Pass sockets to bypass to kernel interface, allowing us to register them dynamically
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2009 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef __FreeBSD__
21 #include <limits.h> /* for LONG_MAX */
22 #endif
23
24 #ifdef HAVE_NET_PFKEYV2_H
25 #include <net/pfkeyv2.h>
26 #else
27 #include <stdint.h>
28 #include <linux/pfkeyv2.h>
29 #endif
30
31 #ifdef SADB_X_EXT_NAT_T_TYPE
32 #define HAVE_NATT
33 #endif
34
35 #ifdef HAVE_NETIPSEC_IPSEC_H
36 #include <netipsec/ipsec.h>
37 #elif defined(HAVE_NETINET6_IPSEC_H)
38 #include <netinet6/ipsec.h>
39 #else
40 #include <linux/ipsec.h>
41 #endif
42
43 #ifdef HAVE_NATT
44 #ifdef HAVE_LINUX_UDP_H
45 #include <linux/udp.h>
46 #else
47 #include <netinet/udp.h>
48 #endif /*HAVE_LINUX_UDP_H*/
49 #endif /*HAVE_NATT*/
50
51 #include <unistd.h>
52 #include <time.h>
53 #include <errno.h>
54
55 #include "kernel_pfkey_ipsec.h"
56
57 #include <daemon.h>
58 #include <utils/host.h>
59 #include <threading/thread.h>
60 #include <threading/mutex.h>
61 #include <processing/jobs/callback_job.h>
62 #include <processing/jobs/acquire_job.h>
63 #include <processing/jobs/migrate_job.h>
64 #include <processing/jobs/rekey_child_sa_job.h>
65 #include <processing/jobs/delete_child_sa_job.h>
66 #include <processing/jobs/update_sa_job.h>
67
68 /** non linux specific */
69 #ifndef IPPROTO_COMP
70 #define IPPROTO_COMP IPPROTO_IPCOMP
71 #endif
72
73 #ifndef SADB_X_AALG_SHA2_256HMAC
74 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
75 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
76 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
77 #endif
78
79 #ifndef SADB_X_EALG_AESCBC
80 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
81 #endif
82
83 #ifndef SADB_X_EALG_CASTCBC
84 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
85 #endif
86
87 #ifndef SOL_IP
88 #define SOL_IP IPPROTO_IP
89 #define SOL_IPV6 IPPROTO_IPV6
90 #endif
91
92 /** from linux/in.h */
93 #ifndef IP_IPSEC_POLICY
94 #define IP_IPSEC_POLICY 16
95 #endif
96
97 /** missing on uclibc */
98 #ifndef IPV6_IPSEC_POLICY
99 #define IPV6_IPSEC_POLICY 34
100 #endif
101
102 /** default priority of installed policies */
103 #define PRIO_LOW 3000
104 #define PRIO_HIGH 2000
105
106 #ifdef __APPLE__
107 /** from xnu/bsd/net/pfkeyv2.h */
108 #define SADB_X_EXT_NATT 0x002
109 struct sadb_sa_2 {
110 struct sadb_sa sa;
111 u_int16_t sadb_sa_natt_port;
112 u_int16_t sadb_reserved0;
113 u_int32_t sadb_reserved1;
114 };
115 #endif
116
117 /** buffer size for PF_KEY messages */
118 #define PFKEY_BUFFER_SIZE 4096
119
120 /** PF_KEY messages are 64 bit aligned */
121 #define PFKEY_ALIGNMENT 8
122 /** aligns len to 64 bits */
123 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
124 /** calculates the properly padded length in 64 bit chunks */
125 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
126 /** calculates user mode length i.e. in bytes */
127 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
128
129 /** given a PF_KEY message header and an extension this updates the length in the header */
130 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
131 /** given a PF_KEY message header this returns a pointer to the next extension */
132 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
133 /** copy an extension and append it to a PF_KEY message */
134 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
135 /** given a PF_KEY extension this returns a pointer to the next extension */
136 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
137 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
138 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
139 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
140 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
141 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
142 (ext)->sadb_ext_len <= (len))
143
144 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
145
146 /**
147 * Private variables and functions of kernel_pfkey class.
148 */
149 struct private_kernel_pfkey_ipsec_t
150 {
151 /**
152 * Public part of the kernel_pfkey_t object.
153 */
154 kernel_pfkey_ipsec_t public;
155
156 /**
157 * mutex to lock access to various lists
158 */
159 mutex_t *mutex;
160
161 /**
162 * List of installed policies (policy_entry_t)
163 */
164 linked_list_t *policies;
165
166 /**
167 * whether to install routes along policies
168 */
169 bool install_routes;
170
171 /**
172 * job receiving PF_KEY events
173 */
174 callback_job_t *job;
175
176 /**
177 * mutex to lock access to the PF_KEY socket
178 */
179 mutex_t *mutex_pfkey;
180
181 /**
182 * PF_KEY socket to communicate with the kernel
183 */
184 int socket;
185
186 /**
187 * PF_KEY socket to receive acquire and expire events
188 */
189 int socket_events;
190
191 /**
192 * sequence number for messages sent to the kernel
193 */
194 int seq;
195 };
196
197 typedef struct route_entry_t route_entry_t;
198
199 /**
200 * installed routing entry
201 */
202 struct route_entry_t {
203 /** Name of the interface the route is bound to */
204 char *if_name;
205
206 /** Source ip of the route */
207 host_t *src_ip;
208
209 /** gateway for this route */
210 host_t *gateway;
211
212 /** Destination net */
213 chunk_t dst_net;
214
215 /** Destination net prefixlen */
216 u_int8_t prefixlen;
217 };
218
219 /**
220 * destroy an route_entry_t object
221 */
222 static void route_entry_destroy(route_entry_t *this)
223 {
224 free(this->if_name);
225 DESTROY_IF(this->src_ip);
226 DESTROY_IF(this->gateway);
227 chunk_free(&this->dst_net);
228 free(this);
229 }
230
231 typedef struct policy_entry_t policy_entry_t;
232
233 /**
234 * installed kernel policy.
