2 * Copyright (C) 2008-2018 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * HSR Hochschule fuer Technik Rapperswil
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * Copyright (C) 2014 Nanoteq Pty Ltd
19 * Permission is hereby granted, free of charge, to any person obtaining a copy
20 * of this software and associated documentation files (the "Software"), to deal
21 * in the Software without restriction, including without limitation the rights
22 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
23 * copies of the Software, and to permit persons to whom the Software is
24 * furnished to do so, subject to the following conditions:
26 * The above copyright notice and this permission notice shall be included in
27 * all copies or substantial portions of the Software.
29 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
30 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
31 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
32 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
33 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
34 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
39 #include <sys/types.h>
40 #include <sys/socket.h>
43 #include <limits.h> /* for LONG_MAX */
46 #ifdef HAVE_NET_PFKEYV2_H
47 #include <net/pfkeyv2.h>
49 #include <linux/pfkeyv2.h>
52 #ifdef SADB_X_EXT_NAT_T_TYPE
56 #ifdef HAVE_NETIPSEC_IPSEC_H
57 #include <netipsec/ipsec.h>
58 #elif defined(HAVE_NETINET6_IPSEC_H)
59 #include <netinet6/ipsec.h>
61 #include <linux/ipsec.h>
65 #ifdef HAVE_LINUX_UDP_H
66 #include <linux/udp.h>
68 #include <netinet/udp.h>
69 #endif /*HAVE_LINUX_UDP_H*/
76 #include <sys/sysctl.h>
79 #include "kernel_pfkey_ipsec.h"
82 #include <utils/debug.h>
83 #include <networking/host.h>
84 #include <collections/linked_list.h>
85 #include <collections/hashtable.h>
86 #include <threading/mutex.h>
88 /** non linux specific */
91 #define IPPROTO_COMP IPPROTO_IPCOMP
95 #ifndef SADB_X_AALG_SHA2_256HMAC
96 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
97 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
98 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
101 #ifndef SADB_X_EALG_AESCBC
102 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
105 #ifndef SADB_X_EALG_CASTCBC
106 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
109 #if !defined(SADB_X_EALG_AES_GCM_ICV8) && defined(SADB_X_EALG_AESGCM8)
110 #define SADB_X_EALG_AES_GCM_ICV8 SADB_X_EALG_AESGCM8
111 #define SADB_X_EALG_AES_GCM_ICV12 SADB_X_EALG_AESGCM12
112 #define SADB_X_EALG_AES_GCM_ICV16 SADB_X_EALG_AESGCM16
116 #define SOL_IP IPPROTO_IP
117 #define SOL_IPV6 IPPROTO_IPV6
120 /** from linux/in.h */
121 #ifndef IP_IPSEC_POLICY
122 #define IP_IPSEC_POLICY 16
125 /** missing on uclibc */
126 #ifndef IPV6_IPSEC_POLICY
127 #define IPV6_IPSEC_POLICY 34
130 /* from linux/udp.h */
132 #define UDP_ENCAP 100
135 #ifndef UDP_ENCAP_ESPINUDP
136 #define UDP_ENCAP_ESPINUDP 2
139 /* this is not defined on some platforms */
141 #define SOL_UDP IPPROTO_UDP
144 /** Base priority for installed policies */
145 #define PRIO_BASE 200000
148 /** from xnu/bsd/net/pfkeyv2.h */
149 #define SADB_X_EXT_NATT 0x002
152 uint16_t sadb_sa_natt_port
;
153 uint16_t sadb_reserved0
;
154 uint32_t sadb_reserved1
;
158 /** buffer size for PF_KEY messages */
159 #define PFKEY_BUFFER_SIZE 4096
161 /** PF_KEY messages are 64 bit aligned */
162 #define PFKEY_ALIGNMENT 8
163 /** aligns len to 64 bits */
164 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
165 /** calculates the properly padded length in 64 bit chunks */
166 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
167 /** calculates user mode length i.e. in bytes */
168 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
170 /** given a PF_KEY message header and an extension this updates the length in the header */
171 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
172 /** given a PF_KEY message header this returns a pointer to the next extension */
173 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
174 /** copy an extension and append it to a PF_KEY message */
175 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
176 /** given a PF_KEY extension this returns a pointer to the next extension */
177 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
178 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
179 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
180 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
181 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
182 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
183 (ext)->sadb_ext_len <= (len))
185 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t
;
188 * Private variables and functions of kernel_pfkey class.
190 struct private_kernel_pfkey_ipsec_t
193 * Public part of the kernel_pfkey_t object.
195 kernel_pfkey_ipsec_t
public;
198 * mutex to lock access to various lists
203 * List of installed policies (policy_entry_t)
205 linked_list_t
*policies
;
208 * List of exclude routes (exclude_route_t)
210 linked_list_t
*excludes
;
213 * Hash table of IPsec SAs using policies (ipsec_sa_t)
218 * whether to install routes along policies
223 * whether to install the route via internal interface
225 bool route_via_internal
;
228 * mutex to lock access to the PF_KEY socket
230 mutex_t
*mutex_pfkey
;
233 * PF_KEY socket to communicate with the kernel
238 * PF_KEY socket to receive acquire and expire events
243 * sequence number for messages sent to the kernel
248 typedef struct exclude_route_t exclude_route_t
;
251 * Exclude route definition
253 struct exclude_route_t
{
254 /** destination address of exclude */
256 /** source address for route */
258 /** nexthop exclude has been installed */
260 /** references to this route */
265 * clean up a route exclude entry
267 static void exclude_route_destroy(exclude_route_t
*this)
269 this->dst
->destroy(this->dst
);
270 this->src
->destroy(this->src
);
271 this->gtw
->destroy(this->gtw
);
275 typedef struct route_entry_t route_entry_t
;
278 * installed routing entry
280 struct route_entry_t
{
281 /** name of the interface the route is bound to */
284 /** source ip of the route */
287 /** gateway for this route */
290 /** destination net */
293 /** destination net prefixlen */
296 /** reference to exclude route, if any */
297 exclude_route_t
*exclude
;
301 * destroy an route_entry_t object
303 static void route_entry_destroy(route_entry_t
*this)
306 DESTROY_IF(this->src_ip
);
307 DESTROY_IF(this->gateway
);
308 chunk_free(&this->dst_net
);
313 * compare two route_entry_t objects
315 static bool route_entry_equals(route_entry_t
*a
, route_entry_t
*b
)
317 return a
->if_name
&& b
->if_name
&& streq(a
->if_name
, b
->if_name
) &&
318 a
->src_ip
->ip_equals(a
->src_ip
, b
->src_ip
) &&
319 a
->gateway
&& b
->gateway
&&
320 a
->gateway
->ip_equals(a
->gateway
, b
->gateway
) &&
321 chunk_equals(a
->dst_net
, b
->dst_net
) && a
->prefixlen
== b
->prefixlen
;
324 typedef struct ipsec_sa_t ipsec_sa_t
;
327 * IPsec SA assigned to a policy.
330 /** Source address of this SA */
333 /** Destination address of this SA */
336 /** Description of this SA */
339 /** Reference count for this SA */
344 * Hash function for ipsec_sa_t objects
346 static u_int
ipsec_sa_hash(ipsec_sa_t
*sa
)
348 return chunk_hash_inc(sa
->src
->get_address(sa
->src
),
349 chunk_hash_inc(sa
->dst
->get_address(sa
->dst
),
350 chunk_hash(chunk_from_thing(sa
->cfg
))));
354 * Equality function for ipsec_sa_t objects
356 static bool ipsec_sa_equals(ipsec_sa_t
*sa
, ipsec_sa_t
*other_sa
)
358 return sa
->src
->ip_equals(sa
->src
, other_sa
->src
) &&
359 sa
->dst
->ip_equals(sa
->dst
, other_sa
->dst
) &&
360 ipsec_sa_cfg_equals(&sa
->cfg
, &other_sa
->cfg
);
364 * Allocate or reference an IPsec SA object
366 static ipsec_sa_t
*ipsec_sa_create(private_kernel_pfkey_ipsec_t
*this,
367 host_t
*src
, host_t
*dst
,
370 ipsec_sa_t
*sa
, *found
;
376 found
= this->sas
->get(this->sas
, sa
);
379 sa
->src
= src
->clone(src
);
380 sa
->dst
= dst
->clone(dst
);
381 this->sas
->put(this->sas
, sa
, sa
);
388 ref_get(&sa
->refcount
);
393 * Release and destroy an IPsec SA object
395 static void ipsec_sa_destroy(private_kernel_pfkey_ipsec_t
*this,
398 if (ref_put(&sa
->refcount
))
400 this->sas
->remove(this->sas
, sa
);
407 typedef struct policy_sa_t policy_sa_t
;
408 typedef struct policy_sa_out_t policy_sa_out_t
;
411 * Mapping between a policy and an IPsec SA.
414 /** Priority assigned to the policy when installed with this SA */
417 /** Base priority assigned to the policy when installed with this SA */
418 uint32_t auto_priority
;
420 /** Type of the policy */
428 * For outbound policies we also cache the traffic selectors in order to install
431 struct policy_sa_out_t
{
432 /** Generic interface */
435 /** Source traffic selector of this policy */
436 traffic_selector_t
*src_ts
;
438 /** Destination traffic selector of this policy */
439 traffic_selector_t
*dst_ts
;
443 * Create a policy_sa(_in)_t object
445 static policy_sa_t
*policy_sa_create(private_kernel_pfkey_ipsec_t
*this,
446 policy_dir_t dir
, policy_type_t type
, host_t
*src
, host_t
*dst
,
447 traffic_selector_t
*src_ts
, traffic_selector_t
*dst_ts
, ipsec_sa_cfg_t
*cfg
)
451 if (dir
== POLICY_OUT
)
453 policy_sa_out_t
*out
;
455 .src_ts
= src_ts
->clone(src_ts
),
456 .dst_ts
= dst_ts
->clone(dst_ts
),
458 policy
= &out
->generic
;
462 INIT(policy
, .priority
= 0);
465 policy
->sa
= ipsec_sa_create(this, src
, dst
, cfg
);
470 * Destroy a policy_sa(_in)_t object
472 static void policy_sa_destroy(policy_sa_t
*policy
, policy_dir_t dir
,
473 private_kernel_pfkey_ipsec_t
*this)
475 if (dir
== POLICY_OUT
)
477 policy_sa_out_t
*out
= (policy_sa_out_t
*)policy
;
478 out
->src_ts
->destroy(out
->src_ts
);
479 out
->dst_ts
->destroy(out
->dst_ts
);
481 ipsec_sa_destroy(this, policy
->sa
);
485 CALLBACK(policy_sa_destroy_cb
, void,
486 policy_sa_t
*policy
, va_list args
)
488 private_kernel_pfkey_ipsec_t
*this;
491 VA_ARGS_VGET(args
, dir
, this);
492 policy_sa_destroy(policy
, dir
, this);
495 typedef struct policy_entry_t policy_entry_t
;
498 * installed kernel policy.
