#defing out compress algs to avoid compiler warning
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * $Id$
17 */
18
19 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <stdint.h>
22 #include <linux/ipsec.h>
23 #include <linux/pfkeyv2.h>
24 #include <linux/udp.h>
25 #include <unistd.h>
26 #include <pthread.h>
27 #include <errno.h>
28
29 #include "kernel_pfkey_ipsec.h"
30
31 #include <daemon.h>
32 #include <utils/host.h>
33 #include <utils/mutex.h>
34 #include <processing/jobs/callback_job.h>
35 #include <processing/jobs/acquire_job.h>
36 #include <processing/jobs/migrate_job.h>
37 #include <processing/jobs/rekey_child_sa_job.h>
38 #include <processing/jobs/delete_child_sa_job.h>
39 #include <processing/jobs/update_sa_job.h>
40
41 /** from linux/in.h */
42 #ifndef IP_IPSEC_POLICY
43 #define IP_IPSEC_POLICY 16
44 #endif
45
46 /** default priority of installed policies */
47 #define PRIO_LOW 3000
48 #define PRIO_HIGH 2000
49
50 /** buffer size for PF_KEY messages */
51 #define PFKEY_BUFFER_SIZE 4096
52
53 /** PF_KEY messages are 64 bit aligned */
54 #define PFKEY_ALIGNMENT 8
55 /** aligns len to 64 bits */
56 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
57 /** calculates the properly padded length in 64 bit chunks */
58 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
59 /** calculates user mode length i.e. in bytes */
60 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
61
62 /** given a PF_KEY message header and an extension this updates the length in the header */
63 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
64 /** given a PF_KEY message header this returns a pointer to the next extension */
65 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
66 /** copy an extension and append it to a PF_KEY message */
67 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
68 /** given a PF_KEY extension this returns a pointer to the next extension */
69 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
70 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
71 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
72 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
73 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
74 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
75 (ext)->sadb_ext_len <= (len))
76
77 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
78
79 /**
80 * Private variables and functions of kernel_pfkey class.
81 */
82 struct private_kernel_pfkey_ipsec_t
83 {
84 /**
85 * Public part of the kernel_pfkey_t object.
86 */
87 kernel_pfkey_ipsec_t public;
88
89 /**
90 * mutex to lock access to various lists
91 */
92 mutex_t *mutex;
93
94 /**
95 * List of installed policies (policy_entry_t)
96 */
97 linked_list_t *policies;
98
99 /**
100 * whether to install routes along policies
101 */
102 bool install_routes;
103
104 /**
105 * job receiving PF_KEY events
106 */
107 callback_job_t *job;
108
109 /**
110 * mutex to lock access to the PF_KEY socket
111 */
112 mutex_t *mutex_pfkey;
113
114 /**
115 * PF_KEY socket to communicate with the kernel
116 */
117 int socket;
118
119 /**
120 * PF_KEY socket to receive acquire and expire events
121 */
122 int socket_events;
123
124 /**
125 * sequence number for messages sent to the kernel
126 */
127 int seq;
128 };
129
130 typedef struct route_entry_t route_entry_t;
131
132 /**
133 * installed routing entry
134 */
135 struct route_entry_t {
136 /** Name of the interface the route is bound to */
137 char *if_name;
138
139 /** Source ip of the route */
140 host_t *src_ip;
141
142 /** gateway for this route */
143 host_t *gateway;
144
145 /** Destination net */
146 chunk_t dst_net;
147
148 /** Destination net prefixlen */
149 u_int8_t prefixlen;
150 };
151
152 /**
153 * destroy an route_entry_t object
154 */
155 static void route_entry_destroy(route_entry_t *this)
156 {
157 free(this->if_name);
158 this->src_ip->destroy(this->src_ip);
159 this->gateway->destroy(this->gateway);
160 chunk_free(&this->dst_net);
161 free(this);
162 }
163
164 typedef struct policy_entry_t policy_entry_t;
165
166 /**
167 * installed kernel policy.
168 */
169 struct policy_entry_t {
170
171 /** reqid of this policy */
172 u_int32_t reqid;
173
174 /** index assigned by the kernel */
175 u_int32_t index;
176
177 /** direction of this policy: in, out, forward */
178 u_int8_t direction;
179
180 /** parameters of installed policy */
181 struct {
182 /** subnet and port */
183 host_t *net;
184 /** subnet mask */
185 u_int8_t mask;
186 /** protocol */
187 u_int8_t proto;
188 } src, dst;
189
190 /** associated route installed for this policy */
191 route_entry_t *route;
192
193 /** by how many CHILD_SA's this policy is used */
194 u_int refcount;
195 };
196
197 /**
198 * create a policy_entry_t object
199 */
200 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
201 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
202 {
203 policy_entry_t *policy = malloc_thing(policy_entry_t);
204 policy->reqid = reqid;
205 policy->index = 0;
206 policy->direction = dir;
207 policy->route = NULL;
208 policy->refcount = 0;
209
210 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
211 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
212
213 /* src or dest proto may be "any" (0), use more restrictive one */
214 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
215 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
216 policy->dst.proto = policy->src.proto;
217
218 return policy;
219 }
220
221 /**
222 * destroy a policy_entry_t object
223 */
224 static void policy_entry_destroy(policy_entry_t *this)
225 {
226 DESTROY_IF(this->src.net);
227 DESTROY_IF(this->dst.net);
228 if (this->route)
229 {
230 route_entry_destroy(this->route);
231 }
232 free(this);
233 }
234
235 /**
236 * compares two policy_entry_t
237 */
238 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
239 {
240 return current->direction == policy->direction &&
241 current->src.proto == policy->src.proto &&
242 current->dst.proto == policy->dst.proto &&
243 current->src.mask == policy->src.mask &&
244 current->dst.mask == policy->dst.mask &&
245 current->src.net->equals(current->src.net, policy->src.net) &&
246 current->dst.net->equals(current->dst.net, policy->dst.net);
247 }
248
249 /**
250 * compare the given kernel index with that of a policy
251 */
252 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
253 {
254 return current->index == *index;
255 }
256
