projects / strongswan.git / blob
? search:


9c50746ac714d135b88254609bb1e72d6ccc7850
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2009 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef __FreeBSD__
21 #include <limits.h> /* for LONG_MAX */
22 #endif
23
24 #ifdef HAVE_NET_PFKEYV2_H
25 #include <net/pfkeyv2.h>
26 #else
27 #include <stdint.h>
28 #include <linux/pfkeyv2.h>
29 #endif
30
31 #ifdef SADB_X_EXT_NAT_T_TYPE
32 #define HAVE_NATT
33 #endif
34
35 #ifdef HAVE_NETIPSEC_IPSEC_H
36 #include <netipsec/ipsec.h>
37 #elif defined(HAVE_NETINET6_IPSEC_H)
38 #include <netinet6/ipsec.h>
39 #else
40 #include <linux/ipsec.h>
41 #endif
42
43 #ifdef HAVE_NATT
44 #ifdef HAVE_LINUX_UDP_H
45 #include <linux/udp.h>
46 #else
47 #include <netinet/udp.h>
48 #endif /*HAVE_LINUX_UDP_H*/
49 #endif /*HAVE_NATT*/
50
51 #include <unistd.h>
52 #include <time.h>
53 #include <errno.h>
54
55 #include "kernel_pfkey_ipsec.h"
56
57 #include <daemon.h>
58 #include <utils/host.h>
59 #include <threading/thread.h>
60 #include <threading/mutex.h>
61 #include <processing/jobs/callback_job.h>
62 #include <processing/jobs/acquire_job.h>
63 #include <processing/jobs/migrate_job.h>
64 #include <processing/jobs/rekey_child_sa_job.h>
65 #include <processing/jobs/delete_child_sa_job.h>
66 #include <processing/jobs/update_sa_job.h>
67
68 /** non linux specific */
69 #ifndef IPPROTO_COMP
70 #define IPPROTO_COMP IPPROTO_IPCOMP
71 #endif
72
73 #ifndef SADB_X_AALG_SHA2_256HMAC
74 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
75 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
76 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
77 #endif
78
79 #ifndef SADB_X_EALG_AESCBC
80 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
81 #endif
82
83 #ifndef SADB_X_EALG_CASTCBC
84 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
85 #endif
86
87 #ifndef SOL_IP
88 #define SOL_IP IPPROTO_IP
89 #define SOL_IPV6 IPPROTO_IPV6
90 #endif
91
92 /** from linux/in.h */
93 #ifndef IP_IPSEC_POLICY
94 #define IP_IPSEC_POLICY 16
95 #endif
96
97 /** missing on uclibc */
98 #ifndef IPV6_IPSEC_POLICY
99 #define IPV6_IPSEC_POLICY 34
100 #endif
101
102 /** default priority of installed policies */
103 #define PRIO_LOW 3000
104 #define PRIO_HIGH 2000
105
106 #ifdef __APPLE__
107 /** from xnu/bsd/net/pfkeyv2.h */
108 #define SADB_X_EXT_NATT 0x002
109 struct sadb_sa_2 {
110 struct sadb_sa sa;
111 u_int16_t sadb_sa_natt_port;
112 u_int16_t sadb_reserved0;
113 u_int32_t sadb_reserved1;
114 };
115 #endif
116
117 /** buffer size for PF_KEY messages */
118 #define PFKEY_BUFFER_SIZE 4096
119
120 /** PF_KEY messages are 64 bit aligned */
121 #define PFKEY_ALIGNMENT 8
122 /** aligns len to 64 bits */
123 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
124 /** calculates the properly padded length in 64 bit chunks */
125 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
126 /** calculates user mode length i.e. in bytes */
127 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
128
129 /** given a PF_KEY message header and an extension this updates the length in the header */
130 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
131 /** given a PF_KEY message header this returns a pointer to the next extension */
132 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
133 /** copy an extension and append it to a PF_KEY message */
134 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
135 /** given a PF_KEY extension this returns a pointer to the next extension */
136 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
137 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
138 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
139 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
140 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
141 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
142 (ext)->sadb_ext_len <= (len))
143
144 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
145
146 /**
147 * Private variables and functions of kernel_pfkey class.
148 */
149 struct private_kernel_pfkey_ipsec_t
150 {
151 /**
152 * Public part of the kernel_pfkey_t object.
153 */
154 kernel_pfkey_ipsec_t public;
155
156 /**
157 * mutex to lock access to various lists
158 */
159 mutex_t *mutex;
160
161 /**
162 * List of installed policies (policy_entry_t)
163 */
164 linked_list_t *policies;
165
166 /**
167 * whether to install routes along policies
168 */
169 bool install_routes;
170
171 /**
172 * job receiving PF_KEY events
173 */
174 callback_job_t *job;
175
176 /**
177 * mutex to lock access to the PF_KEY socket
178 */
179 mutex_t *mutex_pfkey;
180
181 /**
182 * PF_KEY socket to communicate with the kernel
183 */
184 int socket;
185
186 /**
187 * PF_KEY socket to receive acquire and expire events
188 */
189 int socket_events;
190
191 /**
192 * sequence number for messages sent to the kernel
193 */
194 int seq;
195 };
196
197 typedef struct route_entry_t route_entry_t;
198
199 /**
200 * installed routing entry
201 */
202 struct route_entry_t {
203 /** Name of the interface the route is bound to */
204 char *if_name;
205
206 /** Source ip of the route */
207 host_t *src_ip;
208
209 /** gateway for this route */
210 host_t *gateway;
211
212 /** Destination net */
213 chunk_t dst_net;
214
215 /** Destination net prefixlen */
216 u_int8_t prefixlen;
217 };
218
219 /**
220 * destroy an route_entry_t object
221 */
222 static void route_entry_destroy(route_entry_t *this)
223 {
224 free(this->if_name);
225 DESTROY_IF(this->src_ip);
226 DESTROY_IF(this->gateway);
227 chunk_free(&this->dst_net);
228 free(this);
229 }
230
231 typedef struct policy_entry_t policy_entry_t;
232
233 /**
234 * installed kernel policy.
