Fixed BEET mode by installing SAs with negotiated address in traffic selector
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2009 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef __FreeBSD__
21 #include <limits.h> /* for LONG_MAX */
22 #endif
23
24 #ifdef HAVE_NET_PFKEYV2_H
25 #include <net/pfkeyv2.h>
26 #else
27 #include <stdint.h>
28 #include <linux/pfkeyv2.h>
29 #endif
30
31 #ifdef SADB_X_EXT_NAT_T_TYPE
32 #define HAVE_NATT
33 #endif
34
35 #ifdef HAVE_NETIPSEC_IPSEC_H
36 #include <netipsec/ipsec.h>
37 #elif defined(HAVE_NETINET6_IPSEC_H)
38 #include <netinet6/ipsec.h>
39 #else
40 #include <linux/ipsec.h>
41 #endif
42
43 #ifdef HAVE_NATT
44 #ifdef HAVE_LINUX_UDP_H
45 #include <linux/udp.h>
46 #else
47 #include <netinet/udp.h>
48 #endif /*HAVE_LINUX_UDP_H*/
49 #endif /*HAVE_NATT*/
50
51 #include <unistd.h>
52 #include <pthread.h>
53 #include <errno.h>
54
55 #include "kernel_pfkey_ipsec.h"
56
57 #include <daemon.h>
58 #include <utils/host.h>
59 #include <utils/mutex.h>
60 #include <processing/jobs/callback_job.h>
61 #include <processing/jobs/acquire_job.h>
62 #include <processing/jobs/migrate_job.h>
63 #include <processing/jobs/rekey_child_sa_job.h>
64 #include <processing/jobs/delete_child_sa_job.h>
65 #include <processing/jobs/update_sa_job.h>
66
67 /** non linux specific */
68 #ifndef IPPROTO_COMP
69 #define IPPROTO_COMP IPPROTO_IPCOMP
70 #endif
71
72 #ifndef SADB_X_AALG_SHA2_256HMAC
73 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
74 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
75 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
76 #endif
77
78 #ifndef SADB_X_EALG_AESCBC
79 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
80 #endif
81
82 #ifndef SADB_X_EALG_CASTCBC
83 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
84 #endif
85
86 #ifndef SOL_IP
87 #define SOL_IP IPPROTO_IP
88 #define SOL_IPV6 IPPROTO_IPV6
89 #endif
90
91 /** from linux/in.h */
92 #ifndef IP_IPSEC_POLICY
93 #define IP_IPSEC_POLICY 16
94 #endif
95
96 /** missing on uclibc */
97 #ifndef IPV6_IPSEC_POLICY
98 #define IPV6_IPSEC_POLICY 34
99 #endif
100
101 /** default priority of installed policies */
102 #define PRIO_LOW 3000
103 #define PRIO_HIGH 2000
104
105 #ifdef __APPLE__
106 /** from xnu/bsd/net/pfkeyv2.h */
107 #define SADB_X_EXT_NATT 0x002
108 struct sadb_sa_2 {
109 struct sadb_sa sa;
110 u_int16_t sadb_sa_natt_port;
111 u_int16_t sadb_reserved0;
112 u_int32_t sadb_reserved1;
113 };
114 #endif
115
116 /** buffer size for PF_KEY messages */
117 #define PFKEY_BUFFER_SIZE 4096
118
119 /** PF_KEY messages are 64 bit aligned */
120 #define PFKEY_ALIGNMENT 8
121 /** aligns len to 64 bits */
122 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
123 /** calculates the properly padded length in 64 bit chunks */
124 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
125 /** calculates user mode length i.e. in bytes */
126 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
127
128 /** given a PF_KEY message header and an extension this updates the length in the header */
129 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
130 /** given a PF_KEY message header this returns a pointer to the next extension */
131 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
132 /** copy an extension and append it to a PF_KEY message */
133 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
134 /** given a PF_KEY extension this returns a pointer to the next extension */
135 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
136 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
137 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
138 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
139 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
140 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
141 (ext)->sadb_ext_len <= (len))
142
143 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
144
145 /**
146 * Private variables and functions of kernel_pfkey class.
147 */
148 struct private_kernel_pfkey_ipsec_t
149 {
150 /**
151 * Public part of the kernel_pfkey_t object.
152 */
153 kernel_pfkey_ipsec_t public;
154
155 /**
156 * mutex to lock access to various lists
157 */
158 mutex_t *mutex;
159
160 /**
161 * List of installed policies (policy_entry_t)
162 */
163 linked_list_t *policies;
164
165 /**
166 * whether to install routes along policies
167 */
168 bool install_routes;
169
170 /**
171 * job receiving PF_KEY events
172 */
173 callback_job_t *job;
174
175 /**
176 * mutex to lock access to the PF_KEY socket
177 */
178 mutex_t *mutex_pfkey;
179
180 /**
181 * PF_KEY socket to communicate with the kernel
182 */
183 int socket;
184
185 /**
186 * PF_KEY socket to receive acquire and expire events
187 */
188 int socket_events;
189
190 /**
191 * sequence number for messages sent to the kernel
192 */
193 int seq;
194 };
195
196 typedef struct route_entry_t route_entry_t;
197
198 /**
199 * installed routing entry
200 */
201 struct route_entry_t {
202 /** Name of the interface the route is bound to */
203 char *if_name;
204
205 /** Source ip of the route */
206 host_t *src_ip;
207
208 /** gateway for this route */
209 host_t *gateway;
210
211 /** Destination net */
212 chunk_t dst_net;
213
214 /** Destination net prefixlen */
215 u_int8_t prefixlen;
216 };
217
218 /**
219 * destroy an route_entry_t object
220 */
221 static void route_entry_destroy(route_entry_t *this)
222 {
223 free(this->if_name);
224 DESTROY_IF(this->src_ip);
225 DESTROY_IF(this->gateway);
226 chunk_free(&this->dst_net);
227 free(this);
228 }
229
230 typedef struct policy_entry_t policy_entry_t;
231
232 /**
233 * installed kernel policy.
