68f777cb7b2ec6f73c51fd3065d90df6b4225f12
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * $Id$
17 */
18
19 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <stdint.h>
22 #include <linux/ipsec.h>
23 #include <linux/pfkeyv2.h>
24 #include <linux/udp.h>
25 #include <unistd.h>
26 #include <pthread.h>
27 #include <errno.h>
28
29 #include "kernel_pfkey_ipsec.h"
30
31 #include <daemon.h>
32 #include <utils/host.h>
33 #include <utils/mutex.h>
34 #include <processing/jobs/callback_job.h>
35 #include <processing/jobs/acquire_job.h>
36 #include <processing/jobs/migrate_job.h>
37 #include <processing/jobs/rekey_child_sa_job.h>
38 #include <processing/jobs/delete_child_sa_job.h>
39 #include <processing/jobs/update_sa_job.h>
40
41 /** default priority of installed policies */
42 #define PRIO_LOW 3000
43 #define PRIO_HIGH 2000
44
45 /** buffer size for PF_KEY messages */
46 #define PFKEY_BUFFER_SIZE 4096
47
48 /** PF_KEY messages are 64 bit aligned */
49 #define PFKEY_ALIGNMENT 8
50 /** aligns len to 64 bits */
51 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
52 /** calculates the properly padded length in 64 bit chunks */
53 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
54 /** calculates user mode length i.e. in bytes */
55 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
56
57 /** given a PF_KEY message header and an extension this updates the length in the header */
58 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
59 /** given a PF_KEY message header this returns a pointer to the next extension */
60 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
61 /** copy an extension and append it to a PF_KEY message */
62 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
63 /** given a PF_KEY extension this returns a pointer to the next extension */
64 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
65 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
66 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
67 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
68 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
69 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
70 (ext)->sadb_ext_len <= (len))
71
72 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
73
74 /**
75 * Private variables and functions of kernel_pfkey class.
76 */
77 struct private_kernel_pfkey_ipsec_t
78 {
79 /**
80 * Public part of the kernel_pfkey_t object.
81 */
82 kernel_pfkey_ipsec_t public;
83
84 /**
85 * mutex to lock access to various lists
86 */
87 mutex_t *mutex;
88
89 /**
90 * List of installed policies (policy_entry_t)
91 */
92 linked_list_t *policies;
93
94 /**
95 * whether to install routes along policies
96 */
97 bool install_routes;
98
99 /**
100 * job receiving PF_KEY events
101 */
102 callback_job_t *job;
103
104 /**
105 * mutex to lock access to the PF_KEY socket
106 */
107 mutex_t *mutex_pfkey;
108
109 /**
110 * PF_KEY socket to communicate with the kernel
111 */
112 int socket;
113
114 /**
115 * PF_KEY socket to receive acquire and expire events
116 */
117 int socket_events;
118
119 /**
120 * sequence number for messages sent to the kernel
121 */
122 int seq;
123 };
124
125 typedef struct route_entry_t route_entry_t;
126
127 /**
128 * installed routing entry
129 */
130 struct route_entry_t {
131 /** Name of the interface the route is bound to */
132 char *if_name;
133
134 /** Source ip of the route */
135 host_t *src_ip;
136
137 /** gateway for this route */
138 host_t *gateway;
139
140 /** Destination net */
141 chunk_t dst_net;
142
143 /** Destination net prefixlen */
144 u_int8_t prefixlen;
145 };
146
147 /**
148 * destroy an route_entry_t object
149 */
150 static void route_entry_destroy(route_entry_t *this)
151 {
152 free(this->if_name);
153 this->src_ip->destroy(this->src_ip);
154 this->gateway->destroy(this->gateway);
155 chunk_free(&this->dst_net);
156 free(this);
157 }
158
159 typedef struct policy_entry_t policy_entry_t;
160
161 /**
162 * installed kernel policy.
163 */
164 struct policy_entry_t {
165
166 /** reqid of this policy */
167 u_int32_t reqid;
168
169 /** index assigned by the kernel */
170 u_int32_t index;
171
172 /** direction of this policy: in, out, forward */
173 u_int8_t direction;
174
175 /** parameters of installed policy */
176 struct {
177 /** subnet and port */
178 host_t *net;
179 /** subnet mask */
180 u_int8_t mask;
181 /** protocol */
182 u_int8_t proto;
183 } src, dst;
184
185 /** associated route installed for this policy */
186 route_entry_t *route;
187
188 /** by how many CHILD_SA's this policy is used */
189 u_int refcount;
190 };
191
192 /**
193 * create a policy_entry_t object
194 */
195 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
196 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
197 {
198 policy_entry_t *policy = malloc_thing(policy_entry_t);
199 policy->reqid = reqid;
200 policy->index = 0;
201 policy->direction = dir;
202 policy->route = NULL;
203 policy->refcount = 0;
204
205 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
206 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
207
208 /* src or dest proto may be "any" (0), use more restrictive one */
209 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
210 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
211 policy->dst.proto = policy->src.proto;
212
213 return policy;
214 }
215
216 /**
217 * destroy a policy_entry_t object
218 */
219 static void policy_entry_destroy(policy_entry_t *this)
220 {
221 DESTROY_IF(this->src.net);
222 DESTROY_IF(this->dst.net);
223 if (this->route)
224 {
225 route_entry_destroy(this->route);
226 }
227 free(this);
228 }
229
230 /**
231 * compares two policy_entry_t
232 */
233 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
234 {
235 return current->direction == policy->direction &&
236 current->src.proto == policy->src.proto &&
237 current->dst.proto == policy->dst.proto &&
238 current->src.mask == policy->src.mask &&
239 current->dst.mask == policy->dst.mask &&
240 current->src.net->equals(current->src.net, policy->src.net) &&
241 current->dst.net->equals(current->dst.net, policy->dst.net);
242 }
243
244 /**
245 * compare the given kernel index with that of a policy
246 */
247 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
248 {
249 return current->index == *index;
250 }
251
252 typedef struct pfkey_msg_t pfkey_msg_t;
253
254 struct pfkey_msg_t
255 {
256 /**
