Migrated netlink_socket to INIT/METHOD macros
[strongswan.git] / src / libhydra / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2011 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef __FreeBSD__
21 #include <limits.h> /* for LONG_MAX */
22 #endif
23
24 #ifdef HAVE_NET_PFKEYV2_H
25 #include <net/pfkeyv2.h>
26 #else
27 #include <stdint.h>
28 #include <linux/pfkeyv2.h>
29 #endif
30
31 #ifdef SADB_X_EXT_NAT_T_TYPE
32 #define HAVE_NATT
33 #endif
34
35 #ifdef HAVE_NETIPSEC_IPSEC_H
36 #include <netipsec/ipsec.h>
37 #elif defined(HAVE_NETINET6_IPSEC_H)
38 #include <netinet6/ipsec.h>
39 #else
40 #include <linux/ipsec.h>
41 #endif
42
43 #ifdef HAVE_NATT
44 #ifdef HAVE_LINUX_UDP_H
45 #include <linux/udp.h>
46 #else
47 #include <netinet/udp.h>
48 #endif /*HAVE_LINUX_UDP_H*/
49 #endif /*HAVE_NATT*/
50
51 #include <unistd.h>
52 #include <time.h>
53 #include <errno.h>
54
55 #include "kernel_pfkey_ipsec.h"
56
57 #include <hydra.h>
58 #include <debug.h>
59 #include <utils/host.h>
60 #include <utils/linked_list.h>
61 #include <utils/hashtable.h>
62 #include <threading/thread.h>
63 #include <threading/mutex.h>
64 #include <processing/jobs/callback_job.h>
65
66 /** non linux specific */
67 #ifndef IPPROTO_COMP
68 #ifdef IPPROTO_IPCOMP
69 #define IPPROTO_COMP IPPROTO_IPCOMP
70 #endif
71 #endif
72
73 #ifndef SADB_X_AALG_SHA2_256HMAC
74 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
75 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
76 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
77 #endif
78
79 #ifndef SADB_X_EALG_AESCBC
80 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
81 #endif
82
83 #ifndef SADB_X_EALG_CASTCBC
84 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
85 #endif
86
87 #ifndef SOL_IP
88 #define SOL_IP IPPROTO_IP
89 #define SOL_IPV6 IPPROTO_IPV6
90 #endif
91
92 /** from linux/in.h */
93 #ifndef IP_IPSEC_POLICY
94 #define IP_IPSEC_POLICY 16
95 #endif
96
97 /** missing on uclibc */
98 #ifndef IPV6_IPSEC_POLICY
99 #define IPV6_IPSEC_POLICY 34
100 #endif
101
102 /** default priority of installed policies */
103 #define PRIO_BASE 512
104
105 #ifdef __APPLE__
106 /** from xnu/bsd/net/pfkeyv2.h */
107 #define SADB_X_EXT_NATT 0x002
108 struct sadb_sa_2 {
109 struct sadb_sa sa;
110 u_int16_t sadb_sa_natt_port;
111 u_int16_t sadb_reserved0;
112 u_int32_t sadb_reserved1;
113 };
114 #endif
115
116 /** buffer size for PF_KEY messages */
117 #define PFKEY_BUFFER_SIZE 4096
118
119 /** PF_KEY messages are 64 bit aligned */
120 #define PFKEY_ALIGNMENT 8
121 /** aligns len to 64 bits */
122 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
123 /** calculates the properly padded length in 64 bit chunks */
124 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
125 /** calculates user mode length i.e. in bytes */
126 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
127
128 /** given a PF_KEY message header and an extension this updates the length in the header */
129 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
130 /** given a PF_KEY message header this returns a pointer to the next extension */
131 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
132 /** copy an extension and append it to a PF_KEY message */
133 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
134 /** given a PF_KEY extension this returns a pointer to the next extension */
135 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
136 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
137 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
138 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
139 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
140 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
141 (ext)->sadb_ext_len <= (len))
142
143 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
144
145 /**
146 * Private variables and functions of kernel_pfkey class.
147 */
148 struct private_kernel_pfkey_ipsec_t
149 {
150 /**
151 * Public part of the kernel_pfkey_t object.
152 */
153 kernel_pfkey_ipsec_t public;
154
155 /**
156 * mutex to lock access to various lists
157 */
158 mutex_t *mutex;
159
160 /**
161 * List of installed policies (policy_entry_t)
162 */
163 linked_list_t *policies;
164
165 /**
166 * Hash table of IPsec SAs using policies (ipsec_sa_t)
167 */
168 hashtable_t *sas;
169
170 /**
171 * whether to install routes along policies
172 */
173 bool install_routes;
174
175 /**
176 * job receiving PF_KEY events
177 */
178 callback_job_t *job;
179
180 /**
181 * mutex to lock access to the PF_KEY socket
182 */
183 mutex_t *mutex_pfkey;
184
185 /**
186 * PF_KEY socket to communicate with the kernel
187 */
188 int socket;
189
190 /**
191 * PF_KEY socket to receive acquire and expire events
192 */
193 int socket_events;
194
195 /**
196 * sequence number for messages sent to the kernel
197 */
198 int seq;
199 };
200
201 typedef struct route_entry_t route_entry_t;
202
203 /**
204 * installed routing entry
205 */
206 struct route_entry_t {
207 /** name of the interface the route is bound to */
208 char *if_name;
209
210 /** source ip of the route */
211 host_t *src_ip;
212
213 /** gateway for this route */
214 host_t *gateway;
215
216 /** destination net */
217 chunk_t dst_net;
218
219 /** destination net prefixlen */
220 u_int8_t prefixlen;
221 };
222
223 /**
224 * destroy an route_entry_t object
225 */
226 static void route_entry_destroy(route_entry_t *this)
227 {
228 free(this->if_name);
229 DESTROY_IF(this->src_ip);
230 DESTROY_IF(this->gateway);
231 chunk_free(&this->dst_net);
232 free(this);
233 }
234
235 /**
236 * compare two route_entry_t objects
237 */
238 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
239 {
240 return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
241 a->src_ip->equals(a->src_ip, b->src_ip) &&
242 a->gateway->equals(a->gateway, b->gateway) &&
243 chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
244 }
245
246 typedef struct ipsec_sa_t ipsec_sa_t;
247
248 /**
249 * IPsec SA assigned to a policy.
250 */
251 struct ipsec_sa_t {
252 /** Source address of this SA */
253 host_t *src;
254
255 /** Destination address of this SA */
256 host_t *dst;
257
258 /** Description of this SA */
259 ipsec_sa_cfg_t cfg;
260
261 /** Reference count for this SA */
262 refcount_t refcount;
263 };
264
265 /**
266 * Hash function for ipsec_sa_t objects
267 */
268 static u_int ipsec_sa_hash(ipsec_sa_t *sa)
269 {
270 return chunk_hash_inc(sa->src->get_address(sa->src),
271 chunk_hash_inc(sa->dst->get_address(sa->dst),
272 chunk_hash(chunk_from_thing(sa->cfg))));
273 }
274
275 /**
276 * Equality function for ipsec_sa_t objects
277 */
278 static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
279 {
280 return sa->src->ip_equals(sa->src, other_sa->src) &&
281 sa->dst->ip_equals(sa->dst, other_sa->dst) &&
282 memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t));
283 }
284
285 /**
286 * Allocate or reference an IPsec SA object
287 */
288 static ipsec_sa_t *ipsec_sa_create(private_kernel_pfkey_ipsec_t *this,
289 host_t *src, host_t *dst,
290 ipsec_sa_cfg_t *cfg)
291 {
292 ipsec_sa_t *sa, *found;
293 INIT(sa,
294 .src = src,
295 .dst = dst,
296 .cfg = *cfg,
297 );
298 found = this->sas->get(this->sas, sa);
299 if (!found)
300 {
301 sa->src = src->clone(src);
302 sa->dst = dst->clone(dst);
303 this->sas->put(this->sas, sa, sa);
304 }
305 else
306 {
307 free(sa);
308 sa = found;
309 }
310 ref_get(&sa->refcount);
311 return sa;
312 }
313
314 /**
315 * Release and destroy an IPsec SA object
316 */
317 static void ipsec_sa_destroy(private_kernel_pfkey_ipsec_t *this,
318 ipsec_sa_t *sa)
319 {
320 if (ref_put(&sa->refcount))
321 {
322 this->sas->remove(this->sas, sa);
323 DESTROY_IF(sa->src);
324 DESTROY_IF(sa->dst);
325 free(sa);
326 }
327 }
328
329 typedef struct policy_sa_t policy_sa_t;
330 typedef struct policy_sa_fwd_t policy_sa_fwd_t;
331
332 /**
333 * Mapping between a policy and an IPsec SA.
334 */
335 struct policy_sa_t {
336 /** Priority assigned to the policy when installed with this SA */
337 u_int32_t priority;
338
339 /** Type of the policy */
340 policy_type_t type;
341
342 /** Assigned SA */
343 ipsec_sa_t *sa;
344 };
345
346 /**
347 * For forward policies we also cache the traffic selectors in order to install
348 * the route.