234 */
235 struct policy_entry_t {
236
237 /** reqid of this policy */
238 u_int32_t reqid;
239
240 /** index assigned by the kernel */
241 u_int32_t index;
242
243 /** direction of this policy: in, out, forward */
244 u_int8_t direction;
245
246 /** parameters of installed policy */
247 struct {
248 /** subnet and port */
249 host_t *net;
250 /** subnet mask */
251 u_int8_t mask;
252 /** protocol */
253 u_int8_t proto;
254 } src, dst;
255
256 /** associated route installed for this policy */
257 route_entry_t *route;
258
259 /** by how many CHILD_SA's this policy is used */
260 u_int refcount;
261 };
262
263 /**
264 * create a policy_entry_t object
265 */
266 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
267 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
268 {
269 policy_entry_t *policy = malloc_thing(policy_entry_t);
270 policy->reqid = reqid;
271 policy->index = 0;
272 policy->direction = dir;
273 policy->route = NULL;
274 policy->refcount = 0;
275
276 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
277 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
278
279 /* src or dest proto may be "any" (0), use more restrictive one */
280 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
281 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
282 policy->dst.proto = policy->src.proto;
283
284 return policy;
285 }
286
287 /**
288 * destroy a policy_entry_t object
289 */
290 static void policy_entry_destroy(policy_entry_t *this)
291 {
292 DESTROY_IF(this->src.net);
293 DESTROY_IF(this->dst.net);
294 if (this->route)
295 {
296 route_entry_destroy(this->route);
297 }
298 free(this);
299 }
300
301 /**
302 * compares two policy_entry_t
303 */
304 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
305 {
306 return current->direction == policy->direction &&
307 current->src.proto == policy->src.proto &&
308 current->dst.proto == policy->dst.proto &&
309 current->src.mask == policy->src.mask &&
310 current->dst.mask == policy->dst.mask &&
311 current->src.net->equals(current->src.net, policy->src.net) &&
312 current->dst.net->equals(current->dst.net, policy->dst.net);
313 }
314
315 /**
316 * compare the given kernel index with that of a policy
317 */
318 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
319 {
320 return current->index == *index;
321 }
322
323 typedef struct pfkey_msg_t pfkey_msg_t;
324
325 struct pfkey_msg_t
326 {
327 /**
328 * PF_KEY message base
329 */
330 struct sadb_msg *msg;
331
332 /**
333 * PF_KEY message extensions
334 */
335 union {
336 struct sadb_ext *ext[SADB_EXT_MAX + 1];
337 struct {
338 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
339 struct sadb_sa *sa; /* SADB_EXT_SA */
340 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
341 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
342 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
343 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
344 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
345 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
346 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
347 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
348 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
349 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
350 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
351 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
352 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
353 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
354 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
355 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
356 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
357 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
358 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
359 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
360 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
361 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
362 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
363 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
364 } __attribute__((__packed__));
365 };
366 };
367
368 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
369 "SADB_EXT_RESERVED",
370 "SADB_EXT_SA",
371 "SADB_EXT_LIFETIME_CURRENT",
372 "SADB_EXT_LIFETIME_HARD",
373 "SADB_EXT_LIFETIME_SOFT",
374 "SADB_EXT_ADDRESS_SRC",
375 "SADB_EXT_ADDRESS_DST",
376 "SADB_EXT_ADDRESS_PROXY",
377 "SADB_EXT_KEY_AUTH",
378 "SADB_EXT_KEY_ENCRYPT",
379 "SADB_EXT_IDENTITY_SRC",
380 "SADB_EXT_IDENTITY_DST",
381 "SADB_EXT_SENSITIVITY",
382 "SADB_EXT_PROPOSAL",
383 "SADB_EXT_SUPPORTED_AUTH",
384 "SADB_EXT_SUPPORTED_ENCRYPT",
385 "SADB_EXT_SPIRANGE",
386 "SADB_X_EXT_KMPRIVATE",
387 "SADB_X_EXT_POLICY",
388 "SADB_X_EXT_SA2",
389 "SADB_X_EXT_NAT_T_TYPE",
390 "SADB_X_EXT_NAT_T_SPORT",
391 "SADB_X_EXT_NAT_T_DPORT",
392 "SADB_X_EXT_NAT_T_OA",
393 "SADB_X_EXT_SEC_CTX",
394 "SADB_X_EXT_KMADDRESS"
395 );
396
397 /**
398 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
399 */
400 static u_int8_t proto_ike2satype(protocol_id_t proto)
401 {
402 switch (proto)
403 {
404 case PROTO_ESP:
405 return SADB_SATYPE_ESP;
406 case PROTO_AH:
407 return SADB_SATYPE_AH;
408 case IPPROTO_COMP:
409 return SADB_X_SATYPE_IPCOMP;
410 default:
411 return proto;
412 }
413 }
414
415 /**
416 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
417 */
418 static protocol_id_t proto_satype2ike(u_int8_t proto)
419 {
420 switch (proto)
421 {
422 case SADB_SATYPE_ESP:
423 return PROTO_ESP;
424 case SADB_SATYPE_AH:
425 return PROTO_AH;
426 case SADB_X_SATYPE_IPCOMP:
427 return IPPROTO_COMP;
428 default:
429 return proto;
430 }
431 }
432
433 /**
434 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
435 */
436 static u_int8_t proto_ike2ip(protocol_id_t proto)
437 {
438 switch (proto)
439 {
440 case PROTO_ESP:
441 return IPPROTO_ESP;
442 case PROTO_AH:
443 return IPPROTO_AH;
444 default:
445 return proto;
446 }
447 }
448
449 /**
450 * convert the general ipsec mode to the one defined in ipsec.h
451 */
452 static u_int8_t mode2kernel(ipsec_mode_t mode)
453 {
454 switch (mode)
455 {
456 case MODE_TRANSPORT:
457 return IPSEC_MODE_TRANSPORT;
458 case MODE_TUNNEL:
459 return IPSEC_MODE_TUNNEL;
460 #ifdef HAVE_IPSEC_MODE_BEET
461 case MODE_BEET:
462 return IPSEC_MODE_BEET;
463 #endif
464 default:
465 return mode;
466 }
467 }
468
469 /**
470 * convert the general policy direction to the one defined in ipsec.h
471 */
472 static u_int8_t dir2kernel(policy_dir_t dir)
473 {
474 switch (dir)
475 {
476 case POLICY_IN:
477 return IPSEC_DIR_INBOUND;
478 case POLICY_OUT:
479 return IPSEC_DIR_OUTBOUND;
480 #ifdef HAVE_IPSEC_DIR_FWD
481 case POLICY_FWD:
482 return IPSEC_DIR_FWD;
483 #endif
484 default:
485 return IPSEC_DIR_INVALID;
486 }
487 }
488
489 #ifdef SADB_X_MIGRATE
490 /**
491 * convert the policy direction in ipsec.h to the general one.
