FreeBSD returns the current policy use time only after specifying a hard lifetime...
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2009 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef HAVE_NET_PFKEYV2_H
21 #include <net/pfkeyv2.h>
22 #else
23 #include <stdint.h>
24 #include <linux/pfkeyv2.h>
25 #endif
26
27 #ifdef SADB_X_EXT_NAT_T_TYPE
28 #define HAVE_NATT
29 #endif
30
31 #ifdef HAVE_NETIPSEC_IPSEC_H
32 #include <netipsec/ipsec.h>
33 #elif defined(HAVE_NETINET6_IPSEC_H)
34 #include <netinet6/ipsec.h>
35 #else
36 #include <linux/ipsec.h>
37 #endif
38
39 #ifdef HAVE_NATT
40 #ifdef HAVE_LINUX_UDP_H
41 #include <linux/udp.h>
42 #else
43 #include <netinet/udp.h>
44 #endif /*HAVE_LINUX_UDP_H*/
45 #endif /*HAVE_NATT*/
46
47 #include <unistd.h>
48 #include <pthread.h>
49 #include <errno.h>
50
51 #include "kernel_pfkey_ipsec.h"
52
53 #include <daemon.h>
54 #include <utils/host.h>
55 #include <utils/mutex.h>
56 #include <processing/jobs/callback_job.h>
57 #include <processing/jobs/acquire_job.h>
58 #include <processing/jobs/migrate_job.h>
59 #include <processing/jobs/rekey_child_sa_job.h>
60 #include <processing/jobs/delete_child_sa_job.h>
61 #include <processing/jobs/update_sa_job.h>
62
63 /** non linux specific */
64 #ifndef IPPROTO_COMP
65 #define IPPROTO_COMP IPPROTO_IPCOMP
66 #endif
67
68 #ifndef SADB_X_AALG_SHA2_256HMAC
69 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
70 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
71 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
72 #endif
73
74 #ifndef SADB_X_EALG_AESCBC
75 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
76 #endif
77
78 #ifndef SADB_X_EALG_CASTCBC
79 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
80 #endif
81
82 #ifndef SOL_IP
83 #define SOL_IP IPPROTO_IP
84 #define SOL_IPV6 IPPROTO_IPV6
85 #endif
86
87 /** from linux/in.h */
88 #ifndef IP_IPSEC_POLICY
89 #define IP_IPSEC_POLICY 16
90 #endif
91
92 /** missing on uclibc */
93 #ifndef IPV6_IPSEC_POLICY
94 #define IPV6_IPSEC_POLICY 34
95 #endif
96
97 /** default priority of installed policies */
98 #define PRIO_LOW 3000
99 #define PRIO_HIGH 2000
100
101 #ifdef __APPLE__
102 /** from xnu/bsd/net/pfkeyv2.h */
103 #define SADB_X_EXT_NATT 0x002
104 struct sadb_sa_2 {
105 struct sadb_sa sa;
106 u_int16_t sadb_sa_natt_port;
107 u_int16_t sadb_reserved0;
108 u_int32_t sadb_reserved1;
109 };
110 #endif
111
112 /** buffer size for PF_KEY messages */
113 #define PFKEY_BUFFER_SIZE 4096
114
115 /** PF_KEY messages are 64 bit aligned */
116 #define PFKEY_ALIGNMENT 8
117 /** aligns len to 64 bits */
118 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
119 /** calculates the properly padded length in 64 bit chunks */
120 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
121 /** calculates user mode length i.e. in bytes */
122 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
123
124 /** given a PF_KEY message header and an extension this updates the length in the header */
125 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
126 /** given a PF_KEY message header this returns a pointer to the next extension */
127 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
128 /** copy an extension and append it to a PF_KEY message */
129 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
130 /** given a PF_KEY extension this returns a pointer to the next extension */
131 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
132 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
133 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
134 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
135 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
136 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
137 (ext)->sadb_ext_len <= (len))
138
139 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
140
141 /**
142 * Private variables and functions of kernel_pfkey class.
143 */
144 struct private_kernel_pfkey_ipsec_t
145 {
146 /**
147 * Public part of the kernel_pfkey_t object.
148 */
149 kernel_pfkey_ipsec_t public;
150
151 /**
152 * mutex to lock access to various lists
153 */
154 mutex_t *mutex;
155
156 /**
157 * List of installed policies (policy_entry_t)
158 */
159 linked_list_t *policies;
160
161 /**
162 * whether to install routes along policies
163 */
164 bool install_routes;
165
166 /**
167 * job receiving PF_KEY events
168 */
169 callback_job_t *job;
170
171 /**
172 * mutex to lock access to the PF_KEY socket
173 */
174 mutex_t *mutex_pfkey;
175
176 /**
177 * PF_KEY socket to communicate with the kernel
178 */
179 int socket;
180
181 /**
182 * PF_KEY socket to receive acquire and expire events
183 */
184 int socket_events;
185
186 /**
187 * sequence number for messages sent to the kernel
188 */
189 int seq;
190 };
191
192 typedef struct route_entry_t route_entry_t;
193
194 /**
195 * installed routing entry
196 */
197 struct route_entry_t {
198 /** Name of the interface the route is bound to */
199 char *if_name;
200
201 /** Source ip of the route */
202 host_t *src_ip;
203
204 /** gateway for this route */
205 host_t *gateway;
206
207 /** Destination net */
208 chunk_t dst_net;
209
210 /** Destination net prefixlen */
211 u_int8_t prefixlen;
212 };
213
214 /**
215 * destroy an route_entry_t object
216 */
217 static void route_entry_destroy(route_entry_t *this)
218 {
219 free(this->if_name);
220 DESTROY_IF(this->src_ip);
221 DESTROY_IF(this->gateway);
222 chunk_free(&this->dst_net);
223 free(this);
224 }
225
226 typedef struct policy_entry_t policy_entry_t;
227
228 /**
229 * installed kernel policy.
