moved the IPV6_IPSEC_POLICY definition to the ipsec plugins, fixes uClibc build
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * $Id$
17 */
18
19 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <stdint.h>
22 #include <linux/ipsec.h>
23 #include <linux/pfkeyv2.h>
24 #include <linux/udp.h>
25 #include <unistd.h>
26 #include <pthread.h>
27 #include <errno.h>
28
29 #include "kernel_pfkey_ipsec.h"
30
31 #include <daemon.h>
32 #include <utils/host.h>
33 #include <utils/mutex.h>
34 #include <processing/jobs/callback_job.h>
35 #include <processing/jobs/acquire_job.h>
36 #include <processing/jobs/migrate_job.h>
37 #include <processing/jobs/rekey_child_sa_job.h>
38 #include <processing/jobs/delete_child_sa_job.h>
39 #include <processing/jobs/update_sa_job.h>
40
41 /** from linux/in.h */
42 #ifndef IP_IPSEC_POLICY
43 #define IP_IPSEC_POLICY 16
44 #endif
45
46 /* missing on uclibc */
47 #ifndef IPV6_IPSEC_POLICY
48 #define IPV6_IPSEC_POLICY 34
49 #endif /*IPV6_IPSEC_POLICY*/
50
51 /** default priority of installed policies */
52 #define PRIO_LOW 3000
53 #define PRIO_HIGH 2000
54
55 /** buffer size for PF_KEY messages */
56 #define PFKEY_BUFFER_SIZE 4096
57
58 /** PF_KEY messages are 64 bit aligned */
59 #define PFKEY_ALIGNMENT 8
60 /** aligns len to 64 bits */
61 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
62 /** calculates the properly padded length in 64 bit chunks */
63 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
64 /** calculates user mode length i.e. in bytes */
65 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
66
67 /** given a PF_KEY message header and an extension this updates the length in the header */
68 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
69 /** given a PF_KEY message header this returns a pointer to the next extension */
70 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
71 /** copy an extension and append it to a PF_KEY message */
72 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
73 /** given a PF_KEY extension this returns a pointer to the next extension */
74 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
75 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
76 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
77 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
78 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
79 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
80 (ext)->sadb_ext_len <= (len))
81
82 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
83
84 /**
85 * Private variables and functions of kernel_pfkey class.
86 */
87 struct private_kernel_pfkey_ipsec_t
88 {
89 /**
90 * Public part of the kernel_pfkey_t object.
91 */
92 kernel_pfkey_ipsec_t public;
93
94 /**
95 * mutex to lock access to various lists
96 */
97 mutex_t *mutex;
98
99 /**
100 * List of installed policies (policy_entry_t)
101 */
102 linked_list_t *policies;
103
104 /**
105 * whether to install routes along policies
106 */
107 bool install_routes;
108
109 /**
110 * job receiving PF_KEY events
111 */
112 callback_job_t *job;
113
114 /**
115 * mutex to lock access to the PF_KEY socket
116 */
117 mutex_t *mutex_pfkey;
118
119 /**
120 * PF_KEY socket to communicate with the kernel
121 */
122 int socket;
123
124 /**
125 * PF_KEY socket to receive acquire and expire events
126 */
127 int socket_events;
128
129 /**
130 * sequence number for messages sent to the kernel
131 */
132 int seq;
133 };
134
135 typedef struct route_entry_t route_entry_t;
136
137 /**
138 * installed routing entry
139 */
140 struct route_entry_t {
141 /** Name of the interface the route is bound to */
142 char *if_name;
143
144 /** Source ip of the route */
145 host_t *src_ip;
146
147 /** gateway for this route */
148 host_t *gateway;
149
150 /** Destination net */
151 chunk_t dst_net;
152
153 /** Destination net prefixlen */
154 u_int8_t prefixlen;
155 };
156
157 /**
158 * destroy an route_entry_t object
159 */
160 static void route_entry_destroy(route_entry_t *this)
161 {
162 free(this->if_name);
163 this->src_ip->destroy(this->src_ip);
164 this->gateway->destroy(this->gateway);
165 chunk_free(&this->dst_net);
166 free(this);
167 }
168
169 typedef struct policy_entry_t policy_entry_t;
170
171 /**
172 * installed kernel policy.
173 */
174 struct policy_entry_t {
175
176 /** reqid of this policy */
177 u_int32_t reqid;
178
179 /** index assigned by the kernel */
180 u_int32_t index;
181
182 /** direction of this policy: in, out, forward */
183 u_int8_t direction;
184
185 /** parameters of installed policy */
186 struct {
187 /** subnet and port */
188 host_t *net;
189 /** subnet mask */
190 u_int8_t mask;
191 /** protocol */
192 u_int8_t proto;
193 } src, dst;
194
195 /** associated route installed for this policy */
196 route_entry_t *route;
197
198 /** by how many CHILD_SA's this policy is used */
199 u_int refcount;
200 };
201
202 /**
203 * create a policy_entry_t object
204 */
205 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
206 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
207 {
208 policy_entry_t *policy = malloc_thing(policy_entry_t);
209 policy->reqid = reqid;
210 policy->index = 0;
211 policy->direction = dir;
212 policy->route = NULL;
213 policy->refcount = 0;
214
215 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
216 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
217
218 /* src or dest proto may be "any" (0), use more restrictive one */
219 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
220 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
221 policy->dst.proto = policy->src.proto;
222
223 return policy;
224 }
225
226 /**
227 * destroy a policy_entry_t object
228 */
229 static void policy_entry_destroy(policy_entry_t *this)
230 {
231 DESTROY_IF(this->src.net);
232 DESTROY_IF(this->dst.net);
233 if (this->route)
234 {
235 route_entry_destroy(this->route);
236 }
237 free(this);
238 }
239
240 /**
241 * compares two policy_entry_t
242 */
243 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
244 {
245 return current->direction == policy->direction &&
246 current->src.proto == policy->src.proto &&
247 current->dst.proto == policy->dst.proto &&
248 current->src.mask == policy->src.mask &&
249 current->dst.mask == policy->dst.mask &&
250 current->src.net->equals(current->src.net, policy->src.net) &&
251 current->dst.net->equals(current->dst.net, policy->dst.net);
252 }
253
254 /**
255 * compare the given kernel index with that of a policy
256 */