257 typedef struct pfkey_msg_t pfkey_msg_t;
258
259 struct pfkey_msg_t
260 {
261 /**
262 * PF_KEY message base
263 */
264 struct sadb_msg *msg;
265
266
267 /**
268 * PF_KEY message extensions
269 */
270 union {
271 struct sadb_ext *ext[SADB_EXT_MAX + 1];
272 struct {
273 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
274 struct sadb_sa *sa; /* SADB_EXT_SA */
275 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
276 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
277 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
278 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
279 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
280 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
281 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
282 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
283 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
284 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
285 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
286 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
287 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
288 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
289 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
290 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
291 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
292 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
293 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
294 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
295 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
296 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
297 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
298 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
299 } __attribute__((__packed__));
300 };
301 };
302
303 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
304 "SADB_EXT_RESERVED",
305 "SADB_EXT_SA",
306 "SADB_EXT_LIFETIME_CURRENT",
307 "SADB_EXT_LIFETIME_HARD",
308 "SADB_EXT_LIFETIME_SOFT",
309 "SADB_EXT_ADDRESS_SRC",
310 "SADB_EXT_ADDRESS_DST",
311 "SADB_EXT_ADDRESS_PROXY",
312 "SADB_EXT_KEY_AUTH",
313 "SADB_EXT_KEY_ENCRYPT",
314 "SADB_EXT_IDENTITY_SRC",
315 "SADB_EXT_IDENTITY_DST",
316 "SADB_EXT_SENSITIVITY",
317 "SADB_EXT_PROPOSAL",
318 "SADB_EXT_SUPPORTED_AUTH",
319 "SADB_EXT_SUPPORTED_ENCRYPT",
320 "SADB_EXT_SPIRANGE",
321 "SADB_X_EXT_KMPRIVATE",
322 "SADB_X_EXT_POLICY",
323 "SADB_X_EXT_SA2",
324 "SADB_X_EXT_NAT_T_TYPE",
325 "SADB_X_EXT_NAT_T_SPORT",
326 "SADB_X_EXT_NAT_T_DPORT",
327 "SADB_X_EXT_NAT_T_OA",
328 "SADB_X_EXT_SEC_CTX",
329 "SADB_X_EXT_KMADDRESS"
330 );
331 /**
332 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
333 */
334 static u_int8_t proto_ike2satype(protocol_id_t proto)
335 {
336 switch (proto)
337 {
338 case PROTO_ESP:
339 return SADB_SATYPE_ESP;
340 case PROTO_AH:
341 return SADB_SATYPE_AH;
342 case IPPROTO_COMP:
343 return SADB_X_SATYPE_IPCOMP;
344 default:
345 return proto;
346 }
347 }
348
349 /**
350 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
351 */
352 static protocol_id_t proto_satype2ike(u_int8_t proto)
353 {
354 switch (proto)
355 {
356 case SADB_SATYPE_ESP:
357 return PROTO_ESP;
358 case SADB_SATYPE_AH:
359 return PROTO_AH;
360 case SADB_X_SATYPE_IPCOMP:
361 return IPPROTO_COMP;
362 default:
363 return proto;
364 }
365 }
366
367 /**
368 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
369 */
370 static u_int8_t proto_ike2ip(protocol_id_t proto)
371 {
372 switch (proto)
373 {
374 case PROTO_ESP:
375 return IPPROTO_ESP;
376 case PROTO_AH:
377 return IPPROTO_AH;
378 default:
379 return proto;
380 }
381 }
382
383 /**
384 * convert the general ipsec mode to the one defined in ipsec.h
385 */
386 static u_int8_t mode2kernel(ipsec_mode_t mode)
387 {
388 switch (mode)
389 {
390 case MODE_TRANSPORT:
391 return IPSEC_MODE_TRANSPORT;
392 case MODE_TUNNEL:
393 return IPSEC_MODE_TUNNEL;
394 case MODE_BEET:
395 return IPSEC_MODE_BEET;
396 default:
397 return mode;
398 }
399 }
400
401 /**
402 * convert the general policy direction to the one defined in ipsec.h
403 */
404 static u_int8_t dir2kernel(policy_dir_t dir)
405 {
406 switch (dir)
407 {
408 case POLICY_IN:
409 return IPSEC_DIR_INBOUND;
410 case POLICY_OUT:
411 return IPSEC_DIR_OUTBOUND;
412 case POLICY_FWD:
413 return IPSEC_DIR_FWD;
414 default:
415 return dir;
416 }
417 }
418
419 /**
420 * convert the policy direction in ipsec.h to the general one.
421 */
422 static policy_dir_t kernel2dir(u_int8_t dir)
423 {
424 switch (dir)
425 {
426 case IPSEC_DIR_INBOUND:
427 return POLICY_IN;
428 case IPSEC_DIR_OUTBOUND:
429 return POLICY_OUT;
430 case IPSEC_DIR_FWD:
431 return POLICY_FWD;
432 default:
433 return dir;
434 }
435 }
436 typedef struct kernel_algorithm_t kernel_algorithm_t;
437
438 /**
439 * Mapping of IKEv2 algorithms to PF_KEY algorithms
440 */
441 struct kernel_algorithm_t {
442 /**
443 * Identifier specified in IKEv2
444 */
445 int ikev2;
446
447 /**
448 * Identifier as defined in pfkeyv2.h
449 */
450 int kernel;
451 };
452
453 #define END_OF_LIST -1
454
455 /**
456 * Algorithms for encryption
457 */
458 static kernel_algorithm_t encryption_algs[] = {
459 /* {ENCR_DES_IV64, 0 }, */
460 {ENCR_DES, SADB_EALG_DESCBC },
461 {ENCR_3DES, SADB_EALG_3DESCBC },
462 /* {ENCR_RC5, 0 }, */
463 /* {ENCR_IDEA, 0 }, */
464 {ENCR_CAST, SADB_X_EALG_CASTCBC },
465 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
466 /* {ENCR_3IDEA, 0 }, */
467 /* {ENCR_DES_IV32, 0 }, */
468 {ENCR_NULL, SADB_EALG_NULL },
469 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
470 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
471 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
472 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
473 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
474 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
475 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
476 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
477 {END_OF_LIST, 0 },
478 };
479
480 /**
481 * Algorithms for integrity protection
482 */
483 static kernel_algorithm_t integrity_algs[] = {
484 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
485 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
486 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
487 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
488 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
489 /* {AUTH_DES_MAC, 0, }, */
490 /* {AUTH_KPDK_MD5, 0, }, */