235 */
236 struct policy_entry_t {
237
238 /** reqid of this policy */
239 u_int32_t reqid;
240
241 /** index assigned by the kernel */
242 u_int32_t index;
243
244 /** direction of this policy: in, out, forward */
245 u_int8_t direction;
246
247 /** parameters of installed policy */
248 struct {
249 /** subnet and port */
250 host_t *net;
251 /** subnet mask */
252 u_int8_t mask;
253 /** protocol */
254 u_int8_t proto;
255 } src, dst;
256
257 /** associated route installed for this policy */
258 route_entry_t *route;
259
260 /** by how many CHILD_SA's this policy is used */
261 u_int refcount;
262 };
263
264 /**
265 * create a policy_entry_t object
266 */
267 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
268 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
269 {
270 policy_entry_t *policy = malloc_thing(policy_entry_t);
271 policy->reqid = reqid;
272 policy->index = 0;
273 policy->direction = dir;
274 policy->route = NULL;
275 policy->refcount = 0;
276
277 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
278 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
279
280 /* src or dest proto may be "any" (0), use more restrictive one */
281 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
282 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
283 policy->dst.proto = policy->src.proto;
284
285 return policy;
286 }
287
288 /**
289 * destroy a policy_entry_t object
290 */
291 static void policy_entry_destroy(policy_entry_t *this)
292 {
293 DESTROY_IF(this->src.net);
294 DESTROY_IF(this->dst.net);
295 if (this->route)
296 {
297 route_entry_destroy(this->route);
298 }
299 free(this);
300 }
301
302 /**
303 * compares two policy_entry_t
304 */
305 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
306 {
307 return current->direction == policy->direction &&
308 current->src.proto == policy->src.proto &&
309 current->dst.proto == policy->dst.proto &&
310 current->src.mask == policy->src.mask &&
311 current->dst.mask == policy->dst.mask &&
312 current->src.net->equals(current->src.net, policy->src.net) &&
313 current->dst.net->equals(current->dst.net, policy->dst.net);
314 }
315
316 /**
317 * compare the given kernel index with that of a policy
318 */
319 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
320 {
321 return current->index == *index;
322 }
323
324 typedef struct pfkey_msg_t pfkey_msg_t;
325
326 struct pfkey_msg_t
327 {
328 /**
329 * PF_KEY message base
330 */
331 struct sadb_msg *msg;
332
333 /**
334 * PF_KEY message extensions
335 */
336 union {
337 struct sadb_ext *ext[SADB_EXT_MAX + 1];
338 struct {
339 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
340 struct sadb_sa *sa; /* SADB_EXT_SA */
341 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
342 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
343 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
344 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
345 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
346 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
347 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
348 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
349 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
350 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
351 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
352 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
353 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
354 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
355 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
356 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
357 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
358 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
359 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
360 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
361 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
362 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
363 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
364 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
365 } __attribute__((__packed__));
366 };
367 };
368
369 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
370 "SADB_EXT_RESERVED",
371 "SADB_EXT_SA",
372 "SADB_EXT_LIFETIME_CURRENT",
373 "SADB_EXT_LIFETIME_HARD",
374 "SADB_EXT_LIFETIME_SOFT",
375 "SADB_EXT_ADDRESS_SRC",
376 "SADB_EXT_ADDRESS_DST",
377 "SADB_EXT_ADDRESS_PROXY",
378 "SADB_EXT_KEY_AUTH",
379 "SADB_EXT_KEY_ENCRYPT",
380 "SADB_EXT_IDENTITY_SRC",
381 "SADB_EXT_IDENTITY_DST",
382 "SADB_EXT_SENSITIVITY",
383 "SADB_EXT_PROPOSAL",
384 "SADB_EXT_SUPPORTED_AUTH",
385 "SADB_EXT_SUPPORTED_ENCRYPT",
386 "SADB_EXT_SPIRANGE",
387 "SADB_X_EXT_KMPRIVATE",
388 "SADB_X_EXT_POLICY",
389 "SADB_X_EXT_SA2",
390 "SADB_X_EXT_NAT_T_TYPE",
391 "SADB_X_EXT_NAT_T_SPORT",
392 "SADB_X_EXT_NAT_T_DPORT",
393 "SADB_X_EXT_NAT_T_OA",
394 "SADB_X_EXT_SEC_CTX",
395 "SADB_X_EXT_KMADDRESS"
396 );
397
398 /**
399 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
400 */
401 static u_int8_t proto_ike2satype(protocol_id_t proto)
402 {
403 switch (proto)
404 {
405 case PROTO_ESP:
406 return SADB_SATYPE_ESP;
407 case PROTO_AH:
408 return SADB_SATYPE_AH;
409 case IPPROTO_COMP:
410 return SADB_X_SATYPE_IPCOMP;
411 default:
412 return proto;
413 }
414 }
415
416 /**
417 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
418 */
419 static protocol_id_t proto_satype2ike(u_int8_t proto)
420 {
421 switch (proto)
422 {
423 case SADB_SATYPE_ESP:
424 return PROTO_ESP;
425 case SADB_SATYPE_AH:
426 return PROTO_AH;
427 case SADB_X_SATYPE_IPCOMP:
428 return IPPROTO_COMP;
429 default:
430 return proto;
431 }
432 }
433
434 /**
435 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
436 */
437 static u_int8_t proto_ike2ip(protocol_id_t proto)
438 {
439 switch (proto)
440 {
441 case PROTO_ESP:
442 return IPPROTO_ESP;
443 case PROTO_AH:
444 return IPPROTO_AH;
445 default:
446 return proto;
447 }
448 }
449
450 /**
451 * convert the general ipsec mode to the one defined in ipsec.h
452 */
453 static u_int8_t mode2kernel(ipsec_mode_t mode)
454 {
455 switch (mode)
456 {
457 case MODE_TRANSPORT:
458 return IPSEC_MODE_TRANSPORT;
459 case MODE_TUNNEL:
460 return IPSEC_MODE_TUNNEL;
461 #ifdef HAVE_IPSEC_MODE_BEET
462 case MODE_BEET:
463 return IPSEC_MODE_BEET;
464 #endif
465 default:
466 return mode;
467 }
468 }
469
470 /**
471 * convert the general policy direction to the one defined in ipsec.h
472 */
473 static u_int8_t dir2kernel(policy_dir_t dir)
474 {
475 switch (dir)
476 {
477 case POLICY_IN:
478 return IPSEC_DIR_INBOUND;
479 case POLICY_OUT:
480 return IPSEC_DIR_OUTBOUND;
481 #ifdef HAVE_IPSEC_DIR_FWD
482 case POLICY_FWD:
483 return IPSEC_DIR_FWD;
484 #endif
485 default:
486 return IPSEC_DIR_INVALID;
487 }
488 }
489
490 #ifdef SADB_X_MIGRATE
491 /**
492 * convert the policy direction in ipsec.h to the general one.