235 */
236 struct policy_entry_t {
237
238 /** reqid of this policy */
239 u_int32_t reqid;
240
241 /** index assigned by the kernel */
242 u_int32_t index;
243
244 /** direction of this policy: in, out, forward */
245 u_int8_t direction;
246
247 /** parameters of installed policy */
248 struct {
249 /** subnet and port */
250 host_t *net;
251 /** subnet mask */
252 u_int8_t mask;
253 /** protocol */
254 u_int8_t proto;
255 } src, dst;
256
257 /** associated route installed for this policy */
258 route_entry_t *route;
259
260 /** by how many CHILD_SA's this policy is used */
261 u_int refcount;
262 };
263
264 /**
265 * create a policy_entry_t object
266 */
267 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
268 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
269 {
270 policy_entry_t *policy = malloc_thing(policy_entry_t);
271 policy->reqid = reqid;
272 policy->index = 0;
273 policy->direction = dir;
274 policy->route = NULL;
275 policy->refcount = 0;
276
277 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
278 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
279
280 /* src or dest proto may be "any" (0), use more restrictive one */
281 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
282 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
283 policy->dst.proto = policy->src.proto;
284
285 return policy;
286 }
287
288 /**
289 * destroy a policy_entry_t object
290 */
291 static void policy_entry_destroy(policy_entry_t *this)
292 {
293 DESTROY_IF(this->src.net);
294 DESTROY_IF(this->dst.net);
295 if (this->route)
296 {
297 route_entry_destroy(this->route);
298 }
299 free(this);
300 }
301
302 /**
303 * compares two policy_entry_t
304 */
305 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
306 {
307 return current->direction == policy->direction &&
308 current->src.proto == policy->src.proto &&
309 current->dst.proto == policy->dst.proto &&
310 current->src.mask == policy->src.mask &&
311 current->dst.mask == policy->dst.mask &&
312 current->src.net->equals(current->src.net, policy->src.net) &&
313 current->dst.net->equals(current->dst.net, policy->dst.net);
314 }
315
316 /**
317 * compare the given kernel index with that of a policy
318 */
319 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
320 {
321 return current->index == *index;
322 }
323
324 typedef struct pfkey_msg_t pfkey_msg_t;
325
326 struct pfkey_msg_t
327 {
328 /**
329 * PF_KEY message base
330 */
331 struct sadb_msg *msg;
332
333 /**
334 * PF_KEY message extensions
335 */
336 union {
337 struct sadb_ext *ext[SADB_EXT_MAX + 1];
338 struct {
339 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
340 struct sadb_sa *sa; /* SADB_EXT_SA */
341 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
342 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
343 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
344 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
345 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
346 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
347 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
348 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
349 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
350 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
351 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
352 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
353 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
354 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
355 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
356 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
357 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
358 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
359 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
360 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
361 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
362 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
363 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
364 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
365 } __attribute__((__packed__));
366 };
367 };
368
369 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
370 "SADB_EXT_RESERVED",
371 "SADB_EXT_SA",
372 "SADB_EXT_LIFETIME_CURRENT",
373 "SADB_EXT_LIFETIME_HARD",
374 "SADB_EXT_LIFETIME_SOFT",
375 "SADB_EXT_ADDRESS_SRC",
376 "SADB_EXT_ADDRESS_DST",
377 "SADB_EXT_ADDRESS_PROXY",
378 "SADB_EXT_KEY_AUTH",
379 "SADB_EXT_KEY_ENCRYPT",
380 "SADB_EXT_IDENTITY_SRC",
381 "SADB_EXT_IDENTITY_DST",
382 "SADB_EXT_SENSITIVITY",
383 "SADB_EXT_PROPOSAL",
384 "SADB_EXT_SUPPORTED_AUTH",
385 "SADB_EXT_SUPPORTED_ENCRYPT",
386 "SADB_EXT_SPIRANGE",
387 "SADB_X_EXT_KMPRIVATE",
388 "SADB_X_EXT_POLICY",
389 "SADB_X_EXT_SA2",
390 "SADB_X_EXT_NAT_T_TYPE",
391 "SADB_X_EXT_NAT_T_SPORT",
392 "SADB_X_EXT_NAT_T_DPORT",
393 "SADB_X_EXT_NAT_T_OA",
394 "SADB_X_EXT_SEC_CTX",
395 "SADB_X_EXT_KMADDRESS"
396 );
397
398 /**
399 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
400 */
401 static u_int8_t proto_ike2satype(protocol_id_t proto)
402 {
403 switch (proto)
404 {
405 case PROTO_ESP:
406 return SADB_SATYPE_ESP;
407 case PROTO_AH:
408 return SADB_SATYPE_AH;
409 case IPPROTO_COMP:
410 return SADB_X_SATYPE_IPCOMP;
411 default:
412 return proto;
413 }
414 }
415
416 /**
417 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
418 */
419 static protocol_id_t proto_satype2ike(u_int8_t proto)
420 {
421 switch (proto)
422 {
423 case SADB_SATYPE_ESP:
424 return PROTO_ESP;
425 case SADB_SATYPE_AH:
426 return PROTO_AH;
427 case SADB_X_SATYPE_IPCOMP:
428 return IPPROTO_COMP;
429 default:
430 return proto;
431 }
432 }
433
434 /**
435 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
436 */
437 static u_int8_t proto_ike2ip(protocol_id_t proto)
438 {
439 switch (proto)
440 {
441 case PROTO_ESP:
442 return IPPROTO_ESP;
443 case PROTO_AH:
444 return IPPROTO_AH;
445 default:
446 return proto;
447 }
448 }
449
450 /**
451 * convert the general ipsec mode to the one defined in ipsec.h
452 */
453 static u_int8_t mode2kernel(ipsec_mode_t mode)
454 {
455 switch (mode)
456 {
457 case MODE_TRANSPORT:
458 return IPSEC_MODE_TRANSPORT;
459 case MODE_TUNNEL:
460 return IPSEC_MODE_TUNNEL;
461 #ifdef HAVE_IPSEC_MODE_BEET
462 case MODE_BEET:
463 return IPSEC_MODE_BEET;
464 #endif
465 default:
466 return mode;
467 }
468 }
469
470 /**
471 * convert the general policy direction to the one defined in ipsec.h
472 */
473 static u_int8_t dir2kernel(policy_dir_t dir)
474 {
475 switch (dir)
476 {
477 case POLICY_IN:
478 return IPSEC_DIR_INBOUND;
479 case POLICY_OUT:
480 return IPSEC_DIR_OUTBOUND;
481 #ifdef HAVE_IPSEC_DIR_FWD
482 case POLICY_FWD:
483 return IPSEC_DIR_FWD;
484 #endif
485 default:
486 return IPSEC_DIR_INVALID;
487 }
488 }
489
490 #ifdef SADB_X_MIGRATE
491 /**
492 * convert the policy direction in ipsec.h to the general one.