491 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
492 {END_OF_LIST, 0, },
493 };
494
495 #if 0
496 /**
497 * Algorithms for IPComp, unused yet
498 */
499 static kernel_algorithm_t compression_algs[] = {
500 /* {IPCOMP_OUI, 0 }, */
501 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
502 {IPCOMP_LZS, SADB_X_CALG_LZS },
503 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
504 {END_OF_LIST, 0 },
505 };
506 #endif
507
508 /**
509 * Look up a kernel algorithm ID and its key size
510 */
511 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
512 {
513 while (list->ikev2 != END_OF_LIST)
514 {
515 if (ikev2 == list->ikev2)
516 {
517 return list->kernel;
518 }
519 list++;
520 }
521 return 0;
522 }
523
524 /**
525 * add a host behind a sadb_address extension
526 */
527 static void host2ext(host_t *host, struct sadb_address *ext)
528 {
529 sockaddr_t *host_addr = host->get_sockaddr(host);
530 socklen_t *len = host->get_sockaddr_len(host);
531 memcpy((char*)(ext + 1), host_addr, *len);
532 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
533 }
534
535 /**
536 * add udp encap extensions to a sadb_msg
537 */
538 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
539 {
540 struct sadb_x_nat_t_type* nat_type;
541 struct sadb_x_nat_t_port* nat_port;
542
543 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
544 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
545 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
546 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
547 PFKEY_EXT_ADD(msg, nat_type);
548
549 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
550 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
551 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
552 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
553 PFKEY_EXT_ADD(msg, nat_port);
554
555 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
556 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
557 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
558 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
559 PFKEY_EXT_ADD(msg, nat_port);
560 }
561
562 /**
563 * Convert a sadb_address to a traffic_selector
564 */
565 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
566 {
567 traffic_selector_t *ts;
568 host_t *host;
569
570 /* The Linux 2.6 kernel does not set the protocol and port information
571 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
572 */
573 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
574 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
575 address->sadb_address_proto, host->get_port(host));
576 host->destroy(host);
577 return ts;
578 }
579
580 /**
581 * Parses a pfkey message received from the kernel
582 */
583 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
584 {
585 struct sadb_ext* ext;
586 size_t len;
587
588 memset(out, 0, sizeof(pfkey_msg_t));
589 out->msg = msg;
590
591 len = msg->sadb_msg_len;
592 len -= PFKEY_LEN(sizeof(struct sadb_msg));
593
594 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
595
596 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
597 {
598 DBG2(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
599 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
600 ext->sadb_ext_len > len)
601 {
602 DBG1(DBG_KNL, "length of %N extension is invalid",
603 sadb_ext_type_names, ext->sadb_ext_type);
604 break;
605 }
606
607 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
608 {
609 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
610 break;
611 }
612
613 if (out->ext[ext->sadb_ext_type])
614 {
615 DBG1(DBG_KNL, "duplicate %N extension",
616 sadb_ext_type_names, ext->sadb_ext_type);
617 break;
618 }
619
620 out->ext[ext->sadb_ext_type] = ext;
621 ext = PFKEY_EXT_NEXT_LEN(ext, len);
622 }
623
624 if (len)
625 {
626 DBG1(DBG_KNL, "PF_KEY message length is invalid");
627 return FAILED;
628 }
629
630 return SUCCESS;
631 }
632
633 /**
634 * Send a message to a specific PF_KEY socket and handle the response.
635 */
636 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
637 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
638 {
639 unsigned char buf[PFKEY_BUFFER_SIZE];
640 struct sadb_msg *msg;
641 int in_len, len;
642
643 this->mutex_pfkey->lock(this->mutex_pfkey);
644
645 in->sadb_msg_seq = ++this->seq;
646 in->sadb_msg_pid = getpid();
647
648 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
649
650 while (TRUE)
651 {
652 len = send(socket, in, in_len, 0);
653
654 if (len != in_len)
655 {
656 if (errno == EINTR)
657 {
658 /* interrupted, try again */
659 continue;
660 }
661 this->mutex_pfkey->unlock(this->mutex_pfkey);
662 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
663 return FAILED;
664 }
665 break;
666 }
667
668 while (TRUE)
669 {
670 msg = (struct sadb_msg*)buf;
671
672 len = recv(socket, buf, sizeof(buf), 0);
673
674 if (len < 0)
675 {
676 if (errno == EINTR)
677 {
678 DBG1(DBG_KNL, "got interrupted");
679 /* interrupted, try again */
680 continue;
681 }
682 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
683 this->mutex_pfkey->unlock(this->mutex_pfkey);
684 return FAILED;
685 }
686 if (len < sizeof(struct sadb_msg) ||
687 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
688 {
689 DBG1(DBG_KNL, "received corrupted PF_KEY message");
690 this->mutex_pfkey->unlock(this->mutex_pfkey);
691 return FAILED;
692 }
693 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
694 {
695 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
696 this->mutex_pfkey->unlock(this->mutex_pfkey);
697 return FAILED;
698 }
699 if (msg->sadb_msg_pid != in->sadb_msg_pid)
700 {
701 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
702 continue;
703 }
704 if (msg->sadb_msg_seq != this->seq)
705 {
706 DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
707 "was %d expected %d", msg->sadb_msg_seq, this->seq);
708 if (msg->sadb_msg_seq < this->seq)
709 {
710 continue;
711 }
712 this->mutex_pfkey->unlock(this->mutex_pfkey);
713 return FAILED;
714 }
715 if (msg->sadb_msg_type != in->sadb_msg_type)
716 {
717 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
718 "was %d expected %d, ignoring",
719 msg->sadb_msg_type, in->sadb_msg_type);
720 }
721 break;
722 }
723
724 *out_len = len;
725 *out = (struct sadb_msg*)malloc(len);
726 memcpy(*out, buf, len);
727
728 this->mutex_pfkey->unlock(this->mutex_pfkey);
729
730 return SUCCESS;
731 }
732
733 /**
734 * Send a message to the default PF_KEY socket and handle the response.