492 */
493 static policy_dir_t kernel2dir(u_int8_t dir)
494 {
495 switch (dir)
496 {
497 case IPSEC_DIR_INBOUND:
498 return POLICY_IN;
499 case IPSEC_DIR_OUTBOUND:
500 return POLICY_OUT;
501 #ifdef HAVE_IPSEC_DIR_FWD
502 case IPSEC_DIR_FWD:
503 return POLICY_FWD;
504 #endif
505 default:
506 return dir;
507 }
508 }
509 #endif /*SADB_X_MIGRATE*/
510
511 typedef struct kernel_algorithm_t kernel_algorithm_t;
512
513 /**
514 * Mapping of IKEv2 algorithms to PF_KEY algorithms
515 */
516 struct kernel_algorithm_t {
517 /**
518 * Identifier specified in IKEv2
519 */
520 int ikev2;
521
522 /**
523 * Identifier as defined in pfkeyv2.h
524 */
525 int kernel;
526 };
527
528 #define END_OF_LIST -1
529
530 /**
531 * Algorithms for encryption
532 */
533 static kernel_algorithm_t encryption_algs[] = {
534 /* {ENCR_DES_IV64, 0 }, */
535 {ENCR_DES, SADB_EALG_DESCBC },
536 {ENCR_3DES, SADB_EALG_3DESCBC },
537 /* {ENCR_RC5, 0 }, */
538 /* {ENCR_IDEA, 0 }, */
539 {ENCR_CAST, SADB_X_EALG_CASTCBC },
540 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
541 /* {ENCR_3IDEA, 0 }, */
542 /* {ENCR_DES_IV32, 0 }, */
543 {ENCR_NULL, SADB_EALG_NULL },
544 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
545 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
546 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
547 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
548 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
549 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
550 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
551 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
552 {END_OF_LIST, 0 },
553 };
554
555 /**
556 * Algorithms for integrity protection
557 */
558 static kernel_algorithm_t integrity_algs[] = {
559 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
560 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
561 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
562 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
563 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
564 /* {AUTH_DES_MAC, 0, }, */
565 /* {AUTH_KPDK_MD5, 0, }, */
566 #ifdef SADB_X_AALG_AES_XCBC_MAC
567 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
568 #endif
569 {END_OF_LIST, 0, },
570 };
571
572 #if 0
573 /**
574 * Algorithms for IPComp, unused yet
575 */
576 static kernel_algorithm_t compression_algs[] = {
577 /* {IPCOMP_OUI, 0 }, */
578 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
579 {IPCOMP_LZS, SADB_X_CALG_LZS },
580 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
581 {END_OF_LIST, 0 },
582 };
583 #endif
584
585 /**
586 * Look up a kernel algorithm ID and its key size
587 */
588 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
589 {
590 while (list->ikev2 != END_OF_LIST)
591 {
592 if (ikev2 == list->ikev2)
593 {
594 return list->kernel;
595 }
596 list++;
597 }
598 return 0;
599 }
600
601 /**
602 * add a host behind a sadb_address extension
603 */
604 static void host2ext(host_t *host, struct sadb_address *ext)
605 {
606 sockaddr_t *host_addr = host->get_sockaddr(host);
607 socklen_t *len = host->get_sockaddr_len(host);
608 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
609 host_addr->sa_len = *len;
610 #endif
611 memcpy((char*)(ext + 1), host_addr, *len);
612 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
613 }
614
615 /**
616 * add a host to the given sadb_msg
617 */
618 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
619 u_int8_t proto, u_int8_t prefixlen)
620 {
621 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
622 addr->sadb_address_exttype = type;
623 addr->sadb_address_proto = proto;
624 addr->sadb_address_prefixlen = prefixlen;
625 host2ext(host, addr);
626 PFKEY_EXT_ADD(msg, addr);
627 }
628
629 /**
630 * adds an empty address extension to the given sadb_msg
631 */
632 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
633 {
634 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
635 sizeof(struct sockaddr_in6);
636 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
637 addr->sadb_address_exttype = type;
638 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
639 saddr->sa_family = family;
640 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
641 saddr->sa_len = len;
642 #endif
643 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
644 PFKEY_EXT_ADD(msg, addr);
645 }
646
647 #ifdef HAVE_NATT
648 /**
649 * add udp encap extensions to a sadb_msg
650 */
651 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
652 {
653 struct sadb_x_nat_t_type* nat_type;
654 struct sadb_x_nat_t_port* nat_port;
655
656 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
657 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
658 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
659 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
660 PFKEY_EXT_ADD(msg, nat_type);
661
662 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
663 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
664 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
665 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
666 PFKEY_EXT_ADD(msg, nat_port);
667
668 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
669 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
670 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
671 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
672 PFKEY_EXT_ADD(msg, nat_port);
673 }
674 #endif /*HAVE_NATT*/
675
676 /**
677 * Convert a sadb_address to a traffic_selector
678 */
679 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
680 {
681 traffic_selector_t *ts;
682 host_t *host;
683
684 /* The Linux 2.6 kernel does not set the protocol and port information
685 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
686 */
687 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
688 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
689 address->sadb_address_proto, host->get_port(host));
690 return ts;
691 }
692
693 /**
694 * Parses a pfkey message received from the kernel
695 */
696 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
697 {
698 struct sadb_ext* ext;
699 size_t len;
700
701 memset(out, 0, sizeof(pfkey_msg_t));
702 out->msg = msg;
703
704 len = msg->sadb_msg_len;
705 len -= PFKEY_LEN(sizeof(struct sadb_msg));
706
707 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
708
709 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
710 {
711 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
712 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
713 ext->sadb_ext_len > len)
714 {
715 DBG1(DBG_KNL, "length of %N extension is invalid",
716 sadb_ext_type_names, ext->sadb_ext_type);
717 break;
718 }
719
720 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
721 {
722 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
723 break;
724 }
725
726 if (out->ext[ext->sadb_ext_type])
727 {
728 DBG1(DBG_KNL, "duplicate %N extension",
729 sadb_ext_type_names, ext->sadb_ext_type);
730 break;
731 }
732
733 out->ext[ext->sadb_ext_type] = ext;
734 ext = PFKEY_EXT_NEXT_LEN(ext, len);
735 }
736
737 if (len)
738 {
739 DBG1(DBG_KNL, "PF_KEY message length is invalid");
740 return FAILED;
741 }
742
743 return SUCCESS;
744 }
745
746 /**
747 * Send a message to a specific PF_KEY socket and handle the response.
748 */
749 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
750 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
751 {
752 unsigned char buf[PFKEY_BUFFER_SIZE];
753 struct sadb_msg *msg;
754 int in_len, len;
755
756 this->mutex_pfkey->lock(this->mutex_pfkey);
757
758 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
759 * in particular the behavior in response to an SADB_ACQUIRE. */
760 in->sadb_msg_seq = ++this->seq;
761 in->sadb_msg_pid = getpid();
762
763 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
764
765 while (TRUE)
766 {
767 len = send(socket, in, in_len, 0);
768
769 if (len != in_len)
770 {
771 if (errno == EINTR)
772 {
773 /* interrupted, try again */
774 continue;
775 }
776 this->mutex_pfkey->unlock(this->mutex_pfkey);
777 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
778 return FAILED;
779 }
780 break;
781 }
782
783 while (TRUE)
784 {
785 msg = (struct sadb_msg*)buf;
786
787 len = recv(socket, buf, sizeof(buf), 0);
788
789 if (len < 0)
790 {
791 if (errno == EINTR)
792 {
793 DBG1(DBG_KNL, "got interrupted");
794 /* interrupted, try again */
795 continue;
796 }
797 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
798 this->mutex_pfkey->unlock(this->mutex_pfkey);
799 return FAILED;
800 }
801 if (len < sizeof(struct sadb_msg) ||
802 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
803 {
804 DBG1(DBG_KNL, "received corrupted PF_KEY message");
805 this->mutex_pfkey->unlock(this->mutex_pfkey);
806 return FAILED;
807 }
808 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
809 {
810 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
811 this->mutex_pfkey->unlock(this->mutex_pfkey);
812 return FAILED;
813 }
814 if (msg->sadb_msg_pid != in->sadb_msg_pid)
815 {
816 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
817 continue;
818 }
819 if (msg->sadb_msg_seq != this->seq)
820 {
821 DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
822 "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
823 if (msg->sadb_msg_seq == 0)
824 {
825 /* FreeBSD and Mac OS X do this for the response to
826 * SADB_X_SPDGET (but not for the response to SADB_GET).
827 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
828 }
829 else if (msg->sadb_msg_seq < this->seq)
830 {
831 continue;
832 }
833 else
834 {
835 this->mutex_pfkey->unlock(this->mutex_pfkey);
836 return FAILED;
837 }
838 }
839 if (msg->sadb_msg_type != in->sadb_msg_type)
840 {
841 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
842 "was %d expected %d, ignoring",
843 msg->sadb_msg_type, in->sadb_msg_type);
844 }
845 break;
846 }
847
848 *out_len = len;
849 *out = (struct sadb_msg*)malloc(len);
850 memcpy(*out, buf, len);
851
852 this->mutex_pfkey->unlock(this->mutex_pfkey);
853
854 return SUCCESS;
855 }
856
857 /**
858 * Send a message to the default PF_KEY socket and handle the response.