257 * PF_KEY message base
258 */
259 struct sadb_msg *msg;
260
261
262 /**
263 * PF_KEY message extensions
264 */
265 union {
266 struct sadb_ext *ext[SADB_EXT_MAX + 1];
267 struct {
268 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
269 struct sadb_sa *sa; /* SADB_EXT_SA */
270 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
271 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
272 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
273 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
274 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
275 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
276 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
277 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
278 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
279 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
280 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
281 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
282 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
283 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
284 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
285 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
286 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
287 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
288 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
289 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
290 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
291 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
292 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
293 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
294 } __attribute__((__packed__));
295 };
296 };
297
298 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
299 "SADB_EXT_RESERVED",
300 "SADB_EXT_SA",
301 "SADB_EXT_LIFETIME_CURRENT",
302 "SADB_EXT_LIFETIME_HARD",
303 "SADB_EXT_LIFETIME_SOFT",
304 "SADB_EXT_ADDRESS_SRC",
305 "SADB_EXT_ADDRESS_DST",
306 "SADB_EXT_ADDRESS_PROXY",
307 "SADB_EXT_KEY_AUTH",
308 "SADB_EXT_KEY_ENCRYPT",
309 "SADB_EXT_IDENTITY_SRC",
310 "SADB_EXT_IDENTITY_DST",
311 "SADB_EXT_SENSITIVITY",
312 "SADB_EXT_PROPOSAL",
313 "SADB_EXT_SUPPORTED_AUTH",
314 "SADB_EXT_SUPPORTED_ENCRYPT",
315 "SADB_EXT_SPIRANGE",
316 "SADB_X_EXT_KMPRIVATE",
317 "SADB_X_EXT_POLICY",
318 "SADB_X_EXT_SA2",
319 "SADB_X_EXT_NAT_T_TYPE",
320 "SADB_X_EXT_NAT_T_SPORT",
321 "SADB_X_EXT_NAT_T_DPORT",
322 "SADB_X_EXT_NAT_T_OA",
323 "SADB_X_EXT_SEC_CTX",
324 "SADB_X_EXT_KMADDRESS"
325 );
326 /**
327 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
328 */
329 static u_int8_t proto_ike2satype(protocol_id_t proto)
330 {
331 switch (proto)
332 {
333 case PROTO_ESP:
334 return SADB_SATYPE_ESP;
335 case PROTO_AH:
336 return SADB_SATYPE_AH;
337 case IPPROTO_COMP:
338 return SADB_X_SATYPE_IPCOMP;
339 default:
340 return proto;
341 }
342 }
343
344 /**
345 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
346 */
347 static protocol_id_t proto_satype2ike(u_int8_t proto)
348 {
349 switch (proto)
350 {
351 case SADB_SATYPE_ESP:
352 return PROTO_ESP;
353 case SADB_SATYPE_AH:
354 return PROTO_AH;
355 case SADB_X_SATYPE_IPCOMP:
356 return IPPROTO_COMP;
357 default:
358 return proto;
359 }
360 }
361
362 /**
363 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
364 */
365 static u_int8_t proto_ike2ip(protocol_id_t proto)
366 {
367 switch (proto)
368 {
369 case PROTO_ESP:
370 return IPPROTO_ESP;
371 case PROTO_AH:
372 return IPPROTO_AH;
373 default:
374 return proto;
375 }
376 }
377
378 /**
379 * convert the general ipsec mode to the one defined in ipsec.h
380 */
381 static u_int8_t mode2kernel(ipsec_mode_t mode)
382 {
383 switch (mode)
384 {
385 case MODE_TRANSPORT:
386 return IPSEC_MODE_TRANSPORT;
387 case MODE_TUNNEL:
388 return IPSEC_MODE_TUNNEL;
389 case MODE_BEET:
390 return IPSEC_MODE_BEET;
391 default:
392 return mode;
393 }
394 }
395
396 /**
397 * convert the general policy direction to the one defined in ipsec.h
398 */
399 static u_int8_t dir2kernel(policy_dir_t dir)
400 {
401 switch (dir)
402 {
403 case POLICY_IN:
404 return IPSEC_DIR_INBOUND;
405 case POLICY_OUT:
406 return IPSEC_DIR_OUTBOUND;
407 case POLICY_FWD:
408 return IPSEC_DIR_FWD;
409 default:
410 return dir;
411 }
412 }
413
414 /**
415 * convert the policy direction in ipsec.h to the general one.
416 */
417 static policy_dir_t kernel2dir(u_int8_t dir)
418 {
419 switch (dir)
420 {
421 case IPSEC_DIR_INBOUND:
422 return POLICY_IN;
423 case IPSEC_DIR_OUTBOUND:
424 return POLICY_OUT;
425 case IPSEC_DIR_FWD:
426 return POLICY_FWD;
427 default:
428 return dir;
429 }
430 }
431 typedef struct kernel_algorithm_t kernel_algorithm_t;
432
433 /**
434 * Mapping of IKEv2 algorithms to PF_KEY algorithms
435 */
436 struct kernel_algorithm_t {
437 /**
438 * Identifier specified in IKEv2
439 */
440 int ikev2;
441
442 /**
443 * Identifier as defined in pfkeyv2.h
444 */
445 int kernel;
446 };
447
448 #define END_OF_LIST -1
449
450 /**
451 * Algorithms for encryption
452 */
453 static kernel_algorithm_t encryption_algs[] = {
454 /* {ENCR_DES_IV64, 0 }, */
455 {ENCR_DES, SADB_EALG_DESCBC },
456 {ENCR_3DES, SADB_EALG_3DESCBC },
457 /* {ENCR_RC5, 0 }, */
458 /* {ENCR_IDEA, 0 }, */
459 {ENCR_CAST, SADB_X_EALG_CASTCBC },
460 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
461 /* {ENCR_3IDEA, 0 }, */
462 /* {ENCR_DES_IV32, 0 }, */
463 {ENCR_NULL, SADB_EALG_NULL },
464 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
465 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
466 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
467 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
468 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
469 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
470 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
471 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
472 {END_OF_LIST, 0 },
473 };
474
475 /**
476 * Algorithms for integrity protection
477 */
478 static kernel_algorithm_t integrity_algs[] = {
479 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
480 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
481 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
482 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
483 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
484 /* {AUTH_DES_MAC, 0, }, */
485 /* {AUTH_KPDK_MD5, 0, }, */
486 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