493 */
494 static policy_dir_t kernel2dir(u_int8_t dir)
495 {
496 switch (dir)
497 {
498 case IPSEC_DIR_INBOUND:
499 return POLICY_IN;
500 case IPSEC_DIR_OUTBOUND:
501 return POLICY_OUT;
502 #ifdef HAVE_IPSEC_DIR_FWD
503 case IPSEC_DIR_FWD:
504 return POLICY_FWD;
505 #endif
506 default:
507 return dir;
508 }
509 }
510 #endif /*SADB_X_MIGRATE*/
511
512 typedef struct kernel_algorithm_t kernel_algorithm_t;
513
514 /**
515 * Mapping of IKEv2 algorithms to PF_KEY algorithms
516 */
517 struct kernel_algorithm_t {
518 /**
519 * Identifier specified in IKEv2
520 */
521 int ikev2;
522
523 /**
524 * Identifier as defined in pfkeyv2.h
525 */
526 int kernel;
527 };
528
529 #define END_OF_LIST -1
530
531 /**
532 * Algorithms for encryption
533 */
534 static kernel_algorithm_t encryption_algs[] = {
535 /* {ENCR_DES_IV64, 0 }, */
536 {ENCR_DES, SADB_EALG_DESCBC },
537 {ENCR_3DES, SADB_EALG_3DESCBC },
538 /* {ENCR_RC5, 0 }, */
539 /* {ENCR_IDEA, 0 }, */
540 {ENCR_CAST, SADB_X_EALG_CASTCBC },
541 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
542 /* {ENCR_3IDEA, 0 }, */
543 /* {ENCR_DES_IV32, 0 }, */
544 {ENCR_NULL, SADB_EALG_NULL },
545 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
546 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
547 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
548 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
549 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
550 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
551 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
552 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
553 {END_OF_LIST, 0 },
554 };
555
556 /**
557 * Algorithms for integrity protection
558 */
559 static kernel_algorithm_t integrity_algs[] = {
560 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
561 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
562 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
563 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
564 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
565 /* {AUTH_DES_MAC, 0, }, */
566 /* {AUTH_KPDK_MD5, 0, }, */
567 #ifdef SADB_X_AALG_AES_XCBC_MAC
568 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
569 #endif
570 {END_OF_LIST, 0, },
571 };
572
573 #if 0
574 /**
575 * Algorithms for IPComp, unused yet
576 */
577 static kernel_algorithm_t compression_algs[] = {
578 /* {IPCOMP_OUI, 0 }, */
579 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
580 {IPCOMP_LZS, SADB_X_CALG_LZS },
581 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
582 {END_OF_LIST, 0 },
583 };
584 #endif
585
586 /**
587 * Look up a kernel algorithm ID and its key size
588 */
589 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
590 {
591 while (list->ikev2 != END_OF_LIST)
592 {
593 if (ikev2 == list->ikev2)
594 {
595 return list->kernel;
596 }
597 list++;
598 }
599 return 0;
600 }
601
602 /**
603 * add a host behind a sadb_address extension
604 */
605 static void host2ext(host_t *host, struct sadb_address *ext)
606 {
607 sockaddr_t *host_addr = host->get_sockaddr(host);
608 socklen_t *len = host->get_sockaddr_len(host);
609 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
610 host_addr->sa_len = *len;
611 #endif
612 memcpy((char*)(ext + 1), host_addr, *len);
613 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
614 }
615
616 /**
617 * add a host to the given sadb_msg
618 */
619 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
620 u_int8_t proto, u_int8_t prefixlen)
621 {
622 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
623 addr->sadb_address_exttype = type;
624 addr->sadb_address_proto = proto;
625 addr->sadb_address_prefixlen = prefixlen;
626 host2ext(host, addr);
627 PFKEY_EXT_ADD(msg, addr);
628 }
629
630 /**
631 * adds an empty address extension to the given sadb_msg
632 */
633 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
634 {
635 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
636 sizeof(struct sockaddr_in6);
637 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
638 addr->sadb_address_exttype = type;
639 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
640 saddr->sa_family = family;
641 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
642 saddr->sa_len = len;
643 #endif
644 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
645 PFKEY_EXT_ADD(msg, addr);
646 }
647
648 #ifdef HAVE_NATT
649 /**
650 * add udp encap extensions to a sadb_msg
651 */
652 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
653 {
654 struct sadb_x_nat_t_type* nat_type;
655 struct sadb_x_nat_t_port* nat_port;
656
657 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
658 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
659 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
660 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
661 PFKEY_EXT_ADD(msg, nat_type);
662
663 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
664 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
665 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
666 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
667 PFKEY_EXT_ADD(msg, nat_port);
668
669 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
670 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
671 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
672 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
673 PFKEY_EXT_ADD(msg, nat_port);
674 }
675 #endif /*HAVE_NATT*/
676
677 /**
678 * Convert a sadb_address to a traffic_selector
679 */
680 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
681 {
682 traffic_selector_t *ts;
683 host_t *host;
684
685 /* The Linux 2.6 kernel does not set the protocol and port information
686 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
687 */
688 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
689 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
690 address->sadb_address_proto, host->get_port(host));
691 return ts;
692 }
693
694 /**
695 * Parses a pfkey message received from the kernel
696 */
697 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
698 {
699 struct sadb_ext* ext;
700 size_t len;
701
702 memset(out, 0, sizeof(pfkey_msg_t));
703 out->msg = msg;
704
705 len = msg->sadb_msg_len;
706 len -= PFKEY_LEN(sizeof(struct sadb_msg));
707
708 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
709
710 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
711 {
712 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
713 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
714 ext->sadb_ext_len > len)
715 {
716 DBG1(DBG_KNL, "length of %N extension is invalid",
717 sadb_ext_type_names, ext->sadb_ext_type);
718 break;
719 }
720
721 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
722 {
723 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
724 break;
725 }
726
727 if (out->ext[ext->sadb_ext_type])
728 {
729 DBG1(DBG_KNL, "duplicate %N extension",
730 sadb_ext_type_names, ext->sadb_ext_type);
731 break;
732 }
733
734 out->ext[ext->sadb_ext_type] = ext;
735 ext = PFKEY_EXT_NEXT_LEN(ext, len);
736 }
737
738 if (len)
739 {
740 DBG1(DBG_KNL, "PF_KEY message length is invalid");
741 return FAILED;
742 }
743
744 return SUCCESS;
745 }
746
747 /**
748 * Send a message to a specific PF_KEY socket and handle the response.
749 */
750 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
751 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
752 {
753 unsigned char buf[PFKEY_BUFFER_SIZE];
754 struct sadb_msg *msg;
755 int in_len, len;
756
757 this->mutex_pfkey->lock(this->mutex_pfkey);
758
759 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
760 * in particular the behavior in response to an SADB_ACQUIRE. */
761 in->sadb_msg_seq = ++this->seq;
762 in->sadb_msg_pid = getpid();
763
764 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
765
766 while (TRUE)
767 {
768 len = send(socket, in, in_len, 0);
769
770 if (len != in_len)
771 {
772 if (errno == EINTR)
773 {
774 /* interrupted, try again */
775 continue;
776 }
777 this->mutex_pfkey->unlock(this->mutex_pfkey);
778 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
779 return FAILED;
780 }
781 break;
782 }
783
784 while (TRUE)
785 {
786 msg = (struct sadb_msg*)buf;
787
788 len = recv(socket, buf, sizeof(buf), 0);
789
790 if (len < 0)
791 {
792 if (errno == EINTR)
793 {
794 DBG1(DBG_KNL, "got interrupted");
795 /* interrupted, try again */
796 continue;
797 }
798 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
799 this->mutex_pfkey->unlock(this->mutex_pfkey);
800 return FAILED;
801 }
802 if (len < sizeof(struct sadb_msg) ||
803 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
804 {
805 DBG1(DBG_KNL, "received corrupted PF_KEY message");
806 this->mutex_pfkey->unlock(this->mutex_pfkey);
807 return FAILED;
808 }
809 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
810 {
811 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
812 this->mutex_pfkey->unlock(this->mutex_pfkey);
813 return FAILED;
814 }
815 if (msg->sadb_msg_pid != in->sadb_msg_pid)
816 {
817 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
818 continue;
819 }
820 if (msg->sadb_msg_seq != this->seq)
821 {
822 DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
823 "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
824 if (msg->sadb_msg_seq == 0)
825 {
826 /* FreeBSD and Mac OS X do this for the response to
827 * SADB_X_SPDGET (but not for the response to SADB_GET).
828 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
829 }
830 else if (msg->sadb_msg_seq < this->seq)
831 {
832 continue;
833 }
834 else
835 {
836 this->mutex_pfkey->unlock(this->mutex_pfkey);
837 return FAILED;
838 }
839 }
840 if (msg->sadb_msg_type != in->sadb_msg_type)
841 {
842 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
843 "was %d expected %d, ignoring",
844 msg->sadb_msg_type, in->sadb_msg_type);
845 }
846 break;
847 }
848
849 *out_len = len;
850 *out = (struct sadb_msg*)malloc(len);
851 memcpy(*out, buf, len);
852
853 this->mutex_pfkey->unlock(this->mutex_pfkey);
854
855 return SUCCESS;
856 }
857
858 /**
859 * Send a message to the default PF_KEY socket and handle the response.