859 */
860 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
861 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
862 {
863 return pfkey_send_socket(this, this->socket, in, out, out_len);
864 }
865
866 /**
867 * Process a SADB_ACQUIRE message from the kernel
868 */
869 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
870 {
871 pfkey_msg_t response;
872 u_int32_t index, reqid = 0;
873 traffic_selector_t *src_ts, *dst_ts;
874 policy_entry_t *policy;
875 job_t *job;
876
877 switch (msg->sadb_msg_satype)
878 {
879 case SADB_SATYPE_UNSPEC:
880 case SADB_SATYPE_ESP:
881 case SADB_SATYPE_AH:
882 break;
883 default:
884 /* acquire for AH/ESP only */
885 return;
886 }
887 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
888
889 if (parse_pfkey_message(msg, &response) != SUCCESS)
890 {
891 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
892 return;
893 }
894
895 index = response.x_policy->sadb_x_policy_id;
896 this->mutex->lock(this->mutex);
897 if (this->policies->find_first(this->policies,
898 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
899 {
900 reqid = policy->reqid;
901 }
902 else
903 {
904 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
905 index);
906 }
907 src_ts = sadb_address2ts(response.src);
908 dst_ts = sadb_address2ts(response.dst);
909 this->mutex->unlock(this->mutex);
910
911 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
912 src_ts, dst_ts, reqid);
913 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
914 charon->processor->queue_job(charon->processor, job);
915 }
916
917 /**
918 * Process a SADB_EXPIRE message from the kernel
919 */
920 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
921 {
922 pfkey_msg_t response;
923 protocol_id_t protocol;
924 u_int32_t spi, reqid;
925 bool hard;
926 job_t *job;
927
928 DBG2(DBG_KNL, "received an SADB_EXPIRE");
929
930 if (parse_pfkey_message(msg, &response) != SUCCESS)
931 {
932 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
933 return;
934 }
935
936 protocol = proto_satype2ike(msg->sadb_msg_satype);
937 spi = response.sa->sadb_sa_spi;
938 reqid = response.x_sa2->sadb_x_sa2_reqid;
939 hard = response.lft_hard != NULL;
940
941 if (protocol != PROTO_ESP && protocol != PROTO_AH)
942 {
943 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
944 "which is not a CHILD_SA", ntohl(spi), reqid);
945 return;
946 }
947
948 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
949 hard ? "delete" : "rekey", protocol_id_names,
950 protocol, ntohl(spi), reqid);
951 if (hard)
952 {
953 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
954 }
955 else
956 {
957 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
958 }
959 charon->processor->queue_job(charon->processor, job);
960 }
961
962 #ifdef SADB_X_MIGRATE
963 /**
964 * Process a SADB_X_MIGRATE message from the kernel
965 */
966 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
967 {
968 pfkey_msg_t response;
969 traffic_selector_t *src_ts, *dst_ts;
970 policy_dir_t dir;
971 u_int32_t reqid = 0;
972 host_t *local = NULL, *remote = NULL;
973 job_t *job;
974
975 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
976
977 if (parse_pfkey_message(msg, &response) != SUCCESS)
978 {
979 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
980 return;
981 }
982 src_ts = sadb_address2ts(response.src);
983 dst_ts = sadb_address2ts(response.dst);
984 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
985 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
986 policy_dir_names, dir);
987
988 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
989 if (response.x_kmaddress)
990 {
991 sockaddr_t *local_addr, *remote_addr;
992 u_int32_t local_len;
993
994 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
995 local = host_create_from_sockaddr(local_addr);
996 local_len = (local_addr->sa_family == AF_INET6)?
997 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
998 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
999 remote = host_create_from_sockaddr(remote_addr);
1000 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1001 }
1002
1003 if (src_ts && dst_ts && local && remote)
1004 {
1005 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
1006 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
1007 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
1008 local, remote);
1009 charon->processor->queue_job(charon->processor, job);
1010 }
1011 else
1012 {
1013 DESTROY_IF(src_ts);
1014 DESTROY_IF(dst_ts);
1015 DESTROY_IF(local);
1016 DESTROY_IF(remote);
1017 }
1018 }
1019 #endif /*SADB_X_MIGRATE*/
1020
1021 #ifdef HAVE_NATT
1022 /**
1023 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1024 */
1025 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
1026 {
1027 pfkey_msg_t response;
1028 u_int32_t spi, reqid;
1029 host_t *host;
1030 job_t *job;
1031
1032 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1033
1034 if (parse_pfkey_message(msg, &response) != SUCCESS)
1035 {
1036 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1037 return;
1038 }
1039
1040 if (!response.x_sa2)
1041 {
1042 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
1043 return;
1044 }
1045
1046 spi = response.sa->sadb_sa_spi;
1047 reqid = response.x_sa2->sadb_x_sa2_reqid;
1048
1049 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
1050 {
1051 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
1052 switch (sa->sa_family)
1053 {
1054 case AF_INET:
1055 {
1056 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1057 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1058 }
1059 case AF_INET6:
1060 {
1061 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1062 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1063 }
1064 default:
1065 break;
1066 }
1067 host = host_create_from_sockaddr(sa);
1068 if (host)
1069 {
1070 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
1071 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
1072 job = (job_t*)update_sa_job_create(reqid, host);
1073 charon->processor->queue_job(charon->processor, job);
1074 }
1075 }
1076 }
1077 #endif /*HAVE_NATT*/
1078
1079 /**
1080 * Receives events from kernel
1081 */
1082 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1083 {
1084 unsigned char buf[PFKEY_BUFFER_SIZE];
1085 struct sadb_msg *msg = (struct sadb_msg*)buf;
1086 int len, oldstate;
1087
1088 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
1089 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1090 pthread_setcancelstate(oldstate, NULL);
1091
1092 if (len < 0)
1093 {
1094 switch (errno)
1095 {
1096 case EINTR:
1097 /* interrupted, try again */
1098 return JOB_REQUEUE_DIRECT;
1099 case EAGAIN:
1100 /* no data ready, select again */
1101 return JOB_REQUEUE_DIRECT;
1102 default:
1103 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1104 sleep(1);
1105 return JOB_REQUEUE_FAIR;
1106 }
1107 }
1108
1109 if (len < sizeof(struct sadb_msg) ||
1110 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1111 {
1112 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1113 return JOB_REQUEUE_DIRECT;
1114 }
1115 if (msg->sadb_msg_pid != 0)
1116 { /* not from kernel. not interested, try another one */
1117 return JOB_REQUEUE_DIRECT;
1118 }
1119 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1120 {
1121 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
1122 return JOB_REQUEUE_DIRECT;
1123 }
1124
1125 switch (msg->sadb_msg_type)
1126 {
1127 case SADB_ACQUIRE:
1128 process_acquire(this, msg);
1129 break;
1130 case SADB_EXPIRE:
1131 process_expire(this, msg);
1132 break;
1133 #ifdef SADB_X_MIGRATE
1134 case SADB_X_MIGRATE:
1135 process_migrate(this, msg);
1136 break;
1137 #endif /*SADB_X_MIGRATE*/
1138 #ifdef HAVE_NATT
1139 case SADB_X_NAT_T_NEW_MAPPING:
1140 process_mapping(this, msg);
1141 break;
1142 #endif /*HAVE_NATT*/
1143 default:
1144 break;
1145 }
1146
1147 return JOB_REQUEUE_DIRECT;
1148 }
1149
1150 /**
1151 * Implementation of kernel_interface_t.get_spi.
