protocol_id_t protocol,
1413 u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
1414 u_int16_t ipcomp)
1415 {
1416 unsigned char request[PFKEY_BUFFER_SIZE];
1417 struct sadb_msg *msg, *out;
1418 struct sadb_x_policy *pol;
1419 struct sadb_address *addr;
1420 struct sadb_x_ipsecrequest *req;
1421 policy_entry_t *policy, *found = NULL;
1422 pfkey_msg_t response;
1423 size_t len;
1424
1425 /* create a policy */
1426 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1427
1428 /* find a matching policy */
1429 this->mutex->lock(this->mutex);
1430 if (this->policies->find_first(this->policies,
1431 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1432 {
1433 /* use existing policy */
1434 found->refcount++;
1435 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1436 "refcount", src_ts, dst_ts,
1437 policy_dir_names, direction);
1438 policy_entry_destroy(policy);
1439 policy = found;
1440 }
1441 else
1442 {
1443 /* apply the new one, if we have no such policy */
1444 this->policies->insert_last(this->policies, policy);
1445 policy->refcount = 1;
1446 }
1447
1448 memset(&request, 0, sizeof(request));
1449
1450 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1451 policy_dir_names, direction);
1452
1453 msg = (struct sadb_msg*)request;
1454 msg->sadb_msg_version = PF_KEY_V2;
1455 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1456 msg->sadb_msg_satype = 0;
1457 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1458
1459 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1460 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1461 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1462 pol->sadb_x_policy_id = 0;
1463 pol->sadb_x_policy_dir = dir2kernel(direction);
1464 /* calculate priority based on source selector size, small size = high prio */
1465 pol->sadb_x_policy_priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1466 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1467 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1468 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1469 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1470
1471 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1472 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1473 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1474 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1475 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1476 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1477 req->sadb_x_ipsecrequest_reqid = reqid;
1478 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1479 if (mode == MODE_TUNNEL)
1480 {
1481 sockaddr_t *sa;
1482 socklen_t sl;
1483 sa = src->get_sockaddr(src);
1484 sl = *src->get_sockaddr_len(src);
1485 memcpy(req + 1, sa, sl);
1486 sa = dst->get_sockaddr(dst);
1487 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1488 req->sadb_x_ipsecrequest_len += sl * 2;
1489 }
1490
1491 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1492 PFKEY_EXT_ADD(msg, pol);
1493
1494 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1495 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1496 addr->sadb_address_proto = policy->src.proto;
1497 addr->sadb_address_prefixlen = policy->src.mask;
1498 host2ext(policy->src.net, addr);
1499 PFKEY_EXT_ADD(msg, addr);
1500
1501 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1502 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1503 addr->sadb_address_proto = policy->dst.proto;
1504 addr->sadb_address_prefixlen = policy->dst.mask;
1505 host2ext(policy->dst.net, addr);
1506 PFKEY_EXT_ADD(msg, addr);
1507
1508 this->mutex->unlock(this->mutex);
1509
1510 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1511 {
1512 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1513 policy_dir_names, direction);
1514 return FAILED;
1515 }
1516 else if (out->sadb_msg_errno)
1517 {
1518 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1519 policy_dir_names, direction,
1520 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1521 free(out);
1522 return FAILED;
1523 }
1524 else if (parse_pfkey_message(out, &response) != SUCCESS)
1525 {
1526 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1527 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1528 free(out);
1529 return FAILED;
1530 }
1531
1532 this->mutex->lock(this->mutex);
1533
1534 /* we try to find the policy again and update the kernel index */
1535 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1536 {
1537 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1538 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1539 this->mutex->unlock(this->mutex);
1540 free(out);
1541 return SUCCESS;
1542 }
1543 policy->index = response.x_policy->sadb_x_policy_id;
1544 free(out);
1545
1546 /* install a route, if:
1547 * - we are NOT updating a policy
1548 * - this is a forward policy (to just get one for each child)
1549 * - we are in tunnel mode
1550 * - we are not using IPv6 (does not work correctly yet!)
1551 * - routing is not disabled via strongswan.conf
1552 */
1553 if (policy->route == NULL && direction == POLICY_FWD &&
1554 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1555 this->install_routes)
1556 {
1557 route_entry_t *route = malloc_thing(route_entry_t);
1558
1559 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1560 dst_ts, &route->src_ip) == SUCCESS)
1561 {
1562 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1563 route->gateway = charon->kernel_interface->get_nexthop(
1564 charon->kernel_interface, src);
1565 route->if_name = charon->kernel_interface->get_interface(
1566 charon->kernel_interface, dst);
1567 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1568 route->prefixlen = policy->src.mask;
1569
1570 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1571 route->dst_net, route->prefixlen, route->gateway,
1572 route->src_ip, route->if_name))
1573 {
1574 default:
1575 DBG1(DBG_KNL, "unable to install source route for %H",
1576 route->src_ip);
1577 /* FALL */
1578 case ALREADY_DONE:
1579 /* route exists, do not uninstall */
1580 route_entry_destroy(route);
1581 break;
1582 case SUCCESS:
1583 /* cache the installed route */
1584 policy->route = route;
1585 break;
1586 }
1587 }
1588 else
1589 {
1590 free(route);
1591 }
1592 }
1593
1594 this->mutex->unlock(this->mutex);
1595
1596 return SUCCESS;
1597 }
1598
1599 /**
1600 * Implementation of kernel_interface_t.query_policy.