500 struct policy_entry_t
{
501 /** Index assigned by the kernel */
504 /** Direction of this policy: in, out, forward */
507 /** Parameters of installed policy */
509 /** Subnet and port */
517 /** Associated route installed for this policy */
518 route_entry_t
*route
;
520 /** List of SAs this policy is used by, ordered by priority */
521 linked_list_t
*used_by
;
525 * Create a policy_entry_t object
527 static policy_entry_t
*create_policy_entry(traffic_selector_t
*src_ts
,
528 traffic_selector_t
*dst_ts
,
531 policy_entry_t
*policy
;
538 src_ts
->to_subnet(src_ts
, &policy
->src
.net
, &policy
->src
.mask
);
539 dst_ts
->to_subnet(dst_ts
, &policy
->dst
.net
, &policy
->dst
.mask
);
541 /* src or dest proto may be "any" (0), use more restrictive one */
542 proto
= max(src_ts
->get_protocol(src_ts
), dst_ts
->get_protocol(dst_ts
));
543 /* map the ports to ICMP type/code how the Linux kernel expects them, that
544 * is, type in src, code in dst */
545 if (proto
== IPPROTO_ICMP
|| proto
== IPPROTO_ICMPV6
)
547 port
= max(policy
->src
.net
->get_port(policy
->src
.net
),
548 policy
->dst
.net
->get_port(policy
->dst
.net
));
549 policy
->src
.net
->set_port(policy
->src
.net
,
550 traffic_selector_icmp_type(port
));
551 policy
->dst
.net
->set_port(policy
->dst
.net
,
552 traffic_selector_icmp_code(port
));
556 proto
= IPSEC_PROTO_ANY
;
558 policy
->src
.proto
= policy
->dst
.proto
= proto
;
564 * Destroy a policy_entry_t object
566 static void policy_entry_destroy(policy_entry_t
*policy
,
567 private_kernel_pfkey_ipsec_t
*this)
571 route_entry_destroy(policy
->route
);
575 policy
->used_by
->invoke_function(policy
->used_by
, policy_sa_destroy_cb
,
576 policy
->direction
, this);
577 policy
->used_by
->destroy(policy
->used_by
);
579 DESTROY_IF(policy
->src
.net
);
580 DESTROY_IF(policy
->dst
.net
);
584 CALLBACK(policy_entry_destroy_cb
, void,
585 policy_entry_t
*policy
, va_list args
)
587 private_kernel_pfkey_ipsec_t
*this;
589 VA_ARGS_VGET(args
, this);
590 policy_entry_destroy(policy
, this);
593 CALLBACK(policy_entry_equals
, bool,
594 policy_entry_t
*current
, va_list args
)
596 policy_entry_t
*policy
;
598 VA_ARGS_VGET(args
, policy
);
599 return current
->direction
== policy
->direction
&&
600 current
->src
.proto
== policy
->src
.proto
&&
601 current
->dst
.proto
== policy
->dst
.proto
&&
602 current
->src
.mask
== policy
->src
.mask
&&
603 current
->dst
.mask
== policy
->dst
.mask
&&
604 current
->src
.net
->equals(current
->src
.net
, policy
->src
.net
) &&
605 current
->dst
.net
->equals(current
->dst
.net
, policy
->dst
.net
);
608 CALLBACK(policy_entry_match_byindex
, bool,
609 policy_entry_t
*current
, va_list args
)
613 VA_ARGS_VGET(args
, index
);
614 return current
->index
== index
;
618 * Calculate the priority of a policy
620 * This is the same formula we use in the kernel-netlink interface, but some
621 * features are currently not or only partially supported by PF_KEY.
623 * bits 0-0: separate trap and regular policies (0..1) 1 bit
624 * bits 1-1: reserved for interface restriction (0..1) 1 bit
625 * bits 2-7: src + dst port mask bits (2 * 0..16) 6 bits
626 * bits 8-8: restriction to protocol (0..1) 1 bit
627 * bits 9-17: src + dst network mask bits (2 * 0..128) 9 bits
630 * smallest value: 000000000 0 000000 0 0: 0, lowest priority = 100'000
631 * largest value : 100000000 1 100000 0 1: 131'457, highst priority = 68'543
633 static inline uint32_t get_priority(policy_entry_t
*policy
,
634 policy_priority_t prio
)
636 uint32_t priority
= PRIO_BASE
;
640 case POLICY_PRIORITY_FALLBACK
:
641 priority
+= PRIO_BASE
;
643 case POLICY_PRIORITY_ROUTED
:
644 case POLICY_PRIORITY_DEFAULT
:
645 priority
+= PRIO_BASE
;
647 case POLICY_PRIORITY_PASS
:
651 /* calculate priority */
652 priority
-= (policy
->src
.mask
+ policy
->dst
.mask
) * 512;
653 priority
-= policy
->src
.proto
!= IPSEC_PROTO_ANY ?
256 : 0;
654 priority
-= policy
->src
.net
->get_port(policy
->src
.net
) ?
64 : 0;
655 priority
-= policy
->dst
.net
->get_port(policy
->dst
.net
) ?
64 : 0;
656 priority
-= (prio
!= POLICY_PRIORITY_ROUTED
);
660 typedef struct pfkey_msg_t pfkey_msg_t
;
665 * PF_KEY message base
667 struct sadb_msg
*msg
;
670 * PF_KEY message extensions
673 struct sadb_ext
*ext
[SADB_EXT_MAX
+ 1];
675 struct sadb_ext
*reserved
; /* SADB_EXT_RESERVED */
676 struct sadb_sa
*sa
; /* SADB_EXT_SA */
677 struct sadb_lifetime
*lft_current
; /* SADB_EXT_LIFETIME_CURRENT */
678 struct sadb_lifetime
*lft_hard
; /* SADB_EXT_LIFETIME_HARD */
679 struct sadb_lifetime
*lft_soft
; /* SADB_EXT_LIFETIME_SOFT */
680 struct sadb_address
*src
; /* SADB_EXT_ADDRESS_SRC */
681 struct sadb_address
*dst
; /* SADB_EXT_ADDRESS_DST */
682 struct sadb_address
*proxy
; /* SADB_EXT_ADDRESS_PROXY */
683 struct sadb_key
*key_auth
; /* SADB_EXT_KEY_AUTH */
684 struct sadb_key
*key_encr
; /* SADB_EXT_KEY_ENCRYPT */
685 struct sadb_ident
*id_src
; /* SADB_EXT_IDENTITY_SRC */
686 struct sadb_ident
*id_dst
; /* SADB_EXT_IDENTITY_DST */
687 struct sadb_sens
*sensitivity
; /* SADB_EXT_SENSITIVITY */
688 struct sadb_prop
*proposal
; /* SADB_EXT_PROPOSAL */
689 struct sadb_supported
*supported_auth
; /* SADB_EXT_SUPPORTED_AUTH */
690 struct sadb_supported
*supported_encr
; /* SADB_EXT_SUPPORTED_ENCRYPT */
691 struct sadb_spirange
*spirange
; /* SADB_EXT_SPIRANGE */
692 struct sadb_x_kmprivate
*x_kmprivate
; /* SADB_X_EXT_KMPRIVATE */
693 struct sadb_x_policy
*x_policy
; /* SADB_X_EXT_POLICY */
694 struct sadb_x_sa2
*x_sa2
; /* SADB_X_EXT_SA2 */
695 struct sadb_x_nat_t_type
*x_natt_type
; /* SADB_X_EXT_NAT_T_TYPE */
696 struct sadb_x_nat_t_port
*x_natt_sport
; /* SADB_X_EXT_NAT_T_SPORT */
697 struct sadb_x_nat_t_port
*x_natt_dport
; /* SADB_X_EXT_NAT_T_DPORT */
698 struct sadb_address
*x_natt_oa
; /* SADB_X_EXT_NAT_T_OA */
699 struct sadb_x_sec_ctx
*x_sec_ctx
; /* SADB_X_EXT_SEC_CTX */
700 struct sadb_x_kmaddress
*x_kmaddress
; /* SADB_X_EXT_KMADDRESS */
701 } __attribute__((__packed__
));
705 ENUM(sadb_ext_type_names
, SADB_EXT_RESERVED
, SADB_EXT_MAX
,
708 "SADB_EXT_LIFETIME_CURRENT",
709 "SADB_EXT_LIFETIME_HARD",
710 "SADB_EXT_LIFETIME_SOFT",
711 "SADB_EXT_ADDRESS_SRC",
712 "SADB_EXT_ADDRESS_DST",
713 "SADB_EXT_ADDRESS_PROXY",
715 "SADB_EXT_KEY_ENCRYPT",
716 "SADB_EXT_IDENTITY_SRC",
717 "SADB_EXT_IDENTITY_DST",
718 "SADB_EXT_SENSITIVITY",
720 "SADB_EXT_SUPPORTED_AUTH",
721 "SADB_EXT_SUPPORTED_ENCRYPT",
723 "SADB_X_EXT_KMPRIVATE",
726 "SADB_X_EXT_NAT_T_TYPE",
727 "SADB_X_EXT_NAT_T_SPORT",
728 "SADB_X_EXT_NAT_T_DPORT",
729 "SADB_X_EXT_NAT_T_OA",
730 "SADB_X_EXT_SEC_CTX",
731 "SADB_X_EXT_KMADDRESS"
735 * convert a protocol identifier to the PF_KEY sa type
737 static uint8_t proto2satype(uint8_t proto
)
742 return SADB_SATYPE_ESP
;
744 return SADB_SATYPE_AH
;
746 return SADB_X_SATYPE_IPCOMP
;
753 * convert a PF_KEY sa type to a protocol identifier
755 static uint8_t satype2proto(uint8_t satype
)
759 case SADB_SATYPE_ESP
:
763 case SADB_X_SATYPE_IPCOMP
:
771 * convert the general ipsec mode to the one defined in ipsec.h
773 static uint8_t mode2kernel(ipsec_mode_t mode
)
778 return IPSEC_MODE_TRANSPORT
;
780 return IPSEC_MODE_TUNNEL
;
781 #ifdef HAVE_IPSEC_MODE_BEET
783 return IPSEC_MODE_BEET
;
791 * convert the general policy direction to the one defined in ipsec.h
793 static uint8_t dir2kernel(policy_dir_t dir
)
798 return IPSEC_DIR_INBOUND
;
800 return IPSEC_DIR_OUTBOUND
;
801 #ifdef HAVE_IPSEC_DIR_FWD
803 return IPSEC_DIR_FWD
;
806 return IPSEC_DIR_INVALID
;
811 * convert the policy type to the one defined in ipsec.h
813 static inline uint16_t type2kernel(policy_type_t type
)
818 return IPSEC_POLICY_IPSEC
;
820 return IPSEC_POLICY_NONE
;
822 return IPSEC_POLICY_DISCARD
;
827 #ifdef SADB_X_MIGRATE
829 * convert the policy direction in ipsec.h to the general one.