487 {END_OF_LIST, 0, },
488 };
489
490 /**
491 * Algorithms for IPComp
492 */
493 static kernel_algorithm_t compression_algs[] = {
494 /* {IPCOMP_OUI, 0 }, */
495 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
496 {IPCOMP_LZS, SADB_X_CALG_LZS },
497 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
498 {END_OF_LIST, 0 },
499 };
500
501 /**
502 * Look up a kernel algorithm ID and its key size
503 */
504 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
505 {
506 while (list->ikev2 != END_OF_LIST)
507 {
508 if (ikev2 == list->ikev2)
509 {
510 return list->kernel;
511 }
512 list++;
513 }
514 return 0;
515 }
516
517 /**
518 * add a host behind a sadb_address extension
519 */
520 static void host2ext(host_t *host, struct sadb_address *ext)
521 {
522 sockaddr_t *host_addr = host->get_sockaddr(host);
523 socklen_t *len = host->get_sockaddr_len(host);
524 memcpy((char*)(ext + 1), host_addr, *len);
525 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
526 }
527
528 /**
529 * add udp encap extensions to a sadb_msg
530 */
531 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
532 {
533 struct sadb_x_nat_t_type* nat_type;
534 struct sadb_x_nat_t_port* nat_port;
535
536 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
537 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
538 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
539 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
540 PFKEY_EXT_ADD(msg, nat_type);
541
542 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
543 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
544 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
545 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
546 PFKEY_EXT_ADD(msg, nat_port);
547
548 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
549 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
550 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
551 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
552 PFKEY_EXT_ADD(msg, nat_port);
553 }
554
555 /**
556 * Convert a sadb_address to a traffic_selector
557 */
558 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
559 {
560 traffic_selector_t *ts;
561 host_t *host;
562
563 /* The Linux 2.6 kernel does not set the protocol and port information
564 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
565 */
566 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
567 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
568 address->sadb_address_proto, host->get_port(host));
569 host->destroy(host);
570 return ts;
571 }
572
573 /**
574 * Parses a pfkey message received from the kernel
575 */
576 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
577 {
578 struct sadb_ext* ext;
579 size_t len;
580
581 memset(out, 0, sizeof(pfkey_msg_t));
582 out->msg = msg;
583
584 len = msg->sadb_msg_len;
585 len -= PFKEY_LEN(sizeof(struct sadb_msg));
586
587 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
588
589 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
590 {
591 DBG2(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
592 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
593 ext->sadb_ext_len > len)
594 {
595 DBG1(DBG_KNL, "length of %N extension is invalid",
596 sadb_ext_type_names, ext->sadb_ext_type);
597 break;
598 }
599
600 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
601 {
602 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
603 break;
604 }
605
606 if (out->ext[ext->sadb_ext_type])
607 {
608 DBG1(DBG_KNL, "duplicate %N extension",
609 sadb_ext_type_names, ext->sadb_ext_type);
610 break;
611 }
612
613 out->ext[ext->sadb_ext_type] = ext;
614 ext = PFKEY_EXT_NEXT_LEN(ext, len);
615 }
616
617 if (len)
618 {
619 DBG1(DBG_KNL, "PF_KEY message length is invalid");
620 return FAILED;
621 }
622
623 return SUCCESS;
624 }
625
626 /**
627 * Send a message to a specific PF_KEY socket and handle the response.
628 */
629 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
630 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
631 {
632 unsigned char buf[PFKEY_BUFFER_SIZE];
633 struct sadb_msg *msg;
634 int in_len, len;
635
636 this->mutex_pfkey->lock(this->mutex_pfkey);
637
638 in->sadb_msg_seq = ++this->seq;
639 in->sadb_msg_pid = getpid();
640
641 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
642
643 while (TRUE)
644 {
645 len = send(socket, in, in_len, 0);
646
647 if (len != in_len)
648 {
649 if (errno == EINTR)
650 {
651 /* interrupted, try again */
652 continue;
653 }
654 this->mutex_pfkey->unlock(this->mutex_pfkey);
655 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
656 return FAILED;
657 }
658 break;
659 }
660
661 while (TRUE)
662 {
663 msg = (struct sadb_msg*)buf;
664
665 len = recv(socket, buf, sizeof(buf), 0);
666
667 if (len < 0)
668 {
669 if (errno == EINTR)
670 {
671 DBG1(DBG_KNL, "got interrupted");
672 /* interrupted, try again */
673 continue;
674 }
675 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
676 this->mutex_pfkey->unlock(this->mutex_pfkey);
677 return FAILED;
678 }
679 if (len < sizeof(struct sadb_msg) ||
680 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
681 {
682 DBG1(DBG_KNL, "received corrupted PF_KEY message");
683 this->mutex_pfkey->unlock(this->mutex_pfkey);
684 return FAILED;
685 }
686 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
687 {
688 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
689 this->mutex_pfkey->unlock(this->mutex_pfkey);
690 return FAILED;
691 }
692 if (msg->sadb_msg_pid != in->sadb_msg_pid)
693 {
694 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
695 continue;
696 }
697 if (msg->sadb_msg_seq != this->seq)
698 {
699 DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
700 "was %d expected %d", msg->sadb_msg_seq, this->seq);
701 if (msg->sadb_msg_seq < this->seq)
702 {
703 continue;
704 }
705 this->mutex_pfkey->unlock(this->mutex_pfkey);
706 return FAILED;
707 }
708 if (msg->sadb_msg_type != in->sadb_msg_type)
709 {
710 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
711 "was %d expected %d, ignoring",
712 msg->sadb_msg_type, in->sadb_msg_type);
713 }
714 break;
715 }
716
717 *out_len = len;
718 *out = (struct sadb_msg*)malloc(len);
719 memcpy(*out, buf, len);
720
721 this->mutex_pfkey->unlock(this->mutex_pfkey);
722
723 return SUCCESS;
724 }
725
726 /**
727 * Send a message to the default PF_KEY socket and handle the response.
