Set the ports of all hosts installed via the PF_KEY kernel interface to zero.
[strongswan.git] / src / libcharon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2010 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef __FreeBSD__
21 #include <limits.h> /* for LONG_MAX */
22 #endif
23
24 #ifdef HAVE_NET_PFKEYV2_H
25 #include <net/pfkeyv2.h>
26 #else
27 #include <stdint.h>
28 #include <linux/pfkeyv2.h>
29 #endif
30
31 #ifdef SADB_X_EXT_NAT_T_TYPE
32 #define HAVE_NATT
33 #endif
34
35 #ifdef HAVE_NETIPSEC_IPSEC_H
36 #include <netipsec/ipsec.h>
37 #elif defined(HAVE_NETINET6_IPSEC_H)
38 #include <netinet6/ipsec.h>
39 #else
40 #include <linux/ipsec.h>
41 #endif
42
43 #ifdef HAVE_NATT
44 #ifdef HAVE_LINUX_UDP_H
45 #include <linux/udp.h>
46 #else
47 #include <netinet/udp.h>
48 #endif /*HAVE_LINUX_UDP_H*/
49 #endif /*HAVE_NATT*/
50
51 #include <unistd.h>
52 #include <time.h>
53 #include <errno.h>
54
55 #include "kernel_pfkey_ipsec.h"
56
57 #include <daemon.h>
58 #include <utils/host.h>
59 #include <threading/thread.h>
60 #include <threading/mutex.h>
61 #include <processing/jobs/callback_job.h>
62 #include <processing/jobs/acquire_job.h>
63 #include <processing/jobs/migrate_job.h>
64 #include <processing/jobs/rekey_child_sa_job.h>
65 #include <processing/jobs/delete_child_sa_job.h>
66 #include <processing/jobs/update_sa_job.h>
67
68 /** non linux specific */
69 #ifndef IPPROTO_COMP
70 #define IPPROTO_COMP IPPROTO_IPCOMP
71 #endif
72
73 #ifndef SADB_X_AALG_SHA2_256HMAC
74 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
75 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
76 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
77 #endif
78
79 #ifndef SADB_X_EALG_AESCBC
80 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
81 #endif
82
83 #ifndef SADB_X_EALG_CASTCBC
84 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
85 #endif
86
87 #ifndef SOL_IP
88 #define SOL_IP IPPROTO_IP
89 #define SOL_IPV6 IPPROTO_IPV6
90 #endif
91
92 /** from linux/in.h */
93 #ifndef IP_IPSEC_POLICY
94 #define IP_IPSEC_POLICY 16
95 #endif
96
97 /** missing on uclibc */
98 #ifndef IPV6_IPSEC_POLICY
99 #define IPV6_IPSEC_POLICY 34
100 #endif
101
102 /** default priority of installed policies */
103 #define PRIO_LOW 3000
104 #define PRIO_HIGH 2000
105
106 #ifdef __APPLE__
107 /** from xnu/bsd/net/pfkeyv2.h */
108 #define SADB_X_EXT_NATT 0x002
109 struct sadb_sa_2 {
110 struct sadb_sa sa;
111 u_int16_t sadb_sa_natt_port;
112 u_int16_t sadb_reserved0;
113 u_int32_t sadb_reserved1;
114 };
115 #endif
116
117 /** buffer size for PF_KEY messages */
118 #define PFKEY_BUFFER_SIZE 4096
119
120 /** PF_KEY messages are 64 bit aligned */
121 #define PFKEY_ALIGNMENT 8
122 /** aligns len to 64 bits */
123 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
124 /** calculates the properly padded length in 64 bit chunks */
125 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
126 /** calculates user mode length i.e. in bytes */
127 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
128
129 /** given a PF_KEY message header and an extension this updates the length in the header */
130 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
131 /** given a PF_KEY message header this returns a pointer to the next extension */
132 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
133 /** copy an extension and append it to a PF_KEY message */
134 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
135 /** given a PF_KEY extension this returns a pointer to the next extension */
136 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
137 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
138 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
139 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
140 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
141 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
142 (ext)->sadb_ext_len <= (len))
143
144 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
145
146 /**
147 * Private variables and functions of kernel_pfkey class.
148 */
149 struct private_kernel_pfkey_ipsec_t
150 {
151 /**
152 * Public part of the kernel_pfkey_t object.
153 */
154 kernel_pfkey_ipsec_t public;
155
156 /**
157 * mutex to lock access to various lists
158 */
159 mutex_t *mutex;
160
161 /**
162 * List of installed policies (policy_entry_t)
163 */
164 linked_list_t *policies;
165
166 /**
167 * whether to install routes along policies
168 */
169 bool install_routes;
170
171 /**
172 * job receiving PF_KEY events
173 */
174 callback_job_t *job;
175
176 /**
177 * mutex to lock access to the PF_KEY socket
178 */
179 mutex_t *mutex_pfkey;
180
181 /**
182 * PF_KEY socket to communicate with the kernel
183 */
184 int socket;
185
186 /**
187 * PF_KEY socket to receive acquire and expire events
188 */
189 int socket_events;
190
191 /**
192 * sequence number for messages sent to the kernel
193 */
194 int seq;
195 };
196
197 typedef struct route_entry_t route_entry_t;
198
199 /**
200 * installed routing entry
201 */
202 struct route_entry_t {
203 /** Name of the interface the route is bound to */
204 char *if_name;
205
206 /** Source ip of the route */
207 host_t *src_ip;
208
209 /** gateway for this route */
210 host_t *gateway;
211
212 /** Destination net */
213 chunk_t dst_net;
214
215 /** Destination net prefixlen */
216 u_int8_t prefixlen;
217 };
218
219 /**
220 * destroy an route_entry_t object
221 */
222 static void route_entry_destroy(route_entry_t *this)
223 {
224 free(this->if_name);
225 DESTROY_IF(this->src_ip);
226 DESTROY_IF(this->gateway);
227 chunk_free(&this->dst_net);
228 free(this);
229 }
230
231 typedef struct policy_entry_t policy_entry_t;
232
233 /**
234 * installed kernel policy.
