8458cd1cfe8a20e2ea4de4f73d2471a43ae46036
[strongswan.git] / src / libcharon / plugins / kernel_libipsec / kernel_libipsec_ipsec.c
1 /*
2 * Copyright (C) 2012-2013 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 */
14
15 #include "kernel_libipsec_ipsec.h"
16 #include "kernel_libipsec_router.h"
17
18 #include <library.h>
19 #include <ipsec.h>
20 #include <hydra.h>
21 #include <networking/tun_device.h>
22 #include <threading/mutex.h>
23 #include <utils/debug.h>
24
25 typedef struct private_kernel_libipsec_ipsec_t private_kernel_libipsec_ipsec_t;
26
27 struct private_kernel_libipsec_ipsec_t {
28
29 /**
30 * Public libipsec_ipsec interface
31 */
32 kernel_libipsec_ipsec_t public;
33
34 /**
35 * Listener for lifetime expire events
36 */
37 ipsec_event_listener_t ipsec_listener;
38
39 /**
40 * Mutex to lock access to various lists
41 */
42 mutex_t *mutex;
43
44 /**
45 * List of installed policies (policy_entry_t)
46 */
47 linked_list_t *policies;
48
49 /**
50 * List of exclude routes (exclude_route_t)
51 */
52 linked_list_t *excludes;
53
54 /**
55 * Whether the remote TS may equal the IKE peer
56 */
57 bool allow_peer_ts;
58 };
59
60 typedef struct exclude_route_t exclude_route_t;
61
62 /**
63 * Exclude route definition
64 */
65 struct exclude_route_t {
66 /** Destination address to exclude */
67 host_t *dst;
68 /** Source address for route */
69 host_t *src;
70 /** Nexthop exclude has been installed */
71 host_t *gtw;
72 /** References to this route */
73 int refs;
74 };
75
76 /**
77 * Clean up an exclude route entry
78 */
79 static void exclude_route_destroy(exclude_route_t *this)
80 {
81 this->dst->destroy(this->dst);
82 this->src->destroy(this->src);
83 this->gtw->destroy(this->gtw);
84 free(this);
85 }
86
87 /**
88 * Find an exclude route entry by destination address
89 */
90 static bool exclude_route_match(exclude_route_t *current,
91 host_t *dst)
92 {
93 return dst->ip_equals(dst, current->dst);
94 }
95
96 typedef struct route_entry_t route_entry_t;
97
98 /**
99 * Installed routing entry
100 */
101 struct route_entry_t {
102 /** Name of the interface the route is bound to */
103 char *if_name;
104 /** Source IP of the route */
105 host_t *src_ip;
106 /** Gateway of the route */
107 host_t *gateway;
108 /** Destination net */
109 chunk_t dst_net;
110 /** Destination net prefixlen */
111 u_int8_t prefixlen;
112 /** Reference to exclude route, if any */
113 exclude_route_t *exclude;
114 };
115
116 /**
117 * Destroy a route_entry_t object
118 */
119 static void route_entry_destroy(route_entry_t *this)
120 {
121 free(this->if_name);
122 DESTROY_IF(this->src_ip);
123 DESTROY_IF(this->gateway);
124 chunk_free(&this->dst_net);
125 free(this);
126 }
127
128 /**
129 * Compare two route_entry_t objects
130 */
131 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
132 {
133 if ((!a->src_ip && !b->src_ip) || (a->src_ip && b->src_ip &&
134 a->src_ip->ip_equals(a->src_ip, b->src_ip)))
135 {
136 if ((!a->gateway && !b->gateway) || (a->gateway && b->gateway &&
137 a->gateway->ip_equals(a->gateway, b->gateway)))
138 {
139 return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
140 chunk_equals(a->dst_net, b->dst_net) &&
141 a->prefixlen == b->prefixlen;
142 }
143 }
144 return FALSE;
145 }
146
147 typedef struct policy_entry_t policy_entry_t;
148
149 /**
150 * Installed policy
151 */
152 struct policy_entry_t {
153 /** Direction of this policy: in, out, forward */
154 u_int8_t direction;
155 /** Parameters of installed policy */
156 struct {
157 /** Subnet and port */
158 host_t *net;
159 /** Subnet mask */
160 u_int8_t mask;
161 /** Protocol */
162 u_int8_t proto;
163 } src, dst;
164 /** Associated route installed for this policy */
165 route_entry_t *route;
166 /** References to this policy */
167 int refs;
168 };
169
170 /**
171 * Create a policy_entry_t object
172 */
173 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
174 traffic_selector_t *dst_ts,