349 */
350 struct policy_sa_fwd_t {
351 /** Generic interface */
352 policy_sa_t generic;
353
354 /** Source traffic selector of this policy */
355 traffic_selector_t *src_ts;
356
357 /** Destination traffic selector of this policy */
358 traffic_selector_t *dst_ts;
359 };
360
361 /**
362 * Create a policy_sa(_fwd)_t object
363 */
364 static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this,
365 policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
366 traffic_selector_t *src_ts, traffic_selector_t *dst_ts, ipsec_sa_cfg_t *cfg)
367 {
368 policy_sa_t *policy;
369
370 if (dir == POLICY_FWD)
371 {
372 policy_sa_fwd_t *fwd;
373 INIT(fwd,
374 .src_ts = src_ts->clone(src_ts),
375 .dst_ts = dst_ts->clone(dst_ts),
376 );
377 policy = &fwd->generic;
378 }
379 else
380 {
381 INIT(policy);
382 }
383 policy->type = type;
384 policy->sa = ipsec_sa_create(this, src, dst, cfg);
385 return policy;
386 }
387
388 /**
389 * Destroy a policy_sa(_fwd)_t object
390 */
391 static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir,
392 private_kernel_pfkey_ipsec_t *this)
393 {
394 if (*dir == POLICY_FWD)
395 {
396 policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)policy;
397 fwd->src_ts->destroy(fwd->src_ts);
398 fwd->dst_ts->destroy(fwd->dst_ts);
399 }
400 ipsec_sa_destroy(this, policy->sa);
401 free(policy);
402 }
403
404 typedef struct policy_entry_t policy_entry_t;
405
406 /**
407 * installed kernel policy.
408 */
409 struct policy_entry_t {
410 /** Index assigned by the kernel */
411 u_int32_t index;
412
413 /** Direction of this policy: in, out, forward */
414 u_int8_t direction;
415
416 /** Parameters of installed policy */
417 struct {
418 /** Subnet and port */
419 host_t *net;
420 /** Subnet mask */
421 u_int8_t mask;
422 /** Protocol */
423 u_int8_t proto;
424 } src, dst;
425
426 /** Associated route installed for this policy */
427 route_entry_t *route;
428
429 /** List of SAs this policy is used by, ordered by priority */
430 linked_list_t *used_by;
431 };
432
433 /**
434 * Create a policy_entry_t object
435 */
436 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
437 traffic_selector_t *dst_ts,
438 policy_dir_t dir)
439 {
440 policy_entry_t *policy;
441 INIT(policy,
442 .direction = dir,
443 );
444
445 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
446 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
447
448 /* src or dest proto may be "any" (0), use more restrictive one */
449 policy->src.proto = max(src_ts->get_protocol(src_ts),
450 dst_ts->get_protocol(dst_ts));
451 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
452 policy->dst.proto = policy->src.proto;
453
454 return policy;
455 }
456
457 /**
458 * Destroy a policy_entry_t object
459 */
460 static void policy_entry_destroy(policy_entry_t *policy,
461 private_kernel_pfkey_ipsec_t *this)
462 {
463 if (policy->route)
464 {
465 route_entry_destroy(policy->route);
466 }
467 if (policy->used_by)
468 {
469 policy->used_by->invoke_function(policy->used_by,
470 (linked_list_invoke_t)policy_sa_destroy,
471 &policy->direction, this);
472 policy->used_by->destroy(policy->used_by);
473 }
474 DESTROY_IF(policy->src.net);
475 DESTROY_IF(policy->dst.net);
476 free(policy);
477 }
478
479 /**
480 * compares two policy_entry_t
481 */
482 static inline bool policy_entry_equals(policy_entry_t *current,
483 policy_entry_t *policy)
484 {
485 return current->direction == policy->direction &&
486 current->src.proto == policy->src.proto &&
487 current->dst.proto == policy->dst.proto &&
488 current->src.mask == policy->src.mask &&
489 current->dst.mask == policy->dst.mask &&
490 current->src.net->equals(current->src.net, policy->src.net) &&
491 current->dst.net->equals(current->dst.net, policy->dst.net);
492 }
493
494 /**
495 * compare the given kernel index with that of a policy
496 */
497 static inline bool policy_entry_match_byindex(policy_entry_t *current,
498 u_int32_t *index)
499 {
500 return current->index == *index;
501 }
502
503 /**
504 * Calculate the priority of a policy
505 */
506 static inline u_int32_t get_priority(policy_entry_t *policy,
507 policy_priority_t prio)
508 {
509 u_int32_t priority = PRIO_BASE;
510 switch (prio)
511 {
512 case POLICY_PRIORITY_FALLBACK:
513 priority <<= 1;
514 /* fall-through */
515 case POLICY_PRIORITY_ROUTED:
516 priority <<= 1;
517 /* fall-through */
518 case POLICY_PRIORITY_DEFAULT:
519 break;
520 }
521 /* calculate priority based on selector size, small size = high prio */
522 priority -= policy->src.mask;
523 priority -= policy->dst.mask;
524 priority <<= 2; /* make some room for the two flags */
525 priority += policy->src.net->get_port(policy->src.net) ||
526 policy->dst.net->get_port(policy->dst.net) ?
527 0 : 2;
528 priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1;
529 return priority;
530 }
531
532 typedef struct pfkey_msg_t pfkey_msg_t;
533
534 struct pfkey_msg_t
535 {
536 /**
537 * PF_KEY message base
538 */
539 struct sadb_msg *msg;
540
541 /**
542 * PF_KEY message extensions
543 */
544 union {
545 struct sadb_ext *ext[SADB_EXT_MAX + 1];
546 struct {
547 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
548 struct sadb_sa *sa; /* SADB_EXT_SA */
549 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
550 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
551 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
552 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
553 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
554 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
555 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
556 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
557 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
558 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
559 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
560 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
561 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
562 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
563 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
564 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
565 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
566 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
567 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
568 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
569 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
570 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
571 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
572 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
573 } __attribute__((__packed__));
574 };
575 };
576
577 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
578 "SADB_EXT_RESERVED",
579 "SADB_EXT_SA",
580 "SADB_EXT_LIFETIME_CURRENT",
581 "SADB_EXT_LIFETIME_HARD",
582 "SADB_EXT_LIFETIME_SOFT",
583 "SADB_EXT_ADDRESS_SRC",
584 "SADB_EXT_ADDRESS_DST",
585 "SADB_EXT_ADDRESS_PROXY",
586 "SADB_EXT_KEY_AUTH",
587 "SADB_EXT_KEY_ENCRYPT",
588 "SADB_EXT_IDENTITY_SRC",
589 "SADB_EXT_IDENTITY_DST",
590 "SADB_EXT_SENSITIVITY",
591 "SADB_EXT_PROPOSAL",
592 "SADB_EXT_SUPPORTED_AUTH",
593 "SADB_EXT_SUPPORTED_ENCRYPT",
594 "SADB_EXT_SPIRANGE",
595 "SADB_X_EXT_KMPRIVATE",
596 "SADB_X_EXT_POLICY",
597 "SADB_X_EXT_SA2",
598 "SADB_X_EXT_NAT_T_TYPE",
599 "SADB_X_EXT_NAT_T_SPORT",
600 "SADB_X_EXT_NAT_T_DPORT",
601 "SADB_X_EXT_NAT_T_OA",
602 "SADB_X_EXT_SEC_CTX",
603 "SADB_X_EXT_KMADDRESS"
604 );
605
606 /**
607 * convert a protocol identifier to the PF_KEY sa type
608 */
609 static u_int8_t proto2satype(u_int8_t proto)
610 {
611 switch (proto)
612 {
613 case IPPROTO_ESP:
614 return SADB_SATYPE_ESP;
615 case IPPROTO_AH:
616 return SADB_SATYPE_AH;
617 case IPPROTO_COMP:
618 return SADB_X_SATYPE_IPCOMP;
619 default:
620 return proto;
621 }
622 }
623
624 /**
625 * convert a PF_KEY sa type to a protocol identifier
626 */
627 static u_int8_t satype2proto(u_int8_t satype)
628 {
629 switch (satype)
630 {
631 case SADB_SATYPE_ESP:
632 return IPPROTO_ESP;
633 case SADB_SATYPE_AH:
634 return IPPROTO_AH;
635 case SADB_X_SATYPE_IPCOMP:
636 return IPPROTO_COMP;
637 default:
638 return satype;
639 }
640 }
641
642 /**
643 * convert the general ipsec mode to the one defined in ipsec.h
644 */
645 static u_int8_t mode2kernel(ipsec_mode_t mode)
646 {
647 switch (mode)
648 {
649 case MODE_TRANSPORT:
650 return IPSEC_MODE_TRANSPORT;
651 case MODE_TUNNEL:
652 return IPSEC_MODE_TUNNEL;
653 #ifdef HAVE_IPSEC_MODE_BEET
654 case MODE_BEET:
655 return IPSEC_MODE_BEET;
656 #endif
657 default:
658 return mode;
659 }
660 }
661
662 /**
663 * convert the general policy direction to the one defined in ipsec.h
664 */
665 static u_int8_t dir2kernel(policy_dir_t dir)
666 {
667 switch (dir)
668 {
669 case POLICY_IN:
670 return IPSEC_DIR_INBOUND;
671 case POLICY_OUT:
672 return IPSEC_DIR_OUTBOUND;
673 #ifdef HAVE_IPSEC_DIR_FWD
674 case POLICY_FWD:
675 return IPSEC_DIR_FWD;
676 #endif
677 default:
678 return IPSEC_DIR_INVALID;
679 }
680 }
681
682 /**
683 * convert the policy type to the one defined in ipsec.h
684 */
685 static inline u_int16_t type2kernel(policy_type_t type)
686 {
687 switch (type)
688 {
689 case POLICY_IPSEC:
690 return IPSEC_POLICY_IPSEC;
691 case POLICY_PASS:
692 return IPSEC_POLICY_NONE;
693 case POLICY_DROP:
694 return IPSEC_POLICY_DISCARD;
695 }
696 return type;
697 }
698
699 #ifdef SADB_X_MIGRATE
700 /**
701 * convert the policy direction in ipsec.h to the general one.