735 */
736 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
737 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
738 {
739 return pfkey_send_socket(this, this->socket, in, out, out_len);
740 }
741
742 /**
743 * Process a SADB_ACQUIRE message from the kernel
744 */
745 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
746 {
747 pfkey_msg_t response;
748 u_int32_t index, reqid = 0;
749 traffic_selector_t *src_ts, *dst_ts;
750 policy_entry_t *policy;
751 job_t *job;
752
753 switch (msg->sadb_msg_satype)
754 {
755 case SADB_SATYPE_UNSPEC:
756 case SADB_SATYPE_ESP:
757 case SADB_SATYPE_AH:
758 break;
759 default:
760 /* acquire for AH/ESP only */
761 return;
762 }
763 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
764
765 if (parse_pfkey_message(msg, &response) != SUCCESS)
766 {
767 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
768 return;
769 }
770
771 index = response.x_policy->sadb_x_policy_id;
772 this->mutex->lock(this->mutex);
773 if (this->policies->find_first(this->policies,
774 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
775 {
776 reqid = policy->reqid;
777 }
778 else
779 {
780 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
781 index);
782 }
783 src_ts = sadb_address2ts(response.src);
784 dst_ts = sadb_address2ts(response.dst);
785 this->mutex->unlock(this->mutex);
786
787 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
788 src_ts, dst_ts, reqid);
789 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
790 charon->processor->queue_job(charon->processor, job);
791 }
792
793 /**
794 * Process a SADB_EXPIRE message from the kernel
795 */
796 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
797 {
798 pfkey_msg_t response;
799 protocol_id_t protocol;
800 u_int32_t spi, reqid;
801 bool hard;
802 job_t *job;
803
804 DBG2(DBG_KNL, "received an SADB_EXPIRE");
805
806 if (parse_pfkey_message(msg, &response) != SUCCESS)
807 {
808 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
809 return;
810 }
811
812 protocol = proto_satype2ike(msg->sadb_msg_satype);
813 spi = response.sa->sadb_sa_spi;
814 reqid = response.x_sa2->sadb_x_sa2_reqid;
815 hard = response.lft_hard != NULL;
816
817 if (protocol != PROTO_ESP && protocol != PROTO_AH)
818 {
819 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
820 "which is not a CHILD_SA", ntohl(spi), reqid);
821 return;
822 }
823
824 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
825 hard ? "delete" : "rekey", protocol_id_names,
826 protocol, ntohl(spi), reqid);
827 if (hard)
828 {
829 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
830 }
831 else
832 {
833 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
834 }
835 charon->processor->queue_job(charon->processor, job);
836 }
837
838 /**
839 * Process a SADB_MIGRATE message from the kernel
840 */
841 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
842 {
843 pfkey_msg_t response;
844 traffic_selector_t *src_ts, *dst_ts;
845 policy_dir_t dir;
846 u_int32_t reqid = 0;
847 host_t *local = NULL, *remote = NULL;
848 job_t *job;
849
850 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
851
852 if (parse_pfkey_message(msg, &response) != SUCCESS)
853 {
854 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
855 return;
856 }
857 src_ts = sadb_address2ts(response.src);
858 dst_ts = sadb_address2ts(response.dst);
859 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
860 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
861 policy_dir_names, dir, response.x_policy->sadb_x_policy_id);
862
863 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
864 if (response.x_kmaddress)
865 {
866 sockaddr_t *local_addr, *remote_addr;
867 u_int32_t local_len;
868
869 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
870 local = host_create_from_sockaddr(local_addr);
871 local_len = (local_addr->sa_family == AF_INET6)?
872 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
873 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
874 remote = host_create_from_sockaddr(remote_addr);
875 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
876 }
877
878 if (src_ts && dst_ts)
879 {
880 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
881 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
882 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
883 local, remote);
884 charon->processor->queue_job(charon->processor, job);
885 }
886 else
887 {
888 DESTROY_IF(src_ts);
889 DESTROY_IF(dst_ts);
890 DESTROY_IF(local);
891 DESTROY_IF(remote);
892 }
893 }
894
895 /**
896 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
897 */
898 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
899 {
900 pfkey_msg_t response;
901 u_int32_t spi, reqid;
902 host_t *host;
903 job_t *job;
904
905 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
906
907 if (parse_pfkey_message(msg, &response) != SUCCESS)
908 {
909 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
910 return;
911 }
912
913 if (!response.x_sa2)
914 {
915 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
916 return;
917 }
918
919 spi = response.sa->sadb_sa_spi;
920 reqid = response.x_sa2->sadb_x_sa2_reqid;
921
922 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
923 {
924 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
925 switch (sa->sa_family)
926 {
927 case AF_INET:
928 {
929 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
930 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
931 }
932 case AF_INET6:
933 {
934 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
935 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
936 }
937 default:
938 break;
939 }
940 host = host_create_from_sockaddr(sa);
941 if (host)
942 {
943 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
944 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
945 job = (job_t*)update_sa_job_create(reqid, host);
946 charon->processor->queue_job(charon->processor, job);
947 }
948 }
949 }
950
951 /**
952 * Receives events from kernel
953 */
954 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
955 {
956 unsigned char buf[PFKEY_BUFFER_SIZE];
957 struct sadb_msg *msg = (struct sadb_msg*)buf;
958 int len, oldstate;
959
960 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
961 len = recv(this->socket_events, buf, sizeof(buf), 0);
962 pthread_setcancelstate(oldstate, NULL);
963
964 if (len < 0)
965 {
966 switch (errno)
967 {
968 case EINTR:
969 /* interrupted, try again */
970 return JOB_REQUEUE_DIRECT;
971 case EAGAIN:
972 /* no data ready, select again */
973 return JOB_REQUEUE_DIRECT;
974 default:
975 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
976 sleep(1);
977 return JOB_REQUEUE_FAIR;
978 }
979 }
980
981 if (len < sizeof(struct sadb_msg) ||
982 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
983 {
984 DBG2(DBG_KNL, "received corrupted PF_KEY message");
985 return JOB_REQUEUE_DIRECT;
986 }
987 if (msg->sadb_msg_pid != 0)
988 { /* not from kernel. not interested, try another one */
989 return JOB_REQUEUE_DIRECT;
990 }
991 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
992 {
993 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
994 return JOB_REQUEUE_DIRECT;
995 }
996
997 switch (msg->sadb_msg_type)
998 {
999 case SADB_ACQUIRE:
1000 process_acquire(this, msg);
1001 break;
1002 case SADB_EXPIRE:
1003 process_expire(this, msg);
1004 break;
1005 case SADB_X_MIGRATE:
1006 process_migrate(this, msg);
1007 break;
1008 case SADB_X_NAT_T_NEW_MAPPING:
1009 process_mapping(this, msg);
1010 break;
1011 default:
1012 break;
1013 }
1014
1015 return JOB_REQUEUE_DIRECT;
1016 }
1017
1018 /**
1019 * Implementation of kernel_interface_t.get_spi.