235 */
236 struct policy_entry_t {
237
238 /** reqid of this policy */
239 u_int32_t reqid;
240
241 /** index assigned by the kernel */
242 u_int32_t index;
243
244 /** direction of this policy: in, out, forward */
245 u_int8_t direction;
246
247 /** parameters of installed policy */
248 struct {
249 /** subnet and port */
250 host_t *net;
251 /** subnet mask */
252 u_int8_t mask;
253 /** protocol */
254 u_int8_t proto;
255 } src, dst;
256
257 /** associated route installed for this policy */
258 route_entry_t *route;
259
260 /** by how many CHILD_SA's this policy is used */
261 u_int refcount;
262 };
263
264 /**
265 * create a policy_entry_t object
266 */
267 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
268 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
269 {
270 policy_entry_t *policy = malloc_thing(policy_entry_t);
271 policy->reqid = reqid;
272 policy->index = 0;
273 policy->direction = dir;
274 policy->route = NULL;
275 policy->refcount = 0;
276
277 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
278 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
279
280 /* src or dest proto may be "any" (0), use more restrictive one */
281 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
282 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
283 policy->dst.proto = policy->src.proto;
284
285 return policy;
286 }
287
288 /**
289 * destroy a policy_entry_t object
290 */
291 static void policy_entry_destroy(policy_entry_t *this)
292 {
293 DESTROY_IF(this->src.net);
294 DESTROY_IF(this->dst.net);
295 if (this->route)
296 {
297 route_entry_destroy(this->route);
298 }
299 free(this);
300 }
301
302 /**
303 * compares two policy_entry_t
304 */
305 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
306 {
307 return current->direction == policy->direction &&
308 current->src.proto == policy->src.proto &&
309 current->dst.proto == policy->dst.proto &&
310 current->src.mask == policy->src.mask &&
311 current->dst.mask == policy->dst.mask &&
312 current->src.net->equals(current->src.net, policy->src.net) &&
313 current->dst.net->equals(current->dst.net, policy->dst.net);
314 }
315
316 /**
317 * compare the given kernel index with that of a policy
318 */
319 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
320 {
321 return current->index == *index;
322 }
323
324 typedef struct pfkey_msg_t pfkey_msg_t;
325
326 struct pfkey_msg_t
327 {
328 /**
329 * PF_KEY message base
330 */
331 struct sadb_msg *msg;
332
333 /**
334 * PF_KEY message extensions
335 */
336 union {
337 struct sadb_ext *ext[SADB_EXT_MAX + 1];
338 struct {
339 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
340 struct sadb_sa *sa; /* SADB_EXT_SA */
341 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
342 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
343 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
344 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
345 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
346 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
347 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
348 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
349 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
350 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
351 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
352 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
353 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
354 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
355 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
356 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
357 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
358 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
359 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
360 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
361 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
362 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
363 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
364 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
365 } __attribute__((__packed__));
366 };
367 };
368
369 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
370 "SADB_EXT_RESERVED",
371 "SADB_EXT_SA",
372 "SADB_EXT_LIFETIME_CURRENT",
373 "SADB_EXT_LIFETIME_HARD",
374 "SADB_EXT_LIFETIME_SOFT",
375 "SADB_EXT_ADDRESS_SRC",
376 "SADB_EXT_ADDRESS_DST",
377 "SADB_EXT_ADDRESS_PROXY",
378 "SADB_EXT_KEY_AUTH",
379 "SADB_EXT_KEY_ENCRYPT",
380 "SADB_EXT_IDENTITY_SRC",
381 "SADB_EXT_IDENTITY_DST",
382 "SADB_EXT_SENSITIVITY",
383 "SADB_EXT_PROPOSAL",
384 "SADB_EXT_SUPPORTED_AUTH",
385 "SADB_EXT_SUPPORTED_ENCRYPT",
386 "SADB_EXT_SPIRANGE",
387 "SADB_X_EXT_KMPRIVATE",
388 "SADB_X_EXT_POLICY",
389 "SADB_X_EXT_SA2",
390 "SADB_X_EXT_NAT_T_TYPE",
391 "SADB_X_EXT_NAT_T_SPORT",
392 "SADB_X_EXT_NAT_T_DPORT",
393 "SADB_X_EXT_NAT_T_OA",
394 "SADB_X_EXT_SEC_CTX",
395 "SADB_X_EXT_KMADDRESS"
396 );
397
398 /**
399 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
400 */
401 static u_int8_t proto_ike2satype(protocol_id_t proto)
402 {
403 switch (proto)
404 {
405 case PROTO_ESP:
406 return SADB_SATYPE_ESP;
407 case PROTO_AH:
408 return SADB_SATYPE_AH;
409 case IPPROTO_COMP:
410 return SADB_X_SATYPE_IPCOMP;
411 default:
412 return proto;
413 }
414 }
415
416 /**
417 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
418 */
419 static protocol_id_t proto_satype2ike(u_int8_t proto)
420 {
421 switch (proto)
422 {
423 case SADB_SATYPE_ESP:
424 return PROTO_ESP;
425 case SADB_SATYPE_AH:
426 return PROTO_AH;
427 case SADB_X_SATYPE_IPCOMP:
428 return IPPROTO_COMP;
429 default:
430 return proto;
431 }
432 }
433
434 /**
435 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
436 */
437 static u_int8_t proto_ike2ip(protocol_id_t proto)
438 {
439 switch (proto)
440 {
441 case PROTO_ESP:
442 return IPPROTO_ESP;
443 case PROTO_AH:
444 return IPPROTO_AH;
445 default:
446 return proto;
447 }
448 }
449
450 /**
451 * convert the general ipsec mode to the one defined in ipsec.h
452 */
453 static u_int8_t mode2kernel(ipsec_mode_t mode)
454 {
455 switch (mode)
456 {
457 case MODE_TRANSPORT:
458 return IPSEC_MODE_TRANSPORT;
459 case MODE_TUNNEL:
460 return IPSEC_MODE_TUNNEL;
461 #ifdef HAVE_IPSEC_MODE_BEET
462 case MODE_BEET:
463 return IPSEC_MODE_BEET;
464 #endif
465 default:
466 return mode;
467 }
468 }
469
470 /**
471 * convert the general policy direction to the one defined in ipsec.h
472 */
473 static u_int8_t dir2kernel(policy_dir_t dir)
474 {
475 switch (dir)
476 {
477 case POLICY_IN:
478 return IPSEC_DIR_INBOUND;
479 case POLICY_OUT:
480 return IPSEC_DIR_OUTBOUND;
481 #ifdef HAVE_IPSEC_DIR_FWD
482 case POLICY_FWD:
483 return IPSEC_DIR_FWD;
484 #endif
485 default:
486 return IPSEC_DIR_INVALID;
487 }
488 }
489
490 #ifdef SADB_X_MIGRATE
491 /**
492 * convert the policy direction in ipsec.h to the general one.
493 */
494 static policy_dir_t kernel2dir(u_int8_t dir)
495 {
496 switch (dir)
497 {
498 case IPSEC_DIR_INBOUND:
499 return POLICY_IN;
500 case IPSEC_DIR_OUTBOUND:
501 return POLICY_OUT;
502 #ifdef HAVE_IPSEC_DIR_FWD
503 case IPSEC_DIR_FWD:
504 return POLICY_FWD;
505 #endif
506 default:
507 return dir;
508 }
509 }
510 #endif /*SADB_X_MIGRATE*/
511
512 typedef struct kernel_algorithm_t kernel_algorithm_t;
513
514 /**
515 * Mapping of IKEv2 algorithms to PF_KEY algorithms
516 */
517 struct kernel_algorithm_t {
518 /**
519 * Identifier specified in IKEv2
520 */
521 int ikev2;
522
523 /**
524 * Identifier as defined in pfkeyv2.h
525 */
526 int kernel;
527 };
528
529 #define END_OF_LIST -1
530
531 /**
532 * Algorithms for encryption
533 */
534 static kernel_algorithm_t encryption_algs[] = {
535 /* {ENCR_DES_IV64, 0 }, */
536 {ENCR_DES, SADB_EALG_DESCBC },
537 {ENCR_3DES, SADB_EALG_3DESCBC },
538 /* {ENCR_RC5, 0 }, */
539 /* {ENCR_IDEA, 0 }, */
540 {ENCR_CAST, SADB_X_EALG_CASTCBC },
541 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
542 /* {ENCR_3IDEA, 0 }, */
543 /* {ENCR_DES_IV32, 0 }, */
544 {ENCR_NULL, SADB_EALG_NULL },
545 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
546 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
547 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
548 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
549 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
550 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
551 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
552 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
553 {END_OF_LIST, 0 },
554 };
555
556 /**
557 * Algorithms for integrity protection
558 */
559 static kernel_algorithm_t integrity_algs[] = {
560 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
561 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
562 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
563 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
564 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
565 /* {AUTH_DES_MAC, 0, }, */
566 /* {AUTH_KPDK_MD5, 0, }, */
567 #ifdef SADB_X_AALG_AES_XCBC_MAC
568 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
569 #endif
570 {END_OF_LIST, 0, },
571 };
572
573 #if 0
574 /**
575 * Algorithms for IPComp, unused yet
576 */
577 static kernel_algorithm_t compression_algs[] = {
578 /* {IPCOMP_OUI, 0 }, */
579 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
580 {IPCOMP_LZS, SADB_X_CALG_LZS },
581 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
582 {END_OF_LIST, 0 },
583 };
584 #endif
585
586 /**
587 * Look up a kernel algorithm ID and its key size
588 */
589 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
590 {
591 while (list->ikev2 != END_OF_LIST)
592 {
593 if (ikev2 == list->ikev2)
594 {
595 return list->kernel;
596 }
597 list++;
598 }
599 return 0;
600 }
601
602 /**
603 * Copy a host_t as sockaddr_t to the given memory location. Ports are
604 * reset to zero as per RFC 2367.