728 */
729 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
730 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
731 {
732 return pfkey_send_socket(this, this->socket, in, out, out_len);
733 }
734
735 /**
736 * Process a SADB_ACQUIRE message from the kernel
737 */
738 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
739 {
740 pfkey_msg_t response;
741 u_int32_t index, reqid = 0;
742 traffic_selector_t *src_ts, *dst_ts;
743 policy_entry_t *policy;
744 job_t *job;
745
746 switch (msg->sadb_msg_satype)
747 {
748 case SADB_SATYPE_UNSPEC:
749 case SADB_SATYPE_ESP:
750 case SADB_SATYPE_AH:
751 break;
752 default:
753 /* acquire for AH/ESP only */
754 return;
755 }
756 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
757
758 if (parse_pfkey_message(msg, &response) != SUCCESS)
759 {
760 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
761 return;
762 }
763
764 index = response.x_policy->sadb_x_policy_id;
765 this->mutex->lock(this->mutex);
766 if (this->policies->find_first(this->policies,
767 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
768 {
769 reqid = policy->reqid;
770 }
771 else
772 {
773 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
774 index);
775 }
776 src_ts = sadb_address2ts(response.src);
777 dst_ts = sadb_address2ts(response.dst);
778 this->mutex->unlock(this->mutex);
779
780 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
781 src_ts, dst_ts, reqid);
782 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
783 charon->processor->queue_job(charon->processor, job);
784 }
785
786 /**
787 * Process a SADB_EXPIRE message from the kernel
788 */
789 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
790 {
791 pfkey_msg_t response;
792 protocol_id_t protocol;
793 u_int32_t spi, reqid;
794 bool hard;
795 job_t *job;
796
797 DBG2(DBG_KNL, "received an SADB_EXPIRE");
798
799 if (parse_pfkey_message(msg, &response) != SUCCESS)
800 {
801 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
802 return;
803 }
804
805 protocol = proto_satype2ike(msg->sadb_msg_satype);
806 spi = response.sa->sadb_sa_spi;
807 reqid = response.x_sa2->sadb_x_sa2_reqid;
808 hard = response.lft_hard != NULL;
809
810 if (protocol != PROTO_ESP && protocol != PROTO_AH)
811 {
812 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
813 "which is not a CHILD_SA", ntohl(spi), reqid);
814 return;
815 }
816
817 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
818 hard ? "delete" : "rekey", protocol_id_names,
819 protocol, ntohl(spi), reqid);
820 if (hard)
821 {
822 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
823 }
824 else
825 {
826 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
827 }
828 charon->processor->queue_job(charon->processor, job);
829 }
830
831 /**
832 * Process a SADB_MIGRATE message from the kernel
833 */
834 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
835 {
836 pfkey_msg_t response;
837 traffic_selector_t *src_ts, *dst_ts;
838 policy_dir_t dir;
839 u_int32_t reqid = 0;
840 host_t *local = NULL, *remote = NULL;
841 job_t *job;
842
843 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
844
845 if (parse_pfkey_message(msg, &response) != SUCCESS)
846 {
847 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
848 return;
849 }
850 src_ts = sadb_address2ts(response.src);
851 dst_ts = sadb_address2ts(response.dst);
852 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
853 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
854 policy_dir_names, dir, response.x_policy->sadb_x_policy_id);
855
856 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
857 if (response.x_kmaddress)
858 {
859 sockaddr_t *local_addr, *remote_addr;
860 u_int32_t local_len;
861
862 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
863 local = host_create_from_sockaddr(local_addr);
864 local_len = (local_addr->sa_family == AF_INET6)?
865 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
866 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
867 remote = host_create_from_sockaddr(remote_addr);
868 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
869 }
870
871 if (src_ts && dst_ts)
872 {
873 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
874 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
875 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
876 local, remote);
877 charon->processor->queue_job(charon->processor, job);
878 }
879 else
880 {
881 DESTROY_IF(src_ts);
882 DESTROY_IF(dst_ts);
883 DESTROY_IF(local);
884 DESTROY_IF(remote);
885 }
886 }
887
888 /**
889 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
890 */
891 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
892 {
893 pfkey_msg_t response;
894 u_int32_t spi, reqid;
895 host_t *host;
896 job_t *job;
897
898 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
899
900 if (parse_pfkey_message(msg, &response) != SUCCESS)
901 {
902 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
903 return;
904 }
905
906 if (!response.x_sa2)
907 {
908 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
909 return;
910 }
911
912 spi = response.sa->sadb_sa_spi;
913 reqid = response.x_sa2->sadb_x_sa2_reqid;
914
915 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
916 {
917 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
918 switch (sa->sa_family)
919 {
920 case AF_INET:
921 {
922 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
923 sin->sin_port = response.x_natt_dport->sadb_x_nat_t_port_port;
924 }
925 case AF_INET6:
926 {
927 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
928 sin6->sin6_port = response.x_natt_dport->sadb_x_nat_t_port_port;
929 }
930 default:
931 break;
932 }
933 host = host_create_from_sockaddr(sa);
934 if (host)
935 {
936 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
937 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
938 job = (job_t*)update_sa_job_create(reqid, host);
939 charon->processor->queue_job(charon->processor, job);
940 }
941 }
942 }
943
944 /**
945 * Receives events from kernel
946 */
947 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
948 {
949 unsigned char buf[PFKEY_BUFFER_SIZE];
950 struct sadb_msg *msg = (struct sadb_msg*)buf;
951 int len, oldstate;
952
953 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
954 len = recv(this->socket_events, buf, sizeof(buf), 0);
955 pthread_setcancelstate(oldstate, NULL);
956
957 if (len < 0)
958 {
959 switch (errno)
960 {
961 case EINTR:
962 /* interrupted, try again */
963 return JOB_REQUEUE_DIRECT;
964 case EAGAIN:
965 /* no data ready, select again */
966 return JOB_REQUEUE_DIRECT;
967 default:
968 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
969 sleep(1);
970 return JOB_REQUEUE_FAIR;
971 }
972 }
973
974 if (len < sizeof(struct sadb_msg) ||
975 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
976 {
977 DBG2(DBG_KNL, "received corrupted PF_KEY message");
978 return JOB_REQUEUE_DIRECT;
979 }
980 if (msg->sadb_msg_pid != 0)
981 { /* not from kernel. not interested, try another one */
982 return JOB_REQUEUE_DIRECT;
983 }
984 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
985 {
986 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
987 return JOB_REQUEUE_DIRECT;
988 }
989
990 switch (msg->sadb_msg_type)
991 {
992 case SADB_ACQUIRE:
993 process_acquire(this, msg);
994 break;
995 case SADB_EXPIRE:
996 process_expire(this, msg);
997 break;
998 case SADB_X_MIGRATE:
999 process_migrate(this, msg);
1000 break;
1001 case SADB_X_NAT_T_NEW_MAPPING:
1002 process_mapping(this, msg);
1003 break;
1004 default:
1005 break;
1006 }
1007
1008 return JOB_REQUEUE_DIRECT;
1009 }
1010
1011 /**
1012 * Implementation of kernel_interface_t.get_spi.
