use time_monotonic() instead of time() for statistics and time difference calculations
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2009 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef __FreeBSD__
21 #include <limits.h> /* for LONG_MAX */
22 #endif
23
24 #ifdef HAVE_NET_PFKEYV2_H
25 #include <net/pfkeyv2.h>
26 #else
27 #include <stdint.h>
28 #include <linux/pfkeyv2.h>
29 #endif
30
31 #ifdef SADB_X_EXT_NAT_T_TYPE
32 #define HAVE_NATT
33 #endif
34
35 #ifdef HAVE_NETIPSEC_IPSEC_H
36 #include <netipsec/ipsec.h>
37 #elif defined(HAVE_NETINET6_IPSEC_H)
38 #include <netinet6/ipsec.h>
39 #else
40 #include <linux/ipsec.h>
41 #endif
42
43 #ifdef HAVE_NATT
44 #ifdef HAVE_LINUX_UDP_H
45 #include <linux/udp.h>
46 #else
47 #include <netinet/udp.h>
48 #endif /*HAVE_LINUX_UDP_H*/
49 #endif /*HAVE_NATT*/
50
51 #include <unistd.h>
52 #include <pthread.h>
53 #include <errno.h>
54
55 #include "kernel_pfkey_ipsec.h"
56
57 #include <daemon.h>
58 #include <utils/host.h>
59 #include <utils/mutex.h>
60 #include <processing/jobs/callback_job.h>
61 #include <processing/jobs/acquire_job.h>
62 #include <processing/jobs/migrate_job.h>
63 #include <processing/jobs/rekey_child_sa_job.h>
64 #include <processing/jobs/delete_child_sa_job.h>
65 #include <processing/jobs/update_sa_job.h>
66
67 /** non linux specific */
68 #ifndef IPPROTO_COMP
69 #define IPPROTO_COMP IPPROTO_IPCOMP
70 #endif
71
72 #ifndef SADB_X_AALG_SHA2_256HMAC
73 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
74 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
75 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
76 #endif
77
78 #ifndef SADB_X_EALG_AESCBC
79 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
80 #endif
81
82 #ifndef SADB_X_EALG_CASTCBC
83 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
84 #endif
85
86 #ifndef SOL_IP
87 #define SOL_IP IPPROTO_IP
88 #define SOL_IPV6 IPPROTO_IPV6
89 #endif
90
91 /** from linux/in.h */
92 #ifndef IP_IPSEC_POLICY
93 #define IP_IPSEC_POLICY 16
94 #endif
95
96 /** missing on uclibc */
97 #ifndef IPV6_IPSEC_POLICY
98 #define IPV6_IPSEC_POLICY 34
99 #endif
100
101 /** default priority of installed policies */
102 #define PRIO_LOW 3000
103 #define PRIO_HIGH 2000
104
105 #ifdef __APPLE__
106 /** from xnu/bsd/net/pfkeyv2.h */
107 #define SADB_X_EXT_NATT 0x002
108 struct sadb_sa_2 {
109 struct sadb_sa sa;
110 u_int16_t sadb_sa_natt_port;
111 u_int16_t sadb_reserved0;
112 u_int32_t sadb_reserved1;
113 };
114 #endif
115
116 /** buffer size for PF_KEY messages */
117 #define PFKEY_BUFFER_SIZE 4096
118
119 /** PF_KEY messages are 64 bit aligned */
120 #define PFKEY_ALIGNMENT 8
121 /** aligns len to 64 bits */
122 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
123 /** calculates the properly padded length in 64 bit chunks */
124 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
125 /** calculates user mode length i.e. in bytes */
126 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
127
128 /** given a PF_KEY message header and an extension this updates the length in the header */
129 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
130 /** given a PF_KEY message header this returns a pointer to the next extension */
131 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
132 /** copy an extension and append it to a PF_KEY message */
133 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
134 /** given a PF_KEY extension this returns a pointer to the next extension */
135 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
136 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
137 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
138 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
139 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
140 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
141 (ext)->sadb_ext_len <= (len))
142
143 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
144
145 /**
146 * Private variables and functions of kernel_pfkey class.
147 */
148 struct private_kernel_pfkey_ipsec_t
149 {
150 /**
151 * Public part of the kernel_pfkey_t object.
152 */
153 kernel_pfkey_ipsec_t public;
154
155 /**
156 * mutex to lock access to various lists
157 */
158 mutex_t *mutex;
159
160 /**
161 * List of installed policies (policy_entry_t)
162 */
163 linked_list_t *policies;
164
165 /**
166 * whether to install routes along policies
167 */
168 bool install_routes;
169
170 /**
171 * job receiving PF_KEY events
172 */
173 callback_job_t *job;
174
175 /**
176 * mutex to lock access to the PF_KEY socket
177 */
178 mutex_t *mutex_pfkey;
179
180 /**
181 * PF_KEY socket to communicate with the kernel
182 */
183 int socket;
184
185 /**
186 * PF_KEY socket to receive acquire and expire events
187 */
188 int socket_events;
189
190 /**
191 * sequence number for messages sent to the kernel
192 */
193 int seq;
194 };
195
196 typedef struct route_entry_t route_entry_t;
197
198 /**
199 * installed routing entry
200 */
201 struct route_entry_t {
202 /** Name of the interface the route is bound to */
203 char *if_name;
204
205 /** Source ip of the route */
206 host_t *src_ip;
207
208 /** gateway for this route */
209 host_t *gateway;
210
211 /** Destination net */
212 chunk_t dst_net;
213
214 /** Destination net prefixlen */
215 u_int8_t prefixlen;
216 };
217
218 /**
219 * destroy an route_entry_t object
220 */
221 static void route_entry_destroy(route_entry_t *this)
222 {
223 free(this->if_name);
224 DESTROY_IF(this->src_ip);
225 DESTROY_IF(this->gateway);
226 chunk_free(&this->dst_net);
227 free(this);
228 }
229
230 typedef struct policy_entry_t policy_entry_t;
231
232 /**
233 * installed kernel policy.
