projects / strongswan.git / blob
? search:


cb4d006caa387846115b2171f048d96cb97a8dcb
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * $Id$
16 */
17
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 #include <stdint.h>
21 #include <linux/ipsec.h>
22 #include <linux/pfkeyv2.h>
23 #include <linux/udp.h>
24 #include <unistd.h>
25 #include <pthread.h>
26 #include <errno.h>
27
28 #include "kernel_pfkey_ipsec.h"
29
30 #include <daemon.h>
31 #include <utils/host.h>
32 #include <processing/jobs/callback_job.h>
33 #include <processing/jobs/acquire_job.h>
34 #include <processing/jobs/rekey_child_sa_job.h>
35 #include <processing/jobs/delete_child_sa_job.h>
36 #include <processing/jobs/update_sa_job.h>
37
38 /** default priority of installed policies */
39 #define PRIO_LOW 3000
40 #define PRIO_HIGH 2000
41
42 /** buffer size for PF_KEY messages */
43 #define PFKEY_BUFFER_SIZE 4096
44
45 /** PF_KEY messages are 64 bit aligned */
46 #define PFKEY_ALIGNMENT 8
47 /** aligns len to 64 bits */
48 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
49 /** calculates the properly padded length in 64 bit chunks */
50 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
51 /** calculates user mode length i.e. in bytes */
52 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
53
54 /** given a PF_KEY message header and an extension this updates the length in the header */
55 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
56 /** given a PF_KEY message header this returns a pointer to the next extension */
57 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
58 /** copy an extension and append it to a PF_KEY message */
59 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
60 /** given a PF_KEY extension this returns a pointer to the next extension */
61 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
62 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
63 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
64 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
65 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
66 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
67 (ext)->sadb_ext_len <= (len))
68
69 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
70
71 /**
72 * Private variables and functions of kernel_pfkey class.
73 */
74 struct private_kernel_pfkey_ipsec_t
75 {
76 /**
77 * Public part of the kernel_pfkey_t object.
78 */
79 kernel_pfkey_ipsec_t public;
80
81 /**
82 * mutex to lock access to various lists
83 */
84 pthread_mutex_t mutex;
85
86 /**
87 * List of installed policies (policy_entry_t)
88 */
89 linked_list_t *policies;
90
91 /**
92 * whether to install routes along policies
93 */
94 bool install_routes;
95
96 /**
97 * job receiving PF_KEY events
98 */
99 callback_job_t *job;
100
101 /**
102 * mutex to lock access to the PF_KEY socket
103 */
104 pthread_mutex_t mutex_pfkey;
105
106
107 /**
108 * PF_KEY socket to communicate with the kernel
109 */
110 int socket;
111
112
113 /**
114 * PF_KEY socket to receive acquire and expire events
115 */
116 int socket_events;
117
118
119 /**
120 * sequence number for messages sent to the kernel
121 */
122 int seq;
123 };
124
125 typedef struct route_entry_t route_entry_t;
126
127 /**
128 * installed routing entry
129 */
130 struct route_entry_t {
131 /** Name of the interface the route is bound to */
132 char *if_name;
133
134 /** Source ip of the route */
135 host_t *src_ip;
136
137 /** gateway for this route */
138 host_t *gateway;
139
140 /** Destination net */
141 chunk_t dst_net;
142
143 /** Destination net prefixlen */
144 u_int8_t prefixlen;
145 };
146
147 /**
148 * destroy an route_entry_t object
149 */
150 static void route_entry_destroy(route_entry_t *this)
151 {
152 free(this->if_name);
153 this->src_ip->destroy(this->src_ip);
154 this->gateway->destroy(this->gateway);
155 chunk_free(&this->dst_net);
156 free(this);
157 }
158
159 typedef struct policy_entry_t policy_entry_t;
160
161 /**
162 * installed kernel policy.
163 */
164 struct policy_entry_t {
165
166 /** reqid of this policy */
167 u_int32_t reqid;
168
169 /** index assigned by the kernel */
170 u_int32_t index;
171
172 /** direction of this policy: in, out, forward */
173 u_int8_t direction;
174
175 /** parameters of installed policy */
176 struct {
177 /** subnet and port */
178 host_t *net;
179 /** subnet mask */
180 u_int8_t mask;
181 /** protocol */
182 u_int8_t proto;
183 } src, dst;
184
185 /** associated route installed for this policy */
186 route_entry_t *route;
187
188 /** by how many CHILD_SA's this policy is used */
189 u_int refcount;
190 };
191
192 /**
193 * create a policy_entry_t object
194 */
195 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
196 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
197 {
198 policy_entry_t *policy = malloc_thing(policy_entry_t);
199 policy->reqid = reqid;
200 policy->index = 0;
201 policy->direction = dir;
202 policy->route = NULL;
203 policy->refcount = 0;
204
205 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
206 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
207
208 /* src or dest proto may be "any" (0), use more restrictive one */
209 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
210 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
211 policy->dst.proto = policy->src.proto;
212
213 return policy;
214 }
215
216 /**
217 * destroy a policy_entry_t object
218 */
219 static void policy_entry_destroy(policy_entry_t *this)
220 {
221 DESTROY_IF(this->src.net);
222 DESTROY_IF(this->dst.net);
223 if (this->route)
224 {
225 route_entry_destroy(this->route);
226 }
227 free(this);
228 }
229
230 /**
231 * compares two policy_entry_t
232 */
233 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
234 {
235 return current->direction == policy->direction &&
236 current->src.proto == policy->src.proto &&
237 current->dst.proto == policy->dst.proto &&
238 current->src.mask == policy->src.mask &&
239 current->dst.mask == policy->dst.mask &&
240 current->src.net->equals(current->src.net, policy->src.net) &&
241 current->dst.net->equals(current->dst.net, policy->dst.net);
242 }
243
244 /**
245 * compare the given kernel index with that of a policy
246 */
247 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
248 {
249 return current->index == *index;
250 }
251
252 typedef struct pfkey_msg_t pfkey_msg_t;
253
254 struct pfkey_msg_t
255 {