493 */
494 static policy_dir_t kernel2dir(u_int8_t dir)
495 {
496 switch (dir)
497 {
498 case IPSEC_DIR_INBOUND:
499 return POLICY_IN;
500 case IPSEC_DIR_OUTBOUND:
501 return POLICY_OUT;
502 #ifdef HAVE_IPSEC_DIR_FWD
503 case IPSEC_DIR_FWD:
504 return POLICY_FWD;
505 #endif
506 default:
507 return dir;
508 }
509 }
510 #endif /*SADB_X_MIGRATE*/
511
512 typedef struct kernel_algorithm_t kernel_algorithm_t;
513
514 /**
515 * Mapping of IKEv2 algorithms to PF_KEY algorithms
516 */
517 struct kernel_algorithm_t {
518 /**
519 * Identifier specified in IKEv2
520 */
521 int ikev2;
522
523 /**
524 * Identifier as defined in pfkeyv2.h
525 */
526 int kernel;
527 };
528
529 #define END_OF_LIST -1
530
531 /**
532 * Algorithms for encryption
533 */
534 static kernel_algorithm_t encryption_algs[] = {
535 /* {ENCR_DES_IV64, 0 }, */
536 {ENCR_DES, SADB_EALG_DESCBC },
537 {ENCR_3DES, SADB_EALG_3DESCBC },
538 /* {ENCR_RC5, 0 }, */
539 /* {ENCR_IDEA, 0 }, */
540 {ENCR_CAST, SADB_X_EALG_CASTCBC },
541 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
542 /* {ENCR_3IDEA, 0 }, */
543 /* {ENCR_DES_IV32, 0 }, */
544 {ENCR_NULL, SADB_EALG_NULL },
545 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
546 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
547 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
548 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
549 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
550 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
551 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
552 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
553 {END_OF_LIST, 0 },
554 };
555
556 /**
557 * Algorithms for integrity protection
558 */
559 static kernel_algorithm_t integrity_algs[] = {
560 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
561 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
562 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
563 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
564 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
565 /* {AUTH_DES_MAC, 0, }, */
566 /* {AUTH_KPDK_MD5, 0, }, */
567 #ifdef SADB_X_AALG_AES_XCBC_MAC
568 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
569 #endif
570 {END_OF_LIST, 0, },
571 };
572
573 #if 0
574 /**
575 * Algorithms for IPComp, unused yet
576 */
577 static kernel_algorithm_t compression_algs[] = {
578 /* {IPCOMP_OUI, 0 }, */
579 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
580 {IPCOMP_LZS, SADB_X_CALG_LZS },
581 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
582 {END_OF_LIST, 0 },
583 };
584 #endif
585
586 /**
587 * Look up a kernel algorithm ID and its key size
588 */
589 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
590 {
591 while (list->ikev2 != END_OF_LIST)
592 {
593 if (ikev2 == list->ikev2)
594 {
595 return list->kernel;
596 }
597 list++;
598 }
599 return 0;
600 }
601
602 /**
603 * add a host behind a sadb_address extension
604 */
605 static void host2ext(host_t *host, struct sadb_address *ext)
606 {
607 sockaddr_t *host_addr = host->get_sockaddr(host);
608 socklen_t *len = host->get_sockaddr_len(host);
609 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
610 host_addr->sa_len = *len;
611 #endif
612 memcpy((char*)(ext + 1), host_addr, *len);
613 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
614 }
615
616 /**
617 * add a host to the given sadb_msg
618 */
619 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
620 u_int8_t proto, u_int8_t prefixlen)
621 {
622 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
623 addr->sadb_address_exttype = type;
624 addr->sadb_address_proto = proto;
625 addr->sadb_address_prefixlen = prefixlen;
626 host2ext(host, addr);
627 PFKEY_EXT_ADD(msg, addr);
628 }
629
630 /**
631 * adds an empty address extension to the given sadb_msg
632 */
633 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
634 {
635 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
636 sizeof(struct sockaddr_in6);
637 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
638 addr->sadb_address_exttype = type;
639 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
640 saddr->sa_family = family;
641 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
642 saddr->sa_len = len;
643 #endif
644 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
645 PFKEY_EXT_ADD(msg, addr);
646 }
647
648 #ifdef HAVE_NATT
649 /**
650 * add udp encap extensions to a sadb_msg
651 */
652 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
653 {
654 struct sadb_x_nat_t_type* nat_type;
655 struct sadb_x_nat_t_port* nat_port;
656
657 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
658 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
659 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
660 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
661 PFKEY_EXT_ADD(msg, nat_type);
662
663 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
664 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
665 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
666 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
667 PFKEY_EXT_ADD(msg, nat_port);
668
669 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
670 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
671 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
672 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
673 PFKEY_EXT_ADD(msg, nat_port);
674 }
675 #endif /*HAVE_NATT*/
676
677 /**
678 * Convert a sadb_address to a traffic_selector
679 */
680 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
681 {
682 traffic_selector_t *ts;
683 host_t *host;
684
685 /* The Linux 2.6 kernel does not set the protocol and port information
686 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
687 */
688 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
689 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
690 address->sadb_address_proto, host->get_port(host));
691 return ts;
692 }
693
694 /**
695 * Parses a pfkey message received from the kernel
696 */
697 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
698 {
699 struct sadb_ext* ext;
700 size_t len;
701
702 memset(out, 0, sizeof(pfkey_msg_t));
703 out->msg = msg;
704
705 len = msg->sadb_msg_len;
706 len -= PFKEY_LEN(sizeof(struct sadb_msg));
707
708 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
709
710 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
711 {
712 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
713 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
714 ext->sadb_ext_len > len)
715 {
716 DBG1(DBG_KNL, "length of %N extension is invalid",
717 sadb_ext_type_names, ext->sadb_ext_type);
718 break;
719 }
720
721 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
722 {
723 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
724 break;
725 }
726
727 if (out->ext[ext->sadb_ext_type])
728 {
729 DBG1(DBG_KNL, "duplicate %N extension",
730 sadb_ext_type_names, ext->sadb_ext_type);
731 break;
732 }
733
734 out->ext[ext->sadb_ext_type] = ext;
735 ext = PFKEY_EXT_NEXT_LEN(ext, len);
736 }
737
738 if (len)
739 {
740 DBG1(DBG_KNL, "PF_KEY message length is invalid");
741 return FAILED;
742 }
743
744 return SUCCESS;
745 }
746
747 /**
748 * Send a message to a specific PF_KEY socket and handle the response.
749 */
750 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
751 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
752 {
753 unsigned char buf[PFKEY_BUFFER_SIZE];
754 struct sadb_msg *msg;
755 int in_len, len;
756
757 this->mutex_pfkey->lock(this->mutex_pfkey);
758
759 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
760 * in particular the behavior in response to an SADB_ACQUIRE. */
761 in->sadb_msg_seq = ++this->seq;
762 in->sadb_msg_pid = getpid();
763
764 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
765
766 while (TRUE)
767 {
768 len = send(socket, in, in_len, 0);
769
770 if (len != in_len)
771 {
772 if (errno == EINTR)
773 {
774 /* interrupted, try again */
775 continue;
776 }
777 this->mutex_pfkey->unlock(this->mutex_pfkey);
778 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
779 return FAILED;
780 }
781 break;
782 }
783
784 while (TRUE)
785 {
786 msg = (struct sadb_msg*)buf;
787
788 len = recv(socket, buf, sizeof(buf), 0);
789
790 if (len < 0)
791 {
792 if (errno == EINTR)
793 {
794 DBG1(DBG_KNL, "got interrupted");
795 /* interrupted, try again */
796 continue;
797 }
798 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
799 this->mutex_pfkey->unlock(this->mutex_pfkey);
800 return FAILED;
801 }
802 if (len < sizeof(struct sadb_msg) ||
803 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
804 {
805 DBG1(DBG_KNL, "received corrupted PF_KEY message");
806 this->mutex_pfkey->unlock(this->mutex_pfkey);
807 return FAILED;
808 }
809 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
810 {
811 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
812 this->mutex_pfkey->unlock(this->mutex_pfkey);
813 return FAILED;
814 }
815 if (msg->sadb_msg_pid != in->sadb_msg_pid)
816 {
817 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
818 continue;
819 }
820 if (msg->sadb_msg_seq != this->seq)
821 {
822 DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
823 "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
824 if (msg->sadb_msg_seq == 0)
825 {
826 /* FreeBSD and Mac OS X do this for the response to
827 * SADB_X_SPDGET (but not for the response to SADB_GET).