257 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
258 {
259 return current->index == *index;
260 }
261
262 typedef struct pfkey_msg_t pfkey_msg_t;
263
264 struct pfkey_msg_t
265 {
266 /**
267 * PF_KEY message base
268 */
269 struct sadb_msg *msg;
270
271
272 /**
273 * PF_KEY message extensions
274 */
275 union {
276 struct sadb_ext *ext[SADB_EXT_MAX + 1];
277 struct {
278 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
279 struct sadb_sa *sa; /* SADB_EXT_SA */
280 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
281 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
282 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
283 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
284 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
285 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
286 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
287 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
288 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
289 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
290 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
291 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
292 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
293 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
294 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
295 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
296 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
297 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
298 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
299 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
300 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
301 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
302 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
303 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
304 } __attribute__((__packed__));
305 };
306 };
307
308 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
309 "SADB_EXT_RESERVED",
310 "SADB_EXT_SA",
311 "SADB_EXT_LIFETIME_CURRENT",
312 "SADB_EXT_LIFETIME_HARD",
313 "SADB_EXT_LIFETIME_SOFT",
314 "SADB_EXT_ADDRESS_SRC",
315 "SADB_EXT_ADDRESS_DST",
316 "SADB_EXT_ADDRESS_PROXY",
317 "SADB_EXT_KEY_AUTH",
318 "SADB_EXT_KEY_ENCRYPT",
319 "SADB_EXT_IDENTITY_SRC",
320 "SADB_EXT_IDENTITY_DST",
321 "SADB_EXT_SENSITIVITY",
322 "SADB_EXT_PROPOSAL",
323 "SADB_EXT_SUPPORTED_AUTH",
324 "SADB_EXT_SUPPORTED_ENCRYPT",
325 "SADB_EXT_SPIRANGE",
326 "SADB_X_EXT_KMPRIVATE",
327 "SADB_X_EXT_POLICY",
328 "SADB_X_EXT_SA2",
329 "SADB_X_EXT_NAT_T_TYPE",
330 "SADB_X_EXT_NAT_T_SPORT",
331 "SADB_X_EXT_NAT_T_DPORT",
332 "SADB_X_EXT_NAT_T_OA",
333 "SADB_X_EXT_SEC_CTX",
334 "SADB_X_EXT_KMADDRESS"
335 );
336 /**
337 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
338 */
339 static u_int8_t proto_ike2satype(protocol_id_t proto)
340 {
341 switch (proto)
342 {
343 case PROTO_ESP:
344 return SADB_SATYPE_ESP;
345 case PROTO_AH:
346 return SADB_SATYPE_AH;
347 case IPPROTO_COMP:
348 return SADB_X_SATYPE_IPCOMP;
349 default:
350 return proto;
351 }
352 }
353
354 /**
355 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
356 */
357 static protocol_id_t proto_satype2ike(u_int8_t proto)
358 {
359 switch (proto)
360 {
361 case SADB_SATYPE_ESP:
362 return PROTO_ESP;
363 case SADB_SATYPE_AH:
364 return PROTO_AH;
365 case SADB_X_SATYPE_IPCOMP:
366 return IPPROTO_COMP;
367 default:
368 return proto;
369 }
370 }
371
372 /**
373 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
374 */
375 static u_int8_t proto_ike2ip(protocol_id_t proto)
376 {
377 switch (proto)
378 {
379 case PROTO_ESP:
380 return IPPROTO_ESP;
381 case PROTO_AH:
382 return IPPROTO_AH;
383 default:
384 return proto;
385 }
386 }
387
388 /**
389 * convert the general ipsec mode to the one defined in ipsec.h
390 */
391 static u_int8_t mode2kernel(ipsec_mode_t mode)
392 {
393 switch (mode)
394 {
395 case MODE_TRANSPORT:
396 return IPSEC_MODE_TRANSPORT;
397 case MODE_TUNNEL:
398 return IPSEC_MODE_TUNNEL;
399 case MODE_BEET:
400 return IPSEC_MODE_BEET;
401 default:
402 return mode;
403 }
404 }
405
406 /**
407 * convert the general policy direction to the one defined in ipsec.h
408 */
409 static u_int8_t dir2kernel(policy_dir_t dir)
410 {
411 switch (dir)
412 {
413 case POLICY_IN:
414 return IPSEC_DIR_INBOUND;
415 case POLICY_OUT:
416 return IPSEC_DIR_OUTBOUND;
417 case POLICY_FWD:
418 return IPSEC_DIR_FWD;
419 default:
420 return dir;
421 }
422 }
423
424 /**
425 * convert the policy direction in ipsec.h to the general one.
426 */
427 static policy_dir_t kernel2dir(u_int8_t dir)
428 {
429 switch (dir)
430 {
431 case IPSEC_DIR_INBOUND:
432 return POLICY_IN;
433 case IPSEC_DIR_OUTBOUND:
434 return POLICY_OUT;
435 case IPSEC_DIR_FWD:
436 return POLICY_FWD;
437 default:
438 return dir;
439 }
440 }
441 typedef struct kernel_algorithm_t kernel_algorithm_t;
442
443 /**
444 * Mapping of IKEv2 algorithms to PF_KEY algorithms
445 */
446 struct kernel_algorithm_t {
447 /**
448 * Identifier specified in IKEv2
449 */
450 int ikev2;
451
452 /**
453 * Identifier as defined in pfkeyv2.h
454 */
455 int kernel;
456 };
457
458 #define END_OF_LIST -1
459
460 /**
461 * Algorithms for encryption
462 */
463 static kernel_algorithm_t encryption_algs[] = {
464 /* {ENCR_DES_IV64, 0 }, */
465 {ENCR_DES, SADB_EALG_DESCBC },
466 {ENCR_3DES, SADB_EALG_3DESCBC },
467 /* {ENCR_RC5, 0 }, */
468 /* {ENCR_IDEA, 0 }, */
469 {ENCR_CAST, SADB_X_EALG_CASTCBC },
470 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
471 /* {ENCR_3IDEA, 0 }, */
472 /* {ENCR_DES_IV32, 0 }, */
473 {ENCR_NULL, SADB_EALG_NULL },
474 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
475 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
476 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
477 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
478 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
479 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
480 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
481 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
482 {END_OF_LIST, 0 },
483 };
484
485 /**
486 * Algorithms for integrity protection
487 */
488 static kernel_algorithm_t integrity_algs[] = {
489 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
490 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
491 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
492 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
493 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
494 /* {AUTH_DES_MAC, 0, }, */