175 policy_dir_t dir)
176 {
177 policy_entry_t *this;
178 INIT(this,
179 .direction = dir,
180 );
181
182 src_ts->to_subnet(src_ts, &this->src.net, &this->src.mask);
183 dst_ts->to_subnet(dst_ts, &this->dst.net, &this->dst.mask);
184
185 /* src or dest proto may be "any" (0), use more restrictive one */
186 this->src.proto = max(src_ts->get_protocol(src_ts),
187 dst_ts->get_protocol(dst_ts));
188 this->src.proto = this->src.proto ? this->src.proto : 0;
189 this->dst.proto = this->src.proto;
190 return this;
191 }
192
193 /**
194 * Destroy a policy_entry_t object
195 */
196 static void policy_entry_destroy(policy_entry_t *this)
197 {
198 if (this->route)
199 {
200 route_entry_destroy(this->route);
201 }
202 DESTROY_IF(this->src.net);
203 DESTROY_IF(this->dst.net);
204 free(this);
205 }
206
207 /**
208 * Compare two policy_entry_t objects
209 */
210 static inline bool policy_entry_equals(policy_entry_t *a,
211 policy_entry_t *b)
212 {
213 return a->direction == b->direction &&
214 a->src.proto == b->src.proto &&
215 a->dst.proto == b->dst.proto &&
216 a->src.mask == b->src.mask &&
217 a->dst.mask == b->dst.mask &&
218 a->src.net->equals(a->src.net, b->src.net) &&
219 a->dst.net->equals(a->dst.net, b->dst.net);
220 }
221
222 /**
223 * Expiration callback
224 */
225 static void expire(u_int32_t reqid, u_int8_t protocol, u_int32_t spi, bool hard)
226 {
227 hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
228 spi, hard);
229 }
230
231 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
232 private_kernel_libipsec_ipsec_t *this)
233 {
234 return KERNEL_REQUIRE_UDP_ENCAPSULATION | KERNEL_ESP_V3_TFC;
235 }
236
237 METHOD(kernel_ipsec_t, get_spi, status_t,
238 private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
239 u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
240 {
241 return ipsec->sas->get_spi(ipsec->sas, src, dst, protocol, reqid, spi);
242 }
243
244 METHOD(kernel_ipsec_t, get_cpi, status_t,
245 private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
246 u_int32_t reqid, u_int16_t *cpi)
247 {
248 return NOT_SUPPORTED;
249 }
250
251 METHOD(kernel_ipsec_t, add_sa, status_t,
252 private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
253 u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
254 u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
255 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
256 u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
257 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
258 {
259 return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
260 tfc, lifetime, enc_alg, enc_key, int_alg, int_key,
261 mode, ipcomp, cpi, initiator, encap, esn, inbound,
262 src_ts, dst_ts);
263 }
264
265 METHOD(kernel_ipsec_t, update_sa, status_t,
266 private_kernel_libipsec_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
267 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
268 bool encap, bool new_encap, mark_t mark)
269 {
270 return NOT_SUPPORTED;
271 }
272
273 METHOD(kernel_ipsec_t, query_sa, status_t,
274 private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
275 u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes,
276 u_int64_t *packets, time_t *time)
277 {
278 return ipsec->sas->query_sa(ipsec->sas, src, dst, spi, protocol, mark,
279 bytes, packets, time);
280 }
281
282 METHOD(kernel_ipsec_t, del_sa, status_t,
283 private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
284 u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
285 {
286 return ipsec->sas->del_sa(ipsec->sas, src, dst, spi, protocol, cpi, mark);
287 }
288
289 METHOD(kernel_ipsec_t, flush_sas, status_t,
290 private_kernel_libipsec_ipsec_t *this)
291 {
292 return ipsec->sas->flush_sas(ipsec->sas);
293 }
294
295 /**
296 * Add an explicit exclude route to a routing entry
297 */
298 static void add_exclude_route(private_kernel_libipsec_ipsec_t *this,
299 route_entry_t *route, host_t *src, host_t *dst)