702 */
703 static policy_dir_t kernel2dir(u_int8_t dir)
704 {
705 switch (dir)
706 {
707 case IPSEC_DIR_INBOUND:
708 return POLICY_IN;
709 case IPSEC_DIR_OUTBOUND:
710 return POLICY_OUT;
711 #ifdef HAVE_IPSEC_DIR_FWD
712 case IPSEC_DIR_FWD:
713 return POLICY_FWD;
714 #endif
715 default:
716 return dir;
717 }
718 }
719 #endif /*SADB_X_MIGRATE*/
720
721 typedef struct kernel_algorithm_t kernel_algorithm_t;
722
723 /**
724 * Mapping of IKEv2 algorithms to PF_KEY algorithms
725 */
726 struct kernel_algorithm_t {
727 /**
728 * Identifier specified in IKEv2
729 */
730 int ikev2;
731
732 /**
733 * Identifier as defined in pfkeyv2.h
734 */
735 int kernel;
736 };
737
738 #define END_OF_LIST -1
739
740 /**
741 * Algorithms for encryption
742 */
743 static kernel_algorithm_t encryption_algs[] = {
744 /* {ENCR_DES_IV64, 0 }, */
745 {ENCR_DES, SADB_EALG_DESCBC },
746 {ENCR_3DES, SADB_EALG_3DESCBC },
747 /* {ENCR_RC5, 0 }, */
748 /* {ENCR_IDEA, 0 }, */
749 {ENCR_CAST, SADB_X_EALG_CASTCBC },
750 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
751 /* {ENCR_3IDEA, 0 }, */
752 /* {ENCR_DES_IV32, 0 }, */
753 {ENCR_NULL, SADB_EALG_NULL },
754 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
755 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
756 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
757 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
758 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
759 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
760 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
761 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
762 {END_OF_LIST, 0 },
763 };
764
765 /**
766 * Algorithms for integrity protection
767 */
768 static kernel_algorithm_t integrity_algs[] = {
769 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
770 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
771 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
772 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
773 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
774 /* {AUTH_DES_MAC, 0, }, */
775 /* {AUTH_KPDK_MD5, 0, }, */
776 #ifdef SADB_X_AALG_AES_XCBC_MAC
777 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
778 #endif
779 {END_OF_LIST, 0, },
780 };
781
782 #if 0
783 /**
784 * Algorithms for IPComp, unused yet
785 */
786 static kernel_algorithm_t compression_algs[] = {
787 /* {IPCOMP_OUI, 0 }, */
788 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
789 {IPCOMP_LZS, SADB_X_CALG_LZS },
790 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
791 {END_OF_LIST, 0 },
792 };
793 #endif
794
795 /**
796 * Look up a kernel algorithm ID and its key size
797 */
798 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
799 {
800 while (list->ikev2 != END_OF_LIST)
801 {
802 if (ikev2 == list->ikev2)
803 {
804 return list->kernel;
805 }
806 list++;
807 }
808 return 0;
809 }
810
811 /**
812 * Copy a host_t as sockaddr_t to the given memory location. Ports are
813 * reset to zero as per RFC 2367.
814 * @return the number of bytes copied
815 */
816 static size_t hostcpy(void *dest, host_t *host)
817 {
818 sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
819 socklen_t *len = host->get_sockaddr_len(host);
820 memcpy(dest, addr, *len);
821 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
822 dest_addr->sa_len = *len;
823 #endif
824 switch (dest_addr->sa_family)
825 {
826 case AF_INET:
827 {
828 struct sockaddr_in *sin = dest;
829 sin->sin_port = 0;
830 break;
831 }
832 case AF_INET6:
833 {
834 struct sockaddr_in6 *sin6 = dest;
835 sin6->sin6_port = 0;
836 break;
837 }
838 }
839 return *len;
840 }
841
842 /**
843 * add a host behind an sadb_address extension
844 */
845 static void host2ext(host_t *host, struct sadb_address *ext)
846 {
847 size_t len = hostcpy(ext + 1, host);
848 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len);
849 }
850
851 /**
852 * add a host to the given sadb_msg
853 */
854 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
855 u_int8_t proto, u_int8_t prefixlen)
856 {
857 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
858 addr->sadb_address_exttype = type;
859 addr->sadb_address_proto = proto;
860 addr->sadb_address_prefixlen = prefixlen;
861 host2ext(host, addr);
862 PFKEY_EXT_ADD(msg, addr);
863 }
864
865 /**
866 * adds an empty address extension to the given sadb_msg
867 */
868 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
869 {
870 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
871 sizeof(struct sockaddr_in6);
872 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
873 addr->sadb_address_exttype = type;
874 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
875 saddr->sa_family = family;
876 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
877 saddr->sa_len = len;
878 #endif
879 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
880 PFKEY_EXT_ADD(msg, addr);
881 }
882
883 #ifdef HAVE_NATT
884 /**
885 * add udp encap extensions to a sadb_msg
886 */
887 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
888 {
889 struct sadb_x_nat_t_type* nat_type;
890 struct sadb_x_nat_t_port* nat_port;
891
892 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
893 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
894 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(*nat_type));
895 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
896 PFKEY_EXT_ADD(msg, nat_type);
897
898 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
899 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
900 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
901 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
902 PFKEY_EXT_ADD(msg, nat_port);
903
904 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
905 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
906 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
907 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
908 PFKEY_EXT_ADD(msg, nat_port);
909 }
910 #endif /*HAVE_NATT*/
911
912 /**
913 * Convert a sadb_address to a traffic_selector
914 */
915 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
916 {
917 traffic_selector_t *ts;
918 host_t *host;
919
920 /* The Linux 2.6 kernel does not set the protocol and port information
921 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
922 */
923 host = host_create_from_sockaddr((sockaddr_t*)&address[1]);
924 ts = traffic_selector_create_from_subnet(host,
925 address->sadb_address_prefixlen,
926 address->sadb_address_proto,
927 host->get_port(host));
928 return ts;
929 }
930
931 /**
932 * Parses a pfkey message received from the kernel
933 */
934 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
935 {
936 struct sadb_ext* ext;
937 size_t len;
938
939 memset(out, 0, sizeof(pfkey_msg_t));
940 out->msg = msg;
941
942 len = msg->sadb_msg_len;
943 len -= PFKEY_LEN(sizeof(struct sadb_msg));
944
945 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
946
947 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
948 {
949 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
950 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
951 ext->sadb_ext_len > len)
952 {
953 DBG1(DBG_KNL, "length of %N extension is invalid",
954 sadb_ext_type_names, ext->sadb_ext_type);
955 break;
956 }
957
958 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
959 {
960 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid",
961 ext->sadb_ext_type);
962 break;
963 }
964
965 if (out->ext[ext->sadb_ext_type])
966 {
967 DBG1(DBG_KNL, "duplicate %N extension",
968 sadb_ext_type_names, ext->sadb_ext_type);
969 break;
970 }
971
972 out->ext[ext->sadb_ext_type] = ext;
973 ext = PFKEY_EXT_NEXT_LEN(ext, len);
974 }
975
976 if (len)
977 {
978 DBG1(DBG_KNL, "PF_KEY message length is invalid");
979 return FAILED;
980 }
981
982 return SUCCESS;
983 }
984
985 /**
986 * Send a message to a specific PF_KEY socket and handle the response.