495 /* {AUTH_KPDK_MD5, 0, }, */
496 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
497 {END_OF_LIST, 0, },
498 };
499
500 #if 0
501 /**
502 * Algorithms for IPComp, unused yet
503 */
504 static kernel_algorithm_t compression_algs[] = {
505 /* {IPCOMP_OUI, 0 }, */
506 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
507 {IPCOMP_LZS, SADB_X_CALG_LZS },
508 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
509 {END_OF_LIST, 0 },
510 };
511 #endif
512
513 /**
514 * Look up a kernel algorithm ID and its key size
515 */
516 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
517 {
518 while (list->ikev2 != END_OF_LIST)
519 {
520 if (ikev2 == list->ikev2)
521 {
522 return list->kernel;
523 }
524 list++;
525 }
526 return 0;
527 }
528
529 /**
530 * add a host behind a sadb_address extension
531 */
532 static void host2ext(host_t *host, struct sadb_address *ext)
533 {
534 sockaddr_t *host_addr = host->get_sockaddr(host);
535 socklen_t *len = host->get_sockaddr_len(host);
536 memcpy((char*)(ext + 1), host_addr, *len);
537 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
538 }
539
540 /**
541 * add udp encap extensions to a sadb_msg
542 */
543 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
544 {
545 struct sadb_x_nat_t_type* nat_type;
546 struct sadb_x_nat_t_port* nat_port;
547
548 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
549 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
550 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
551 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
552 PFKEY_EXT_ADD(msg, nat_type);
553
554 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
555 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
556 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
557 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
558 PFKEY_EXT_ADD(msg, nat_port);
559
560 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
561 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
562 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
563 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
564 PFKEY_EXT_ADD(msg, nat_port);
565 }
566
567 /**
568 * Convert a sadb_address to a traffic_selector
569 */
570 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
571 {
572 traffic_selector_t *ts;
573 host_t *host;
574
575 /* The Linux 2.6 kernel does not set the protocol and port information
576 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
577 */
578 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
579 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
580 address->sadb_address_proto, host->get_port(host));
581 host->destroy(host);
582 return ts;
583 }
584
585 /**
586 * Parses a pfkey message received from the kernel
587 */
588 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
589 {
590 struct sadb_ext* ext;
591 size_t len;
592
593 memset(out, 0, sizeof(pfkey_msg_t));
594 out->msg = msg;
595
596 len = msg->sadb_msg_len;
597 len -= PFKEY_LEN(sizeof(struct sadb_msg));
598
599 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
600
601 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
602 {
603 DBG2(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
604 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
605 ext->sadb_ext_len > len)
606 {
607 DBG1(DBG_KNL, "length of %N extension is invalid",
608 sadb_ext_type_names, ext->sadb_ext_type);
609 break;
610 }
611
612 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
613 {
614 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
615 break;
616 }
617
618 if (out->ext[ext->sadb_ext_type])
619 {
620 DBG1(DBG_KNL, "duplicate %N extension",
621 sadb_ext_type_names, ext->sadb_ext_type);
622 break;
623 }
624
625 out->ext[ext->sadb_ext_type] = ext;
626 ext = PFKEY_EXT_NEXT_LEN(ext, len);
627 }
628
629 if (len)
630 {
631 DBG1(DBG_KNL, "PF_KEY message length is invalid");
632 return FAILED;
633 }
634
635 return SUCCESS;
636 }
637
638 /**
639 * Send a message to a specific PF_KEY socket and handle the response.
640 */
641 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
642 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
643 {
644 unsigned char buf[PFKEY_BUFFER_SIZE];
645 struct sadb_msg *msg;
646 int in_len, len;
647
648 this->mutex_pfkey->lock(this->mutex_pfkey);
649
650 in->sadb_msg_seq = ++this->seq;
651 in->sadb_msg_pid = getpid();
652
653 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
654
655 while (TRUE)
656 {
657 len = send(socket, in, in_len, 0);
658
659 if (len != in_len)
660 {
661 if (errno == EINTR)
662 {
663 /* interrupted, try again */
664 continue;
665 }
666 this->mutex_pfkey->unlock(this->mutex_pfkey);
667 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
668 return FAILED;
669 }
670 break;
671 }
672
673 while (TRUE)
674 {
675 msg = (struct sadb_msg*)buf;
676
677 len = recv(socket, buf, sizeof(buf), 0);
678
679 if (len < 0)
680 {
681 if (errno == EINTR)
682 {
683 DBG1(DBG_KNL, "got interrupted");
684 /* interrupted, try again */
685 continue;
686 }
687 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
688 this->mutex_pfkey->unlock(this->mutex_pfkey);
689 return FAILED;
690 }
691 if (len < sizeof(struct sadb_msg) ||
692 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
693 {
694 DBG1(DBG_KNL, "received corrupted PF_KEY message");
695 this->mutex_pfkey->unlock(this->mutex_pfkey);
696 return FAILED;
697 }
698 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
699 {
700 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
701 this->mutex_pfkey->unlock(this->mutex_pfkey);
702 return FAILED;
703 }
704 if (msg->sadb_msg_pid != in->sadb_msg_pid)
705 {
706 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
707 continue;
708 }
709 if (msg->sadb_msg_seq != this->seq)
710 {
711 DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
712 "was %d expected %d", msg->sadb_msg_seq, this->seq);
713 if (msg->sadb_msg_seq < this->seq)
714 {
715 continue;
716 }
717 this->mutex_pfkey->unlock(this->mutex_pfkey);
718 return FAILED;
719 }
720 if (msg->sadb_msg_type != in->sadb_msg_type)
721 {
722 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
723 "was %d expected %d, ignoring",
724 msg->sadb_msg_type, in->sadb_msg_type);
725 }
726 break;
727 }
728
729 *out_len = len;
730 *out = (struct sadb_msg*)malloc(len);
731 memcpy(*out, buf, len);
732
733 this->mutex_pfkey->unlock(this->mutex_pfkey);
734
735 return SUCCESS;
736 }
737
738 /**
739 * Send a message to the default PF_KEY socket and handle the response.