828 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
829 }
830 else if (msg->sadb_msg_seq < this->seq)
831 {
832 continue;
833 }
834 else
835 {
836 this->mutex_pfkey->unlock(this->mutex_pfkey);
837 return FAILED;
838 }
839 }
840 if (msg->sadb_msg_type != in->sadb_msg_type)
841 {
842 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
843 "was %d expected %d, ignoring",
844 msg->sadb_msg_type, in->sadb_msg_type);
845 }
846 break;
847 }
848
849 *out_len = len;
850 *out = (struct sadb_msg*)malloc(len);
851 memcpy(*out, buf, len);
852
853 this->mutex_pfkey->unlock(this->mutex_pfkey);
854
855 return SUCCESS;
856 }
857
858 /**
859 * Send a message to the default PF_KEY socket and handle the response.
860 */
861 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
862 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
863 {
864 return pfkey_send_socket(this, this->socket, in, out, out_len);
865 }
866
867 /**
868 * Process a SADB_ACQUIRE message from the kernel
869 */
870 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
871 {
872 pfkey_msg_t response;
873 u_int32_t index, reqid = 0;
874 traffic_selector_t *src_ts, *dst_ts;
875 policy_entry_t *policy;
876 job_t *job;
877
878 switch (msg->sadb_msg_satype)
879 {
880 case SADB_SATYPE_UNSPEC:
881 case SADB_SATYPE_ESP:
882 case SADB_SATYPE_AH:
883 break;
884 default:
885 /* acquire for AH/ESP only */
886 return;
887 }
888 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
889
890 if (parse_pfkey_message(msg, &response) != SUCCESS)
891 {
892 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
893 return;
894 }
895
896 index = response.x_policy->sadb_x_policy_id;
897 this->mutex->lock(this->mutex);
898 if (this->policies->find_first(this->policies,
899 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
900 {
901 reqid = policy->reqid;
902 }
903 else
904 {
905 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
906 index);
907 }
908 src_ts = sadb_address2ts(response.src);
909 dst_ts = sadb_address2ts(response.dst);
910 this->mutex->unlock(this->mutex);
911
912 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
913 src_ts, dst_ts, reqid);
914 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
915 charon->processor->queue_job(charon->processor, job);
916 }
917
918 /**
919 * Process a SADB_EXPIRE message from the kernel
920 */
921 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
922 {
923 pfkey_msg_t response;
924 protocol_id_t protocol;
925 u_int32_t spi, reqid;
926 bool hard;
927 job_t *job;
928
929 DBG2(DBG_KNL, "received an SADB_EXPIRE");
930
931 if (parse_pfkey_message(msg, &response) != SUCCESS)
932 {
933 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
934 return;
935 }
936
937 protocol = proto_satype2ike(msg->sadb_msg_satype);
938 spi = response.sa->sadb_sa_spi;
939 reqid = response.x_sa2->sadb_x_sa2_reqid;
940 hard = response.lft_hard != NULL;
941
942 if (protocol != PROTO_ESP && protocol != PROTO_AH)
943 {
944 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
945 "which is not a CHILD_SA", ntohl(spi), reqid);
946 return;
947 }
948
949 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
950 hard ? "delete" : "rekey", protocol_id_names,
951 protocol, ntohl(spi), reqid);
952 if (hard)
953 {
954 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
955 }
956 else
957 {
958 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
959 }
960 charon->processor->queue_job(charon->processor, job);
961 }
962
963 #ifdef SADB_X_MIGRATE
964 /**
965 * Process a SADB_X_MIGRATE message from the kernel
966 */
967 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
968 {
969 pfkey_msg_t response;
970 traffic_selector_t *src_ts, *dst_ts;
971 policy_dir_t dir;
972 u_int32_t reqid = 0;
973 host_t *local = NULL, *remote = NULL;
974 job_t *job;
975
976 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
977
978 if (parse_pfkey_message(msg, &response) != SUCCESS)
979 {
980 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
981 return;
982 }
983 src_ts = sadb_address2ts(response.src);
984 dst_ts = sadb_address2ts(response.dst);
985 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
986 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
987 policy_dir_names, dir);
988
989 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
990 if (response.x_kmaddress)
991 {
992 sockaddr_t *local_addr, *remote_addr;
993 u_int32_t local_len;
994
995 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
996 local = host_create_from_sockaddr(local_addr);
997 local_len = (local_addr->sa_family == AF_INET6)?
998 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
999 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
1000 remote = host_create_from_sockaddr(remote_addr);
1001 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1002 }
1003
1004 if (src_ts && dst_ts && local && remote)
1005 {
1006 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
1007 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
1008 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
1009 local, remote);
1010 charon->processor->queue_job(charon->processor, job);
1011 }
1012 else
1013 {
1014 DESTROY_IF(src_ts);
1015 DESTROY_IF(dst_ts);
1016 DESTROY_IF(local);
1017 DESTROY_IF(remote);
1018 }
1019 }
1020 #endif /*SADB_X_MIGRATE*/
1021
1022 #ifdef HAVE_NATT
1023 /**
1024 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1025 */
1026 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
1027 {
1028 pfkey_msg_t response;
1029 u_int32_t spi, reqid;
1030 host_t *host;
1031 job_t *job;
1032
1033 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1034
1035 if (parse_pfkey_message(msg, &response) != SUCCESS)
1036 {
1037 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1038 return;
1039 }
1040
1041 if (!response.x_sa2)
1042 {
1043 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
1044 return;
1045 }
1046
1047 spi = response.sa->sadb_sa_spi;
1048 reqid = response.x_sa2->sadb_x_sa2_reqid;
1049
1050 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
1051 {
1052 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
1053 switch (sa->sa_family)
1054 {
1055 case AF_INET:
1056 {
1057 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1058 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1059 }
1060 case AF_INET6:
1061 {
1062 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1063 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1064 }
1065 default:
1066 break;
1067 }
1068 host = host_create_from_sockaddr(sa);
1069 if (host)
1070 {
1071 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
1072 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
1073 job = (job_t*)update_sa_job_create(reqid, host);
1074 charon->processor->queue_job(charon->processor, job);
1075 }
1076 }
1077 }
1078 #endif /*HAVE_NATT*/
1079
1080 /**
1081 * Receives events from kernel
1082 */
1083 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1084 {
1085 unsigned char buf[PFKEY_BUFFER_SIZE];
1086 struct sadb_msg *msg = (struct sadb_msg*)buf;
1087 int len;
1088 bool oldstate;
1089
1090 oldstate = thread_cancelability(TRUE);
1091 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1092 thread_cancelability(oldstate);
1093
1094 if (len < 0)
1095 {
1096 switch (errno)
1097 {
1098 case EINTR:
1099 /* interrupted, try again */
1100 return JOB_REQUEUE_DIRECT;
1101 case EAGAIN:
1102 /* no data ready, select again */
1103 return JOB_REQUEUE_DIRECT;
1104 default:
1105 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1106 sleep(1);
1107 return JOB_REQUEUE_FAIR;
1108 }
1109 }
1110
1111 if (len < sizeof(struct sadb_msg) ||
1112 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1113 {
1114 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1115 return JOB_REQUEUE_DIRECT;
1116 }
1117 if (msg->sadb_msg_pid != 0)
1118 { /* not from kernel. not interested, try another one */
1119 return JOB_REQUEUE_DIRECT;
1120 }
1121 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1122 {