987 */
988 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
989 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
990 {
991 unsigned char buf[PFKEY_BUFFER_SIZE];
992 struct sadb_msg *msg;
993 int in_len, len;
994
995 this->mutex_pfkey->lock(this->mutex_pfkey);
996
997 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
998 * in particular the behavior in response to an SADB_ACQUIRE. */
999 in->sadb_msg_seq = ++this->seq;
1000 in->sadb_msg_pid = getpid();
1001
1002 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
1003
1004 while (TRUE)
1005 {
1006 len = send(socket, in, in_len, 0);
1007
1008 if (len != in_len)
1009 {
1010 if (errno == EINTR)
1011 {
1012 /* interrupted, try again */
1013 continue;
1014 }
1015 this->mutex_pfkey->unlock(this->mutex_pfkey);
1016 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s",
1017 strerror(errno));
1018 return FAILED;
1019 }
1020 break;
1021 }
1022
1023 while (TRUE)
1024 {
1025 msg = (struct sadb_msg*)buf;
1026
1027 len = recv(socket, buf, sizeof(buf), 0);
1028
1029 if (len < 0)
1030 {
1031 if (errno == EINTR)
1032 {
1033 DBG1(DBG_KNL, "got interrupted");
1034 /* interrupted, try again */
1035 continue;
1036 }
1037 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s",
1038 strerror(errno));
1039 this->mutex_pfkey->unlock(this->mutex_pfkey);
1040 return FAILED;
1041 }
1042 if (len < sizeof(struct sadb_msg) ||
1043 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1044 {
1045 DBG1(DBG_KNL, "received corrupted PF_KEY message");
1046 this->mutex_pfkey->unlock(this->mutex_pfkey);
1047 return FAILED;
1048 }
1049 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1050 {
1051 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY "
1052 "message");
1053 this->mutex_pfkey->unlock(this->mutex_pfkey);
1054 return FAILED;
1055 }
1056 if (msg->sadb_msg_pid != in->sadb_msg_pid)
1057 {
1058 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
1059 continue;
1060 }
1061 if (msg->sadb_msg_seq != this->seq)
1062 {
1063 DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
1064 "number, was %d expected %d", msg->sadb_msg_seq,
1065 this->seq);
1066 if (msg->sadb_msg_seq == 0)
1067 {
1068 /* FreeBSD and Mac OS X do this for the response to
1069 * SADB_X_SPDGET (but not for the response to SADB_GET).
1070 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
1071 }
1072 else if (msg->sadb_msg_seq < this->seq)
1073 {
1074 continue;
1075 }
1076 else
1077 {
1078 this->mutex_pfkey->unlock(this->mutex_pfkey);
1079 return FAILED;
1080 }
1081 }
1082 if (msg->sadb_msg_type != in->sadb_msg_type)
1083 {
1084 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
1085 "was %d expected %d, ignoring", msg->sadb_msg_type,
1086 in->sadb_msg_type);
1087 }
1088 break;
1089 }
1090
1091 *out_len = len;
1092 *out = (struct sadb_msg*)malloc(len);
1093 memcpy(*out, buf, len);
1094
1095 this->mutex_pfkey->unlock(this->mutex_pfkey);
1096 return SUCCESS;
1097 }
1098
1099 /**
1100 * Send a message to the default PF_KEY socket and handle the response.
1101 */
1102 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
1103 struct sadb_msg *in, struct sadb_msg **out,
1104 size_t *out_len)
1105 {
1106 return pfkey_send_socket(this, this->socket, in, out, out_len);
1107 }
1108
1109 /**
1110 * Process a SADB_ACQUIRE message from the kernel
1111 */
1112 static void process_acquire(private_kernel_pfkey_ipsec_t *this,
1113 struct sadb_msg* msg)
1114 {
1115 pfkey_msg_t response;
1116 u_int32_t index, reqid = 0;
1117 traffic_selector_t *src_ts, *dst_ts;
1118 policy_entry_t *policy;
1119 policy_sa_t *sa;
1120
1121 switch (msg->sadb_msg_satype)
1122 {
1123 case SADB_SATYPE_UNSPEC:
1124 case SADB_SATYPE_ESP:
1125 case SADB_SATYPE_AH:
1126 break;
1127 default:
1128 /* acquire for AH/ESP only */
1129 return;
1130 }
1131 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
1132
1133 if (parse_pfkey_message(msg, &response) != SUCCESS)
1134 {
1135 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
1136 return;
1137 }
1138
1139 index = response.x_policy->sadb_x_policy_id;
1140 this->mutex->lock(this->mutex);
1141 if (this->policies->find_first(this->policies,
1142 (linked_list_match_t)policy_entry_match_byindex,
1143 (void**)&policy, &index) == SUCCESS &&
1144 policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS)
1145 {
1146 reqid = sa->sa->cfg.reqid;
1147 }
1148 else
1149 {
1150 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no "
1151 "matching policy found", index);
1152 }
1153 this->mutex->unlock(this->mutex);
1154
1155 src_ts = sadb_address2ts(response.src);
1156 dst_ts = sadb_address2ts(response.dst);
1157
1158 hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
1159 dst_ts);
1160 }
1161
1162 /**
1163 * Process a SADB_EXPIRE message from the kernel
1164 */
1165 static void process_expire(private_kernel_pfkey_ipsec_t *this,
1166 struct sadb_msg* msg)
1167 {
1168 pfkey_msg_t response;
1169 u_int8_t protocol;
1170 u_int32_t spi, reqid;
1171 bool hard;
1172
1173 DBG2(DBG_KNL, "received an SADB_EXPIRE");
1174
1175 if (parse_pfkey_message(msg, &response) != SUCCESS)
1176 {
1177 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
1178 return;
1179 }
1180
1181 protocol = satype2proto(msg->sadb_msg_satype);
1182 spi = response.sa->sadb_sa_spi;
1183 reqid = response.x_sa2->sadb_x_sa2_reqid;
1184 hard = response.lft_hard != NULL;
1185
1186 if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
1187 {
1188 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and "
1189 "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
1190 return;
1191 }
1192
1193 hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
1194 spi, hard);
1195 }
1196
1197 #ifdef SADB_X_MIGRATE
1198 /**
1199 * Process a SADB_X_MIGRATE message from the kernel
1200 */
1201 static void process_migrate(private_kernel_pfkey_ipsec_t *this,
1202 struct sadb_msg* msg)
1203 {
1204 pfkey_msg_t response;
1205 traffic_selector_t *src_ts, *dst_ts;
1206 policy_dir_t dir;
1207 u_int32_t reqid = 0;
1208 host_t *local = NULL, *remote = NULL;
1209
1210 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
1211
1212 if (parse_pfkey_message(msg, &response) != SUCCESS)
1213 {
1214 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
1215 return;
1216 }
1217 src_ts = sadb_address2ts(response.src);
1218 dst_ts = sadb_address2ts(response.dst);
1219 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
1220 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
1221 policy_dir_names, dir);
1222
1223 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
1224 if (response.x_kmaddress)
1225 {
1226 sockaddr_t *local_addr, *remote_addr;
1227 u_int32_t local_len;
1228
1229 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
1230 local = host_create_from_sockaddr(local_addr);
1231 local_len = (local_addr->sa_family == AF_INET6)?