1152 */
1153 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
1154 host_t *src, host_t *dst,
1155 protocol_id_t protocol, u_int32_t reqid,
1156 u_int32_t *spi)
1157 {
1158 unsigned char request[PFKEY_BUFFER_SIZE];
1159 struct sadb_msg *msg, *out;
1160 struct sadb_x_sa2 *sa2;
1161 struct sadb_spirange *range;
1162 pfkey_msg_t response;
1163 u_int32_t received_spi = 0;
1164 size_t len;
1165
1166 memset(&request, 0, sizeof(request));
1167
1168 msg = (struct sadb_msg*)request;
1169 msg->sadb_msg_version = PF_KEY_V2;
1170 msg->sadb_msg_type = SADB_GETSPI;
1171 msg->sadb_msg_satype = proto_ike2satype(protocol);
1172 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1173
1174 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1175 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1176 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1177 sa2->sadb_x_sa2_reqid = reqid;
1178 PFKEY_EXT_ADD(msg, sa2);
1179
1180 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1181 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1182
1183 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1184 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1185 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1186 range->sadb_spirange_min = 0xc0000000;
1187 range->sadb_spirange_max = 0xcFFFFFFF;
1188 PFKEY_EXT_ADD(msg, range);
1189
1190 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1191 {
1192 if (out->sadb_msg_errno)
1193 {
1194 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1195 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1196 }
1197 else if (parse_pfkey_message(out, &response) == SUCCESS)
1198 {
1199 received_spi = response.sa->sadb_sa_spi;
1200 }
1201 free(out);
1202 }
1203
1204 if (received_spi == 0)
1205 {
1206 return FAILED;
1207 }
1208
1209 *spi = received_spi;
1210 return SUCCESS;
1211 }
1212
1213 /**
1214 * Implementation of kernel_interface_t.get_cpi.
1215 */
1216 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
1217 host_t *src, host_t *dst,
1218 u_int32_t reqid, u_int16_t *cpi)
1219 {
1220 return FAILED;
1221 }
1222
1223 /**
1224 * Implementation of kernel_interface_t.add_sa.
1225 */
1226 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
1227 host_t *src, host_t *dst, u_int32_t spi,
1228 protocol_id_t protocol, u_int32_t reqid,
1229 lifetime_cfg_t *lifetime,
1230 u_int16_t enc_alg, chunk_t enc_key,
1231 u_int16_t int_alg, chunk_t int_key,
1232 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1233 bool encap, bool inbound, traffic_selector_t *src_ts,
1234 traffic_selector_t *dst_ts)
1235 {
1236 unsigned char request[PFKEY_BUFFER_SIZE];
1237 struct sadb_msg *msg, *out;
1238 struct sadb_sa *sa;
1239 struct sadb_x_sa2 *sa2;
1240 struct sadb_lifetime *lft;
1241 struct sadb_key *key;
1242 size_t len;
1243
1244 memset(&request, 0, sizeof(request));
1245
1246 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1247
1248 msg = (struct sadb_msg*)request;
1249 msg->sadb_msg_version = PF_KEY_V2;
1250 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1251 msg->sadb_msg_satype = proto_ike2satype(protocol);
1252 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1253
1254 #ifdef __APPLE__
1255 if (encap)
1256 {
1257 struct sadb_sa_2 *sa_2;
1258 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1259 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1260 sa = &sa_2->sa;
1261 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1262 len = sizeof(struct sadb_sa_2);
1263 }
1264 else
1265 #endif
1266 {
1267 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1268 len = sizeof(struct sadb_sa);
1269 }
1270 sa->sadb_sa_exttype = SADB_EXT_SA;
1271 sa->sadb_sa_len = PFKEY_LEN(len);
1272 sa->sadb_sa_spi = spi;
1273 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1274 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1275 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1276 PFKEY_EXT_ADD(msg, sa);
1277
1278 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1279 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1280 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1281 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1282 sa2->sadb_x_sa2_reqid = reqid;
1283 PFKEY_EXT_ADD(msg, sa2);
1284
1285 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1286 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1287
1288 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1289 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1290 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1291 lft->sadb_lifetime_allocations = lifetime->packets.rekey;
1292 lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
1293 lft->sadb_lifetime_addtime = lifetime->time.rekey;
1294 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1295 PFKEY_EXT_ADD(msg, lft);
1296
1297 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1298 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1299 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1300 lft->sadb_lifetime_allocations = lifetime->packets.life;
1301 lft->sadb_lifetime_bytes = lifetime->bytes.life;
1302 lft->sadb_lifetime_addtime = lifetime->time.life;
1303 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1304 PFKEY_EXT_ADD(msg, lft);
1305
1306 if (enc_alg != ENCR_UNDEFINED)
1307 {
1308 if (!sa->sadb_sa_encrypt)
1309 {
1310 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1311 encryption_algorithm_names, enc_alg);
1312 return FAILED;
1313 }
1314 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1315 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1316
1317 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1318 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1319 key->sadb_key_bits = enc_key.len * 8;
1320 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1321 memcpy(key + 1, enc_key.ptr, enc_key.len);
1322
1323 PFKEY_EXT_ADD(msg, key);
1324 }
1325
1326 if (int_alg != AUTH_UNDEFINED)
1327 {
1328 if (!sa->sadb_sa_auth)
1329 {
1330 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1331 integrity_algorithm_names, int_alg);
1332 return FAILED;
1333 }
1334 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1335 integrity_algorithm_names, int_alg, int_key.len * 8);
1336
1337 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1338 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1339 key->sadb_key_bits = int_key.len * 8;
1340 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1341 memcpy(key + 1, int_key.ptr, int_key.len);
1342
1343 PFKEY_EXT_ADD(msg, key);
1344 }
1345
1346 if (ipcomp != IPCOMP_NONE)
1347 {
1348 /*TODO*/
1349 }
1350
1351 #ifdef HAVE_NATT
1352 if (encap)
1353 {
1354 add_encap_ext(msg, src, dst);
1355 }
1356 #endif /*HAVE_NATT*/
1357
1358 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1359 {
1360 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1361 return FAILED;
1362 }
1363 else if (out->sadb_msg_errno)
1364 {
1365 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1366 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1367 free(out);
1368 return FAILED;
1369 }
1370
1371 free(out);
1372 return SUCCESS;
1373 }
1374
1375 /**
1376 * Implementation of kernel_interface_t.update_sa.
1377 */
1378 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1379 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1380 host_t *src, host_t *dst,
1381 host_t *new_src, host_t *new_dst,
1382 bool encap, bool new_encap)
1383 {
1384 unsigned char request[PFKEY_BUFFER_SIZE];
1385 struct sadb_msg *msg, *out;
1386 struct sadb_sa *sa;
1387 pfkey_msg_t response;
1388 size_t len;
1389
1390 /* we can't update the SA if any of the ip addresses have changed.