230 */
231 struct policy_entry_t {
232
233 /** reqid of this policy */
234 u_int32_t reqid;
235
236 /** index assigned by the kernel */
237 u_int32_t index;
238
239 /** direction of this policy: in, out, forward */
240 u_int8_t direction;
241
242 /** parameters of installed policy */
243 struct {
244 /** subnet and port */
245 host_t *net;
246 /** subnet mask */
247 u_int8_t mask;
248 /** protocol */
249 u_int8_t proto;
250 } src, dst;
251
252 /** associated route installed for this policy */
253 route_entry_t *route;
254
255 /** by how many CHILD_SA's this policy is used */
256 u_int refcount;
257 };
258
259 /**
260 * create a policy_entry_t object
261 */
262 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
263 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
264 {
265 policy_entry_t *policy = malloc_thing(policy_entry_t);
266 policy->reqid = reqid;
267 policy->index = 0;
268 policy->direction = dir;
269 policy->route = NULL;
270 policy->refcount = 0;
271
272 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
273 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
274
275 /* src or dest proto may be "any" (0), use more restrictive one */
276 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
277 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
278 policy->dst.proto = policy->src.proto;
279
280 return policy;
281 }
282
283 /**
284 * destroy a policy_entry_t object
285 */
286 static void policy_entry_destroy(policy_entry_t *this)
287 {
288 DESTROY_IF(this->src.net);
289 DESTROY_IF(this->dst.net);
290 if (this->route)
291 {
292 route_entry_destroy(this->route);
293 }
294 free(this);
295 }
296
297 /**
298 * compares two policy_entry_t
299 */
300 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
301 {
302 return current->direction == policy->direction &&
303 current->src.proto == policy->src.proto &&
304 current->dst.proto == policy->dst.proto &&
305 current->src.mask == policy->src.mask &&
306 current->dst.mask == policy->dst.mask &&
307 current->src.net->equals(current->src.net, policy->src.net) &&
308 current->dst.net->equals(current->dst.net, policy->dst.net);
309 }
310
311 /**
312 * compare the given kernel index with that of a policy
313 */
314 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
315 {
316 return current->index == *index;
317 }
318
319 typedef struct pfkey_msg_t pfkey_msg_t;
320
321 struct pfkey_msg_t
322 {
323 /**
324 * PF_KEY message base
325 */
326 struct sadb_msg *msg;
327
328 /**
329 * PF_KEY message extensions
330 */
331 union {
332 struct sadb_ext *ext[SADB_EXT_MAX + 1];
333 struct {
334 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
335 struct sadb_sa *sa; /* SADB_EXT_SA */
336 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
337 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
338 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
339 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
340 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
341 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
342 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
343 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
344 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
345 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
346 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
347 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
348 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
349 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
350 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
351 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
352 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
353 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
354 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
355 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
356 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
357 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
358 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
359 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
360 } __attribute__((__packed__));
361 };
362 };
363
364 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
365 "SADB_EXT_RESERVED",
366 "SADB_EXT_SA",
367 "SADB_EXT_LIFETIME_CURRENT",
368 "SADB_EXT_LIFETIME_HARD",
369 "SADB_EXT_LIFETIME_SOFT",
370 "SADB_EXT_ADDRESS_SRC",
371 "SADB_EXT_ADDRESS_DST",
372 "SADB_EXT_ADDRESS_PROXY",
373 "SADB_EXT_KEY_AUTH",
374 "SADB_EXT_KEY_ENCRYPT",
375 "SADB_EXT_IDENTITY_SRC",
376 "SADB_EXT_IDENTITY_DST",
377 "SADB_EXT_SENSITIVITY",
378 "SADB_EXT_PROPOSAL",
379 "SADB_EXT_SUPPORTED_AUTH",
380 "SADB_EXT_SUPPORTED_ENCRYPT",
381 "SADB_EXT_SPIRANGE",
382 "SADB_X_EXT_KMPRIVATE",
383 "SADB_X_EXT_POLICY",
384 "SADB_X_EXT_SA2",
385 "SADB_X_EXT_NAT_T_TYPE",
386 "SADB_X_EXT_NAT_T_SPORT",
387 "SADB_X_EXT_NAT_T_DPORT",
388 "SADB_X_EXT_NAT_T_OA",
389 "SADB_X_EXT_SEC_CTX",
390 "SADB_X_EXT_KMADDRESS"
391 );
392
393 /**
394 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
395 */
396 static u_int8_t proto_ike2satype(protocol_id_t proto)
397 {
398 switch (proto)
399 {
400 case PROTO_ESP:
401 return SADB_SATYPE_ESP;
402 case PROTO_AH:
403 return SADB_SATYPE_AH;
404 case IPPROTO_COMP:
405 return SADB_X_SATYPE_IPCOMP;
406 default:
407 return proto;
408 }
409 }
410
411 /**
412 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
413 */
414 static protocol_id_t proto_satype2ike(u_int8_t proto)
415 {
416 switch (proto)
417 {
418 case SADB_SATYPE_ESP:
419 return PROTO_ESP;
420 case SADB_SATYPE_AH:
421 return PROTO_AH;
422 case SADB_X_SATYPE_IPCOMP:
423 return IPPROTO_COMP;
424 default:
425 return proto;
426 }
427 }
428
429 /**
430 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
431 */
432 static u_int8_t proto_ike2ip(protocol_id_t proto)
433 {
434 switch (proto)
435 {
436 case PROTO_ESP:
437 return IPPROTO_ESP;
438 case PROTO_AH:
439 return IPPROTO_AH;
440 default:
441 return proto;
442 }
443 }
444
445 /**
446 * convert the general ipsec mode to the one defined in ipsec.h
447 */
448 static u_int8_t mode2kernel(ipsec_mode_t mode)
449 {
450 switch (mode)
451 {
452 case MODE_TRANSPORT:
453 return IPSEC_MODE_TRANSPORT;
454 case MODE_TUNNEL:
455 return IPSEC_MODE_TUNNEL;
456 #ifdef HAVE_IPSEC_MODE_BEET
457 case MODE_BEET:
458 return IPSEC_MODE_BEET;
459 #endif
460 default:
461 return mode;
462 }
463 }
464
465 /**
466 * convert the general policy direction to the one defined in ipsec.h
467 */
468 static u_int8_t dir2kernel(policy_dir_t dir)
469 {
470 switch (dir)
471 {
472 case POLICY_IN:
473 return IPSEC_DIR_INBOUND;
474 case POLICY_OUT:
475 return IPSEC_DIR_OUTBOUND;
476 #ifdef HAVE_IPSEC_DIR_FWD
477 case POLICY_FWD:
478 return IPSEC_DIR_FWD;
479 #endif
480 default:
481 return IPSEC_DIR_INVALID;
482 }
483 }
484
485 #ifdef SADB_X_MIGRATE
486 /**
487 * convert the policy direction in ipsec.h to the general one.