256 /**
257 * PF_KEY message base
258 */
259 struct sadb_msg *msg;
260
261
262 /**
263 * PF_KEY message extensions
264 */
265 union {
266 struct sadb_ext *ext[SADB_EXT_MAX + 1];
267 struct {
268 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
269 struct sadb_sa *sa; /* SADB_EXT_SA */
270 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
271 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
272 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
273 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
274 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
275 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
276 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
277 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
278 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
279 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
280 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
281 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
282 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
283 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
284 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
285 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
286 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
287 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
288 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
289 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
290 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
291 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
292 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
293 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
294 } __attribute__((__packed__));
295 };
296 };
297
298 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
299 "SADB_EXT_RESERVED",
300 "SADB_EXT_SA",
301 "SADB_EXT_LIFETIME_CURRENT",
302 "SADB_EXT_LIFETIME_HARD",
303 "SADB_EXT_LIFETIME_SOFT",
304 "SADB_EXT_ADDRESS_SRC",
305 "SADB_EXT_ADDRESS_DST",
306 "SADB_EXT_ADDRESS_PROXY",
307 "SADB_EXT_KEY_AUTH",
308 "SADB_EXT_KEY_ENCRYPT",
309 "SADB_EXT_IDENTITY_SRC",
310 "SADB_EXT_IDENTITY_DST",
311 "SADB_EXT_SENSITIVITY",
312 "SADB_EXT_PROPOSAL",
313 "SADB_EXT_SUPPORTED_AUTH",
314 "SADB_EXT_SUPPORTED_ENCRYPT",
315 "SADB_EXT_SPIRANGE",
316 "SADB_X_EXT_KMPRIVATE",
317 "SADB_X_EXT_POLICY",
318 "SADB_X_EXT_SA2",
319 "SADB_X_EXT_NAT_T_TYPE",
320 "SADB_X_EXT_NAT_T_SPORT",
321 "SADB_X_EXT_NAT_T_DPORT",
322 "SADB_X_EXT_NAT_T_OA",
323 "SADB_X_EXT_SEC_CTX",
324 "SADB_X_EXT_KMADDRESS"
325 );
326 /**
327 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
328 */
329 static u_int8_t proto_ike2satype(protocol_id_t proto)
330 {
331 switch (proto)
332 {
333 case PROTO_ESP:
334 return SADB_SATYPE_ESP;
335 case PROTO_AH:
336 return SADB_SATYPE_AH;
337 case IPPROTO_COMP:
338 return SADB_X_SATYPE_IPCOMP;
339 default:
340 return proto;
341 }
342 }
343
344 /**
345 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
346 */
347 static protocol_id_t proto_satype2ike(u_int8_t proto)
348 {
349 switch (proto)
350 {
351 case SADB_SATYPE_ESP:
352 return PROTO_ESP;
353 case SADB_SATYPE_AH:
354 return PROTO_AH;
355 case SADB_X_SATYPE_IPCOMP:
356 return IPPROTO_COMP;
357 default:
358 return proto;
359 }
360 }
361
362 /**
363 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
364 */
365 static u_int8_t proto_ike2ip(protocol_id_t proto)
366 {
367 switch (proto)
368 {
369 case PROTO_ESP:
370 return IPPROTO_ESP;
371 case PROTO_AH:
372 return IPPROTO_AH;
373 default:
374 return proto;
375 }
376 }
377
378 /**
379 * convert the general ipsec mode to the one defined in ipsec.h
380 */
381 static u_int8_t mode2kernel(ipsec_mode_t mode)
382 {
383 switch (mode)
384 {
385 case MODE_TRANSPORT:
386 return IPSEC_MODE_TRANSPORT;
387 case MODE_TUNNEL:
388 return IPSEC_MODE_TUNNEL;
389 case MODE_BEET:
390 return IPSEC_MODE_BEET;
391 default:
392 return mode;
393 }
394 }
395
396 /**
397 * convert the general policy direction to the one defined in ipsec.h
398 */
399 static u_int8_t dir2kernel(policy_dir_t dir)
400 {
401 switch (dir)
402 {
403 case POLICY_IN:
404 return IPSEC_DIR_INBOUND;
405 case POLICY_OUT:
406 return IPSEC_DIR_OUTBOUND;
407 case POLICY_FWD:
408 return IPSEC_DIR_FWD;
409 default:
410 return dir;
411 }
412 }
413
414 typedef struct kernel_algorithm_t kernel_algorithm_t;
415
416 /**
417 * Mapping of IKEv2 algorithms to PF_KEY algorithms
418 */
419 struct kernel_algorithm_t {
420 /**
421 * Identifier specified in IKEv2
422 */
423 int ikev2;
424
425 /**
426 * Identifier as defined in pfkeyv2.h
427 */
428 int kernel;
429 };
430
431 #define END_OF_LIST -1
432
433 /**
434 * Algorithms for encryption
435 */
436 static kernel_algorithm_t encryption_algs[] = {
437 /* {ENCR_DES_IV64, 0 }, */
438 {ENCR_DES, SADB_EALG_DESCBC },
439 {ENCR_3DES, SADB_EALG_3DESCBC },
440 /* {ENCR_RC5, 0 }, */
441 /* {ENCR_IDEA, 0 }, */
442 {ENCR_CAST, SADB_X_EALG_CASTCBC },
443 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
444 /* {ENCR_3IDEA, 0 }, */
445 /* {ENCR_DES_IV32, 0 }, */
446 {ENCR_NULL, SADB_EALG_NULL },
447 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
448 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
449 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
450 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
451 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
452 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
453 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
454 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
455 {END_OF_LIST, 0 },
456 };
457
458 /**
459 * Algorithms for integrity protection
460 */
461 static kernel_algorithm_t integrity_algs[] = {
462 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
463 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
464 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
465 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
466 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
467 /* {AUTH_DES_MAC, 0, }, */
468 /* {AUTH_KPDK_MD5, 0, }, */
469 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
470 {END_OF_LIST, 0, },
471 };
472
473 /**
474 * Algorithms for IPComp
475 */
476 static kernel_algorithm_t compression_algs[] = {
477 /* {IPCOMP_OUI, 0 }, */
478 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
479 {IPCOMP_LZS, SADB_X_CALG_LZS },
480 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