1601 */
1602 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1603 traffic_selector_t *src_ts,
1604 traffic_selector_t *dst_ts,
1605 policy_dir_t direction, u_int32_t *use_time)
1606 {
1607 unsigned char request[PFKEY_BUFFER_SIZE];
1608 struct sadb_msg *msg, *out;
1609 struct sadb_x_policy *pol;
1610 struct sadb_address *addr;
1611 policy_entry_t *policy, *found = NULL;
1612 pfkey_msg_t response;
1613 size_t len;
1614
1615 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1616 policy_dir_names, direction);
1617
1618 /* create a policy */
1619 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1620
1621 /* find a matching policy */
1622 this->mutex->lock(this->mutex);
1623 if (this->policies->find_first(this->policies,
1624 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1625 {
1626 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1627 dst_ts, policy_dir_names, direction);
1628 policy_entry_destroy(policy);
1629 this->mutex->unlock(this->mutex);
1630 return NOT_FOUND;
1631 }
1632 policy_entry_destroy(policy);
1633 policy = found;
1634
1635 memset(&request, 0, sizeof(request));
1636
1637 msg = (struct sadb_msg*)request;
1638 msg->sadb_msg_version = PF_KEY_V2;
1639 msg->sadb_msg_type = SADB_X_SPDGET;
1640 msg->sadb_msg_satype = 0;
1641 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1642
1643 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1644 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1645 pol->sadb_x_policy_id = policy->index;
1646 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1647 pol->sadb_x_policy_dir = dir2kernel(direction);
1648 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1649 PFKEY_EXT_ADD(msg, pol);
1650
1651 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1652 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1653 addr->sadb_address_proto = policy->src.proto;
1654 addr->sadb_address_prefixlen = policy->src.mask;
1655 host2ext(policy->src.net, addr);
1656 PFKEY_EXT_ADD(msg, addr);
1657
1658 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1659 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1660 addr->sadb_address_proto = policy->dst.proto;
1661 addr->sadb_address_prefixlen = policy->dst.mask;
1662 host2ext(policy->dst.net, addr);
1663 PFKEY_EXT_ADD(msg, addr);
1664
1665 this->mutex->unlock(this->mutex);
1666
1667 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1668 {
1669 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1670 policy_dir_names, direction);
1671 return FAILED;
1672 }
1673 else if (out->sadb_msg_errno)
1674 {
1675 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1676 dst_ts, policy_dir_names, direction,
1677 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1678 free(out);
1679 return FAILED;
1680 }
1681 else if (parse_pfkey_message(out, &response) != SUCCESS)
1682 {
1683 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1684 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1685 free(out);
1686 return FAILED;
1687 }
1688
1689 *use_time = response.lft_current->sadb_lifetime_usetime;
1690
1691 free(out);
1692
1693 return SUCCESS;
1694 }
1695
1696 /**
1697 * Implementation of kernel_interface_t.del_policy.