488 */
489 static policy_dir_t kernel2dir(u_int8_t dir)
490 {
491 switch (dir)
492 {
493 case IPSEC_DIR_INBOUND:
494 return POLICY_IN;
495 case IPSEC_DIR_OUTBOUND:
496 return POLICY_OUT;
497 #ifdef HAVE_IPSEC_DIR_FWD
498 case IPSEC_DIR_FWD:
499 return POLICY_FWD;
500 #endif
501 default:
502 return dir;
503 }
504 }
505 #endif /*SADB_X_MIGRATE*/
506
507 typedef struct kernel_algorithm_t kernel_algorithm_t;
508
509 /**
510 * Mapping of IKEv2 algorithms to PF_KEY algorithms
511 */
512 struct kernel_algorithm_t {
513 /**
514 * Identifier specified in IKEv2
515 */
516 int ikev2;
517
518 /**
519 * Identifier as defined in pfkeyv2.h
520 */
521 int kernel;
522 };
523
524 #define END_OF_LIST -1
525
526 /**
527 * Algorithms for encryption
528 */
529 static kernel_algorithm_t encryption_algs[] = {
530 /* {ENCR_DES_IV64, 0 }, */
531 {ENCR_DES, SADB_EALG_DESCBC },
532 {ENCR_3DES, SADB_EALG_3DESCBC },
533 /* {ENCR_RC5, 0 }, */
534 /* {ENCR_IDEA, 0 }, */
535 {ENCR_CAST, SADB_X_EALG_CASTCBC },
536 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
537 /* {ENCR_3IDEA, 0 }, */
538 /* {ENCR_DES_IV32, 0 }, */
539 {ENCR_NULL, SADB_EALG_NULL },
540 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
541 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
542 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
543 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
544 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
545 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
546 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
547 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
548 {END_OF_LIST, 0 },
549 };
550
551 /**
552 * Algorithms for integrity protection
553 */
554 static kernel_algorithm_t integrity_algs[] = {
555 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
556 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
557 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
558 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
559 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
560 /* {AUTH_DES_MAC, 0, }, */
561 /* {AUTH_KPDK_MD5, 0, }, */
562 #ifdef SADB_X_AALG_AES_XCBC_MAC
563 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
564 #endif
565 {END_OF_LIST, 0, },
566 };
567
568 #if 0
569 /**
570 * Algorithms for IPComp, unused yet
571 */
572 static kernel_algorithm_t compression_algs[] = {
573 /* {IPCOMP_OUI, 0 }, */
574 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
575 {IPCOMP_LZS, SADB_X_CALG_LZS },
576 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
577 {END_OF_LIST, 0 },
578 };
579 #endif
580
581 /**
582 * Look up a kernel algorithm ID and its key size
583 */
584 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
585 {
586 while (list->ikev2 != END_OF_LIST)
587 {
588 if (ikev2 == list->ikev2)
589 {
590 return list->kernel;
591 }
592 list++;
593 }
594 return 0;
595 }
596
597 /**
598 * add a host behind a sadb_address extension
599 */
600 static void host2ext(host_t *host, struct sadb_address *ext)
601 {
602 sockaddr_t *host_addr = host->get_sockaddr(host);
603 socklen_t *len = host->get_sockaddr_len(host);
604 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
605 host_addr->sa_len = *len;
606 #endif
607 memcpy((char*)(ext + 1), host_addr, *len);
608 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
609 }
610
611 /**
612 * add a host to the given sadb_msg
613 */
614 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
615 u_int8_t proto, u_int8_t prefixlen)
616 {
617 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
618 addr->sadb_address_exttype = type;
619 addr->sadb_address_proto = proto;
620 addr->sadb_address_prefixlen = prefixlen;
621 host2ext(host, addr);
622 PFKEY_EXT_ADD(msg, addr);
623 }
624
625 /**
626 * adds an empty address extension to the given sadb_msg
627 */
628 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
629 {
630 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
631 sizeof(struct sockaddr_in6);
632 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
633 addr->sadb_address_exttype = type;
634 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
635 saddr->sa_family = family;
636 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
637 saddr->sa_len = len;
638 #endif
639 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
640 PFKEY_EXT_ADD(msg, addr);
641 }
642
643 #ifdef HAVE_NATT
644 /**
645 * add udp encap extensions to a sadb_msg
646 */
647 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
648 {
649 struct sadb_x_nat_t_type* nat_type;
650 struct sadb_x_nat_t_port* nat_port;
651
652 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
653 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
654 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
655 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
656 PFKEY_EXT_ADD(msg, nat_type);
657
658 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
659 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
660 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
661 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
662 PFKEY_EXT_ADD(msg, nat_port);
663
664 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
665 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
666 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
667 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
668 PFKEY_EXT_ADD(msg, nat_port);
669 }
670 #endif /*HAVE_NATT*/
671
672 /**
673 * Convert a sadb_address to a traffic_selector
674 */
675 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
676 {
677 traffic_selector_t *ts;
678 host_t *host;
679
680 /* The Linux 2.6 kernel does not set the protocol and port information
681 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
682 */
683 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
684 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
685 address->sadb_address_proto, host->get_port(host));
686 return ts;
687 }
688
689 /**
690 * Parses a pfkey message received from the kernel
691 */
692 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
693 {
694 struct sadb_ext* ext;
695 size_t len;
696
697 memset(out, 0, sizeof(pfkey_msg_t));
698 out->msg = msg;
699
700 len = msg->sadb_msg_len;
701 len -= PFKEY_LEN(sizeof(struct sadb_msg));
702
703 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
704
705 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
706 {
707 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
708 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
709 ext->sadb_ext_len > len)
710 {
711 DBG1(DBG_KNL, "length of %N extension is invalid",
712 sadb_ext_type_names, ext->sadb_ext_type);
713 break;
714 }
715
716 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
717 {
718 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
719 break;
720 }
721
722 if (out->ext[ext->sadb_ext_type])
723 {
724 DBG1(DBG_KNL, "duplicate %N extension",
725 sadb_ext_type_names, ext->sadb_ext_type);
726 break;
727 }
728
729 out->ext[ext->sadb_ext_type] = ext;
730 ext = PFKEY_EXT_NEXT_LEN(ext, len);
731 }
732
733 if (len)
734 {
735 DBG1(DBG_KNL, "PF_KEY message length is invalid");
736 return FAILED;
737 }
738
739 return SUCCESS;
740 }
741
742 /**
743 * Send a message to a specific PF_KEY socket and handle the response.
744 */
745 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
746 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
747 {
748 unsigned char buf[PFKEY_BUFFER_SIZE];
749 struct sadb_msg *msg;
750 int in_len, len;
751
752 this->mutex_pfkey->lock(this->mutex_pfkey);
753
754 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
755 * in particular the behavior in response to an SADB_ACQUIRE. */
756 in->sadb_msg_seq = ++this->seq;
757 in->sadb_msg_pid = getpid();
758
759 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
760
761 while (TRUE)
762 {
763 len = send(socket, in, in_len, 0);
764
765 if (len != in_len)
766 {
767 if (errno == EINTR)
768 {
769 /* interrupted, try again */
770 continue;
771 }
772 this->mutex_pfkey->unlock(this->mutex_pfkey);
773 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
774 return FAILED;
775 }
776 break;
777 }
778
779 while (TRUE)
780 {
781 msg = (struct sadb_msg*)buf;
782
783 len = recv(socket, buf, sizeof(buf), 0);
784
785 if (len < 0)
786 {
787 if (errno == EINTR)
788 {
789 DBG1(DBG_KNL, "got interrupted");
790 /* interrupted, try again */
791 continue;
792 }
793 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
794 this->mutex_pfkey->unlock(this->mutex_pfkey);
795 return FAILED;
796 }
797 if (len < sizeof(struct sadb_msg) ||
798 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
799 {
800 DBG1(DBG_KNL, "received corrupted PF_KEY message");
801 this->mutex_pfkey->unlock(this->mutex_pfkey);
802 return FAILED;
803 }
804 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
805 {
806 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
807 this->mutex_pfkey->unlock(this->mutex_pfkey);
808 return FAILED;
809 }
810 if (msg->sadb_msg_pid != in->sadb_msg_pid)
811 {
812 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
813 continue;
814 }
815 if (msg->sadb_msg_seq != this->seq)
816 {
817 DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
818 "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
819 if (msg->sadb_msg_seq == 0)
820 {
821 /* FreeBSD and Mac OS X do this for the response to
822 * SADB_X_SPDGET (but not for the response to SADB_GET).
823 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
824 }
825 else if (msg->sadb_msg_seq < this->seq)
826 {
827 continue;
828 }
829 else
830 {
831 this->mutex_pfkey->unlock(this->mutex_pfkey);
832 return FAILED;
833 }
834 }
835 if (msg->sadb_msg_type != in->sadb_msg_type)
836 {
837 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
838 "was %d expected %d, ignoring",
839 msg->sadb_msg_type, in->sadb_msg_type);
840 }
841 break;
842 }
843
844 *out_len = len;
845 *out = (struct sadb_msg*)malloc(len);
846 memcpy(*out, buf, len);
847
848 this->mutex_pfkey->unlock(this->mutex_pfkey);
849
850 return SUCCESS;
851 }
852
853 /**
854 * Send a message to the default PF_KEY socket and handle the response.