481 {END_OF_LIST, 0 },
482 };
483
484 /**
485 * Look up a kernel algorithm ID and its key size
486 */
487 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
488 {
489 while (list->ikev2 != END_OF_LIST)
490 {
491 if (ikev2 == list->ikev2)
492 {
493 return list->kernel;
494 }
495 list++;
496 }
497 return 0;
498 }
499
500 /**
501 * add a host behind a sadb_address extension
502 */
503 static void host2ext(host_t *host, struct sadb_address *ext)
504 {
505 sockaddr_t *host_addr = host->get_sockaddr(host);
506 socklen_t *len = host->get_sockaddr_len(host);
507 memcpy((char*)(ext + 1), host_addr, *len);
508 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
509 }
510
511 /**
512 * add udp encap extensions to a sadb_msg
513 */
514 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
515 {
516 struct sadb_x_nat_t_type* nat_type;
517 struct sadb_x_nat_t_port* nat_port;
518
519 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
520 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
521 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
522 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
523 PFKEY_EXT_ADD(msg, nat_type);
524
525 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
526 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
527 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
528 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
529 PFKEY_EXT_ADD(msg, nat_port);
530
531 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
532 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
533 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
534 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
535 PFKEY_EXT_ADD(msg, nat_port);
536 }
537
538 /**
539 * Convert a sadb_address to a traffic_selector
540 */
541 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
542 {
543 traffic_selector_t *ts;
544 ts_type_t type;
545 chunk_t addr;
546 host_t *host;
547 u_int16_t port, from_port, to_port;
548
549 /* The Linux 2.6 kernel does not set the protocol and port information
550 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
551 */
552 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
553 type = (host->get_family(host) == AF_INET) ? TS_IPV4_ADDR_RANGE :
554 TS_IPV6_ADDR_RANGE;
555 addr = host->get_address(host);
556 port = host->get_port(host);
557 if (port == 0)
558 {
559 from_port = 0;
560 to_port = 65535;
561 }
562 else
563 {
564 from_port = to_port = port;
565 }
566 ts = traffic_selector_create_from_bytes(address->sadb_address_proto, type,
567 addr, from_port, addr, to_port);
568 host->destroy(host);
569 return ts;
570 }
571
572 /**
573 * Parses a pfkey message received from the kernel
574 */
575 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
576 {
577 struct sadb_ext* ext;
578 size_t len;
579
580 memset(out, 0, sizeof(pfkey_msg_t));
581 out->msg = msg;
582
583 len = msg->sadb_msg_len;
584 len -= PFKEY_LEN(sizeof(struct sadb_msg));
585
586 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
587
588 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
589 {
590 DBG2(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
591 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
592 ext->sadb_ext_len > len)
593 {
594 DBG1(DBG_KNL, "length of %N extension is invalid",
595 sadb_ext_type_names, ext->sadb_ext_type);
596 break;
597 }
598
599 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
600 {
601 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
602 break;
603 }
604
605 if (out->ext[ext->sadb_ext_type])
606 {
607 DBG1(DBG_KNL, "duplicate %N extension",
608 sadb_ext_type_names, ext->sadb_ext_type);
609 break;
610 }
611
612 out->ext[ext->sadb_ext_type] = ext;
613 ext = PFKEY_EXT_NEXT_LEN(ext, len);
614 }
615
616 if (len)
617 {
618 DBG1(DBG_KNL, "PF_KEY message length is invalid");
619 return FAILED;
620 }
621
622 return SUCCESS;
623 }
624
625 /**
626 * Send a message to a specific PF_KEY socket and handle the response.
627 */
628 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
629 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
630 {
631 unsigned char buf[PFKEY_BUFFER_SIZE];
632 struct sadb_msg *msg;
633 int in_len, len;
634
635 pthread_mutex_lock(&this->mutex_pfkey);
636
637 in->sadb_msg_seq = ++this->seq;
638 in->sadb_msg_pid = getpid();
639
640 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
641
642 while (TRUE)
643 {
644 len = send(socket, in, in_len, 0);
645
646 if (len != in_len)
647 {
648 if (errno == EINTR)
649 {
650 /* interrupted, try again */
651 continue;
652 }
653 pthread_mutex_unlock(&this->mutex_pfkey);
654 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
655 return FAILED;
656 }
657 break;
658 }
659
660 while (TRUE)
661 {
662 msg = (struct sadb_msg*)buf;
663
664 len = recv(socket, buf, sizeof(buf), 0);
665
666 if (len < 0)
667 {
668 if (errno == EINTR)
669 {
670 DBG1(DBG_KNL, "got interrupted");
671 /* interrupted, try again */
672 continue;
673 }
674 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
675 pthread_mutex_unlock(&this->mutex_pfkey);
676 return FAILED;
677 }
678 if (len < sizeof(struct sadb_msg) ||
679 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
680 {
681 DBG1(DBG_KNL, "received corrupted PF_KEY message");
682 pthread_mutex_unlock(&this->mutex_pfkey);
683 return FAILED;
684 }
685 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
686 {
687 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
688 pthread_mutex_unlock(&this->mutex_pfkey);
689 return FAILED;
690 }
691 if (msg->sadb_msg_pid != in->sadb_msg_pid)
692 {
693 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
694 continue;
695 }
696 if (msg->sadb_msg_seq != this->seq)
697 {
698 DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
699 "was %d expected %d", msg->sadb_msg_seq, this->seq);
700 if (msg->sadb_msg_seq < this->seq)
701 {
702 continue;
703 }
704 pthread_mutex_unlock(&this->mutex_pfkey);
705 return FAILED;
706 }
707 if (msg->sadb_msg_type != in->sadb_msg_type)
708 {
709 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
710 "was %d expected %d, ignoring",
711 msg->sadb_msg_type, in->sadb_msg_type);
712 }
713 break;
714 }
715
716 *out_len = len;
717 *out = (struct sadb_msg*)malloc(len);
718 memcpy(*out, buf, len);
719
720 pthread_mutex_unlock(&this->mutex_pfkey);
721
722 return SUCCESS;
723 }
724
725 /**
726 * Send a message to the default PF_KEY socket and handle the response.