605 * @return the number of bytes copied
606 */
607 static size_t hostcpy(void *dest, host_t *host)
608 {
609 sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
610 socklen_t *len = host->get_sockaddr_len(host);
611 memcpy(dest, addr, *len);
612 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
613 dest_addr->sa_len = *len;
614 #endif
615 switch (dest_addr->sa_family)
616 {
617 case AF_INET:
618 {
619 struct sockaddr_in *sin = dest;
620 sin->sin_port = 0;
621 break;
622 }
623 case AF_INET6:
624 {
625 struct sockaddr_in6 *sin6 = dest;
626 sin6->sin6_port = 0;
627 break;
628 }
629 }
630 return *len;
631 }
632
633 /**
634 * add a host behind an sadb_address extension
635 */
636 static void host2ext(host_t *host, struct sadb_address *ext)
637 {
638 size_t len = hostcpy(ext + 1, host);
639 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len);
640 }
641
642 /**
643 * add a host to the given sadb_msg
644 */
645 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
646 u_int8_t proto, u_int8_t prefixlen)
647 {
648 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
649 addr->sadb_address_exttype = type;
650 addr->sadb_address_proto = proto;
651 addr->sadb_address_prefixlen = prefixlen;
652 host2ext(host, addr);
653 PFKEY_EXT_ADD(msg, addr);
654 }
655
656 /**
657 * adds an empty address extension to the given sadb_msg
658 */
659 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
660 {
661 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
662 sizeof(struct sockaddr_in6);
663 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
664 addr->sadb_address_exttype = type;
665 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
666 saddr->sa_family = family;
667 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
668 saddr->sa_len = len;
669 #endif
670 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
671 PFKEY_EXT_ADD(msg, addr);
672 }
673
674 #ifdef HAVE_NATT
675 /**
676 * add udp encap extensions to a sadb_msg
677 */
678 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
679 {
680 struct sadb_x_nat_t_type* nat_type;
681 struct sadb_x_nat_t_port* nat_port;
682
683 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
684 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
685 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
686 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
687 PFKEY_EXT_ADD(msg, nat_type);
688
689 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
690 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
691 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
692 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
693 PFKEY_EXT_ADD(msg, nat_port);
694
695 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
696 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
697 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
698 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
699 PFKEY_EXT_ADD(msg, nat_port);
700 }
701 #endif /*HAVE_NATT*/
702
703 /**
704 * Convert a sadb_address to a traffic_selector
705 */
706 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
707 {
708 traffic_selector_t *ts;
709 host_t *host;
710
711 /* The Linux 2.6 kernel does not set the protocol and port information
712 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
713 */
714 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
715 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
716 address->sadb_address_proto, host->get_port(host));
717 return ts;
718 }
719
720 /**
721 * Parses a pfkey message received from the kernel
722 */
723 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
724 {
725 struct sadb_ext* ext;
726 size_t len;
727
728 memset(out, 0, sizeof(pfkey_msg_t));
729 out->msg = msg;
730
731 len = msg->sadb_msg_len;
732 len -= PFKEY_LEN(sizeof(struct sadb_msg));
733
734 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
735
736 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
737 {
738 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
739 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
740 ext->sadb_ext_len > len)
741 {
742 DBG1(DBG_KNL, "length of %N extension is invalid",
743 sadb_ext_type_names, ext->sadb_ext_type);
744 break;
745 }
746
747 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
748 {
749 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
750 break;
751 }
752
753 if (out->ext[ext->sadb_ext_type])
754 {
755 DBG1(DBG_KNL, "duplicate %N extension",
756 sadb_ext_type_names, ext->sadb_ext_type);
757 break;
758 }
759
760 out->ext[ext->sadb_ext_type] = ext;
761 ext = PFKEY_EXT_NEXT_LEN(ext, len);
762 }
763
764 if (len)
765 {
766 DBG1(DBG_KNL, "PF_KEY message length is invalid");
767 return FAILED;
768 }
769
770 return SUCCESS;
771 }
772
773 /**
774 * Send a message to a specific PF_KEY socket and handle the response.
775 */
776 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
777 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
778 {
779 unsigned char buf[PFKEY_BUFFER_SIZE];
780 struct sadb_msg *msg;
781 int in_len, len;
782
783 this->mutex_pfkey->lock(this->mutex_pfkey);
784
785 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
786 * in particular the behavior in response to an SADB_ACQUIRE. */
787 in->sadb_msg_seq = ++this->seq;
788 in->sadb_msg_pid = getpid();
789
790 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
791
792 while (TRUE)
793 {
794 len = send(socket, in, in_len, 0);
795
796 if (len != in_len)
797 {
798 if (errno == EINTR)
799 {
800 /* interrupted, try again */
801 continue;
802 }
803 this->mutex_pfkey->unlock(this->mutex_pfkey);
804 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
805 return FAILED;
806 }
807 break;
808 }
809
810 while (TRUE)
811 {
812 msg = (struct sadb_msg*)buf;
813
814 len = recv(socket, buf, sizeof(buf), 0);
815
816 if (len < 0)
817 {
818 if (errno == EINTR)
819 {
820 DBG1(DBG_KNL, "got interrupted");
821 /* interrupted, try again */
822 continue;
823 }
824 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
825 this->mutex_pfkey->unlock(this->mutex_pfkey);
826 return FAILED;
827 }
828 if (len < sizeof(struct sadb_msg) ||
829 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
830 {
831 DBG1(DBG_KNL, "received corrupted PF_KEY message");
832 this->mutex_pfkey->unlock(this->mutex_pfkey);
833 return FAILED;
834 }
835 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
836 {
837 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
838 this->mutex_pfkey->unlock(this->mutex_pfkey);
839 return FAILED;
840 }
841 if (msg->sadb_msg_pid != in->sadb_msg_pid)
842 {
843 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
844 continue;
845 }
846 if (msg->sadb_msg_seq != this->seq)
847 {
848 DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
849 "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
850 if (msg->sadb_msg_seq == 0)
851 {
852 /* FreeBSD and Mac OS X do this for the response to
853 * SADB_X_SPDGET (but not for the response to SADB_GET).
