kernel-interface: Add a separate "update" flag to add_sa()
[strongswan.git] / src / libcharon / sa / child_sa.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #define _GNU_SOURCE
20 #include "child_sa.h"
21
22 #include <stdio.h>
23 #include <string.h>
24 #include <time.h>
25
26 #include <hydra.h>
27 #include <daemon.h>
28 #include <collections/array.h>
29
30 ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
31 "CREATED",
32 "ROUTED",
33 "INSTALLING",
34 "INSTALLED",
35 "UPDATING",
36 "REKEYING",
37 "RETRYING",
38 "DELETING",
39 "DESTROYING",
40 );
41
42 typedef struct private_child_sa_t private_child_sa_t;
43
44 /**
45 * Private data of a child_sa_t object.
46 */
47 struct private_child_sa_t {
48 /**
49 * Public interface of child_sa_t.
50 */
51 child_sa_t public;
52
53 /**
54 * address of us
55 */
56 host_t *my_addr;
57
58 /**
59 * address of remote
60 */
61 host_t *other_addr;
62
63 /**
64 * our actually used SPI, 0 if unused
65 */
66 u_int32_t my_spi;
67
68 /**
69 * others used SPI, 0 if unused
70 */
71 u_int32_t other_spi;
72
73 /**
74 * our Compression Parameter Index (CPI) used, 0 if unused
75 */
76 u_int16_t my_cpi;
77
78 /**
79 * others Compression Parameter Index (CPI) used, 0 if unused
80 */
81 u_int16_t other_cpi;
82
83 /**
84 * Array for local traffic selectors
85 */
86 array_t *my_ts;
87
88 /**
89 * Array for remote traffic selectors
90 */
91 array_t *other_ts;
92
93 /**
94 * Protocol used to protect this SA, ESP|AH
95 */
96 protocol_id_t protocol;
97
98 /**
99 * reqid used for this child_sa
100 */
101 u_int32_t reqid;
102
103 /**
104 * Did we allocate/confirm and must release the reqid?
105 */
106 bool reqid_allocated;
107
108 /*
109 * Unique CHILD_SA identifier
110 */
111 u_int32_t unique_id;
112
113 /**
114 * inbound mark used for this child_sa
115 */
116 mark_t mark_in;
117
118 /**
119 * outbound mark used for this child_sa
120 */
121 mark_t mark_out;
122
123 /**
124 * absolute time when rekeying is scheduled
125 */
126 time_t rekey_time;
127
128 /**
129 * absolute time when the SA expires
130 */
131 time_t expire_time;
132
133 /**
134 * absolute time when SA has been installed
135 */
136 time_t install_time;
137
138 /**
139 * state of the CHILD_SA
140 */
141 child_sa_state_t state;
142
143 /**
144 * TRUE if this CHILD_SA is used to install trap policies
145 */
146 bool trap;
147
148 /**
149 * Specifies if UDP encapsulation is enabled (NAT traversal)
150 */
151 bool encap;
152
153 /**
154 * Specifies the IPComp transform used (IPCOMP_NONE if disabled)
155 */
156 ipcomp_transform_t ipcomp;
157
158 /**
159 * mode this SA uses, tunnel/transport
160 */
161 ipsec_mode_t mode;
162
163 /**
164 * Action to enforce if peer closes the CHILD_SA
165 */
166 action_t close_action;
167
168 /**
169 * Action to enforce if peer is considered dead
170 */
171 action_t dpd_action;
172
173 /**
174 * selected proposal
175 */
176 proposal_t *proposal;
177
178 /**
179 * config used to create this child
180 */
181 child_cfg_t *config;
182
183 /**
184 * time of last use in seconds (inbound)
185 */
186 time_t my_usetime;
187
188 /**
189 * time of last use in seconds (outbound)
190 */
191 time_t other_usetime;
192
193 /**
194 * last number of inbound bytes
195 */
196 u_int64_t my_usebytes;
197
198 /**
199 * last number of outbound bytes
200 */
201 u_int64_t other_usebytes;
202
203 /**
204 * last number of inbound packets
205 */
206 u_int64_t my_usepackets;
207
208 /**
209 * last number of outbound bytes
210 */
211 u_int64_t other_usepackets;
212 };
213
214 /**
215 * convert an IKEv2 specific protocol identifier to the IP protocol identifier.