1391 * that's because we can't use SADB_UPDATE and by deleting and readding the
1392 * SA the sequence numbers would get lost */
1393 if (!src->ip_equals(src, new_src) ||
1394 !dst->ip_equals(dst, new_dst))
1395 {
1396 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
1397 " are not supported", ntohl(spi));
1398 return NOT_SUPPORTED;
1399 }
1400
1401 memset(&request, 0, sizeof(request));
1402
1403 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1404
1405 msg = (struct sadb_msg*)request;
1406 msg->sadb_msg_version = PF_KEY_V2;
1407 msg->sadb_msg_type = SADB_GET;
1408 msg->sadb_msg_satype = proto_ike2satype(protocol);
1409 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1410
1411 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1412 sa->sadb_sa_exttype = SADB_EXT_SA;
1413 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1414 sa->sadb_sa_spi = spi;
1415 PFKEY_EXT_ADD(msg, sa);
1416
1417 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1418 * it is not used for anything. */
1419 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1420 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1421
1422 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1423 {
1424 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1425 ntohl(spi));
1426 return FAILED;
1427 }
1428 else if (out->sadb_msg_errno)
1429 {
1430 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1431 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1432 free(out);
1433 return FAILED;
1434 }
1435 else if (parse_pfkey_message(out, &response) != SUCCESS)
1436 {
1437 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1438 "from kernel failed", ntohl(spi));
1439 free(out);
1440 return FAILED;
1441 }
1442
1443 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1444 ntohl(spi), src, dst, new_src, new_dst);
1445
1446 memset(&request, 0, sizeof(request));
1447
1448 msg = (struct sadb_msg*)request;
1449 msg->sadb_msg_version = PF_KEY_V2;
1450 msg->sadb_msg_type = SADB_UPDATE;
1451 msg->sadb_msg_satype = proto_ike2satype(protocol);
1452 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1453
1454 #ifdef __APPLE__
1455 {
1456 struct sadb_sa_2 *sa_2;
1457 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1458 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1459 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1460 if (encap)
1461 {
1462 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1463 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1464 }
1465 }
1466 #else
1467 PFKEY_EXT_COPY(msg, response.sa);
1468 #endif
1469 PFKEY_EXT_COPY(msg, response.x_sa2);
1470
1471 PFKEY_EXT_COPY(msg, response.src);
1472 PFKEY_EXT_COPY(msg, response.dst);
1473
1474 PFKEY_EXT_COPY(msg, response.lft_soft);
1475 PFKEY_EXT_COPY(msg, response.lft_hard);
1476
1477 if (response.key_encr)
1478 {
1479 PFKEY_EXT_COPY(msg, response.key_encr);
1480 }
1481
1482 if (response.key_auth)
1483 {
1484 PFKEY_EXT_COPY(msg, response.key_auth);
1485 }
1486
1487 #ifdef HAVE_NATT
1488 if (new_encap)
1489 {
1490 add_encap_ext(msg, new_src, new_dst);
1491 }
1492 #endif /*HAVE_NATT*/
1493
1494 free(out);
1495
1496 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1497 {
1498 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1499 return FAILED;
1500 }
1501 else if (out->sadb_msg_errno)
1502 {
1503 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1504 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1505 free(out);
1506 return FAILED;
1507 }
1508 free(out);
1509
1510 return SUCCESS;
1511 }
1512
1513 /**
1514 * Implementation of kernel_interface_t.query_sa.
1515 */
1516 static status_t query_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
1517 host_t *dst, u_int32_t spi, protocol_id_t protocol,
1518 u_int64_t *bytes)
1519 {
1520 unsigned char request[PFKEY_BUFFER_SIZE];
1521 struct sadb_msg *msg, *out;
1522 struct sadb_sa *sa;
1523 pfkey_msg_t response;
1524 size_t len;
1525
1526 memset(&request, 0, sizeof(request));
1527
1528 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1529
1530 msg = (struct sadb_msg*)request;
1531 msg->sadb_msg_version = PF_KEY_V2;
1532 msg->sadb_msg_type = SADB_GET;
1533 msg->sadb_msg_satype = proto_ike2satype(protocol);
1534 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1535
1536 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1537 sa->sadb_sa_exttype = SADB_EXT_SA;
1538 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1539 sa->sadb_sa_spi = spi;
1540 PFKEY_EXT_ADD(msg, sa);
1541
1542 /* the Linux Kernel doesn't care for the src address, but other systems do
1543 * (e.g. FreeBSD)
1544 */
1545 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1546 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1547
1548 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1549 {
1550 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1551 return FAILED;
1552 }
1553 else if (out->sadb_msg_errno)
1554 {
1555 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1556 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1557 free(out);
1558 return FAILED;
1559 }
1560 else if (parse_pfkey_message(out, &response) != SUCCESS)
1561 {
1562 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1563 free(out);
1564 return FAILED;
1565 }
1566 *bytes = response.lft_current->sadb_lifetime_bytes;
1567
1568 free(out);
1569 return SUCCESS;
1570 }
1571
1572 /**
1573 * Implementation of kernel_interface_t.del_sa.
1574 */
1575 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
1576 host_t *dst, u_int32_t spi, protocol_id_t protocol,
1577 u_int16_t cpi)
1578 {
1579 unsigned char request[PFKEY_BUFFER_SIZE];
1580 struct sadb_msg *msg, *out;
1581 struct sadb_sa *sa;
1582 size_t len;
1583
1584 memset(&request, 0, sizeof(request));
1585
1586 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1587
1588 msg = (struct sadb_msg*)request;
1589 msg->sadb_msg_version = PF_KEY_V2;
1590 msg->sadb_msg_type = SADB_DELETE;
1591 msg->sadb_msg_satype = proto_ike2satype(protocol);
1592 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1593
1594 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1595 sa->sadb_sa_exttype = SADB_EXT_SA;
1596 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1597 sa->sadb_sa_spi = spi;
1598 PFKEY_EXT_ADD(msg, sa);
1599
1600 /* the Linux Kernel doesn't care for the src address, but other systems do
1601 * (e.g. FreeBSD)
1602 */
1603 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1604 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1605
1606 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1607 {
1608 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1609 return FAILED;
1610 }
1611 else if (out->sadb_msg_errno)
1612 {
1613 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1614 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1615 free(out);
1616 return FAILED;
1617 }
1618
1619 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1620 free(out);
1621 return SUCCESS;
1622 }
1623
1624 /**
1625 * Implementation of kernel_interface_t.add_policy.