854 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
855 }
856 else if (msg->sadb_msg_seq < this->seq)
857 {
858 continue;
859 }
860 else
861 {
862 this->mutex_pfkey->unlock(this->mutex_pfkey);
863 return FAILED;
864 }
865 }
866 if (msg->sadb_msg_type != in->sadb_msg_type)
867 {
868 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
869 "was %d expected %d, ignoring",
870 msg->sadb_msg_type, in->sadb_msg_type);
871 }
872 break;
873 }
874
875 *out_len = len;
876 *out = (struct sadb_msg*)malloc(len);
877 memcpy(*out, buf, len);
878
879 this->mutex_pfkey->unlock(this->mutex_pfkey);
880
881 return SUCCESS;
882 }
883
884 /**
885 * Send a message to the default PF_KEY socket and handle the response.
886 */
887 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
888 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
889 {
890 return pfkey_send_socket(this, this->socket, in, out, out_len);
891 }
892
893 /**
894 * Process a SADB_ACQUIRE message from the kernel
895 */
896 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
897 {
898 pfkey_msg_t response;
899 u_int32_t index, reqid = 0;
900 traffic_selector_t *src_ts, *dst_ts;
901 policy_entry_t *policy;
902 job_t *job;
903
904 switch (msg->sadb_msg_satype)
905 {
906 case SADB_SATYPE_UNSPEC:
907 case SADB_SATYPE_ESP:
908 case SADB_SATYPE_AH:
909 break;
910 default:
911 /* acquire for AH/ESP only */
912 return;
913 }
914 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
915
916 if (parse_pfkey_message(msg, &response) != SUCCESS)
917 {
918 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
919 return;
920 }
921
922 index = response.x_policy->sadb_x_policy_id;
923 this->mutex->lock(this->mutex);
924 if (this->policies->find_first(this->policies,
925 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
926 {
927 reqid = policy->reqid;
928 }
929 else
930 {
931 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
932 index);
933 }
934 src_ts = sadb_address2ts(response.src);
935 dst_ts = sadb_address2ts(response.dst);
936 this->mutex->unlock(this->mutex);
937
938 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
939 src_ts, dst_ts, reqid);
940 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
941 charon->processor->queue_job(charon->processor, job);
942 }
943
944 /**
945 * Process a SADB_EXPIRE message from the kernel
946 */
947 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
948 {
949 pfkey_msg_t response;
950 protocol_id_t protocol;
951 u_int32_t spi, reqid;
952 bool hard;
953 job_t *job;
954
955 DBG2(DBG_KNL, "received an SADB_EXPIRE");
956
957 if (parse_pfkey_message(msg, &response) != SUCCESS)
958 {
959 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
960 return;
961 }
962
963 protocol = proto_satype2ike(msg->sadb_msg_satype);
964 spi = response.sa->sadb_sa_spi;
965 reqid = response.x_sa2->sadb_x_sa2_reqid;
966 hard = response.lft_hard != NULL;
967
968 if (protocol != PROTO_ESP && protocol != PROTO_AH)
969 {
970 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
971 "which is not a CHILD_SA", ntohl(spi), reqid);
972 return;
973 }
974
975 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
976 hard ? "delete" : "rekey", protocol_id_names,
977 protocol, ntohl(spi), reqid);
978 if (hard)
979 {
980 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
981 }
982 else
983 {
984 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
985 }
986 charon->processor->queue_job(charon->processor, job);
987 }
988
989 #ifdef SADB_X_MIGRATE
990 /**
991 * Process a SADB_X_MIGRATE message from the kernel
992 */
993 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
994 {
995 pfkey_msg_t response;
996 traffic_selector_t *src_ts, *dst_ts;
997 policy_dir_t dir;
998 u_int32_t reqid = 0;
999 host_t *local = NULL, *remote = NULL;
1000 job_t *job;
1001
1002 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
1003
1004 if (parse_pfkey_message(msg, &response) != SUCCESS)
1005 {
1006 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
1007 return;
1008 }
1009 src_ts = sadb_address2ts(response.src);
1010 dst_ts = sadb_address2ts(response.dst);
1011 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
1012 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
1013 policy_dir_names, dir);
1014
1015 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
1016 if (response.x_kmaddress)
1017 {
1018 sockaddr_t *local_addr, *remote_addr;
1019 u_int32_t local_len;
1020
1021 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
1022 local = host_create_from_sockaddr(local_addr);
1023 local_len = (local_addr->sa_family == AF_INET6)?
1024 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
1025 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
1026 remote = host_create_from_sockaddr(remote_addr);
1027 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1028 }
1029
1030 if (src_ts && dst_ts && local && remote)
1031 {
1032 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
1033 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
1034 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
1035 local, remote);
1036 charon->processor->queue_job(charon->processor, job);
1037 }
1038 else
1039 {
1040 DESTROY_IF(src_ts);
1041 DESTROY_IF(dst_ts);
1042 DESTROY_IF(local);
1043 DESTROY_IF(remote);
1044 }
1045 }
1046 #endif /*SADB_X_MIGRATE*/
1047
1048 #ifdef HAVE_NATT
1049 /**
1050 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1051 */
1052 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
1053 {
1054 pfkey_msg_t response;
1055 u_int32_t spi, reqid;
1056 host_t *host;
1057 job_t *job;
1058
1059 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1060
1061 if (parse_pfkey_message(msg, &response) != SUCCESS)
1062 {
1063 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1064 return;
1065 }
1066
1067 if (!response.x_sa2)
1068 {
1069 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
1070 return;
1071 }
1072
1073 spi = response.sa->sadb_sa_spi;
1074 reqid = response.x_sa2->sadb_x_sa2_reqid;
1075
1076 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
1077 {
1078 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
1079 switch (sa->sa_family)
1080 {
1081 case AF_INET:
1082 {
1083 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1084 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1085 }
1086 case AF_INET6:
1087 {
1088 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1089 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1090 }
1091 default:
1092 break;
1093 }
1094 host = host_create_from_sockaddr(sa);
1095 if (host)
1096 {
1097 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
1098 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
1099 job = (job_t*)update_sa_job_create(reqid, host);
1100 charon->processor->queue_job(charon->processor, job);
1101 }
1102 }
1103 }
1104 #endif /*HAVE_NATT*/
1105
1106 /**
1107 * Receives events from kernel
1108 */
1109 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1110 {
1111 unsigned char buf[PFKEY_BUFFER_SIZE];
1112 struct sadb_msg *msg = (struct sadb_msg*)buf;
1113 int len;
1114 bool oldstate;
1115
1116 oldstate = thread_cancelability(TRUE);
1117 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1118 thread_cancelability(oldstate);
1119
1120 if (len < 0)
1121 {
1122 switch (errno)
1123 {
1124 case EINTR:
1125 /* interrupted, try again */
1126 return JOB_REQUEUE_DIRECT;
1127 case EAGAIN:
1128 /* no data ready, select again */
1129 return JOB_REQUEUE_DIRECT;
1130 default:
1131 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1132 sleep(1);
1133 return JOB_REQUEUE_FAIR;
1134 }
1135 }
1136
1137 if (len < sizeof(struct sadb_msg) ||
1138 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1139 {
1140 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1141 return JOB_REQUEUE_DIRECT;
1142 }
1143 if (msg->sadb_msg_pid != 0)
1144 { /* not from kernel. not interested, try another one */
1145 return JOB_REQUEUE_DIRECT;
1146 }
1147 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1148 {