216 */
217 static inline u_int8_t proto_ike2ip(protocol_id_t protocol)
218 {
219 switch (protocol)
220 {
221 case PROTO_ESP:
222 return IPPROTO_ESP;
223 case PROTO_AH:
224 return IPPROTO_AH;
225 default:
226 return protocol;
227 }
228 }
229
230 METHOD(child_sa_t, get_name, char*,
231 private_child_sa_t *this)
232 {
233 return this->config->get_name(this->config);
234 }
235
236 METHOD(child_sa_t, get_reqid, u_int32_t,
237 private_child_sa_t *this)
238 {
239 return this->reqid;
240 }
241
242 METHOD(child_sa_t, get_unique_id, u_int32_t,
243 private_child_sa_t *this)
244 {
245 return this->unique_id;
246 }
247
248 METHOD(child_sa_t, get_config, child_cfg_t*,
249 private_child_sa_t *this)
250 {
251 return this->config;
252 }
253
254 METHOD(child_sa_t, set_state, void,
255 private_child_sa_t *this, child_sa_state_t state)
256 {
257 charon->bus->child_state_change(charon->bus, &this->public, state);
258 this->state = state;
259 }
260
261 METHOD(child_sa_t, get_state, child_sa_state_t,
262 private_child_sa_t *this)
263 {
264 return this->state;
265 }
266
267 METHOD(child_sa_t, get_spi, u_int32_t,
268 private_child_sa_t *this, bool inbound)
269 {
270 return inbound ? this->my_spi : this->other_spi;
271 }
272
273 METHOD(child_sa_t, get_cpi, u_int16_t,
274 private_child_sa_t *this, bool inbound)
275 {
276 return inbound ? this->my_cpi : this->other_cpi;
277 }
278
279 METHOD(child_sa_t, get_protocol, protocol_id_t,
280 private_child_sa_t *this)
281 {
282 return this->protocol;
283 }
284
285 METHOD(child_sa_t, set_protocol, void,
286 private_child_sa_t *this, protocol_id_t protocol)
287 {
288 this->protocol = protocol;
289 }
290
291 METHOD(child_sa_t, get_mode, ipsec_mode_t,
292 private_child_sa_t *this)
293 {
294 return this->mode;
295 }
296
297 METHOD(child_sa_t, set_mode, void,
298 private_child_sa_t *this, ipsec_mode_t mode)
299 {
300 this->mode = mode;
301 }
302
303 METHOD(child_sa_t, has_encap, bool,
304 private_child_sa_t *this)
305 {
306 return this->encap;
307 }
308
309 METHOD(child_sa_t, get_ipcomp, ipcomp_transform_t,
310 private_child_sa_t *this)
311 {
312 return this->ipcomp;
313 }
314
315 METHOD(child_sa_t, set_ipcomp, void,
316 private_child_sa_t *this, ipcomp_transform_t ipcomp)
317 {
318 this->ipcomp = ipcomp;
319 }
320
321 METHOD(child_sa_t, set_close_action, void,
322 private_child_sa_t *this, action_t action)
323 {
324 this->close_action = action;
325 }
326
327 METHOD(child_sa_t, get_close_action, action_t,
328 private_child_sa_t *this)
329 {
330 return this->close_action;
331 }
332
333 METHOD(child_sa_t, set_dpd_action, void,
334 private_child_sa_t *this, action_t action)
335 {
336 this->dpd_action = action;
337 }
338
339 METHOD(child_sa_t, get_dpd_action, action_t,
340 private_child_sa_t *this)
341 {
342 return this->dpd_action;
343 }
344
345 METHOD(child_sa_t, get_proposal, proposal_t*,
346 private_child_sa_t *this)
347 {
348 return this->proposal;
349 }
350
351 METHOD(child_sa_t, set_proposal, void,
352 private_child_sa_t *this, proposal_t *proposal)
353 {
354 this->proposal = proposal->clone(proposal);
355 }
356
357 METHOD(child_sa_t, create_ts_enumerator, enumerator_t*,
358 private_child_sa_t *this, bool local)
359 {
360 if (local)
361 {
362 return array_create_enumerator(this->my_ts);
363 }
364 return array_create_enumerator(this->other_ts);
365 }
366
367 typedef struct policy_enumerator_t policy_enumerator_t;
368
369 /**
370 * Private policy enumerator
371 */
372 struct policy_enumerator_t {
373 /** implements enumerator_t */
374 enumerator_t public;
375 /** enumerator over own TS */
376 enumerator_t *mine;
377 /** enumerator over others TS */
378 enumerator_t *other;
379 /** array of others TS, to recreate enumerator */
380 array_t *array;
381 /** currently enumerating TS for "me" side */
382 traffic_selector_t *ts;
383 };
384
385 METHOD(enumerator_t, policy_enumerate, bool,
386 policy_enumerator_t *this, traffic_selector_t **my_out,
387 traffic_selector_t **other_out)
388 {
389 traffic_selector_t *other_ts;
390
391 while (this->ts || this->mine->enumerate(this->mine, &this->ts))
392 {
393 if (!this->other->enumerate(this->other, &other_ts))
394 { /* end of others list, restart with new of mine */
395 this->other->destroy(this->other);
396 this->other = array_create_enumerator(this->array);
397 this->ts = NULL;
398 continue;
399 }
400 if (this->ts->get_type(this->ts) != other_ts->get_type(other_ts))
401 { /* family mismatch */
402 continue;
403 }
404 if (this->ts->get_protocol(this->ts) &&
405 other_ts->get_protocol(other_ts) &&
406 this->ts->get_protocol(this->ts) != other_ts->get_protocol(other_ts))
407 { /* protocol mismatch */
408 continue;
409 }
410 *my_out = this->ts;
411 *other_out = other_ts;
412 return TRUE;
413 }
414 return FALSE;
415 }
416
417 METHOD(enumerator_t, policy_destroy, void,
418 policy_enumerator_t *this)
419 {
420 this->mine->destroy(this->mine);
421 this->other->destroy(this->other);
422 free(this);
423 }
424
425 METHOD(child_sa_t, create_policy_enumerator, enumerator_t*,
426 private_child_sa_t *this)
427 {
428 policy_enumerator_t *e;
429
430 INIT(e,
431 .public = {
432 .enumerate = (void*)_policy_enumerate,
433 .destroy = _policy_destroy,
434 },
435 .mine = array_create_enumerator(this->my_ts),
436 .other = array_create_enumerator(this->other_ts),
437 .array = this->other_ts,
438 .ts = NULL,
439 );
440
441 return &e->public;
442 }
443
444 /**
445 * update the cached usebytes
446 * returns SUCCESS if the usebytes have changed, FAILED if not or no SPIs
447 * are available, and NOT_SUPPORTED if the kernel interface does not support
448 * querying the usebytes.