1232 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
1233 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
1234 remote = host_create_from_sockaddr(remote_addr);
1235 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1236 }
1237
1238 if (src_ts && dst_ts && local && remote)
1239 {
1240 hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
1241 src_ts, dst_ts, dir, local, remote);
1242 }
1243 else
1244 {
1245 DESTROY_IF(src_ts);
1246 DESTROY_IF(dst_ts);
1247 DESTROY_IF(local);
1248 DESTROY_IF(remote);
1249 }
1250 }
1251 #endif /*SADB_X_MIGRATE*/
1252
1253 #ifdef SADB_X_NAT_T_NEW_MAPPING
1254 /**
1255 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1256 */
1257 static void process_mapping(private_kernel_pfkey_ipsec_t *this,
1258 struct sadb_msg* msg)
1259 {
1260 pfkey_msg_t response;
1261 u_int32_t spi, reqid;
1262 sockaddr_t *sa;
1263 host_t *host;
1264
1265 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1266
1267 if (parse_pfkey_message(msg, &response) != SUCCESS)
1268 {
1269 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1270 return;
1271 }
1272
1273 if (!response.x_sa2)
1274 {
1275 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required "
1276 "information");
1277 return;
1278 }
1279
1280 spi = response.sa->sadb_sa_spi;
1281 reqid = response.x_sa2->sadb_x_sa2_reqid;
1282
1283 if (satype2proto(msg->sadb_msg_satype) != IPPROTO_ESP)
1284 {
1285 return;
1286 }
1287
1288 sa = (sockaddr_t*)(response.dst + 1);
1289 switch (sa->sa_family)
1290 {
1291 case AF_INET:
1292 {
1293 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1294 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1295 }
1296 case AF_INET6:
1297 {
1298 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1299 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1300 }
1301 default:
1302 break;
1303 }
1304
1305 host = host_create_from_sockaddr(sa);
1306 if (host)
1307 {
1308 hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
1309 spi, host);
1310 }
1311 }
1312 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1313
1314 /**
1315 * Receives events from kernel
1316 */
1317 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1318 {
1319 unsigned char buf[PFKEY_BUFFER_SIZE];
1320 struct sadb_msg *msg = (struct sadb_msg*)buf;
1321 bool oldstate;
1322 int len;
1323
1324 oldstate = thread_cancelability(TRUE);
1325 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1326 thread_cancelability(oldstate);
1327
1328 if (len < 0)
1329 {
1330 switch (errno)
1331 {
1332 case EINTR:
1333 /* interrupted, try again */
1334 return JOB_REQUEUE_DIRECT;
1335 case EAGAIN:
1336 /* no data ready, select again */
1337 return JOB_REQUEUE_DIRECT;
1338 default:
1339 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1340 sleep(1);
1341 return JOB_REQUEUE_FAIR;
1342 }
1343 }
1344
1345 if (len < sizeof(struct sadb_msg) ||
1346 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1347 {
1348 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1349 return JOB_REQUEUE_DIRECT;
1350 }
1351 if (msg->sadb_msg_pid != 0)
1352 { /* not from kernel. not interested, try another one */
1353 return JOB_REQUEUE_DIRECT;
1354 }
1355 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1356 {
1357 DBG1(DBG_KNL, "buffer was too small to receive the complete "
1358 "PF_KEY message");
1359 return JOB_REQUEUE_DIRECT;
1360 }
1361
1362 switch (msg->sadb_msg_type)
1363 {
1364 case SADB_ACQUIRE:
1365 process_acquire(this, msg);
1366 break;
1367 case SADB_EXPIRE:
1368 process_expire(this, msg);
1369 break;
1370 #ifdef SADB_X_MIGRATE
1371 case SADB_X_MIGRATE:
1372 process_migrate(this, msg);
1373 break;
1374 #endif /*SADB_X_MIGRATE*/
1375 #ifdef SADB_X_NAT_T_NEW_MAPPING
1376 case SADB_X_NAT_T_NEW_MAPPING:
1377 process_mapping(this, msg);
1378 break;
1379 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1380 default:
1381 break;
1382 }
1383
1384 return JOB_REQUEUE_DIRECT;
1385 }
1386
1387 METHOD(kernel_ipsec_t, get_spi, status_t,
1388 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1389 u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
1390 {
1391 unsigned char request[PFKEY_BUFFER_SIZE];
1392 struct sadb_msg *msg, *out;
1393 struct sadb_x_sa2 *sa2;
1394 struct sadb_spirange *range;
1395 pfkey_msg_t response;
1396 u_int32_t received_spi = 0;
1397 size_t len;
1398
1399 memset(&request, 0, sizeof(request));
1400
1401 msg = (struct sadb_msg*)request;
1402 msg->sadb_msg_version = PF_KEY_V2;
1403 msg->sadb_msg_type = SADB_GETSPI;
1404 msg->sadb_msg_satype = proto2satype(protocol);
1405 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1406
1407 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1408 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1409 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1410 sa2->sadb_x_sa2_reqid = reqid;
1411 PFKEY_EXT_ADD(msg, sa2);
1412
1413 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1414 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1415
1416 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1417 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1418 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1419 range->sadb_spirange_min = 0xc0000000;
1420 range->sadb_spirange_max = 0xcFFFFFFF;
1421 PFKEY_EXT_ADD(msg, range);
1422
1423 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1424 {
1425 if (out->sadb_msg_errno)
1426 {
1427 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1428 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1429 }
1430 else if (parse_pfkey_message(out, &response) == SUCCESS)
1431 {
1432 received_spi = response.sa->sadb_sa_spi;
1433 }
1434 free(out);
1435 }
1436
1437 if (received_spi == 0)
1438 {
1439 return FAILED;
1440 }
1441
1442 *spi = received_spi;
1443 return SUCCESS;
1444 }
1445
1446 METHOD(kernel_ipsec_t, get_cpi, status_t,
1447 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1448 u_int32_t reqid, u_int16_t *cpi)
1449 {
1450 return FAILED;
1451 }
1452
1453 METHOD(kernel_ipsec_t, add_sa, status_t,
1454 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
1455 u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
1456 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
1457 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
1458 u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
1459 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
1460 {
1461 unsigned char request[PFKEY_BUFFER_SIZE];
1462 struct sadb_msg *msg, *out;
1463 struct sadb_sa *sa;
1464 struct sadb_x_sa2 *sa2;
1465 struct sadb_lifetime *lft;
1466 struct sadb_key *key;
1467 size_t len;
1468
1469 memset(&request, 0, sizeof(request));
1470
1471 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
1472 ntohl(spi), reqid);
1473
1474 msg = (struct sadb_msg*)request;
1475 msg->sadb_msg_version = PF_KEY_V2;
1476 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1477 msg->sadb_msg_satype = proto2satype(protocol);
1478 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1479
1480 #ifdef __APPLE__
1481 if (encap)
1482 {
1483 struct sadb_sa_2 *sa_2;
1484 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1485 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1486 sa = &sa_2->sa;
1487 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1488 len = sizeof(struct sadb_sa_2);
1489 }
1490 else
1491 #endif
1492 {
1493 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1494 len = sizeof(struct sadb_sa);
1495 }
1496 sa->sadb_sa_exttype = SADB_EXT_SA;
1497 sa->sadb_sa_len = PFKEY_LEN(len);
1498 sa->sadb_sa_spi = spi;
1499 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1500 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1501 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1502 PFKEY_EXT_ADD(msg, sa);
1503
1504 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1505 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1506 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1507 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1508 sa2->sadb_x_sa2_reqid = reqid;
1509 PFKEY_EXT_ADD(msg, sa2);
1510
1511 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1512 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1513
1514 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1515 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1516 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1517 lft->sadb_lifetime_allocations = lifetime->packets.rekey;
1518 lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
1519 lft->sadb_lifetime_addtime = lifetime->time.rekey;
1520 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1521 PFKEY_EXT_ADD(msg, lft);
1522
1523 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1524 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1525 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1526 lft->sadb_lifetime_allocations = lifetime->packets.life;
1527 lft->sadb_lifetime_bytes = lifetime->bytes.life;
1528 lft->sadb_lifetime_addtime = lifetime->time.life;
1529 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1530 PFKEY_EXT_ADD(msg, lft);
1531
1532 if (enc_alg != ENCR_UNDEFINED)
1533 {
1534 if (!sa->sadb_sa_encrypt)
1535 {
1536 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1537 encryption_algorithm_names, enc_alg);
1538 return FAILED;
1539 }
1540 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1541 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1542
1543 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1544 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1545 key->sadb_key_bits = enc_key.len * 8;
1546 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1547 memcpy(key + 1, enc_key.ptr, enc_key.len);
1548
1549 PFKEY_EXT_ADD(msg, key);
1550 }
1551
1552 if (int_alg != AUTH_UNDEFINED)
1553 {
1554 if (!sa->sadb_sa_auth)
1555 {
1556 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1557 integrity_algorithm_names, int_alg);
1558 return FAILED;
1559 }
1560 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1561 integrity_algorithm_names, int_alg, int_key.len * 8);
1562
1563 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1564 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1565 key->sadb_key_bits = int_key.len * 8;
1566 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1567 memcpy(key + 1, int_key.ptr, int_key.len);
1568
1569 PFKEY_EXT_ADD(msg, key);
1570 }
1571
1572 if (ipcomp != IPCOMP_NONE)
1573 {
1574 /*TODO*/
1575 }
1576
1577 #ifdef HAVE_NATT
1578 if (encap)
1579 {
1580 add_encap_ext(msg, src, dst);
1581 }
1582 #endif /*HAVE_NATT*/
1583
1584 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1585 {
1586 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1587 return FAILED;
1588 }
1589 else if (out->sadb_msg_errno)
1590 {
1591 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1592 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1593 free(out);
1594 return FAILED;
1595 }
1596
1597 free(out);
1598 return SUCCESS;
1599 }
1600
1601 METHOD(kernel_ipsec_t, update_sa, status_t,
1602 private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
1603 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1604 bool encap, bool new_encap, mark_t mark)
1605 {
1606 unsigned char request[PFKEY_BUFFER_SIZE];
1607 struct sadb_msg *msg, *out;
1608 struct sadb_sa *sa;
1609 pfkey_msg_t response;
1610 size_t len;
1611
1612 /* we can't update the SA if any of the ip addresses have changed.