855 */
856 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
857 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
858 {
859 return pfkey_send_socket(this, this->socket, in, out, out_len);
860 }
861
862 /**
863 * Process a SADB_ACQUIRE message from the kernel
864 */
865 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
866 {
867 pfkey_msg_t response;
868 u_int32_t index, reqid = 0;
869 traffic_selector_t *src_ts, *dst_ts;
870 policy_entry_t *policy;
871 job_t *job;
872
873 switch (msg->sadb_msg_satype)
874 {
875 case SADB_SATYPE_UNSPEC:
876 case SADB_SATYPE_ESP:
877 case SADB_SATYPE_AH:
878 break;
879 default:
880 /* acquire for AH/ESP only */
881 return;
882 }
883 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
884
885 if (parse_pfkey_message(msg, &response) != SUCCESS)
886 {
887 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
888 return;
889 }
890
891 index = response.x_policy->sadb_x_policy_id;
892 this->mutex->lock(this->mutex);
893 if (this->policies->find_first(this->policies,
894 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
895 {
896 reqid = policy->reqid;
897 }
898 else
899 {
900 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
901 index);
902 }
903 src_ts = sadb_address2ts(response.src);
904 dst_ts = sadb_address2ts(response.dst);
905 this->mutex->unlock(this->mutex);
906
907 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
908 src_ts, dst_ts, reqid);
909 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
910 charon->processor->queue_job(charon->processor, job);
911 }
912
913 /**
914 * Process a SADB_EXPIRE message from the kernel
915 */
916 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
917 {
918 pfkey_msg_t response;
919 protocol_id_t protocol;
920 u_int32_t spi, reqid;
921 bool hard;
922 job_t *job;
923
924 DBG2(DBG_KNL, "received an SADB_EXPIRE");
925
926 if (parse_pfkey_message(msg, &response) != SUCCESS)
927 {
928 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
929 return;
930 }
931
932 protocol = proto_satype2ike(msg->sadb_msg_satype);
933 spi = response.sa->sadb_sa_spi;
934 reqid = response.x_sa2->sadb_x_sa2_reqid;
935 hard = response.lft_hard != NULL;
936
937 if (protocol != PROTO_ESP && protocol != PROTO_AH)
938 {
939 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
940 "which is not a CHILD_SA", ntohl(spi), reqid);
941 return;
942 }
943
944 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
945 hard ? "delete" : "rekey", protocol_id_names,
946 protocol, ntohl(spi), reqid);
947 if (hard)
948 {
949 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
950 }
951 else
952 {
953 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
954 }
955 charon->processor->queue_job(charon->processor, job);
956 }
957
958 #ifdef SADB_X_MIGRATE
959 /**
960 * Process a SADB_X_MIGRATE message from the kernel
961 */
962 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
963 {
964 pfkey_msg_t response;
965 traffic_selector_t *src_ts, *dst_ts;
966 policy_dir_t dir;
967 u_int32_t reqid = 0;
968 host_t *local = NULL, *remote = NULL;
969 job_t *job;
970
971 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
972
973 if (parse_pfkey_message(msg, &response) != SUCCESS)
974 {
975 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
976 return;
977 }
978 src_ts = sadb_address2ts(response.src);
979 dst_ts = sadb_address2ts(response.dst);
980 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
981 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
982 policy_dir_names, dir);
983
984 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
985 if (response.x_kmaddress)
986 {
987 sockaddr_t *local_addr, *remote_addr;
988 u_int32_t local_len;
989
990 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
991 local = host_create_from_sockaddr(local_addr);
992 local_len = (local_addr->sa_family == AF_INET6)?
993 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
994 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
995 remote = host_create_from_sockaddr(remote_addr);
996 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
997 }
998
999 if (src_ts && dst_ts && local && remote)
1000 {
1001 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
1002 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
1003 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
1004 local, remote);
1005 charon->processor->queue_job(charon->processor, job);
1006 }
1007 else
1008 {
1009 DESTROY_IF(src_ts);
1010 DESTROY_IF(dst_ts);
1011 DESTROY_IF(local);
1012 DESTROY_IF(remote);
1013 }
1014 }
1015 #endif /*SADB_X_MIGRATE*/
1016
1017 #ifdef HAVE_NATT
1018 /**
1019 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1020 */
1021 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
1022 {
1023 pfkey_msg_t response;
1024 u_int32_t spi, reqid;
1025 host_t *host;
1026 job_t *job;
1027
1028 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1029
1030 if (parse_pfkey_message(msg, &response) != SUCCESS)
1031 {
1032 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1033 return;
1034 }
1035
1036 if (!response.x_sa2)
1037 {
1038 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
1039 return;
1040 }
1041
1042 spi = response.sa->sadb_sa_spi;
1043 reqid = response.x_sa2->sadb_x_sa2_reqid;
1044
1045 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
1046 {
1047 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
1048 switch (sa->sa_family)
1049 {
1050 case AF_INET:
1051 {
1052 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1053 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1054 }
1055 case AF_INET6:
1056 {
1057 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1058 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1059 }
1060 default:
1061 break;
1062 }
1063 host = host_create_from_sockaddr(sa);
1064 if (host)
1065 {
1066 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
1067 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
1068 job = (job_t*)update_sa_job_create(reqid, host);
1069 charon->processor->queue_job(charon->processor, job);
1070 }
1071 }
1072 }
1073 #endif /*HAVE_NATT*/
1074
1075 /**
1076 * Receives events from kernel
1077 */
1078 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1079 {
1080 unsigned char buf[PFKEY_BUFFER_SIZE];
1081 struct sadb_msg *msg = (struct sadb_msg*)buf;
1082 int len, oldstate;
1083
1084 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
1085 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1086 pthread_setcancelstate(oldstate, NULL);
1087
1088 if (len < 0)
1089 {
1090 switch (errno)
1091 {
1092 case EINTR:
1093 /* interrupted, try again */
1094 return JOB_REQUEUE_DIRECT;
1095 case EAGAIN:
1096 /* no data ready, select again */
1097 return JOB_REQUEUE_DIRECT;
1098 default:
1099 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1100 sleep(1);
1101 return JOB_REQUEUE_FAIR;
1102 }
1103 }
1104
1105 if (len < sizeof(struct sadb_msg) ||
1106 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1107 {
1108 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1109 return JOB_REQUEUE_DIRECT;
1110 }
1111 if (msg->sadb_msg_pid != 0)
1112 { /* not from kernel. not interested, try another one */
1113 return JOB_REQUEUE_DIRECT;
1114 }
1115 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1116 {
1117 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
1118 return JOB_REQUEUE_DIRECT;
1119 }
1120
1121 switch (msg->sadb_msg_type)
1122 {
1123 case SADB_ACQUIRE:
1124 process_acquire(this, msg);
1125 break;
1126 case SADB_EXPIRE:
1127 process_expire(this, msg);
1128 break;
1129 #ifdef SADB_X_MIGRATE
1130 case SADB_X_MIGRATE:
1131 process_migrate(this, msg);
1132 break;
1133 #endif /*SADB_X_MIGRATE*/
1134 #ifdef HAVE_NATT
1135 case SADB_X_NAT_T_NEW_MAPPING:
1136 process_mapping(this, msg);
1137 break;
1138 #endif /*HAVE_NATT*/
1139 default:
1140 break;
1141 }
1142
1143 return JOB_REQUEUE_DIRECT;
1144 }
1145
1146 /**
1147 * Implementation of kernel_interface_t.get_spi.