449 */
450 static status_t update_usebytes(private_child_sa_t *this, bool inbound)
451 {
452 status_t status = FAILED;
453 u_int64_t bytes, packets;
454 time_t time;
455
456 if (inbound)
457 {
458 if (this->my_spi)
459 {
460 status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
461 this->other_addr, this->my_addr, this->my_spi,
462 proto_ike2ip(this->protocol), this->mark_in,
463 &bytes, &packets, &time);
464 if (status == SUCCESS)
465 {
466 if (bytes > this->my_usebytes)
467 {
468 this->my_usebytes = bytes;
469 this->my_usepackets = packets;
470 if (time)
471 {
472 this->my_usetime = time;
473 }
474 return SUCCESS;
475 }
476 return FAILED;
477 }
478 }
479 }
480 else
481 {
482 if (this->other_spi)
483 {
484 status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
485 this->my_addr, this->other_addr, this->other_spi,
486 proto_ike2ip(this->protocol), this->mark_out,
487 &bytes, &packets, &time);
488 if (status == SUCCESS)
489 {
490 if (bytes > this->other_usebytes)
491 {
492 this->other_usebytes = bytes;
493 this->other_usepackets = packets;
494 if (time)
495 {
496 this->other_usetime = time;
497 }
498 return SUCCESS;
499 }
500 return FAILED;
501 }
502 }
503 }
504 return status;
505 }
506
507 /**
508 * updates the cached usetime
509 */
510 static bool update_usetime(private_child_sa_t *this, bool inbound)
511 {
512 enumerator_t *enumerator;
513 traffic_selector_t *my_ts, *other_ts;
514 time_t last_use = 0;
515
516 enumerator = create_policy_enumerator(this);
517 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
518 {
519 time_t in, out, fwd;
520
521 if (inbound)
522 {
523 if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
524 other_ts, my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS)
525 {
526 last_use = max(last_use, in);
527 }
528 if (this->mode != MODE_TRANSPORT)
529 {
530 if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
531 other_ts, my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS)
532 {
533 last_use = max(last_use, fwd);
534 }
535 }
536 }
537 else
538 {
539 if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
540 my_ts, other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS)
541 {
542 last_use = max(last_use, out);
543 }
544 }
545 }
546 enumerator->destroy(enumerator);
547
548 if (last_use == 0)
549 {
550 return FALSE;
551 }
552 if (inbound)
553 {
554 this->my_usetime = last_use;
555 }
556 else
557 {
558 this->other_usetime = last_use;
559 }
560 return TRUE;
561 }
562
563 METHOD(child_sa_t, get_usestats, void,
564 private_child_sa_t *this, bool inbound,
565 time_t *time, u_int64_t *bytes, u_int64_t *packets)
566 {
567 if ((!bytes && !packets) || update_usebytes(this, inbound) != FAILED)
568 {
569 /* there was traffic since last update or the kernel interface
570 * does not support querying the number of usebytes.