831 static policy_dir_t
kernel2dir(uint8_t dir
)
835 case IPSEC_DIR_INBOUND
:
837 case IPSEC_DIR_OUTBOUND
:
839 #ifdef HAVE_IPSEC_DIR_FWD
847 #endif /*SADB_X_MIGRATE*/
849 typedef struct kernel_algorithm_t kernel_algorithm_t
;
852 * Mapping of IKEv2 algorithms to PF_KEY algorithms
854 struct kernel_algorithm_t
{
856 * Identifier specified in IKEv2
861 * Identifier as defined in pfkeyv2.h
866 #define END_OF_LIST -1
869 * Algorithms for encryption
871 static kernel_algorithm_t encryption_algs
[] = {
872 /* {ENCR_DES_IV64, 0 }, */
873 {ENCR_DES
, SADB_EALG_DESCBC
},
874 {ENCR_3DES
, SADB_EALG_3DESCBC
},
875 /* {ENCR_RC5, 0 }, */
876 /* {ENCR_IDEA, 0 }, */
877 {ENCR_CAST
, SADB_X_EALG_CASTCBC
},
878 {ENCR_BLOWFISH
, SADB_X_EALG_BLOWFISHCBC
},
879 /* {ENCR_3IDEA, 0 }, */
880 /* {ENCR_DES_IV32, 0 }, */
881 {ENCR_NULL
, SADB_EALG_NULL
},
882 {ENCR_AES_CBC
, SADB_X_EALG_AESCBC
},
883 #ifdef SADB_X_EALG_AESCTR
884 {ENCR_AES_CTR
, SADB_X_EALG_AESCTR
},
886 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
887 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
888 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
889 #ifdef SADB_X_EALG_AES_GCM_ICV8 /* assume the others are defined too */
890 {ENCR_AES_GCM_ICV8
, SADB_X_EALG_AES_GCM_ICV8
},
891 {ENCR_AES_GCM_ICV12
, SADB_X_EALG_AES_GCM_ICV12
},
892 {ENCR_AES_GCM_ICV16
, SADB_X_EALG_AES_GCM_ICV16
},
893 #elif defined(SADB_X_EALG_AES_GCM) /* macOS */
894 {ENCR_AES_GCM_ICV16
, SADB_X_EALG_AES_GCM
},
896 #ifdef SADB_X_EALG_CAMELLIACBC
897 {ENCR_CAMELLIA_CBC
, SADB_X_EALG_CAMELLIACBC
},
899 #ifdef SADB_X_EALG_CHACHA20POLY1305
900 {ENCR_CHACHA20_POLY1305
, SADB_X_EALG_CHACHA20POLY1305
},
906 * Algorithms for integrity protection
908 static kernel_algorithm_t integrity_algs
[] = {
909 {AUTH_HMAC_MD5_96
, SADB_AALG_MD5HMAC
},
910 {AUTH_HMAC_SHA1_96
, SADB_AALG_SHA1HMAC
},
911 {AUTH_HMAC_SHA2_256_128
, SADB_X_AALG_SHA2_256HMAC
},
912 {AUTH_HMAC_SHA2_384_192
, SADB_X_AALG_SHA2_384HMAC
},
913 {AUTH_HMAC_SHA2_512_256
, SADB_X_AALG_SHA2_512HMAC
},
914 /* {AUTH_DES_MAC, 0, }, */
915 /* {AUTH_KPDK_MD5, 0, }, */
916 #ifdef SADB_X_AALG_AES_XCBC_MAC
917 {AUTH_AES_XCBC_96
, SADB_X_AALG_AES_XCBC_MAC
, },
923 * Algorithms for IPComp, unused yet
925 static kernel_algorithm_t compression_algs
[] = {
926 /* {IPCOMP_OUI, 0 }, */
927 {IPCOMP_DEFLATE
, SADB_X_CALG_DEFLATE
},
928 #ifdef SADB_X_CALG_LZS
929 {IPCOMP_LZS
, SADB_X_CALG_LZS
},
931 #ifdef SADB_X_CALG_LZJH
932 {IPCOMP_LZJH
, SADB_X_CALG_LZJH
},
938 * Look up a kernel algorithm ID and its key size
940 static int lookup_algorithm(transform_type_t type
, int ikev2
)
942 kernel_algorithm_t
*list
;
947 case ENCRYPTION_ALGORITHM
:
948 list
= encryption_algs
;
950 case INTEGRITY_ALGORITHM
:
951 list
= integrity_algs
;
953 case COMPRESSION_ALGORITHM
:
954 list
= compression_algs
;
959 while (list
->ikev2
!= END_OF_LIST
)
961 if (ikev2
== list
->ikev2
)
967 charon
->kernel
->lookup_algorithm(charon
->kernel
, ikev2
, type
, &alg
, NULL
);
972 * Helper to set a port in a sockaddr_t, the port has to be in host order
974 static void set_port(sockaddr_t
*addr
, uint16_t port
)
976 switch (addr
->sa_family
)
980 struct sockaddr_in
*sin
= (struct sockaddr_in
*)addr
;
981 sin
->sin_port
= htons(port
);
986 struct sockaddr_in6
*sin6
= (struct sockaddr_in6
*)addr
;
987 sin6
->sin6_port
= htons(port
);
994 * Copy a host_t as sockaddr_t to the given memory location.
995 * @return the number of bytes copied
997 static size_t hostcpy(void *dest
, host_t
*host
, bool include_port
)
999 sockaddr_t
*addr
= host
->get_sockaddr(host
), *dest_addr
= dest
;
1000 socklen_t
*len
= host
->get_sockaddr_len(host
);
1002 memcpy(dest
, addr
, *len
);
1003 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
1004 dest_addr
->sa_len
= *len
;
1008 set_port(dest_addr
, 0);
1014 * add a host to the given sadb_msg
1016 static void add_addr_ext(struct sadb_msg
*msg
, host_t
*host
, uint16_t type
,
1017 uint8_t proto
, uint8_t prefixlen
, bool include_port
)
1019 struct sadb_address
*addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1022 addr
->sadb_address_exttype
= type
;
1023 addr
->sadb_address_proto
= proto
;
1024 addr
->sadb_address_prefixlen
= prefixlen
;
1025 len
= hostcpy(addr
+ 1, host
, include_port
);
1026 addr
->sadb_address_len
= PFKEY_LEN(sizeof(*addr
) + len
);
1027 PFKEY_EXT_ADD(msg
, addr
);
1032 * add udp encap extensions to a sadb_msg
1034 static void add_encap_ext(struct sadb_msg
*msg
, host_t
*src
, host_t
*dst
)
1036 struct sadb_x_nat_t_type
* nat_type
;
1037 struct sadb_x_nat_t_port
* nat_port
;
1039 nat_type
= (struct sadb_x_nat_t_type
*)PFKEY_EXT_ADD_NEXT(msg
);
1040 nat_type
->sadb_x_nat_t_type_exttype
= SADB_X_EXT_NAT_T_TYPE
;
1041 nat_type
->sadb_x_nat_t_type_len
= PFKEY_LEN(sizeof(*nat_type
));
1042 nat_type
->sadb_x_nat_t_type_type
= UDP_ENCAP_ESPINUDP
;
1043 PFKEY_EXT_ADD(msg
, nat_type
);
1045 nat_port
= (struct sadb_x_nat_t_port
*)PFKEY_EXT_ADD_NEXT(msg
);
1046 nat_port
->sadb_x_nat_t_port_exttype
= SADB_X_EXT_NAT_T_SPORT
;
1047 nat_port
->sadb_x_nat_t_port_len
= PFKEY_LEN(sizeof(*nat_port
));
1048 nat_port
->sadb_x_nat_t_port_port
= htons(src
->get_port(src
));
1049 PFKEY_EXT_ADD(msg
, nat_port
);
1051 nat_port
= (struct sadb_x_nat_t_port
*)PFKEY_EXT_ADD_NEXT(msg
);
1052 nat_port
->sadb_x_nat_t_port_exttype
= SADB_X_EXT_NAT_T_DPORT
;
1053 nat_port
->sadb_x_nat_t_port_len
= PFKEY_LEN(sizeof(*nat_port
));
1054 nat_port
->sadb_x_nat_t_port_port
= htons(dst
->get_port(dst
));
1055 PFKEY_EXT_ADD(msg
, nat_port
);
1057 #endif /*HAVE_NATT*/
1060 * Convert a sadb_address to a traffic_selector
1062 static traffic_selector_t
* sadb_address2ts(struct sadb_address
*address
)
1064 traffic_selector_t
*ts
;
1068 proto
= address
->sadb_address_proto
;
1069 proto
= proto
== IPSEC_PROTO_ANY ?
0 : proto
;
1071 /* The Linux 2.6 kernel does not set the protocol and port information
1072 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
1074 host
= host_create_from_sockaddr((sockaddr_t
*)&address
[1]);
1075 ts
= traffic_selector_create_from_subnet(host
,
1076 address
->sadb_address_prefixlen
,
1077 proto
, host
->get_port(host
),
1078 host
->get_port(host
) ?
: 65535);
1083 * Parses a pfkey message received from the kernel
1085 static status_t
parse_pfkey_message(struct sadb_msg
*msg
, pfkey_msg_t
*out
)
1087 struct sadb_ext
* ext
;
1090 memset(out
, 0, sizeof(pfkey_msg_t
));
1093 len
= msg
->sadb_msg_len
;
1094 len
-= PFKEY_LEN(sizeof(struct sadb_msg
));
1096 ext
= (struct sadb_ext
*)(((char*)msg
) + sizeof(struct sadb_msg
));
1098 while (len
>= PFKEY_LEN(sizeof(struct sadb_ext
)))
1100 DBG3(DBG_KNL
, " %N", sadb_ext_type_names
, ext
->sadb_ext_type
);
1101 if (ext
->sadb_ext_len
< PFKEY_LEN(sizeof(struct sadb_ext
)) ||
1102 ext
->sadb_ext_len
> len
)
1104 DBG1(DBG_KNL
, "length of %N extension is invalid",
1105 sadb_ext_type_names
, ext
->sadb_ext_type
);
1109 if ((ext
->sadb_ext_type
> SADB_EXT_MAX
) || (!ext
->sadb_ext_type
))
1111 DBG1(DBG_KNL
, "type of PF_KEY extension (%d) is invalid",
1112 ext
->sadb_ext_type
);
1116 if (out
->ext
[ext
->sadb_ext_type
])
1118 DBG1(DBG_KNL
, "duplicate %N extension",
1119 sadb_ext_type_names
, ext
->sadb_ext_type
);
1123 out
->ext
[ext
->sadb_ext_type
] = ext
;
1124 ext
= PFKEY_EXT_NEXT_LEN(ext
, len
);
1129 DBG1(DBG_KNL
, "PF_KEY message length is invalid");
1137 * Send a message to a specific PF_KEY socket and handle the response.
1139 static status_t
pfkey_send_socket(private_kernel_pfkey_ipsec_t
*this, int socket
,
1140 struct sadb_msg
*in
, struct sadb_msg
**out
, size_t *out_len
)
1142 unsigned char buf
[PFKEY_BUFFER_SIZE
];
1143 struct sadb_msg
*msg
;
1146 this->mutex_pfkey
->lock(this->mutex_pfkey
);
1148 /* the kernel may broadcast messages not related to our requests (e.g. when
1149 * managing SAs and policies via an external tool), so let's clear the
1150 * receive buffer so there is room for our request and its reply. */
1153 len
= recv(socket
, buf
, sizeof(buf
), MSG_DONTWAIT
);
1158 { /* interrupted, try again */
1165 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
1166 * in particular the behavior in response to an SADB_ACQUIRE. */
1167 in
->sadb_msg_seq
= ++this->seq
;
1168 in
->sadb_msg_pid
= getpid();
1170 in_len
= PFKEY_USER_LEN(in
->sadb_msg_len
);
1174 len
= send(socket
, in
, in_len
, 0);
1180 /* interrupted, try again */
1183 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
1184 DBG1(DBG_KNL
, "error sending to PF_KEY socket: %s",
1193 msg
= (struct sadb_msg
*)buf
;
1195 len
= recv(socket
, buf
, sizeof(buf
), 0);
1201 DBG1(DBG_KNL
, "got interrupted");
1202 /* interrupted, try again */
1205 DBG1(DBG_KNL
, "error reading from PF_KEY socket: %s",
1207 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
1210 if (len
< sizeof(struct sadb_msg
) ||
1211 msg
->sadb_msg_len
< PFKEY_LEN(sizeof(struct sadb_msg
)))
1213 DBG1(DBG_KNL
, "received corrupted PF_KEY message");
1214 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
1217 if (msg
->sadb_msg_len
> len
/ PFKEY_ALIGNMENT
)
1219 DBG1(DBG_KNL
, "buffer was too small to receive the complete PF_KEY "
1221 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
1224 if (msg
->sadb_msg_pid
!= in
->sadb_msg_pid
)
1226 DBG2(DBG_KNL
, "received PF_KEY message is not intended for us");
1229 if (msg
->sadb_msg_seq
!= this->seq
)
1231 DBG2(DBG_KNL
, "received PF_KEY message with unexpected sequence "
1232 "number, was %d expected %d", msg
->sadb_msg_seq
,
1234 if (msg
->sadb_msg_seq
== 0)
1236 /* FreeBSD and Mac OS X do this for the response to
1237 * SADB_X_SPDGET (but not for the response to SADB_GET).
1238 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
1240 else if (msg
->sadb_msg_seq
< this->seq
)
1246 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
1250 if (msg
->sadb_msg_type
!= in
->sadb_msg_type
)
1252 DBG2(DBG_KNL
, "received PF_KEY message of wrong type, "
1253 "was %d expected %d, ignoring", msg
->sadb_msg_type
,
1260 *out
= (struct sadb_msg
*)malloc(len
);
1261 memcpy(*out
, buf
, len
);
1263 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
1268 * Send a message to the default PF_KEY socket and handle the response.