300 {
301 exclude_route_t *exclude;
302 host_t *gtw;
303
304 if (this->excludes->find_first(this->excludes,
305 (linked_list_match_t)exclude_route_match,
306 (void**)&exclude, dst) == SUCCESS)
307 {
308 route->exclude = exclude;
309 exclude->refs++;
310 }
311
312 if (!route->exclude)
313 {
314 DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src);
315 gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
316 dst, NULL);
317 if (gtw)
318 {
319 char *if_name = NULL;
320
321 if (hydra->kernel_interface->get_interface(
322 hydra->kernel_interface, src, &if_name) &&
323 hydra->kernel_interface->add_route(hydra->kernel_interface,
324 dst->get_address(dst),
325 dst->get_family(dst) == AF_INET ? 32 : 128,
326 gtw, src, if_name) == SUCCESS)
327 {
328 INIT(exclude,
329 .dst = dst->clone(dst),
330 .src = src->clone(src),
331 .gtw = gtw->clone(gtw),
332 .refs = 1,
333 );
334 route->exclude = exclude;
335 this->excludes->insert_last(this->excludes, exclude);
336 }
337 else
338 {
339 DBG1(DBG_KNL, "installing exclude route for %H failed", dst);
340 }
341 gtw->destroy(gtw);
342 free(if_name);
343 }
344 else
345 {
346 DBG1(DBG_KNL, "gateway lookup for %H failed", dst);
347 }
348 }
349 }
350
351 /**
352 * Remove an exclude route attached to a routing entry
353 */
354 static void remove_exclude_route(private_kernel_libipsec_ipsec_t *this,
355 route_entry_t *route)
356 {
357 char *if_name = NULL;
358 host_t *dst;
359
360 if (!route->exclude || --route->exclude->refs > 0)
361 {
362 return;
363 }
364 this->excludes->remove(this->excludes, route->exclude, NULL);
365
366 dst = route->exclude->dst;
367 DBG2(DBG_KNL, "uninstalling exclude route for %H src %H",
368 dst, route->exclude->src);
369 if (hydra->kernel_interface->get_interface(
370 hydra->kernel_interface,
371 route->exclude->src, &if_name) &&
372 hydra->kernel_interface->del_route(hydra->kernel_interface,
373 dst->get_address(dst),
374 dst->get_family(dst) == AF_INET ? 32 : 128,
375 route->exclude->gtw, route->exclude->src,
376 if_name) != SUCCESS)
377 {
378 DBG1(DBG_KNL, "uninstalling exclude route for %H failed", dst);
379 }
380 exclude_route_destroy(route->exclude);
381 route->exclude = NULL;
382 free(if_name);
383 }
384
385 /**
386 * Install a route for the given policy
387 *
388 * this->mutex is released by this function
389 */
390 static bool install_route(private_kernel_libipsec_ipsec_t *this,
391 host_t *src, host_t *dst, traffic_selector_t *src_ts,
392 traffic_selector_t *dst_ts, policy_entry_t *policy)
393 {
394 route_entry_t *route, *old;
395 host_t *src_ip;
396 bool is_virtual;
397
398 if (policy->direction != POLICY_OUT)
399 {
400 this->mutex->unlock(this->mutex);
401 return TRUE;
402 }
403
404 if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
405 src_ts, &src_ip, &is_virtual) != SUCCESS)
406 {
407 traffic_selector_t *multicast, *broadcast = NULL;
408 bool ignore = FALSE;
409
410 this->mutex->unlock(this->mutex);
411 switch (src_ts->get_type(src_ts))
412 {
413 case TS_IPV4_ADDR_RANGE:
414 multicast = traffic_selector_create_from_cidr("224.0.0.0/4",
415 0, 0, 0xffff);
416 broadcast = traffic_selector_create_from_cidr("255.255.255.255/32",
417 0, 0, 0xffff);
418 break;
419 case TS_IPV6_ADDR_RANGE:
420 multicast = traffic_selector_create_from_cidr("ff00::/8",
421 0, 0, 0xffff);
422 break;
423 default:
424 return FALSE;
425 }
426 ignore = src_ts->is_contained_in(src_ts, multicast);
427 ignore |= broadcast && src_ts->is_contained_in(src_ts, broadcast);
428 multicast->destroy(multicast);
429 DESTROY_IF(broadcast);
430 if (!ignore)
431 {
432 DBG1(DBG_KNL, "error installing route with policy %R === %R %N",
433 src_ts, dst_ts, policy_dir_names, policy->direction);
434 }
435 return ignore;
436 }
437
438 INIT(route,
439 .if_name = router->get_tun_name(router, is_virtual ? src_ip : NULL),
440 .src_ip = src_ip,
441 .dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net)),