1148 */
1149 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
1150 host_t *src, host_t *dst,
1151 protocol_id_t protocol, u_int32_t reqid,
1152 u_int32_t *spi)
1153 {
1154 unsigned char request[PFKEY_BUFFER_SIZE];
1155 struct sadb_msg *msg, *out;
1156 struct sadb_x_sa2 *sa2;
1157 struct sadb_spirange *range;
1158 pfkey_msg_t response;
1159 u_int32_t received_spi = 0;
1160 size_t len;
1161
1162 memset(&request, 0, sizeof(request));
1163
1164 msg = (struct sadb_msg*)request;
1165 msg->sadb_msg_version = PF_KEY_V2;
1166 msg->sadb_msg_type = SADB_GETSPI;
1167 msg->sadb_msg_satype = proto_ike2satype(protocol);
1168 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1169
1170 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1171 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1172 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1173 sa2->sadb_x_sa2_reqid = reqid;
1174 PFKEY_EXT_ADD(msg, sa2);
1175
1176 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1177 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1178
1179 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1180 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1181 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1182 range->sadb_spirange_min = 0xc0000000;
1183 range->sadb_spirange_max = 0xcFFFFFFF;
1184 PFKEY_EXT_ADD(msg, range);
1185
1186 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1187 {
1188 if (out->sadb_msg_errno)
1189 {
1190 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1191 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1192 }
1193 else if (parse_pfkey_message(out, &response) == SUCCESS)
1194 {
1195 received_spi = response.sa->sadb_sa_spi;
1196 }
1197 free(out);
1198 }
1199
1200 if (received_spi == 0)
1201 {
1202 return FAILED;
1203 }
1204
1205 *spi = received_spi;
1206 return SUCCESS;
1207 }
1208
1209 /**
1210 * Implementation of kernel_interface_t.get_cpi.
1211 */
1212 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
1213 host_t *src, host_t *dst,
1214 u_int32_t reqid, u_int16_t *cpi)
1215 {
1216 return FAILED;
1217 }
1218
1219 /**
1220 * Implementation of kernel_interface_t.add_sa.
1221 */
1222 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
1223 host_t *src, host_t *dst, u_int32_t spi,
1224 protocol_id_t protocol, u_int32_t reqid,
1225 u_int64_t expire_soft, u_int64_t expire_hard,
1226 u_int16_t enc_alg, chunk_t enc_key,
1227 u_int16_t int_alg, chunk_t int_key,
1228 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1229 bool encap, bool inbound)
1230 {
1231 unsigned char request[PFKEY_BUFFER_SIZE];
1232 struct sadb_msg *msg, *out;
1233 struct sadb_sa *sa;
1234 struct sadb_x_sa2 *sa2;
1235 struct sadb_lifetime *lft;
1236 struct sadb_key *key;
1237 size_t len;
1238
1239 memset(&request, 0, sizeof(request));
1240
1241 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1242
1243 msg = (struct sadb_msg*)request;
1244 msg->sadb_msg_version = PF_KEY_V2;
1245 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1246 msg->sadb_msg_satype = proto_ike2satype(protocol);
1247 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1248
1249 #ifdef __APPLE__
1250 if (encap)
1251 {
1252 struct sadb_sa_2 *sa_2;
1253 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1254 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1255 sa = &sa_2->sa;
1256 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1257 len = sizeof(struct sadb_sa_2);
1258 }
1259 else
1260 #endif
1261 {
1262 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1263 len = sizeof(struct sadb_sa);
1264 }
1265 sa->sadb_sa_exttype = SADB_EXT_SA;
1266 sa->sadb_sa_len = PFKEY_LEN(len);
1267 sa->sadb_sa_spi = spi;
1268 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1269 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1270 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1271 PFKEY_EXT_ADD(msg, sa);
1272
1273 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1274 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1275 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1276 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1277 sa2->sadb_x_sa2_reqid = reqid;
1278 PFKEY_EXT_ADD(msg, sa2);
1279
1280 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1281 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1282
1283 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1284 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1285 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1286 lft->sadb_lifetime_addtime = expire_soft;
1287 PFKEY_EXT_ADD(msg, lft);
1288
1289 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1290 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1291 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1292 lft->sadb_lifetime_addtime = expire_hard;
1293 PFKEY_EXT_ADD(msg, lft);
1294
1295 if (enc_alg != ENCR_UNDEFINED)
1296 {
1297 if (!sa->sadb_sa_encrypt)
1298 {
1299 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1300 encryption_algorithm_names, enc_alg);
1301 return FAILED;
1302 }
1303 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1304 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1305
1306 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1307 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1308 key->sadb_key_bits = enc_key.len * 8;
1309 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1310 memcpy(key + 1, enc_key.ptr, enc_key.len);
1311
1312 PFKEY_EXT_ADD(msg, key);
1313 }
1314
1315 if (int_alg != AUTH_UNDEFINED)
1316 {
1317 if (!sa->sadb_sa_auth)
1318 {
1319 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1320 integrity_algorithm_names, int_alg);
1321 return FAILED;
1322 }
1323 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1324 integrity_algorithm_names, int_alg, int_key.len * 8);
1325
1326 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1327 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1328 key->sadb_key_bits = int_key.len * 8;
1329 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1330 memcpy(key + 1, int_key.ptr, int_key.len);
1331
1332 PFKEY_EXT_ADD(msg, key);
1333 }
1334
1335 if (ipcomp != IPCOMP_NONE)
1336 {
1337 /*TODO*/
1338 }
1339
1340 #ifdef HAVE_NATT
1341 if (encap)
1342 {
1343 add_encap_ext(msg, src, dst);
1344 }
1345 #endif /*HAVE_NATT*/
1346
1347 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1348 {
1349 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1350 return FAILED;
1351 }
1352 else if (out->sadb_msg_errno)
1353 {
1354 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1355 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1356 free(out);
1357 return FAILED;
1358 }
1359
1360 free(out);
1361 return SUCCESS;
1362 }
1363
1364 /**
1365 * Implementation of kernel_interface_t.update_sa.
1366 */
1367 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1368 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1369 host_t *src, host_t *dst,
1370 host_t *new_src, host_t *new_dst,
1371 bool encap, bool new_encap)
1372 {
1373 unsigned char request[PFKEY_BUFFER_SIZE];
1374 struct sadb_msg *msg, *out;
1375 struct sadb_sa *sa;
1376 pfkey_msg_t response;
1377 size_t len;
1378
1379 /* we can't update the SA if any of the ip addresses have changed.