571 */
572 if (time)
573 {
574 if (!update_usetime(this, inbound) && !bytes && !packets)
575 {
576 /* if policy query did not yield a usetime, query SAs instead */
577 update_usebytes(this, inbound);
578 }
579 }
580 }
581 if (time)
582 {
583 *time = inbound ? this->my_usetime : this->other_usetime;
584 }
585 if (bytes)
586 {
587 *bytes = inbound ? this->my_usebytes : this->other_usebytes;
588 }
589 if (packets)
590 {
591 *packets = inbound ? this->my_usepackets : this->other_usepackets;
592 }
593 }
594
595 METHOD(child_sa_t, get_mark, mark_t,
596 private_child_sa_t *this, bool inbound)
597 {
598 if (inbound)
599 {
600 return this->mark_in;
601 }
602 return this->mark_out;
603 }
604
605 METHOD(child_sa_t, get_lifetime, time_t,
606 private_child_sa_t *this, bool hard)
607 {
608 return hard ? this->expire_time : this->rekey_time;
609 }
610
611 METHOD(child_sa_t, get_installtime, time_t,
612 private_child_sa_t *this)
613 {
614 return this->install_time;
615 }
616
617 METHOD(child_sa_t, alloc_spi, u_int32_t,
618 private_child_sa_t *this, protocol_id_t protocol)
619 {
620 if (hydra->kernel_interface->get_spi(hydra->kernel_interface,
621 this->other_addr, this->my_addr,
622 proto_ike2ip(protocol),
623 &this->my_spi) == SUCCESS)
624 {
625 /* if we allocate a SPI, but then are unable to establish the SA, we
626 * need to know the protocol family to delete the partial SA */
627 this->protocol = protocol;
628 return this->my_spi;
629 }
630 return 0;
631 }
632
633 METHOD(child_sa_t, alloc_cpi, u_int16_t,
634 private_child_sa_t *this)
635 {
636 if (hydra->kernel_interface->get_cpi(hydra->kernel_interface,
637 this->other_addr, this->my_addr,
638 &this->my_cpi) == SUCCESS)
639 {
640 return this->my_cpi;
641 }
642 return 0;
643 }
644
645 METHOD(child_sa_t, install, status_t,
646 private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi,
647 u_int16_t cpi, bool initiator, bool inbound, bool tfcv3,
648 linked_list_t *my_ts, linked_list_t *other_ts)
649 {
650 u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
651 u_int16_t esn = NO_EXT_SEQ_NUMBERS;
652 linked_list_t *src_ts = NULL, *dst_ts = NULL;
653 time_t now;
654 lifetime_cfg_t *lifetime;
655 u_int32_t tfc = 0;
656 host_t *src, *dst;
657 status_t status;
658 bool update = FALSE;
659
660 /* now we have to decide which spi to use. Use self allocated, if "in",
661 * or the one in the proposal, if not "in" (others). Additionally,
662 * source and dest host switch depending on the role */
663 if (inbound)
664 {
665 dst = this->my_addr;
666 src = this->other_addr;
667 if (this->my_spi == spi)
668 { /* alloc_spi has been called, do an SA update */
669 update = TRUE;
670 }
671 this->my_spi = spi;
672 this->my_cpi = cpi;
673 }
674 else
675 {
676 src = this->my_addr;
677 dst = this->other_addr;
678 this->other_spi = spi;
679 this->other_cpi = cpi;
680
681 if (tfcv3)
682 {
683 tfc = this->config->get_tfc(this->config);
684 }
685 }
686
687 DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",
688 protocol_id_names, this->protocol);
689
690 /* send SA down to the kernel */
691 DBG2(DBG_CHD, " SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
692
693 this->proposal->get_algorithm(this->proposal, ENCRYPTION_ALGORITHM,
694 &enc_alg, &size);
695 this->proposal->get_algorithm(this->proposal, INTEGRITY_ALGORITHM,
696 &int_alg, &size);
697 this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
698 &esn, NULL);
699
700 if (!this->reqid_allocated)
701 {
702 status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface,
703 my_ts, other_ts, this->mark_in, this->mark_out,
704 &this->reqid);
705 if (status != SUCCESS)
706 {
707 return status;
708 }
709 this->reqid_allocated = TRUE;
710 }
711
712 lifetime = this->config->get_lifetime(this->config);
713
714 now = time_monotonic(NULL);
715 if (lifetime->time.rekey)
716 {
717 if (this->rekey_time)
718 {
719 this->rekey_time = min(this->rekey_time, now + lifetime->time.rekey);
720 }
721 else
722 {
723 this->rekey_time = now + lifetime->time.rekey;
724 }
725 }
726 if (lifetime->time.life)
727 {
728 this->expire_time = now + lifetime->time.life;
729 }
730
731 if (!lifetime->time.jitter && !inbound)
732 { /* avoid triggering multiple rekey events */
733 lifetime->time.rekey = 0;
734 }
735
736 /* BEET requires the bound address from the traffic selectors */
737 if (inbound)
738 {
739 dst_ts = my_ts;
740 src_ts = other_ts;
741 }
742 else
743 {
744 src_ts = my_ts;
745 dst_ts = other_ts;
746 }
747