1013 */
1014 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
1015 host_t *src, host_t *dst,
1016 protocol_id_t protocol, u_int32_t reqid,
1017 u_int32_t *spi)
1018 {
1019 unsigned char request[PFKEY_BUFFER_SIZE];
1020 struct sadb_msg *msg, *out;
1021 struct sadb_x_sa2 *sa2;
1022 struct sadb_address *addr;
1023 struct sadb_spirange *range;
1024 pfkey_msg_t response;
1025 u_int32_t received_spi = 0;
1026 size_t len;
1027
1028 memset(&request, 0, sizeof(request));
1029
1030 msg = (struct sadb_msg*)request;
1031 msg->sadb_msg_version = PF_KEY_V2;
1032 msg->sadb_msg_type = SADB_GETSPI;
1033 msg->sadb_msg_satype = proto_ike2satype(protocol);
1034 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1035
1036 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1037 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1038 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1039 sa2->sadb_x_sa2_reqid = reqid;
1040 PFKEY_EXT_ADD(msg, sa2);
1041
1042 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1043 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1044 host2ext(src, addr);
1045 PFKEY_EXT_ADD(msg, addr);
1046
1047 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1048 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1049 host2ext(dst, addr);
1050 PFKEY_EXT_ADD(msg, addr);
1051
1052 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1053 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1054 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1055 range->sadb_spirange_min = 0xc0000000;
1056 range->sadb_spirange_max = 0xcFFFFFFF;
1057 PFKEY_EXT_ADD(msg, range);
1058
1059 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1060 {
1061 if (out->sadb_msg_errno)
1062 {
1063 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1064 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1065 }
1066 else if (parse_pfkey_message(out, &response) == SUCCESS)
1067 {
1068 received_spi = response.sa->sadb_sa_spi;
1069 }
1070 free(out);
1071 }
1072
1073 if (received_spi == 0)
1074 {
1075 return FAILED;
1076 }
1077
1078 *spi = received_spi;
1079 return SUCCESS;
1080 }
1081
1082 /**
1083 * Implementation of kernel_interface_t.get_cpi.
1084 */
1085 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
1086 host_t *src, host_t *dst,
1087 u_int32_t reqid, u_int16_t *cpi)
1088 {
1089 return FAILED;
1090 }
1091
1092 /**
1093 * Implementation of kernel_interface_t.add_sa.
1094 */
1095 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
1096 host_t *src, host_t *dst, u_int32_t spi,
1097 protocol_id_t protocol, u_int32_t reqid,
1098 u_int64_t expire_soft, u_int64_t expire_hard,
1099 u_int16_t enc_alg, chunk_t enc_key,
1100 u_int16_t int_alg, chunk_t int_key,
1101 ipsec_mode_t mode, u_int16_t ipcomp, bool encap,
1102 bool replace)
1103 {
1104 unsigned char request[PFKEY_BUFFER_SIZE];
1105 struct sadb_msg *msg, *out;
1106 struct sadb_sa *sa;
1107 struct sadb_x_sa2 *sa2;
1108 struct sadb_address *addr;
1109 struct sadb_lifetime *lft;
1110 struct sadb_key *key;
1111 size_t len;
1112
1113 memset(&request, 0, sizeof(request));
1114
1115 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1116
1117 msg = (struct sadb_msg*)request;
1118 msg->sadb_msg_version = PF_KEY_V2;
1119 msg->sadb_msg_type = replace ? SADB_UPDATE : SADB_ADD;
1120 msg->sadb_msg_satype = proto_ike2satype(protocol);
1121 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1122
1123 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1124 sa->sadb_sa_exttype = SADB_EXT_SA;
1125 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1126 sa->sadb_sa_spi = spi;
1127 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1128 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1129 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1130 PFKEY_EXT_ADD(msg, sa);
1131
1132 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1133 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1134 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1135 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1136 sa2->sadb_x_sa2_reqid = reqid;
1137 PFKEY_EXT_ADD(msg, sa2);
1138
1139 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1140 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1141 host2ext(src, addr);
1142 PFKEY_EXT_ADD(msg, addr);
1143
1144 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1145 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1146 host2ext(dst, addr);
1147 PFKEY_EXT_ADD(msg, addr);
1148
1149 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1150 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1151 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1152 lft->sadb_lifetime_addtime = expire_soft;
1153 PFKEY_EXT_ADD(msg, lft);
1154
1155 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1156 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1157 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1158 lft->sadb_lifetime_addtime = expire_hard;
1159 PFKEY_EXT_ADD(msg, lft);
1160
1161 if (enc_alg != ENCR_UNDEFINED)
1162 {
1163 if (!sa->sadb_sa_encrypt)
1164 {
1165 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1166 encryption_algorithm_names, enc_alg);
1167 return FAILED;
1168 }
1169 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1170 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1171
1172 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1173 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1174 key->sadb_key_bits = enc_key.len * 8;
1175 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1176 memcpy(key + 1, enc_key.ptr, enc_key.len);
1177
1178 PFKEY_EXT_ADD(msg, key);
1179 }
1180
1181 if (int_alg != AUTH_UNDEFINED)
1182 {
1183 if (!sa->sadb_sa_auth)
1184 {
1185 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1186 integrity_algorithm_names, int_alg);
1187 return FAILED;
1188 }
1189 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1190 integrity_algorithm_names, int_alg, int_key.len * 8);
1191
1192 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1193 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1194 key->sadb_key_bits = int_key.len * 8;
1195 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1196 memcpy(key + 1, int_key.ptr, int_key.len);
1197
1198 PFKEY_EXT_ADD(msg, key);
1199 }
1200
1201 if (ipcomp != IPCOMP_NONE)
1202 {
1203 /*TODO*/
1204 }
1205
1206 if (encap)
1207 {
1208 add_encap_ext(msg, src, dst);
1209 }
1210
1211 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1212 {
1213 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1214 return FAILED;
1215 }
1216 else if (out->sadb_msg_errno)
1217 {
1218 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1219 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1220 free(out);
1221 return FAILED;
1222 }
1223
1224 free(out);
1225 return SUCCESS;
1226 }
1227
1228 /**
1229 * Implementation of kernel_interface_t.update_sa.