1380 * that's because we can't use SADB_UPDATE and by deleting and readding the
1381 * SA the sequence numbers would get lost */
1382 if (!src->ip_equals(src, new_src) ||
1383 !dst->ip_equals(dst, new_dst))
1384 {
1385 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
1386 " are not supported", ntohl(spi));
1387 return NOT_SUPPORTED;
1388 }
1389
1390 memset(&request, 0, sizeof(request));
1391
1392 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1393
1394 msg = (struct sadb_msg*)request;
1395 msg->sadb_msg_version = PF_KEY_V2;
1396 msg->sadb_msg_type = SADB_GET;
1397 msg->sadb_msg_satype = proto_ike2satype(protocol);
1398 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1399
1400 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1401 sa->sadb_sa_exttype = SADB_EXT_SA;
1402 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1403 sa->sadb_sa_spi = spi;
1404 PFKEY_EXT_ADD(msg, sa);
1405
1406 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1407 * it is not used for anything. */
1408 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1409 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1410
1411 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1412 {
1413 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1414 ntohl(spi));
1415 return FAILED;
1416 }
1417 else if (out->sadb_msg_errno)
1418 {
1419 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1420 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1421 free(out);
1422 return FAILED;
1423 }
1424 else if (parse_pfkey_message(out, &response) != SUCCESS)
1425 {
1426 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1427 "from kernel failed", ntohl(spi));
1428 free(out);
1429 return FAILED;
1430 }
1431
1432 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1433 ntohl(spi), src, dst, new_src, new_dst);
1434
1435 memset(&request, 0, sizeof(request));
1436
1437 msg = (struct sadb_msg*)request;
1438 msg->sadb_msg_version = PF_KEY_V2;
1439 msg->sadb_msg_type = SADB_UPDATE;
1440 msg->sadb_msg_satype = proto_ike2satype(protocol);
1441 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1442
1443 #ifdef __APPLE__
1444 {
1445 struct sadb_sa_2 *sa_2;
1446 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1447 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1448 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1449 if (encap)
1450 {
1451 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1452 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1453 }
1454 }
1455 #else
1456 PFKEY_EXT_COPY(msg, response.sa);
1457 #endif
1458 PFKEY_EXT_COPY(msg, response.x_sa2);
1459
1460 PFKEY_EXT_COPY(msg, response.src);
1461 PFKEY_EXT_COPY(msg, response.dst);
1462
1463 PFKEY_EXT_COPY(msg, response.lft_soft);
1464 PFKEY_EXT_COPY(msg, response.lft_hard);
1465
1466 if (response.key_encr)
1467 {
1468 PFKEY_EXT_COPY(msg, response.key_encr);
1469 }
1470
1471 if (response.key_auth)
1472 {
1473 PFKEY_EXT_COPY(msg, response.key_auth);
1474 }
1475
1476 #ifdef HAVE_NATT
1477 if (new_encap)
1478 {
1479 add_encap_ext(msg, new_src, new_dst);
1480 }
1481 #endif /*HAVE_NATT*/
1482
1483 free(out);
1484
1485 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1486 {
1487 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1488 return FAILED;
1489 }
1490 else if (out->sadb_msg_errno)
1491 {
1492 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1493 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1494 free(out);
1495 return FAILED;
1496 }
1497 free(out);
1498
1499 return SUCCESS;
1500 }
1501
1502 /**
1503 * Implementation of kernel_interface_t.query_sa.
1504 */
1505 static status_t query_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
1506 host_t *dst, u_int32_t spi, protocol_id_t protocol,
1507 u_int64_t *bytes)
1508 {
1509 unsigned char request[PFKEY_BUFFER_SIZE];
1510 struct sadb_msg *msg, *out;
1511 struct sadb_sa *sa;
1512 pfkey_msg_t response;
1513 size_t len;
1514
1515 memset(&request, 0, sizeof(request));
1516
1517 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1518
1519 msg = (struct sadb_msg*)request;
1520 msg->sadb_msg_version = PF_KEY_V2;
1521 msg->sadb_msg_type = SADB_GET;
1522 msg->sadb_msg_satype = proto_ike2satype(protocol);
1523 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1524
1525 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1526 sa->sadb_sa_exttype = SADB_EXT_SA;
1527 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1528 sa->sadb_sa_spi = spi;
1529 PFKEY_EXT_ADD(msg, sa);
1530
1531 /* the Linux Kernel doesn't care for the src address, but other systems do
1532 * (e.g. FreeBSD)
1533 */
1534 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1535 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1536
1537 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1538 {
1539 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1540 return FAILED;
1541 }
1542 else if (out->sadb_msg_errno)
1543 {
1544 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1545 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1546 free(out);
1547 return FAILED;
1548 }
1549 else if (parse_pfkey_message(out, &response) != SUCCESS)
1550 {
1551 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1552 free(out);
1553 return FAILED;
1554 }
1555 *bytes = response.lft_current->sadb_lifetime_bytes;
1556
1557 free(out);
1558 return SUCCESS;
1559 }
1560
1561 /**
1562 * Implementation of kernel_interface_t.del_sa.
1563 */
1564 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
1565 host_t *dst, u_int32_t spi, protocol_id_t protocol,
1566 u_int16_t cpi)
1567 {
1568 unsigned char request[PFKEY_BUFFER_SIZE];
1569 struct sadb_msg *msg, *out;
1570 struct sadb_sa *sa;
1571 size_t len;
1572
1573 memset(&request, 0, sizeof(request));
1574
1575 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1576
1577 msg = (struct sadb_msg*)request;
1578 msg->sadb_msg_version = PF_KEY_V2;
1579 msg->sadb_msg_type = SADB_DELETE;
1580 msg->sadb_msg_satype = proto_ike2satype(protocol);
1581 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1582
1583 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1584 sa->sadb_sa_exttype = SADB_EXT_SA;
1585 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1586 sa->sadb_sa_spi = spi;
1587 PFKEY_EXT_ADD(msg, sa);
1588
1589 /* the Linux Kernel doesn't care for the src address, but other systems do
1590 * (e.g. FreeBSD)
1591 */
1592 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1593 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1594
1595 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1596 {
1597 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1598 return FAILED;
1599 }
1600 else if (out->sadb_msg_errno)
1601 {
1602 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1603 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1604 free(out);
1605 return FAILED;
1606 }
1607
1608 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1609 free(out);
1610 return SUCCESS;
1611 }
1612
1613 /**
1614 * Implementation of kernel_interface_t.add_policy.