234 */
235 struct policy_entry_t {
236
237 /** reqid of this policy */
238 u_int32_t reqid;
239
240 /** index assigned by the kernel */
241 u_int32_t index;
242
243 /** direction of this policy: in, out, forward */
244 u_int8_t direction;
245
246 /** parameters of installed policy */
247 struct {
248 /** subnet and port */
249 host_t *net;
250 /** subnet mask */
251 u_int8_t mask;
252 /** protocol */
253 u_int8_t proto;
254 } src, dst;
255
256 /** associated route installed for this policy */
257 route_entry_t *route;
258
259 /** by how many CHILD_SA's this policy is used */
260 u_int refcount;
261 };
262
263 /**
264 * create a policy_entry_t object
265 */
266 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
267 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
268 {
269 policy_entry_t *policy = malloc_thing(policy_entry_t);
270 policy->reqid = reqid;
271 policy->index = 0;
272 policy->direction = dir;
273 policy->route = NULL;
274 policy->refcount = 0;
275
276 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
277 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
278
279 /* src or dest proto may be "any" (0), use more restrictive one */
280 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
281 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
282 policy->dst.proto = policy->src.proto;
283
284 return policy;
285 }
286
287 /**
288 * destroy a policy_entry_t object
289 */
290 static void policy_entry_destroy(policy_entry_t *this)
291 {
292 DESTROY_IF(this->src.net);
293 DESTROY_IF(this->dst.net);
294 if (this->route)
295 {
296 route_entry_destroy(this->route);
297 }
298 free(this);
299 }
300
301 /**
302 * compares two policy_entry_t
303 */
304 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
305 {
306 return current->direction == policy->direction &&
307 current->src.proto == policy->src.proto &&
308 current->dst.proto == policy->dst.proto &&
309 current->src.mask == policy->src.mask &&
310 current->dst.mask == policy->dst.mask &&
311 current->src.net->equals(current->src.net, policy->src.net) &&
312 current->dst.net->equals(current->dst.net, policy->dst.net);
313 }
314
315 /**
316 * compare the given kernel index with that of a policy
317 */
318 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
319 {
320 return current->index == *index;
321 }
322
323 typedef struct pfkey_msg_t pfkey_msg_t;
324
325 struct pfkey_msg_t
326 {
327 /**
328 * PF_KEY message base
329 */
330 struct sadb_msg *msg;
331
332 /**
333 * PF_KEY message extensions
334 */
335 union {
336 struct sadb_ext *ext[SADB_EXT_MAX + 1];
337 struct {
338 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
339 struct sadb_sa *sa; /* SADB_EXT_SA */
340 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
341 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
342 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
343 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
344 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
345 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
346 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
347 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
348 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
349 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
350 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
351 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
352 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
353 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
354 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
355 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
356 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
357 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
358 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
359 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
360 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
361 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
362 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
363 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
364 } __attribute__((__packed__));
365 };
366 };
367
368 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
369 "SADB_EXT_RESERVED",
370 "SADB_EXT_SA",
371 "SADB_EXT_LIFETIME_CURRENT",
372 "SADB_EXT_LIFETIME_HARD",
373 "SADB_EXT_LIFETIME_SOFT",
374 "SADB_EXT_ADDRESS_SRC",
375 "SADB_EXT_ADDRESS_DST",
376 "SADB_EXT_ADDRESS_PROXY",
377 "SADB_EXT_KEY_AUTH",
378 "SADB_EXT_KEY_ENCRYPT",
379 "SADB_EXT_IDENTITY_SRC",
380 "SADB_EXT_IDENTITY_DST",
381 "SADB_EXT_SENSITIVITY",
382 "SADB_EXT_PROPOSAL",
383 "SADB_EXT_SUPPORTED_AUTH",
384 "SADB_EXT_SUPPORTED_ENCRYPT",
385 "SADB_EXT_SPIRANGE",
386 "SADB_X_EXT_KMPRIVATE",
387 "SADB_X_EXT_POLICY",
388 "SADB_X_EXT_SA2",
389 "SADB_X_EXT_NAT_T_TYPE",
390 "SADB_X_EXT_NAT_T_SPORT",
391 "SADB_X_EXT_NAT_T_DPORT",
392 "SADB_X_EXT_NAT_T_OA",
393 "SADB_X_EXT_SEC_CTX",
394 "SADB_X_EXT_KMADDRESS"
395 );
396
397 /**
398 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
399 */
400 static u_int8_t proto_ike2satype(protocol_id_t proto)
401 {
402 switch (proto)
403 {
404 case PROTO_ESP:
405 return SADB_SATYPE_ESP;
406 case PROTO_AH:
407 return SADB_SATYPE_AH;
408 case IPPROTO_COMP:
409 return SADB_X_SATYPE_IPCOMP;
410 default:
411 return proto;
412 }
413 }
414
415 /**
416 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
417 */
418 static protocol_id_t proto_satype2ike(u_int8_t proto)
419 {
420 switch (proto)
421 {
422 case SADB_SATYPE_ESP:
423 return PROTO_ESP;
424 case SADB_SATYPE_AH:
425 return PROTO_AH;
426 case SADB_X_SATYPE_IPCOMP:
427 return IPPROTO_COMP;
428 default:
429 return proto;
430 }
431 }
432
433 /**
434 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
435 */
436 static u_int8_t proto_ike2ip(protocol_id_t proto)
437 {
438 switch (proto)
439 {
440 case PROTO_ESP:
441 return IPPROTO_ESP;
442 case PROTO_AH:
443 return IPPROTO_AH;
444 default:
445 return proto;
446 }
447 }
448
449 /**
450 * convert the general ipsec mode to the one defined in ipsec.h
451 */
452 static u_int8_t mode2kernel(ipsec_mode_t mode)
453 {
454 switch (mode)
455 {
456 case MODE_TRANSPORT:
457 return IPSEC_MODE_TRANSPORT;
458 case MODE_TUNNEL:
459 return IPSEC_MODE_TUNNEL;
460 #ifdef HAVE_IPSEC_MODE_BEET
461 case MODE_BEET:
462 return IPSEC_MODE_BEET;
463 #endif
464 default:
465 return mode;
466 }
467 }
468
469 /**
470 * convert the general policy direction to the one defined in ipsec.h
471 */
472 static u_int8_t dir2kernel(policy_dir_t dir)
473 {
474 switch (dir)
475 {
476 case POLICY_IN:
477 return IPSEC_DIR_INBOUND;
478 case POLICY_OUT:
479 return IPSEC_DIR_OUTBOUND;
480 #ifdef HAVE_IPSEC_DIR_FWD
481 case POLICY_FWD:
482 return IPSEC_DIR_FWD;
483 #endif
484 default:
485 return IPSEC_DIR_INVALID;
486 }
487 }
488
489 #ifdef SADB_X_MIGRATE
490 /**
491 * convert the policy direction in ipsec.h to the general one.