860 */
861 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
862 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
863 {
864 return pfkey_send_socket(this, this->socket, in, out, out_len);
865 }
866
867 /**
868 * Process a SADB_ACQUIRE message from the kernel
869 */
870 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
871 {
872 pfkey_msg_t response;
873 u_int32_t index, reqid = 0;
874 traffic_selector_t *src_ts, *dst_ts;
875 policy_entry_t *policy;
876 job_t *job;
877
878 switch (msg->sadb_msg_satype)
879 {
880 case SADB_SATYPE_UNSPEC:
881 case SADB_SATYPE_ESP:
882 case SADB_SATYPE_AH:
883 break;
884 default:
885 /* acquire for AH/ESP only */
886 return;
887 }
888 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
889
890 if (parse_pfkey_message(msg, &response) != SUCCESS)
891 {
892 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
893 return;
894 }
895
896 index = response.x_policy->sadb_x_policy_id;
897 this->mutex->lock(this->mutex);
898 if (this->policies->find_first(this->policies,
899 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
900 {
901 reqid = policy->reqid;
902 }
903 else
904 {
905 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
906 index);
907 }
908 src_ts = sadb_address2ts(response.src);
909 dst_ts = sadb_address2ts(response.dst);
910 this->mutex->unlock(this->mutex);
911
912 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
913 src_ts, dst_ts, reqid);
914 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
915 charon->processor->queue_job(charon->processor, job);
916 }
917
918 /**
919 * Process a SADB_EXPIRE message from the kernel
920 */
921 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
922 {
923 pfkey_msg_t response;
924 protocol_id_t protocol;
925 u_int32_t spi, reqid;
926 bool hard;
927 job_t *job;
928
929 DBG2(DBG_KNL, "received an SADB_EXPIRE");
930
931 if (parse_pfkey_message(msg, &response) != SUCCESS)
932 {
933 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
934 return;
935 }
936
937 protocol = proto_satype2ike(msg->sadb_msg_satype);
938 spi = response.sa->sadb_sa_spi;
939 reqid = response.x_sa2->sadb_x_sa2_reqid;
940 hard = response.lft_hard != NULL;
941
942 if (protocol != PROTO_ESP && protocol != PROTO_AH)
943 {
944 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
945 "which is not a CHILD_SA", ntohl(spi), reqid);
946 return;
947 }
948
949 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
950 hard ? "delete" : "rekey", protocol_id_names,
951 protocol, ntohl(spi), reqid);
952 if (hard)
953 {
954 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
955 }
956 else
957 {
958 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
959 }
960 charon->processor->queue_job(charon->processor, job);
961 }
962
963 #ifdef SADB_X_MIGRATE
964 /**
965 * Process a SADB_X_MIGRATE message from the kernel
966 */
967 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
968 {
969 pfkey_msg_t response;
970 traffic_selector_t *src_ts, *dst_ts;
971 policy_dir_t dir;
972 u_int32_t reqid = 0;
973 host_t *local = NULL, *remote = NULL;
974 job_t *job;
975
976 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
977
978 if (parse_pfkey_message(msg, &response) != SUCCESS)
979 {
980 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
981 return;
982 }
983 src_ts = sadb_address2ts(response.src);
984 dst_ts = sadb_address2ts(response.dst);
985 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
986 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
987 policy_dir_names, dir);
988
989 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
990 if (response.x_kmaddress)
991 {
992 sockaddr_t *local_addr, *remote_addr;
993 u_int32_t local_len;
994
995 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
996 local = host_create_from_sockaddr(local_addr);
997 local_len = (local_addr->sa_family == AF_INET6)?
998 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
999 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
1000 remote = host_create_from_sockaddr(remote_addr);
1001 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1002 }
1003
1004 if (src_ts && dst_ts && local && remote)
1005 {
1006 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
1007 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
1008 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
1009 local, remote);
1010 charon->processor->queue_job(charon->processor, job);
1011 }
1012 else
1013 {
1014 DESTROY_IF(src_ts);
1015 DESTROY_IF(dst_ts);
1016 DESTROY_IF(local);
1017 DESTROY_IF(remote);
1018 }
1019 }
1020 #endif /*SADB_X_MIGRATE*/
1021
1022 #ifdef HAVE_NATT
1023 /**
1024 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1025 */
1026 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
1027 {
1028 pfkey_msg_t response;
1029 u_int32_t spi, reqid;
1030 host_t *host;
1031 job_t *job;
1032
1033 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1034
1035 if (parse_pfkey_message(msg, &response) != SUCCESS)
1036 {
1037 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1038 return;
1039 }
1040
1041 if (!response.x_sa2)
1042 {
1043 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
1044 return;
1045 }
1046
1047 spi = response.sa->sadb_sa_spi;
1048 reqid = response.x_sa2->sadb_x_sa2_reqid;
1049
1050 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
1051 {
1052 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
1053 switch (sa->sa_family)
1054 {
1055 case AF_INET:
1056 {
1057 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1058 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1059 }
1060 case AF_INET6:
1061 {
1062 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1063 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1064 }
1065 default:
1066 break;
1067 }
1068 host = host_create_from_sockaddr(sa);
1069 if (host)
1070 {
1071 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
1072 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
1073 job = (job_t*)update_sa_job_create(reqid, host);
1074 charon->processor->queue_job(charon->processor, job);
1075 }
1076 }
1077 }
1078 #endif /*HAVE_NATT*/
1079
1080 /**
1081 * Receives events from kernel
1082 */
1083 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1084 {
1085 unsigned char buf[PFKEY_BUFFER_SIZE];
1086 struct sadb_msg *msg = (struct sadb_msg*)buf;
1087 int len;
1088 bool oldstate;
1089
1090 oldstate = thread_cancelability(TRUE);
1091 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1092 thread_cancelability(oldstate);
1093
1094 if (len < 0)
1095 {
1096 switch (errno)
1097 {
1098 case EINTR:
1099 /* interrupted, try again */
1100 return JOB_REQUEUE_DIRECT;
1101 case EAGAIN:
1102 /* no data ready, select again */
1103 return JOB_REQUEUE_DIRECT;
1104 default:
1105 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1106 sleep(1);
1107 return JOB_REQUEUE_FAIR;
1108 }
1109 }
1110
1111 if (len < sizeof(struct sadb_msg) ||
1112 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1113 {
1114 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1115 return JOB_REQUEUE_DIRECT;
1116 }
1117 if (msg->sadb_msg_pid != 0)
1118 { /* not from kernel. not interested, try another one */
1119 return JOB_REQUEUE_DIRECT;
1120 }
1121 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1122 {
1123 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
1124 return JOB_REQUEUE_DIRECT;
1125 }
1126
1127 switch (msg->sadb_msg_type)
1128 {
1129 case SADB_ACQUIRE:
1130 process_acquire(this, msg);
1131 break;
1132 case SADB_EXPIRE:
1133 process_expire(this, msg);
1134 break;
1135 #ifdef SADB_X_MIGRATE
1136 case SADB_X_MIGRATE:
1137 process_migrate(this, msg);
1138 break;
1139 #endif /*SADB_X_MIGRATE*/
1140 #ifdef HAVE_NATT
1141 case SADB_X_NAT_T_NEW_MAPPING:
1142 process_mapping(this, msg);
1143 break;
1144 #endif /*HAVE_NATT*/
1145 default:
1146 break;
1147 }
1148
1149 return JOB_REQUEUE_DIRECT;
1150 }
1151
1152 /**
1153 * Implementation of kernel_interface_t.get_spi.