740 */
741 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
742 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
743 {
744 return pfkey_send_socket(this, this->socket, in, out, out_len);
745 }
746
747 /**
748 * Process a SADB_ACQUIRE message from the kernel
749 */
750 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
751 {
752 pfkey_msg_t response;
753 u_int32_t index, reqid = 0;
754 traffic_selector_t *src_ts, *dst_ts;
755 policy_entry_t *policy;
756 job_t *job;
757
758 switch (msg->sadb_msg_satype)
759 {
760 case SADB_SATYPE_UNSPEC:
761 case SADB_SATYPE_ESP:
762 case SADB_SATYPE_AH:
763 break;
764 default:
765 /* acquire for AH/ESP only */
766 return;
767 }
768 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
769
770 if (parse_pfkey_message(msg, &response) != SUCCESS)
771 {
772 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
773 return;
774 }
775
776 index = response.x_policy->sadb_x_policy_id;
777 this->mutex->lock(this->mutex);
778 if (this->policies->find_first(this->policies,
779 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
780 {
781 reqid = policy->reqid;
782 }
783 else
784 {
785 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
786 index);
787 }
788 src_ts = sadb_address2ts(response.src);
789 dst_ts = sadb_address2ts(response.dst);
790 this->mutex->unlock(this->mutex);
791
792 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
793 src_ts, dst_ts, reqid);
794 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
795 charon->processor->queue_job(charon->processor, job);
796 }
797
798 /**
799 * Process a SADB_EXPIRE message from the kernel
800 */
801 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
802 {
803 pfkey_msg_t response;
804 protocol_id_t protocol;
805 u_int32_t spi, reqid;
806 bool hard;
807 job_t *job;
808
809 DBG2(DBG_KNL, "received an SADB_EXPIRE");
810
811 if (parse_pfkey_message(msg, &response) != SUCCESS)
812 {
813 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
814 return;
815 }
816
817 protocol = proto_satype2ike(msg->sadb_msg_satype);
818 spi = response.sa->sadb_sa_spi;
819 reqid = response.x_sa2->sadb_x_sa2_reqid;
820 hard = response.lft_hard != NULL;
821
822 if (protocol != PROTO_ESP && protocol != PROTO_AH)
823 {
824 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
825 "which is not a CHILD_SA", ntohl(spi), reqid);
826 return;
827 }
828
829 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
830 hard ? "delete" : "rekey", protocol_id_names,
831 protocol, ntohl(spi), reqid);
832 if (hard)
833 {
834 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
835 }
836 else
837 {
838 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
839 }
840 charon->processor->queue_job(charon->processor, job);
841 }
842
843 /**
844 * Process a SADB_MIGRATE message from the kernel
845 */
846 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
847 {
848 pfkey_msg_t response;
849 traffic_selector_t *src_ts, *dst_ts;
850 policy_dir_t dir;
851 u_int32_t reqid = 0;
852 host_t *local = NULL, *remote = NULL;
853 job_t *job;
854
855 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
856
857 if (parse_pfkey_message(msg, &response) != SUCCESS)
858 {
859 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
860 return;
861 }
862 src_ts = sadb_address2ts(response.src);
863 dst_ts = sadb_address2ts(response.dst);
864 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
865 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
866 policy_dir_names, dir);
867
868 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
869 if (response.x_kmaddress)
870 {
871 sockaddr_t *local_addr, *remote_addr;
872 u_int32_t local_len;
873
874 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
875 local = host_create_from_sockaddr(local_addr);
876 local_len = (local_addr->sa_family == AF_INET6)?
877 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
878 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
879 remote = host_create_from_sockaddr(remote_addr);
880 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
881 }
882
883 if (src_ts && dst_ts && local && remote)
884 {
885 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
886 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
887 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
888 local, remote);
889 charon->processor->queue_job(charon->processor, job);
890 }
891 else
892 {
893 DESTROY_IF(src_ts);
894 DESTROY_IF(dst_ts);
895 DESTROY_IF(local);
896 DESTROY_IF(remote);
897 }
898 }
899
900 /**
901 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
902 */
903 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
904 {
905 pfkey_msg_t response;
906 u_int32_t spi, reqid;
907 host_t *host;
908 job_t *job;
909
910 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
911
912 if (parse_pfkey_message(msg, &response) != SUCCESS)
913 {
914 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
915 return;
916 }
917
918 if (!response.x_sa2)
919 {
920 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
921 return;
922 }
923
924 spi = response.sa->sadb_sa_spi;
925 reqid = response.x_sa2->sadb_x_sa2_reqid;
926
927 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
928 {
929 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
930 switch (sa->sa_family)
931 {
932 case AF_INET:
933 {
934 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
935 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
936 }
937 case AF_INET6:
938 {
939 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
940 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
941 }
942 default:
943 break;
944 }
945 host = host_create_from_sockaddr(sa);
946 if (host)
947 {
948 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
949 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
950 job = (job_t*)update_sa_job_create(reqid, host);
951 charon->processor->queue_job(charon->processor, job);
952 }
953 }
954 }
955
956 /**
957 * Receives events from kernel
958 */
959 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
960 {
961 unsigned char buf[PFKEY_BUFFER_SIZE];
962 struct sadb_msg *msg = (struct sadb_msg*)buf;
963 int len, oldstate;
964
965 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
966 len = recv(this->socket_events, buf, sizeof(buf), 0);
967 pthread_setcancelstate(oldstate, NULL);
968
969 if (len < 0)
970 {
971 switch (errno)
972 {
973 case EINTR:
974 /* interrupted, try again */
975 return JOB_REQUEUE_DIRECT;
976 case EAGAIN:
977 /* no data ready, select again */
978 return JOB_REQUEUE_DIRECT;
979 default:
980 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
981 sleep(1);
982 return JOB_REQUEUE_FAIR;
983 }
984 }
985
986 if (len < sizeof(struct sadb_msg) ||
987 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
988 {
989 DBG2(DBG_KNL, "received corrupted PF_KEY message");
990 return JOB_REQUEUE_DIRECT;
991 }
992 if (msg->sadb_msg_pid != 0)
993 { /* not from kernel. not interested, try another one */
994 return JOB_REQUEUE_DIRECT;
995 }
996 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
997 {
998 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
999 return JOB_REQUEUE_DIRECT;
1000 }
1001
1002 switch (msg->sadb_msg_type)
1003 {
1004 case SADB_ACQUIRE:
1005 process_acquire(this, msg);
1006 break;
1007 case SADB_EXPIRE:
1008 process_expire(this, msg);
1009 break;
1010 case SADB_X_MIGRATE:
1011 process_migrate(this, msg);
1012 break;
1013 case SADB_X_NAT_T_NEW_MAPPING:
1014 process_mapping(this, msg);
1015 break;
1016 default:
1017 break;
1018 }
1019
1020 return JOB_REQUEUE_DIRECT;
1021 }
1022
1023 /**
1024 * Implementation of kernel_interface_t.get_spi.