1123 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
1124 return JOB_REQUEUE_DIRECT;
1125 }
1126
1127 switch (msg->sadb_msg_type)
1128 {
1129 case SADB_ACQUIRE:
1130 process_acquire(this, msg);
1131 break;
1132 case SADB_EXPIRE:
1133 process_expire(this, msg);
1134 break;
1135 #ifdef SADB_X_MIGRATE
1136 case SADB_X_MIGRATE:
1137 process_migrate(this, msg);
1138 break;
1139 #endif /*SADB_X_MIGRATE*/
1140 #ifdef HAVE_NATT
1141 case SADB_X_NAT_T_NEW_MAPPING:
1142 process_mapping(this, msg);
1143 break;
1144 #endif /*HAVE_NATT*/
1145 default:
1146 break;
1147 }
1148
1149 return JOB_REQUEUE_DIRECT;
1150 }
1151
1152 METHOD(kernel_ipsec_t, get_spi, status_t,
1153 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1154 protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
1155 {
1156 unsigned char request[PFKEY_BUFFER_SIZE];
1157 struct sadb_msg *msg, *out;
1158 struct sadb_x_sa2 *sa2;
1159 struct sadb_spirange *range;
1160 pfkey_msg_t response;
1161 u_int32_t received_spi = 0;
1162 size_t len;
1163
1164 memset(&request, 0, sizeof(request));
1165
1166 msg = (struct sadb_msg*)request;
1167 msg->sadb_msg_version = PF_KEY_V2;
1168 msg->sadb_msg_type = SADB_GETSPI;
1169 msg->sadb_msg_satype = proto_ike2satype(protocol);
1170 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1171
1172 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1173 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1174 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1175 sa2->sadb_x_sa2_reqid = reqid;
1176 PFKEY_EXT_ADD(msg, sa2);
1177
1178 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1179 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1180
1181 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1182 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1183 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1184 range->sadb_spirange_min = 0xc0000000;
1185 range->sadb_spirange_max = 0xcFFFFFFF;
1186 PFKEY_EXT_ADD(msg, range);
1187
1188 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1189 {
1190 if (out->sadb_msg_errno)
1191 {
1192 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1193 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1194 }
1195 else if (parse_pfkey_message(out, &response) == SUCCESS)
1196 {
1197 received_spi = response.sa->sadb_sa_spi;
1198 }
1199 free(out);
1200 }
1201
1202 if (received_spi == 0)
1203 {
1204 return FAILED;
1205 }
1206
1207 *spi = received_spi;
1208 return SUCCESS;
1209 }
1210
1211 METHOD(kernel_ipsec_t, get_cpi, status_t,
1212 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1213 u_int32_t reqid, u_int16_t *cpi)
1214 {
1215 return FAILED;
1216 }
1217
1218 METHOD(kernel_ipsec_t, add_sa, status_t,
1219 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
1220 protocol_id_t protocol, u_int32_t reqid, lifetime_cfg_t *lifetime,
1221 u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key,
1222 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
1223 bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
1224 {
1225 unsigned char request[PFKEY_BUFFER_SIZE];
1226 struct sadb_msg *msg, *out;
1227 struct sadb_sa *sa;
1228 struct sadb_x_sa2 *sa2;
1229 struct sadb_lifetime *lft;
1230 struct sadb_key *key;
1231 size_t len;
1232
1233 memset(&request, 0, sizeof(request));
1234
1235 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1236
1237 msg = (struct sadb_msg*)request;
1238 msg->sadb_msg_version = PF_KEY_V2;
1239 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1240 msg->sadb_msg_satype = proto_ike2satype(protocol);
1241 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1242
1243 #ifdef __APPLE__
1244 if (encap)
1245 {
1246 struct sadb_sa_2 *sa_2;
1247 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1248 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1249 sa = &sa_2->sa;
1250 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1251 len = sizeof(struct sadb_sa_2);
1252 }
1253 else
1254 #endif
1255 {
1256 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1257 len = sizeof(struct sadb_sa);
1258 }
1259 sa->sadb_sa_exttype = SADB_EXT_SA;
1260 sa->sadb_sa_len = PFKEY_LEN(len);
1261 sa->sadb_sa_spi = spi;
1262 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1263 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1264 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1265 PFKEY_EXT_ADD(msg, sa);
1266
1267 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1268 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1269 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1270 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1271 sa2->sadb_x_sa2_reqid = reqid;
1272 PFKEY_EXT_ADD(msg, sa2);
1273
1274 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1275 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1276
1277 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1278 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1279 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1280 lft->sadb_lifetime_allocations = lifetime->packets.rekey;
1281 lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
1282 lft->sadb_lifetime_addtime = lifetime->time.rekey;
1283 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1284 PFKEY_EXT_ADD(msg, lft);
1285
1286 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1287 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1288 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1289 lft->sadb_lifetime_allocations = lifetime->packets.life;
1290 lft->sadb_lifetime_bytes = lifetime->bytes.life;
1291 lft->sadb_lifetime_addtime = lifetime->time.life;
1292 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1293 PFKEY_EXT_ADD(msg, lft);
1294
1295 if (enc_alg != ENCR_UNDEFINED)
1296 {
1297 if (!sa->sadb_sa_encrypt)
1298 {
1299 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1300 encryption_algorithm_names, enc_alg);
1301 return FAILED;
1302 }
1303 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1304 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1305
1306 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1307 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1308 key->sadb_key_bits = enc_key.len * 8;
1309 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1310 memcpy(key + 1, enc_key.ptr, enc_key.len);
1311
1312 PFKEY_EXT_ADD(msg, key);
1313 }
1314
1315 if (int_alg != AUTH_UNDEFINED)
1316 {
1317 if (!sa->sadb_sa_auth)
1318 {
1319 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1320 integrity_algorithm_names, int_alg);
1321 return FAILED;
1322 }
1323 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1324 integrity_algorithm_names, int_alg, int_key.len * 8);
1325
1326 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1327 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1328 key->sadb_key_bits = int_key.len * 8;
1329 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1330 memcpy(key + 1, int_key.ptr, int_key.len);
1331
1332 PFKEY_EXT_ADD(msg, key);
1333 }
1334
1335 if (ipcomp != IPCOMP_NONE)
1336 {
1337 /*TODO*/
1338 }
1339
1340 #ifdef HAVE_NATT
1341 if (encap)
1342 {
1343 add_encap_ext(msg, src, dst);
1344 }
1345 #endif /*HAVE_NATT*/
1346
1347 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1348 {
1349 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1350 return FAILED;
1351 }
1352 else if (out->sadb_msg_errno)
1353 {
1354 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1355 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1356 free(out);
1357 return FAILED;
1358 }
1359
1360 free(out);
1361 return SUCCESS;
1362 }
1363
1364 METHOD(kernel_ipsec_t, update_sa, status_t,
1365 private_kernel_pfkey_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
1366 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1367 bool encap, bool new_encap)
1368 {
1369 unsigned char request[PFKEY_BUFFER_SIZE];
1370 struct sadb_msg *msg, *out;
1371 struct sadb_sa *sa;
1372 pfkey_msg_t response;
1373 size_t len;
1374
1375 /* we can't update the SA if any of the ip addresses have changed.