1270 static status_t
pfkey_send(private_kernel_pfkey_ipsec_t
*this,
1271 struct sadb_msg
*in
, struct sadb_msg
**out
,
1274 return pfkey_send_socket(this, this->socket
, in
, out
, out_len
);
1278 * Process a SADB_ACQUIRE message from the kernel
1280 static void process_acquire(private_kernel_pfkey_ipsec_t
*this,
1281 struct sadb_msg
* msg
)
1283 pfkey_msg_t response
;
1284 uint32_t index
, reqid
= 0;
1285 traffic_selector_t
*src_ts
, *dst_ts
;
1286 policy_entry_t
*policy
;
1289 switch (msg
->sadb_msg_satype
)
1291 case SADB_SATYPE_UNSPEC
:
1292 case SADB_SATYPE_ESP
:
1293 case SADB_SATYPE_AH
:
1296 /* acquire for AH/ESP only */
1299 DBG2(DBG_KNL
, "received an SADB_ACQUIRE");
1301 if (parse_pfkey_message(msg
, &response
) != SUCCESS
)
1303 DBG1(DBG_KNL
, "parsing SADB_ACQUIRE from kernel failed");
1309 reqid
= response
.x_sa2
->sadb_x_sa2_reqid
;
1313 index
= response
.x_policy
->sadb_x_policy_id
;
1314 this->mutex
->lock(this->mutex
);
1315 if (this->policies
->find_first(this->policies
, policy_entry_match_byindex
,
1316 (void**)&policy
, index
) &&
1317 policy
->used_by
->get_first(policy
->used_by
, (void**)&sa
) == SUCCESS
)
1319 reqid
= sa
->sa
->cfg
.reqid
;
1323 DBG1(DBG_KNL
, "received an SADB_ACQUIRE with policy id %d but no "
1324 "matching policy found", index
);
1326 this->mutex
->unlock(this->mutex
);
1329 src_ts
= sadb_address2ts(response
.src
);
1330 dst_ts
= sadb_address2ts(response
.dst
);
1332 charon
->kernel
->acquire(charon
->kernel
, reqid
, src_ts
, dst_ts
);
1336 * Process a SADB_EXPIRE message from the kernel
1338 static void process_expire(private_kernel_pfkey_ipsec_t
*this,
1339 struct sadb_msg
* msg
)
1341 pfkey_msg_t response
;
1347 DBG2(DBG_KNL
, "received an SADB_EXPIRE");
1349 if (parse_pfkey_message(msg
, &response
) != SUCCESS
)
1351 DBG1(DBG_KNL
, "parsing SADB_EXPIRE from kernel failed");
1355 protocol
= satype2proto(msg
->sadb_msg_satype
);
1356 spi
= response
.sa
->sadb_sa_spi
;
1357 hard
= response
.lft_hard
!= NULL
;
1359 if (protocol
== IPPROTO_ESP
|| protocol
== IPPROTO_AH
)
1361 dst
= host_create_from_sockaddr((sockaddr_t
*)(response
.dst
+ 1));
1364 charon
->kernel
->expire(charon
->kernel
, protocol
, spi
, dst
, hard
);
1370 #ifdef SADB_X_MIGRATE
1372 * Process a SADB_X_MIGRATE message from the kernel
1374 static void process_migrate(private_kernel_pfkey_ipsec_t
*this,
1375 struct sadb_msg
* msg
)
1377 pfkey_msg_t response
;
1378 traffic_selector_t
*src_ts
, *dst_ts
;
1381 host_t
*local
= NULL
, *remote
= NULL
;
1383 DBG2(DBG_KNL
, "received an SADB_X_MIGRATE");
1385 if (parse_pfkey_message(msg
, &response
) != SUCCESS
)
1387 DBG1(DBG_KNL
, "parsing SADB_X_MIGRATE from kernel failed");
1390 src_ts
= sadb_address2ts(response
.src
);
1391 dst_ts
= sadb_address2ts(response
.dst
);
1392 dir
= kernel2dir(response
.x_policy
->sadb_x_policy_dir
);
1393 DBG2(DBG_KNL
, " policy %R === %R %N, id %u", src_ts
, dst_ts
,
1394 policy_dir_names
, dir
);
1396 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
1397 if (response
.x_kmaddress
)
1399 sockaddr_t
*local_addr
, *remote_addr
;
1402 local_addr
= (sockaddr_t
*)&response
.x_kmaddress
[1];
1403 local
= host_create_from_sockaddr(local_addr
);
1404 local_len
= (local_addr
->sa_family
== AF_INET6
)?
1405 sizeof(struct sockaddr_in6
) : sizeof(struct sockaddr_in
);
1406 remote_addr
= (sockaddr_t
*)((uint8_t*)local_addr
+ local_len
);
1407 remote
= host_create_from_sockaddr(remote_addr
);
1408 DBG2(DBG_KNL
, " kmaddress: %H...%H", local
, remote
);
1411 if (src_ts
&& dst_ts
&& local
&& remote
)
1413 charon
->kernel
->migrate(charon
->kernel
, reqid
, src_ts
, dst_ts
, dir
,
1424 #endif /*SADB_X_MIGRATE*/
1426 #ifdef SADB_X_NAT_T_NEW_MAPPING
1428 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1430 static void process_mapping(private_kernel_pfkey_ipsec_t
*this,
1431 struct sadb_msg
* msg
)
1433 pfkey_msg_t response
;
1438 DBG2(DBG_KNL
, "received an SADB_X_NAT_T_NEW_MAPPING");
1440 if (parse_pfkey_message(msg
, &response
) != SUCCESS
)
1442 DBG1(DBG_KNL
, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1446 if (!response
.x_sa2
)
1448 DBG1(DBG_KNL
, "received SADB_X_NAT_T_NEW_MAPPING is missing required "
1453 spi
= response
.sa
->sadb_sa_spi
;
1455 if (satype2proto(msg
->sadb_msg_satype
) != IPPROTO_ESP
)
1460 sa
= (sockaddr_t
*)(response
.dst
+ 1);
1461 dst
= host_create_from_sockaddr(sa
);
1462 switch (sa
->sa_family
)
1466 struct sockaddr_in
*sin
= (struct sockaddr_in
*)sa
;
1467 sin
->sin_port
= htons(response
.x_natt_dport
->sadb_x_nat_t_port_port
);
1472 struct sockaddr_in6
*sin6
= (struct sockaddr_in6
*)sa
;
1473 sin6
->sin6_port
= htons(response
.x_natt_dport
->sadb_x_nat_t_port_port
);
1481 new = host_create_from_sockaddr(sa
);
1484 charon
->kernel
->mapping(charon
->kernel
, IPPROTO_ESP
, spi
, dst
, new);
1490 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1493 * Receives events from kernel
1495 static bool receive_events(private_kernel_pfkey_ipsec_t
*this, int fd
,
1496 watcher_event_t event
)
1498 unsigned char buf
[PFKEY_BUFFER_SIZE
];
1499 struct sadb_msg
*msg
= (struct sadb_msg
*)buf
;
1502 len
= recvfrom(this->socket_events
, buf
, sizeof(buf
), MSG_DONTWAIT
, NULL
, 0);
1508 /* interrupted, try again */
1511 /* no data ready, select again */
1514 DBG1(DBG_KNL
, "unable to receive from PF_KEY event socket");
1520 if (len
< sizeof(struct sadb_msg
) ||
1521 msg
->sadb_msg_len
< PFKEY_LEN(sizeof(struct sadb_msg
)))
1523 DBG2(DBG_KNL
, "received corrupted PF_KEY message");
1526 if (msg
->sadb_msg_pid
!= 0)
1527 { /* not from kernel. not interested, try another one */
1530 if (msg
->sadb_msg_len
> len
/ PFKEY_ALIGNMENT
)
1532 DBG1(DBG_KNL
, "buffer was too small to receive the complete "
1537 switch (msg
->sadb_msg_type
)
1540 process_acquire(this, msg
);
1543 process_expire(this, msg
);
1545 #ifdef SADB_X_MIGRATE
1546 case SADB_X_MIGRATE
:
1547 process_migrate(this, msg
);
1549 #endif /*SADB_X_MIGRATE*/
1550 #ifdef SADB_X_NAT_T_NEW_MAPPING
1551 case SADB_X_NAT_T_NEW_MAPPING
:
1552 process_mapping(this, msg
);
1554 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1563 * Get an SPI for a specific protocol from the kernel.