492 */
493 static policy_dir_t kernel2dir(u_int8_t dir)
494 {
495 switch (dir)
496 {
497 case IPSEC_DIR_INBOUND:
498 return POLICY_IN;
499 case IPSEC_DIR_OUTBOUND:
500 return POLICY_OUT;
501 #ifdef HAVE_IPSEC_DIR_FWD
502 case IPSEC_DIR_FWD:
503 return POLICY_FWD;
504 #endif
505 default:
506 return dir;
507 }
508 }
509 #endif /*SADB_X_MIGRATE*/
510
511 typedef struct kernel_algorithm_t kernel_algorithm_t;
512
513 /**
514 * Mapping of IKEv2 algorithms to PF_KEY algorithms
515 */
516 struct kernel_algorithm_t {
517 /**
518 * Identifier specified in IKEv2
519 */
520 int ikev2;
521
522 /**
523 * Identifier as defined in pfkeyv2.h
524 */
525 int kernel;
526 };
527
528 #define END_OF_LIST -1
529
530 /**
531 * Algorithms for encryption
532 */
533 static kernel_algorithm_t encryption_algs[] = {
534 /* {ENCR_DES_IV64, 0 }, */
535 {ENCR_DES, SADB_EALG_DESCBC },
536 {ENCR_3DES, SADB_EALG_3DESCBC },
537 /* {ENCR_RC5, 0 }, */
538 /* {ENCR_IDEA, 0 }, */
539 {ENCR_CAST, SADB_X_EALG_CASTCBC },
540 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
541 /* {ENCR_3IDEA, 0 }, */
542 /* {ENCR_DES_IV32, 0 }, */
543 {ENCR_NULL, SADB_EALG_NULL },
544 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
545 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
546 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
547 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
548 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
549 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
550 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
551 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
552 {END_OF_LIST, 0 },
553 };
554
555 /**
556 * Algorithms for integrity protection
557 */
558 static kernel_algorithm_t integrity_algs[] = {
559 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
560 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
561 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
562 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
563 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
564 /* {AUTH_DES_MAC, 0, }, */
565 /* {AUTH_KPDK_MD5, 0, }, */
566 #ifdef SADB_X_AALG_AES_XCBC_MAC
567 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
568 #endif
569 {END_OF_LIST, 0, },
570 };
571
572 #if 0
573 /**
574 * Algorithms for IPComp, unused yet
575 */
576 static kernel_algorithm_t compression_algs[] = {
577 /* {IPCOMP_OUI, 0 }, */
578 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
579 {IPCOMP_LZS, SADB_X_CALG_LZS },
580 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
581 {END_OF_LIST, 0 },
582 };
583 #endif
584
585 /**
586 * Look up a kernel algorithm ID and its key size
587 */
588 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
589 {
590 while (list->ikev2 != END_OF_LIST)
591 {
592 if (ikev2 == list->ikev2)
593 {
594 return list->kernel;
595 }
596 list++;
597 }
598 return 0;
599 }
600
601 /**
602 * add a host behind a sadb_address extension
603 */
604 static void host2ext(host_t *host, struct sadb_address *ext)
605 {
606 sockaddr_t *host_addr = host->get_sockaddr(host);
607 socklen_t *len = host->get_sockaddr_len(host);
608 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
609 host_addr->sa_len = *len;
610 #endif
611 memcpy((char*)(ext + 1), host_addr, *len);
612 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
613 }
614
615 /**
616 * add a host to the given sadb_msg
617 */
618 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
619 u_int8_t proto, u_int8_t prefixlen)
620 {
621 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
622 addr->sadb_address_exttype = type;
623 addr->sadb_address_proto = proto;
624 addr->sadb_address_prefixlen = prefixlen;
625 host2ext(host, addr);
626 PFKEY_EXT_ADD(msg, addr);
627 }
628
629 /**
630 * adds an empty address extension to the given sadb_msg
631 */
632 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
633 {
634 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
635 sizeof(struct sockaddr_in6);
636 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
637 addr->sadb_address_exttype = type;
638 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
639 saddr->sa_family = family;
640 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
641 saddr->sa_len = len;
642 #endif
643 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
644 PFKEY_EXT_ADD(msg, addr);
645 }
646
647 #ifdef HAVE_NATT
648 /**
649 * add udp encap extensions to a sadb_msg
650 */
651 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
652 {
653 struct sadb_x_nat_t_type* nat_type;
654 struct sadb_x_nat_t_port* nat_port;
655
656 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
657 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
658 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
659 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
660 PFKEY_EXT_ADD(msg, nat_type);
661
662 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
663 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
664 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
665 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
666 PFKEY_EXT_ADD(msg, nat_port);
667
668 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
669 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
670 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
671 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
672 PFKEY_EXT_ADD(msg, nat_port);
673 }
674 #endif /*HAVE_NATT*/
675
676 /**
677 * Convert a sadb_address to a traffic_selector
678 */
679 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
680 {
681 traffic_selector_t *ts;
682 host_t *host;
683
684 /* The Linux 2.6 kernel does not set the protocol and port information
685 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
686 */
687 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
688 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
689 address->sadb_address_proto, host->get_port(host));
690 return ts;
691 }
692
693 /**
694 * Parses a pfkey message received from the kernel
695 */
696 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
697 {
698 struct sadb_ext* ext;
699 size_t len;
700
701 memset(out, 0, sizeof(pfkey_msg_t));
702 out->msg = msg;
703
704 len = msg->sadb_msg_len;
705 len -= PFKEY_LEN(sizeof(struct sadb_msg));
706
707 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
708
709 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
710 {
711 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
712 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
713 ext->sadb_ext_len > len)
714 {
715 DBG1(DBG_KNL, "length of %N extension is invalid",
716 sadb_ext_type_names, ext->sadb_ext_type);
717 break;
718 }
719
720 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
721 {
722 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
723 break;
724 }
725
726 if (out->ext[ext->sadb_ext_type])
727 {
728 DBG1(DBG_KNL, "duplicate %N extension",
729 sadb_ext_type_names, ext->sadb_ext_type);
730 break;
731 }
732
733 out->ext[ext->sadb_ext_type] = ext;
734 ext = PFKEY_EXT_NEXT_LEN(ext, len);
735 }
736
737 if (len)
738 {
739 DBG1(DBG_KNL, "PF_KEY message length is invalid");
740 return FAILED;
741 }
742
743 return SUCCESS;
744 }
745
746 /**
747 * Send a message to a specific PF_KEY socket and handle the response.
748 */
749 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
750 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
751 {
752 unsigned char buf[PFKEY_BUFFER_SIZE];
753 struct sadb_msg *msg;
754 int in_len, len;
755
756 this->mutex_pfkey->lock(this->mutex_pfkey);
757
758 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
759 * in particular the behavior in response to an SADB_ACQUIRE. */
760 in->sadb_msg_seq = ++this->seq;
761 in->sadb_msg_pid = getpid();
762
763 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
764
765 while (TRUE)
766 {
767 len = send(socket, in, in_len, 0);
768
769 if (len != in_len)
770 {
771 if (errno == EINTR)
772 {
773 /* interrupted, try again */
774 continue;
775 }
776 this->mutex_pfkey->unlock(this->mutex_pfkey);
777 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
778 return FAILED;
779 }
780 break;
781 }
782
783 while (TRUE)
784 {
785 msg = (struct sadb_msg*)buf;
786
787 len = recv(socket, buf, sizeof(buf), 0);
788
789 if (len < 0)
790 {
791 if (errno == EINTR)
792 {
793 DBG1(DBG_KNL, "got interrupted");
794 /* interrupted, try again */
795 continue;
796 }
797 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
798 this->mutex_pfkey->unlock(this->mutex_pfkey);
799 return FAILED;
800 }
801 if (len < sizeof(struct sadb_msg) ||
802 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
803 {
804 DBG1(DBG_KNL, "received corrupted PF_KEY message");
805 this->mutex_pfkey->unlock(this->mutex_pfkey);
806 return FAILED;
807 }
808 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
809 {
810 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
811 this->mutex_pfkey->unlock(this->mutex_pfkey);
812 return FAILED;
813 }
814 if (msg->sadb_msg_pid != in->sadb_msg_pid)
815 {
816 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
817 continue;
818 }
819 if (msg->sadb_msg_seq != this->seq)
820 {
821 DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
822 "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
823 if (msg->sadb_msg_seq == 0)
824 {
825 /* FreeBSD and Mac OS X do this for the response to
826 * SADB_X_SPDGET (but not for the response to SADB_GET).
827 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
828 }
829 else if (msg->sadb_msg_seq < this->seq)
830 {
831 continue;
832 }
833 else
834 {
835 this->mutex_pfkey->unlock(this->mutex_pfkey);
836 return FAILED;
837 }
838 }
839 if (msg->sadb_msg_type != in->sadb_msg_type)
840 {
841 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
842 "was %d expected %d, ignoring",
843 msg->sadb_msg_type, in->sadb_msg_type);
844 }
845 break;
846 }
847
848 *out_len = len;
849 *out = (struct sadb_msg*)malloc(len);
850 memcpy(*out, buf, len);
851
852 this->mutex_pfkey->unlock(this->mutex_pfkey);
853
854 return SUCCESS;
855 }
856
857 /**
858 * Send a message to the default PF_KEY socket and handle the response.