748 status = hydra->kernel_interface->add_sa(hydra->kernel_interface,
749 src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
750 inbound ? this->mark_in : this->mark_out, tfc,
751 lifetime, enc_alg, encr, int_alg, integ, this->mode,
752 this->ipcomp, cpi, this->config->get_replay_window(this->config),
753 initiator, this->encap, esn, inbound, update, src_ts, dst_ts);
754
755 free(lifetime);
756
757 return status;
758 }
759
760 /**
761 * Check kernel interface if policy updates are required
762 */
763 static bool require_policy_update()
764 {
765 kernel_feature_t f;
766
767 f = hydra->kernel_interface->get_features(hydra->kernel_interface);
768 return !(f & KERNEL_NO_POLICY_UPDATES);
769 }
770
771 /**
772 * Install 3 policies: out, in and forward
773 */
774 static status_t install_policies_internal(private_child_sa_t *this,
775 host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
776 traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa,
777 ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority)
778 {
779 status_t status = SUCCESS;
780 status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
781 my_addr, other_addr, my_ts, other_ts,
782 POLICY_OUT, type, other_sa,
783 this->mark_out, priority);
784
785 status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
786 other_addr, my_addr, other_ts, my_ts,
787 POLICY_IN, type, my_sa,
788 this->mark_in, priority);
789 if (this->mode != MODE_TRANSPORT)
790 {
791 status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
792 other_addr, my_addr, other_ts, my_ts,
793 POLICY_FWD, type, my_sa,
794 this->mark_in, priority);
795 }
796 return status;
797 }
798
799 /**
800 * Delete 3 policies: out, in and forward
801 */
802 static void del_policies_internal(private_child_sa_t *this,
803 traffic_selector_t *my_ts, traffic_selector_t *other_ts,
804 policy_priority_t priority)
805 {
806 hydra->kernel_interface->del_policy(hydra->kernel_interface,
807 my_ts, other_ts, POLICY_OUT, this->reqid,
808 this->mark_out, priority);
809 hydra->kernel_interface->del_policy(hydra->kernel_interface,
810 other_ts, my_ts, POLICY_IN, this->reqid,
811 this->mark_in, priority);
812 if (this->mode != MODE_TRANSPORT)
813 {
814 hydra->kernel_interface->del_policy(hydra->kernel_interface,
815 other_ts, my_ts, POLICY_FWD, this->reqid,
816 this->mark_in, priority);
817 }
818 }
819
820 METHOD(child_sa_t, add_policies, status_t,
821 private_child_sa_t *this, linked_list_t *my_ts_list,
822 linked_list_t *other_ts_list)
823 {
824 enumerator_t *enumerator;
825 traffic_selector_t *my_ts, *other_ts;
826 status_t status = SUCCESS;
827
828 if (!this->reqid_allocated)
829 {
830 /* trap policy, get or confirm reqid */
831 status = hydra->kernel_interface->alloc_reqid(
832 hydra->kernel_interface, my_ts_list, other_ts_list,
833 this->mark_in, this->mark_out, &this->reqid);
834 if (status != SUCCESS)
835 {
836 return status;
837 }
838 this->reqid_allocated = TRUE;
839 }
840
841 /* apply traffic selectors */
842 enumerator = my_ts_list->create_enumerator(my_ts_list);
843 while (enumerator->enumerate(enumerator, &my_ts))
844 {
845 array_insert(this->my_ts, ARRAY_TAIL, my_ts->clone(my_ts));
846 }
847 enumerator->destroy(enumerator);
848 array_sort(this->my_ts, (void*)traffic_selector_cmp, NULL);
849
850 enumerator = other_ts_list->create_enumerator(other_ts_list);
851 while (enumerator->enumerate(enumerator, &other_ts))
852 {
853 array_insert(this->other_ts, ARRAY_TAIL, other_ts->clone(other_ts));
854 }
855 enumerator->destroy(enumerator);
856 array_sort(this->other_ts, (void*)traffic_selector_cmp, NULL);
857
858 if (this->config->install_policy(this->config))
859 {
860 policy_priority_t priority;
861 ipsec_sa_cfg_t my_sa = {
862 .mode = this->mode,
863 .reqid = this->reqid,
864 .ipcomp = {
865 .transform = this->ipcomp,
866 },
867 }, other_sa = my_sa;
868
869 my_sa.ipcomp.cpi = this->my_cpi;
870 other_sa.ipcomp.cpi = this->other_cpi;
871
872 if (this->protocol == PROTO_ESP)
873 {
874 my_sa.esp.use = TRUE;
875 my_sa.esp.spi = this->my_spi;
876 other_sa.esp.use = TRUE;
877 other_sa.esp.spi = this->other_spi;
878 }
879 else
880 {
881 my_sa.ah.use = TRUE;
882 my_sa.ah.spi = this->my_spi;
883 other_sa.ah.use = TRUE;
884 other_sa.ah.spi = this->other_spi;
885 }
886
887 /* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD
888 * entry) we install a trap policy */
889 this->trap = this->state == CHILD_CREATED;
890 priority = this->trap ? POLICY_PRIORITY_ROUTED
891 : POLICY_PRIORITY_DEFAULT;