1154 */
1155 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
1156 host_t *src, host_t *dst,
1157 protocol_id_t protocol, u_int32_t reqid,
1158 u_int32_t *spi)
1159 {
1160 unsigned char request[PFKEY_BUFFER_SIZE];
1161 struct sadb_msg *msg, *out;
1162 struct sadb_x_sa2 *sa2;
1163 struct sadb_spirange *range;
1164 pfkey_msg_t response;
1165 u_int32_t received_spi = 0;
1166 size_t len;
1167
1168 memset(&request, 0, sizeof(request));
1169
1170 msg = (struct sadb_msg*)request;
1171 msg->sadb_msg_version = PF_KEY_V2;
1172 msg->sadb_msg_type = SADB_GETSPI;
1173 msg->sadb_msg_satype = proto_ike2satype(protocol);
1174 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1175
1176 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1177 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1178 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1179 sa2->sadb_x_sa2_reqid = reqid;
1180 PFKEY_EXT_ADD(msg, sa2);
1181
1182 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1183 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1184
1185 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1186 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1187 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1188 range->sadb_spirange_min = 0xc0000000;
1189 range->sadb_spirange_max = 0xcFFFFFFF;
1190 PFKEY_EXT_ADD(msg, range);
1191
1192 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1193 {
1194 if (out->sadb_msg_errno)
1195 {
1196 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1197 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1198 }
1199 else if (parse_pfkey_message(out, &response) == SUCCESS)
1200 {
1201 received_spi = response.sa->sadb_sa_spi;
1202 }
1203 free(out);
1204 }
1205
1206 if (received_spi == 0)
1207 {
1208 return FAILED;
1209 }
1210
1211 *spi = received_spi;
1212 return SUCCESS;
1213 }
1214
1215 /**
1216 * Implementation of kernel_interface_t.get_cpi.
1217 */
1218 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
1219 host_t *src, host_t *dst,
1220 u_int32_t reqid, u_int16_t *cpi)
1221 {
1222 return FAILED;
1223 }
1224
1225 /**
1226 * Implementation of kernel_interface_t.add_sa.
1227 */
1228 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
1229 host_t *src, host_t *dst, u_int32_t spi,
1230 protocol_id_t protocol, u_int32_t reqid,
1231 lifetime_cfg_t *lifetime,
1232 u_int16_t enc_alg, chunk_t enc_key,
1233 u_int16_t int_alg, chunk_t int_key,
1234 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1235 bool encap, bool inbound, traffic_selector_t *src_ts,
1236 traffic_selector_t *dst_ts)
1237 {
1238 unsigned char request[PFKEY_BUFFER_SIZE];
1239 struct sadb_msg *msg, *out;
1240 struct sadb_sa *sa;
1241 struct sadb_x_sa2 *sa2;
1242 struct sadb_lifetime *lft;
1243 struct sadb_key *key;
1244 size_t len;
1245
1246 memset(&request, 0, sizeof(request));
1247
1248 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1249
1250 msg = (struct sadb_msg*)request;
1251 msg->sadb_msg_version = PF_KEY_V2;
1252 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1253 msg->sadb_msg_satype = proto_ike2satype(protocol);
1254 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1255
1256 #ifdef __APPLE__
1257 if (encap)
1258 {
1259 struct sadb_sa_2 *sa_2;
1260 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1261 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1262 sa = &sa_2->sa;
1263 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1264 len = sizeof(struct sadb_sa_2);
1265 }
1266 else
1267 #endif
1268 {
1269 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1270 len = sizeof(struct sadb_sa);
1271 }
1272 sa->sadb_sa_exttype = SADB_EXT_SA;
1273 sa->sadb_sa_len = PFKEY_LEN(len);
1274 sa->sadb_sa_spi = spi;
1275 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1276 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1277 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1278 PFKEY_EXT_ADD(msg, sa);
1279
1280 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1281 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1282 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1283 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1284 sa2->sadb_x_sa2_reqid = reqid;
1285 PFKEY_EXT_ADD(msg, sa2);
1286
1287 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1288 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1289
1290 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1291 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1292 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1293 lft->sadb_lifetime_allocations = lifetime->packets.rekey;
1294 lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
1295 lft->sadb_lifetime_addtime = lifetime->time.rekey;
1296 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1297 PFKEY_EXT_ADD(msg, lft);
1298
1299 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1300 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1301 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1302 lft->sadb_lifetime_allocations = lifetime->packets.life;
1303 lft->sadb_lifetime_bytes = lifetime->bytes.life;
1304 lft->sadb_lifetime_addtime = lifetime->time.life;
1305 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1306 PFKEY_EXT_ADD(msg, lft);
1307
1308 if (enc_alg != ENCR_UNDEFINED)
1309 {
1310 if (!sa->sadb_sa_encrypt)
1311 {
1312 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1313 encryption_algorithm_names, enc_alg);
1314 return FAILED;
1315 }
1316 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1317 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1318
1319 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1320 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1321 key->sadb_key_bits = enc_key.len * 8;
1322 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1323 memcpy(key + 1, enc_key.ptr, enc_key.len);
1324
1325 PFKEY_EXT_ADD(msg, key);
1326 }
1327
1328 if (int_alg != AUTH_UNDEFINED)
1329 {
1330 if (!sa->sadb_sa_auth)
1331 {
1332 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1333 integrity_algorithm_names, int_alg);
1334 return FAILED;
1335 }
1336 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1337 integrity_algorithm_names, int_alg, int_key.len * 8);
1338
1339 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1340 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1341 key->sadb_key_bits = int_key.len * 8;
1342 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1343 memcpy(key + 1, int_key.ptr, int_key.len);
1344
1345 PFKEY_EXT_ADD(msg, key);
1346 }
1347
1348 if (ipcomp != IPCOMP_NONE)
1349 {
1350 /*TODO*/
1351 }
1352
1353 #ifdef HAVE_NATT
1354 if (encap)
1355 {
1356 add_encap_ext(msg, src, dst);
1357 }
1358 #endif /*HAVE_NATT*/
1359
1360 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1361 {
1362 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1363 return FAILED;
1364 }
1365 else if (out->sadb_msg_errno)
1366 {
1367 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1368 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1369 free(out);
1370 return FAILED;
1371 }
1372
1373 free(out);
1374 return SUCCESS;
1375 }
1376
1377 /**
1378 * Implementation of kernel_interface_t.update_sa.
1379 */
1380 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1381 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1382 host_t *src, host_t *dst,
1383 host_t *new_src, host_t *new_dst,
1384 bool encap, bool new_encap)
1385 {
1386 unsigned char request[PFKEY_BUFFER_SIZE];
1387 struct sadb_msg *msg, *out;
1388 struct sadb_sa *sa;
1389 pfkey_msg_t response;
1390 size_t len;
1391
1392 /* we can't update the SA if any of the ip addresses have changed.