1025 */
1026 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
1027 host_t *src, host_t *dst,
1028 protocol_id_t protocol, u_int32_t reqid,
1029 u_int32_t *spi)
1030 {
1031 unsigned char request[PFKEY_BUFFER_SIZE];
1032 struct sadb_msg *msg, *out;
1033 struct sadb_x_sa2 *sa2;
1034 struct sadb_address *addr;
1035 struct sadb_spirange *range;
1036 pfkey_msg_t response;
1037 u_int32_t received_spi = 0;
1038 size_t len;
1039
1040 memset(&request, 0, sizeof(request));
1041
1042 msg = (struct sadb_msg*)request;
1043 msg->sadb_msg_version = PF_KEY_V2;
1044 msg->sadb_msg_type = SADB_GETSPI;
1045 msg->sadb_msg_satype = proto_ike2satype(protocol);
1046 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1047
1048 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1049 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1050 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1051 sa2->sadb_x_sa2_reqid = reqid;
1052 PFKEY_EXT_ADD(msg, sa2);
1053
1054 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1055 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1056 host2ext(src, addr);
1057 PFKEY_EXT_ADD(msg, addr);
1058
1059 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1060 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1061 host2ext(dst, addr);
1062 PFKEY_EXT_ADD(msg, addr);
1063
1064 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1065 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1066 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1067 range->sadb_spirange_min = 0xc0000000;
1068 range->sadb_spirange_max = 0xcFFFFFFF;
1069 PFKEY_EXT_ADD(msg, range);
1070
1071 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1072 {
1073 if (out->sadb_msg_errno)
1074 {
1075 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1076 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1077 }
1078 else if (parse_pfkey_message(out, &response) == SUCCESS)
1079 {
1080 received_spi = response.sa->sadb_sa_spi;
1081 }
1082 free(out);
1083 }
1084
1085 if (received_spi == 0)
1086 {
1087 return FAILED;
1088 }
1089
1090 *spi = received_spi;
1091 return SUCCESS;
1092 }
1093
1094 /**
1095 * Implementation of kernel_interface_t.get_cpi.
1096 */
1097 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
1098 host_t *src, host_t *dst,
1099 u_int32_t reqid, u_int16_t *cpi)
1100 {
1101 return FAILED;
1102 }
1103
1104 /**
1105 * Implementation of kernel_interface_t.add_sa.
1106 */
1107 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
1108 host_t *src, host_t *dst, u_int32_t spi,
1109 protocol_id_t protocol, u_int32_t reqid,
1110 u_int64_t expire_soft, u_int64_t expire_hard,
1111 u_int16_t enc_alg, chunk_t enc_key,
1112 u_int16_t int_alg, chunk_t int_key,
1113 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1114 bool encap, bool inbound)
1115 {
1116 unsigned char request[PFKEY_BUFFER_SIZE];
1117 struct sadb_msg *msg, *out;
1118 struct sadb_sa *sa;
1119 struct sadb_x_sa2 *sa2;
1120 struct sadb_address *addr;
1121 struct sadb_lifetime *lft;
1122 struct sadb_key *key;
1123 size_t len;
1124
1125 memset(&request, 0, sizeof(request));
1126
1127 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1128
1129 msg = (struct sadb_msg*)request;
1130 msg->sadb_msg_version = PF_KEY_V2;
1131 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1132 msg->sadb_msg_satype = proto_ike2satype(protocol);
1133 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1134
1135 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1136 sa->sadb_sa_exttype = SADB_EXT_SA;
1137 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1138 sa->sadb_sa_spi = spi;
1139 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1140 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1141 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1142 PFKEY_EXT_ADD(msg, sa);
1143
1144 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1145 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1146 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1147 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1148 sa2->sadb_x_sa2_reqid = reqid;
1149 PFKEY_EXT_ADD(msg, sa2);
1150
1151 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1152 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1153 host2ext(src, addr);
1154 PFKEY_EXT_ADD(msg, addr);
1155
1156 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1157 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1158 host2ext(dst, addr);
1159 PFKEY_EXT_ADD(msg, addr);
1160
1161 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1162 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1163 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1164 lft->sadb_lifetime_addtime = expire_soft;
1165 PFKEY_EXT_ADD(msg, lft);
1166
1167 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1168 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1169 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1170 lft->sadb_lifetime_addtime = expire_hard;
1171 PFKEY_EXT_ADD(msg, lft);
1172
1173 if (enc_alg != ENCR_UNDEFINED)
1174 {
1175 if (!sa->sadb_sa_encrypt)
1176 {
1177 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1178 encryption_algorithm_names, enc_alg);
1179 return FAILED;
1180 }
1181 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1182 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1183
1184 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1185 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1186 key->sadb_key_bits = enc_key.len * 8;
1187 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1188 memcpy(key + 1, enc_key.ptr, enc_key.len);
1189
1190 PFKEY_EXT_ADD(msg, key);
1191 }
1192
1193 if (int_alg != AUTH_UNDEFINED)
1194 {
1195 if (!sa->sadb_sa_auth)
1196 {
1197 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1198 integrity_algorithm_names, int_alg);
1199 return FAILED;
1200 }
1201 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1202 integrity_algorithm_names, int_alg, int_key.len * 8);
1203
1204 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1205 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1206 key->sadb_key_bits = int_key.len * 8;
1207 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1208 memcpy(key + 1, int_key.ptr, int_key.len);
1209
1210 PFKEY_EXT_ADD(msg, key);
1211 }
1212
1213 if (ipcomp != IPCOMP_NONE)
1214 {
1215 /*TODO*/
1216 }
1217
1218 if (encap)
1219 {
1220 add_encap_ext(msg, src, dst);
1221 }
1222
1223 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1224 {
1225 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1226 return FAILED;
1227 }
1228 else if (out->sadb_msg_errno)
1229 {
1230 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1231 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1232 free(out);
1233 return FAILED;
1234 }
1235
1236 free(out);
1237 return SUCCESS;
1238 }
1239
1240 /**
1241 * Implementation of kernel_interface_t.update_sa.
1242 */
1243 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1244 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1245 host_t *src, host_t *dst,
1246 host_t *new_src, host_t *new_dst,
1247 bool encap, bool new_encap)
1248 {
1249 unsigned char request[PFKEY_BUFFER_SIZE];
1250 struct sadb_msg *msg, *out;
1251 struct sadb_sa *sa;
1252 struct sadb_address *addr;
1253 pfkey_msg_t response;
1254 size_t len;
1255
1256 /* we can't update the SA if any of the ip addresses have changed.