892
893 enumerator = create_policy_enumerator(this);
894 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
895 {
896 my_sa.policy_count++;
897 other_sa.policy_count++;
898 }
899 enumerator->destroy(enumerator);
900
901 /* enumerate pairs of traffic selectors */
902 enumerator = create_policy_enumerator(this);
903 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
904 {
905 /* install outbound drop policy to avoid packets leaving unencrypted
906 * when updating policies */
907 if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update())
908 {
909 status |= install_policies_internal(this, this->my_addr,
910 this->other_addr, my_ts, other_ts,
911 &my_sa, &other_sa, POLICY_DROP,
912 POLICY_PRIORITY_FALLBACK);
913 }
914
915 /* install policies */
916 status |= install_policies_internal(this, this->my_addr,
917 this->other_addr, my_ts, other_ts,
918 &my_sa, &other_sa, POLICY_IPSEC, priority);
919
920 if (status != SUCCESS)
921 {
922 break;
923 }
924 }
925 enumerator->destroy(enumerator);
926 }
927
928 if (status == SUCCESS && this->trap)
929 {
930 set_state(this, CHILD_ROUTED);
931 }
932 return status;
933 }
934
935 /**
936 * Callback to reinstall a virtual IP
937 */
938 static void reinstall_vip(host_t *vip, host_t *me)
939 {
940 char *iface;
941
942 if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
943 me, &iface))
944 {
945 hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
946 hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, -1, iface);
947 free(iface);
948 }
949 }
950
951 METHOD(child_sa_t, update, status_t,
952 private_child_sa_t *this, host_t *me, host_t *other, linked_list_t *vips,
953 bool encap)
954 {
955 child_sa_state_t old;
956 bool transport_proxy_mode;
957
958 /* anything changed at all? */
959 if (me->equals(me, this->my_addr) &&
960 other->equals(other, this->other_addr) && this->encap == encap)
961 {
962 return SUCCESS;
963 }
964
965 old = this->state;
966 set_state(this, CHILD_UPDATING);
967 transport_proxy_mode = this->config->use_proxy_mode(this->config) &&
968 this->mode == MODE_TRANSPORT;
969
970 if (!transport_proxy_mode)
971 {
972 /* update our (initiator) SA */
973 if (this->my_spi)
974 {
975 if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
976 this->my_spi, proto_ike2ip(this->protocol),
977 this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
978 this->other_addr, this->my_addr, other, me,
979 this->encap, encap, this->mark_in) == NOT_SUPPORTED)
980 {
981 set_state(this, old);
982 return NOT_SUPPORTED;
983 }
984 }
985
986 /* update his (responder) SA */
987 if (this->other_spi)
988 {
989 if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
990 this->other_spi, proto_ike2ip(this->protocol),
991 this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
992 this->my_addr, this->other_addr, me, other,
993 this->encap, encap, this->mark_out) == NOT_SUPPORTED)
994 {
995 set_state(this, old);
996 return NOT_SUPPORTED;
997 }
998 }
999 }
1000
1001 if (this->config->install_policy(this->config) && require_policy_update())
1002 {
1003 ipsec_sa_cfg_t my_sa = {
1004 .mode = this->mode,
1005 .reqid = this->reqid,
1006 .ipcomp = {
1007 .transform = this->ipcomp,
1008 },
1009 }, other_sa = my_sa;
1010
1011 my_sa.ipcomp.cpi = this->my_cpi;
1012 other_sa.ipcomp.cpi = this->other_cpi;
1013
1014 if (this->protocol == PROTO_ESP)
1015 {
1016 my_sa.esp.use = TRUE;
1017 my_sa.esp.spi = this->my_spi;
1018 other_sa.esp.use = TRUE;
1019 other_sa.esp.spi = this->other_spi;
1020 }
1021 else
1022 {
1023 my_sa.ah.use = TRUE;
1024 my_sa.ah.spi = this->my_spi;
1025 other_sa.ah.use = TRUE;
1026 other_sa.ah.spi = this->other_spi;
1027 }
1028
1029 /* update policies */
1030 if (!me->ip_equals(me, this->my_addr) ||
1031 !other->ip_equals(other, this->other_addr))
1032 {
1033 enumerator_t *enumerator;
1034 traffic_selector_t *my_ts, *other_ts;
1035
1036 /* always use high priorities, as hosts getting updated are INSTALLED */
1037 enumerator = create_policy_enumerator(this);
1038 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
1039 {
1040 traffic_selector_t *old_my_ts = NULL, *old_other_ts = NULL;
1041 /* remove old policies first */
1042 del_policies_internal(this, my_ts, other_ts,
1043 POLICY_PRIORITY_DEFAULT);
1044
1045 /* check if we have to update a "dynamic" traffic selector */
1046 if (!me->ip_equals(me, this->my_addr) &&
1047 my_ts->is_host(my_ts, this->my_addr))
1048 {
1049 old_my_ts = my_ts->clone(my_ts);
1050 my_ts->set_address(my_ts, me);