1376 * that's because we can't use SADB_UPDATE and by deleting and readding the
1377 * SA the sequence numbers would get lost */
1378 if (!src->ip_equals(src, new_src) ||
1379 !dst->ip_equals(dst, new_dst))
1380 {
1381 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
1382 " are not supported", ntohl(spi));
1383 return NOT_SUPPORTED;
1384 }
1385
1386 memset(&request, 0, sizeof(request));
1387
1388 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1389
1390 msg = (struct sadb_msg*)request;
1391 msg->sadb_msg_version = PF_KEY_V2;
1392 msg->sadb_msg_type = SADB_GET;
1393 msg->sadb_msg_satype = proto_ike2satype(protocol);
1394 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1395
1396 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1397 sa->sadb_sa_exttype = SADB_EXT_SA;
1398 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1399 sa->sadb_sa_spi = spi;
1400 PFKEY_EXT_ADD(msg, sa);
1401
1402 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1403 * it is not used for anything. */
1404 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1405 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1406
1407 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1408 {
1409 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1410 ntohl(spi));
1411 return FAILED;
1412 }
1413 else if (out->sadb_msg_errno)
1414 {
1415 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1416 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1417 free(out);
1418 return FAILED;
1419 }
1420 else if (parse_pfkey_message(out, &response) != SUCCESS)
1421 {
1422 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1423 "from kernel failed", ntohl(spi));
1424 free(out);
1425 return FAILED;
1426 }
1427
1428 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1429 ntohl(spi), src, dst, new_src, new_dst);
1430
1431 memset(&request, 0, sizeof(request));
1432
1433 msg = (struct sadb_msg*)request;
1434 msg->sadb_msg_version = PF_KEY_V2;
1435 msg->sadb_msg_type = SADB_UPDATE;
1436 msg->sadb_msg_satype = proto_ike2satype(protocol);
1437 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1438
1439 #ifdef __APPLE__
1440 {
1441 struct sadb_sa_2 *sa_2;
1442 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1443 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1444 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1445 if (encap)
1446 {
1447 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1448 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1449 }
1450 }
1451 #else
1452 PFKEY_EXT_COPY(msg, response.sa);
1453 #endif
1454 PFKEY_EXT_COPY(msg, response.x_sa2);
1455
1456 PFKEY_EXT_COPY(msg, response.src);
1457 PFKEY_EXT_COPY(msg, response.dst);
1458
1459 PFKEY_EXT_COPY(msg, response.lft_soft);
1460 PFKEY_EXT_COPY(msg, response.lft_hard);
1461
1462 if (response.key_encr)
1463 {
1464 PFKEY_EXT_COPY(msg, response.key_encr);
1465 }
1466
1467 if (response.key_auth)
1468 {
1469 PFKEY_EXT_COPY(msg, response.key_auth);
1470 }
1471
1472 #ifdef HAVE_NATT
1473 if (new_encap)
1474 {
1475 add_encap_ext(msg, new_src, new_dst);
1476 }
1477 #endif /*HAVE_NATT*/
1478
1479 free(out);
1480
1481 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1482 {
1483 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1484 return FAILED;
1485 }
1486 else if (out->sadb_msg_errno)
1487 {
1488 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1489 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1490 free(out);
1491 return FAILED;
1492 }
1493 free(out);
1494
1495 return SUCCESS;
1496 }
1497
1498 METHOD(kernel_ipsec_t, query_sa, status_t,
1499 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1500 u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
1501 {
1502 unsigned char request[PFKEY_BUFFER_SIZE];
1503 struct sadb_msg *msg, *out;
1504 struct sadb_sa *sa;
1505 pfkey_msg_t response;
1506 size_t len;
1507
1508 memset(&request, 0, sizeof(request));
1509
1510 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1511
1512 msg = (struct sadb_msg*)request;
1513 msg->sadb_msg_version = PF_KEY_V2;
1514 msg->sadb_msg_type = SADB_GET;
1515 msg->sadb_msg_satype = proto_ike2satype(protocol);
1516 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1517
1518 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1519 sa->sadb_sa_exttype = SADB_EXT_SA;
1520 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1521 sa->sadb_sa_spi = spi;
1522 PFKEY_EXT_ADD(msg, sa);
1523
1524 /* the Linux Kernel doesn't care for the src address, but other systems do
1525 * (e.g. FreeBSD)
1526 */
1527 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1528 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1529
1530 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1531 {
1532 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1533 return FAILED;
1534 }
1535 else if (out->sadb_msg_errno)
1536 {
1537 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1538 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1539 free(out);
1540 return FAILED;
1541 }
1542 else if (parse_pfkey_message(out, &response) != SUCCESS)
1543 {
1544 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1545 free(out);
1546 return FAILED;
1547 }
1548 *bytes = response.lft_current->sadb_lifetime_bytes;
1549
1550 free(out);
1551 return SUCCESS;
1552 }
1553
1554 METHOD(kernel_ipsec_t, del_sa, status_t,
1555 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1556 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
1557 {
1558 unsigned char request[PFKEY_BUFFER_SIZE];
1559 struct sadb_msg *msg, *out;
1560 struct sadb_sa *sa;
1561 size_t len;
1562
1563 memset(&request, 0, sizeof(request));
1564
1565 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1566
1567 msg = (struct sadb_msg*)request;
1568 msg->sadb_msg_version = PF_KEY_V2;
1569 msg->sadb_msg_type = SADB_DELETE;
1570 msg->sadb_msg_satype = proto_ike2satype(protocol);
1571 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1572
1573 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1574 sa->sadb_sa_exttype = SADB_EXT_SA;
1575 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1576 sa->sadb_sa_spi = spi;
1577 PFKEY_EXT_ADD(msg, sa);
1578
1579 /* the Linux Kernel doesn't care for the src address, but other systems do
1580 * (e.g. FreeBSD)
1581 */
1582 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1583 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1584
1585 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1586 {
1587 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1588 return FAILED;
1589 }
1590 else if (out->sadb_msg_errno)
1591 {
1592 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1593 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1594 free(out);
1595 return FAILED;
1596 }
1597
1598 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1599 free(out);
1600 return SUCCESS;
1601 }
1602
1603 METHOD(kernel_ipsec_t, add_policy, status_t,
1604 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1605 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
1606 policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
1607 u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1608 bool routed)
1609 {
1610 unsigned char request[PFKEY_BUFFER_SIZE];
1611 struct sadb_msg *msg, *out;
1612 struct sadb_x_policy *pol;
1613 struct sadb_x_ipsecrequest *req;
1614 policy_entry_t *policy, *found = NULL;
1615 pfkey_msg_t response;
1616 size_t len;
1617
1618 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1619 {
1620 /* FWD policies are not supported on all platforms */
1621 return SUCCESS;
1622 }
1623
1624 /* create a policy */
1625 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1626
1627 /* find a matching policy */
1628 this->mutex->lock(this->mutex);
1629 if (this->policies->find_first(this->policies,
1630 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1631 {
1632 /* use existing policy */
1633 found->refcount++;
1634 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1635 "refcount", src_ts, dst_ts,
1636 policy_dir_names, direction);
1637 policy_entry_destroy(policy);
1638 policy = found;
1639 }
1640 else
1641 {