859 */
860 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
861 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
862 {
863 return pfkey_send_socket(this, this->socket, in, out, out_len);
864 }
865
866 /**
867 * Process a SADB_ACQUIRE message from the kernel
868 */
869 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
870 {
871 pfkey_msg_t response;
872 u_int32_t index, reqid = 0;
873 traffic_selector_t *src_ts, *dst_ts;
874 policy_entry_t *policy;
875 job_t *job;
876
877 switch (msg->sadb_msg_satype)
878 {
879 case SADB_SATYPE_UNSPEC:
880 case SADB_SATYPE_ESP:
881 case SADB_SATYPE_AH:
882 break;
883 default:
884 /* acquire for AH/ESP only */
885 return;
886 }
887 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
888
889 if (parse_pfkey_message(msg, &response) != SUCCESS)
890 {
891 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
892 return;
893 }
894
895 index = response.x_policy->sadb_x_policy_id;
896 this->mutex->lock(this->mutex);
897 if (this->policies->find_first(this->policies,
898 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
899 {
900 reqid = policy->reqid;
901 }
902 else
903 {
904 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
905 index);
906 }
907 src_ts = sadb_address2ts(response.src);
908 dst_ts = sadb_address2ts(response.dst);
909 this->mutex->unlock(this->mutex);
910
911 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
912 src_ts, dst_ts, reqid);
913 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
914 charon->processor->queue_job(charon->processor, job);
915 }
916
917 /**
918 * Process a SADB_EXPIRE message from the kernel
919 */
920 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
921 {
922 pfkey_msg_t response;
923 protocol_id_t protocol;
924 u_int32_t spi, reqid;
925 bool hard;
926 job_t *job;
927
928 DBG2(DBG_KNL, "received an SADB_EXPIRE");
929
930 if (parse_pfkey_message(msg, &response) != SUCCESS)
931 {
932 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
933 return;
934 }
935
936 protocol = proto_satype2ike(msg->sadb_msg_satype);
937 spi = response.sa->sadb_sa_spi;
938 reqid = response.x_sa2->sadb_x_sa2_reqid;
939 hard = response.lft_hard != NULL;
940
941 if (protocol != PROTO_ESP && protocol != PROTO_AH)
942 {
943 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
944 "which is not a CHILD_SA", ntohl(spi), reqid);
945 return;
946 }
947
948 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
949 hard ? "delete" : "rekey", protocol_id_names,
950 protocol, ntohl(spi), reqid);
951 if (hard)
952 {
953 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
954 }
955 else
956 {
957 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
958 }
959 charon->processor->queue_job(charon->processor, job);
960 }
961
962 #ifdef SADB_X_MIGRATE
963 /**
964 * Process a SADB_X_MIGRATE message from the kernel
965 */
966 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
967 {
968 pfkey_msg_t response;
969 traffic_selector_t *src_ts, *dst_ts;
970 policy_dir_t dir;
971 u_int32_t reqid = 0;
972 host_t *local = NULL, *remote = NULL;
973 job_t *job;
974
975 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
976
977 if (parse_pfkey_message(msg, &response) != SUCCESS)
978 {
979 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
980 return;
981 }
982 src_ts = sadb_address2ts(response.src);
983 dst_ts = sadb_address2ts(response.dst);
984 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
985 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
986 policy_dir_names, dir);
987
988 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
989 if (response.x_kmaddress)
990 {
991 sockaddr_t *local_addr, *remote_addr;
992 u_int32_t local_len;
993
994 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
995 local = host_create_from_sockaddr(local_addr);
996 local_len = (local_addr->sa_family == AF_INET6)?
997 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
998 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
999 remote = host_create_from_sockaddr(remote_addr);
1000 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1001 }
1002
1003 if (src_ts && dst_ts && local && remote)
1004 {
1005 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
1006 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
1007 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
1008 local, remote);
1009 charon->processor->queue_job(charon->processor, job);
1010 }
1011 else
1012 {
1013 DESTROY_IF(src_ts);
1014 DESTROY_IF(dst_ts);
1015 DESTROY_IF(local);
1016 DESTROY_IF(remote);
1017 }
1018 }
1019 #endif /*SADB_X_MIGRATE*/
1020
1021 #ifdef HAVE_NATT
1022 /**
1023 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1024 */
1025 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
1026 {
1027 pfkey_msg_t response;
1028 u_int32_t spi, reqid;
1029 host_t *host;
1030 job_t *job;
1031
1032 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1033
1034 if (parse_pfkey_message(msg, &response) != SUCCESS)
1035 {
1036 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1037 return;
1038 }
1039
1040 if (!response.x_sa2)
1041 {
1042 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
1043 return;
1044 }
1045
1046 spi = response.sa->sadb_sa_spi;
1047 reqid = response.x_sa2->sadb_x_sa2_reqid;
1048
1049 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
1050 {
1051 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
1052 switch (sa->sa_family)
1053 {
1054 case AF_INET:
1055 {
1056 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1057 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1058 }
1059 case AF_INET6:
1060 {
1061 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1062 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1063 }
1064 default:
1065 break;
1066 }
1067 host = host_create_from_sockaddr(sa);
1068 if (host)
1069 {
1070 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
1071 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
1072 job = (job_t*)update_sa_job_create(reqid, host);
1073 charon->processor->queue_job(charon->processor, job);
1074 }
1075 }
1076 }
1077 #endif /*HAVE_NATT*/
1078
1079 /**
1080 * Receives events from kernel
1081 */
1082 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1083 {
1084 unsigned char buf[PFKEY_BUFFER_SIZE];
1085 struct sadb_msg *msg = (struct sadb_msg*)buf;
1086 int len, oldstate;
1087
1088 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
1089 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1090 pthread_setcancelstate(oldstate, NULL);
1091
1092 if (len < 0)
1093 {
1094 switch (errno)
1095 {
1096 case EINTR:
1097 /* interrupted, try again */
1098 return JOB_REQUEUE_DIRECT;
1099 case EAGAIN:
1100 /* no data ready, select again */
1101 return JOB_REQUEUE_DIRECT;
1102 default:
1103 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1104 sleep(1);
1105 return JOB_REQUEUE_FAIR;
1106 }
1107 }
1108
1109 if (len < sizeof(struct sadb_msg) ||
1110 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1111 {
1112 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1113 return JOB_REQUEUE_DIRECT;
1114 }
1115 if (msg->sadb_msg_pid != 0)
1116 { /* not from kernel. not interested, try another one */
1117 return JOB_REQUEUE_DIRECT;
1118 }
1119 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1120 {
1121 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
1122 return JOB_REQUEUE_DIRECT;
1123 }
1124
1125 switch (msg->sadb_msg_type)
1126 {
1127 case SADB_ACQUIRE:
1128 process_acquire(this, msg);
1129 break;
1130 case SADB_EXPIRE:
1131 process_expire(this, msg);
1132 break;
1133 #ifdef SADB_X_MIGRATE
1134 case SADB_X_MIGRATE:
1135 process_migrate(this, msg);
1136 break;
1137 #endif /*SADB_X_MIGRATE*/
1138 #ifdef HAVE_NATT
1139 case SADB_X_NAT_T_NEW_MAPPING:
1140 process_mapping(this, msg);
1141 break;
1142 #endif /*HAVE_NATT*/
1143 default:
1144 break;
1145 }
1146
1147 return JOB_REQUEUE_DIRECT;
1148 }
1149
1150 /**
1151 * Implementation of kernel_interface_t.get_spi.