727 */
728 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
729 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
730 {
731 return pfkey_send_socket(this, this->socket, in, out, out_len);
732 }
733
734 /**
735 * Process a SADB_ACQUIRE message from the kernel
736 */
737 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
738 {
739 pfkey_msg_t response;
740 u_int32_t index, reqid = 0;
741 traffic_selector_t *src_ts, *dst_ts;
742 policy_entry_t *policy;
743 job_t *job;
744
745 switch (msg->sadb_msg_satype)
746 {
747 case SADB_SATYPE_UNSPEC:
748 case SADB_SATYPE_ESP:
749 case SADB_SATYPE_AH:
750 break;
751 default:
752 /* acquire for AH/ESP only */
753 return;
754 }
755 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
756
757 if (parse_pfkey_message(msg, &response) != SUCCESS)
758 {
759 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
760 return;
761 }
762
763 index = response.x_policy->sadb_x_policy_id;
764 pthread_mutex_lock(&this->mutex);
765 if (this->policies->find_first(this->policies,
766 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
767 {
768 reqid = policy->reqid;
769 }
770 else
771 {
772 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
773 index);
774 }
775 src_ts = sadb_address2ts(response.src);
776 dst_ts = sadb_address2ts(response.dst);
777 pthread_mutex_unlock(&this->mutex);
778
779 DBG1(DBG_KNL, "creating acquire job %R === %R for CHILD_SA with reqid {%d}",
780 src_ts, dst_ts, reqid);
781 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
782 charon->processor->queue_job(charon->processor, job);
783 }
784
785 /**
786 * Process a SADB_EXPIRE message from the kernel
787 */
788 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
789 {
790 pfkey_msg_t response;
791 protocol_id_t protocol;
792 u_int32_t spi, reqid;
793 bool hard;
794 job_t *job;
795
796 DBG2(DBG_KNL, "received an SADB_EXPIRE");
797
798 if (parse_pfkey_message(msg, &response) != SUCCESS)
799 {
800 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
801 return;
802 }
803
804 protocol = proto_satype2ike(msg->sadb_msg_satype);
805 spi = response.sa->sadb_sa_spi;
806 reqid = response.x_sa2->sadb_x_sa2_reqid;
807 hard = response.lft_hard != NULL;
808
809 if (protocol != PROTO_ESP && protocol != PROTO_AH)
810 {
811 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%d} "
812 "which is not a CHILD_SA", ntohl(spi), reqid);
813 return;
814 }
815
816 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
817 hard ? "delete" : "rekey", protocol_id_names,
818 protocol, ntohl(spi), reqid);
819 if (hard)
820 {
821 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
822 }
823 else
824 {
825 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
826 }
827 charon->processor->queue_job(charon->processor, job);
828 }
829
830 /**
831 * Process a SADB_MIGRATE message from the kernel
832 */
833 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
834 {
835 pfkey_msg_t response;
836
837 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
838
839 if (parse_pfkey_message(msg, &response) != SUCCESS)
840 {
841 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
842 return;
843 }
844 }
845
846 /**
847 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
848 */
849 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
850 {
851 pfkey_msg_t response;
852 u_int32_t spi, reqid;
853 host_t *host;
854 job_t *job;
855
856 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
857
858 if (parse_pfkey_message(msg, &response) != SUCCESS)
859 {
860 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
861 return;
862 }
863
864 if (!response.x_sa2)
865 {
866 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
867 return;
868 }
869
870 spi = response.sa->sadb_sa_spi;
871 reqid = response.x_sa2->sadb_x_sa2_reqid;
872
873 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
874 {
875 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
876 switch (sa->sa_family)
877 {
878 case AF_INET:
879 {
880 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
881 sin->sin_port = response.x_natt_dport->sadb_x_nat_t_port_port;
882 }
883 case AF_INET6:
884 {
885 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
886 sin6->sin6_port = response.x_natt_dport->sadb_x_nat_t_port_port;
887 }
888 default:
889 break;
890 }
891 host = host_create_from_sockaddr(sa);
892 if (host)
893 {
894 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
895 "reqid {%d} changed, queuing update job", ntohl(spi), reqid);
896 job = (job_t*)update_sa_job_create(reqid, host);
897 charon->processor->queue_job(charon->processor, job);
898 }
899 }
900 }
901
902 /**
903 * Receives events from kernel
904 */
905 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
906 {
907 unsigned char buf[PFKEY_BUFFER_SIZE];
908 struct sadb_msg *msg = (struct sadb_msg*)buf;
909 int len, oldstate;
910
911 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
912 len = recv(this->socket_events, buf, sizeof(buf), 0);
913 pthread_setcancelstate(oldstate, NULL);
914
915 if (len < 0)
916 {
917 switch (errno)
918 {
919 case EINTR:
920 /* interrupted, try again */
921 return JOB_REQUEUE_DIRECT;
922 case EAGAIN:
923 /* no data ready, select again */
924 return JOB_REQUEUE_DIRECT;
925 default:
926 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
927 sleep(1);
928 return JOB_REQUEUE_FAIR;
929 }
930 }
931
932 if (len < sizeof(struct sadb_msg) ||
933 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
934 {
935 DBG2(DBG_KNL, "received corrupted PF_KEY message");
936 return JOB_REQUEUE_DIRECT;
937 }
938 if (msg->sadb_msg_pid != 0)
939 { /* not from kernel. not interested, try another one */
940 return JOB_REQUEUE_DIRECT;
941 }
942 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
943 {
944 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
945 return JOB_REQUEUE_DIRECT;
946 }
947
948 switch (msg->sadb_msg_type)
949 {
950 case SADB_ACQUIRE:
951 process_acquire(this, msg);
952 break;
953 case SADB_EXPIRE:
954 process_expire(this, msg);
955 break;
956 case SADB_X_MIGRATE:
957 process_migrate(this, msg);
958 break;
959 case SADB_X_NAT_T_NEW_MAPPING:
960 process_mapping(this, msg);
961 break;
962 default:
963 break;
964 }
965
966 return JOB_REQUEUE_DIRECT;
967 }
968
969 /**
970 * Implementation of kernel_interface_t.get_spi.