442 .prefixlen = policy->dst.mask,
443 );
444 #ifndef __linux__
445 /* on Linux we cant't install a gateway */
446 route->gateway = hydra->kernel_interface->get_nexthop(
447 hydra->kernel_interface, dst, src);
448 #endif
449
450 if (policy->route)
451 {
452 old = policy->route;
453
454 if (route_entry_equals(old, route))
455 { /* such a route already exists */
456 route_entry_destroy(route);
457 this->mutex->unlock(this->mutex);
458 return TRUE;
459 }
460 /* uninstall previously installed route */
461 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
462 old->dst_net, old->prefixlen, old->gateway,
463 old->src_ip, old->if_name) != SUCCESS)
464 {
465 DBG1(DBG_KNL, "error uninstalling route installed with policy "
466 "%R === %R %N", src_ts, dst_ts, policy_dir_names,
467 policy->direction);
468 }
469 route_entry_destroy(old);
470 policy->route = NULL;
471 }
472
473 if (!this->allow_peer_ts && dst_ts->is_host(dst_ts, dst))
474 {
475 DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts with "
476 "IKE traffic", src_ts, dst_ts, policy_dir_names,
477 policy->direction);
478 route_entry_destroy(route);
479 this->mutex->unlock(this->mutex);
480 return FALSE;
481 }
482 /* if remote traffic selector covers the IKE peer, add an exclude route */
483 if (!this->allow_peer_ts && dst_ts->includes(dst_ts, dst))
484 {
485 /* add exclude route for peer */
486 add_exclude_route(this, route, src, dst);
487 }
488
489 DBG2(DBG_KNL, "installing route: %R src %H dev %s",
490 dst_ts, route->src_ip, route->if_name);
491
492 switch (hydra->kernel_interface->add_route(hydra->kernel_interface,
493 route->dst_net, route->prefixlen, route->gateway,
494 route->src_ip, route->if_name))
495 {
496 case ALREADY_DONE:
497 /* route exists, do not uninstall */
498 remove_exclude_route(this, route);
499 route_entry_destroy(route);
500 this->mutex->unlock(this->mutex);
501 return TRUE;
502 case SUCCESS:
503 /* cache the installed route */
504 policy->route = route;
505 this->mutex->unlock(this->mutex);
506 return TRUE;
507 default:
508 DBG1(DBG_KNL, "installing route failed: %R src %H dev %s",
509 dst_ts, route->src_ip, route->if_name);
510 remove_exclude_route(this, route);
511 route_entry_destroy(route);
512 this->mutex->unlock(this->mutex);
513 return FALSE;
514 }
515 }
516
517 METHOD(kernel_ipsec_t, add_policy, status_t,
518 private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
519 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
520 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
521 policy_priority_t priority)
522 {
523 policy_entry_t *policy, *found = NULL;
524 status_t status;
525
526 if (type != POLICY_IPSEC)
527 {
528 return SUCCESS;
529 }
530
531 status = ipsec->policies->add_policy(ipsec->policies, src, dst, src_ts,
532 dst_ts, direction, type, sa, mark, priority);
533 if (status != SUCCESS)
534 {
535 return status;
536 }
537 /* we track policies in order to install routes */
538 policy = create_policy_entry(src_ts, dst_ts, direction);
539
540 this->mutex->lock(this->mutex);
541 if (this->policies->find_first(this->policies,
542 (linked_list_match_t)policy_entry_equals,
543 (void**)&found, policy) == SUCCESS)
544 {
545 policy_entry_destroy(policy);
546 policy = found;
547 }
548 else
549 { /* use the new one, if we have no such policy */
550 this->policies->insert_last(this->policies, policy);
551 }
552 policy->refs++;
553
554 if (!install_route(this, src, dst, src_ts, dst_ts, policy))
555 {
556 return FAILED;
557 }
558 return SUCCESS;
559 }
560
561 METHOD(kernel_ipsec_t, query_policy, status_t,
562 private_kernel_libipsec_ipsec_t *this, traffic_selector_t *src_ts,
563 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
564 time_t *use_time)
565 {
566 return NOT_SUPPORTED;
567 }
568
569 METHOD(kernel_ipsec_t, del_policy, status_t,
570 private_kernel_libipsec_ipsec_t *this, traffic_selector_t *src_ts,
571 traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