1152 */
1153 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
1154 host_t *src, host_t *dst,
1155 protocol_id_t protocol, u_int32_t reqid,
1156 u_int32_t *spi)
1157 {
1158 unsigned char request[PFKEY_BUFFER_SIZE];
1159 struct sadb_msg *msg, *out;
1160 struct sadb_x_sa2 *sa2;
1161 struct sadb_spirange *range;
1162 pfkey_msg_t response;
1163 u_int32_t received_spi = 0;
1164 size_t len;
1165
1166 memset(&request, 0, sizeof(request));
1167
1168 msg = (struct sadb_msg*)request;
1169 msg->sadb_msg_version = PF_KEY_V2;
1170 msg->sadb_msg_type = SADB_GETSPI;
1171 msg->sadb_msg_satype = proto_ike2satype(protocol);
1172 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1173
1174 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1175 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1176 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1177 sa2->sadb_x_sa2_reqid = reqid;
1178 PFKEY_EXT_ADD(msg, sa2);
1179
1180 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1181 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1182
1183 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1184 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1185 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1186 range->sadb_spirange_min = 0xc0000000;
1187 range->sadb_spirange_max = 0xcFFFFFFF;
1188 PFKEY_EXT_ADD(msg, range);
1189
1190 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1191 {
1192 if (out->sadb_msg_errno)
1193 {
1194 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1195 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1196 }
1197 else if (parse_pfkey_message(out, &response) == SUCCESS)
1198 {
1199 received_spi = response.sa->sadb_sa_spi;
1200 }
1201 free(out);
1202 }
1203
1204 if (received_spi == 0)
1205 {
1206 return FAILED;
1207 }
1208
1209 *spi = received_spi;
1210 return SUCCESS;
1211 }
1212
1213 /**
1214 * Implementation of kernel_interface_t.get_cpi.
1215 */
1216 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
1217 host_t *src, host_t *dst,
1218 u_int32_t reqid, u_int16_t *cpi)
1219 {
1220 return FAILED;
1221 }
1222
1223 /**
1224 * Implementation of kernel_interface_t.add_sa.
1225 */
1226 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
1227 host_t *src, host_t *dst, u_int32_t spi,
1228 protocol_id_t protocol, u_int32_t reqid,
1229 u_int64_t expire_soft, u_int64_t expire_hard,
1230 u_int16_t enc_alg, chunk_t enc_key,
1231 u_int16_t int_alg, chunk_t int_key,
1232 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1233 bool encap, bool inbound)
1234 {
1235 unsigned char request[PFKEY_BUFFER_SIZE];
1236 struct sadb_msg *msg, *out;
1237 struct sadb_sa *sa;
1238 struct sadb_x_sa2 *sa2;
1239 struct sadb_lifetime *lft;
1240 struct sadb_key *key;
1241 size_t len;
1242
1243 memset(&request, 0, sizeof(request));
1244
1245 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1246
1247 msg = (struct sadb_msg*)request;
1248 msg->sadb_msg_version = PF_KEY_V2;
1249 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1250 msg->sadb_msg_satype = proto_ike2satype(protocol);
1251 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1252
1253 #ifdef __APPLE__
1254 if (encap)
1255 {
1256 struct sadb_sa_2 *sa_2;
1257 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1258 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1259 sa = &sa_2->sa;
1260 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1261 len = sizeof(struct sadb_sa_2);
1262 }
1263 else
1264 #endif
1265 {
1266 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1267 len = sizeof(struct sadb_sa);
1268 }
1269 sa->sadb_sa_exttype = SADB_EXT_SA;
1270 sa->sadb_sa_len = PFKEY_LEN(len);
1271 sa->sadb_sa_spi = spi;
1272 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1273 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1274 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1275 PFKEY_EXT_ADD(msg, sa);
1276
1277 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1278 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1279 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1280 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1281 sa2->sadb_x_sa2_reqid = reqid;
1282 PFKEY_EXT_ADD(msg, sa2);
1283
1284 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1285 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1286
1287 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1288 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1289 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1290 lft->sadb_lifetime_addtime = expire_soft;
1291 PFKEY_EXT_ADD(msg, lft);
1292
1293 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1294 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1295 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1296 lft->sadb_lifetime_addtime = expire_hard;
1297 PFKEY_EXT_ADD(msg, lft);
1298
1299 if (enc_alg != ENCR_UNDEFINED)
1300 {
1301 if (!sa->sadb_sa_encrypt)
1302 {
1303 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1304 encryption_algorithm_names, enc_alg);
1305 return FAILED;
1306 }
1307 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1308 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1309
1310 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1311 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1312 key->sadb_key_bits = enc_key.len * 8;
1313 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1314 memcpy(key + 1, enc_key.ptr, enc_key.len);
1315
1316 PFKEY_EXT_ADD(msg, key);
1317 }
1318
1319 if (int_alg != AUTH_UNDEFINED)
1320 {
1321 if (!sa->sadb_sa_auth)
1322 {
1323 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1324 integrity_algorithm_names, int_alg);
1325 return FAILED;
1326 }
1327 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1328 integrity_algorithm_names, int_alg, int_key.len * 8);
1329
1330 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1331 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1332 key->sadb_key_bits = int_key.len * 8;
1333 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1334 memcpy(key + 1, int_key.ptr, int_key.len);
1335
1336 PFKEY_EXT_ADD(msg, key);
1337 }
1338
1339 if (ipcomp != IPCOMP_NONE)
1340 {
1341 /*TODO*/
1342 }
1343
1344 #ifdef HAVE_NATT
1345 if (encap)
1346 {
1347 add_encap_ext(msg, src, dst);
1348 }
1349 #endif /*HAVE_NATT*/
1350
1351 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1352 {
1353 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1354 return FAILED;
1355 }
1356 else if (out->sadb_msg_errno)
1357 {
1358 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1359 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1360 free(out);
1361 return FAILED;
1362 }
1363
1364 free(out);
1365 return SUCCESS;
1366 }
1367
1368 /**
1369 * Implementation of kernel_interface_t.update_sa.
1370 */
1371 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1372 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1373 host_t *src, host_t *dst,
1374 host_t *new_src, host_t *new_dst,
1375 bool encap, bool new_encap)
1376 {
1377 unsigned char request[PFKEY_BUFFER_SIZE];
1378 struct sadb_msg *msg, *out;
1379 struct sadb_sa *sa;
1380 pfkey_msg_t response;
1381 size_t len;
1382
1383 /* we can't update the SA if any of the ip addresses have changed.