1020 */
1021 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
1022 host_t *src, host_t *dst,
1023 protocol_id_t protocol, u_int32_t reqid,
1024 u_int32_t *spi)
1025 {
1026 unsigned char request[PFKEY_BUFFER_SIZE];
1027 struct sadb_msg *msg, *out;
1028 struct sadb_x_sa2 *sa2;
1029 struct sadb_address *addr;
1030 struct sadb_spirange *range;
1031 pfkey_msg_t response;
1032 u_int32_t received_spi = 0;
1033 size_t len;
1034
1035 memset(&request, 0, sizeof(request));
1036
1037 msg = (struct sadb_msg*)request;
1038 msg->sadb_msg_version = PF_KEY_V2;
1039 msg->sadb_msg_type = SADB_GETSPI;
1040 msg->sadb_msg_satype = proto_ike2satype(protocol);
1041 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1042
1043 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1044 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1045 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1046 sa2->sadb_x_sa2_reqid = reqid;
1047 PFKEY_EXT_ADD(msg, sa2);
1048
1049 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1050 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1051 host2ext(src, addr);
1052 PFKEY_EXT_ADD(msg, addr);
1053
1054 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1055 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1056 host2ext(dst, addr);
1057 PFKEY_EXT_ADD(msg, addr);
1058
1059 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1060 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1061 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1062 range->sadb_spirange_min = 0xc0000000;
1063 range->sadb_spirange_max = 0xcFFFFFFF;
1064 PFKEY_EXT_ADD(msg, range);
1065
1066 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1067 {
1068 if (out->sadb_msg_errno)
1069 {
1070 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1071 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1072 }
1073 else if (parse_pfkey_message(out, &response) == SUCCESS)
1074 {
1075 received_spi = response.sa->sadb_sa_spi;
1076 }
1077 free(out);
1078 }
1079
1080 if (received_spi == 0)
1081 {
1082 return FAILED;
1083 }
1084
1085 *spi = received_spi;
1086 return SUCCESS;
1087 }
1088
1089 /**
1090 * Implementation of kernel_interface_t.get_cpi.
1091 */
1092 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
1093 host_t *src, host_t *dst,
1094 u_int32_t reqid, u_int16_t *cpi)
1095 {
1096 return FAILED;
1097 }
1098
1099 /**
1100 * Implementation of kernel_interface_t.add_sa.
1101 */
1102 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
1103 host_t *src, host_t *dst, u_int32_t spi,
1104 protocol_id_t protocol, u_int32_t reqid,
1105 u_int64_t expire_soft, u_int64_t expire_hard,
1106 u_int16_t enc_alg, chunk_t enc_key,
1107 u_int16_t int_alg, chunk_t int_key,
1108 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1109 bool encap, bool inbound)
1110 {
1111 unsigned char request[PFKEY_BUFFER_SIZE];
1112 struct sadb_msg *msg, *out;
1113 struct sadb_sa *sa;
1114 struct sadb_x_sa2 *sa2;
1115 struct sadb_address *addr;
1116 struct sadb_lifetime *lft;
1117 struct sadb_key *key;
1118 size_t len;
1119
1120 memset(&request, 0, sizeof(request));
1121
1122 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1123
1124 msg = (struct sadb_msg*)request;
1125 msg->sadb_msg_version = PF_KEY_V2;
1126 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1127 msg->sadb_msg_satype = proto_ike2satype(protocol);
1128 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1129
1130 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1131 sa->sadb_sa_exttype = SADB_EXT_SA;
1132 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1133 sa->sadb_sa_spi = spi;
1134 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1135 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1136 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1137 PFKEY_EXT_ADD(msg, sa);
1138
1139 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1140 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1141 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1142 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1143 sa2->sadb_x_sa2_reqid = reqid;
1144 PFKEY_EXT_ADD(msg, sa2);
1145
1146 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1147 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1148 host2ext(src, addr);
1149 PFKEY_EXT_ADD(msg, addr);
1150
1151 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1152 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1153 host2ext(dst, addr);
1154 PFKEY_EXT_ADD(msg, addr);
1155
1156 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1157 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1158 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1159 lft->sadb_lifetime_addtime = expire_soft;
1160 PFKEY_EXT_ADD(msg, lft);
1161
1162 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1163 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1164 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1165 lft->sadb_lifetime_addtime = expire_hard;
1166 PFKEY_EXT_ADD(msg, lft);
1167
1168 if (enc_alg != ENCR_UNDEFINED)
1169 {
1170 if (!sa->sadb_sa_encrypt)
1171 {
1172 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1173 encryption_algorithm_names, enc_alg);
1174 return FAILED;
1175 }
1176 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1177 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1178
1179 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1180 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1181 key->sadb_key_bits = enc_key.len * 8;
1182 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1183 memcpy(key + 1, enc_key.ptr, enc_key.len);
1184
1185 PFKEY_EXT_ADD(msg, key);
1186 }
1187
1188 if (int_alg != AUTH_UNDEFINED)
1189 {
1190 if (!sa->sadb_sa_auth)
1191 {
1192 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1193 integrity_algorithm_names, int_alg);
1194 return FAILED;
1195 }
1196 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1197 integrity_algorithm_names, int_alg, int_key.len * 8);
1198
1199 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1200 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1201 key->sadb_key_bits = int_key.len * 8;
1202 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1203 memcpy(key + 1, int_key.ptr, int_key.len);
1204
1205 PFKEY_EXT_ADD(msg, key);
1206 }
1207
1208 if (ipcomp != IPCOMP_NONE)
1209 {
1210 /*TODO*/
1211 }
1212
1213 if (encap)
1214 {
1215 add_encap_ext(msg, src, dst);
1216 }
1217
1218 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1219 {
1220 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1221 return FAILED;
1222 }
1223 else if (out->sadb_msg_errno)
1224 {
1225 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1226 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1227 free(out);
1228 return FAILED;
1229 }
1230
1231 free(out);
1232 return SUCCESS;
1233 }
1234
1235 /**
1236 * Implementation of kernel_interface_t.update_sa.
1237 */
1238 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1239 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1240 host_t *src, host_t *dst,
1241 host_t *new_src, host_t *new_dst,
1242 bool encap, bool new_encap)
1243 {
1244 unsigned char request[PFKEY_BUFFER_SIZE];
1245 struct sadb_msg *msg, *out;
1246 struct sadb_sa *sa;
1247 struct sadb_address *addr;
1248 pfkey_msg_t response;
1249 size_t len;
1250
1251 /* we can't update the SA if any of the ip addresses have changed.