1626 */
1627 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1628 host_t *src, host_t *dst,
1629 traffic_selector_t *src_ts,
1630 traffic_selector_t *dst_ts,
1631 policy_dir_t direction, u_int32_t spi,
1632 protocol_id_t protocol, u_int32_t reqid,
1633 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1634 bool routed)
1635 {
1636 unsigned char request[PFKEY_BUFFER_SIZE];
1637 struct sadb_msg *msg, *out;
1638 struct sadb_x_policy *pol;
1639 struct sadb_x_ipsecrequest *req;
1640 policy_entry_t *policy, *found = NULL;
1641 pfkey_msg_t response;
1642 size_t len;
1643
1644 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1645 {
1646 /* FWD policies are not supported on all platforms */
1647 return SUCCESS;
1648 }
1649
1650 /* create a policy */
1651 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1652
1653 /* find a matching policy */
1654 this->mutex->lock(this->mutex);
1655 if (this->policies->find_first(this->policies,
1656 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1657 {
1658 /* use existing policy */
1659 found->refcount++;
1660 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1661 "refcount", src_ts, dst_ts,
1662 policy_dir_names, direction);
1663 policy_entry_destroy(policy);
1664 policy = found;
1665 }
1666 else
1667 {
1668 /* apply the new one, if we have no such policy */
1669 this->policies->insert_last(this->policies, policy);
1670 policy->refcount = 1;
1671 }
1672
1673 memset(&request, 0, sizeof(request));
1674
1675 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1676 policy_dir_names, direction);
1677
1678 msg = (struct sadb_msg*)request;
1679 msg->sadb_msg_version = PF_KEY_V2;
1680 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1681 msg->sadb_msg_satype = 0;
1682 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1683
1684 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1685 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1686 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1687 pol->sadb_x_policy_id = 0;
1688 pol->sadb_x_policy_dir = dir2kernel(direction);
1689 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1690 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1691 /* calculate priority based on source selector size, small size = high prio */
1692 pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
1693 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1694 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1695 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1696 #endif
1697
1698 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1699 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1700 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1701 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1702 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1703 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1704 req->sadb_x_ipsecrequest_reqid = reqid;
1705 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1706 if (mode == MODE_TUNNEL)
1707 {
1708 sockaddr_t *sa;
1709 socklen_t sl;
1710 sa = src->get_sockaddr(src);
1711 sl = *src->get_sockaddr_len(src);
1712 memcpy(req + 1, sa, sl);
1713 sa = dst->get_sockaddr(dst);
1714 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1715 req->sadb_x_ipsecrequest_len += sl * 2;
1716 }
1717
1718 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1719 PFKEY_EXT_ADD(msg, pol);
1720
1721 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1722 policy->src.mask);
1723 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1724 policy->dst.mask);
1725
1726 #ifdef __FreeBSD__
1727 { /* on FreeBSD a lifetime has to be defined to be able to later query
1728 * the current use time. */
1729 struct sadb_lifetime *lft;
1730 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1731 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1732 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1733 lft->sadb_lifetime_addtime = LONG_MAX;
1734 PFKEY_EXT_ADD(msg, lft);
1735 }
1736 #endif
1737
1738 this->mutex->unlock(this->mutex);
1739
1740 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1741 {
1742 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1743 policy_dir_names, direction);
1744 return FAILED;
1745 }
1746 else if (out->sadb_msg_errno)
1747 {
1748 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1749 policy_dir_names, direction,
1750 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1751 free(out);
1752 return FAILED;
1753 }
1754 else if (parse_pfkey_message(out, &response) != SUCCESS)
1755 {
1756 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1757 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1758 free(out);
1759 return FAILED;
1760 }
1761
1762 this->mutex->lock(this->mutex);
1763
1764 /* we try to find the policy again and update the kernel index */
1765 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1766 {
1767 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1768 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1769 this->mutex->unlock(this->mutex);
1770 free(out);
1771 return SUCCESS;
1772 }
1773 policy->index = response.x_policy->sadb_x_policy_id;
1774 free(out);
1775
1776 /* install a route, if:
1777 * - we are NOT updating a policy
1778 * - this is a forward policy (to just get one for each child)
1779 * - we are in tunnel mode
1780 * - we are not using IPv6 (does not work correctly yet!)
1781 * - routing is not disabled via strongswan.conf
1782 */
1783 if (policy->route == NULL && direction == POLICY_FWD &&
1784 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1785 this->install_routes)
1786 {
1787 route_entry_t *route = malloc_thing(route_entry_t);
1788
1789 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1790 dst_ts, &route->src_ip) == SUCCESS)
1791 {
1792 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1793 route->gateway = charon->kernel_interface->get_nexthop(
1794 charon->kernel_interface, src);
1795 route->if_name = charon->kernel_interface->get_interface(
1796 charon->kernel_interface, dst);
1797 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1798 route->prefixlen = policy->src.mask;
1799
1800 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1801 route->dst_net, route->prefixlen, route->gateway,
1802 route->src_ip, route->if_name))
1803 {
1804 default:
1805 DBG1(DBG_KNL, "unable to install source route for %H",
1806 route->src_ip);
1807 /* FALL */
1808 case ALREADY_DONE:
1809 /* route exists, do not uninstall */
1810 route_entry_destroy(route);
1811 break;
1812 case SUCCESS:
1813 /* cache the installed route */
1814 policy->route = route;
1815 break;
1816 }
1817 }
1818 else
1819 {
1820 free(route);
1821 }
1822 }
1823
1824 this->mutex->unlock(this->mutex);
1825
1826 return SUCCESS;
1827 }
1828
1829 /**
1830 * Implementation of kernel_interface_t.query_policy.
1831 */
1832 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1833 traffic_selector_t *src_ts,
1834 traffic_selector_t *dst_ts,
1835 policy_dir_t direction, u_int32_t *use_time)
1836 {
1837 unsigned char request[PFKEY_BUFFER_SIZE];
1838 struct sadb_msg *msg, *out;
1839 struct sadb_x_policy *pol;
1840 policy_entry_t *policy, *found = NULL;
1841 pfkey_msg_t response;
1842 size_t len;
1843
1844 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1845 {
1846 /* FWD policies are not supported on all platforms */
1847 return NOT_FOUND;
1848 }
1849
1850 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1851 policy_dir_names, direction);
1852
1853 /* create a policy */
1854 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1855
1856 /* find a matching policy */
1857 this->mutex->lock(this->mutex);
1858 if (this->policies->find_first(this->policies,
1859 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1860 {
1861 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1862 dst_ts, policy_dir_names, direction);
1863 policy_entry_destroy(policy);
1864 this->mutex->unlock(this->mutex);
1865 return NOT_FOUND;
1866 }
1867 policy_entry_destroy(policy);
1868 policy = found;
1869
1870 memset(&request, 0, sizeof(request));
1871
1872 msg = (struct sadb_msg*)request;
1873 msg->sadb_msg_version = PF_KEY_V2;
1874 msg->sadb_msg_type = SADB_X_SPDGET;
1875 msg->sadb_msg_satype = 0;
1876 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1877
1878 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1879 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1880 pol->sadb_x_policy_id = policy->index;
1881 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1882 pol->sadb_x_policy_dir = dir2kernel(direction);
1883 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1884 PFKEY_EXT_ADD(msg, pol);
1885
1886 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1887 policy->src.mask);
1888 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1889 policy->dst.mask);
1890
1891 this->mutex->unlock(this->mutex);
1892
1893 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1894 {
1895 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1896 policy_dir_names, direction);
1897 return FAILED;
1898 }
1899 else if (out->sadb_msg_errno)
1900 {
1901 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1902 dst_ts, policy_dir_names, direction,
1903 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1904 free(out);
1905 return FAILED;
1906 }
1907 else if (parse_pfkey_message(out, &response) != SUCCESS)
1908 {
1909 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1910 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1911 free(out);
1912 return FAILED;
1913 }
1914 else if (response.lft_current == NULL)
1915 {
1916 DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
1917 "use time", src_ts, dst_ts, policy_dir_names, direction);
1918 free(out);
1919 return FAILED;
1920 }
1921 /* we need the monotonic time, but the kernel returns system time. */
1922 if (response.lft_current->sadb_lifetime_usetime)
1923 {
1924 *use_time = time_monotonic(NULL) -
1925 (time(NULL) - response.lft_current->sadb_lifetime_usetime);
1926 }
1927 else
1928 {
1929 *use_time = 0;
1930 }
1931 free(out);
1932
1933 return SUCCESS;
1934 }
1935
1936 /**
1937 * Implementation of kernel_interface_t.del_policy.