1615 */
1616 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1617 host_t *src, host_t *dst,
1618 traffic_selector_t *src_ts,
1619 traffic_selector_t *dst_ts,
1620 policy_dir_t direction, u_int32_t spi,
1621 protocol_id_t protocol, u_int32_t reqid,
1622 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1623 bool routed)
1624 {
1625 unsigned char request[PFKEY_BUFFER_SIZE];
1626 struct sadb_msg *msg, *out;
1627 struct sadb_x_policy *pol;
1628 struct sadb_x_ipsecrequest *req;
1629 policy_entry_t *policy, *found = NULL;
1630 pfkey_msg_t response;
1631 size_t len;
1632
1633 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1634 {
1635 /* FWD policies are not supported on all platforms */
1636 return SUCCESS;
1637 }
1638
1639 /* create a policy */
1640 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1641
1642 /* find a matching policy */
1643 this->mutex->lock(this->mutex);
1644 if (this->policies->find_first(this->policies,
1645 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1646 {
1647 /* use existing policy */
1648 found->refcount++;
1649 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1650 "refcount", src_ts, dst_ts,
1651 policy_dir_names, direction);
1652 policy_entry_destroy(policy);
1653 policy = found;
1654 }
1655 else
1656 {
1657 /* apply the new one, if we have no such policy */
1658 this->policies->insert_last(this->policies, policy);
1659 policy->refcount = 1;
1660 }
1661
1662 memset(&request, 0, sizeof(request));
1663
1664 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1665 policy_dir_names, direction);
1666
1667 msg = (struct sadb_msg*)request;
1668 msg->sadb_msg_version = PF_KEY_V2;
1669 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1670 msg->sadb_msg_satype = 0;
1671 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1672
1673 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1674 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1675 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1676 pol->sadb_x_policy_id = 0;
1677 pol->sadb_x_policy_dir = dir2kernel(direction);
1678 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1679 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1680 /* calculate priority based on source selector size, small size = high prio */
1681 pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
1682 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1683 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1684 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1685 #endif
1686
1687 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1688 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1689 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1690 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1691 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1692 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1693 req->sadb_x_ipsecrequest_reqid = reqid;
1694 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1695 if (mode == MODE_TUNNEL)
1696 {
1697 sockaddr_t *sa;
1698 socklen_t sl;
1699 sa = src->get_sockaddr(src);
1700 sl = *src->get_sockaddr_len(src);
1701 memcpy(req + 1, sa, sl);
1702 sa = dst->get_sockaddr(dst);
1703 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1704 req->sadb_x_ipsecrequest_len += sl * 2;
1705 }
1706
1707 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1708 PFKEY_EXT_ADD(msg, pol);
1709
1710 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1711 policy->src.mask);
1712 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1713 policy->dst.mask);
1714
1715 #ifdef __FreeBSD__
1716 { /* on FreeBSD a lifetime has to be defined to be able to later query
1717 * the current use time. */
1718 struct sadb_lifetime *lft;
1719 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1720 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1721 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1722 lft->sadb_lifetime_addtime = 0x7fffffff; /* kernel maps this to long */
1723 PFKEY_EXT_ADD(msg, lft);
1724 }
1725 #endif
1726
1727 this->mutex->unlock(this->mutex);
1728
1729 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1730 {
1731 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1732 policy_dir_names, direction);
1733 return FAILED;
1734 }
1735 else if (out->sadb_msg_errno)
1736 {
1737 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1738 policy_dir_names, direction,
1739 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1740 free(out);
1741 return FAILED;
1742 }
1743 else if (parse_pfkey_message(out, &response) != SUCCESS)
1744 {
1745 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1746 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1747 free(out);
1748 return FAILED;
1749 }
1750
1751 this->mutex->lock(this->mutex);
1752
1753 /* we try to find the policy again and update the kernel index */
1754 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1755 {
1756 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1757 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1758 this->mutex->unlock(this->mutex);
1759 free(out);
1760 return SUCCESS;
1761 }
1762 policy->index = response.x_policy->sadb_x_policy_id;
1763 free(out);
1764
1765 /* install a route, if:
1766 * - we are NOT updating a policy
1767 * - this is a forward policy (to just get one for each child)
1768 * - we are in tunnel mode
1769 * - we are not using IPv6 (does not work correctly yet!)
1770 * - routing is not disabled via strongswan.conf
1771 */
1772 if (policy->route == NULL && direction == POLICY_FWD &&
1773 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1774 this->install_routes)
1775 {
1776 route_entry_t *route = malloc_thing(route_entry_t);
1777
1778 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1779 dst_ts, &route->src_ip) == SUCCESS)
1780 {
1781 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1782 route->gateway = charon->kernel_interface->get_nexthop(
1783 charon->kernel_interface, src);
1784 route->if_name = charon->kernel_interface->get_interface(
1785 charon->kernel_interface, dst);
1786 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1787 route->prefixlen = policy->src.mask;
1788
1789 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1790 route->dst_net, route->prefixlen, route->gateway,
1791 route->src_ip, route->if_name))
1792 {
1793 default:
1794 DBG1(DBG_KNL, "unable to install source route for %H",
1795 route->src_ip);
1796 /* FALL */
1797 case ALREADY_DONE:
1798 /* route exists, do not uninstall */
1799 route_entry_destroy(route);
1800 break;
1801 case SUCCESS:
1802 /* cache the installed route */
1803 policy->route = route;
1804 break;
1805 }
1806 }
1807 else
1808 {
1809 free(route);
1810 }
1811 }
1812
1813 this->mutex->unlock(this->mutex);
1814
1815 return SUCCESS;
1816 }
1817
1818 /**
1819 * Implementation of kernel_interface_t.query_policy.
1820 */
1821 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1822 traffic_selector_t *src_ts,
1823 traffic_selector_t *dst_ts,
1824 policy_dir_t direction, u_int32_t *use_time)
1825 {
1826 unsigned char request[PFKEY_BUFFER_SIZE];
1827 struct sadb_msg *msg, *out;
1828 struct sadb_x_policy *pol;
1829 policy_entry_t *policy, *found = NULL;
1830 pfkey_msg_t response;
1831 size_t len;
1832
1833 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1834 {
1835 /* FWD policies are not supported on all platforms */
1836 return NOT_FOUND;
1837 }
1838
1839 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1840 policy_dir_names, direction);
1841
1842 /* create a policy */
1843 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1844
1845 /* find a matching policy */
1846 this->mutex->lock(this->mutex);
1847 if (this->policies->find_first(this->policies,
1848 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1849 {
1850 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1851 dst_ts, policy_dir_names, direction);
1852 policy_entry_destroy(policy);
1853 this->mutex->unlock(this->mutex);
1854 return NOT_FOUND;
1855 }
1856 policy_entry_destroy(policy);
1857 policy = found;
1858
1859 memset(&request, 0, sizeof(request));
1860
1861 msg = (struct sadb_msg*)request;
1862 msg->sadb_msg_version = PF_KEY_V2;
1863 msg->sadb_msg_type = SADB_X_SPDGET;
1864 msg->sadb_msg_satype = 0;
1865 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1866
1867 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1868 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1869 pol->sadb_x_policy_id = policy->index;
1870 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1871 pol->sadb_x_policy_dir = dir2kernel(direction);
1872 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1873 PFKEY_EXT_ADD(msg, pol);
1874
1875 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1876 policy->src.mask);
1877 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1878 policy->dst.mask);
1879
1880 this->mutex->unlock(this->mutex);
1881
1882 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1883 {
1884 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1885 policy_dir_names, direction);
1886 return FAILED;
1887 }
1888 else if (out->sadb_msg_errno)
1889 {
1890 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1891 dst_ts, policy_dir_names, direction,
1892 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1893 free(out);
1894 return FAILED;
1895 }
1896 else if (parse_pfkey_message(out, &response) != SUCCESS)
1897 {
1898 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1899 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1900 free(out);
1901 return FAILED;
1902 }
1903 else if (response.lft_current == NULL)
1904 {
1905 DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
1906 "use time", src_ts, dst_ts, policy_dir_names, direction);
1907 free(out);
1908 return FAILED;
1909 }
1910
1911 *use_time = response.lft_current->sadb_lifetime_usetime;
1912
1913 free(out);
1914
1915 return SUCCESS;
1916 }
1917
1918 /**
1919 * Implementation of kernel_interface_t.del_policy.