971 */
972 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
973 host_t *src, host_t *dst,
974 protocol_id_t protocol, u_int32_t reqid,
975 u_int32_t *spi)
976 {
977 unsigned char request[PFKEY_BUFFER_SIZE];
978 struct sadb_msg *msg, *out;
979 struct sadb_sa *sa;
980 struct sadb_x_sa2 *sa2;
981 struct sadb_address *addr;
982 struct sadb_spirange *range;
983 pfkey_msg_t response;
984 u_int32_t received_spi = 0;
985 size_t len;
986
987 memset(&request, 0, sizeof(request));
988
989 msg = (struct sadb_msg*)request;
990 msg->sadb_msg_version = PF_KEY_V2;
991 msg->sadb_msg_type = SADB_GETSPI;
992 msg->sadb_msg_satype = proto_ike2satype(protocol);
993 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
994
995 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
996 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
997 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
998 sa2->sadb_x_sa2_reqid = reqid;
999 PFKEY_EXT_ADD(msg, sa2);
1000
1001 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1002 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1003 host2ext(src, addr);
1004 PFKEY_EXT_ADD(msg, addr);
1005
1006 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1007 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1008 host2ext(dst, addr);
1009 PFKEY_EXT_ADD(msg, addr);
1010
1011 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1012 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1013 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1014 range->sadb_spirange_min = 0xc0000000;
1015 range->sadb_spirange_max = 0xcFFFFFFF;
1016 PFKEY_EXT_ADD(msg, range);
1017
1018 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1019 {
1020 if (out->sadb_msg_errno)
1021 {
1022 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1023 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1024 }
1025 else if (parse_pfkey_message(out, &response) == SUCCESS)
1026 {
1027 received_spi = response.sa->sadb_sa_spi;
1028 }
1029 free(out);
1030 }
1031
1032 if (received_spi == 0)
1033 {
1034 return FAILED;
1035 }
1036
1037 *spi = received_spi;
1038 return SUCCESS;
1039 }
1040
1041 /**
1042 * Implementation of kernel_interface_t.get_cpi.
1043 */
1044 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
1045 host_t *src, host_t *dst,
1046 u_int32_t reqid, u_int16_t *cpi)
1047 {
1048 return FAILED;
1049 }
1050
1051 /**
1052 * Implementation of kernel_interface_t.add_sa.
1053 */
1054 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
1055 host_t *src, host_t *dst, u_int32_t spi,
1056 protocol_id_t protocol, u_int32_t reqid,
1057 u_int64_t expire_soft, u_int64_t expire_hard,
1058 u_int16_t enc_alg, chunk_t enc_key,
1059 u_int16_t int_alg, chunk_t int_key,
1060 ipsec_mode_t mode, u_int16_t ipcomp, bool encap,
1061 bool replace)
1062 {
1063 unsigned char request[PFKEY_BUFFER_SIZE];
1064 struct sadb_msg *msg, *out;
1065 struct sadb_sa *sa;
1066 struct sadb_x_sa2 *sa2;
1067 struct sadb_address *addr;
1068 struct sadb_lifetime *lft;
1069 struct sadb_key *key;
1070 size_t len;
1071
1072 memset(&request, 0, sizeof(request));
1073
1074 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
1075
1076 msg = (struct sadb_msg*)request;
1077 msg->sadb_msg_version = PF_KEY_V2;
1078 msg->sadb_msg_type = replace ? SADB_UPDATE : SADB_ADD;
1079 msg->sadb_msg_satype = proto_ike2satype(protocol);
1080 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1081
1082 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1083 sa->sadb_sa_exttype = SADB_EXT_SA;
1084 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1085 sa->sadb_sa_spi = spi;
1086 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1087 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1088 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1089 PFKEY_EXT_ADD(msg, sa);
1090
1091 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1092 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1093 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1094 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1095 sa2->sadb_x_sa2_reqid = reqid;
1096 PFKEY_EXT_ADD(msg, sa2);
1097
1098 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1099 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1100 host2ext(src, addr);
1101 PFKEY_EXT_ADD(msg, addr);
1102
1103 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1104 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1105 host2ext(dst, addr);
1106 PFKEY_EXT_ADD(msg, addr);
1107
1108 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1109 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1110 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1111 lft->sadb_lifetime_addtime = expire_soft;
1112 PFKEY_EXT_ADD(msg, lft);
1113
1114 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1115 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1116 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1117 lft->sadb_lifetime_addtime = expire_hard;
1118 PFKEY_EXT_ADD(msg, lft);
1119
1120 if (enc_alg != ENCR_UNDEFINED)
1121 {
1122 if (!sa->sadb_sa_encrypt)
1123 {
1124 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1125 encryption_algorithm_names, enc_alg);
1126 return FAILED;
1127 }
1128 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1129 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1130
1131 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1132 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1133 key->sadb_key_bits = enc_key.len * 8;
1134 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1135 memcpy(key + 1, enc_key.ptr, enc_key.len);
1136
1137 PFKEY_EXT_ADD(msg, key);
1138 }
1139
1140 if (int_alg != AUTH_UNDEFINED)
1141 {
1142 if (!sa->sadb_sa_auth)
1143 {
1144 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1145 integrity_algorithm_names, int_alg);
1146 return FAILED;
1147 }
1148 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1149 integrity_algorithm_names, int_alg, int_key.len * 8);
1150
1151 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1152 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1153 key->sadb_key_bits = int_key.len * 8;
1154 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1155 memcpy(key + 1, int_key.ptr, int_key.len);
1156
1157 PFKEY_EXT_ADD(msg, key);
1158 }
1159
1160 if (ipcomp != IPCOMP_NONE)
1161 {
1162 /*TODO*/
1163 }
1164
1165 if (encap)
1166 {
1167 add_encap_ext(msg, src, dst);
1168 }
1169
1170 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1171 {
1172 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1173 return FAILED;
1174 }
1175 else if (out->sadb_msg_errno)
1176 {
1177 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1178 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1179 free(out);
1180 return FAILED;
1181 }
1182
1183 free(out);
1184 return SUCCESS;
1185 }
1186
1187 /**
1188 * Implementation of kernel_interface_t.update_sa.