1938 */
1939 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1940 traffic_selector_t *src_ts,
1941 traffic_selector_t *dst_ts,
1942 policy_dir_t direction, bool unrouted)
1943 {
1944 unsigned char request[PFKEY_BUFFER_SIZE];
1945 struct sadb_msg *msg, *out;
1946 struct sadb_x_policy *pol;
1947 policy_entry_t *policy, *found = NULL;
1948 route_entry_t *route;
1949 size_t len;
1950
1951 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1952 {
1953 /* FWD policies are not supported on all platforms */
1954 return SUCCESS;
1955 }
1956
1957 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1958 policy_dir_names, direction);
1959
1960 /* create a policy */
1961 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1962
1963 /* find a matching policy */
1964 this->mutex->lock(this->mutex);
1965 if (this->policies->find_first(this->policies,
1966 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1967 {
1968 if (--found->refcount > 0)
1969 {
1970 /* is used by more SAs, keep in kernel */
1971 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1972 policy_entry_destroy(policy);
1973 this->mutex->unlock(this->mutex);
1974 return SUCCESS;
1975 }
1976 /* remove if last reference */
1977 this->policies->remove(this->policies, found, NULL);
1978 policy_entry_destroy(policy);
1979 policy = found;
1980 }
1981 else
1982 {
1983 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1984 dst_ts, policy_dir_names, direction);
1985 policy_entry_destroy(policy);
1986 this->mutex->unlock(this->mutex);
1987 return NOT_FOUND;
1988 }
1989 this->mutex->unlock(this->mutex);
1990
1991 memset(&request, 0, sizeof(request));
1992
1993 msg = (struct sadb_msg*)request;
1994 msg->sadb_msg_version = PF_KEY_V2;
1995 msg->sadb_msg_type = SADB_X_SPDDELETE;
1996 msg->sadb_msg_satype = 0;
1997 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1998
1999 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2000 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2001 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2002 pol->sadb_x_policy_dir = dir2kernel(direction);
2003 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2004 PFKEY_EXT_ADD(msg, pol);
2005
2006 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2007 policy->src.mask);
2008 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2009 policy->dst.mask);
2010
2011 route = policy->route;
2012 policy->route = NULL;
2013 policy_entry_destroy(policy);
2014
2015 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2016 {
2017 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2018 policy_dir_names, direction);
2019 return FAILED;
2020 }
2021 else if (out->sadb_msg_errno)
2022 {
2023 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
2024 dst_ts, policy_dir_names, direction,
2025 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2026 free(out);
2027 return FAILED;
2028 }
2029 free(out);
2030
2031 if (route)
2032 {
2033 if (charon->kernel_interface->del_route(charon->kernel_interface,
2034 route->dst_net, route->prefixlen, route->gateway,
2035 route->src_ip, route->if_name) != SUCCESS)
2036 {
2037 DBG1(DBG_KNL, "error uninstalling route installed with "
2038 "policy %R === %R %N", src_ts, dst_ts,
2039 policy_dir_names, direction);
2040 }
2041 route_entry_destroy(route);
2042 }
2043
2044 return SUCCESS;
2045 }
2046
2047 /**
2048 * Register a socket for AQUIRE/EXPIRE messages
2049 */
2050 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
2051 {
2052 unsigned char request[PFKEY_BUFFER_SIZE];
2053 struct sadb_msg *msg, *out;
2054 size_t len;
2055
2056 memset(&request, 0, sizeof(request));
2057
2058 msg = (struct sadb_msg*)request;
2059 msg->sadb_msg_version = PF_KEY_V2;
2060 msg->sadb_msg_type = SADB_REGISTER;
2061 msg->sadb_msg_satype = satype;
2062 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2063
2064 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2065 {
2066 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2067 return FAILED;
2068 }
2069 else if (out->sadb_msg_errno)
2070 {
2071 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2072 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2073 free(out);
2074 return FAILED;
2075 }
2076 free(out);
2077 return SUCCESS;
2078 }
2079
2080 /**
2081 * Implementation of kernel_interface_t.destroy.
2082 */
2083 static void destroy(private_kernel_pfkey_ipsec_t *this)
2084 {
2085 this->job->cancel(this->job);
2086 close(this->socket);
2087 close(this->socket_events);
2088 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
2089 this->mutex->destroy(this->mutex);
2090 this->mutex_pfkey->destroy(this->mutex_pfkey);
2091 free(this);
2092 }
2093
2094 /**
2095 * Add bypass policies for IKE on the sockets of charon
2096 */
2097 static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
2098 {
2099 int fd, family, port;
2100 enumerator_t *sockets;
2101 bool status = TRUE;
2102
2103 sockets = charon->socket->create_enumerator(charon->socket);
2104 while (sockets->enumerate(sockets, &fd, &family, &port))
2105 {
2106 struct sadb_x_policy policy;
2107 u_int sol, ipsec_policy;
2108
2109 switch (family)
2110 {
2111 case AF_INET:
2112 {
2113 sol = SOL_IP;
2114 ipsec_policy = IP_IPSEC_POLICY;
2115 break;
2116 }
2117 case AF_INET6:
2118 {
2119 sol = SOL_IPV6;
2120 ipsec_policy = IPV6_IPSEC_POLICY;
2121 break;
2122 }
2123 default:
2124 continue;
2125 }
2126
2127 memset(&policy, 0, sizeof(policy));
2128 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
2129 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2130 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
2131
2132 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
2133 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2134 {
2135 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2136 strerror(errno));
2137 status = FALSE;
2138 break;
2139 }
2140 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
2141 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2142 {
2143 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2144 strerror(errno));
2145 status = FALSE;
2146 break;
2147 }
2148 }
2149 sockets->destroy(sockets);
2150 return status;
2151 }
2152
2153 /*
2154 * Described in header.
2155 */
2156 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
2157 {
2158 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
2159
2160 /* public functions */
2161 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2162 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
2163 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
2164 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
2165 this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
2166 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
2167 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
2168 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2169 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
2170
2171 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
2172
2173 /* private members */
2174 this->policies = linked_list_create();
2175 this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
2176 this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT);
2177 this->install_routes = lib->settings->get_bool(lib->settings,
2178 "charon.install_routes", TRUE);
2179 this->seq = 0;
2180
2181 /* create a PF_KEY socket to communicate with the kernel */
2182 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2183 if (this->socket <= 0)
2184 {
2185 charon->kill(charon, "unable to create PF_KEY socket");
2186 }
2187
2188 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2189 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2190 if (this->socket_events <= 0)
2191 {
2192 charon->kill(charon, "unable to create PF_KEY event socket");
2193 }
2194
2195 /* add bypass policies on the sockets used by charon */
2196 if (!add_bypass_policies(this))
2197 {
2198 charon->kill(charon, "unable to add bypass policies on sockets");
2199 }
2200
2201 /* register the event socket */
2202 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2203 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2204 {
2205 charon->kill(charon, "unable to register PF_KEY event socket");
2206 }
2207
2208 this->job = callback_job_create((callback_job_cb_t)receive_events,
2209 this, NULL, NULL);
2210 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2211
2212 return &this->public;
2213 }