1257 * that's because we can't use SADB_UPDATE and by deleting and readding the
1258 * SA the sequence numbers would get lost */
1259 if (!src->ip_equals(src, new_src) ||
1260 !dst->ip_equals(dst, new_dst))
1261 {
1262 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
1263 " are not supported", ntohl(spi));
1264 return NOT_SUPPORTED;
1265 }
1266
1267 memset(&request, 0, sizeof(request));
1268
1269 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1270
1271 msg = (struct sadb_msg*)request;
1272 msg->sadb_msg_version = PF_KEY_V2;
1273 msg->sadb_msg_type = SADB_GET;
1274 msg->sadb_msg_satype = proto_ike2satype(protocol);
1275 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1276
1277 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1278 sa->sadb_sa_exttype = SADB_EXT_SA;
1279 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1280 sa->sadb_sa_spi = spi;
1281 PFKEY_EXT_ADD(msg, sa);
1282
1283 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1284 * it is not used for anything, so we just send dst twice */
1285 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1286 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1287 host2ext(dst, addr);
1288 PFKEY_EXT_ADD(msg, addr);
1289
1290 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1291 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1292 host2ext(dst, addr);
1293 PFKEY_EXT_ADD(msg, addr);
1294
1295 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1296 {
1297 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1298 ntohl(spi));
1299 return FAILED;
1300 }
1301 else if (out->sadb_msg_errno)
1302 {
1303 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1304 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1305 free(out);
1306 return FAILED;
1307 }
1308 else if (parse_pfkey_message(out, &response) != SUCCESS)
1309 {
1310 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1311 "from kernel failed", ntohl(spi));
1312 free(out);
1313 return FAILED;
1314 }
1315
1316 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1317 ntohl(spi), src, dst, new_src, new_dst);
1318
1319 memset(&request, 0, sizeof(request));
1320
1321 msg = (struct sadb_msg*)request;
1322 msg->sadb_msg_version = PF_KEY_V2;
1323 msg->sadb_msg_type = SADB_UPDATE;
1324 msg->sadb_msg_satype = proto_ike2satype(protocol);
1325 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1326
1327 PFKEY_EXT_COPY(msg, response.sa);
1328 PFKEY_EXT_COPY(msg, response.x_sa2);
1329
1330 PFKEY_EXT_COPY(msg, response.src);
1331 PFKEY_EXT_COPY(msg, response.dst);
1332
1333 PFKEY_EXT_COPY(msg, response.lft_soft);
1334 PFKEY_EXT_COPY(msg, response.lft_hard);
1335
1336 if (response.key_encr)
1337 {
1338 PFKEY_EXT_COPY(msg, response.key_encr);
1339 }
1340
1341 if (response.key_auth)
1342 {
1343 PFKEY_EXT_COPY(msg, response.key_auth);
1344 }
1345
1346 if (new_encap)
1347 {
1348 add_encap_ext(msg, new_src, new_dst);
1349 }
1350
1351 free(out);
1352
1353 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1354 {
1355 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1356 return FAILED;
1357 }
1358 else if (out->sadb_msg_errno)
1359 {
1360 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1361 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1362 free(out);
1363 return FAILED;
1364 }
1365 free(out);
1366
1367 return SUCCESS;
1368 }
1369
1370 /**
1371 * Implementation of kernel_interface_t.del_sa.
1372 */
1373 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
1374 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
1375 {
1376 unsigned char request[PFKEY_BUFFER_SIZE];
1377 struct sadb_msg *msg, *out;
1378 struct sadb_sa *sa;
1379 struct sadb_address *addr;
1380 size_t len;
1381
1382 memset(&request, 0, sizeof(request));
1383
1384 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1385
1386 msg = (struct sadb_msg*)request;
1387 msg->sadb_msg_version = PF_KEY_V2;
1388 msg->sadb_msg_type = SADB_DELETE;
1389 msg->sadb_msg_satype = proto_ike2satype(protocol);
1390 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1391
1392 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1393 sa->sadb_sa_exttype = SADB_EXT_SA;
1394 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1395 sa->sadb_sa_spi = spi;
1396 PFKEY_EXT_ADD(msg, sa);
1397
1398 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1399 * it is not used for anything, so we just send dst twice */
1400 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1401 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1402 host2ext(dst, addr);
1403 PFKEY_EXT_ADD(msg, addr);
1404
1405 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1406 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1407 host2ext(dst, addr);
1408 PFKEY_EXT_ADD(msg, addr);
1409
1410 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1411 {
1412 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1413 return FAILED;
1414 }
1415 else if (out->sadb_msg_errno)
1416 {
1417 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1418 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1419 free(out);
1420 return FAILED;
1421 }
1422
1423 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1424 free(out);
1425 return SUCCESS;
1426 }
1427
1428 /**
1429 * Implementation of kernel_interface_t.add_policy.
1430 */
1431 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1432 host_t *src, host_t *dst,
1433 traffic_selector_t *src_ts,
1434 traffic_selector_t *dst_ts,
1435 policy_dir_t direction, u_int32_t spi,
1436 protocol_id_t protocol, u_int32_t reqid,
1437 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1438 bool routed)
1439 {
1440 unsigned char request[PFKEY_BUFFER_SIZE];
1441 struct sadb_msg *msg, *out;
1442 struct sadb_x_policy *pol;
1443 struct sadb_address *addr;
1444 struct sadb_x_ipsecrequest *req;
1445 policy_entry_t *policy, *found = NULL;
1446 pfkey_msg_t response;
1447 size_t len;
1448
1449 /* create a policy */
1450 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1451
1452 /* find a matching policy */
1453 this->mutex->lock(this->mutex);
1454 if (this->policies->find_first(this->policies,
1455 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1456 {
1457 /* use existing policy */
1458 found->refcount++;
1459 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1460 "refcount", src_ts, dst_ts,
1461 policy_dir_names, direction);
1462 policy_entry_destroy(policy);
1463 policy = found;
1464 }
1465 else
1466 {
1467 /* apply the new one, if we have no such policy */
1468 this->policies->insert_last(this->policies, policy);
1469 policy->refcount = 1;
1470 }
1471
1472 memset(&request, 0, sizeof(request));
1473
1474 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1475 policy_dir_names, direction);
1476
1477 msg = (struct sadb_msg*)request;
1478 msg->sadb_msg_version = PF_KEY_V2;
1479 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1480 msg->sadb_msg_satype = 0;
1481 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1482
1483 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1484 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1485 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1486 pol->sadb_x_policy_id = 0;
1487 pol->sadb_x_policy_dir = dir2kernel(direction);
1488 /* calculate priority based on source selector size, small size = high prio */
1489 pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
1490 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1491 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1492 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1493 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1494
1495 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1496 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1497 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1498 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1499 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1500 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1501 req->sadb_x_ipsecrequest_reqid = reqid;
1502 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1503 if (mode == MODE_TUNNEL)
1504 {
1505 sockaddr_t *sa;
1506 socklen_t sl;
1507 sa = src->get_sockaddr(src);
1508 sl = *src->get_sockaddr_len(src);
1509 memcpy(req + 1, sa, sl);
1510 sa = dst->get_sockaddr(dst);
1511 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1512 req->sadb_x_ipsecrequest_len += sl * 2;
1513 }
1514
1515 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1516 PFKEY_EXT_ADD(msg, pol);
1517
1518 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1519 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1520 addr->sadb_address_proto = policy->src.proto;
1521 addr->sadb_address_prefixlen = policy->src.mask;
1522 host2ext(policy->src.net, addr);
1523 PFKEY_EXT_ADD(msg, addr);
1524
1525 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1526 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1527 addr->sadb_address_proto = policy->dst.proto;
1528 addr->sadb_address_prefixlen = policy->dst.mask;
1529 host2ext(policy->dst.net, addr);
1530 PFKEY_EXT_ADD(msg, addr);
1531
1532 this->mutex->unlock(this->mutex);
1533
1534 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1535 {
1536 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1537 policy_dir_names, direction);
1538 return FAILED;
1539 }
1540 else if (out->sadb_msg_errno)
1541 {
1542 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1543 policy_dir_names, direction,
1544 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1545 free(out);
1546 return FAILED;
1547 }
1548 else if (parse_pfkey_message(out, &response) != SUCCESS)
1549 {
1550 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1551 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1552 free(out);
1553 return FAILED;
1554 }
1555
1556 this->mutex->lock(this->mutex);
1557
1558 /* we try to find the policy again and update the kernel index */
1559 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1560 {
1561 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1562 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1563 this->mutex->unlock(this->mutex);
1564 free(out);
1565 return SUCCESS;
1566 }
1567 policy->index = response.x_policy->sadb_x_policy_id;
1568 free(out);
1569
1570 /* install a route, if:
1571 * - we are NOT updating a policy
1572 * - this is a forward policy (to just get one for each child)
1573 * - we are in tunnel mode
1574 * - we are not using IPv6 (does not work correctly yet!)