1393 * that's because we can't use SADB_UPDATE and by deleting and readding the
1394 * SA the sequence numbers would get lost */
1395 if (!src->ip_equals(src, new_src) ||
1396 !dst->ip_equals(dst, new_dst))
1397 {
1398 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
1399 " are not supported", ntohl(spi));
1400 return NOT_SUPPORTED;
1401 }
1402
1403 memset(&request, 0, sizeof(request));
1404
1405 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1406
1407 msg = (struct sadb_msg*)request;
1408 msg->sadb_msg_version = PF_KEY_V2;
1409 msg->sadb_msg_type = SADB_GET;
1410 msg->sadb_msg_satype = proto_ike2satype(protocol);
1411 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1412
1413 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1414 sa->sadb_sa_exttype = SADB_EXT_SA;
1415 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1416 sa->sadb_sa_spi = spi;
1417 PFKEY_EXT_ADD(msg, sa);
1418
1419 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1420 * it is not used for anything. */
1421 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1422 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1423
1424 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1425 {
1426 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1427 ntohl(spi));
1428 return FAILED;
1429 }
1430 else if (out->sadb_msg_errno)
1431 {
1432 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1433 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1434 free(out);
1435 return FAILED;
1436 }
1437 else if (parse_pfkey_message(out, &response) != SUCCESS)
1438 {
1439 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1440 "from kernel failed", ntohl(spi));
1441 free(out);
1442 return FAILED;
1443 }
1444
1445 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1446 ntohl(spi), src, dst, new_src, new_dst);
1447
1448 memset(&request, 0, sizeof(request));
1449
1450 msg = (struct sadb_msg*)request;
1451 msg->sadb_msg_version = PF_KEY_V2;
1452 msg->sadb_msg_type = SADB_UPDATE;
1453 msg->sadb_msg_satype = proto_ike2satype(protocol);
1454 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1455
1456 #ifdef __APPLE__
1457 {
1458 struct sadb_sa_2 *sa_2;
1459 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1460 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1461 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1462 if (encap)
1463 {
1464 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1465 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1466 }
1467 }
1468 #else
1469 PFKEY_EXT_COPY(msg, response.sa);
1470 #endif
1471 PFKEY_EXT_COPY(msg, response.x_sa2);
1472
1473 PFKEY_EXT_COPY(msg, response.src);
1474 PFKEY_EXT_COPY(msg, response.dst);
1475
1476 PFKEY_EXT_COPY(msg, response.lft_soft);
1477 PFKEY_EXT_COPY(msg, response.lft_hard);
1478
1479 if (response.key_encr)
1480 {
1481 PFKEY_EXT_COPY(msg, response.key_encr);
1482 }
1483
1484 if (response.key_auth)
1485 {
1486 PFKEY_EXT_COPY(msg, response.key_auth);
1487 }
1488
1489 #ifdef HAVE_NATT
1490 if (new_encap)
1491 {
1492 add_encap_ext(msg, new_src, new_dst);
1493 }
1494 #endif /*HAVE_NATT*/
1495
1496 free(out);
1497
1498 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1499 {
1500 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1501 return FAILED;
1502 }
1503 else if (out->sadb_msg_errno)
1504 {
1505 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1506 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1507 free(out);
1508 return FAILED;
1509 }
1510 free(out);
1511
1512 return SUCCESS;
1513 }
1514
1515 /**
1516 * Implementation of kernel_interface_t.query_sa.
1517 */
1518 static status_t query_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
1519 host_t *dst, u_int32_t spi, protocol_id_t protocol,
1520 u_int64_t *bytes)
1521 {
1522 unsigned char request[PFKEY_BUFFER_SIZE];
1523 struct sadb_msg *msg, *out;
1524 struct sadb_sa *sa;
1525 pfkey_msg_t response;
1526 size_t len;
1527
1528 memset(&request, 0, sizeof(request));
1529
1530 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1531
1532 msg = (struct sadb_msg*)request;
1533 msg->sadb_msg_version = PF_KEY_V2;
1534 msg->sadb_msg_type = SADB_GET;
1535 msg->sadb_msg_satype = proto_ike2satype(protocol);
1536 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1537
1538 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1539 sa->sadb_sa_exttype = SADB_EXT_SA;
1540 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1541 sa->sadb_sa_spi = spi;
1542 PFKEY_EXT_ADD(msg, sa);
1543
1544 /* the Linux Kernel doesn't care for the src address, but other systems do
1545 * (e.g. FreeBSD)
1546 */
1547 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1548 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1549
1550 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1551 {
1552 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1553 return FAILED;
1554 }
1555 else if (out->sadb_msg_errno)
1556 {
1557 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1558 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1559 free(out);
1560 return FAILED;
1561 }
1562 else if (parse_pfkey_message(out, &response) != SUCCESS)
1563 {
1564 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1565 free(out);
1566 return FAILED;
1567 }
1568 *bytes = response.lft_current->sadb_lifetime_bytes;
1569
1570 free(out);
1571 return SUCCESS;
1572 }
1573
1574 /**
1575 * Implementation of kernel_interface_t.del_sa.
1576 */
1577 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
1578 host_t *dst, u_int32_t spi, protocol_id_t protocol,
1579 u_int16_t cpi)
1580 {
1581 unsigned char request[PFKEY_BUFFER_SIZE];
1582 struct sadb_msg *msg, *out;
1583 struct sadb_sa *sa;
1584 size_t len;
1585
1586 memset(&request, 0, sizeof(request));
1587
1588 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1589
1590 msg = (struct sadb_msg*)request;
1591 msg->sadb_msg_version = PF_KEY_V2;
1592 msg->sadb_msg_type = SADB_DELETE;
1593 msg->sadb_msg_satype = proto_ike2satype(protocol);
1594 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1595
1596 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1597 sa->sadb_sa_exttype = SADB_EXT_SA;
1598 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1599 sa->sadb_sa_spi = spi;
1600 PFKEY_EXT_ADD(msg, sa);
1601
1602 /* the Linux Kernel doesn't care for the src address, but other systems do
1603 * (e.g. FreeBSD)
1604 */
1605 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1606 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1607
1608 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1609 {
1610 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1611 return FAILED;
1612 }
1613 else if (out->sadb_msg_errno)
1614 {
1615 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1616 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1617 free(out);
1618 return FAILED;
1619 }
1620
1621 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1622 free(out);
1623 return SUCCESS;
1624 }
1625
1626 /**
1627 * Implementation of kernel_interface_t.add_policy.