1252 * that's because we can't use SADB_UPDATE and by deleting and readding the
1253 * SA the sequence numbers would get lost */
1254 if (!src->ip_equals(src, new_src) ||
1255 !dst->ip_equals(dst, new_dst))
1256 {
1257 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
1258 " are not supported", ntohl(spi));
1259 return NOT_SUPPORTED;
1260 }
1261
1262 memset(&request, 0, sizeof(request));
1263
1264 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1265
1266 msg = (struct sadb_msg*)request;
1267 msg->sadb_msg_version = PF_KEY_V2;
1268 msg->sadb_msg_type = SADB_GET;
1269 msg->sadb_msg_satype = proto_ike2satype(protocol);
1270 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1271
1272 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1273 sa->sadb_sa_exttype = SADB_EXT_SA;
1274 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1275 sa->sadb_sa_spi = spi;
1276 PFKEY_EXT_ADD(msg, sa);
1277
1278 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1279 * it is not used for anything, so we just send dst twice */
1280 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1281 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1282 host2ext(dst, addr);
1283 PFKEY_EXT_ADD(msg, addr);
1284
1285 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1286 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1287 host2ext(dst, addr);
1288 PFKEY_EXT_ADD(msg, addr);
1289
1290 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1291 {
1292 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1293 ntohl(spi));
1294 return FAILED;
1295 }
1296 else if (out->sadb_msg_errno)
1297 {
1298 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1299 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1300 free(out);
1301 return FAILED;
1302 }
1303 else if (parse_pfkey_message(out, &response) != SUCCESS)
1304 {
1305 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1306 "from kernel failed", ntohl(spi));
1307 free(out);
1308 return FAILED;
1309 }
1310
1311 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1312 ntohl(spi), src, dst, new_src, new_dst);
1313
1314 memset(&request, 0, sizeof(request));
1315
1316 msg = (struct sadb_msg*)request;
1317 msg->sadb_msg_version = PF_KEY_V2;
1318 msg->sadb_msg_type = SADB_UPDATE;
1319 msg->sadb_msg_satype = proto_ike2satype(protocol);
1320 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1321
1322 PFKEY_EXT_COPY(msg, response.sa);
1323 PFKEY_EXT_COPY(msg, response.x_sa2);
1324
1325 PFKEY_EXT_COPY(msg, response.src);
1326 PFKEY_EXT_COPY(msg, response.dst);
1327
1328 PFKEY_EXT_COPY(msg, response.lft_soft);
1329 PFKEY_EXT_COPY(msg, response.lft_hard);
1330
1331 if (response.key_encr)
1332 {
1333 PFKEY_EXT_COPY(msg, response.key_encr);
1334 }
1335
1336 if (response.key_auth)
1337 {
1338 PFKEY_EXT_COPY(msg, response.key_auth);
1339 }
1340
1341 if (encap)
1342 {
1343 add_encap_ext(msg, new_src, new_dst);
1344 }
1345
1346 free(out);
1347
1348 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1349 {
1350 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1351 return FAILED;
1352 }
1353 else if (out->sadb_msg_errno)
1354 {
1355 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1356 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1357 free(out);
1358 return FAILED;
1359 }
1360 free(out);
1361
1362 return SUCCESS;
1363 }
1364
1365 /**
1366 * Implementation of kernel_interface_t.del_sa.
1367 */
1368 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
1369 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
1370 {
1371 unsigned char request[PFKEY_BUFFER_SIZE];
1372 struct sadb_msg *msg, *out;
1373 struct sadb_sa *sa;
1374 struct sadb_address *addr;
1375 size_t len;
1376
1377 memset(&request, 0, sizeof(request));
1378
1379 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1380
1381 msg = (struct sadb_msg*)request;
1382 msg->sadb_msg_version = PF_KEY_V2;
1383 msg->sadb_msg_type = SADB_DELETE;
1384 msg->sadb_msg_satype = proto_ike2satype(protocol);
1385 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1386
1387 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1388 sa->sadb_sa_exttype = SADB_EXT_SA;
1389 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1390 sa->sadb_sa_spi = spi;
1391 PFKEY_EXT_ADD(msg, sa);
1392
1393 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1394 * it is not used for anything, so we just send dst twice */
1395 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1396 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1397 host2ext(dst, addr);
1398 PFKEY_EXT_ADD(msg, addr);
1399
1400 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1401 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1402 host2ext(dst, addr);
1403 PFKEY_EXT_ADD(msg, addr);
1404
1405 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1406 {
1407 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1408 return FAILED;
1409 }
1410 else if (out->sadb_msg_errno)
1411 {
1412 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1413 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1414 free(out);
1415 return FAILED;
1416 }
1417
1418 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1419 free(out);
1420 return SUCCESS;
1421 }
1422
1423 /**
1424 * Implementation of kernel_interface_t.add_policy.
1425 */
1426 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1427 host_t *src, host_t *dst,
1428 traffic_selector_t *src_ts,
1429 traffic_selector_t *dst_ts,
1430 policy_dir_t direction, u_int32_t spi,
1431 protocol_id_t protocol, u_int32_t reqid,
1432 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1433 bool routed)
1434 {
1435 unsigned char request[PFKEY_BUFFER_SIZE];
1436 struct sadb_msg *msg, *out;
1437 struct sadb_x_policy *pol;
1438 struct sadb_address *addr;
1439 struct sadb_x_ipsecrequest *req;
1440 policy_entry_t *policy, *found = NULL;
1441 pfkey_msg_t response;
1442 size_t len;
1443
1444 /* create a policy */
1445 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1446
1447 /* find a matching policy */
1448 this->mutex->lock(this->mutex);
1449 if (this->policies->find_first(this->policies,
1450 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1451 {
1452 /* use existing policy */
1453 found->refcount++;
1454 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1455 "refcount", src_ts, dst_ts,
1456 policy_dir_names, direction);
1457 policy_entry_destroy(policy);
1458 policy = found;
1459 }
1460 else
1461 {
1462 /* apply the new one, if we have no such policy */
1463 this->policies->insert_last(this->policies, policy);
1464 policy->refcount = 1;
1465 }
1466
1467 memset(&request, 0, sizeof(request));
1468
1469 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1470 policy_dir_names, direction);
1471
1472 msg = (struct sadb_msg*)request;
1473 msg->sadb_msg_version = PF_KEY_V2;
1474 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1475 msg->sadb_msg_satype = 0;
1476 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1477
1478 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1479 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1480 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1481 pol->sadb_x_policy_id = 0;
1482 pol->sadb_x_policy_dir = dir2kernel(direction);
1483 /* calculate priority based on source selector size, small size = high prio */
1484 pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
1485 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1486 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1487 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1488 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1489
1490 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1491 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1492 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1493 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1494 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1495 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1496 req->sadb_x_ipsecrequest_reqid = reqid;
1497 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1498 if (mode == MODE_TUNNEL)
1499 {
1500 sockaddr_t *sa;
1501 socklen_t sl;
1502 sa = src->get_sockaddr(src);
1503 sl = *src->get_sockaddr_len(src);
1504 memcpy(req + 1, sa, sl);
1505 sa = dst->get_sockaddr(dst);
1506 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1507 req->sadb_x_ipsecrequest_len += sl * 2;
1508 }
1509
1510 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1511 PFKEY_EXT_ADD(msg, pol);
1512
1513 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1514 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1515 addr->sadb_address_proto = policy->src.proto;
1516 addr->sadb_address_prefixlen = policy->src.mask;
1517 host2ext(policy->src.net, addr);
1518 PFKEY_EXT_ADD(msg, addr);
1519
1520 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1521 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1522 addr->sadb_address_proto = policy->dst.proto;
1523 addr->sadb_address_prefixlen = policy->dst.mask;
1524 host2ext(policy->dst.net, addr);
1525 PFKEY_EXT_ADD(msg, addr);
1526
1527 this->mutex->unlock(this->mutex);
1528
1529 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1530 {
1531 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1532 policy_dir_names, direction);
1533 return FAILED;
1534 }
1535 else if (out->sadb_msg_errno)
1536 {
1537 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1538 policy_dir_names, direction,
1539 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1540 free(out);
1541 return FAILED;
1542 }
1543 else if (parse_pfkey_message(out, &response) != SUCCESS)
1544 {
1545 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1546 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1547 free(out);
1548 return FAILED;
1549 }
1550
1551 this->mutex->lock(this->mutex);
1552
1553 /* we try to find the policy again and update the kernel index */
1554 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1555 {
1556 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1557 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1558 this->mutex->unlock(this->mutex);
1559 free(out);
1560 return SUCCESS;
1561 }
1562 policy->index = response.x_policy->sadb_x_policy_id;
1563 free(out);
1564
1565 /* install a route, if:
1566 * - we are NOT updating a policy
1567 * - this is a forward policy (to just get one for each child)
1568 * - we are in tunnel mode
1569 * - we are not using IPv6 (does not work correctly yet!)