572 mark_t mark, policy_priority_t priority)
573 {
574 policy_entry_t *policy, *found = NULL;
575 status_t status;
576
577 status = ipsec->policies->del_policy(ipsec->policies, src_ts, dst_ts,
578 direction, reqid, mark, priority);
579
580 policy = create_policy_entry(src_ts, dst_ts, direction);
581
582 this->mutex->lock(this->mutex);
583 if (this->policies->find_first(this->policies,
584 (linked_list_match_t)policy_entry_equals,
585 (void**)&found, policy) != SUCCESS)
586 {
587 policy_entry_destroy(policy);
588 this->mutex->unlock(this->mutex);
589 return status;
590 }
591 policy_entry_destroy(policy);
592 policy = found;
593
594 if (--policy->refs > 0)
595 { /* policy is still in use */
596 this->mutex->unlock(this->mutex);
597 return status;
598 }
599
600 if (policy->route)
601 {
602 route_entry_t *route = policy->route;
603
604 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
605 route->dst_net, route->prefixlen, route->gateway, route->src_ip,
606 route->if_name) != SUCCESS)
607 {
608 DBG1(DBG_KNL, "error uninstalling route installed with "
609 "policy %R === %R %N", src_ts, dst_ts,
610 policy_dir_names, direction);
611 }
612 remove_exclude_route(this, route);
613 }
614 this->policies->remove(this->policies, policy, NULL);
615 policy_entry_destroy(policy);
616 this->mutex->unlock(this->mutex);
617 return status;
618 }
619
620 METHOD(kernel_ipsec_t, flush_policies, status_t,
621 private_kernel_libipsec_ipsec_t *this)
622 {
623 policy_entry_t *pol;
624 status_t status;
625
626 status = ipsec->policies->flush_policies(ipsec->policies);
627
628 this->mutex->lock(this->mutex);
629 while (this->policies->remove_first(this->policies, (void*)&pol) == SUCCESS)
630 {
631 if (pol->route)
632 {
633 route_entry_t *route = pol->route;
634
635 hydra->kernel_interface->del_route(hydra->kernel_interface,
636 route->dst_net, route->prefixlen, route->gateway,
637 route->src_ip, route->if_name);
638 remove_exclude_route(this, route);
639 }
640 policy_entry_destroy(pol);
641 }
642 this->mutex->unlock(this->mutex);
643 return status;
644 }
645
646 METHOD(kernel_ipsec_t, bypass_socket, bool,
647 private_kernel_libipsec_ipsec_t *this, int fd, int family)
648 {
649 /* we use exclude routes for this */
650 return NOT_SUPPORTED;
651 }
652
653 METHOD(kernel_ipsec_t, enable_udp_decap, bool,
654 private_kernel_libipsec_ipsec_t *this, int fd, int family, u_int16_t port)
655 {
656 return NOT_SUPPORTED;
657 }
658
659 METHOD(kernel_ipsec_t, destroy, void,
660 private_kernel_libipsec_ipsec_t *this)
661 {
662 ipsec->events->unregister_listener(ipsec->events, &this->ipsec_listener);
663 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
664 this->excludes->destroy(this->excludes);
665 this->mutex->destroy(this->mutex);
666 free(this);
667 }
668
669 /*
670 * Described in header.
671 */
672 kernel_libipsec_ipsec_t *kernel_libipsec_ipsec_create()
673 {
674 private_kernel_libipsec_ipsec_t *this;
675
676 INIT(this,
677 .public = {
678 .interface = {
679 .get_features = _get_features,
680 .get_spi = _get_spi,
681 .get_cpi = _get_cpi,
682 .add_sa = _add_sa,
683 .update_sa = _update_sa,
684 .query_sa = _query_sa,
685 .del_sa = _del_sa,
686 .flush_sas = _flush_sas,
687 .add_policy = _add_policy,
688 .query_policy = _query_policy,
689 .del_policy = _del_policy,
690 .flush_policies = _flush_policies,
691 .bypass_socket = _bypass_socket,
692 .enable_udp_decap = _enable_udp_decap,
693 .destroy = _destroy,
694 },
695 },
696 .ipsec_listener = {
697 .expire = expire,
698 },
699 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
700 .policies = linked_list_create(),
701 .excludes = linked_list_create(),
702 .allow_peer_ts = lib->settings->get_bool(lib->settings,
703 "%s.plugins.kernel-libipsec.allow_peer_ts", FALSE, hydra->daemon),
704 );
705
706 ipsec->events->register_listener(ipsec->events, &this->ipsec_listener);
707
708 return &this->public;
709 };