1149 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
1150 return JOB_REQUEUE_DIRECT;
1151 }
1152
1153 switch (msg->sadb_msg_type)
1154 {
1155 case SADB_ACQUIRE:
1156 process_acquire(this, msg);
1157 break;
1158 case SADB_EXPIRE:
1159 process_expire(this, msg);
1160 break;
1161 #ifdef SADB_X_MIGRATE
1162 case SADB_X_MIGRATE:
1163 process_migrate(this, msg);
1164 break;
1165 #endif /*SADB_X_MIGRATE*/
1166 #ifdef HAVE_NATT
1167 case SADB_X_NAT_T_NEW_MAPPING:
1168 process_mapping(this, msg);
1169 break;
1170 #endif /*HAVE_NATT*/
1171 default:
1172 break;
1173 }
1174
1175 return JOB_REQUEUE_DIRECT;
1176 }
1177
1178 METHOD(kernel_ipsec_t, get_spi, status_t,
1179 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1180 protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
1181 {
1182 unsigned char request[PFKEY_BUFFER_SIZE];
1183 struct sadb_msg *msg, *out;
1184 struct sadb_x_sa2 *sa2;
1185 struct sadb_spirange *range;
1186 pfkey_msg_t response;
1187 u_int32_t received_spi = 0;
1188 size_t len;
1189
1190 memset(&request, 0, sizeof(request));
1191
1192 msg = (struct sadb_msg*)request;
1193 msg->sadb_msg_version = PF_KEY_V2;
1194 msg->sadb_msg_type = SADB_GETSPI;
1195 msg->sadb_msg_satype = proto_ike2satype(protocol);
1196 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1197
1198 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1199 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1200 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1201 sa2->sadb_x_sa2_reqid = reqid;
1202 PFKEY_EXT_ADD(msg, sa2);
1203
1204 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1205 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1206
1207 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1208 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1209 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1210 range->sadb_spirange_min = 0xc0000000;
1211 range->sadb_spirange_max = 0xcFFFFFFF;
1212 PFKEY_EXT_ADD(msg, range);
1213
1214 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1215 {
1216 if (out->sadb_msg_errno)
1217 {
1218 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1219 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1220 }
1221 else if (parse_pfkey_message(out, &response) == SUCCESS)
1222 {
1223 received_spi = response.sa->sadb_sa_spi;
1224 }
1225 free(out);
1226 }
1227
1228 if (received_spi == 0)
1229 {
1230 return FAILED;
1231 }
1232
1233 *spi = received_spi;
1234 return SUCCESS;
1235 }
1236
1237 METHOD(kernel_ipsec_t, get_cpi, status_t,
1238 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1239 u_int32_t reqid, u_int16_t *cpi)
1240 {
1241 return FAILED;
1242 }
1243
1244 METHOD(kernel_ipsec_t, add_sa, status_t,
1245 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
1246 protocol_id_t protocol, u_int32_t reqid, lifetime_cfg_t *lifetime,
1247 u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key,
1248 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
1249 bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
1250 {
1251 unsigned char request[PFKEY_BUFFER_SIZE];
1252 struct sadb_msg *msg, *out;
1253 struct sadb_sa *sa;
1254 struct sadb_x_sa2 *sa2;
1255 struct sadb_lifetime *lft;
1256 struct sadb_key *key;
1257 size_t len;
1258
1259 memset(&request, 0, sizeof(request));
1260
1261 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1262
1263 msg = (struct sadb_msg*)request;
1264 msg->sadb_msg_version = PF_KEY_V2;
1265 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1266 msg->sadb_msg_satype = proto_ike2satype(protocol);
1267 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1268
1269 #ifdef __APPLE__
1270 if (encap)
1271 {
1272 struct sadb_sa_2 *sa_2;
1273 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1274 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1275 sa = &sa_2->sa;
1276 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1277 len = sizeof(struct sadb_sa_2);
1278 }
1279 else
1280 #endif
1281 {
1282 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1283 len = sizeof(struct sadb_sa);
1284 }
1285 sa->sadb_sa_exttype = SADB_EXT_SA;
1286 sa->sadb_sa_len = PFKEY_LEN(len);
1287 sa->sadb_sa_spi = spi;
1288 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1289 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1290 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1291 PFKEY_EXT_ADD(msg, sa);
1292
1293 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1294 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1295 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1296 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1297 sa2->sadb_x_sa2_reqid = reqid;
1298 PFKEY_EXT_ADD(msg, sa2);
1299
1300 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1301 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1302
1303 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1304 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1305 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1306 lft->sadb_lifetime_allocations = lifetime->packets.rekey;
1307 lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
1308 lft->sadb_lifetime_addtime = lifetime->time.rekey;
1309 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1310 PFKEY_EXT_ADD(msg, lft);
1311
1312 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1313 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1314 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1315 lft->sadb_lifetime_allocations = lifetime->packets.life;
1316 lft->sadb_lifetime_bytes = lifetime->bytes.life;
1317 lft->sadb_lifetime_addtime = lifetime->time.life;
1318 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1319 PFKEY_EXT_ADD(msg, lft);
1320
1321 if (enc_alg != ENCR_UNDEFINED)
1322 {
1323 if (!sa->sadb_sa_encrypt)
1324 {
1325 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1326 encryption_algorithm_names, enc_alg);
1327 return FAILED;
1328 }
1329 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1330 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1331
1332 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1333 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1334 key->sadb_key_bits = enc_key.len * 8;
1335 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1336 memcpy(key + 1, enc_key.ptr, enc_key.len);
1337
1338 PFKEY_EXT_ADD(msg, key);
1339 }
1340
1341 if (int_alg != AUTH_UNDEFINED)
1342 {
1343 if (!sa->sadb_sa_auth)
1344 {
1345 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1346 integrity_algorithm_names, int_alg);
1347 return FAILED;
1348 }
1349 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1350 integrity_algorithm_names, int_alg, int_key.len * 8);
1351
1352 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1353 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1354 key->sadb_key_bits = int_key.len * 8;
1355 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1356 memcpy(key + 1, int_key.ptr, int_key.len);
1357
1358 PFKEY_EXT_ADD(msg, key);
1359 }
1360
1361 if (ipcomp != IPCOMP_NONE)
1362 {
1363 /*TODO*/
1364 }
1365
1366 #ifdef HAVE_NATT
1367 if (encap)
1368 {
1369 add_encap_ext(msg, src, dst);
1370 }
1371 #endif /*HAVE_NATT*/
1372
1373 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1374 {
1375 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1376 return FAILED;
1377 }
1378 else if (out->sadb_msg_errno)
1379 {
1380 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1381 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1382 free(out);
1383 return FAILED;
1384 }
1385
1386 free(out);
1387 return SUCCESS;
1388 }
1389
1390 METHOD(kernel_ipsec_t, update_sa, status_t,
1391 private_kernel_pfkey_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
1392 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1393 bool encap, bool new_encap)
1394 {
1395 unsigned char request[PFKEY_BUFFER_SIZE];
1396 struct sadb_msg *msg, *out;
1397 struct sadb_sa *sa;
1398 pfkey_msg_t response;
1399 size_t len;
1400
1401 /* we can't update the SA if any of the ip addresses have changed.