1613 * that's because we can't use SADB_UPDATE and by deleting and readding the
1614 * SA the sequence numbers would get lost */
1615 if (!src->ip_equals(src, new_src) ||
1616 !dst->ip_equals(dst, new_dst))
1617 {
1618 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address "
1619 "changes are not supported", ntohl(spi));
1620 return NOT_SUPPORTED;
1621 }
1622
1623 memset(&request, 0, sizeof(request));
1624
1625 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1626
1627 msg = (struct sadb_msg*)request;
1628 msg->sadb_msg_version = PF_KEY_V2;
1629 msg->sadb_msg_type = SADB_GET;
1630 msg->sadb_msg_satype = proto2satype(protocol);
1631 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1632
1633 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1634 sa->sadb_sa_exttype = SADB_EXT_SA;
1635 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1636 sa->sadb_sa_spi = spi;
1637 PFKEY_EXT_ADD(msg, sa);
1638
1639 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1640 * it is not used for anything. */
1641 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1642 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1643
1644 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1645 {
1646 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1647 return FAILED;
1648 }
1649 else if (out->sadb_msg_errno)
1650 {
1651 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1652 ntohl(spi), strerror(out->sadb_msg_errno),
1653 out->sadb_msg_errno);
1654 free(out);
1655 return FAILED;
1656 }
1657 else if (parse_pfkey_message(out, &response) != SUCCESS)
1658 {
1659 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing "
1660 "response from kernel failed", ntohl(spi));
1661 free(out);
1662 return FAILED;
1663 }
1664
1665 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1666 ntohl(spi), src, dst, new_src, new_dst);
1667
1668 memset(&request, 0, sizeof(request));
1669
1670 msg = (struct sadb_msg*)request;
1671 msg->sadb_msg_version = PF_KEY_V2;
1672 msg->sadb_msg_type = SADB_UPDATE;
1673 msg->sadb_msg_satype = proto2satype(protocol);
1674 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1675
1676 #ifdef __APPLE__
1677 {
1678 struct sadb_sa_2 *sa_2;
1679 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1680 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1681 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1682 if (encap)
1683 {
1684 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1685 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1686 }
1687 }
1688 #else
1689 PFKEY_EXT_COPY(msg, response.sa);
1690 #endif
1691 PFKEY_EXT_COPY(msg, response.x_sa2);
1692
1693 PFKEY_EXT_COPY(msg, response.src);
1694 PFKEY_EXT_COPY(msg, response.dst);
1695
1696 PFKEY_EXT_COPY(msg, response.lft_soft);
1697 PFKEY_EXT_COPY(msg, response.lft_hard);
1698
1699 if (response.key_encr)
1700 {
1701 PFKEY_EXT_COPY(msg, response.key_encr);
1702 }
1703
1704 if (response.key_auth)
1705 {
1706 PFKEY_EXT_COPY(msg, response.key_auth);
1707 }
1708
1709 #ifdef HAVE_NATT
1710 if (new_encap)
1711 {
1712 add_encap_ext(msg, new_src, new_dst);
1713 }
1714 #endif /*HAVE_NATT*/
1715
1716 free(out);
1717
1718 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1719 {
1720 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1721 return FAILED;
1722 }
1723 else if (out->sadb_msg_errno)
1724 {
1725 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1726 ntohl(spi), strerror(out->sadb_msg_errno),
1727 out->sadb_msg_errno);
1728 free(out);
1729 return FAILED;
1730 }
1731 free(out);
1732
1733 return SUCCESS;
1734 }
1735
1736 METHOD(kernel_ipsec_t, query_sa, status_t,
1737 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1738 u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
1739 {
1740 unsigned char request[PFKEY_BUFFER_SIZE];
1741 struct sadb_msg *msg, *out;
1742 struct sadb_sa *sa;
1743 pfkey_msg_t response;
1744 size_t len;
1745
1746 memset(&request, 0, sizeof(request));
1747
1748 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1749
1750 msg = (struct sadb_msg*)request;
1751 msg->sadb_msg_version = PF_KEY_V2;
1752 msg->sadb_msg_type = SADB_GET;
1753 msg->sadb_msg_satype = proto2satype(protocol);
1754 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1755
1756 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1757 sa->sadb_sa_exttype = SADB_EXT_SA;
1758 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1759 sa->sadb_sa_spi = spi;
1760 PFKEY_EXT_ADD(msg, sa);
1761
1762 /* the Linux Kernel doesn't care for the src address, but other systems do
1763 * (e.g. FreeBSD)
1764 */
1765 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1766 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1767
1768 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1769 {
1770 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1771 return FAILED;
1772 }
1773 else if (out->sadb_msg_errno)
1774 {
1775 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1776 ntohl(spi), strerror(out->sadb_msg_errno),
1777 out->sadb_msg_errno);
1778 free(out);
1779 return FAILED;
1780 }
1781 else if (parse_pfkey_message(out, &response) != SUCCESS)
1782 {
1783 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1784 free(out);
1785 return FAILED;
1786 }
1787 *bytes = response.lft_current->sadb_lifetime_bytes;
1788
1789 free(out);
1790 return SUCCESS;
1791 }
1792
1793 METHOD(kernel_ipsec_t, del_sa, status_t,
1794 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1795 u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
1796 {
1797 unsigned char request[PFKEY_BUFFER_SIZE];
1798 struct sadb_msg *msg, *out;
1799 struct sadb_sa *sa;
1800 size_t len;
1801
1802 memset(&request, 0, sizeof(request));
1803
1804 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1805
1806 msg = (struct sadb_msg*)request;
1807 msg->sadb_msg_version = PF_KEY_V2;
1808 msg->sadb_msg_type = SADB_DELETE;
1809 msg->sadb_msg_satype = proto2satype(protocol);
1810 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1811
1812 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1813 sa->sadb_sa_exttype = SADB_EXT_SA;
1814 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1815 sa->sadb_sa_spi = spi;
1816 PFKEY_EXT_ADD(msg, sa);
1817
1818 /* the Linux Kernel doesn't care for the src address, but other systems do
1819 * (e.g. FreeBSD)
1820 */
1821 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1822 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1823
1824 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1825 {
1826 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1827 return FAILED;
1828 }
1829 else if (out->sadb_msg_errno)
1830 {
1831 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1832 ntohl(spi), strerror(out->sadb_msg_errno),
1833 out->sadb_msg_errno);
1834 free(out);
1835 return FAILED;
1836 }
1837
1838 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1839 free(out);
1840 return SUCCESS;
1841 }
1842
1843 /**
1844 * Add or update a policy in the kernel.
1845 *
1846 * Note: The mutex has to be locked when entering this function.
1847 */
1848 static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
1849 policy_entry_t *policy, policy_sa_t *mapping, bool update)
1850 {
1851 unsigned char request[PFKEY_BUFFER_SIZE];
1852 struct sadb_msg *msg, *out;
1853 struct sadb_x_policy *pol;
1854 struct sadb_x_ipsecrequest *req;
1855 ipsec_sa_t *ipsec = mapping->sa;
1856 pfkey_msg_t response;
1857 size_t len;
1858
1859 memset(&request, 0, sizeof(request));
1860
1861 msg = (struct sadb_msg*)request;
1862 msg->sadb_msg_version = PF_KEY_V2;
1863 msg->sadb_msg_type = update ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1864 msg->sadb_msg_satype = 0;
1865 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1866
1867 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1868 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1869 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1870 pol->sadb_x_policy_id = 0;
1871 pol->sadb_x_policy_dir = dir2kernel(policy->direction);
1872 pol->sadb_x_policy_type = type2kernel(mapping->type);
1873 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1874 pol->sadb_x_policy_priority = mapping->priority;
1875 #endif
1876
1877 /* one or more sadb_x_ipsecrequest extensions are added to the
1878 * sadb_x_policy extension */
1879 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1880 req->sadb_x_ipsecrequest_proto = ipsec->cfg.esp.use ? IPPROTO_ESP
1881 : IPPROTO_AH;
1882 /* !!! the length here MUST be in octets instead of 64 bit words */
1883 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1884 req->sadb_x_ipsecrequest_mode = mode2kernel(ipsec->cfg.mode);
1885 req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid;
1886 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1887 if (ipsec->cfg.mode == MODE_TUNNEL)
1888 {
1889 len = hostcpy(req + 1, ipsec->src);
1890 req->sadb_x_ipsecrequest_len += len;
1891 len = hostcpy((char*)(req + 1) + len, ipsec->dst);
1892 req->sadb_x_ipsecrequest_len += len;
1893 }
1894
1895 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1896 PFKEY_EXT_ADD(msg, pol);
1897
1898 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1899 policy->src.mask);
1900 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1901 policy->dst.mask);
1902
1903 #ifdef __FreeBSD__
1904 { /* on FreeBSD a lifetime has to be defined to be able to later query
1905 * the current use time. */
1906 struct sadb_lifetime *lft;