1642 /* apply the new one, if we have no such policy */
1643 this->policies->insert_last(this->policies, policy);
1644 policy->refcount = 1;
1645 }
1646
1647 memset(&request, 0, sizeof(request));
1648
1649 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1650 policy_dir_names, direction);
1651
1652 msg = (struct sadb_msg*)request;
1653 msg->sadb_msg_version = PF_KEY_V2;
1654 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1655 msg->sadb_msg_satype = 0;
1656 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1657
1658 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1659 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1660 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1661 pol->sadb_x_policy_id = 0;
1662 pol->sadb_x_policy_dir = dir2kernel(direction);
1663 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1664 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1665 /* calculate priority based on source selector size, small size = high prio */
1666 pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
1667 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1668 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1669 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1670 #endif
1671
1672 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1673 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1674 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1675 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1676 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1677 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1678 req->sadb_x_ipsecrequest_reqid = reqid;
1679 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1680 if (mode == MODE_TUNNEL)
1681 {
1682 sockaddr_t *sa;
1683 socklen_t sl;
1684 sa = src->get_sockaddr(src);
1685 sl = *src->get_sockaddr_len(src);
1686 memcpy(req + 1, sa, sl);
1687 sa = dst->get_sockaddr(dst);
1688 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1689 req->sadb_x_ipsecrequest_len += sl * 2;
1690 }
1691
1692 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1693 PFKEY_EXT_ADD(msg, pol);
1694
1695 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1696 policy->src.mask);
1697 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1698 policy->dst.mask);
1699
1700 #ifdef __FreeBSD__
1701 { /* on FreeBSD a lifetime has to be defined to be able to later query
1702 * the current use time. */
1703 struct sadb_lifetime *lft;
1704 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1705 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1706 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1707 lft->sadb_lifetime_addtime = LONG_MAX;
1708 PFKEY_EXT_ADD(msg, lft);
1709 }
1710 #endif
1711
1712 this->mutex->unlock(this->mutex);
1713
1714 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1715 {
1716 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1717 policy_dir_names, direction);
1718 return FAILED;
1719 }
1720 else if (out->sadb_msg_errno)
1721 {
1722 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1723 policy_dir_names, direction,
1724 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1725 free(out);
1726 return FAILED;
1727 }
1728 else if (parse_pfkey_message(out, &response) != SUCCESS)
1729 {
1730 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1731 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1732 free(out);
1733 return FAILED;
1734 }
1735
1736 this->mutex->lock(this->mutex);
1737
1738 /* we try to find the policy again and update the kernel index */
1739 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1740 {
1741 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1742 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1743 this->mutex->unlock(this->mutex);
1744 free(out);
1745 return SUCCESS;
1746 }
1747 policy->index = response.x_policy->sadb_x_policy_id;
1748 free(out);
1749
1750 /* install a route, if:
1751 * - we are NOT updating a policy
1752 * - this is a forward policy (to just get one for each child)
1753 * - we are in tunnel mode
1754 * - we are not using IPv6 (does not work correctly yet!)
1755 * - routing is not disabled via strongswan.conf
1756 */
1757 if (policy->route == NULL && direction == POLICY_FWD &&
1758 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1759 this->install_routes)
1760 {
1761 route_entry_t *route = malloc_thing(route_entry_t);
1762
1763 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1764 dst_ts, &route->src_ip) == SUCCESS)
1765 {
1766 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1767 route->gateway = charon->kernel_interface->get_nexthop(
1768 charon->kernel_interface, src);
1769 route->if_name = charon->kernel_interface->get_interface(
1770 charon->kernel_interface, dst);
1771 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1772 route->prefixlen = policy->src.mask;
1773
1774 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1775 route->dst_net, route->prefixlen, route->gateway,
1776 route->src_ip, route->if_name))
1777 {
1778 default:
1779 DBG1(DBG_KNL, "unable to install source route for %H",
1780 route->src_ip);
1781 /* FALL */
1782 case ALREADY_DONE:
1783 /* route exists, do not uninstall */
1784 route_entry_destroy(route);
1785 break;
1786 case SUCCESS:
1787 /* cache the installed route */
1788 policy->route = route;
1789 break;
1790 }
1791 }
1792 else
1793 {
1794 free(route);
1795 }
1796 }
1797
1798 this->mutex->unlock(this->mutex);
1799
1800 return SUCCESS;
1801 }
1802
1803 METHOD(kernel_ipsec_t, query_policy, status_t,
1804 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
1805 traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
1806 {
1807 unsigned char request[PFKEY_BUFFER_SIZE];
1808 struct sadb_msg *msg, *out;
1809 struct sadb_x_policy *pol;
1810 policy_entry_t *policy, *found = NULL;
1811 pfkey_msg_t response;
1812 size_t len;
1813
1814 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1815 {
1816 /* FWD policies are not supported on all platforms */
1817 return NOT_FOUND;
1818 }
1819
1820 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1821 policy_dir_names, direction);
1822
1823 /* create a policy */
1824 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1825
1826 /* find a matching policy */
1827 this->mutex->lock(this->mutex);
1828 if (this->policies->find_first(this->policies,
1829 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1830 {
1831 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1832 dst_ts, policy_dir_names, direction);
1833 policy_entry_destroy(policy);
1834 this->mutex->unlock(this->mutex);
1835 return NOT_FOUND;
1836 }
1837 policy_entry_destroy(policy);
1838 policy = found;
1839
1840 memset(&request, 0, sizeof(request));
1841
1842 msg = (struct sadb_msg*)request;
1843 msg->sadb_msg_version = PF_KEY_V2;
1844 msg->sadb_msg_type = SADB_X_SPDGET;
1845 msg->sadb_msg_satype = 0;
1846 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1847
1848 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1849 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1850 pol->sadb_x_policy_id = policy->index;
1851 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1852 pol->sadb_x_policy_dir = dir2kernel(direction);
1853 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1854 PFKEY_EXT_ADD(msg, pol);
1855
1856 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1857 policy->src.mask);
1858 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1859 policy->dst.mask);
1860
1861 this->mutex->unlock(this->mutex);
1862
1863 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1864 {
1865 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1866 policy_dir_names, direction);
1867 return FAILED;
1868 }
1869 else if (out->sadb_msg_errno)
1870 {
1871 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1872 dst_ts, policy_dir_names, direction,
1873 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1874 free(out);
1875 return FAILED;
1876 }
1877 else if (parse_pfkey_message(out, &response) != SUCCESS)
1878 {
1879 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1880 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1881 free(out);