1051 }
1052 if (!other->ip_equals(other, this->other_addr) &&
1053 other_ts->is_host(other_ts, this->other_addr))
1054 {
1055 old_other_ts = other_ts->clone(other_ts);
1056 other_ts->set_address(other_ts, other);
1057 }
1058
1059 /* we reinstall the virtual IP to handle interface roaming
1060 * correctly */
1061 vips->invoke_function(vips, (void*)reinstall_vip, me);
1062
1063 /* reinstall updated policies */
1064 install_policies_internal(this, me, other, my_ts, other_ts,
1065 &my_sa, &other_sa, POLICY_IPSEC,
1066 POLICY_PRIORITY_DEFAULT);
1067
1068 /* update fallback policies after the new policy is in place */
1069 if (old_my_ts || old_other_ts)
1070 {
1071 del_policies_internal(this, old_my_ts ?: my_ts,
1072 old_other_ts ?: other_ts,
1073 POLICY_PRIORITY_FALLBACK);
1074 install_policies_internal(this, me, other, my_ts, other_ts,
1075 &my_sa, &other_sa, POLICY_DROP,
1076 POLICY_PRIORITY_FALLBACK);
1077 DESTROY_IF(old_my_ts);
1078 DESTROY_IF(old_other_ts);
1079 }
1080 }
1081 enumerator->destroy(enumerator);
1082 }
1083 }
1084
1085 if (!transport_proxy_mode)
1086 {
1087 /* apply hosts */
1088 if (!me->equals(me, this->my_addr))
1089 {
1090 this->my_addr->destroy(this->my_addr);
1091 this->my_addr = me->clone(me);
1092 }
1093 if (!other->equals(other, this->other_addr))
1094 {
1095 this->other_addr->destroy(this->other_addr);
1096 this->other_addr = other->clone(other);
1097 }
1098 }
1099
1100 this->encap = encap;
1101 set_state(this, old);
1102
1103 return SUCCESS;
1104 }
1105
1106 METHOD(child_sa_t, destroy, void,
1107 private_child_sa_t *this)
1108 {
1109 enumerator_t *enumerator;
1110 traffic_selector_t *my_ts, *other_ts;
1111 policy_priority_t priority;
1112
1113 priority = this->trap ? POLICY_PRIORITY_ROUTED : POLICY_PRIORITY_DEFAULT;
1114
1115 set_state(this, CHILD_DESTROYING);
1116
1117 /* delete SAs in the kernel, if they are set up */
1118 if (this->my_spi)
1119 {
1120 hydra->kernel_interface->del_sa(hydra->kernel_interface,
1121 this->other_addr, this->my_addr, this->my_spi,
1122 proto_ike2ip(this->protocol), this->my_cpi,
1123 this->mark_in);
1124 }
1125 if (this->other_spi)
1126 {
1127 hydra->kernel_interface->del_sa(hydra->kernel_interface,
1128 this->my_addr, this->other_addr, this->other_spi,
1129 proto_ike2ip(this->protocol), this->other_cpi,
1130 this->mark_out);
1131 }
1132
1133 if (this->config->install_policy(this->config))
1134 {
1135 /* delete all policies in the kernel */
1136 enumerator = create_policy_enumerator(this);
1137 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
1138 {
1139 del_policies_internal(this, my_ts, other_ts, priority);
1140 if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update())
1141 {
1142 del_policies_internal(this, my_ts, other_ts,
1143 POLICY_PRIORITY_FALLBACK);
1144 }
1145 }
1146 enumerator->destroy(enumerator);
1147 }
1148
1149 if (this->reqid_allocated)
1150 {
1151 if (hydra->kernel_interface->release_reqid(hydra->kernel_interface,
1152 this->reqid, this->mark_in, this->mark_out) != SUCCESS)
1153 {
1154 DBG1(DBG_CHD, "releasing reqid %u failed", this->reqid);
1155 }
1156 }
1157
1158 array_destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
1159 array_destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
1160 this->my_addr->destroy(this->my_addr);
1161 this->other_addr->destroy(this->other_addr);
1162 DESTROY_IF(this->proposal);
1163 this->config->destroy(this->config);
1164 free(this);
1165 }
1166
1167 /**
1168 * Get proxy address for one side, if any
1169 */
1170 static host_t* get_proxy_addr(child_cfg_t *config, host_t *ike, bool local)
1171 {
1172 host_t *host = NULL;
1173 u_int8_t mask;
1174 enumerator_t *enumerator;
1175 linked_list_t *ts_list, *list;
1176 traffic_selector_t *ts;
1177
1178 list = linked_list_create_with_items(ike, NULL);
1179 ts_list = config->get_traffic_selectors(config, local, NULL, list);
1180 list->destroy(list);
1181
1182 enumerator = ts_list->create_enumerator(ts_list);
1183 while (enumerator->enumerate(enumerator, &ts))
1184 {
1185 if (ts->is_host(ts, NULL) && ts->to_subnet(ts, &host, &mask))
1186 {
1187 DBG1(DBG_CHD, "%s address: %H is a transport mode proxy for %H",
1188 local ? "my" : "other", ike, host);
1189 break;
1190 }
1191 }
1192 enumerator->destroy(enumerator);
1193 ts_list->destroy_offset(ts_list, offsetof(traffic_selector_t, destroy));
1194
1195 if (!host)
1196 {
1197 host = ike->clone(ike);
1198 }
1199 return host;
1200 }
1201
1202 /**
1203 * Described in header.