1566 static status_t
get_spi_internal(private_kernel_pfkey_ipsec_t
*this,
1567 host_t
*src
, host_t
*dst
, uint8_t proto
, uint32_t min
, uint32_t max
,
1570 unsigned char request
[PFKEY_BUFFER_SIZE
];
1571 struct sadb_msg
*msg
, *out
;
1572 struct sadb_spirange
*range
;
1573 pfkey_msg_t response
;
1574 uint32_t received_spi
= 0;
1577 memset(&request
, 0, sizeof(request
));
1579 msg
= (struct sadb_msg
*)request
;
1580 msg
->sadb_msg_version
= PF_KEY_V2
;
1581 msg
->sadb_msg_type
= SADB_GETSPI
;
1582 msg
->sadb_msg_satype
= proto2satype(proto
);
1583 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1585 add_addr_ext(msg
, src
, SADB_EXT_ADDRESS_SRC
, 0, 0, FALSE
);
1586 add_addr_ext(msg
, dst
, SADB_EXT_ADDRESS_DST
, 0, 0, FALSE
);
1588 range
= (struct sadb_spirange
*)PFKEY_EXT_ADD_NEXT(msg
);
1589 range
->sadb_spirange_exttype
= SADB_EXT_SPIRANGE
;
1590 range
->sadb_spirange_len
= PFKEY_LEN(sizeof(struct sadb_spirange
));
1591 range
->sadb_spirange_min
= min
;
1592 range
->sadb_spirange_max
= max
;
1593 PFKEY_EXT_ADD(msg
, range
);
1595 if (pfkey_send(this, msg
, &out
, &len
) == SUCCESS
)
1597 if (out
->sadb_msg_errno
)
1599 DBG1(DBG_KNL
, "allocating SPI failed: %s (%d)",
1600 strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
1602 else if (parse_pfkey_message(out
, &response
) == SUCCESS
)
1604 received_spi
= response
.sa
->sadb_sa_spi
;
1609 if (received_spi
== 0)
1614 *spi
= received_spi
;
1618 METHOD(kernel_ipsec_t
, get_spi
, status_t
,
1619 private_kernel_pfkey_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1620 uint8_t protocol
, uint32_t *spi
)
1622 uint32_t spi_min
, spi_max
;
1624 spi_min
= lib
->settings
->get_int(lib
->settings
, "%s.spi_min",
1625 KERNEL_SPI_MIN
, lib
->ns
);
1626 spi_max
= lib
->settings
->get_int(lib
->settings
, "%s.spi_max",
1627 KERNEL_SPI_MAX
, lib
->ns
);
1629 if (get_spi_internal(this, src
, dst
, protocol
, min(spi_min
, spi_max
),
1630 max(spi_min
, spi_max
), spi
) != SUCCESS
)
1632 DBG1(DBG_KNL
, "unable to get SPI");
1636 DBG2(DBG_KNL
, "got SPI %.8x", ntohl(*spi
));
1640 METHOD(kernel_ipsec_t
, get_cpi
, status_t
,
1641 private_kernel_pfkey_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1644 uint32_t received_spi
= 0;
1646 DBG2(DBG_KNL
, "getting CPI");
1648 if (get_spi_internal(this, src
, dst
, IPPROTO_COMP
,
1649 0x100, 0xEFFF, &received_spi
) != SUCCESS
)
1651 DBG1(DBG_KNL
, "unable to get CPI");
1655 *cpi
= htons((uint16_t)ntohl(received_spi
));
1657 DBG2(DBG_KNL
, "got CPI %.4x", ntohs(*cpi
));
1661 METHOD(kernel_ipsec_t
, add_sa
, status_t
,
1662 private_kernel_pfkey_ipsec_t
*this, kernel_ipsec_sa_id_t
*id
,
1663 kernel_ipsec_add_sa_t
*data
)
1665 unsigned char request
[PFKEY_BUFFER_SIZE
];
1666 struct sadb_msg
*msg
, *out
;
1668 struct sadb_x_sa2
*sa2
;
1669 struct sadb_lifetime
*lft
;
1670 struct sadb_key
*key
;
1672 uint16_t ipcomp
= data
->ipcomp
;
1673 ipsec_mode_t mode
= data
->mode
;
1675 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
1676 * we are in the recursive call below */
1677 if (ipcomp
!= IPCOMP_NONE
&& data
->cpi
!= 0)
1679 lifetime_cfg_t lft
= {{0,0,0},{0,0,0},{0,0,0}};
1680 kernel_ipsec_sa_id_t ipcomp_id
= {
1683 .spi
= htonl(ntohs(data
->cpi
)),
1684 .proto
= IPPROTO_COMP
,
1687 kernel_ipsec_add_sa_t ipcomp_sa
= {
1688 .reqid
= data
->reqid
,
1690 .src_ts
= data
->src_ts
,
1691 .dst_ts
= data
->dst_ts
,
1693 .enc_alg
= ENCR_UNDEFINED
,
1694 .int_alg
= AUTH_UNDEFINED
,
1696 .ipcomp
= data
->ipcomp
,
1697 .initiator
= data
->initiator
,
1698 .inbound
= data
->inbound
,
1699 .update
= data
->update
,
1701 add_sa(this, &ipcomp_id
, &ipcomp_sa
);
1702 ipcomp
= IPCOMP_NONE
;
1703 /* use transport mode ESP SA, IPComp uses tunnel mode */
1704 mode
= MODE_TRANSPORT
;
1709 /* As we didn't know the reqid during SPI allocation, we used reqid
1710 * zero. Unfortunately we can't SADB_UPDATE to the new reqid, hence we
1711 * have to delete the SPI allocation state manually. The reqid
1712 * selector does not count for that, therefore we have to delete
1713 * that state before installing the new SA to avoid deleting the
1714 * the new state after installing it. */
1715 kernel_ipsec_sa_id_t del_id
= {
1721 kernel_ipsec_del_sa_t del
= { 0 };
1723 if (this->public.interface
.del_sa(&this->public.interface
, &del_id
,
1726 DBG1(DBG_KNL
, "deleting SPI allocation SA failed");
1730 memset(&request
, 0, sizeof(request
));
1732 DBG2(DBG_KNL
, "adding SAD entry with SPI %.8x and reqid {%u}",
1733 ntohl(id
->spi
), data
->reqid
);
1735 msg
= (struct sadb_msg
*)request
;
1736 msg
->sadb_msg_version
= PF_KEY_V2
;
1737 msg
->sadb_msg_type
= SADB_ADD
;
1738 msg
->sadb_msg_satype
= proto2satype(id
->proto
);
1739 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1744 struct sadb_sa_2
*sa_2
;
1745 sa_2
= (struct sadb_sa_2
*)PFKEY_EXT_ADD_NEXT(msg
);
1746 sa_2
->sadb_sa_natt_port
= id
->dst
->get_port(id
->dst
);
1748 sa
->sadb_sa_flags
|= SADB_X_EXT_NATT
;
1749 len
= sizeof(struct sadb_sa_2
);
1754 sa
= (struct sadb_sa
*)PFKEY_EXT_ADD_NEXT(msg
);
1755 len
= sizeof(struct sadb_sa
);
1757 sa
->sadb_sa_exttype
= SADB_EXT_SA
;
1758 sa
->sadb_sa_len
= PFKEY_LEN(len
);
1759 sa
->sadb_sa_spi
= id
->spi
;
1760 sa
->sadb_sa_state
= SADB_SASTATE_MATURE
;
1761 if (id
->proto
== IPPROTO_COMP
)
1763 sa
->sadb_sa_encrypt
= lookup_algorithm(COMPRESSION_ALGORITHM
,
1768 /* Linux interprets sadb_sa_replay as number of packets/bits in the
1769 * replay window, whereas on BSD it's the size of the window in bytes.
1770 * Only set for the inbound SA as it's not relevant for the outbound
1771 * SA and might waste memory with large windows. */
1775 sa
->sadb_sa_replay
= min(data
->replay_window
, 32);
1777 sa
->sadb_sa_replay
= min((data
->replay_window
+ 7) / 8, UINT8_MAX
);
1782 #ifdef SADB_X_SAFLAGS_ESN
1783 DBG2(DBG_KNL
, " using extended sequence numbers (ESN)");
1784 sa
->sadb_sa_flags
|= SADB_X_SAFLAGS_ESN
;
1786 DBG1(DBG_KNL
, "extended sequence numbers (ESN) not supported by "
1791 sa
->sadb_sa_auth
= lookup_algorithm(INTEGRITY_ALGORITHM
, data
->int_alg
);
1792 sa
->sadb_sa_encrypt
= lookup_algorithm(ENCRYPTION_ALGORITHM
,
1795 PFKEY_EXT_ADD(msg
, sa
);
1797 #ifdef SADB_X_EXT_SA_REPLAY
1800 struct sadb_x_sa_replay
*repl
;
1802 repl
= (struct sadb_x_sa_replay
*)PFKEY_EXT_ADD_NEXT(msg
);
1803 repl
->sadb_x_sa_replay_exttype
= SADB_X_EXT_SA_REPLAY
;
1804 repl
->sadb_x_sa_replay_len
= PFKEY_LEN(sizeof(struct sadb_x_sa_replay
));
1805 repl
->sadb_x_sa_replay_replay
= min(data
->replay_window
, UINT32_MAX
-32);
1806 PFKEY_EXT_ADD(msg
, repl
);
1810 sa2
= (struct sadb_x_sa2
*)PFKEY_EXT_ADD_NEXT(msg
);
1811 sa2
->sadb_x_sa2_exttype
= SADB_X_EXT_SA2
;
1812 sa2
->sadb_x_sa2_len
= PFKEY_LEN(sizeof(struct sadb_spirange
));
1813 sa2
->sadb_x_sa2_mode
= mode2kernel(mode
);
1814 sa2
->sadb_x_sa2_reqid
= data
->reqid
;
1815 PFKEY_EXT_ADD(msg
, sa2
);
1817 add_addr_ext(msg
, id
->src
, SADB_EXT_ADDRESS_SRC
, 0, 0, FALSE
);
1818 add_addr_ext(msg
, id
->dst
, SADB_EXT_ADDRESS_DST
, 0, 0, FALSE
);
1820 lft
= (struct sadb_lifetime
*)PFKEY_EXT_ADD_NEXT(msg
);
1821 lft
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_SOFT
;
1822 lft
->sadb_lifetime_len
= PFKEY_LEN(sizeof(struct sadb_lifetime
));
1823 lft
->sadb_lifetime_allocations
= data
->lifetime
->packets
.rekey
;
1824 lft
->sadb_lifetime_bytes
= data
->lifetime
->bytes
.rekey
;
1825 lft
->sadb_lifetime_addtime
= data
->lifetime
->time
.rekey
;
1826 lft
->sadb_lifetime_usetime
= 0; /* we only use addtime */
1827 PFKEY_EXT_ADD(msg
, lft
);
1829 lft
= (struct sadb_lifetime
*)PFKEY_EXT_ADD_NEXT(msg
);
1830 lft
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_HARD
;
1831 lft
->sadb_lifetime_len
= PFKEY_LEN(sizeof(struct sadb_lifetime
));
1832 lft
->sadb_lifetime_allocations
= data
->lifetime
->packets
.life
;
1833 lft
->sadb_lifetime_bytes
= data
->lifetime
->bytes
.life
;
1834 lft
->sadb_lifetime_addtime
= data
->lifetime
->time
.life
;
1835 lft
->sadb_lifetime_usetime
= 0; /* we only use addtime */
1836 PFKEY_EXT_ADD(msg
, lft
);
1838 if (data
->enc_alg
!= ENCR_UNDEFINED
)
1840 if (!sa
->sadb_sa_encrypt
)
1842 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1843 encryption_algorithm_names
, data
->enc_alg
);
1846 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
1847 encryption_algorithm_names
, data
->enc_alg
, data
->enc_key
.len
* 8);
1849 key
= (struct sadb_key
*)PFKEY_EXT_ADD_NEXT(msg
);
1850 key
->sadb_key_exttype
= SADB_EXT_KEY_ENCRYPT
;
1851 key
->sadb_key_bits
= data
->enc_key
.len
* 8;
1852 key
->sadb_key_len
= PFKEY_LEN(sizeof(struct sadb_key
) + data
->enc_key
.len
);
1853 memcpy(key
+ 1, data
->enc_key
.ptr
, data
->enc_key
.len
);
1855 PFKEY_EXT_ADD(msg
, key
);
1858 if (data
->int_alg
!= AUTH_UNDEFINED
)
1860 if (!sa
->sadb_sa_auth
)
1862 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1863 integrity_algorithm_names
, data
->int_alg
);
1866 DBG2(DBG_KNL
, " using integrity algorithm %N with key size %d",
1867 integrity_algorithm_names
, data
->int_alg
, data
->int_key
.len
* 8);
1869 key
= (struct sadb_key
*)PFKEY_EXT_ADD_NEXT(msg
);
1870 key
->sadb_key_exttype
= SADB_EXT_KEY_AUTH
;
1871 key
->sadb_key_bits
= data
->int_key
.len
* 8;
1872 key
->sadb_key_len
= PFKEY_LEN(sizeof(struct sadb_key
) + data
->int_key
.len
);
1873 memcpy(key
+ 1, data
->int_key
.ptr
, data
->int_key
.len
);
1875 PFKEY_EXT_ADD(msg
, key
);
1881 add_encap_ext(msg
, id
->src
, id
->dst
);
1883 #endif /*HAVE_NATT*/
1885 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
1887 DBG1(DBG_KNL
, "unable to add SAD entry with SPI %.8x",
1891 else if (out
->sadb_msg_errno
)
1893 DBG1(DBG_KNL
, "unable to add SAD entry with SPI %.8x: %s (%d)",
1894 ntohl(id
->spi
), strerror(out
->sadb_msg_errno
),
1895 out
->sadb_msg_errno
);
1904 METHOD(kernel_ipsec_t
, update_sa
, status_t
,
1905 private_kernel_pfkey_ipsec_t
*this, kernel_ipsec_sa_id_t
*id
,
1906 kernel_ipsec_update_sa_t
*data
)
1908 unsigned char request
[PFKEY_BUFFER_SIZE
];
1909 struct sadb_msg
*msg
, *out
;
1911 pfkey_msg_t response
;
1914 #ifndef SADB_X_EXT_NEW_ADDRESS_SRC
1915 /* we can't update the SA if any of the ip addresses have changed.