1402 * that's because we can't use SADB_UPDATE and by deleting and readding the
1403 * SA the sequence numbers would get lost */
1404 if (!src->ip_equals(src, new_src) ||
1405 !dst->ip_equals(dst, new_dst))
1406 {
1407 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
1408 " are not supported", ntohl(spi));
1409 return NOT_SUPPORTED;
1410 }
1411
1412 memset(&request, 0, sizeof(request));
1413
1414 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1415
1416 msg = (struct sadb_msg*)request;
1417 msg->sadb_msg_version = PF_KEY_V2;
1418 msg->sadb_msg_type = SADB_GET;
1419 msg->sadb_msg_satype = proto_ike2satype(protocol);
1420 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1421
1422 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1423 sa->sadb_sa_exttype = SADB_EXT_SA;
1424 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1425 sa->sadb_sa_spi = spi;
1426 PFKEY_EXT_ADD(msg, sa);
1427
1428 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1429 * it is not used for anything. */
1430 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1431 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1432
1433 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1434 {
1435 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1436 ntohl(spi));
1437 return FAILED;
1438 }
1439 else if (out->sadb_msg_errno)
1440 {
1441 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1442 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1443 free(out);
1444 return FAILED;
1445 }
1446 else if (parse_pfkey_message(out, &response) != SUCCESS)
1447 {
1448 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1449 "from kernel failed", ntohl(spi));
1450 free(out);
1451 return FAILED;
1452 }
1453
1454 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1455 ntohl(spi), src, dst, new_src, new_dst);
1456
1457 memset(&request, 0, sizeof(request));
1458
1459 msg = (struct sadb_msg*)request;
1460 msg->sadb_msg_version = PF_KEY_V2;
1461 msg->sadb_msg_type = SADB_UPDATE;
1462 msg->sadb_msg_satype = proto_ike2satype(protocol);
1463 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1464
1465 #ifdef __APPLE__
1466 {
1467 struct sadb_sa_2 *sa_2;
1468 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1469 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1470 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1471 if (encap)
1472 {
1473 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1474 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1475 }
1476 }
1477 #else
1478 PFKEY_EXT_COPY(msg, response.sa);
1479 #endif
1480 PFKEY_EXT_COPY(msg, response.x_sa2);
1481
1482 PFKEY_EXT_COPY(msg, response.src);
1483 PFKEY_EXT_COPY(msg, response.dst);
1484
1485 PFKEY_EXT_COPY(msg, response.lft_soft);
1486 PFKEY_EXT_COPY(msg, response.lft_hard);
1487
1488 if (response.key_encr)
1489 {
1490 PFKEY_EXT_COPY(msg, response.key_encr);
1491 }
1492
1493 if (response.key_auth)
1494 {
1495 PFKEY_EXT_COPY(msg, response.key_auth);
1496 }
1497
1498 #ifdef HAVE_NATT
1499 if (new_encap)
1500 {
1501 add_encap_ext(msg, new_src, new_dst);
1502 }
1503 #endif /*HAVE_NATT*/
1504
1505 free(out);
1506
1507 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1508 {
1509 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1510 return FAILED;
1511 }
1512 else if (out->sadb_msg_errno)
1513 {
1514 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1515 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1516 free(out);
1517 return FAILED;
1518 }
1519 free(out);
1520
1521 return SUCCESS;
1522 }
1523
1524 METHOD(kernel_ipsec_t, query_sa, status_t,
1525 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1526 u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
1527 {
1528 unsigned char request[PFKEY_BUFFER_SIZE];
1529 struct sadb_msg *msg, *out;
1530 struct sadb_sa *sa;
1531 pfkey_msg_t response;
1532 size_t len;
1533
1534 memset(&request, 0, sizeof(request));
1535
1536 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1537
1538 msg = (struct sadb_msg*)request;
1539 msg->sadb_msg_version = PF_KEY_V2;
1540 msg->sadb_msg_type = SADB_GET;
1541 msg->sadb_msg_satype = proto_ike2satype(protocol);
1542 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1543
1544 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1545 sa->sadb_sa_exttype = SADB_EXT_SA;
1546 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1547 sa->sadb_sa_spi = spi;
1548 PFKEY_EXT_ADD(msg, sa);
1549
1550 /* the Linux Kernel doesn't care for the src address, but other systems do
1551 * (e.g. FreeBSD)
1552 */
1553 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1554 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1555
1556 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1557 {
1558 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1559 return FAILED;
1560 }
1561 else if (out->sadb_msg_errno)
1562 {
1563 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1564 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1565 free(out);
1566 return FAILED;
1567 }
1568 else if (parse_pfkey_message(out, &response) != SUCCESS)
1569 {
1570 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1571 free(out);
1572 return FAILED;
1573 }
1574 *bytes = response.lft_current->sadb_lifetime_bytes;
1575
1576 free(out);
1577 return SUCCESS;
1578 }
1579
1580 METHOD(kernel_ipsec_t, del_sa, status_t,
1581 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1582 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
1583 {
1584 unsigned char request[PFKEY_BUFFER_SIZE];
1585 struct sadb_msg *msg, *out;
1586 struct sadb_sa *sa;
1587 size_t len;
1588
1589 memset(&request, 0, sizeof(request));
1590
1591 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1592
1593 msg = (struct sadb_msg*)request;
1594 msg->sadb_msg_version = PF_KEY_V2;
1595 msg->sadb_msg_type = SADB_DELETE;
1596 msg->sadb_msg_satype = proto_ike2satype(protocol);
1597 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1598
1599 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1600 sa->sadb_sa_exttype = SADB_EXT_SA;
1601 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1602 sa->sadb_sa_spi = spi;
1603 PFKEY_EXT_ADD(msg, sa);
1604
1605 /* the Linux Kernel doesn't care for the src address, but other systems do
1606 * (e.g. FreeBSD)
1607 */
1608 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1609 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1610
1611 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1612 {
1613 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1614 return FAILED;
1615 }
1616 else if (out->sadb_msg_errno)
1617 {
1618 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1619 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1620 free(out);
1621 return FAILED;
1622 }
1623
1624 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1625 free(out);
1626 return SUCCESS;
1627 }
1628
1629 METHOD(kernel_ipsec_t, add_policy, status_t,
1630 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1631 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
1632 policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
1633 u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1634 bool routed)
1635 {
1636 unsigned char request[PFKEY_BUFFER_SIZE];
1637 struct sadb_msg *msg, *out;
1638 struct sadb_x_policy *pol;
1639 struct sadb_x_ipsecrequest *req;
1640 policy_entry_t *policy, *found = NULL;
1641 pfkey_msg_t response;
1642 size_t len;
1643
1644 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1645 {
1646 /* FWD policies are not supported on all platforms */
1647 return SUCCESS;
1648 }
1649
1650 /* create a policy */
1651 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1652
1653 /* find a matching policy */
1654 this->mutex->lock(this->mutex);
1655 if (this->policies->find_first(this->policies,
1656 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1657 {
1658 /* use existing policy */
1659 found->refcount++;
1660 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1661 "refcount", src_ts, dst_ts,
1662 policy_dir_names, direction);
1663 policy_entry_destroy(policy);
1664 policy = found;
1665 }
1666 else
1667 {
1668 /* apply the new one, if we have no such policy */