1570 * - routing is not disabled via strongswan.conf
1571 */
1572 if (policy->route == NULL && direction == POLICY_FWD &&
1573 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1574 this->install_routes)
1575 {
1576 route_entry_t *route = malloc_thing(route_entry_t);
1577
1578 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1579 dst_ts, &route->src_ip) == SUCCESS)
1580 {
1581 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1582 route->gateway = charon->kernel_interface->get_nexthop(
1583 charon->kernel_interface, src);
1584 route->if_name = charon->kernel_interface->get_interface(
1585 charon->kernel_interface, dst);
1586 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1587 route->prefixlen = policy->src.mask;
1588
1589 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1590 route->dst_net, route->prefixlen, route->gateway,
1591 route->src_ip, route->if_name))
1592 {
1593 default:
1594 DBG1(DBG_KNL, "unable to install source route for %H",
1595 route->src_ip);
1596 /* FALL */
1597 case ALREADY_DONE:
1598 /* route exists, do not uninstall */
1599 route_entry_destroy(route);
1600 break;
1601 case SUCCESS:
1602 /* cache the installed route */
1603 policy->route = route;
1604 break;
1605 }
1606 }
1607 else
1608 {
1609 free(route);
1610 }
1611 }
1612
1613 this->mutex->unlock(this->mutex);
1614
1615 return SUCCESS;
1616 }
1617
1618 /**
1619 * Implementation of kernel_interface_t.query_policy.
1620 */
1621 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1622 traffic_selector_t *src_ts,
1623 traffic_selector_t *dst_ts,
1624 policy_dir_t direction, u_int32_t *use_time)
1625 {
1626 unsigned char request[PFKEY_BUFFER_SIZE];
1627 struct sadb_msg *msg, *out;
1628 struct sadb_x_policy *pol;
1629 struct sadb_address *addr;
1630 policy_entry_t *policy, *found = NULL;
1631 pfkey_msg_t response;
1632 size_t len;
1633
1634 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1635 policy_dir_names, direction);
1636
1637 /* create a policy */
1638 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1639
1640 /* find a matching policy */
1641 this->mutex->lock(this->mutex);
1642 if (this->policies->find_first(this->policies,
1643 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1644 {
1645 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1646 dst_ts, policy_dir_names, direction);
1647 policy_entry_destroy(policy);
1648 this->mutex->unlock(this->mutex);
1649 return NOT_FOUND;
1650 }
1651 policy_entry_destroy(policy);
1652 policy = found;
1653
1654 memset(&request, 0, sizeof(request));
1655
1656 msg = (struct sadb_msg*)request;
1657 msg->sadb_msg_version = PF_KEY_V2;
1658 msg->sadb_msg_type = SADB_X_SPDGET;
1659 msg->sadb_msg_satype = 0;
1660 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1661
1662 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1663 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1664 pol->sadb_x_policy_id = policy->index;
1665 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1666 pol->sadb_x_policy_dir = dir2kernel(direction);
1667 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1668 PFKEY_EXT_ADD(msg, pol);
1669
1670 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1671 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1672 addr->sadb_address_proto = policy->src.proto;
1673 addr->sadb_address_prefixlen = policy->src.mask;
1674 host2ext(policy->src.net, addr);
1675 PFKEY_EXT_ADD(msg, addr);
1676
1677 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1678 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1679 addr->sadb_address_proto = policy->dst.proto;
1680 addr->sadb_address_prefixlen = policy->dst.mask;
1681 host2ext(policy->dst.net, addr);
1682 PFKEY_EXT_ADD(msg, addr);
1683
1684 this->mutex->unlock(this->mutex);
1685
1686 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1687 {
1688 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1689 policy_dir_names, direction);
1690 return FAILED;
1691 }
1692 else if (out->sadb_msg_errno)
1693 {
1694 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1695 dst_ts, policy_dir_names, direction,
1696 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1697 free(out);
1698 return FAILED;
1699 }
1700 else if (parse_pfkey_message(out, &response) != SUCCESS)
1701 {
1702 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1703 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1704 free(out);
1705 return FAILED;
1706 }
1707
1708 *use_time = response.lft_current->sadb_lifetime_usetime;
1709
1710 free(out);
1711
1712 return SUCCESS;
1713 }
1714
1715 /**
1716 * Implementation of kernel_interface_t.del_policy.