1628 */
1629 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1630 host_t *src, host_t *dst,
1631 traffic_selector_t *src_ts,
1632 traffic_selector_t *dst_ts,
1633 policy_dir_t direction, u_int32_t spi,
1634 protocol_id_t protocol, u_int32_t reqid,
1635 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1636 bool routed)
1637 {
1638 unsigned char request[PFKEY_BUFFER_SIZE];
1639 struct sadb_msg *msg, *out;
1640 struct sadb_x_policy *pol;
1641 struct sadb_x_ipsecrequest *req;
1642 policy_entry_t *policy, *found = NULL;
1643 pfkey_msg_t response;
1644 size_t len;
1645
1646 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1647 {
1648 /* FWD policies are not supported on all platforms */
1649 return SUCCESS;
1650 }
1651
1652 /* create a policy */
1653 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1654
1655 /* find a matching policy */
1656 this->mutex->lock(this->mutex);
1657 if (this->policies->find_first(this->policies,
1658 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1659 {
1660 /* use existing policy */
1661 found->refcount++;
1662 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1663 "refcount", src_ts, dst_ts,
1664 policy_dir_names, direction);
1665 policy_entry_destroy(policy);
1666 policy = found;
1667 }
1668 else
1669 {
1670 /* apply the new one, if we have no such policy */
1671 this->policies->insert_last(this->policies, policy);
1672 policy->refcount = 1;
1673 }
1674
1675 memset(&request, 0, sizeof(request));
1676
1677 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1678 policy_dir_names, direction);
1679
1680 msg = (struct sadb_msg*)request;
1681 msg->sadb_msg_version = PF_KEY_V2;
1682 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1683 msg->sadb_msg_satype = 0;
1684 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1685
1686 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1687 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1688 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1689 pol->sadb_x_policy_id = 0;
1690 pol->sadb_x_policy_dir = dir2kernel(direction);
1691 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1692 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1693 /* calculate priority based on source selector size, small size = high prio */
1694 pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
1695 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1696 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1697 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1698 #endif
1699
1700 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1701 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1702 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1703 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1704 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1705 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1706 req->sadb_x_ipsecrequest_reqid = reqid;
1707 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1708 if (mode == MODE_TUNNEL)
1709 {
1710 sockaddr_t *sa;
1711 socklen_t sl;
1712 sa = src->get_sockaddr(src);
1713 sl = *src->get_sockaddr_len(src);
1714 memcpy(req + 1, sa, sl);
1715 sa = dst->get_sockaddr(dst);
1716 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1717 req->sadb_x_ipsecrequest_len += sl * 2;
1718 }
1719
1720 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1721 PFKEY_EXT_ADD(msg, pol);
1722
1723 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1724 policy->src.mask);
1725 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1726 policy->dst.mask);
1727
1728 #ifdef __FreeBSD__
1729 { /* on FreeBSD a lifetime has to be defined to be able to later query
1730 * the current use time. */
1731 struct sadb_lifetime *lft;
1732 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1733 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1734 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1735 lft->sadb_lifetime_addtime = LONG_MAX;
1736 PFKEY_EXT_ADD(msg, lft);
1737 }
1738 #endif
1739
1740 this->mutex->unlock(this->mutex);
1741
1742 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1743 {
1744 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1745 policy_dir_names, direction);
1746 return FAILED;
1747 }
1748 else if (out->sadb_msg_errno)
1749 {
1750 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1751 policy_dir_names, direction,
1752 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1753 free(out);
1754 return FAILED;
1755 }
1756 else if (parse_pfkey_message(out, &response) != SUCCESS)
1757 {
1758 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1759 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1760 free(out);
1761 return FAILED;
1762 }
1763
1764 this->mutex->lock(this->mutex);
1765
1766 /* we try to find the policy again and update the kernel index */
1767 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1768 {
1769 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1770 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1771 this->mutex->unlock(this->mutex);
1772 free(out);
1773 return SUCCESS;
1774 }
1775 policy->index = response.x_policy->sadb_x_policy_id;
1776 free(out);
1777
1778 /* install a route, if:
1779 * - we are NOT updating a policy
1780 * - this is a forward policy (to just get one for each child)
1781 * - we are in tunnel mode
1782 * - we are not using IPv6 (does not work correctly yet!)
1783 * - routing is not disabled via strongswan.conf
1784 */
1785 if (policy->route == NULL && direction == POLICY_FWD &&
1786 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1787 this->install_routes)
1788 {
1789 route_entry_t *route = malloc_thing(route_entry_t);
1790
1791 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1792 dst_ts, &route->src_ip) == SUCCESS)
1793 {
1794 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1795 route->gateway = charon->kernel_interface->get_nexthop(
1796 charon->kernel_interface, src);
1797 route->if_name = charon->kernel_interface->get_interface(
1798 charon->kernel_interface, dst);
1799 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1800 route->prefixlen = policy->src.mask;
1801
1802 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1803 route->dst_net, route->prefixlen, route->gateway,
1804 route->src_ip, route->if_name))
1805 {
1806 default:
1807 DBG1(DBG_KNL, "unable to install source route for %H",
1808 route->src_ip);
1809 /* FALL */
1810 case ALREADY_DONE:
1811 /* route exists, do not uninstall */
1812 route_entry_destroy(route);
1813 break;
1814 case SUCCESS:
1815 /* cache the installed route */
1816 policy->route = route;
1817 break;
1818 }
1819 }
1820 else
1821 {
1822 free(route);
1823 }
1824 }
1825
1826 this->mutex->unlock(this->mutex);
1827
1828 return SUCCESS;
1829 }
1830
1831 /**
1832 * Implementation of kernel_interface_t.query_policy.
1833 */
1834 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1835 traffic_selector_t *src_ts,
1836 traffic_selector_t *dst_ts,
1837 policy_dir_t direction, u_int32_t *use_time)
1838 {
1839 unsigned char request[PFKEY_BUFFER_SIZE];
1840 struct sadb_msg *msg, *out;
1841 struct sadb_x_policy *pol;
1842 policy_entry_t *policy, *found = NULL;
1843 pfkey_msg_t response;
1844 size_t len;
1845
1846 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1847 {
1848 /* FWD policies are not supported on all platforms */
1849 return NOT_FOUND;
1850 }
1851
1852 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1853 policy_dir_names, direction);
1854
1855 /* create a policy */
1856 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1857
1858 /* find a matching policy */
1859 this->mutex->lock(this->mutex);
1860 if (this->policies->find_first(this->policies,
1861 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1862 {
1863 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1864 dst_ts, policy_dir_names, direction);
1865 policy_entry_destroy(policy);
1866 this->mutex->unlock(this->mutex);
1867 return NOT_FOUND;
1868 }
1869 policy_entry_destroy(policy);
1870 policy = found;
1871
1872 memset(&request, 0, sizeof(request));
1873
1874 msg = (struct sadb_msg*)request;
1875 msg->sadb_msg_version = PF_KEY_V2;
1876 msg->sadb_msg_type = SADB_X_SPDGET;
1877 msg->sadb_msg_satype = 0;
1878 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1879
1880 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1881 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1882 pol->sadb_x_policy_id = policy->index;
1883 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1884 pol->sadb_x_policy_dir = dir2kernel(direction);
1885 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1886 PFKEY_EXT_ADD(msg, pol);
1887
1888 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1889 policy->src.mask);
1890 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1891 policy->dst.mask);
1892
1893 this->mutex->unlock(this->mutex);
1894
1895 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1896 {
1897 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1898 policy_dir_names, direction);
1899 return FAILED;
1900 }
1901 else if (out->sadb_msg_errno)
1902 {
1903 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1904 dst_ts, policy_dir_names, direction,
1905 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1906 free(out);
1907 return FAILED;
1908 }
1909 else if (parse_pfkey_message(out, &response) != SUCCESS)
1910 {
1911 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1912 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1913 free(out);
1914 return FAILED;
1915 }
1916 else if (response.lft_current == NULL)
1917 {
1918 DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
1919 "use time", src_ts, dst_ts, policy_dir_names, direction);
1920 free(out);
1921 return FAILED;
1922 }
1923 /* we need the monotonic time, but the kernel returns system time. */
1924 if (response.lft_current->sadb_lifetime_usetime)
1925 {
1926 *use_time = time_monotonic(NULL) -
1927 (time(NULL) - response.lft_current->sadb_lifetime_usetime);
1928 }
1929 else
1930 {
1931 *use_time = 0;
1932 }
1933 free(out);
1934
1935 return SUCCESS;
1936 }
1937
1938 /**
1939 * Implementation of kernel_interface_t.del_policy.