1189 */
1190 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1191 u_int32_t spi, protocol_id_t protocol,
1192 host_t *src, host_t *dst,
1193 host_t *new_src, host_t *new_dst, bool encap)
1194 {
1195 unsigned char request[PFKEY_BUFFER_SIZE];
1196 struct sadb_msg *msg, *out;
1197 struct sadb_sa *sa;
1198 struct sadb_address *addr;
1199 pfkey_msg_t response;
1200 size_t len;
1201
1202 memset(&request, 0, sizeof(request));
1203
1204 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1205
1206 msg = (struct sadb_msg*)request;
1207 msg->sadb_msg_version = PF_KEY_V2;
1208 msg->sadb_msg_type = SADB_GET;
1209 msg->sadb_msg_satype = proto_ike2satype(protocol);
1210 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1211
1212 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1213 sa->sadb_sa_exttype = SADB_EXT_SA;
1214 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1215 sa->sadb_sa_spi = spi;
1216 PFKEY_EXT_ADD(msg, sa);
1217
1218 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1219 * it is not used for anything, so we just send dst twice */
1220 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1221 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1222 host2ext(dst, addr);
1223 PFKEY_EXT_ADD(msg, addr);
1224
1225 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1226 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1227 host2ext(dst, addr);
1228 PFKEY_EXT_ADD(msg, addr);
1229
1230 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1231 {
1232 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1233 ntohl(spi));
1234 return FAILED;
1235 }
1236 else if (out->sadb_msg_errno)
1237 {
1238 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1239 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1240 free(out);
1241 return FAILED;
1242 }
1243 else if (parse_pfkey_message(out, &response) != SUCCESS)
1244 {
1245 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1246 "from kernel failed", ntohl(spi));
1247 free(out);
1248 return FAILED;
1249 }
1250
1251 /* delete the old SA */
1252 if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
1253 {
1254 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1255 free(out);
1256 return FAILED;
1257 }
1258
1259 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1260 ntohl(spi), src, dst, new_src, new_dst);
1261
1262 memset(&request, 0, sizeof(request));
1263
1264 msg = (struct sadb_msg*)request;
1265 msg->sadb_msg_version = PF_KEY_V2;
1266 msg->sadb_msg_type = SADB_ADD;
1267 msg->sadb_msg_satype = proto_ike2satype(protocol);
1268 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1269
1270 PFKEY_EXT_COPY(msg, response.sa);
1271 PFKEY_EXT_COPY(msg, response.x_sa2);
1272
1273 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1274 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1275 host2ext(new_src, addr);
1276 PFKEY_EXT_ADD(msg, addr);
1277
1278 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1279 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1280 host2ext(new_dst, addr);
1281 PFKEY_EXT_ADD(msg, addr);
1282
1283 PFKEY_EXT_COPY(msg, response.lft_soft);
1284 PFKEY_EXT_COPY(msg, response.lft_hard);
1285
1286 if (response.key_encr)
1287 {
1288 PFKEY_EXT_COPY(msg, response.key_encr);
1289 }
1290
1291 if (response.key_auth)
1292 {
1293 PFKEY_EXT_COPY(msg, response.key_auth);
1294 }
1295
1296 if (encap)
1297 {
1298 add_encap_ext(msg, new_src, new_dst);
1299 }
1300
1301 free(out);
1302
1303 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1304 {
1305 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1306 return FAILED;
1307 }
1308 else if (out->sadb_msg_errno)
1309 {
1310 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1311 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1312 free(out);
1313 return FAILED;
1314 }
1315 free(out);
1316
1317 return SUCCESS;
1318 }
1319
1320 /**
1321 * Implementation of kernel_interface_t.del_sa.
1322 */
1323 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
1324 u_int32_t spi, protocol_id_t protocol)
1325 {
1326 unsigned char request[PFKEY_BUFFER_SIZE];
1327 struct sadb_msg *msg, *out;
1328 struct sadb_sa *sa;
1329 struct sadb_address *addr;
1330 size_t len;
1331
1332 memset(&request, 0, sizeof(request));
1333
1334 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1335
1336 msg = (struct sadb_msg*)request;
1337 msg->sadb_msg_version = PF_KEY_V2;
1338 msg->sadb_msg_type = SADB_DELETE;
1339 msg->sadb_msg_satype = proto_ike2satype(protocol);
1340 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1341
1342 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1343 sa->sadb_sa_exttype = SADB_EXT_SA;
1344 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1345 sa->sadb_sa_spi = spi;
1346 PFKEY_EXT_ADD(msg, sa);
1347
1348 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1349 * it is not used for anything, so we just send dst twice */
1350 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1351 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1352 host2ext(dst, addr);
1353 PFKEY_EXT_ADD(msg, addr);
1354
1355 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1356 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1357 host2ext(dst, addr);
1358 PFKEY_EXT_ADD(msg, addr);
1359
1360 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1361 {
1362 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1363 return FAILED;
1364 }
1365 else if (out->sadb_msg_errno)
1366 {
1367 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1368 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1369 free(out);
1370 return FAILED;
1371 }
1372
1373 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1374 free(out);
1375 return SUCCESS;
1376 }
1377
1378 /**
1379 * Implementation of kernel_interface_t.add_policy.
1380 */
1381 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1382 host_t *src, host_t *dst,
1383 traffic_selector_t *src_ts,
1384 traffic_selector_t *dst_ts,
1385 policy_dir_t direction, protocol_id_t protocol,
1386 u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
1387 u_int16_t ipcomp)
1388 {
1389 unsigned char request[PFKEY_BUFFER_SIZE];
1390 struct sadb_msg *msg, *out;
1391 struct sadb_x_policy *pol;
1392 struct sadb_address *addr;
1393 struct sadb_x_ipsecrequest *req;
1394 policy_entry_t *policy, *found = NULL;
1395 pfkey_msg_t response;
1396 size_t len;
1397
1398 /* create a policy */
1399 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1400
1401 /* find a matching policy */
1402 pthread_mutex_lock(&this->mutex);
1403 if (this->policies->find_first(this->policies,
1404 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1405 {
1406 /* use existing policy */
1407 found->refcount++;
1408 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1409 "refcount", src_ts, dst_ts,
1410 policy_dir_names, direction);
1411 policy_entry_destroy(policy);
1412 policy = found;
1413 }
1414 else
1415 {
1416 /* apply the new one, if we have no such policy */
1417 this->policies->insert_last(this->policies, policy);
1418 policy->refcount = 1;
1419 }
1420
1421 memset(&request, 0, sizeof(request));
1422
1423 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1424 policy_dir_names, direction);
1425
1426 msg = (struct sadb_msg*)request;
1427 msg->sadb_msg_version = PF_KEY_V2;
1428 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1429 msg->sadb_msg_satype = 0;
1430 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1431
1432 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1433 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1434 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1435 pol->sadb_x_policy_id = 0;
1436 pol->sadb_x_policy_dir = dir2kernel(direction);
1437 /* calculate priority based on source selector size, small size = high prio */