1920 */
1921 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1922 traffic_selector_t *src_ts,
1923 traffic_selector_t *dst_ts,
1924 policy_dir_t direction, bool unrouted)
1925 {
1926 unsigned char request[PFKEY_BUFFER_SIZE];
1927 struct sadb_msg *msg, *out;
1928 struct sadb_x_policy *pol;
1929 policy_entry_t *policy, *found = NULL;
1930 route_entry_t *route;
1931 size_t len;
1932
1933 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1934 {
1935 /* FWD policies are not supported on all platforms */
1936 return SUCCESS;
1937 }
1938
1939 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1940 policy_dir_names, direction);
1941
1942 /* create a policy */
1943 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1944
1945 /* find a matching policy */
1946 this->mutex->lock(this->mutex);
1947 if (this->policies->find_first(this->policies,
1948 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1949 {
1950 if (--found->refcount > 0)
1951 {
1952 /* is used by more SAs, keep in kernel */
1953 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1954 policy_entry_destroy(policy);
1955 this->mutex->unlock(this->mutex);
1956 return SUCCESS;
1957 }
1958 /* remove if last reference */
1959 this->policies->remove(this->policies, found, NULL);
1960 policy_entry_destroy(policy);
1961 policy = found;
1962 }
1963 else
1964 {
1965 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1966 dst_ts, policy_dir_names, direction);
1967 policy_entry_destroy(policy);
1968 this->mutex->unlock(this->mutex);
1969 return NOT_FOUND;
1970 }
1971 this->mutex->unlock(this->mutex);
1972
1973 memset(&request, 0, sizeof(request));
1974
1975 msg = (struct sadb_msg*)request;
1976 msg->sadb_msg_version = PF_KEY_V2;
1977 msg->sadb_msg_type = SADB_X_SPDDELETE;
1978 msg->sadb_msg_satype = 0;
1979 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1980
1981 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1982 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1983 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1984 pol->sadb_x_policy_dir = dir2kernel(direction);
1985 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1986 PFKEY_EXT_ADD(msg, pol);
1987
1988 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1989 policy->src.mask);
1990 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1991 policy->dst.mask);
1992
1993 route = policy->route;
1994 policy->route = NULL;
1995 policy_entry_destroy(policy);
1996
1997 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1998 {
1999 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2000 policy_dir_names, direction);
2001 return FAILED;
2002 }
2003 else if (out->sadb_msg_errno)
2004 {
2005 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
2006 dst_ts, policy_dir_names, direction,
2007 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2008 free(out);
2009 return FAILED;
2010 }
2011 free(out);
2012
2013 if (route)
2014 {
2015 if (charon->kernel_interface->del_route(charon->kernel_interface,
2016 route->dst_net, route->prefixlen, route->gateway,
2017 route->src_ip, route->if_name) != SUCCESS)
2018 {
2019 DBG1(DBG_KNL, "error uninstalling route installed with "
2020 "policy %R === %R %N", src_ts, dst_ts,
2021 policy_dir_names, direction);
2022 }
2023 route_entry_destroy(route);
2024 }
2025
2026 return SUCCESS;
2027 }
2028
2029 /**
2030 * Register a socket for AQUIRE/EXPIRE messages
2031 */
2032 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
2033 {
2034 unsigned char request[PFKEY_BUFFER_SIZE];
2035 struct sadb_msg *msg, *out;
2036 size_t len;
2037
2038 memset(&request, 0, sizeof(request));
2039
2040 msg = (struct sadb_msg*)request;
2041 msg->sadb_msg_version = PF_KEY_V2;
2042 msg->sadb_msg_type = SADB_REGISTER;
2043 msg->sadb_msg_satype = satype;
2044 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2045
2046 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2047 {
2048 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2049 return FAILED;
2050 }
2051 else if (out->sadb_msg_errno)
2052 {
2053 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2054 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2055 free(out);
2056 return FAILED;
2057 }
2058 free(out);
2059 return SUCCESS;
2060 }
2061
2062 /**
2063 * Implementation of kernel_interface_t.destroy.
2064 */
2065 static void destroy(private_kernel_pfkey_ipsec_t *this)
2066 {
2067 this->job->cancel(this->job);
2068 close(this->socket);
2069 close(this->socket_events);
2070 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
2071 this->mutex->destroy(this->mutex);
2072 this->mutex_pfkey->destroy(this->mutex_pfkey);
2073 free(this);
2074 }
2075
2076 /**
2077 * Add bypass policies for IKE on the sockets of charon
2078 */
2079 static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
2080 {
2081 int fd, family, port;
2082 enumerator_t *sockets;
2083 bool status = TRUE;
2084
2085 sockets = charon->socket->create_enumerator(charon->socket);
2086 while (sockets->enumerate(sockets, &fd, &family, &port))
2087 {
2088 struct sadb_x_policy policy;
2089 u_int sol, ipsec_policy;
2090
2091 switch (family)
2092 {
2093 case AF_INET:
2094 {
2095 sol = SOL_IP;
2096 ipsec_policy = IP_IPSEC_POLICY;
2097 break;
2098 }
2099 case AF_INET6:
2100 {
2101 sol = SOL_IPV6;
2102 ipsec_policy = IPV6_IPSEC_POLICY;
2103 break;
2104 }
2105 default:
2106 continue;
2107 }
2108
2109 memset(&policy, 0, sizeof(policy));
2110 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
2111 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2112 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
2113
2114 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
2115 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2116 {
2117 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2118 strerror(errno));
2119 status = FALSE;
2120 break;
2121 }
2122 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
2123 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2124 {
2125 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2126 strerror(errno));
2127 status = FALSE;
2128 break;
2129 }
2130 }
2131 sockets->destroy(sockets);
2132 return status;
2133 }
2134
2135 /*
2136 * Described in header.
2137 */
2138 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
2139 {
2140 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
2141
2142 /* public functions */
2143 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2144 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
2145 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
2146 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
2147 this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
2148 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
2149 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
2150 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2151 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
2152
2153 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
2154
2155 /* private members */
2156 this->policies = linked_list_create();
2157 this->mutex = mutex_create(MUTEX_DEFAULT);
2158 this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
2159 this->install_routes = lib->settings->get_bool(lib->settings,
2160 "charon.install_routes", TRUE);
2161 this->seq = 0;
2162
2163 /* create a PF_KEY socket to communicate with the kernel */
2164 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2165 if (this->socket <= 0)
2166 {
2167 charon->kill(charon, "unable to create PF_KEY socket");
2168 }
2169
2170 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2171 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2172 if (this->socket_events <= 0)
2173 {
2174 charon->kill(charon, "unable to create PF_KEY event socket");
2175 }
2176
2177 /* add bypass policies on the sockets used by charon */
2178 if (!add_bypass_policies(this))
2179 {
2180 charon->kill(charon, "unable to add bypass policies on sockets");
2181 }
2182
2183 /* register the event socket */
2184 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2185 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2186 {
2187 charon->kill(charon, "unable to register PF_KEY event socket");
2188 }
2189
2190 this->job = callback_job_create((callback_job_cb_t)receive_events,
2191 this, NULL, NULL);
2192 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2193
2194 return &this->public;
2195 }