1204 */
1205 child_sa_t * child_sa_create(host_t *me, host_t* other,
1206 child_cfg_t *config, u_int32_t rekey, bool encap,
1207 u_int mark_in, u_int mark_out)
1208 {
1209 private_child_sa_t *this;
1210 static refcount_t unique_id = 0, unique_mark = 0, mark;
1211
1212 INIT(this,
1213 .public = {
1214 .get_name = _get_name,
1215 .get_reqid = _get_reqid,
1216 .get_unique_id = _get_unique_id,
1217 .get_config = _get_config,
1218 .get_state = _get_state,
1219 .set_state = _set_state,
1220 .get_spi = _get_spi,
1221 .get_cpi = _get_cpi,
1222 .get_protocol = _get_protocol,
1223 .set_protocol = _set_protocol,
1224 .get_mode = _get_mode,
1225 .set_mode = _set_mode,
1226 .get_proposal = _get_proposal,
1227 .set_proposal = _set_proposal,
1228 .get_lifetime = _get_lifetime,
1229 .get_installtime = _get_installtime,
1230 .get_usestats = _get_usestats,
1231 .get_mark = _get_mark,
1232 .has_encap = _has_encap,
1233 .get_ipcomp = _get_ipcomp,
1234 .set_ipcomp = _set_ipcomp,
1235 .get_close_action = _get_close_action,
1236 .set_close_action = _set_close_action,
1237 .get_dpd_action = _get_dpd_action,
1238 .set_dpd_action = _set_dpd_action,
1239 .alloc_spi = _alloc_spi,
1240 .alloc_cpi = _alloc_cpi,
1241 .install = _install,
1242 .update = _update,
1243 .add_policies = _add_policies,
1244 .create_ts_enumerator = _create_ts_enumerator,
1245 .create_policy_enumerator = _create_policy_enumerator,
1246 .destroy = _destroy,
1247 },
1248 .encap = encap,
1249 .ipcomp = IPCOMP_NONE,
1250 .state = CHILD_CREATED,
1251 .my_ts = array_create(0, 0),
1252 .other_ts = array_create(0, 0),
1253 .protocol = PROTO_NONE,
1254 .mode = MODE_TUNNEL,
1255 .close_action = config->get_close_action(config),
1256 .dpd_action = config->get_dpd_action(config),
1257 .reqid = config->get_reqid(config),
1258 .unique_id = ref_get(&unique_id),
1259 .mark_in = config->get_mark(config, TRUE),
1260 .mark_out = config->get_mark(config, FALSE),
1261 .install_time = time_monotonic(NULL),
1262 );
1263
1264 this->config = config;
1265 config->get_ref(config);
1266
1267 if (mark_in)
1268 {
1269 this->mark_in.value = mark_in;
1270 }
1271 if (mark_out)
1272 {
1273 this->mark_out.value = mark_out;
1274 }
1275 if (this->mark_in.value == MARK_UNIQUE ||
1276 this->mark_out.value == MARK_UNIQUE)
1277 {
1278 mark = ref_get(&unique_mark);
1279 if (this->mark_in.value == MARK_UNIQUE)
1280 {
1281 this->mark_in.value = mark;
1282 }
1283 if (this->mark_out.value == MARK_UNIQUE)
1284 {
1285 this->mark_out.value = mark;
1286 }
1287 }
1288
1289 if (!this->reqid)
1290 {
1291 /* reuse old reqid if we are rekeying an existing CHILD_SA. While the
1292 * reqid cache would find the same reqid for our selectors, this does
1293 * not work in a special case: If an SA is triggered by a trap policy,
1294 * but the negotiated SA gets narrowed, we still must reuse the same
1295 * reqid to succesfully "trigger" the SA on the kernel level. Rekeying
1296 * such an SA requires an explicit reqid, as the cache currently knows
1297 * the original selectors only for that reqid. */
1298 if (rekey)
1299 {
1300 this->reqid = rekey;
1301 }
1302 else
1303 {
1304 this->reqid = charon->traps->find_reqid(charon->traps, config);
1305 }
1306 }
1307
1308 /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
1309 if (config->get_mode(config) == MODE_TRANSPORT &&
1310 config->use_proxy_mode(config))
1311 {
1312 this->mode = MODE_TRANSPORT;
1313
1314 this->my_addr = get_proxy_addr(config, me, TRUE);
1315 this->other_addr = get_proxy_addr(config, other, FALSE);
1316 }
1317 else
1318 {
1319 this->my_addr = me->clone(me);
1320 this->other_addr = other->clone(other);
1321 }
1322 return &this->public;
1323 }