1882 return FAILED;
1883 }
1884 else if (response.lft_current == NULL)
1885 {
1886 DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
1887 "use time", src_ts, dst_ts, policy_dir_names, direction);
1888 free(out);
1889 return FAILED;
1890 }
1891 /* we need the monotonic time, but the kernel returns system time. */
1892 if (response.lft_current->sadb_lifetime_usetime)
1893 {
1894 *use_time = time_monotonic(NULL) -
1895 (time(NULL) - response.lft_current->sadb_lifetime_usetime);
1896 }
1897 else
1898 {
1899 *use_time = 0;
1900 }
1901 free(out);
1902
1903 return SUCCESS;
1904 }
1905
1906 METHOD(kernel_ipsec_t, del_policy, status_t,
1907 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
1908 traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted)
1909 {
1910 unsigned char request[PFKEY_BUFFER_SIZE];
1911 struct sadb_msg *msg, *out;
1912 struct sadb_x_policy *pol;
1913 policy_entry_t *policy, *found = NULL;
1914 route_entry_t *route;
1915 size_t len;
1916
1917 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1918 {
1919 /* FWD policies are not supported on all platforms */
1920 return SUCCESS;
1921 }
1922
1923 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1924 policy_dir_names, direction);
1925
1926 /* create a policy */
1927 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1928
1929 /* find a matching policy */
1930 this->mutex->lock(this->mutex);
1931 if (this->policies->find_first(this->policies,
1932 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1933 {
1934 if (--found->refcount > 0)
1935 {
1936 /* is used by more SAs, keep in kernel */
1937 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1938 policy_entry_destroy(policy);
1939 this->mutex->unlock(this->mutex);
1940 return SUCCESS;
1941 }
1942 /* remove if last reference */
1943 this->policies->remove(this->policies, found, NULL);
1944 policy_entry_destroy(policy);
1945 policy = found;
1946 }
1947 else
1948 {
1949 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1950 dst_ts, policy_dir_names, direction);
1951 policy_entry_destroy(policy);
1952 this->mutex->unlock(this->mutex);
1953 return NOT_FOUND;
1954 }
1955 this->mutex->unlock(this->mutex);
1956
1957 memset(&request, 0, sizeof(request));
1958
1959 msg = (struct sadb_msg*)request;
1960 msg->sadb_msg_version = PF_KEY_V2;
1961 msg->sadb_msg_type = SADB_X_SPDDELETE;
1962 msg->sadb_msg_satype = 0;
1963 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1964
1965 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1966 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1967 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1968 pol->sadb_x_policy_dir = dir2kernel(direction);
1969 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1970 PFKEY_EXT_ADD(msg, pol);
1971
1972 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1973 policy->src.mask);
1974 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1975 policy->dst.mask);
1976
1977 route = policy->route;
1978 policy->route = NULL;
1979 policy_entry_destroy(policy);
1980
1981 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1982 {
1983 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1984 policy_dir_names, direction);
1985 return FAILED;
1986 }
1987 else if (out->sadb_msg_errno)
1988 {
1989 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
1990 dst_ts, policy_dir_names, direction,
1991 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1992 free(out);
1993 return FAILED;
1994 }
1995 free(out);
1996
1997 if (route)
1998 {
1999 if (charon->kernel_interface->del_route(charon->kernel_interface,
2000 route->dst_net, route->prefixlen, route->gateway,
2001 route->src_ip, route->if_name) != SUCCESS)
2002 {
2003 DBG1(DBG_KNL, "error uninstalling route installed with "
2004 "policy %R === %R %N", src_ts, dst_ts,
2005 policy_dir_names, direction);
2006 }
2007 route_entry_destroy(route);
2008 }
2009
2010 return SUCCESS;
2011 }
2012
2013 /**
2014 * Register a socket for AQUIRE/EXPIRE messages
2015 */
2016 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
2017 u_int8_t satype)
2018 {
2019 unsigned char request[PFKEY_BUFFER_SIZE];
2020 struct sadb_msg *msg, *out;
2021 size_t len;
2022
2023 memset(&request, 0, sizeof(request));
2024
2025 msg = (struct sadb_msg*)request;
2026 msg->sadb_msg_version = PF_KEY_V2;
2027 msg->sadb_msg_type = SADB_REGISTER;
2028 msg->sadb_msg_satype = satype;
2029 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2030
2031 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2032 {
2033 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2034 return FAILED;
2035 }
2036 else if (out->sadb_msg_errno)
2037 {
2038 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2039 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2040 free(out);
2041 return FAILED;
2042 }
2043 free(out);
2044 return SUCCESS;
2045 }
2046
2047 METHOD(kernel_ipsec_t, bypass_socket, bool,
2048 private_kernel_pfkey_ipsec_t *this, int fd, int family)
2049 {
2050 struct sadb_x_policy policy;
2051 u_int sol, ipsec_policy;
2052
2053 switch (family)
2054 {
2055 case AF_INET:
2056 {
2057 sol = SOL_IP;
2058 ipsec_policy = IP_IPSEC_POLICY;
2059 break;
2060 }
2061 case AF_INET6:
2062 {
2063 sol = SOL_IPV6;
2064 ipsec_policy = IPV6_IPSEC_POLICY;
2065 break;
2066 }
2067 default:
2068 return FALSE;
2069 }
2070
2071 memset(&policy, 0, sizeof(policy));
2072 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
2073 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2074 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
2075
2076 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
2077 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2078 {
2079 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2080 strerror(errno));
2081 return FALSE;
2082 }
2083 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
2084 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2085 {
2086 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2087 strerror(errno));
2088 return FALSE;
2089 }
2090 return TRUE;
2091 }
2092
2093 METHOD(kernel_ipsec_t, destroy, void,
2094 private_kernel_pfkey_ipsec_t *this)
2095 {
2096 this->job->cancel(this->job);
2097 close(this->socket);
2098 close(this->socket_events);
2099 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
2100 this->mutex->destroy(this->mutex);
2101 this->mutex_pfkey->destroy(this->mutex_pfkey);
2102 free(this);
2103 }
2104
2105 /*
2106 * Described in header.
2107 */
2108 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
2109 {
2110 private_kernel_pfkey_ipsec_t *this;
2111
2112 INIT(this,
2113 .public.interface = {
2114 .get_spi = _get_spi,
2115 .get_cpi = _get_cpi,
2116 .add_sa = _add_sa,
2117 .update_sa = _update_sa,
2118 .query_sa = _query_sa,
2119 .del_sa = _del_sa,
2120 .add_policy = _add_policy,
2121 .query_policy = _query_policy,
2122 .del_policy = _del_policy,
2123 .bypass_socket = _bypass_socket,
2124 .destroy = _destroy,
2125 },
2126 .policies = linked_list_create(),
2127 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2128 .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
2129 .install_routes = lib->settings->get_bool(lib->settings,
2130 "charon.install_routes", TRUE),
2131 );
2132
2133 /* create a PF_KEY socket to communicate with the kernel */
2134 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2135 if (this->socket <= 0)
2136 {
2137 charon->kill(charon, "unable to create PF_KEY socket");
2138 }
2139
2140 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2141 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2142 if (this->socket_events <= 0)
2143 {
2144 charon->kill(charon, "unable to create PF_KEY event socket");
2145 }
2146
2147 /* register the event socket */
2148 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2149 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2150 {
2151 charon->kill(charon, "unable to register PF_KEY event socket");
2152 }
2153
2154 this->job = callback_job_create((callback_job_cb_t)receive_events,
2155 this, NULL, NULL);
2156 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2157
2158 return &this->public;
2159 }
2160