1575 * - routing is not disabled via strongswan.conf
1576 */
1577 if (policy->route == NULL && direction == POLICY_FWD &&
1578 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1579 this->install_routes)
1580 {
1581 route_entry_t *route = malloc_thing(route_entry_t);
1582
1583 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1584 dst_ts, &route->src_ip) == SUCCESS)
1585 {
1586 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1587 route->gateway = charon->kernel_interface->get_nexthop(
1588 charon->kernel_interface, src);
1589 route->if_name = charon->kernel_interface->get_interface(
1590 charon->kernel_interface, dst);
1591 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1592 route->prefixlen = policy->src.mask;
1593
1594 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1595 route->dst_net, route->prefixlen, route->gateway,
1596 route->src_ip, route->if_name))
1597 {
1598 default:
1599 DBG1(DBG_KNL, "unable to install source route for %H",
1600 route->src_ip);
1601 /* FALL */
1602 case ALREADY_DONE:
1603 /* route exists, do not uninstall */
1604 route_entry_destroy(route);
1605 break;
1606 case SUCCESS:
1607 /* cache the installed route */
1608 policy->route = route;
1609 break;
1610 }
1611 }
1612 else
1613 {
1614 free(route);
1615 }
1616 }
1617
1618 this->mutex->unlock(this->mutex);
1619
1620 return SUCCESS;
1621 }
1622
1623 /**
1624 * Implementation of kernel_interface_t.query_policy.
1625 */
1626 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1627 traffic_selector_t *src_ts,
1628 traffic_selector_t *dst_ts,
1629 policy_dir_t direction, u_int32_t *use_time)
1630 {
1631 unsigned char request[PFKEY_BUFFER_SIZE];
1632 struct sadb_msg *msg, *out;
1633 struct sadb_x_policy *pol;
1634 struct sadb_address *addr;
1635 policy_entry_t *policy, *found = NULL;
1636 pfkey_msg_t response;
1637 size_t len;
1638
1639 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1640 policy_dir_names, direction);
1641
1642 /* create a policy */
1643 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1644
1645 /* find a matching policy */
1646 this->mutex->lock(this->mutex);
1647 if (this->policies->find_first(this->policies,
1648 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1649 {
1650 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1651 dst_ts, policy_dir_names, direction);
1652 policy_entry_destroy(policy);
1653 this->mutex->unlock(this->mutex);
1654 return NOT_FOUND;
1655 }
1656 policy_entry_destroy(policy);
1657 policy = found;
1658
1659 memset(&request, 0, sizeof(request));
1660
1661 msg = (struct sadb_msg*)request;
1662 msg->sadb_msg_version = PF_KEY_V2;
1663 msg->sadb_msg_type = SADB_X_SPDGET;
1664 msg->sadb_msg_satype = 0;
1665 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1666
1667 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1668 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1669 pol->sadb_x_policy_id = policy->index;
1670 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1671 pol->sadb_x_policy_dir = dir2kernel(direction);
1672 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1673 PFKEY_EXT_ADD(msg, pol);
1674
1675 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1676 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1677 addr->sadb_address_proto = policy->src.proto;
1678 addr->sadb_address_prefixlen = policy->src.mask;
1679 host2ext(policy->src.net, addr);
1680 PFKEY_EXT_ADD(msg, addr);
1681
1682 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1683 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1684 addr->sadb_address_proto = policy->dst.proto;
1685 addr->sadb_address_prefixlen = policy->dst.mask;
1686 host2ext(policy->dst.net, addr);
1687 PFKEY_EXT_ADD(msg, addr);
1688
1689 this->mutex->unlock(this->mutex);
1690
1691 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1692 {
1693 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1694 policy_dir_names, direction);
1695 return FAILED;
1696 }
1697 else if (out->sadb_msg_errno)
1698 {
1699 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1700 dst_ts, policy_dir_names, direction,
1701 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1702 free(out);
1703 return FAILED;
1704 }
1705 else if (parse_pfkey_message(out, &response) != SUCCESS)
1706 {
1707 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1708 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1709 free(out);
1710 return FAILED;
1711 }
1712
1713 *use_time = response.lft_current->sadb_lifetime_usetime;
1714
1715 free(out);
1716
1717 return SUCCESS;
1718 }
1719
1720 /**
1721 * Implementation of kernel_interface_t.del_policy.