1230 */
1231 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1232 u_int32_t spi, protocol_id_t protocol,
1233 host_t *src, host_t *dst,
1234 host_t *new_src, host_t *new_dst, bool encap)
1235 {
1236 unsigned char request[PFKEY_BUFFER_SIZE];
1237 struct sadb_msg *msg, *out;
1238 struct sadb_sa *sa;
1239 struct sadb_address *addr;
1240 pfkey_msg_t response;
1241 size_t len;
1242
1243 memset(&request, 0, sizeof(request));
1244
1245 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1246
1247 msg = (struct sadb_msg*)request;
1248 msg->sadb_msg_version = PF_KEY_V2;
1249 msg->sadb_msg_type = SADB_GET;
1250 msg->sadb_msg_satype = proto_ike2satype(protocol);
1251 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1252
1253 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1254 sa->sadb_sa_exttype = SADB_EXT_SA;
1255 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1256 sa->sadb_sa_spi = spi;
1257 PFKEY_EXT_ADD(msg, sa);
1258
1259 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1260 * it is not used for anything, so we just send dst twice */
1261 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1262 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1263 host2ext(dst, addr);
1264 PFKEY_EXT_ADD(msg, addr);
1265
1266 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1267 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1268 host2ext(dst, addr);
1269 PFKEY_EXT_ADD(msg, addr);
1270
1271 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1272 {
1273 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1274 ntohl(spi));
1275 return FAILED;
1276 }
1277 else if (out->sadb_msg_errno)
1278 {
1279 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1280 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1281 free(out);
1282 return FAILED;
1283 }
1284 else if (parse_pfkey_message(out, &response) != SUCCESS)
1285 {
1286 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1287 "from kernel failed", ntohl(spi));
1288 free(out);
1289 return FAILED;
1290 }
1291
1292 /* delete the old SA */
1293 if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
1294 {
1295 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1296 free(out);
1297 return FAILED;
1298 }
1299
1300 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1301 ntohl(spi), src, dst, new_src, new_dst);
1302
1303 memset(&request, 0, sizeof(request));
1304
1305 msg = (struct sadb_msg*)request;
1306 msg->sadb_msg_version = PF_KEY_V2;
1307 msg->sadb_msg_type = SADB_ADD;
1308 msg->sadb_msg_satype = proto_ike2satype(protocol);
1309 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1310
1311 PFKEY_EXT_COPY(msg, response.sa);
1312 PFKEY_EXT_COPY(msg, response.x_sa2);
1313
1314 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1315 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1316 host2ext(new_src, addr);
1317 PFKEY_EXT_ADD(msg, addr);
1318
1319 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1320 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1321 host2ext(new_dst, addr);
1322 PFKEY_EXT_ADD(msg, addr);
1323
1324 PFKEY_EXT_COPY(msg, response.lft_soft);
1325 PFKEY_EXT_COPY(msg, response.lft_hard);
1326
1327 if (response.key_encr)
1328 {
1329 PFKEY_EXT_COPY(msg, response.key_encr);
1330 }
1331
1332 if (response.key_auth)
1333 {
1334 PFKEY_EXT_COPY(msg, response.key_auth);
1335 }
1336
1337 if (encap)
1338 {
1339 add_encap_ext(msg, new_src, new_dst);
1340 }
1341
1342 free(out);
1343
1344 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1345 {
1346 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1347 return FAILED;
1348 }
1349 else if (out->sadb_msg_errno)
1350 {
1351 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1352 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1353 free(out);
1354 return FAILED;
1355 }
1356 free(out);
1357
1358 return SUCCESS;
1359 }
1360
1361 /**
1362 * Implementation of kernel_interface_t.del_sa.
1363 */
1364 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
1365 u_int32_t spi, protocol_id_t protocol)
1366 {
1367 unsigned char request[PFKEY_BUFFER_SIZE];
1368 struct sadb_msg *msg, *out;
1369 struct sadb_sa *sa;
1370 struct sadb_address *addr;
1371 size_t len;
1372
1373 memset(&request, 0, sizeof(request));
1374
1375 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1376
1377 msg = (struct sadb_msg*)request;
1378 msg->sadb_msg_version = PF_KEY_V2;
1379 msg->sadb_msg_type = SADB_DELETE;
1380 msg->sadb_msg_satype = proto_ike2satype(protocol);
1381 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1382
1383 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1384 sa->sadb_sa_exttype = SADB_EXT_SA;
1385 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1386 sa->sadb_sa_spi = spi;
1387 PFKEY_EXT_ADD(msg, sa);
1388
1389 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1390 * it is not used for anything, so we just send dst twice */
1391 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1392 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1393 host2ext(dst, addr);
1394 PFKEY_EXT_ADD(msg, addr);
1395
1396 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1397 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1398 host2ext(dst, addr);
1399 PFKEY_EXT_ADD(msg, addr);
1400
1401 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1402 {
1403 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1404 return FAILED;
1405 }
1406 else if (out->sadb_msg_errno)
1407 {
1408 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1409 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1410 free(out);
1411 return FAILED;
1412 }
1413
1414 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1415 free(out);
1416 return SUCCESS;
1417 }
1418
1419 /**
1420 * Implementation of kernel_interface_t.add_policy.