1907 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1908 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1909 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1910 lft->sadb_lifetime_addtime = LONG_MAX;
1911 PFKEY_EXT_ADD(msg, lft);
1912 }
1913 #endif
1914
1915 this->mutex->unlock(this->mutex);
1916
1917 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1918 {
1919 return FAILED;
1920 }
1921 else if (out->sadb_msg_errno)
1922 {
1923 DBG1(DBG_KNL, "unable to %s policy: %s (%d)",
1924 update ? "update" : "add", strerror(out->sadb_msg_errno),
1925 out->sadb_msg_errno);
1926 free(out);
1927 return FAILED;
1928 }
1929 else if (parse_pfkey_message(out, &response) != SUCCESS)
1930 {
1931 DBG1(DBG_KNL, "unable to %s policy: parsing response from kernel "
1932 "failed", update ? "update" : "add");
1933 free(out);
1934 return FAILED;
1935 }
1936
1937 /* we try to find the policy again and update the kernel index */
1938 this->mutex->lock(this->mutex);
1939 if (this->policies->find_last(this->policies, NULL,
1940 (void**)&policy) != SUCCESS)
1941 {
1942 DBG2(DBG_KNL, "unable to update index, the policy is already gone, "
1943 "ignoring");
1944 this->mutex->unlock(this->mutex);
1945 free(out);
1946 return SUCCESS;
1947 }
1948 policy->index = response.x_policy->sadb_x_policy_id;
1949 free(out);
1950
1951 /* install a route, if:
1952 * - this is a forward policy (to just get one for each child)
1953 * - we are in tunnel mode
1954 * - routing is not disabled via strongswan.conf
1955 */
1956 if (policy->direction == POLICY_FWD &&
1957 ipsec->cfg.mode != MODE_TRANSPORT && this->install_routes)
1958 {
1959 route_entry_t *route = malloc_thing(route_entry_t);
1960 policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping;
1961
1962 if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
1963 fwd->dst_ts, &route->src_ip) == SUCCESS)
1964 {
1965 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1966 route->gateway = hydra->kernel_interface->get_nexthop(
1967 hydra->kernel_interface, ipsec->src);
1968 /* install route via outgoing interface */
1969 route->if_name = hydra->kernel_interface->get_interface(
1970 hydra->kernel_interface, ipsec->dst);
1971 route->dst_net = chunk_clone(policy->src.net->get_address(
1972 policy->src.net));
1973 route->prefixlen = policy->src.mask;
1974
1975 if (!route->if_name)
1976 {
1977 this->mutex->unlock(this->mutex);
1978 route_entry_destroy(route);
1979 return SUCCESS;
1980 }
1981
1982 if (policy->route)
1983 {
1984 route_entry_t *old = policy->route;
1985 if (route_entry_equals(old, route))
1986 { /* keep previously installed route */
1987 this->mutex->unlock(this->mutex);
1988 route_entry_destroy(route);
1989 return SUCCESS;
1990 }
1991 /* uninstall previously installed route */
1992 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
1993 old->dst_net, old->prefixlen, old->gateway,
1994 old->src_ip, old->if_name) != SUCCESS)
1995 {
1996 DBG1(DBG_KNL, "error uninstalling route installed with "
1997 "policy %R === %R %N", fwd->src_ts,
1998 fwd->dst_ts, policy_dir_names,
1999 policy->direction);
2000 }
2001 route_entry_destroy(old);
2002 policy->route = NULL;
2003 }
2004
2005 DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
2006 fwd->src_ts, route->gateway, route->src_ip, route->if_name);
2007 switch (hydra->kernel_interface->add_route(
2008 hydra->kernel_interface, route->dst_net,
2009 route->prefixlen, route->gateway,
2010 route->src_ip, route->if_name))
2011 {
2012 default:
2013 DBG1(DBG_KNL, "unable to install source route for %H",
2014 route->src_ip);
2015 /* FALL */
2016 case ALREADY_DONE:
2017 /* route exists, do not uninstall */
2018 route_entry_destroy(route);
2019 break;
2020 case SUCCESS:
2021 /* cache the installed route */
2022 policy->route = route;
2023 break;
2024 }
2025 }
2026 else
2027 {
2028 free(route);
2029 }
2030 }
2031 this->mutex->unlock(this->mutex);
2032 return SUCCESS;
2033 }
2034
2035 METHOD(kernel_ipsec_t, add_policy, status_t,
2036 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
2037 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
2038 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
2039 mark_t mark, policy_priority_t priority)
2040 {
2041 policy_entry_t *policy, *found = NULL;
2042 policy_sa_t *assigned_sa, *current_sa;
2043 enumerator_t *enumerator;
2044 bool update = TRUE;
2045
2046 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2047 { /* FWD policies are not supported on all platforms */
2048 return SUCCESS;
2049 }
2050
2051 /* create a policy */
2052 policy = create_policy_entry(src_ts, dst_ts, direction);
2053
2054 /* find a matching policy */
2055 this->mutex->lock(this->mutex);
2056 if (this->policies->find_first(this->policies,
2057 (linked_list_match_t)policy_entry_equals,
2058 (void**)&found, policy) == SUCCESS)
2059 { /* use existing policy */
2060 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
2061 "refcount", src_ts, dst_ts, policy_dir_names, direction);
2062 policy_entry_destroy(policy, this);
2063 policy = found;
2064 }
2065 else
2066 { /* use the new one, if we have no such policy */
2067 this->policies->insert_last(this->policies, policy);
2068 policy->used_by = linked_list_create();
2069 }
2070
2071 /* cache the assigned IPsec SA */
2072 assigned_sa = policy_sa_create(this, direction, type, src, dst, src_ts,
2073 dst_ts, sa);
2074 assigned_sa->priority = get_priority(policy, priority);
2075
2076 /* insert the SA according to its priority */
2077 enumerator = policy->used_by->create_enumerator(policy->used_by);
2078 while (enumerator->enumerate(enumerator, (void**)&current_sa))
2079 {
2080 if (current_sa->priority >= assigned_sa->priority)
2081 {
2082 break;
2083 }
2084 update = FALSE;
2085 }
2086 policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa);
2087 enumerator->destroy(enumerator);
2088
2089 if (!update)
2090 { /* we don't update the policy if the priority is lower than that of the
2091 * currently installed one */
2092 this->mutex->unlock(this->mutex);
2093 return SUCCESS;
2094 }
2095
2096 DBG2(DBG_KNL, "%s policy %R === %R %N",
2097 found ? "updating" : "adding", src_ts, dst_ts,
2098 policy_dir_names, direction);
2099
2100 if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS)
2101 {
2102 DBG1(DBG_KNL, "unable to %s policy %R === %R %N",
2103 found ? "update" : "add", src_ts, dst_ts,
2104 policy_dir_names, direction);
2105 return FAILED;
2106 }
2107 return SUCCESS;
2108 }
2109
2110 METHOD(kernel_ipsec_t, query_policy, status_t,
2111 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
2112 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
2113 u_int32_t *use_time)
2114 {
2115 unsigned char request[PFKEY_BUFFER_SIZE];
2116 struct sadb_msg *msg, *out;
2117 struct sadb_x_policy *pol;
2118 policy_entry_t *policy, *found = NULL;
2119 pfkey_msg_t response;
2120 size_t len;
2121
2122 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2123 { /* FWD policies are not supported on all platforms */
2124 return NOT_FOUND;
2125 }
2126
2127 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
2128 policy_dir_names, direction);
2129
2130 /* create a policy */
2131 policy = create_policy_entry(src_ts, dst_ts, direction);
2132
2133 /* find a matching policy */
2134 this->mutex->lock(this->mutex);
2135 if (this->policies->find_first(this->policies,
2136 (linked_list_match_t)policy_entry_equals,
2137 (void**)&found, policy) != SUCCESS)
2138 {
2139 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
2140 dst_ts, policy_dir_names, direction);
2141 policy_entry_destroy(policy, this);
2142 this->mutex->unlock(this->mutex);
2143 return NOT_FOUND;
2144 }
2145 policy_entry_destroy(policy, this);
2146 policy = found;
2147
2148 memset(&request, 0, sizeof(request));
2149
2150 msg = (struct sadb_msg*)request;
2151 msg->sadb_msg_version = PF_KEY_V2;
2152 msg->sadb_msg_type = SADB_X_SPDGET;
2153 msg->sadb_msg_satype = 0;
2154 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2155
2156 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2157 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2158 pol->sadb_x_policy_id = policy->index;
2159 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2160 pol->sadb_x_policy_dir = dir2kernel(direction);
2161 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2162 PFKEY_EXT_ADD(msg, pol);
2163
2164 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2165 policy->src.mask);
2166 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2167 policy->dst.mask);
2168
2169 this->mutex->unlock(this->mutex);
2170
2171 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2172 {
2173 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
2174 policy_dir_names, direction);
2175 return FAILED;
2176 }
2177 else if (out->sadb_msg_errno)
2178 {
2179 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
2180 dst_ts, policy_dir_names, direction,
2181 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2182 free(out);
2183 return FAILED;
2184 }
2185 else if (parse_pfkey_message(out, &response) != SUCCESS)
2186 {
2187 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
2188 "from kernel failed", src_ts, dst_ts, policy_dir_names,
2189 direction);
2190 free(out);
2191 return FAILED;
2192 }
2193 else if (response.lft_current == NULL)
2194 {
2195 DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
2196 "use time", src_ts, dst_ts, policy_dir_names, direction);
2197 free(out);
2198 return FAILED;
2199 }
2200
2201 /* we need the monotonic time, but the kernel returns system time. */
2202 if (response.lft_current->sadb_lifetime_usetime)
2203 {
2204 *use_time = time_monotonic(NULL) -