1669 this->policies->insert_last(this->policies, policy);
1670 policy->refcount = 1;
1671 }
1672
1673 memset(&request, 0, sizeof(request));
1674
1675 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1676 policy_dir_names, direction);
1677
1678 msg = (struct sadb_msg*)request;
1679 msg->sadb_msg_version = PF_KEY_V2;
1680 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1681 msg->sadb_msg_satype = 0;
1682 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1683
1684 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1685 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1686 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1687 pol->sadb_x_policy_id = 0;
1688 pol->sadb_x_policy_dir = dir2kernel(direction);
1689 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1690 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1691 /* calculate priority based on source selector size, small size = high prio */
1692 pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
1693 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1694 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1695 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1696 #endif
1697
1698 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1699 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1700 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1701 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1702 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1703 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1704 req->sadb_x_ipsecrequest_reqid = reqid;
1705 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1706 if (mode == MODE_TUNNEL)
1707 {
1708 len = hostcpy(req + 1, src);
1709 req->sadb_x_ipsecrequest_len += len;
1710 len = hostcpy((char*)(req + 1) + len, dst);
1711 req->sadb_x_ipsecrequest_len += len;
1712 }
1713
1714 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1715 PFKEY_EXT_ADD(msg, pol);
1716
1717 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1718 policy->src.mask);
1719 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1720 policy->dst.mask);
1721
1722 #ifdef __FreeBSD__
1723 { /* on FreeBSD a lifetime has to be defined to be able to later query
1724 * the current use time. */
1725 struct sadb_lifetime *lft;
1726 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1727 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1728 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1729 lft->sadb_lifetime_addtime = LONG_MAX;
1730 PFKEY_EXT_ADD(msg, lft);
1731 }
1732 #endif
1733
1734 this->mutex->unlock(this->mutex);
1735
1736 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1737 {
1738 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1739 policy_dir_names, direction);
1740 return FAILED;
1741 }
1742 else if (out->sadb_msg_errno)
1743 {
1744 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1745 policy_dir_names, direction,
1746 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1747 free(out);
1748 return FAILED;
1749 }
1750 else if (parse_pfkey_message(out, &response) != SUCCESS)
1751 {
1752 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1753 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1754 free(out);
1755 return FAILED;
1756 }
1757
1758 this->mutex->lock(this->mutex);
1759
1760 /* we try to find the policy again and update the kernel index */
1761 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1762 {
1763 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1764 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1765 this->mutex->unlock(this->mutex);
1766 free(out);
1767 return SUCCESS;
1768 }
1769 policy->index = response.x_policy->sadb_x_policy_id;
1770 free(out);
1771
1772 /* install a route, if:
1773 * - we are NOT updating a policy
1774 * - this is a forward policy (to just get one for each child)
1775 * - we are in tunnel mode
1776 * - we are not using IPv6 (does not work correctly yet!)
1777 * - routing is not disabled via strongswan.conf
1778 */
1779 if (policy->route == NULL && direction == POLICY_FWD &&
1780 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1781 this->install_routes)
1782 {
1783 route_entry_t *route = malloc_thing(route_entry_t);
1784
1785 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1786 dst_ts, &route->src_ip) == SUCCESS)
1787 {
1788 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1789 route->gateway = charon->kernel_interface->get_nexthop(
1790 charon->kernel_interface, src);
1791 route->if_name = charon->kernel_interface->get_interface(
1792 charon->kernel_interface, dst);
1793 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1794 route->prefixlen = policy->src.mask;
1795
1796 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1797 route->dst_net, route->prefixlen, route->gateway,
1798 route->src_ip, route->if_name))
1799 {
1800 default:
1801 DBG1(DBG_KNL, "unable to install source route for %H",
1802 route->src_ip);
1803 /* FALL */
1804 case ALREADY_DONE:
1805 /* route exists, do not uninstall */
1806 route_entry_destroy(route);
1807 break;
1808 case SUCCESS:
1809 /* cache the installed route */
1810 policy->route = route;
1811 break;
1812 }
1813 }
1814 else
1815 {
1816 free(route);
1817 }
1818 }
1819
1820 this->mutex->unlock(this->mutex);
1821
1822 return SUCCESS;
1823 }
1824
1825 METHOD(kernel_ipsec_t, query_policy, status_t,
1826 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
1827 traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
1828 {
1829 unsigned char request[PFKEY_BUFFER_SIZE];
1830 struct sadb_msg *msg, *out;
1831 struct sadb_x_policy *pol;
1832 policy_entry_t *policy, *found = NULL;
1833 pfkey_msg_t response;
1834 size_t len;
1835
1836 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1837 {
1838 /* FWD policies are not supported on all platforms */
1839 return NOT_FOUND;
1840 }
1841
1842 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1843 policy_dir_names, direction);
1844
1845 /* create a policy */
1846 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1847
1848 /* find a matching policy */
1849 this->mutex->lock(this->mutex);
1850 if (this->policies->find_first(this->policies,
1851 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1852 {
1853 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1854 dst_ts, policy_dir_names, direction);
1855 policy_entry_destroy(policy);
1856 this->mutex->unlock(this->mutex);
1857 return NOT_FOUND;
1858 }
1859 policy_entry_destroy(policy);
1860 policy = found;
1861
1862 memset(&request, 0, sizeof(request));
1863
1864 msg = (struct sadb_msg*)request;
1865 msg->sadb_msg_version = PF_KEY_V2;
1866 msg->sadb_msg_type = SADB_X_SPDGET;
1867 msg->sadb_msg_satype = 0;
1868 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1869
1870 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1871 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1872 pol->sadb_x_policy_id = policy->index;
1873 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1874 pol->sadb_x_policy_dir = dir2kernel(direction);
1875 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1876 PFKEY_EXT_ADD(msg, pol);
1877
1878 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1879 policy->src.mask);
1880 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1881 policy->dst.mask);
1882
1883 this->mutex->unlock(this->mutex);
1884
1885 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1886 {
1887 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1888 policy_dir_names, direction);
1889 return FAILED;
1890 }
1891 else if (out->sadb_msg_errno)
1892 {
1893 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1894 dst_ts, policy_dir_names, direction,
1895 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1896 free(out);
1897 return FAILED;
1898 }
1899 else if (parse_pfkey_message(out, &response) != SUCCESS)
1900 {
1901 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1902 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1903 free(out);
1904 return FAILED;
1905 }
1906 else if (response.lft_current == NULL)
1907 {
1908 DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
1909 "use time", src_ts, dst_ts, policy_dir_names, direction);