1384 * that's because we can't use SADB_UPDATE and by deleting and readding the
1385 * SA the sequence numbers would get lost */
1386 if (!src->ip_equals(src, new_src) ||
1387 !dst->ip_equals(dst, new_dst))
1388 {
1389 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
1390 " are not supported", ntohl(spi));
1391 return NOT_SUPPORTED;
1392 }
1393
1394 memset(&request, 0, sizeof(request));
1395
1396 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1397
1398 msg = (struct sadb_msg*)request;
1399 msg->sadb_msg_version = PF_KEY_V2;
1400 msg->sadb_msg_type = SADB_GET;
1401 msg->sadb_msg_satype = proto_ike2satype(protocol);
1402 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1403
1404 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1405 sa->sadb_sa_exttype = SADB_EXT_SA;
1406 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1407 sa->sadb_sa_spi = spi;
1408 PFKEY_EXT_ADD(msg, sa);
1409
1410 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1411 * it is not used for anything. */
1412 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1413 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1414
1415 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1416 {
1417 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1418 ntohl(spi));
1419 return FAILED;
1420 }
1421 else if (out->sadb_msg_errno)
1422 {
1423 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1424 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1425 free(out);
1426 return FAILED;
1427 }
1428 else if (parse_pfkey_message(out, &response) != SUCCESS)
1429 {
1430 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1431 "from kernel failed", ntohl(spi));
1432 free(out);
1433 return FAILED;
1434 }
1435
1436 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1437 ntohl(spi), src, dst, new_src, new_dst);
1438
1439 memset(&request, 0, sizeof(request));
1440
1441 msg = (struct sadb_msg*)request;
1442 msg->sadb_msg_version = PF_KEY_V2;
1443 msg->sadb_msg_type = SADB_UPDATE;
1444 msg->sadb_msg_satype = proto_ike2satype(protocol);
1445 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1446
1447 #ifdef __APPLE__
1448 {
1449 struct sadb_sa_2 *sa_2;
1450 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1451 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1452 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1453 if (encap)
1454 {
1455 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1456 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1457 }
1458 }
1459 #else
1460 PFKEY_EXT_COPY(msg, response.sa);
1461 #endif
1462 PFKEY_EXT_COPY(msg, response.x_sa2);
1463
1464 PFKEY_EXT_COPY(msg, response.src);
1465 PFKEY_EXT_COPY(msg, response.dst);
1466
1467 PFKEY_EXT_COPY(msg, response.lft_soft);
1468 PFKEY_EXT_COPY(msg, response.lft_hard);
1469
1470 if (response.key_encr)
1471 {
1472 PFKEY_EXT_COPY(msg, response.key_encr);
1473 }
1474
1475 if (response.key_auth)
1476 {
1477 PFKEY_EXT_COPY(msg, response.key_auth);
1478 }
1479
1480 #ifdef HAVE_NATT
1481 if (new_encap)
1482 {
1483 add_encap_ext(msg, new_src, new_dst);
1484 }
1485 #endif /*HAVE_NATT*/
1486
1487 free(out);
1488
1489 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1490 {
1491 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1492 return FAILED;
1493 }
1494 else if (out->sadb_msg_errno)
1495 {
1496 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1497 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1498 free(out);
1499 return FAILED;
1500 }
1501 free(out);
1502
1503 return SUCCESS;
1504 }
1505
1506 /**
1507 * Implementation of kernel_interface_t.query_sa.
1508 */
1509 static status_t query_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
1510 host_t *dst, u_int32_t spi, protocol_id_t protocol,
1511 u_int64_t *bytes)
1512 {
1513 unsigned char request[PFKEY_BUFFER_SIZE];
1514 struct sadb_msg *msg, *out;
1515 struct sadb_sa *sa;
1516 pfkey_msg_t response;
1517 size_t len;
1518
1519 memset(&request, 0, sizeof(request));
1520
1521 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1522
1523 msg = (struct sadb_msg*)request;
1524 msg->sadb_msg_version = PF_KEY_V2;
1525 msg->sadb_msg_type = SADB_GET;
1526 msg->sadb_msg_satype = proto_ike2satype(protocol);
1527 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1528
1529 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1530 sa->sadb_sa_exttype = SADB_EXT_SA;
1531 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1532 sa->sadb_sa_spi = spi;
1533 PFKEY_EXT_ADD(msg, sa);
1534
1535 /* the Linux Kernel doesn't care for the src address, but other systems do
1536 * (e.g. FreeBSD)
1537 */
1538 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1539 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1540
1541 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1542 {
1543 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1544 return FAILED;
1545 }
1546 else if (out->sadb_msg_errno)
1547 {
1548 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1549 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1550 free(out);
1551 return FAILED;
1552 }
1553 else if (parse_pfkey_message(out, &response) != SUCCESS)
1554 {
1555 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1556 free(out);
1557 return FAILED;
1558 }
1559 *bytes = response.lft_current->sadb_lifetime_bytes;
1560
1561 free(out);
1562 return SUCCESS;
1563 }
1564
1565 /**
1566 * Implementation of kernel_interface_t.del_sa.
1567 */
1568 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
1569 host_t *dst, u_int32_t spi, protocol_id_t protocol,
1570 u_int16_t cpi)
1571 {
1572 unsigned char request[PFKEY_BUFFER_SIZE];
1573 struct sadb_msg *msg, *out;
1574 struct sadb_sa *sa;
1575 size_t len;
1576
1577 memset(&request, 0, sizeof(request));
1578
1579 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1580
1581 msg = (struct sadb_msg*)request;
1582 msg->sadb_msg_version = PF_KEY_V2;
1583 msg->sadb_msg_type = SADB_DELETE;
1584 msg->sadb_msg_satype = proto_ike2satype(protocol);
1585 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1586
1587 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1588 sa->sadb_sa_exttype = SADB_EXT_SA;
1589 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1590 sa->sadb_sa_spi = spi;
1591 PFKEY_EXT_ADD(msg, sa);
1592
1593 /* the Linux Kernel doesn't care for the src address, but other systems do
1594 * (e.g. FreeBSD)
1595 */
1596 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1597 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1598
1599 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1600 {
1601 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1602 return FAILED;
1603 }
1604 else if (out->sadb_msg_errno)
1605 {
1606 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1607 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1608 free(out);
1609 return FAILED;
1610 }
1611
1612 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1613 free(out);
1614 return SUCCESS;
1615 }
1616
1617 /**
1618 * Implementation of kernel_interface_t.add_policy.