1916 * that's because we can't use SADB_UPDATE and by deleting and readding the
1917 * SA the sequence numbers would get lost */
1918 if (!id
->src
->ip_equals(id
->src
, data
->new_src
) ||
1919 !id
->dst
->ip_equals(id
->dst
, data
->new_dst
))
1921 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x: address "
1922 "changes are not supported", ntohl(id
->spi
));
1923 return NOT_SUPPORTED
;
1925 #endif /*SADB_X_EXT_NEW_ADDRESS_SRC*/
1927 /* if IPComp is used, we first update the IPComp SA */
1930 kernel_ipsec_sa_id_t ipcomp_id
= {
1933 .spi
= htonl(ntohs(data
->cpi
)),
1934 .proto
= IPPROTO_COMP
,
1937 kernel_ipsec_update_sa_t ipcomp
= {
1938 .new_src
= data
->new_src
,
1939 .new_dst
= data
->new_dst
,
1941 update_sa(this, &ipcomp_id
, &ipcomp
);
1944 memset(&request
, 0, sizeof(request
));
1946 DBG2(DBG_KNL
, "querying SAD entry with SPI %.8x for update",
1949 msg
= (struct sadb_msg
*)request
;
1950 msg
->sadb_msg_version
= PF_KEY_V2
;
1951 msg
->sadb_msg_type
= SADB_GET
;
1952 msg
->sadb_msg_satype
= proto2satype(id
->proto
);
1953 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1955 sa
= (struct sadb_sa
*)PFKEY_EXT_ADD_NEXT(msg
);
1956 sa
->sadb_sa_exttype
= SADB_EXT_SA
;
1957 sa
->sadb_sa_len
= PFKEY_LEN(sizeof(struct sadb_sa
));
1958 sa
->sadb_sa_spi
= id
->spi
;
1959 sa
->sadb_sa_state
= SADB_SASTATE_MATURE
;
1960 PFKEY_EXT_ADD(msg
, sa
);
1962 add_addr_ext(msg
, id
->src
, SADB_EXT_ADDRESS_SRC
, 0, 0, FALSE
);
1963 add_addr_ext(msg
, id
->dst
, SADB_EXT_ADDRESS_DST
, 0, 0, FALSE
);
1965 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
1967 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x",
1971 else if (out
->sadb_msg_errno
)
1973 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x: %s (%d)",
1974 ntohl(id
->spi
), strerror(out
->sadb_msg_errno
),
1975 out
->sadb_msg_errno
);
1979 else if (parse_pfkey_message(out
, &response
) != SUCCESS
)
1981 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x: parsing "
1982 "response from kernel failed", ntohl(id
->spi
));
1987 DBG2(DBG_KNL
, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1988 ntohl(id
->spi
), id
->src
, id
->dst
, data
->new_src
, data
->new_dst
);
1990 memset(&request
, 0, sizeof(request
));
1992 msg
= (struct sadb_msg
*)request
;
1993 msg
->sadb_msg_version
= PF_KEY_V2
;
1994 msg
->sadb_msg_type
= SADB_UPDATE
;
1995 msg
->sadb_msg_satype
= proto2satype(id
->proto
);
1996 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
2000 struct sadb_sa_2
*sa_2
;
2001 sa_2
= (struct sadb_sa_2
*)PFKEY_EXT_ADD_NEXT(msg
);
2002 sa_2
->sa
.sadb_sa_len
= PFKEY_LEN(sizeof(struct sadb_sa_2
));
2003 memcpy(&sa_2
->sa
, response
.sa
, sizeof(struct sadb_sa
));
2004 if (data
->new_encap
)
2006 sa_2
->sadb_sa_natt_port
= data
->new_dst
->get_port(data
->new_dst
);
2007 sa_2
->sa
.sadb_sa_flags
|= SADB_X_EXT_NATT
;
2011 PFKEY_EXT_COPY(msg
, response
.sa
);
2013 PFKEY_EXT_COPY(msg
, response
.x_sa2
);
2015 PFKEY_EXT_COPY(msg
, response
.src
);
2016 PFKEY_EXT_COPY(msg
, response
.dst
);
2018 PFKEY_EXT_COPY(msg
, response
.lft_soft
);
2019 PFKEY_EXT_COPY(msg
, response
.lft_hard
);
2022 /* FreeBSD 11.1 does not allow key updates via SADB_UPDATE for mature SAs */
2023 if (response
.key_encr
)
2025 PFKEY_EXT_COPY(msg
, response
.key_encr
);
2028 if (response
.key_auth
)
2030 PFKEY_EXT_COPY(msg
, response
.key_auth
);
2035 if (data
->new_encap
)
2037 add_encap_ext(msg
, data
->new_src
, data
->new_dst
);
2039 #endif /*HAVE_NATT*/
2041 #ifdef SADB_X_EXT_NEW_ADDRESS_SRC
2042 if (!id
->src
->ip_equals(id
->src
, data
->new_src
))
2044 add_addr_ext(msg
, data
->new_src
, SADB_X_EXT_NEW_ADDRESS_SRC
, 0, 0,
2047 if (!id
->dst
->ip_equals(id
->dst
, data
->new_dst
))
2049 add_addr_ext(msg
, data
->new_dst
, SADB_X_EXT_NEW_ADDRESS_DST
, 0, 0,
2052 #endif /*SADB_X_EXT_NEW_ADDRESS_SRC*/
2056 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
2058 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x",
2062 else if (out
->sadb_msg_errno
)
2064 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x: %s (%d)",
2065 ntohl(id
->spi
), strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
2074 METHOD(kernel_ipsec_t
, query_sa
, status_t
,
2075 private_kernel_pfkey_ipsec_t
*this, kernel_ipsec_sa_id_t
*id
,
2076 kernel_ipsec_query_sa_t
*data
, uint64_t *bytes
, uint64_t *packets
,
2079 unsigned char request
[PFKEY_BUFFER_SIZE
];
2080 struct sadb_msg
*msg
, *out
;
2082 pfkey_msg_t response
;
2085 memset(&request
, 0, sizeof(request
));
2087 DBG2(DBG_KNL
, "querying SAD entry with SPI %.8x", ntohl(id
->spi
));
2089 msg
= (struct sadb_msg
*)request
;
2090 msg
->sadb_msg_version
= PF_KEY_V2
;
2091 msg
->sadb_msg_type
= SADB_GET
;
2092 msg
->sadb_msg_satype
= proto2satype(id
->proto
);
2093 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
2095 sa
= (struct sadb_sa
*)PFKEY_EXT_ADD_NEXT(msg
);
2096 sa
->sadb_sa_exttype
= SADB_EXT_SA
;
2097 sa
->sadb_sa_len
= PFKEY_LEN(sizeof(struct sadb_sa
));
2098 sa
->sadb_sa_spi
= id
->spi
;
2099 PFKEY_EXT_ADD(msg
, sa
);
2101 /* the Linux Kernel doesn't care for the src address, but other systems do
2104 add_addr_ext(msg
, id
->src
, SADB_EXT_ADDRESS_SRC
, 0, 0, FALSE
);
2105 add_addr_ext(msg
, id
->dst
, SADB_EXT_ADDRESS_DST
, 0, 0, FALSE
);
2107 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
2109 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x",
2113 else if (out
->sadb_msg_errno
)
2115 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x: %s (%d)",
2116 ntohl(id
->spi
), strerror(out
->sadb_msg_errno
),
2117 out
->sadb_msg_errno
);
2121 else if (parse_pfkey_message(out
, &response
) != SUCCESS
)
2123 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x",
2130 *bytes
= response
.lft_current
->sadb_lifetime_bytes
;
2134 /* at least on Linux and FreeBSD this contains the number of packets */
2135 *packets
= response
.lft_current
->sadb_lifetime_allocations
;
2140 /* OS X uses the "last" time of use in usetime */
2141 *time
= response
.lft_current
->sadb_lifetime_usetime
;
2142 #else /* !__APPLE__ */
2143 /* on Linux, sadb_lifetime_usetime is set to the "first" time of use,
2144 * which is actually correct according to PF_KEY. We have to query
2145 * policies for the last usetime. */
2147 #endif /* !__APPLE__ */
2154 METHOD(kernel_ipsec_t
, del_sa
, status_t
,
2155 private_kernel_pfkey_ipsec_t
*this, kernel_ipsec_sa_id_t
*id
,
2156 kernel_ipsec_del_sa_t
*data
)
2158 unsigned char request
[PFKEY_BUFFER_SIZE
];
2159 struct sadb_msg
*msg
, *out
;
2163 /* if IPComp was used, we first delete the additional IPComp SA */
2166 kernel_ipsec_sa_id_t ipcomp_id
= {
2169 .spi
= htonl(ntohs(data
->cpi
)),
2170 .proto
= IPPROTO_COMP
,
2173 kernel_ipsec_del_sa_t ipcomp
= { 0 };
2174 del_sa(this, &ipcomp_id
, &ipcomp
);
2177 memset(&request
, 0, sizeof(request
));
2179 DBG2(DBG_KNL
, "deleting SAD entry with SPI %.8x", ntohl(id
->spi
));
2181 msg
= (struct sadb_msg
*)request
;
2182 msg
->sadb_msg_version
= PF_KEY_V2
;
2183 msg
->sadb_msg_type
= SADB_DELETE
;
2184 msg
->sadb_msg_satype
= proto2satype(id
->proto
);
2185 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
2187 sa
= (struct sadb_sa
*)PFKEY_EXT_ADD_NEXT(msg
);
2188 sa
->sadb_sa_exttype
= SADB_EXT_SA
;
2189 sa
->sadb_sa_len
= PFKEY_LEN(sizeof(struct sadb_sa
));
2190 sa
->sadb_sa_spi
= id
->spi
;
2191 PFKEY_EXT_ADD(msg
, sa
);
2193 /* the Linux Kernel doesn't care for the src address, but other systems do
2196 add_addr_ext(msg
, id
->src
, SADB_EXT_ADDRESS_SRC
, 0, 0, FALSE
);
2197 add_addr_ext(msg
, id
->dst
, SADB_EXT_ADDRESS_DST
, 0, 0, FALSE
);
2199 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
2201 DBG1(DBG_KNL
, "unable to delete SAD entry with SPI %.8x",
2205 else if (out
->sadb_msg_errno
)
2207 DBG1(DBG_KNL
, "unable to delete SAD entry with SPI %.8x: %s (%d)",
2208 ntohl(id
->spi
), strerror(out
->sadb_msg_errno
),
2209 out
->sadb_msg_errno
);
2214 DBG2(DBG_KNL
, "deleted SAD entry with SPI %.8x", ntohl(id
->spi
));
2219 METHOD(kernel_ipsec_t
, flush_sas
, status_t
,
2220 private_kernel_pfkey_ipsec_t
*this)
2222 unsigned char request
[PFKEY_BUFFER_SIZE
];
2223 struct sadb_msg
*msg
, *out
;
2228 { SADB_SATYPE_AH
, "AH" },
2229 { SADB_SATYPE_ESP
, "ESP" },
2230 { SADB_X_SATYPE_IPCOMP
, "IPComp" },
2235 memset(&request
, 0, sizeof(request
));
2237 msg
= (struct sadb_msg
*)request
;
2238 msg
->sadb_msg_version
= PF_KEY_V2
;
2239 msg
->sadb_msg_type
= SADB_FLUSH
;
2240 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
2242 for (i
= 0; i
< countof(protos
); i
++)
2244 DBG2(DBG_KNL
, "flushing all %s SAD entries", protos
[i
].name
);
2246 msg
->sadb_msg_satype
= protos
[i
].proto
;
2247 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
2249 DBG1(DBG_KNL
, "unable to flush %s SAD entries", protos
[i
].name
);
2252 else if (out
->sadb_msg_errno
)
2254 DBG1(DBG_KNL
, "unable to flush %s SAD entries: %s (%d)",
2255 protos
[i
].name
, strerror(out
->sadb_msg_errno
),
2256 out
->sadb_msg_errno
);
2266 * Add an explicit exclude route to a routing entry
2268 static void add_exclude_route(private_kernel_pfkey_ipsec_t
*this,
2269 route_entry_t
*route
, host_t
*src
, host_t
*dst
)
2271 enumerator_t
*enumerator
;
2272 exclude_route_t
*exclude
;
2275 enumerator
= this->excludes
->create_enumerator(this->excludes
);
2276 while (enumerator
->enumerate(enumerator
, &exclude
))
2278 if (dst
->ip_equals(dst
, exclude
->dst
))
2280 route
->exclude
= exclude
;
2284 enumerator
->destroy(enumerator
);
2286 if (!route
->exclude
)
2288 DBG2(DBG_KNL
, "installing new exclude route for %H src %H", dst
, src
);
2289 gtw
= charon
->kernel
->get_nexthop(charon
->kernel
, dst
, -1, NULL
, NULL
);
2292 char *if_name
= NULL
;
2294 if (charon
->kernel
->get_interface(charon
->kernel
, src
, &if_name
) &&
2295 charon
->kernel
->add_route(charon
->kernel
,
2296 dst
->get_address(dst
),
2297 dst
->get_family(dst
) == AF_INET ?