1698 */
1699 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1700 traffic_selector_t *src_ts,
1701 traffic_selector_t *dst_ts,
1702 policy_dir_t direction)
1703 {
1704 unsigned char request[PFKEY_BUFFER_SIZE];
1705 struct sadb_msg *msg, *out;
1706 struct sadb_x_policy *pol;
1707 struct sadb_address *addr;
1708 policy_entry_t *policy, *found = NULL;
1709 route_entry_t *route;
1710 size_t len;
1711
1712 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1713 policy_dir_names, direction);
1714
1715 /* create a policy */
1716 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1717
1718 /* find a matching policy */
1719 this->mutex->lock(this->mutex);
1720 if (this->policies->find_first(this->policies,
1721 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1722 {
1723 if (--found->refcount > 0)
1724 {
1725 /* is used by more SAs, keep in kernel */
1726 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1727 policy_entry_destroy(policy);
1728 this->mutex->unlock(this->mutex);
1729 return SUCCESS;
1730 }
1731 /* remove if last reference */
1732 this->policies->remove(this->policies, found, NULL);
1733 policy_entry_destroy(policy);
1734 policy = found;
1735 }
1736 else
1737 {
1738 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1739 dst_ts, policy_dir_names, direction);
1740 policy_entry_destroy(policy);
1741 this->mutex->unlock(this->mutex);
1742 return NOT_FOUND;
1743 }
1744 this->mutex->unlock(this->mutex);
1745
1746 memset(&request, 0, sizeof(request));
1747
1748 msg = (struct sadb_msg*)request;
1749 msg->sadb_msg_version = PF_KEY_V2;
1750 msg->sadb_msg_type = SADB_X_SPDDELETE;
1751 msg->sadb_msg_satype = 0;
1752 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1753
1754 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1755 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1756 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1757 pol->sadb_x_policy_dir = dir2kernel(direction);
1758 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1759 PFKEY_EXT_ADD(msg, pol);
1760
1761 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1762 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1763 addr->sadb_address_proto = policy->src.proto;
1764 addr->sadb_address_prefixlen = policy->src.mask;
1765 host2ext(policy->src.net, addr);
1766 PFKEY_EXT_ADD(msg, addr);
1767
1768 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1769 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1770 addr->sadb_address_proto = policy->dst.proto;
1771 addr->sadb_address_prefixlen = policy->dst.mask;
1772 host2ext(policy->dst.net, addr);
1773 PFKEY_EXT_ADD(msg, addr);
1774
1775 route = policy->route;
1776 policy->route = NULL;
1777 policy_entry_destroy(policy);
1778
1779 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1780 {
1781 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1782 policy_dir_names, direction);
1783 return FAILED;
1784 }
1785 else if (out->sadb_msg_errno)
1786 {
1787 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
1788 dst_ts, policy_dir_names, direction,
1789 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1790 free(out);
1791 return FAILED;
1792 }
1793 free(out);
1794
1795 if (route)
1796 {
1797 if (charon->kernel_interface->del_route(charon->kernel_interface,
1798 route->dst_net, route->prefixlen, route->gateway,
1799 route->src_ip, route->if_name) != SUCCESS)
1800 {
1801 DBG1(DBG_KNL, "error uninstalling route installed with "
1802 "policy %R === %R %N", src_ts, dst_ts,
1803 policy_dir_names, direction);
1804 }
1805 route_entry_destroy(route);
1806 }
1807
1808 return SUCCESS;
1809 }
1810
1811 /**
1812 * Register a socket for AQUIRE/EXPIRE messages
1813 */
1814 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
1815 {
1816 unsigned char request[PFKEY_BUFFER_SIZE];
1817 struct sadb_msg *msg, *out;
1818 size_t len;
1819
1820 memset(&request, 0, sizeof(request));
1821
1822 msg = (struct sadb_msg*)request;
1823 msg->sadb_msg_version = PF_KEY_V2;
1824 msg->sadb_msg_type = SADB_REGISTER;
1825 msg->sadb_msg_satype = satype;
1826 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1827
1828 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
1829 {
1830 DBG1(DBG_KNL, "unable to register PF_KEY socket");
1831 return FAILED;
1832 }
1833 else if (out->sadb_msg_errno)
1834 {
1835 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
1836 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1837 free(out);
1838 return FAILED;
1839 }
1840 free(out);
1841 return SUCCESS;
1842 }
1843
1844 /**
1845 * Implementation of kernel_interface_t.destroy.
1846 */
1847 static void destroy(private_kernel_pfkey_ipsec_t *this)
1848 {
1849 this->job->cancel(this->job);
1850 close(this->socket);
1851 close(this->socket_events);
1852 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
1853 this->mutex->destroy(this->mutex);
1854 this->mutex_pfkey->destroy(this->mutex_pfkey);
1855 free(this);
1856 }
1857
1858 /*
1859 * Described in header.
1860 */
1861 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
1862 {
1863 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
1864
1865 /* public functions */
1866 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1867 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1868 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
1869 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
1870 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1871 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
1872 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1873 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1874
1875 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1876
1877 /* private members */
1878 this->policies = linked_list_create();
1879 this->mutex = mutex_create(MUTEX_DEFAULT);
1880 this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
1881 this->install_routes = lib->settings->get_bool(lib->settings,
1882 "charon.install_routes", TRUE);
1883 this->seq = 0;
1884
1885 /* create a PF_KEY socket to communicate with the kernel */
1886 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1887 if (this->socket <= 0)
1888 {
1889 charon->kill(charon, "unable to create PF_KEY socket");
1890 }
1891
1892 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
1893 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1894 if (this->socket_events <= 0)
1895 {
1896 charon->kill(charon, "unable to create PF_KEY event socket");
1897 }
1898
1899 /* register the event socket */
1900 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
1901 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
1902 {
1903 charon->kill(charon, "unable to register PF_KEY event socket");
1904 }
1905
1906 this->job = callback_job_create((callback_job_cb_t)receive_events,
1907 this, NULL, NULL);
1908 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1909
1910 return &this->public;
1911 }