1722 */
1723 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1724 traffic_selector_t *src_ts,
1725 traffic_selector_t *dst_ts,
1726 policy_dir_t direction, bool unrouted)
1727 {
1728 unsigned char request[PFKEY_BUFFER_SIZE];
1729 struct sadb_msg *msg, *out;
1730 struct sadb_x_policy *pol;
1731 struct sadb_address *addr;
1732 policy_entry_t *policy, *found = NULL;
1733 route_entry_t *route;
1734 size_t len;
1735
1736 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1737 policy_dir_names, direction);
1738
1739 /* create a policy */
1740 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1741
1742 /* find a matching policy */
1743 this->mutex->lock(this->mutex);
1744 if (this->policies->find_first(this->policies,
1745 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1746 {
1747 if (--found->refcount > 0)
1748 {
1749 /* is used by more SAs, keep in kernel */
1750 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1751 policy_entry_destroy(policy);
1752 this->mutex->unlock(this->mutex);
1753 return SUCCESS;
1754 }
1755 /* remove if last reference */
1756 this->policies->remove(this->policies, found, NULL);
1757 policy_entry_destroy(policy);
1758 policy = found;
1759 }
1760 else
1761 {
1762 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1763 dst_ts, policy_dir_names, direction);
1764 policy_entry_destroy(policy);
1765 this->mutex->unlock(this->mutex);
1766 return NOT_FOUND;
1767 }
1768 this->mutex->unlock(this->mutex);
1769
1770 memset(&request, 0, sizeof(request));
1771
1772 msg = (struct sadb_msg*)request;
1773 msg->sadb_msg_version = PF_KEY_V2;
1774 msg->sadb_msg_type = SADB_X_SPDDELETE;
1775 msg->sadb_msg_satype = 0;
1776 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1777
1778 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1779 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1780 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1781 pol->sadb_x_policy_dir = dir2kernel(direction);
1782 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1783 PFKEY_EXT_ADD(msg, pol);
1784
1785 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1786 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1787 addr->sadb_address_proto = policy->src.proto;
1788 addr->sadb_address_prefixlen = policy->src.mask;
1789 host2ext(policy->src.net, addr);
1790 PFKEY_EXT_ADD(msg, addr);
1791
1792 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1793 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1794 addr->sadb_address_proto = policy->dst.proto;
1795 addr->sadb_address_prefixlen = policy->dst.mask;
1796 host2ext(policy->dst.net, addr);
1797 PFKEY_EXT_ADD(msg, addr);
1798
1799 route = policy->route;
1800 policy->route = NULL;
1801 policy_entry_destroy(policy);
1802
1803 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1804 {
1805 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1806 policy_dir_names, direction);
1807 return FAILED;
1808 }
1809 else if (out->sadb_msg_errno)
1810 {
1811 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
1812 dst_ts, policy_dir_names, direction,
1813 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1814 free(out);
1815 return FAILED;
1816 }
1817 free(out);
1818
1819 if (route)
1820 {
1821 if (charon->kernel_interface->del_route(charon->kernel_interface,
1822 route->dst_net, route->prefixlen, route->gateway,
1823 route->src_ip, route->if_name) != SUCCESS)
1824 {
1825 DBG1(DBG_KNL, "error uninstalling route installed with "
1826 "policy %R === %R %N", src_ts, dst_ts,
1827 policy_dir_names, direction);
1828 }
1829 route_entry_destroy(route);
1830 }
1831
1832 return SUCCESS;
1833 }
1834
1835 /**
1836 * Register a socket for AQUIRE/EXPIRE messages
1837 */
1838 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
1839 {
1840 unsigned char request[PFKEY_BUFFER_SIZE];
1841 struct sadb_msg *msg, *out;
1842 size_t len;
1843
1844 memset(&request, 0, sizeof(request));
1845
1846 msg = (struct sadb_msg*)request;
1847 msg->sadb_msg_version = PF_KEY_V2;
1848 msg->sadb_msg_type = SADB_REGISTER;
1849 msg->sadb_msg_satype = satype;
1850 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1851
1852 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
1853 {
1854 DBG1(DBG_KNL, "unable to register PF_KEY socket");
1855 return FAILED;
1856 }
1857 else if (out->sadb_msg_errno)
1858 {
1859 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
1860 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1861 free(out);
1862 return FAILED;
1863 }
1864 free(out);
1865 return SUCCESS;
1866 }
1867
1868 /**
1869 * Implementation of kernel_interface_t.destroy.
1870 */
1871 static void destroy(private_kernel_pfkey_ipsec_t *this)
1872 {
1873 this->job->cancel(this->job);
1874 close(this->socket);
1875 close(this->socket_events);
1876 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
1877 this->mutex->destroy(this->mutex);
1878 this->mutex_pfkey->destroy(this->mutex_pfkey);
1879 free(this);
1880 }
1881
1882 /**
1883 * Add bypass policies for IKE on the sockets of charon
1884 */
1885 static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
1886 {
1887 int fd, family, port;
1888 enumerator_t *sockets;
1889 bool status = TRUE;
1890
1891 sockets = charon->socket->create_enumerator(charon->socket);
1892 while (sockets->enumerate(sockets, &fd, &family, &port))
1893 {
1894 struct sadb_x_policy policy;
1895 u_int sol, ipsec_policy;
1896
1897 switch (family)
1898 {
1899 case AF_INET:
1900 sol = SOL_IP;
1901 ipsec_policy = IP_IPSEC_POLICY;
1902 break;
1903 case AF_INET6:
1904 {
1905 sol = SOL_IPV6;
1906 ipsec_policy = IPV6_IPSEC_POLICY;
1907 break;
1908 }
1909 }
1910
1911 memset(&policy, 0, sizeof(policy));
1912 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
1913 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1914 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
1915
1916 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
1917 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1918 {
1919 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1920 strerror(errno));
1921 status = FALSE;
1922 break;
1923 }
1924 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
1925 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1926 {
1927 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1928 strerror(errno));
1929 status = FALSE;
1930 break;
1931 }
1932 }
1933 sockets->destroy(sockets);
1934 return status;
1935 }
1936
1937 /*
1938 * Described in header.
1939 */
1940 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
1941 {
1942 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
1943
1944 /* public functions */
1945 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1946 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1947 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
1948 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
1949 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
1950 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
1951 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1952 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
1953
1954 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1955
1956 /* private members */
1957 this->policies = linked_list_create();
1958 this->mutex = mutex_create(MUTEX_DEFAULT);
1959 this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
1960 this->install_routes = lib->settings->get_bool(lib->settings,
1961 "charon.install_routes", TRUE);
1962 this->seq = 0;
1963
1964 /* create a PF_KEY socket to communicate with the kernel */
1965 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1966 if (this->socket <= 0)
1967 {
1968 charon->kill(charon, "unable to create PF_KEY socket");
1969 }
1970
1971 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
1972 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1973 if (this->socket_events <= 0)
1974 {
1975 charon->kill(charon, "unable to create PF_KEY event socket");
1976 }
1977
1978 /* add bypass policies on the sockets used by charon */
1979 if (!add_bypass_policies(this))
1980 {
1981 charon->kill(charon, "unable to add bypass policies on sockets");
1982 }
1983
1984 /* register the event socket */
1985 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
1986 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
1987 {
1988 charon->kill(charon, "unable to register PF_KEY event socket");
1989 }
1990
1991 this->job = callback_job_create((callback_job_cb_t)receive_events,
1992 this, NULL, NULL);
1993 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1994
1995 return &this->public;
1996 }