1619 */
1620 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1621 host_t *src, host_t *dst,
1622 traffic_selector_t *src_ts,
1623 traffic_selector_t *dst_ts,
1624 policy_dir_t direction, u_int32_t spi,
1625 protocol_id_t protocol, u_int32_t reqid,
1626 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1627 bool routed)
1628 {
1629 unsigned char request[PFKEY_BUFFER_SIZE];
1630 struct sadb_msg *msg, *out;
1631 struct sadb_x_policy *pol;
1632 struct sadb_x_ipsecrequest *req;
1633 policy_entry_t *policy, *found = NULL;
1634 pfkey_msg_t response;
1635 size_t len;
1636
1637 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1638 {
1639 /* FWD policies are not supported on all platforms */
1640 return SUCCESS;
1641 }
1642
1643 /* create a policy */
1644 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1645
1646 /* find a matching policy */
1647 this->mutex->lock(this->mutex);
1648 if (this->policies->find_first(this->policies,
1649 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1650 {
1651 /* use existing policy */
1652 found->refcount++;
1653 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1654 "refcount", src_ts, dst_ts,
1655 policy_dir_names, direction);
1656 policy_entry_destroy(policy);
1657 policy = found;
1658 }
1659 else
1660 {
1661 /* apply the new one, if we have no such policy */
1662 this->policies->insert_last(this->policies, policy);
1663 policy->refcount = 1;
1664 }
1665
1666 memset(&request, 0, sizeof(request));
1667
1668 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1669 policy_dir_names, direction);
1670
1671 msg = (struct sadb_msg*)request;
1672 msg->sadb_msg_version = PF_KEY_V2;
1673 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1674 msg->sadb_msg_satype = 0;
1675 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1676
1677 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1678 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1679 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1680 pol->sadb_x_policy_id = 0;
1681 pol->sadb_x_policy_dir = dir2kernel(direction);
1682 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1683 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1684 /* calculate priority based on source selector size, small size = high prio */
1685 pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
1686 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1687 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1688 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1689 #endif
1690
1691 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1692 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1693 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1694 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1695 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1696 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1697 req->sadb_x_ipsecrequest_reqid = reqid;
1698 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1699 if (mode == MODE_TUNNEL)
1700 {
1701 sockaddr_t *sa;
1702 socklen_t sl;
1703 sa = src->get_sockaddr(src);
1704 sl = *src->get_sockaddr_len(src);
1705 memcpy(req + 1, sa, sl);
1706 sa = dst->get_sockaddr(dst);
1707 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1708 req->sadb_x_ipsecrequest_len += sl * 2;
1709 }
1710
1711 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1712 PFKEY_EXT_ADD(msg, pol);
1713
1714 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1715 policy->src.mask);
1716 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1717 policy->dst.mask);
1718
1719 #ifdef __FreeBSD__
1720 { /* on FreeBSD a lifetime has to be defined to be able to later query
1721 * the current use time. */
1722 struct sadb_lifetime *lft;
1723 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1724 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1725 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1726 lft->sadb_lifetime_addtime = LONG_MAX;
1727 PFKEY_EXT_ADD(msg, lft);
1728 }
1729 #endif
1730
1731 this->mutex->unlock(this->mutex);
1732
1733 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1734 {
1735 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1736 policy_dir_names, direction);
1737 return FAILED;
1738 }
1739 else if (out->sadb_msg_errno)
1740 {
1741 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1742 policy_dir_names, direction,
1743 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1744 free(out);
1745 return FAILED;
1746 }
1747 else if (parse_pfkey_message(out, &response) != SUCCESS)
1748 {
1749 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1750 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1751 free(out);
1752 return FAILED;
1753 }
1754
1755 this->mutex->lock(this->mutex);
1756
1757 /* we try to find the policy again and update the kernel index */
1758 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1759 {
1760 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1761 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1762 this->mutex->unlock(this->mutex);
1763 free(out);
1764 return SUCCESS;
1765 }
1766 policy->index = response.x_policy->sadb_x_policy_id;
1767 free(out);
1768
1769 /* install a route, if:
1770 * - we are NOT updating a policy
1771 * - this is a forward policy (to just get one for each child)
1772 * - we are in tunnel mode
1773 * - we are not using IPv6 (does not work correctly yet!)
1774 * - routing is not disabled via strongswan.conf
1775 */
1776 if (policy->route == NULL && direction == POLICY_FWD &&
1777 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1778 this->install_routes)
1779 {
1780 route_entry_t *route = malloc_thing(route_entry_t);
1781
1782 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1783 dst_ts, &route->src_ip) == SUCCESS)
1784 {
1785 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1786 route->gateway = charon->kernel_interface->get_nexthop(
1787 charon->kernel_interface, src);
1788 route->if_name = charon->kernel_interface->get_interface(
1789 charon->kernel_interface, dst);
1790 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1791 route->prefixlen = policy->src.mask;
1792
1793 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1794 route->dst_net, route->prefixlen, route->gateway,
1795 route->src_ip, route->if_name))
1796 {
1797 default:
1798 DBG1(DBG_KNL, "unable to install source route for %H",
1799 route->src_ip);
1800 /* FALL */
1801 case ALREADY_DONE:
1802 /* route exists, do not uninstall */
1803 route_entry_destroy(route);
1804 break;
1805 case SUCCESS:
1806 /* cache the installed route */
1807 policy->route = route;
1808 break;
1809 }
1810 }
1811 else
1812 {
1813 free(route);
1814 }
1815 }
1816
1817 this->mutex->unlock(this->mutex);
1818
1819 return SUCCESS;
1820 }
1821
1822 /**
1823 * Implementation of kernel_interface_t.query_policy.
1824 */
1825 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1826 traffic_selector_t *src_ts,
1827 traffic_selector_t *dst_ts,
1828 policy_dir_t direction, u_int32_t *use_time)
1829 {
1830 unsigned char request[PFKEY_BUFFER_SIZE];
1831 struct sadb_msg *msg, *out;
1832 struct sadb_x_policy *pol;
1833 policy_entry_t *policy, *found = NULL;
1834 pfkey_msg_t response;
1835 size_t len;
1836
1837 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1838 {
1839 /* FWD policies are not supported on all platforms */
1840 return NOT_FOUND;
1841 }
1842
1843 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1844 policy_dir_names, direction);
1845
1846 /* create a policy */
1847 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1848
1849 /* find a matching policy */
1850 this->mutex->lock(this->mutex);
1851 if (this->policies->find_first(this->policies,
1852 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1853 {
1854 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1855 dst_ts, policy_dir_names, direction);
1856 policy_entry_destroy(policy);
1857 this->mutex->unlock(this->mutex);
1858 return NOT_FOUND;
1859 }
1860 policy_entry_destroy(policy);
1861 policy = found;
1862
1863 memset(&request, 0, sizeof(request));
1864
1865 msg = (struct sadb_msg*)request;
1866 msg->sadb_msg_version = PF_KEY_V2;
1867 msg->sadb_msg_type = SADB_X_SPDGET;
1868 msg->sadb_msg_satype = 0;
1869 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1870
1871 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1872 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1873 pol->sadb_x_policy_id = policy->index;
1874 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1875 pol->sadb_x_policy_dir = dir2kernel(direction);
1876 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1877 PFKEY_EXT_ADD(msg, pol);
1878
1879 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1880 policy->src.mask);
1881 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1882 policy->dst.mask);
1883
1884 this->mutex->unlock(this->mutex);
1885
1886 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1887 {
1888 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1889 policy_dir_names, direction);
1890 return FAILED;
1891 }
1892 else if (out->sadb_msg_errno)
1893 {
1894 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1895 dst_ts, policy_dir_names, direction,
1896 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1897 free(out);
1898 return FAILED;
1899 }
1900 else if (parse_pfkey_message(out, &response) != SUCCESS)
1901 {
1902 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1903 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1904 free(out);
1905 return FAILED;
1906 }
1907 else if (response.lft_current == NULL)
1908 {
1909 DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
1910 "use time", src_ts, dst_ts, policy_dir_names, direction);
1911 free(out);
1912 return FAILED;
1913 }
1914 /* we need the monotonic time, but the kernel returns system time. */
1915 if (response.lft_current->sadb_lifetime_usetime)
1916 {
1917 *use_time = time_monotonic(NULL) -
1918 (time(NULL) - response.lft_current->sadb_lifetime_usetime);
1919 }
1920 else
1921 {
1922 *use_time = 0;
1923 }
1924 free(out);
1925
1926 return SUCCESS;
1927 }
1928
1929 /**
1930 * Implementation of kernel_interface_t.del_policy.