1438 pol->sadb_x_policy_priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1439 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1440 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1441 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1442 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1443
1444 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1445 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1446 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1447 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1448 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1449 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1450 req->sadb_x_ipsecrequest_reqid = reqid;
1451 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1452 if (mode == MODE_TUNNEL)
1453 {
1454 sockaddr_t *sa;
1455 socklen_t sl;
1456 sa = src->get_sockaddr(src);
1457 sl = *src->get_sockaddr_len(src);
1458 memcpy(req + 1, sa, sl);
1459 sa = dst->get_sockaddr(dst);
1460 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1461 req->sadb_x_ipsecrequest_len += sl * 2;
1462 }
1463
1464 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1465 PFKEY_EXT_ADD(msg, pol);
1466
1467 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1468 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1469 addr->sadb_address_proto = policy->src.proto;
1470 addr->sadb_address_prefixlen = policy->src.mask;
1471 host2ext(policy->src.net, addr);
1472 PFKEY_EXT_ADD(msg, addr);
1473
1474 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1475 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1476 addr->sadb_address_proto = policy->dst.proto;
1477 addr->sadb_address_prefixlen = policy->dst.mask;
1478 host2ext(policy->dst.net, addr);
1479 PFKEY_EXT_ADD(msg, addr);
1480
1481 pthread_mutex_unlock(&this->mutex);
1482
1483 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1484 {
1485 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1486 policy_dir_names, direction);
1487 return FAILED;
1488 }
1489 else if (out->sadb_msg_errno)
1490 {
1491 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1492 policy_dir_names, direction,
1493 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1494 free(out);
1495 return FAILED;
1496 }
1497 else if (parse_pfkey_message(out, &response) != SUCCESS)
1498 {
1499 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1500 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1501 free(out);
1502 return FAILED;
1503 }
1504
1505 pthread_mutex_lock(&this->mutex);
1506
1507 /* we try to find the policy again and update the kernel index */
1508 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1509 {
1510 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1511 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1512 pthread_mutex_unlock(&this->mutex);
1513 free(out);
1514 return SUCCESS;
1515 }
1516 policy->index = response.x_policy->sadb_x_policy_id;
1517 free(out);
1518
1519 /* install a route, if:
1520 * - we are NOT updating a policy
1521 * - this is a forward policy (to just get one for each child)
1522 * - we are in tunnel mode
1523 * - we are not using IPv6 (does not work correctly yet!)
1524 * - routing is not disabled via strongswan.conf
1525 */
1526 if (policy->route == NULL && direction == POLICY_FWD &&
1527 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1528 this->install_routes)
1529 {
1530 route_entry_t *route = malloc_thing(route_entry_t);
1531
1532 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1533 dst_ts, &route->src_ip) == SUCCESS)
1534 {
1535 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1536 route->gateway = charon->kernel_interface->get_nexthop(
1537 charon->kernel_interface, src);
1538 route->if_name = charon->kernel_interface->get_interface(
1539 charon->kernel_interface, dst);
1540 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1541 route->prefixlen = policy->src.mask;
1542
1543 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1544 route->dst_net, route->prefixlen, route->gateway,
1545 route->src_ip, route->if_name))
1546 {
1547 default:
1548 DBG1(DBG_KNL, "unable to install source route for %H",
1549 route->src_ip);
1550 /* FALL */
1551 case ALREADY_DONE:
1552 /* route exists, do not uninstall */
1553 route_entry_destroy(route);
1554 break;
1555 case SUCCESS:
1556 /* cache the installed route */
1557 policy->route = route;
1558 break;
1559 }
1560 }
1561 else
1562 {
1563 free(route);
1564 }
1565 }
1566
1567 pthread_mutex_unlock(&this->mutex);
1568
1569 return SUCCESS;
1570 }
1571
1572 /**
1573 * Implementation of kernel_interface_t.query_policy.
1574 */
1575 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1576 traffic_selector_t *src_ts,
1577 traffic_selector_t *dst_ts,
1578 policy_dir_t direction, u_int32_t *use_time)
1579 {
1580 unsigned char request[PFKEY_BUFFER_SIZE];
1581 struct sadb_msg *msg, *out;
1582 struct sadb_x_policy *pol;
1583 struct sadb_address *addr;
1584 policy_entry_t *policy, *found = NULL;
1585 pfkey_msg_t response;
1586 size_t len;
1587
1588 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1589 policy_dir_names, direction);
1590
1591 /* create a policy */
1592 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1593
1594 /* find a matching policy */
1595 pthread_mutex_lock(&this->mutex);
1596 if (this->policies->find_first(this->policies,
1597 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1598 {
1599 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1600 dst_ts, policy_dir_names, direction);
1601 policy_entry_destroy(policy);
1602 pthread_mutex_unlock(&this->mutex);
1603 return NOT_FOUND;
1604 }
1605 policy_entry_destroy(policy);
1606 policy = found;
1607
1608 memset(&request, 0, sizeof(request));
1609
1610 msg = (struct sadb_msg*)request;
1611 msg->sadb_msg_version = PF_KEY_V2;
1612 msg->sadb_msg_type = SADB_X_SPDGET;
1613 msg->sadb_msg_satype = 0;
1614 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1615
1616 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1617 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1618 pol->sadb_x_policy_id = policy->index;
1619 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1620 pol->sadb_x_policy_dir = dir2kernel(direction);
1621 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1622 PFKEY_EXT_ADD(msg, pol);
1623
1624 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1625 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1626 addr->sadb_address_proto = policy->src.proto;
1627 addr->sadb_address_prefixlen = policy->src.mask;
1628 host2ext(policy->src.net, addr);
1629 PFKEY_EXT_ADD(msg, addr);
1630
1631 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1632 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1633 addr->sadb_address_proto = policy->dst.proto;
1634 addr->sadb_address_prefixlen = policy->dst.mask;
1635 host2ext(policy->dst.net, addr);
1636 PFKEY_EXT_ADD(msg, addr);
1637
1638 pthread_mutex_unlock(&this->mutex);
1639
1640 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1641 {
1642 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1643 policy_dir_names, direction);
1644 return FAILED;
1645 }
1646 else if (out->sadb_msg_errno)
1647 {
1648 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1649 dst_ts, policy_dir_names, direction,
1650 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1651 free(out);
1652 return FAILED;
1653 }
1654 else if (parse_pfkey_message(out, &response) != SUCCESS)
1655 {
1656 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1657 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1658 free(out);
1659 return FAILED;
1660 }
1661
1662 *use_time = response.lft_current->sadb_lifetime_usetime;
1663
1664 free(out);
1665
1666 return SUCCESS;
1667 }
1668
1669 /**
1670 * Implementation of kernel_interface_t.del_policy.