32 : 128,
2298 gtw
, src
, if_name
) == SUCCESS
)
2301 .dst
= dst
->clone(dst
),
2302 .src
= src
->clone(src
),
2303 .gtw
= gtw
->clone(gtw
),
2306 route
->exclude
= exclude
;
2307 this->excludes
->insert_last(this->excludes
, exclude
);
2311 DBG1(DBG_KNL
, "installing exclude route for %H failed", dst
);
2318 DBG1(DBG_KNL
, "gateway lookup for for %H failed", dst
);
2324 * Remove an exclude route attached to a routing entry
2326 static void remove_exclude_route(private_kernel_pfkey_ipsec_t
*this,
2327 route_entry_t
*route
)
2331 enumerator_t
*enumerator
;
2332 exclude_route_t
*exclude
;
2333 bool removed
= FALSE
;
2336 enumerator
= this->excludes
->create_enumerator(this->excludes
);
2337 while (enumerator
->enumerate(enumerator
, &exclude
))
2339 if (route
->exclude
== exclude
)
2341 if (--exclude
->refs
== 0)
2343 this->excludes
->remove_at(this->excludes
, enumerator
);
2349 enumerator
->destroy(enumerator
);
2353 char *if_name
= NULL
;
2355 dst
= route
->exclude
->dst
;
2356 DBG2(DBG_KNL
, "uninstalling exclude route for %H src %H",
2357 dst
, route
->exclude
->src
);
2358 if (charon
->kernel
->get_interface(
2360 route
->exclude
->src
, &if_name
) &&
2361 charon
->kernel
->del_route(charon
->kernel
,
2362 dst
->get_address(dst
),
2363 dst
->get_family(dst
) == AF_INET ?
32 : 128,
2364 route
->exclude
->gtw
, route
->exclude
->src
,
2365 if_name
) != SUCCESS
)
2367 DBG1(DBG_KNL
, "uninstalling exclude route for %H failed", dst
);
2369 exclude_route_destroy(route
->exclude
);
2372 route
->exclude
= NULL
;
2377 * Try to install a route to the given outbound policy
2379 static bool install_route(private_kernel_pfkey_ipsec_t
*this,
2380 policy_entry_t
*policy
, policy_sa_out_t
*out
)
2382 route_entry_t
*route
, *old
;
2383 host_t
*host
, *src
, *dst
;
2386 if (charon
->kernel
->get_address_by_ts(charon
->kernel
, out
->src_ts
, &host
,
2387 &is_virtual
) != SUCCESS
)
2393 .prefixlen
= policy
->dst
.mask
,
2395 .dst_net
= chunk_clone(policy
->dst
.net
->get_address(policy
->dst
.net
)),
2398 src
= out
->generic
.sa
->src
;
2399 dst
= out
->generic
.sa
->dst
;
2401 if (!dst
->is_anyaddr(dst
))
2403 route
->gateway
= charon
->kernel
->get_nexthop(charon
->kernel
, dst
, -1,
2404 src
, &route
->if_name
);
2406 /* if the IP is virtual, we install the route over the interface it has
2407 * been installed on. Otherwise we use the interface we use for IKE, as
2408 * this is required for example on Linux. */
2409 if (is_virtual
|| this->route_via_internal
)
2411 free(route
->if_name
);
2412 route
->if_name
= NULL
;
2413 src
= route
->src_ip
;
2417 { /* for shunt policies */
2418 route
->gateway
= charon
->kernel
->get_nexthop(charon
->kernel
,
2419 policy
->dst
.net
, policy
->dst
.mask
,
2420 route
->src_ip
, &route
->if_name
);
2422 /* we don't have a source address, use the address we found */
2423 src
= route
->src_ip
;
2426 /* get interface for route, using source address */
2427 if (!route
->if_name
&&
2428 !charon
->kernel
->get_interface(charon
->kernel
, src
, &route
->if_name
))
2430 route_entry_destroy(route
);
2436 old
= policy
->route
;
2438 if (route_entry_equals(old
, route
))
2439 { /* such a route already exists */
2440 route_entry_destroy(route
);
2443 /* uninstall previously installed route */
2444 if (charon
->kernel
->del_route(charon
->kernel
, old
->dst_net
,
2445 old
->prefixlen
, old
->gateway
,
2446 old
->src_ip
, old
->if_name
) != SUCCESS
)
2448 DBG1(DBG_KNL
, "error uninstalling route installed with policy "
2449 "%R === %R %N", out
->src_ts
, out
->dst_ts
,
2450 policy_dir_names
, policy
->direction
);
2452 route_entry_destroy(old
);
2453 policy
->route
= NULL
;
2456 /* if remote traffic selector covers the IKE peer, add an exclude route */
2457 if (charon
->kernel
->get_features(charon
->kernel
) & KERNEL_REQUIRE_EXCLUDE_ROUTE
)
2459 if (out
->dst_ts
->is_host(out
->dst_ts
, dst
))
2461 DBG1(DBG_KNL
, "can't install route for %R === %R %N, conflicts "
2462 "with IKE traffic", out
->src_ts
, out
->dst_ts
, policy_dir_names
,
2464 route_entry_destroy(route
);
2467 if (out
->dst_ts
->includes(out
->dst_ts
, dst
))
2469 add_exclude_route(this, route
, out
->generic
.sa
->src
, dst
);
2473 DBG2(DBG_KNL
, "installing route: %R via %H src %H dev %s",
2474 out
->dst_ts
, route
->gateway
, route
->src_ip
, route
->if_name
);
2476 switch (charon
->kernel
->add_route(charon
->kernel
, route
->dst_net
,
2477 route
->prefixlen
, route
->gateway
,
2478 route
->src_ip
, route
->if_name
))
2481 /* route exists, do not uninstall */
2482 remove_exclude_route(this, route
);
2483 route_entry_destroy(route
);
2486 /* cache the installed route */
2487 policy
->route
= route
;
2490 DBG1(DBG_KNL
, "installing route failed: %R via %H src %H dev %s",
2491 out
->dst_ts
, route
->gateway
, route
->src_ip
, route
->if_name
);
2492 remove_exclude_route(this, route
);
2493 route_entry_destroy(route
);
2499 * Check if any significant data has changed to warrant sending an update to
2502 static bool policy_update_required(policy_sa_t
*current
, policy_sa_t
*updated
)
2504 if (current
->type
!= updated
->type
2505 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
2506 || current
->priority
!= updated
->priority
2512 if (current
->type
== POLICY_IPSEC
)
2514 ipsec_sa_cfg_t
*cur
= ¤t
->sa
->cfg
, *upd
= &updated
->sa
->cfg
;
2516 /* we don't use ipsec_sa_cfg_equals() here as e.g. SPIs are not
2517 * relevant for this kernel interface, so we don't have to update the
2518 * policy during a rekeying */
2519 if (cur
->mode
!= upd
->mode
||
2520 cur
->reqid
!= upd
->reqid
||
2521 cur
->esp
.use
!= upd
->esp
.use
||
2522 cur
->ah
.use
!= upd
->ah
.use
||
2523 cur
->ipcomp
.transform
!= upd
->ipcomp
.transform
)
2527 if (cur
->mode
== MODE_TUNNEL
&&
2528 (!current
->sa
->src
->ip_equals(current
->sa
->src
, updated
->sa
->src
) ||
2529 !current
->sa
->dst
->ip_equals(current
->sa
->dst
, updated
->sa
->dst
)))
2538 * Add or update a policy in the kernel.
2540 * Note: The mutex has to be locked when entering this function.
2542 static status_t
add_policy_internal(private_kernel_pfkey_ipsec_t
*this,
2543 policy_entry_t
*policy
, policy_sa_t
*mapping
, bool update
)
2545 unsigned char request
[PFKEY_BUFFER_SIZE
];
2546 struct sadb_msg
*msg
, *out
;
2547 struct sadb_x_policy
*pol
;
2548 struct sadb_x_ipsecrequest
*req
;
2549 ipsec_sa_t
*ipsec
= mapping
->sa
;
2550 pfkey_msg_t response
;
2552 ipsec_mode_t proto_mode
;
2555 memset(&request
, 0, sizeof(request
));
2557 msg
= (struct sadb_msg
*)request
;
2558 msg
->sadb_msg_version
= PF_KEY_V2
;
2559 msg
->sadb_msg_type
= update ? SADB_X_SPDUPDATE
: SADB_X_SPDADD
;
2560 msg
->sadb_msg_satype
= 0;
2561 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
2563 pol
= (struct sadb_x_policy
*)PFKEY_EXT_ADD_NEXT(msg
);
2564 pol
->sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
2565 pol
->sadb_x_policy_len
= PFKEY_LEN(sizeof(struct sadb_x_policy
));
2566 pol
->sadb_x_policy_id
= 0;
2567 pol
->sadb_x_policy_dir
= dir2kernel(policy
->direction
);
2568 pol
->sadb_x_policy_type
= type2kernel(mapping
->type
);
2569 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
2570 pol
->sadb_x_policy_priority
= mapping
->priority
;
2573 if (mapping
->type
== POLICY_IPSEC
&& ipsec
->cfg
.reqid
)
2575 /* one or more sadb_x_ipsecrequest extensions are added to the
2576 * sadb_x_policy extension */
2577 proto_mode
= ipsec
->cfg
.mode
;
2579 req
= (struct sadb_x_ipsecrequest
*)(pol
+ 1);
2581 if (ipsec
->cfg
.ipcomp
.transform
!= IPCOMP_NONE
)
2583 req
->sadb_x_ipsecrequest_proto
= IPPROTO_COMP
;
2585 /* !!! the length here MUST be in octets instead of 64 bit words */
2586 req
->sadb_x_ipsecrequest_len
= sizeof(struct sadb_x_ipsecrequest
);
2587 req
->sadb_x_ipsecrequest_mode
= mode2kernel(ipsec
->cfg
.mode
);
2588 req
->sadb_x_ipsecrequest_reqid
= ipsec
->cfg
.reqid
;
2589 req
->sadb_x_ipsecrequest_level
= (policy
->direction
== POLICY_OUT
) ?