1421 */
1422 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1423 host_t *src, host_t *dst,
1424 traffic_selector_t *src_ts,
1425 traffic_selector_t *dst_ts,
1426 policy_dir_t direction, protocol_id_t protocol,
1427 u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
1428 u_int16_t ipcomp)
1429 {
1430 unsigned char request[PFKEY_BUFFER_SIZE];
1431 struct sadb_msg *msg, *out;
1432 struct sadb_x_policy *pol;
1433 struct sadb_address *addr;
1434 struct sadb_x_ipsecrequest *req;
1435 policy_entry_t *policy, *found = NULL;
1436 pfkey_msg_t response;
1437 size_t len;
1438
1439 /* create a policy */
1440 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1441
1442 /* find a matching policy */
1443 this->mutex->lock(this->mutex);
1444 if (this->policies->find_first(this->policies,
1445 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1446 {
1447 /* use existing policy */
1448 found->refcount++;
1449 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1450 "refcount", src_ts, dst_ts,
1451 policy_dir_names, direction);
1452 policy_entry_destroy(policy);
1453 policy = found;
1454 }
1455 else
1456 {
1457 /* apply the new one, if we have no such policy */
1458 this->policies->insert_last(this->policies, policy);
1459 policy->refcount = 1;
1460 }
1461
1462 memset(&request, 0, sizeof(request));
1463
1464 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1465 policy_dir_names, direction);
1466
1467 msg = (struct sadb_msg*)request;
1468 msg->sadb_msg_version = PF_KEY_V2;
1469 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1470 msg->sadb_msg_satype = 0;
1471 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1472
1473 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1474 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1475 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1476 pol->sadb_x_policy_id = 0;
1477 pol->sadb_x_policy_dir = dir2kernel(direction);
1478 /* calculate priority based on source selector size, small size = high prio */
1479 pol->sadb_x_policy_priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1480 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1481 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1482 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1483 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1484
1485 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1486 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1487 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1488 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1489 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1490 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1491 req->sadb_x_ipsecrequest_reqid = reqid;
1492 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1493 if (mode == MODE_TUNNEL)
1494 {
1495 sockaddr_t *sa;
1496 socklen_t sl;
1497 sa = src->get_sockaddr(src);
1498 sl = *src->get_sockaddr_len(src);
1499 memcpy(req + 1, sa, sl);
1500 sa = dst->get_sockaddr(dst);
1501 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1502 req->sadb_x_ipsecrequest_len += sl * 2;
1503 }
1504
1505 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1506 PFKEY_EXT_ADD(msg, pol);
1507
1508 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1509 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1510 addr->sadb_address_proto = policy->src.proto;
1511 addr->sadb_address_prefixlen = policy->src.mask;
1512 host2ext(policy->src.net, addr);
1513 PFKEY_EXT_ADD(msg, addr);
1514
1515 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1516 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1517 addr->sadb_address_proto = policy->dst.proto;
1518 addr->sadb_address_prefixlen = policy->dst.mask;
1519 host2ext(policy->dst.net, addr);
1520 PFKEY_EXT_ADD(msg, addr);
1521
1522 this->mutex->unlock(this->mutex);
1523
1524 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1525 {
1526 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1527 policy_dir_names, direction);
1528 return FAILED;
1529 }
1530 else if (out->sadb_msg_errno)
1531 {
1532 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1533 policy_dir_names, direction,
1534 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1535 free(out);
1536 return FAILED;
1537 }
1538 else if (parse_pfkey_message(out, &response) != SUCCESS)
1539 {
1540 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1541 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1542 free(out);
1543 return FAILED;
1544 }
1545
1546 this->mutex->lock(this->mutex);
1547
1548 /* we try to find the policy again and update the kernel index */
1549 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1550 {
1551 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1552 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1553 this->mutex->unlock(this->mutex);
1554 free(out);
1555 return SUCCESS;
1556 }
1557 policy->index = response.x_policy->sadb_x_policy_id;
1558 free(out);
1559
1560 /* install a route, if:
1561 * - we are NOT updating a policy
1562 * - this is a forward policy (to just get one for each child)
1563 * - we are in tunnel mode
1564 * - we are not using IPv6 (does not work correctly yet!)
1565 * - routing is not disabled via strongswan.conf
1566 */
1567 if (policy->route == NULL && direction == POLICY_FWD &&
1568 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1569 this->install_routes)
1570 {
1571 route_entry_t *route = malloc_thing(route_entry_t);
1572
1573 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1574 dst_ts, &route->src_ip) == SUCCESS)
1575 {
1576 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1577 route->gateway = charon->kernel_interface->get_nexthop(
1578 charon->kernel_interface, src);
1579 route->if_name = charon->kernel_interface->get_interface(
1580 charon->kernel_interface, dst);
1581 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1582 route->prefixlen = policy->src.mask;
1583
1584 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1585 route->dst_net, route->prefixlen, route->gateway,
1586 route->src_ip, route->if_name))
1587 {
1588 default:
1589 DBG1(DBG_KNL, "unable to install source route for %H",
1590 route->src_ip);
1591 /* FALL */
1592 case ALREADY_DONE:
1593 /* route exists, do not uninstall */
1594 route_entry_destroy(route);
1595 break;
1596 case SUCCESS:
1597 /* cache the installed route */
1598 policy->route = route;
1599 break;
1600 }
1601 }
1602 else
1603 {
1604 free(route);
1605 }
1606 }
1607
1608 this->mutex->unlock(this->mutex);
1609
1610 return SUCCESS;
1611 }
1612
1613 /**
1614 * Implementation of kernel_interface_t.query_policy.
1615 */
1616 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1617 traffic_selector_t *src_ts,
1618 traffic_selector_t *dst_ts,
1619 policy_dir_t direction, u_int32_t *use_time)
1620 {
1621 unsigned char request[PFKEY_BUFFER_SIZE];
1622 struct sadb_msg *msg, *out;
1623 struct sadb_x_policy *pol;
1624 struct sadb_address *addr;
1625 policy_entry_t *policy, *found = NULL;
1626 pfkey_msg_t response;
1627 size_t len;
1628
1629 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1630 policy_dir_names, direction);
1631
1632 /* create a policy */
1633 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1634
1635 /* find a matching policy */
1636 this->mutex->lock(this->mutex);
1637 if (this->policies->find_first(this->policies,
1638 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1639 {
1640 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1641 dst_ts, policy_dir_names, direction);
1642 policy_entry_destroy(policy);
1643 this->mutex->unlock(this->mutex);
1644 return NOT_FOUND;
1645 }
1646 policy_entry_destroy(policy);
1647 policy = found;
1648
1649 memset(&request, 0, sizeof(request));
1650
1651 msg = (struct sadb_msg*)request;
1652 msg->sadb_msg_version = PF_KEY_V2;
1653 msg->sadb_msg_type = SADB_X_SPDGET;
1654 msg->sadb_msg_satype = 0;
1655 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1656
1657 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1658 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1659 pol->sadb_x_policy_id = policy->index;
1660 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1661 pol->sadb_x_policy_dir = dir2kernel(direction);
1662 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1663 PFKEY_EXT_ADD(msg, pol);
1664
1665 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1666 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1667 addr->sadb_address_proto = policy->src.proto;
1668 addr->sadb_address_prefixlen = policy->src.mask;
1669 host2ext(policy->src.net, addr);
1670 PFKEY_EXT_ADD(msg, addr);
1671
1672 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1673 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1674 addr->sadb_address_proto = policy->dst.proto;
1675 addr->sadb_address_prefixlen = policy->dst.mask;
1676 host2ext(policy->dst.net, addr);
1677 PFKEY_EXT_ADD(msg, addr);
1678
1679 this->mutex->unlock(this->mutex);
1680
1681 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1682 {
1683 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1684 policy_dir_names, direction);
1685 return FAILED;
1686 }
1687 else if (out->sadb_msg_errno)
1688 {
1689 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1690 dst_ts, policy_dir_names, direction,
1691 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1692 free(out);
1693 return FAILED;
1694 }
1695 else if (parse_pfkey_message(out, &response) != SUCCESS)
1696 {
1697 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1698 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1699 free(out);
1700 return FAILED;
1701 }
1702
1703 *use_time = response.lft_current->sadb_lifetime_usetime;
1704
1705 free(out);
1706
1707 return SUCCESS;
1708 }
1709
1710 /**
1711 * Implementation of kernel_interface_t.del_policy.