1671 */
1672 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1673 traffic_selector_t *src_ts,
1674 traffic_selector_t *dst_ts,
1675 policy_dir_t direction)
1676 {
1677 unsigned char request[PFKEY_BUFFER_SIZE];
1678 struct sadb_msg *msg, *out;
1679 struct sadb_x_policy *pol;
1680 struct sadb_address *addr;
1681 policy_entry_t *policy, *found = NULL;
1682 route_entry_t *route;
1683 size_t len;
1684
1685 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1686 policy_dir_names, direction);
1687
1688 /* create a policy */
1689 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1690
1691 /* find a matching policy */
1692 pthread_mutex_lock(&this->mutex);
1693 if (this->policies->find_first(this->policies,
1694 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1695 {
1696 if (--found->refcount > 0)
1697 {
1698 /* is used by more SAs, keep in kernel */
1699 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1700 policy_entry_destroy(policy);
1701 pthread_mutex_unlock(&this->mutex);
1702 return SUCCESS;
1703 }
1704 /* remove if last reference */
1705 this->policies->remove(this->policies, found, NULL);
1706 policy_entry_destroy(policy);
1707 policy = found;
1708 }
1709 else
1710 {
1711 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1712 dst_ts, policy_dir_names, direction);
1713 policy_entry_destroy(policy);
1714 pthread_mutex_unlock(&this->mutex);
1715 return NOT_FOUND;
1716 }
1717 pthread_mutex_unlock(&this->mutex);
1718
1719 memset(&request, 0, sizeof(request));
1720
1721 msg = (struct sadb_msg*)request;
1722 msg->sadb_msg_version = PF_KEY_V2;
1723 msg->sadb_msg_type = SADB_X_SPDDELETE;
1724 msg->sadb_msg_satype = 0;
1725 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1726
1727 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1728 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1729 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1730 pol->sadb_x_policy_dir = dir2kernel(direction);
1731 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1732 PFKEY_EXT_ADD(msg, pol);
1733
1734 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1735 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1736 addr->sadb_address_proto = policy->src.proto;
1737 addr->sadb_address_prefixlen = policy->src.mask;
1738 host2ext(policy->src.net, addr);
1739 PFKEY_EXT_ADD(msg, addr);
1740
1741 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1742 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1743 addr->sadb_address_proto = policy->dst.proto;
1744 addr->sadb_address_prefixlen = policy->dst.mask;
1745 host2ext(policy->dst.net, addr);
1746 PFKEY_EXT_ADD(msg, addr);
1747
1748 route = policy->route;
1749 policy->route = NULL;
1750 policy_entry_destroy(policy);
1751
1752 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1753 {
1754 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1755 policy_dir_names, direction);
1756 return FAILED;
1757 }
1758 else if (out->sadb_msg_errno)
1759 {
1760 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
1761 dst_ts, policy_dir_names, direction,
1762 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1763 free(out);
1764 return FAILED;
1765 }
1766 free(out);
1767
1768 if (route)
1769 {
1770 if (charon->kernel_interface->del_route(charon->kernel_interface,
1771 route->dst_net, route->prefixlen, route->gateway,
1772 route->src_ip, route->if_name) != SUCCESS)
1773 {
1774 DBG1(DBG_KNL, "error uninstalling route installed with "
1775 "policy %R === %R %N", src_ts, dst_ts,
1776 policy_dir_names, direction);
1777 }
1778 route_entry_destroy(route);
1779 }
1780
1781 return SUCCESS;
1782 }
1783
1784 /**
1785 * Register a socket for AQUIRE/EXPIRE messages
1786 */
1787 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
1788 {
1789 unsigned char request[PFKEY_BUFFER_SIZE];
1790 struct sadb_msg *msg, *out;
1791 struct sadb_x_policy *pol;
1792 struct sadb_address *addr;
1793 policy_entry_t *policy, *found = NULL;
1794 pfkey_msg_t response;
1795 size_t len;
1796
1797 memset(&request, 0, sizeof(request));
1798
1799 msg = (struct sadb_msg*)request;
1800 msg->sadb_msg_version = PF_KEY_V2;
1801 msg->sadb_msg_type = SADB_REGISTER;
1802 msg->sadb_msg_satype = satype;
1803 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1804
1805 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
1806 {
1807 DBG1(DBG_KNL, "unable to register PF_KEY socket");
1808 return FAILED;
1809 }
1810 else if (out->sadb_msg_errno)
1811 {
1812 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
1813 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1814 free(out);
1815 return FAILED;
1816 }
1817 free(out);
1818 return SUCCESS;
1819 }
1820
1821 /**
1822 * Implementation of kernel_interface_t.destroy.
1823 */
1824 static void destroy(private_kernel_pfkey_ipsec_t *this)
1825 {
1826 this->job->cancel(this->job);
1827 close(this->socket);
1828 close(this->socket_events);
1829 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
1830 free(this);
1831 }
1832
1833 /*
1834 * Described in header.
1835 */
1836 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
1837 {
1838 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
1839
1840 /* public functions */
1841 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1842 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1843 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
1844 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
1845 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1846 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
1847 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1848 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1849
1850 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1851
1852 /* private members */
1853 this->policies = linked_list_create();
1854 pthread_mutex_init(&this->mutex, NULL);
1855 this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE);
1856 pthread_mutex_init(&this->mutex_pfkey, NULL);
1857 this->seq = 0;
1858
1859 /* create a PF_KEY socket to communicate with the kernel */
1860 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1861 if (this->socket <= 0)
1862 {
1863 charon->kill(charon, "unable to create PF_KEY socket");
1864 }
1865
1866 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
1867 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1868 if (this->socket_events <= 0)
1869 {
1870 charon->kill(charon, "unable to create PF_KEY event socket");
1871 }
1872
1873 /* register the event socket */
1874 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
1875 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
1876 {
1877 charon->kill(charon, "unable to register PF_KEY event socket");
1878 }
1879
1880 this->job = callback_job_create((callback_job_cb_t)receive_events,
1881 this, NULL, NULL);
1882 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1883
1884 return &this->public;
1885 }
strongSwan - IPsec VPN