2590 IPSEC_LEVEL_UNIQUE
: IPSEC_LEVEL_USE
;
2591 if (ipsec
->cfg
.mode
== MODE_TUNNEL
)
2593 len
= hostcpy(req
+ 1, ipsec
->src
, FALSE
);
2594 req
->sadb_x_ipsecrequest_len
+= len
;
2595 len
= hostcpy((char*)(req
+ 1) + len
, ipsec
->dst
, FALSE
);
2596 req
->sadb_x_ipsecrequest_len
+= len
;
2597 /* use transport mode for other SAs */
2598 proto_mode
= MODE_TRANSPORT
;
2601 pol
->sadb_x_policy_len
+= PFKEY_LEN(req
->sadb_x_ipsecrequest_len
);
2602 req
= (struct sadb_x_ipsecrequest
*)((char*)(req
) +
2603 req
->sadb_x_ipsecrequest_len
);
2606 req
->sadb_x_ipsecrequest_proto
= ipsec
->cfg
.esp
.use ? IPPROTO_ESP
2608 /* !!! the length here MUST be in octets instead of 64 bit words */
2609 req
->sadb_x_ipsecrequest_len
= sizeof(struct sadb_x_ipsecrequest
);
2610 req
->sadb_x_ipsecrequest_mode
= mode2kernel(proto_mode
);
2611 req
->sadb_x_ipsecrequest_reqid
= ipsec
->cfg
.reqid
;
2612 req
->sadb_x_ipsecrequest_level
= IPSEC_LEVEL_UNIQUE
;
2613 if (proto_mode
== MODE_TUNNEL
)
2615 len
= hostcpy(req
+ 1, ipsec
->src
, FALSE
);
2616 req
->sadb_x_ipsecrequest_len
+= len
;
2617 len
= hostcpy((char*)(req
+ 1) + len
, ipsec
->dst
, FALSE
);
2618 req
->sadb_x_ipsecrequest_len
+= len
;
2621 pol
->sadb_x_policy_len
+= PFKEY_LEN(req
->sadb_x_ipsecrequest_len
);
2623 PFKEY_EXT_ADD(msg
, pol
);
2625 add_addr_ext(msg
, policy
->src
.net
, SADB_EXT_ADDRESS_SRC
, policy
->src
.proto
,
2626 policy
->src
.mask
, TRUE
);
2627 add_addr_ext(msg
, policy
->dst
.net
, SADB_EXT_ADDRESS_DST
, policy
->dst
.proto
,
2628 policy
->dst
.mask
, TRUE
);
2631 { /* on FreeBSD a lifetime has to be defined to be able to later query
2632 * the current use time. */
2633 struct sadb_lifetime
*lft
;
2634 lft
= (struct sadb_lifetime
*)PFKEY_EXT_ADD_NEXT(msg
);
2635 lft
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_HARD
;
2636 lft
->sadb_lifetime_len
= PFKEY_LEN(sizeof(struct sadb_lifetime
));
2637 lft
->sadb_lifetime_addtime
= LONG_MAX
;
2638 PFKEY_EXT_ADD(msg
, lft
);
2642 this->mutex
->unlock(this->mutex
);
2644 status
= pfkey_send(this, msg
, &out
, &len
);
2645 if (status
== SUCCESS
&& !update
&& out
->sadb_msg_errno
== EEXIST
)
2647 DBG1(DBG_KNL
, "policy already exists, try to update it");
2649 msg
->sadb_msg_type
= SADB_X_SPDUPDATE
;
2650 status
= pfkey_send(this, msg
, &out
, &len
);
2652 if (status
!= SUCCESS
)
2656 else if (out
->sadb_msg_errno
)
2658 DBG1(DBG_KNL
, "unable to %s policy: %s (%d)",
2659 update ?
"update" : "add", strerror(out
->sadb_msg_errno
),
2660 out
->sadb_msg_errno
);
2664 else if (parse_pfkey_message(out
, &response
) != SUCCESS
)
2666 DBG1(DBG_KNL
, "unable to %s policy: parsing response from kernel "
2667 "failed", update ?
"update" : "add");
2672 /* we try to find the policy again and update the kernel index */
2673 this->mutex
->lock(this->mutex
);
2674 if (!this->policies
->find_first(this->policies
, NULL
, (void**)&policy
))
2676 DBG2(DBG_KNL
, "unable to update index, the policy is already gone, "
2678 this->mutex
->unlock(this->mutex
);
2682 policy
->index
= response
.x_policy
->sadb_x_policy_id
;
2685 /* install a route, if:
2686 * - this is an outbound policy (to just get one for each child)
2687 * - routing is not disabled via strongswan.conf
2688 * - the selector is not for a specific protocol/port
2689 * - we are in tunnel mode or install a bypass policy
2691 if (policy
->direction
== POLICY_OUT
&& this->install_routes
&&
2692 policy
->src
.proto
== IPSEC_PROTO_ANY
&&
2693 !policy
->src
.net
->get_port(policy
->src
.net
) &&
2694 !policy
->dst
.net
->get_port(policy
->dst
.net
))
2696 if (mapping
->type
== POLICY_PASS
||
2697 (mapping
->type
== POLICY_IPSEC
&& ipsec
->cfg
.mode
!= MODE_TRANSPORT
))
2699 install_route(this, policy
, (policy_sa_out_t
*)mapping
);
2702 this->mutex
->unlock(this->mutex
);
2706 METHOD(kernel_ipsec_t
, add_policy
, status_t
,
2707 private_kernel_pfkey_ipsec_t
*this, kernel_ipsec_policy_id_t
*id
,
2708 kernel_ipsec_manage_policy_t
*data
)
2710 policy_entry_t
*policy
, *found
= NULL
;
2711 policy_sa_t
*assigned_sa
, *current_sa
= NULL
;
2712 enumerator_t
*enumerator
;
2715 if (dir2kernel(id
->dir
) == IPSEC_DIR_INVALID
)
2716 { /* FWD policies are not supported on all platforms */
2720 /* create a policy */
2721 policy
= create_policy_entry(id
->src_ts
, id
->dst_ts
, id
->dir
);
2723 /* find a matching policy */
2724 this->mutex
->lock(this->mutex
);
2725 if (this->policies
->find_first(this->policies
, policy_entry_equals
,
2726 (void**)&found
, policy
))
2727 { /* use existing policy */
2728 DBG2(DBG_KNL
, "policy %R === %R %N already exists, increasing "
2729 "refcount", id
->src_ts
, id
->dst_ts
, policy_dir_names
, id
->dir
);
2730 policy_entry_destroy(policy
, this);
2734 { /* use the new one, if we have no such policy */
2735 this->policies
->insert_first(this->policies
, policy
);
2736 policy
->used_by
= linked_list_create();
2739 /* cache the assigned IPsec SA */
2740 assigned_sa
= policy_sa_create(this, id
->dir
, data
->type
, data
->src
,
2741 data
->dst
, id
->src_ts
, id
->dst_ts
, data
->sa
);
2742 assigned_sa
->auto_priority
= get_priority(policy
, data
->prio
);
2743 assigned_sa
->priority
= data
->manual_prio ? data
->manual_prio
:
2744 assigned_sa
->auto_priority
;
2747 /* insert the SA according to its priority */
2748 enumerator
= policy
->used_by
->create_enumerator(policy
->used_by
);
2749 while (enumerator
->enumerate(enumerator
, (void**)¤t_sa
))
2751 if (current_sa
->priority
> assigned_sa
->priority
)
2755 if (current_sa
->priority
== assigned_sa
->priority
)
2757 /* in case of equal manual prios order SAs by automatic priority */
2758 if (current_sa
->auto_priority
> assigned_sa
->auto_priority
)
2762 /* prefer SAs with a reqid over those without */
2763 if (current_sa
->auto_priority
== assigned_sa
->auto_priority
&&
2764 (!current_sa
->sa
->cfg
.reqid
|| assigned_sa
->sa
->cfg
.reqid
))
2771 policy
->used_by
->insert_before(policy
->used_by
, enumerator
, assigned_sa
);
2772 enumerator
->destroy(enumerator
);
2774 if (update
&& current_sa
)
2775 { /* check if there are actually any relevant changes, if not, we don't
2776 * send an update to the kernel as e.g. FreeBSD doesn't do that
2777 * atomically, causing unnecessary traffic loss during rekeyings */
2778 update
= policy_update_required(current_sa
, assigned_sa
);
2782 { /* we don't update the policy if the priority is lower than that of the
2783 * currently installed one */
2784 this->mutex
->unlock(this->mutex
);
2788 DBG2(DBG_KNL
, "%s policy %R === %R %N",
2789 found ?
"updating" : "adding", id
->src_ts
, id
->dst_ts
,
2790 policy_dir_names
, id
->dir
);
2792 if (add_policy_internal(this, policy
, assigned_sa
, found
) != SUCCESS
)
2794 DBG1(DBG_KNL
, "unable to %s policy %R === %R %N",
2795 found ?
"update" : "add", id
->src_ts
, id
->dst_ts
,
2796 policy_dir_names
, id
->dir
);
2802 METHOD(kernel_ipsec_t
, query_policy
, status_t
,
2803 private_kernel_pfkey_ipsec_t
*this, kernel_ipsec_policy_id_t
*id
,
2804 kernel_ipsec_query_policy_t
*data
, time_t *use_time
)
2806 unsigned char request
[PFKEY_BUFFER_SIZE
];
2807 struct sadb_msg
*msg
, *out
;
2808 struct sadb_x_policy
*pol
;
2809 policy_entry_t
*policy
, *found
= NULL
;
2810 pfkey_msg_t response
;
2813 if (dir2kernel(id
->dir
) == IPSEC_DIR_INVALID
)
2814 { /* FWD policies are not supported on all platforms */
2818 DBG2(DBG_KNL
, "querying policy %R === %R %N", id
->src_ts
, id
->dst_ts
,
2819 policy_dir_names
, id
->dir
);
2821 /* create a policy */
2822 policy
= create_policy_entry(id
->src_ts
, id
->dst_ts
, id
->dir
);
2824 /* find a matching policy */
2825 this->mutex
->lock(this->mutex
);
2826 if (!this->policies
->find_first(this->policies
, policy_entry_equals
,
2827 (void**)&found
, policy
))
2829 DBG1(DBG_KNL
, "querying policy %R === %R %N failed, not found",
2830 id
->src_ts
, id
->dst_ts
, policy_dir_names
, id
->dir
);
2831 policy_entry_destroy(policy
, this);
2832 this->mutex
->unlock(this->mutex
);
2835 policy_entry_destroy(policy
, this);
2838 memset(&request
, 0, sizeof(request
));
2840 msg
= (struct sadb_msg
*)request
;
2841 msg
->sadb_msg_version
= PF_KEY_V2
;
2842 msg
->sadb_msg_type
= SADB_X_SPDGET
;
2843 msg
->sadb_msg_satype
= 0;
2844 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
2846 pol
= (struct sadb_x_policy
*)PFKEY_EXT_ADD_NEXT(msg
);
2847 pol
->sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
2848 pol
->sadb_x_policy_id
= policy
->index
;
2849 pol
->sadb_x_policy_len
= PFKEY_LEN(sizeof(struct sadb_x_policy
));
2850 pol
->sadb_x_policy_dir
= dir2kernel(id
->dir
);
2851 pol
->sadb_x_policy_type
= IPSEC_POLICY_IPSEC
;
2852 PFKEY_EXT_ADD(msg
, pol
);
2854 add_addr_ext(msg
, policy
->src
.net
, SADB_EXT_ADDRESS_SRC
, policy
->src
.proto
,
2855 policy
->src
.mask
, TRUE
);
2856 add_addr_ext(msg
, policy
->dst
.net
, SADB_EXT_ADDRESS_DST
, policy
->dst
.proto
,
2857 policy
->dst
.mask
, TRUE
);
2859 this->mutex
->unlock(this->mutex
);
2861 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
2863 DBG1(DBG_KNL
, "unable to query policy %R === %R %N", id
->src_ts
,
2864 id
->dst_ts
, policy_dir_names
, id
->dir
);
2867 else if (out
->sadb_msg_errno
)
2869 DBG1(DBG_KNL
, "unable to query policy %R === %R %N: %s (%d)",
2870 id
->src_ts
, id
->dst_ts
, policy_dir_names
, id
->dir
,
2871 strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
2875 else if (parse_pfkey_message(out
, &response
) != SUCCESS
)
2877 DBG1(DBG_KNL
, "unable to query policy %R === %R %N: parsing response "
2878 "from kernel failed", id
->src_ts
, id
->dst_ts
, policy_dir_names
,
2883 else if (response
.lft_current
== NULL
)
2885 DBG2(DBG_KNL
, "unable to query policy %R === %R %N: kernel reports no "
2886 "use time", id
->src_ts
, id
->dst_ts
, policy_dir_names
,
2892 /* we need the monotonic time, but the kernel returns system time. */
2893 if (response
.lft_current
->sadb_lifetime_usetime
)
2895 *use_time
= time_monotonic(NULL
) -
2896 (time(NULL
) - response
.lft_current
->sadb_lifetime_usetime
);