1910 free(out);
1911 return FAILED;
1912 }
1913 /* we need the monotonic time, but the kernel returns system time. */
1914 if (response.lft_current->sadb_lifetime_usetime)
1915 {
1916 *use_time = time_monotonic(NULL) -
1917 (time(NULL) - response.lft_current->sadb_lifetime_usetime);
1918 }
1919 else
1920 {
1921 *use_time = 0;
1922 }
1923 free(out);
1924
1925 return SUCCESS;
1926 }
1927
1928 METHOD(kernel_ipsec_t, del_policy, status_t,
1929 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
1930 traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted)
1931 {
1932 unsigned char request[PFKEY_BUFFER_SIZE];
1933 struct sadb_msg *msg, *out;
1934 struct sadb_x_policy *pol;
1935 policy_entry_t *policy, *found = NULL;
1936 route_entry_t *route;
1937 size_t len;
1938
1939 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1940 {
1941 /* FWD policies are not supported on all platforms */
1942 return SUCCESS;
1943 }
1944
1945 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1946 policy_dir_names, direction);
1947
1948 /* create a policy */
1949 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1950
1951 /* find a matching policy */
1952 this->mutex->lock(this->mutex);
1953 if (this->policies->find_first(this->policies,
1954 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1955 {
1956 if (--found->refcount > 0)
1957 {
1958 /* is used by more SAs, keep in kernel */
1959 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1960 policy_entry_destroy(policy);
1961 this->mutex->unlock(this->mutex);
1962 return SUCCESS;
1963 }
1964 /* remove if last reference */
1965 this->policies->remove(this->policies, found, NULL);
1966 policy_entry_destroy(policy);
1967 policy = found;
1968 }
1969 else
1970 {
1971 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1972 dst_ts, policy_dir_names, direction);
1973 policy_entry_destroy(policy);
1974 this->mutex->unlock(this->mutex);
1975 return NOT_FOUND;
1976 }
1977 this->mutex->unlock(this->mutex);
1978
1979 memset(&request, 0, sizeof(request));
1980
1981 msg = (struct sadb_msg*)request;
1982 msg->sadb_msg_version = PF_KEY_V2;
1983 msg->sadb_msg_type = SADB_X_SPDDELETE;
1984 msg->sadb_msg_satype = 0;
1985 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1986
1987 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1988 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1989 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1990 pol->sadb_x_policy_dir = dir2kernel(direction);
1991 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1992 PFKEY_EXT_ADD(msg, pol);
1993
1994 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1995 policy->src.mask);
1996 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1997 policy->dst.mask);
1998
1999 route = policy->route;
2000 policy->route = NULL;
2001 policy_entry_destroy(policy);
2002
2003 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2004 {
2005 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2006 policy_dir_names, direction);
2007 return FAILED;
2008 }
2009 else if (out->sadb_msg_errno)
2010 {
2011 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
2012 dst_ts, policy_dir_names, direction,
2013 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2014 free(out);
2015 return FAILED;
2016 }
2017 free(out);
2018
2019 if (route)
2020 {
2021 if (charon->kernel_interface->del_route(charon->kernel_interface,
2022 route->dst_net, route->prefixlen, route->gateway,
2023 route->src_ip, route->if_name) != SUCCESS)
2024 {
2025 DBG1(DBG_KNL, "error uninstalling route installed with "
2026 "policy %R === %R %N", src_ts, dst_ts,
2027 policy_dir_names, direction);
2028 }
2029 route_entry_destroy(route);
2030 }
2031
2032 return SUCCESS;
2033 }
2034
2035 /**
2036 * Register a socket for AQUIRE/EXPIRE messages
2037 */
2038 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
2039 u_int8_t satype)
2040 {
2041 unsigned char request[PFKEY_BUFFER_SIZE];
2042 struct sadb_msg *msg, *out;
2043 size_t len;
2044
2045 memset(&request, 0, sizeof(request));
2046
2047 msg = (struct sadb_msg*)request;
2048 msg->sadb_msg_version = PF_KEY_V2;
2049 msg->sadb_msg_type = SADB_REGISTER;
2050 msg->sadb_msg_satype = satype;
2051 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2052
2053 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2054 {
2055 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2056 return FAILED;
2057 }
2058 else if (out->sadb_msg_errno)
2059 {
2060 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2061 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2062 free(out);
2063 return FAILED;
2064 }
2065 free(out);
2066 return SUCCESS;
2067 }
2068
2069 METHOD(kernel_ipsec_t, bypass_socket, bool,
2070 private_kernel_pfkey_ipsec_t *this, int fd, int family)
2071 {
2072 struct sadb_x_policy policy;
2073 u_int sol, ipsec_policy;
2074
2075 switch (family)
2076 {
2077 case AF_INET:
2078 {
2079 sol = SOL_IP;
2080 ipsec_policy = IP_IPSEC_POLICY;
2081 break;
2082 }
2083 case AF_INET6:
2084 {
2085 sol = SOL_IPV6;
2086 ipsec_policy = IPV6_IPSEC_POLICY;
2087 break;
2088 }
2089 default:
2090 return FALSE;
2091 }
2092
2093 memset(&policy, 0, sizeof(policy));
2094 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
2095 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2096 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
2097
2098 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
2099 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2100 {
2101 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2102 strerror(errno));
2103 return FALSE;
2104 }
2105 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
2106 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2107 {
2108 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2109 strerror(errno));
2110 return FALSE;
2111 }
2112 return TRUE;
2113 }
2114
2115 METHOD(kernel_ipsec_t, destroy, void,
2116 private_kernel_pfkey_ipsec_t *this)
2117 {
2118 if (this->job)
2119 {
2120 this->job->cancel(this->job);
2121 }
2122 if (this->socket > 0)
2123 {
2124 close(this->socket);
2125 }
2126 if (this->socket_events > 0)
2127 {
2128 close(this->socket_events);
2129 }
2130 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
2131 this->mutex->destroy(this->mutex);
2132 this->mutex_pfkey->destroy(this->mutex_pfkey);
2133 free(this);
2134 }
2135
2136 /*
2137 * Described in header.
2138 */
2139 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
2140 {
2141 private_kernel_pfkey_ipsec_t *this;
2142
2143 INIT(this,
2144 .public.interface = {
2145 .get_spi = _get_spi,
2146 .get_cpi = _get_cpi,
2147 .add_sa = _add_sa,
2148 .update_sa = _update_sa,
2149 .query_sa = _query_sa,
2150 .del_sa = _del_sa,
2151 .add_policy = _add_policy,
2152 .query_policy = _query_policy,
2153 .del_policy = _del_policy,
2154 .bypass_socket = _bypass_socket,
2155 .destroy = _destroy,
2156 },
2157 .policies = linked_list_create(),
2158 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2159 .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
2160 .install_routes = lib->settings->get_bool(lib->settings,
2161 "charon.install_routes", TRUE),
2162 );
2163
2164 /* create a PF_KEY socket to communicate with the kernel */
2165 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2166 if (this->socket <= 0)
2167 {
2168 DBG1(DBG_KNL, "unable to create PF_KEY socket");
2169 destroy(this);
2170 return NULL;
2171 }
2172
2173 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2174 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2175 if (this->socket_events <= 0)
2176 {
2177 DBG1(DBG_KNL, "unable to create PF_KEY event socket");
2178 destroy(this);
2179 return NULL;
2180 }
2181
2182 /* register the event socket */
2183 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2184 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2185 {
2186 DBG1(DBG_KNL, "unable to register PF_KEY event socket");
2187 destroy(this);
2188 return NULL;
2189 }
2190
2191 this->job = callback_job_create((callback_job_cb_t)receive_events,
2192 this, NULL, NULL);
2193 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2194
2195 return &this->public;
2196 }
2197