1717 */
1718 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1719 traffic_selector_t *src_ts,
1720 traffic_selector_t *dst_ts,
1721 policy_dir_t direction, bool unrouted)
1722 {
1723 unsigned char request[PFKEY_BUFFER_SIZE];
1724 struct sadb_msg *msg, *out;
1725 struct sadb_x_policy *pol;
1726 struct sadb_address *addr;
1727 policy_entry_t *policy, *found = NULL;
1728 route_entry_t *route;
1729 size_t len;
1730
1731 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1732 policy_dir_names, direction);
1733
1734 /* create a policy */
1735 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1736
1737 /* find a matching policy */
1738 this->mutex->lock(this->mutex);
1739 if (this->policies->find_first(this->policies,
1740 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1741 {
1742 if (--found->refcount > 0)
1743 {
1744 /* is used by more SAs, keep in kernel */
1745 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1746 policy_entry_destroy(policy);
1747 this->mutex->unlock(this->mutex);
1748 return SUCCESS;
1749 }
1750 /* remove if last reference */
1751 this->policies->remove(this->policies, found, NULL);
1752 policy_entry_destroy(policy);
1753 policy = found;
1754 }
1755 else
1756 {
1757 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1758 dst_ts, policy_dir_names, direction);
1759 policy_entry_destroy(policy);
1760 this->mutex->unlock(this->mutex);
1761 return NOT_FOUND;
1762 }
1763 this->mutex->unlock(this->mutex);
1764
1765 memset(&request, 0, sizeof(request));
1766
1767 msg = (struct sadb_msg*)request;
1768 msg->sadb_msg_version = PF_KEY_V2;
1769 msg->sadb_msg_type = SADB_X_SPDDELETE;
1770 msg->sadb_msg_satype = 0;
1771 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1772
1773 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1774 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1775 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1776 pol->sadb_x_policy_dir = dir2kernel(direction);
1777 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1778 PFKEY_EXT_ADD(msg, pol);
1779
1780 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1781 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1782 addr->sadb_address_proto = policy->src.proto;
1783 addr->sadb_address_prefixlen = policy->src.mask;
1784 host2ext(policy->src.net, addr);
1785 PFKEY_EXT_ADD(msg, addr);
1786
1787 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1788 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1789 addr->sadb_address_proto = policy->dst.proto;
1790 addr->sadb_address_prefixlen = policy->dst.mask;
1791 host2ext(policy->dst.net, addr);
1792 PFKEY_EXT_ADD(msg, addr);
1793
1794 route = policy->route;
1795 policy->route = NULL;
1796 policy_entry_destroy(policy);
1797
1798 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1799 {
1800 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1801 policy_dir_names, direction);
1802 return FAILED;
1803 }
1804 else if (out->sadb_msg_errno)
1805 {
1806 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
1807 dst_ts, policy_dir_names, direction,
1808 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1809 free(out);
1810 return FAILED;
1811 }
1812 free(out);
1813
1814 if (route)
1815 {
1816 if (charon->kernel_interface->del_route(charon->kernel_interface,
1817 route->dst_net, route->prefixlen, route->gateway,
1818 route->src_ip, route->if_name) != SUCCESS)
1819 {
1820 DBG1(DBG_KNL, "error uninstalling route installed with "
1821 "policy %R === %R %N", src_ts, dst_ts,
1822 policy_dir_names, direction);
1823 }
1824 route_entry_destroy(route);
1825 }
1826
1827 return SUCCESS;
1828 }
1829
1830 /**
1831 * Register a socket for AQUIRE/EXPIRE messages
1832 */
1833 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
1834 {
1835 unsigned char request[PFKEY_BUFFER_SIZE];
1836 struct sadb_msg *msg, *out;
1837 size_t len;
1838
1839 memset(&request, 0, sizeof(request));
1840
1841 msg = (struct sadb_msg*)request;
1842 msg->sadb_msg_version = PF_KEY_V2;
1843 msg->sadb_msg_type = SADB_REGISTER;
1844 msg->sadb_msg_satype = satype;
1845 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1846
1847 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
1848 {
1849 DBG1(DBG_KNL, "unable to register PF_KEY socket");
1850 return FAILED;
1851 }
1852 else if (out->sadb_msg_errno)
1853 {
1854 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
1855 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1856 free(out);
1857 return FAILED;
1858 }
1859 free(out);
1860 return SUCCESS;
1861 }
1862
1863 /**
1864 * Implementation of kernel_interface_t.destroy.
1865 */
1866 static void destroy(private_kernel_pfkey_ipsec_t *this)
1867 {
1868 this->job->cancel(this->job);
1869 close(this->socket);
1870 close(this->socket_events);
1871 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
1872 this->mutex->destroy(this->mutex);
1873 this->mutex_pfkey->destroy(this->mutex_pfkey);
1874 free(this);
1875 }
1876
1877 /**
1878 * Add bypass policies for IKE on the sockets of charon
1879 */
1880 static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
1881 {
1882 int fd, family, port;
1883 enumerator_t *sockets;
1884 bool status = TRUE;
1885
1886 sockets = charon->socket->create_enumerator(charon->socket);
1887 while (sockets->enumerate(sockets, &fd, &family, &port))
1888 {
1889 struct sadb_x_policy policy;
1890 u_int sol, ipsec_policy;
1891
1892 switch (family)
1893 {
1894 case AF_INET:
1895 sol = SOL_IP;
1896 ipsec_policy = IP_IPSEC_POLICY;
1897 break;
1898 case AF_INET6:
1899 {
1900 sol = SOL_IPV6;
1901 ipsec_policy = IPV6_IPSEC_POLICY;
1902 break;
1903 }
1904 }
1905
1906 memset(&policy, 0, sizeof(policy));
1907 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
1908 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1909 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
1910
1911 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
1912 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1913 {
1914 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1915 strerror(errno));
1916 status = FALSE;
1917 break;
1918 }
1919 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
1920 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1921 {
1922 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1923 strerror(errno));
1924 status = FALSE;
1925 break;
1926 }
1927 }
1928 sockets->destroy(sockets);
1929 return status;
1930 }
1931
1932 /*
1933 * Described in header.
1934 */
1935 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
1936 {
1937 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
1938
1939 /* public functions */
1940 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1941 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1942 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
1943 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
1944 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
1945 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
1946 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1947 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
1948
1949 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1950
1951 /* private members */
1952 this->policies = linked_list_create();
1953 this->mutex = mutex_create(MUTEX_DEFAULT);
1954 this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
1955 this->install_routes = lib->settings->get_bool(lib->settings,
1956 "charon.install_routes", TRUE);
1957 this->seq = 0;
1958
1959 /* create a PF_KEY socket to communicate with the kernel */
1960 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1961 if (this->socket <= 0)
1962 {
1963 charon->kill(charon, "unable to create PF_KEY socket");
1964 }
1965
1966 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
1967 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1968 if (this->socket_events <= 0)
1969 {
1970 charon->kill(charon, "unable to create PF_KEY event socket");
1971 }
1972
1973 /* add bypass policies on the sockets used by charon */
1974 if (!add_bypass_policies(this))
1975 {
1976 charon->kill(charon, "unable to add bypass policies on sockets");
1977 }
1978
1979 /* register the event socket */
1980 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
1981 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
1982 {
1983 charon->kill(charon, "unable to register PF_KEY event socket");
1984 }
1985
1986 this->job = callback_job_create((callback_job_cb_t)receive_events,
1987 this, NULL, NULL);
1988 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1989
1990 return &this->public;
1991 }