1940 */
1941 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1942 traffic_selector_t *src_ts,
1943 traffic_selector_t *dst_ts,
1944 policy_dir_t direction, bool unrouted)
1945 {
1946 unsigned char request[PFKEY_BUFFER_SIZE];
1947 struct sadb_msg *msg, *out;
1948 struct sadb_x_policy *pol;
1949 policy_entry_t *policy, *found = NULL;
1950 route_entry_t *route;
1951 size_t len;
1952
1953 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1954 {
1955 /* FWD policies are not supported on all platforms */
1956 return SUCCESS;
1957 }
1958
1959 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1960 policy_dir_names, direction);
1961
1962 /* create a policy */
1963 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1964
1965 /* find a matching policy */
1966 this->mutex->lock(this->mutex);
1967 if (this->policies->find_first(this->policies,
1968 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1969 {
1970 if (--found->refcount > 0)
1971 {
1972 /* is used by more SAs, keep in kernel */
1973 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1974 policy_entry_destroy(policy);
1975 this->mutex->unlock(this->mutex);
1976 return SUCCESS;
1977 }
1978 /* remove if last reference */
1979 this->policies->remove(this->policies, found, NULL);
1980 policy_entry_destroy(policy);
1981 policy = found;
1982 }
1983 else
1984 {
1985 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1986 dst_ts, policy_dir_names, direction);
1987 policy_entry_destroy(policy);
1988 this->mutex->unlock(this->mutex);
1989 return NOT_FOUND;
1990 }
1991 this->mutex->unlock(this->mutex);
1992
1993 memset(&request, 0, sizeof(request));
1994
1995 msg = (struct sadb_msg*)request;
1996 msg->sadb_msg_version = PF_KEY_V2;
1997 msg->sadb_msg_type = SADB_X_SPDDELETE;
1998 msg->sadb_msg_satype = 0;
1999 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2000
2001 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2002 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2003 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2004 pol->sadb_x_policy_dir = dir2kernel(direction);
2005 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2006 PFKEY_EXT_ADD(msg, pol);
2007
2008 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2009 policy->src.mask);
2010 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2011 policy->dst.mask);
2012
2013 route = policy->route;
2014 policy->route = NULL;
2015 policy_entry_destroy(policy);
2016
2017 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2018 {
2019 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2020 policy_dir_names, direction);
2021 return FAILED;
2022 }
2023 else if (out->sadb_msg_errno)
2024 {
2025 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
2026 dst_ts, policy_dir_names, direction,
2027 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2028 free(out);
2029 return FAILED;
2030 }
2031 free(out);
2032
2033 if (route)
2034 {
2035 if (charon->kernel_interface->del_route(charon->kernel_interface,
2036 route->dst_net, route->prefixlen, route->gateway,
2037 route->src_ip, route->if_name) != SUCCESS)
2038 {
2039 DBG1(DBG_KNL, "error uninstalling route installed with "
2040 "policy %R === %R %N", src_ts, dst_ts,
2041 policy_dir_names, direction);
2042 }
2043 route_entry_destroy(route);
2044 }
2045
2046 return SUCCESS;
2047 }
2048
2049 /**
2050 * Register a socket for AQUIRE/EXPIRE messages
2051 */
2052 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
2053 {
2054 unsigned char request[PFKEY_BUFFER_SIZE];
2055 struct sadb_msg *msg, *out;
2056 size_t len;
2057
2058 memset(&request, 0, sizeof(request));
2059
2060 msg = (struct sadb_msg*)request;
2061 msg->sadb_msg_version = PF_KEY_V2;
2062 msg->sadb_msg_type = SADB_REGISTER;
2063 msg->sadb_msg_satype = satype;
2064 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2065
2066 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2067 {
2068 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2069 return FAILED;
2070 }
2071 else if (out->sadb_msg_errno)
2072 {
2073 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2074 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2075 free(out);
2076 return FAILED;
2077 }
2078 free(out);
2079 return SUCCESS;
2080 }
2081
2082 /**
2083 * Implementation of kernel_interface_t.destroy.
2084 */
2085 static void destroy(private_kernel_pfkey_ipsec_t *this)
2086 {
2087 this->job->cancel(this->job);
2088 close(this->socket);
2089 close(this->socket_events);
2090 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
2091 this->mutex->destroy(this->mutex);
2092 this->mutex_pfkey->destroy(this->mutex_pfkey);
2093 free(this);
2094 }
2095
2096 /**
2097 * Add bypass policies for IKE on the sockets of charon
2098 */
2099 static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
2100 {
2101 int fd, family, port;
2102 enumerator_t *sockets;
2103 bool status = TRUE;
2104
2105 sockets = charon->socket->create_enumerator(charon->socket);
2106 while (sockets->enumerate(sockets, &fd, &family, &port))
2107 {
2108 struct sadb_x_policy policy;
2109 u_int sol, ipsec_policy;
2110
2111 switch (family)
2112 {
2113 case AF_INET:
2114 {
2115 sol = SOL_IP;
2116 ipsec_policy = IP_IPSEC_POLICY;
2117 break;
2118 }
2119 case AF_INET6:
2120 {
2121 sol = SOL_IPV6;
2122 ipsec_policy = IPV6_IPSEC_POLICY;
2123 break;
2124 }
2125 default:
2126 continue;
2127 }
2128
2129 memset(&policy, 0, sizeof(policy));
2130 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
2131 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2132 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
2133
2134 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
2135 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2136 {
2137 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2138 strerror(errno));
2139 status = FALSE;
2140 break;
2141 }
2142 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
2143 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2144 {
2145 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2146 strerror(errno));
2147 status = FALSE;
2148 break;
2149 }
2150 }
2151 sockets->destroy(sockets);
2152 return status;
2153 }
2154
2155 /*
2156 * Described in header.
2157 */
2158 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
2159 {
2160 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
2161
2162 /* public functions */
2163 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2164 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
2165 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
2166 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
2167 this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
2168 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
2169 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
2170 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2171 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
2172
2173 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
2174
2175 /* private members */
2176 this->policies = linked_list_create();
2177 this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
2178 this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT);
2179 this->install_routes = lib->settings->get_bool(lib->settings,
2180 "charon.install_routes", TRUE);
2181 this->seq = 0;
2182
2183 /* create a PF_KEY socket to communicate with the kernel */
2184 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2185 if (this->socket <= 0)
2186 {
2187 charon->kill(charon, "unable to create PF_KEY socket");
2188 }
2189
2190 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2191 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2192 if (this->socket_events <= 0)
2193 {
2194 charon->kill(charon, "unable to create PF_KEY event socket");
2195 }
2196
2197 /* add bypass policies on the sockets used by charon */
2198 if (!add_bypass_policies(this))
2199 {
2200 charon->kill(charon, "unable to add bypass policies on sockets");
2201 }
2202
2203 /* register the event socket */
2204 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2205 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2206 {
2207 charon->kill(charon, "unable to register PF_KEY event socket");
2208 }
2209
2210 this->job = callback_job_create((callback_job_cb_t)receive_events,
2211 this, NULL, NULL);
2212 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2213
2214 return &this->public;
2215 }
strongSwan - IPsec VPN