1931 */
1932 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1933 traffic_selector_t *src_ts,
1934 traffic_selector_t *dst_ts,
1935 policy_dir_t direction, bool unrouted)
1936 {
1937 unsigned char request[PFKEY_BUFFER_SIZE];
1938 struct sadb_msg *msg, *out;
1939 struct sadb_x_policy *pol;
1940 policy_entry_t *policy, *found = NULL;
1941 route_entry_t *route;
1942 size_t len;
1943
1944 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1945 {
1946 /* FWD policies are not supported on all platforms */
1947 return SUCCESS;
1948 }
1949
1950 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1951 policy_dir_names, direction);
1952
1953 /* create a policy */
1954 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1955
1956 /* find a matching policy */
1957 this->mutex->lock(this->mutex);
1958 if (this->policies->find_first(this->policies,
1959 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1960 {
1961 if (--found->refcount > 0)
1962 {
1963 /* is used by more SAs, keep in kernel */
1964 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1965 policy_entry_destroy(policy);
1966 this->mutex->unlock(this->mutex);
1967 return SUCCESS;
1968 }
1969 /* remove if last reference */
1970 this->policies->remove(this->policies, found, NULL);
1971 policy_entry_destroy(policy);
1972 policy = found;
1973 }
1974 else
1975 {
1976 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1977 dst_ts, policy_dir_names, direction);
1978 policy_entry_destroy(policy);
1979 this->mutex->unlock(this->mutex);
1980 return NOT_FOUND;
1981 }
1982 this->mutex->unlock(this->mutex);
1983
1984 memset(&request, 0, sizeof(request));
1985
1986 msg = (struct sadb_msg*)request;
1987 msg->sadb_msg_version = PF_KEY_V2;
1988 msg->sadb_msg_type = SADB_X_SPDDELETE;
1989 msg->sadb_msg_satype = 0;
1990 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1991
1992 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1993 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1994 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1995 pol->sadb_x_policy_dir = dir2kernel(direction);
1996 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1997 PFKEY_EXT_ADD(msg, pol);
1998
1999 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2000 policy->src.mask);
2001 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2002 policy->dst.mask);
2003
2004 route = policy->route;
2005 policy->route = NULL;
2006 policy_entry_destroy(policy);
2007
2008 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2009 {
2010 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2011 policy_dir_names, direction);
2012 return FAILED;
2013 }
2014 else if (out->sadb_msg_errno)
2015 {
2016 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
2017 dst_ts, policy_dir_names, direction,
2018 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2019 free(out);
2020 return FAILED;
2021 }
2022 free(out);
2023
2024 if (route)
2025 {
2026 if (charon->kernel_interface->del_route(charon->kernel_interface,
2027 route->dst_net, route->prefixlen, route->gateway,
2028 route->src_ip, route->if_name) != SUCCESS)
2029 {
2030 DBG1(DBG_KNL, "error uninstalling route installed with "
2031 "policy %R === %R %N", src_ts, dst_ts,
2032 policy_dir_names, direction);
2033 }
2034 route_entry_destroy(route);
2035 }
2036
2037 return SUCCESS;
2038 }
2039
2040 /**
2041 * Register a socket for AQUIRE/EXPIRE messages
2042 */
2043 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
2044 {
2045 unsigned char request[PFKEY_BUFFER_SIZE];
2046 struct sadb_msg *msg, *out;
2047 size_t len;
2048
2049 memset(&request, 0, sizeof(request));
2050
2051 msg = (struct sadb_msg*)request;
2052 msg->sadb_msg_version = PF_KEY_V2;
2053 msg->sadb_msg_type = SADB_REGISTER;
2054 msg->sadb_msg_satype = satype;
2055 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2056
2057 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2058 {
2059 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2060 return FAILED;
2061 }
2062 else if (out->sadb_msg_errno)
2063 {
2064 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2065 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2066 free(out);
2067 return FAILED;
2068 }
2069 free(out);
2070 return SUCCESS;
2071 }
2072
2073 /**
2074 * Implementation of kernel_interface_t.destroy.
2075 */
2076 static void destroy(private_kernel_pfkey_ipsec_t *this)
2077 {
2078 this->job->cancel(this->job);
2079 close(this->socket);
2080 close(this->socket_events);
2081 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
2082 this->mutex->destroy(this->mutex);
2083 this->mutex_pfkey->destroy(this->mutex_pfkey);
2084 free(this);
2085 }
2086
2087 /**
2088 * Add bypass policies for IKE on the sockets of charon
2089 */
2090 static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
2091 {
2092 int fd, family, port;
2093 enumerator_t *sockets;
2094 bool status = TRUE;
2095
2096 sockets = charon->socket->create_enumerator(charon->socket);
2097 while (sockets->enumerate(sockets, &fd, &family, &port))
2098 {
2099 struct sadb_x_policy policy;
2100 u_int sol, ipsec_policy;
2101
2102 switch (family)
2103 {
2104 case AF_INET:
2105 {
2106 sol = SOL_IP;
2107 ipsec_policy = IP_IPSEC_POLICY;
2108 break;
2109 }
2110 case AF_INET6:
2111 {
2112 sol = SOL_IPV6;
2113 ipsec_policy = IPV6_IPSEC_POLICY;
2114 break;
2115 }
2116 default:
2117 continue;
2118 }
2119
2120 memset(&policy, 0, sizeof(policy));
2121 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
2122 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2123 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
2124
2125 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
2126 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2127 {
2128 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2129 strerror(errno));
2130 status = FALSE;
2131 break;
2132 }
2133 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
2134 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2135 {
2136 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2137 strerror(errno));
2138 status = FALSE;
2139 break;
2140 }
2141 }
2142 sockets->destroy(sockets);
2143 return status;
2144 }
2145
2146 /*
2147 * Described in header.
2148 */
2149 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
2150 {
2151 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
2152
2153 /* public functions */
2154 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2155 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
2156 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
2157 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
2158 this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
2159 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
2160 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
2161 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2162 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
2163
2164 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
2165
2166 /* private members */
2167 this->policies = linked_list_create();
2168 this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
2169 this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT);
2170 this->install_routes = lib->settings->get_bool(lib->settings,
2171 "charon.install_routes", TRUE);
2172 this->seq = 0;
2173
2174 /* create a PF_KEY socket to communicate with the kernel */
2175 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2176 if (this->socket <= 0)
2177 {
2178 charon->kill(charon, "unable to create PF_KEY socket");
2179 }
2180
2181 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2182 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2183 if (this->socket_events <= 0)
2184 {
2185 charon->kill(charon, "unable to create PF_KEY event socket");
2186 }
2187
2188 /* add bypass policies on the sockets used by charon */
2189 if (!add_bypass_policies(this))
2190 {
2191 charon->kill(charon, "unable to add bypass policies on sockets");
2192 }
2193
2194 /* register the event socket */
2195 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2196 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2197 {
2198 charon->kill(charon, "unable to register PF_KEY event socket");
2199 }
2200
2201 this->job = callback_job_create((callback_job_cb_t)receive_events,
2202 this, NULL, NULL);
2203 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2204
2205 return &this->public;
2206 }