2205 (time(NULL) - response.lft_current->sadb_lifetime_usetime);
2206 }
2207 else
2208 {
2209 *use_time = 0;
2210 }
2211 free(out);
2212 return SUCCESS;
2213 }
2214
2215 METHOD(kernel_ipsec_t, del_policy, status_t,
2216 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
2217 traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
2218 mark_t mark, policy_priority_t prio)
2219 {
2220 unsigned char request[PFKEY_BUFFER_SIZE];
2221 struct sadb_msg *msg, *out;
2222 struct sadb_x_policy *pol;
2223 policy_entry_t *policy, *found = NULL;
2224 policy_sa_t *mapping;
2225 enumerator_t *enumerator;
2226 bool is_installed = TRUE;
2227 u_int32_t priority;
2228 size_t len;
2229
2230 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2231 { /* FWD policies are not supported on all platforms */
2232 return SUCCESS;
2233 }
2234
2235 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
2236 policy_dir_names, direction);
2237
2238 /* create a policy */
2239 policy = create_policy_entry(src_ts, dst_ts, direction);
2240
2241 /* find a matching policy */
2242 this->mutex->lock(this->mutex);
2243 if (this->policies->find_first(this->policies,
2244 (linked_list_match_t)policy_entry_equals,
2245 (void**)&found, policy) != SUCCESS)
2246 {
2247 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
2248 dst_ts, policy_dir_names, direction);
2249 policy_entry_destroy(policy, this);
2250 this->mutex->unlock(this->mutex);
2251 return NOT_FOUND;
2252 }
2253 policy_entry_destroy(policy, this);
2254 policy = found;
2255
2256 /* remove mapping to SA by reqid and priority */
2257 priority = get_priority(policy, prio);
2258 enumerator = policy->used_by->create_enumerator(policy->used_by);
2259 while (enumerator->enumerate(enumerator, (void**)&mapping))
2260 {
2261 if (reqid == mapping->sa->cfg.reqid && priority == mapping->priority)
2262 {
2263 policy->used_by->remove_at(policy->used_by, enumerator);
2264 break;
2265 }
2266 is_installed = FALSE;
2267 }
2268 enumerator->destroy(enumerator);
2269
2270 if (policy->used_by->get_count(policy->used_by) > 0)
2271 { /* policy is used by more SAs, keep in kernel */
2272 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2273 policy_sa_destroy(mapping, &direction, this);
2274
2275 if (!is_installed)
2276 { /* no need to update as the policy was not installed for this SA */
2277 this->mutex->unlock(this->mutex);
2278 return SUCCESS;
2279 }
2280
2281 DBG2(DBG_KNL, "updating policy %R === %R %N", src_ts, dst_ts,
2282 policy_dir_names, direction);
2283 policy->used_by->get_first(policy->used_by, (void**)&mapping);
2284 if (add_policy_internal(this, policy, mapping, TRUE) != SUCCESS)
2285 {
2286 DBG1(DBG_KNL, "unable to update policy %R === %R %N",
2287 src_ts, dst_ts, policy_dir_names, direction);
2288 return FAILED;
2289 }
2290 return SUCCESS;
2291 }
2292
2293 memset(&request, 0, sizeof(request));
2294
2295 msg = (struct sadb_msg*)request;
2296 msg->sadb_msg_version = PF_KEY_V2;
2297 msg->sadb_msg_type = SADB_X_SPDDELETE;
2298 msg->sadb_msg_satype = 0;
2299 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2300
2301 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2302 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2303 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2304 pol->sadb_x_policy_dir = dir2kernel(direction);
2305 pol->sadb_x_policy_type = type2kernel(mapping->type);
2306 PFKEY_EXT_ADD(msg, pol);
2307
2308 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2309 policy->src.mask);
2310 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2311 policy->dst.mask);
2312
2313 if (policy->route)
2314 {
2315 route_entry_t *route = policy->route;
2316 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2317 route->dst_net, route->prefixlen, route->gateway,
2318 route->src_ip, route->if_name) != SUCCESS)
2319 {
2320 DBG1(DBG_KNL, "error uninstalling route installed with "
2321 "policy %R === %R %N", src_ts, dst_ts,
2322 policy_dir_names, direction);
2323 }
2324 }
2325
2326 this->policies->remove(this->policies, found, NULL);
2327 policy_sa_destroy(mapping, &direction, this);
2328 policy_entry_destroy(policy, this);
2329 this->mutex->unlock(this->mutex);
2330
2331 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2332 {
2333 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2334 policy_dir_names, direction);
2335 return FAILED;
2336 }
2337 else if (out->sadb_msg_errno)
2338 {
2339 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
2340 dst_ts, policy_dir_names, direction,
2341 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2342 free(out);
2343 return FAILED;
2344 }
2345 free(out);
2346 return SUCCESS;
2347 }
2348
2349 /**
2350 * Register a socket for ACQUIRE/EXPIRE messages
2351 */
2352 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
2353 u_int8_t satype)
2354 {
2355 unsigned char request[PFKEY_BUFFER_SIZE];
2356 struct sadb_msg *msg, *out;
2357 size_t len;
2358
2359 memset(&request, 0, sizeof(request));
2360
2361 msg = (struct sadb_msg*)request;
2362 msg->sadb_msg_version = PF_KEY_V2;
2363 msg->sadb_msg_type = SADB_REGISTER;
2364 msg->sadb_msg_satype = satype;
2365 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2366
2367 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2368 {
2369 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2370 return FAILED;
2371 }
2372 else if (out->sadb_msg_errno)
2373 {
2374 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2375 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2376 free(out);
2377 return FAILED;
2378 }
2379 free(out);
2380 return SUCCESS;
2381 }
2382
2383 METHOD(kernel_ipsec_t, bypass_socket, bool,
2384 private_kernel_pfkey_ipsec_t *this, int fd, int family)
2385 {
2386 struct sadb_x_policy policy;
2387 u_int sol, ipsec_policy;
2388
2389 switch (family)
2390 {
2391 case AF_INET:
2392 {
2393 sol = SOL_IP;
2394 ipsec_policy = IP_IPSEC_POLICY;
2395 break;
2396 }
2397 case AF_INET6:
2398 {
2399 sol = SOL_IPV6;
2400 ipsec_policy = IPV6_IPSEC_POLICY;
2401 break;
2402 }
2403 default:
2404 return FALSE;
2405 }
2406
2407 memset(&policy, 0, sizeof(policy));
2408 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
2409 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2410 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
2411
2412 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
2413 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2414 {
2415 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2416 strerror(errno));
2417 return FALSE;
2418 }
2419 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
2420 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2421 {
2422 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2423 strerror(errno));
2424 return FALSE;
2425 }
2426 return TRUE;
2427 }
2428
2429 METHOD(kernel_ipsec_t, destroy, void,
2430 private_kernel_pfkey_ipsec_t *this)
2431 {
2432 if (this->job)
2433 {
2434 this->job->cancel(this->job);
2435 }
2436 if (this->socket > 0)
2437 {
2438 close(this->socket);
2439 }
2440 if (this->socket_events > 0)
2441 {
2442 close(this->socket_events);
2443 }
2444 this->policies->invoke_function(this->policies,
2445 (linked_list_invoke_t)policy_entry_destroy,
2446 this);
2447 this->policies->destroy(this->policies);
2448 this->sas->destroy(this->sas);
2449 this->mutex->destroy(this->mutex);
2450 this->mutex_pfkey->destroy(this->mutex_pfkey);
2451 free(this);
2452 }
2453
2454 /*
2455 * Described in header.
2456 */
2457 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
2458 {
2459 private_kernel_pfkey_ipsec_t *this;
2460
2461 INIT(this,
2462 .public = {
2463 .interface = {
2464 .get_spi = _get_spi,
2465 .get_cpi = _get_cpi,
2466 .add_sa = _add_sa,
2467 .update_sa = _update_sa,
2468 .query_sa = _query_sa,
2469 .del_sa = _del_sa,
2470 .add_policy = _add_policy,
2471 .query_policy = _query_policy,
2472 .del_policy = _del_policy,
2473 .bypass_socket = _bypass_socket,
2474 .destroy = _destroy,
2475 },
2476 },
2477 .policies = linked_list_create(),
2478 .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
2479 (hashtable_equals_t)ipsec_sa_equals, 32),
2480 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2481 .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
2482 .install_routes = lib->settings->get_bool(lib->settings,
2483 "%s.install_routes", TRUE,
2484 hydra->daemon),
2485 );
2486
2487 if (streq(hydra->daemon, "pluto"))
2488 { /* no routes for pluto, they are installed via updown script */
2489 this->install_routes = FALSE;
2490 }
2491
2492 /* create a PF_KEY socket to communicate with the kernel */
2493 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2494 if (this->socket <= 0)
2495 {
2496 DBG1(DBG_KNL, "unable to create PF_KEY socket");
2497 destroy(this);
2498 return NULL;
2499 }
2500
2501 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2502 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2503 if (this->socket_events <= 0)
2504 {
2505 DBG1(DBG_KNL, "unable to create PF_KEY event socket");
2506 destroy(this);
2507 return NULL;
2508 }
2509
2510 /* register the event socket */
2511 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2512 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2513 {
2514 DBG1(DBG_KNL, "unable to register PF_KEY event socket");
2515 destroy(this);
2516 return NULL;
2517 }
2518
2519 this->job = callback_job_create_with_prio((callback_job_cb_t)receive_events,
2520 this, NULL, NULL, JOB_PRIO_CRITICAL);
2521 lib->processor->queue_job(lib->processor, (job_t*)this->job);
2522
2523 return &this->public;
2524 }
2525