1712 */
1713 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1714 traffic_selector_t *src_ts,
1715 traffic_selector_t *dst_ts,
1716 policy_dir_t direction)
1717 {
1718 unsigned char request[PFKEY_BUFFER_SIZE];
1719 struct sadb_msg *msg, *out;
1720 struct sadb_x_policy *pol;
1721 struct sadb_address *addr;
1722 policy_entry_t *policy, *found = NULL;
1723 route_entry_t *route;
1724 size_t len;
1725
1726 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1727 policy_dir_names, direction);
1728
1729 /* create a policy */
1730 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1731
1732 /* find a matching policy */
1733 this->mutex->lock(this->mutex);
1734 if (this->policies->find_first(this->policies,
1735 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1736 {
1737 if (--found->refcount > 0)
1738 {
1739 /* is used by more SAs, keep in kernel */
1740 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1741 policy_entry_destroy(policy);
1742 this->mutex->unlock(this->mutex);
1743 return SUCCESS;
1744 }
1745 /* remove if last reference */
1746 this->policies->remove(this->policies, found, NULL);
1747 policy_entry_destroy(policy);
1748 policy = found;
1749 }
1750 else
1751 {
1752 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1753 dst_ts, policy_dir_names, direction);
1754 policy_entry_destroy(policy);
1755 this->mutex->unlock(this->mutex);
1756 return NOT_FOUND;
1757 }
1758 this->mutex->unlock(this->mutex);
1759
1760 memset(&request, 0, sizeof(request));
1761
1762 msg = (struct sadb_msg*)request;
1763 msg->sadb_msg_version = PF_KEY_V2;
1764 msg->sadb_msg_type = SADB_X_SPDDELETE;
1765 msg->sadb_msg_satype = 0;
1766 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1767
1768 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1769 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1770 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1771 pol->sadb_x_policy_dir = dir2kernel(direction);
1772 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1773 PFKEY_EXT_ADD(msg, pol);
1774
1775 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1776 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1777 addr->sadb_address_proto = policy->src.proto;
1778 addr->sadb_address_prefixlen = policy->src.mask;
1779 host2ext(policy->src.net, addr);
1780 PFKEY_EXT_ADD(msg, addr);
1781
1782 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1783 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1784 addr->sadb_address_proto = policy->dst.proto;
1785 addr->sadb_address_prefixlen = policy->dst.mask;
1786 host2ext(policy->dst.net, addr);
1787 PFKEY_EXT_ADD(msg, addr);
1788
1789 route = policy->route;
1790 policy->route = NULL;
1791 policy_entry_destroy(policy);
1792
1793 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1794 {
1795 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1796 policy_dir_names, direction);
1797 return FAILED;
1798 }
1799 else if (out->sadb_msg_errno)
1800 {
1801 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
1802 dst_ts, policy_dir_names, direction,
1803 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1804 free(out);
1805 return FAILED;
1806 }
1807 free(out);
1808
1809 if (route)
1810 {
1811 if (charon->kernel_interface->del_route(charon->kernel_interface,
1812 route->dst_net, route->prefixlen, route->gateway,
1813 route->src_ip, route->if_name) != SUCCESS)
1814 {
1815 DBG1(DBG_KNL, "error uninstalling route installed with "
1816 "policy %R === %R %N", src_ts, dst_ts,
1817 policy_dir_names, direction);
1818 }
1819 route_entry_destroy(route);
1820 }
1821
1822 return SUCCESS;
1823 }
1824
1825 /**
1826 * Register a socket for AQUIRE/EXPIRE messages
1827 */
1828 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
1829 {
1830 unsigned char request[PFKEY_BUFFER_SIZE];
1831 struct sadb_msg *msg, *out;
1832 size_t len;
1833
1834 memset(&request, 0, sizeof(request));
1835
1836 msg = (struct sadb_msg*)request;
1837 msg->sadb_msg_version = PF_KEY_V2;
1838 msg->sadb_msg_type = SADB_REGISTER;
1839 msg->sadb_msg_satype = satype;
1840 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1841
1842 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
1843 {
1844 DBG1(DBG_KNL, "unable to register PF_KEY socket");
1845 return FAILED;
1846 }
1847 else if (out->sadb_msg_errno)
1848 {
1849 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
1850 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1851 free(out);
1852 return FAILED;
1853 }
1854 free(out);
1855 return SUCCESS;
1856 }
1857
1858 /**
1859 * Implementation of kernel_interface_t.destroy.
1860 */
1861 static void destroy(private_kernel_pfkey_ipsec_t *this)
1862 {
1863 this->job->cancel(this->job);
1864 close(this->socket);
1865 close(this->socket_events);
1866 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
1867 this->mutex->destroy(this->mutex);
1868 this->mutex_pfkey->destroy(this->mutex_pfkey);
1869 free(this);
1870 }
1871
1872 /*
1873 * Described in header.
1874 */
1875 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
1876 {
1877 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
1878
1879 /* public functions */
1880 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1881 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1882 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
1883 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
1884 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1885 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
1886 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1887 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1888
1889 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1890
1891 /* private members */
1892 this->policies = linked_list_create();
1893 this->mutex = mutex_create(MUTEX_DEFAULT);
1894 this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
1895 this->install_routes = lib->settings->get_bool(lib->settings,
1896 "charon.install_routes", TRUE);
1897 this->seq = 0;
1898
1899 /* create a PF_KEY socket to communicate with the kernel */
1900 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1901 if (this->socket <= 0)
1902 {
1903 charon->kill(charon, "unable to create PF_KEY socket");
1904 }
1905
1906 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
1907 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1908 if (this->socket_events <= 0)
1909 {
1910 charon->kill(charon, "unable to create PF_KEY event socket");
1911 }
1912
1913 /* register the event socket */
1914 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
1915 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
1916 {
1917 charon->kill(charon, "unable to register PF_KEY event socket");
1918 }
1919
1920 this->job = callback_job_create((callback_job_cb_t)receive_events,
1921 this, NULL, NULL);
1922 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1923
1924 return &this->public;
1925 }