2bce6067f4752ac7acfc8c936cef418457cef34b
[strongswan.git] / src / libhydra / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2011 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef __FreeBSD__
21 #include <limits.h> /* for LONG_MAX */
22 #endif
23
24 #ifdef HAVE_NET_PFKEYV2_H
25 #include <net/pfkeyv2.h>
26 #else
27 #include <stdint.h>
28 #include <linux/pfkeyv2.h>
29 #endif
30
31 #ifdef SADB_X_EXT_NAT_T_TYPE
32 #define HAVE_NATT
33 #endif
34
35 #ifdef HAVE_NETIPSEC_IPSEC_H
36 #include <netipsec/ipsec.h>
37 #elif defined(HAVE_NETINET6_IPSEC_H)
38 #include <netinet6/ipsec.h>
39 #else
40 #include <linux/ipsec.h>
41 #endif
42
43 #ifdef HAVE_NATT
44 #ifdef HAVE_LINUX_UDP_H
45 #include <linux/udp.h>
46 #else
47 #include <netinet/udp.h>
48 #endif /*HAVE_LINUX_UDP_H*/
49 #endif /*HAVE_NATT*/
50
51 #include <unistd.h>
52 #include <time.h>
53 #include <errno.h>
54
55 #include "kernel_pfkey_ipsec.h"
56
57 #include <hydra.h>
58 #include <debug.h>
59 #include <utils/host.h>
60 #include <utils/linked_list.h>
61 #include <utils/hashtable.h>
62 #include <threading/thread.h>
63 #include <threading/mutex.h>
64 #include <processing/jobs/callback_job.h>
65
66 /** non linux specific */
67 #ifndef IPPROTO_COMP
68 #ifdef IPPROTO_IPCOMP
69 #define IPPROTO_COMP IPPROTO_IPCOMP
70 #endif
71 #endif
72
73 #ifndef SADB_X_AALG_SHA2_256HMAC
74 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
75 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
76 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
77 #endif
78
79 #ifndef SADB_X_EALG_AESCBC
80 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
81 #endif
82
83 #ifndef SADB_X_EALG_CASTCBC
84 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
85 #endif
86
87 #ifndef SOL_IP
88 #define SOL_IP IPPROTO_IP
89 #define SOL_IPV6 IPPROTO_IPV6
90 #endif
91
92 /** from linux/in.h */
93 #ifndef IP_IPSEC_POLICY
94 #define IP_IPSEC_POLICY 16
95 #endif
96
97 /** missing on uclibc */
98 #ifndef IPV6_IPSEC_POLICY
99 #define IPV6_IPSEC_POLICY 34
100 #endif
101
102 /** default priority of installed policies */
103 #define PRIO_BASE 512
104
105 #ifdef __APPLE__
106 /** from xnu/bsd/net/pfkeyv2.h */
107 #define SADB_X_EXT_NATT 0x002
108 struct sadb_sa_2 {
109 struct sadb_sa sa;
110 u_int16_t sadb_sa_natt_port;
111 u_int16_t sadb_reserved0;
112 u_int32_t sadb_reserved1;
113 };
114 #endif
115
116 /** buffer size for PF_KEY messages */
117 #define PFKEY_BUFFER_SIZE 4096
118
119 /** PF_KEY messages are 64 bit aligned */
120 #define PFKEY_ALIGNMENT 8
121 /** aligns len to 64 bits */
122 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
123 /** calculates the properly padded length in 64 bit chunks */
124 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
125 /** calculates user mode length i.e. in bytes */
126 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
127
128 /** given a PF_KEY message header and an extension this updates the length in the header */
129 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
130 /** given a PF_KEY message header this returns a pointer to the next extension */
131 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
132 /** copy an extension and append it to a PF_KEY message */
133 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
134 /** given a PF_KEY extension this returns a pointer to the next extension */
135 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
136 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
137 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
138 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
139 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
140 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
141 (ext)->sadb_ext_len <= (len))
142
143 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
144
145 /**
146 * Private variables and functions of kernel_pfkey class.
147 */
148 struct private_kernel_pfkey_ipsec_t
149 {
150 /**
151 * Public part of the kernel_pfkey_t object.
152 */
153 kernel_pfkey_ipsec_t public;
154
155 /**
156 * mutex to lock access to various lists
157 */
158 mutex_t *mutex;
159
160 /**
161 * List of installed policies (policy_entry_t)
162 */
163 linked_list_t *policies;
164
165 /**
166 * Hash table of IPsec SAs using policies (ipsec_sa_t)
167 */
168 hashtable_t *sas;
169
170 /**
171 * whether to install routes along policies
172 */
173 bool install_routes;
174
175 /**
176 * job receiving PF_KEY events
177 */
178 callback_job_t *job;
179
180 /**
181 * mutex to lock access to the PF_KEY socket
182 */
183 mutex_t *mutex_pfkey;
184
185 /**
186 * PF_KEY socket to communicate with the kernel
187 */
188 int socket;
189
190 /**
191 * PF_KEY socket to receive acquire and expire events
192 */
193 int socket_events;
194
195 /**
196 * sequence number for messages sent to the kernel
197 */
198 int seq;
199 };
200
201 typedef struct route_entry_t route_entry_t;
202
203 /**
204 * installed routing entry
205 */
206 struct route_entry_t {
207 /** name of the interface the route is bound to */
208 char *if_name;
209
210 /** source ip of the route */
211 host_t *src_ip;
212
213 /** gateway for this route */
214 host_t *gateway;
215
216 /** destination net */
217 chunk_t dst_net;
218
219 /** destination net prefixlen */
220 u_int8_t prefixlen;
221 };
222
223 /**
224 * destroy an route_entry_t object
225 */
226 static void route_entry_destroy(route_entry_t *this)
227 {
228 free(this->if_name);
229 DESTROY_IF(this->src_ip);
230 DESTROY_IF(this->gateway);
231 chunk_free(&this->dst_net);
232 free(this);
233 }
234
235 /**
236 * compare two route_entry_t objects
237 */
238 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
239 {
240 return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
241 a->src_ip->equals(a->src_ip, b->src_ip) &&
242 a->gateway->equals(a->gateway, b->gateway) &&
243 chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
244 }
245
246 typedef struct ipsec_sa_t ipsec_sa_t;
247
248 /**
249 * IPsec SA assigned to a policy.
250 */
251 struct ipsec_sa_t {
252 /** Source address of this SA */
253 host_t *src;
254
255 /** Destination address of this SA */
256 host_t *dst;
257
258 /** Description of this SA */
259 ipsec_sa_cfg_t cfg;
260
261 /** Reference count for this SA */
262 refcount_t refcount;
263 };
264
265 /**
266 * Hash function for ipsec_sa_t objects
267 */
268 static u_int ipsec_sa_hash(ipsec_sa_t *sa)
269 {
270 return chunk_hash_inc(sa->src->get_address(sa->src),
271 chunk_hash_inc(sa->dst->get_address(sa->dst),
272 chunk_hash(chunk_from_thing(sa->cfg))));
273 }
274
275 /**
276 * Equality function for ipsec_sa_t objects
277 */
278 static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
279 {
280 return sa->src->ip_equals(sa->src, other_sa->src) &&
281 sa->dst->ip_equals(sa->dst, other_sa->dst) &&
282 memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t));
283 }
284
285 /**
286 * Allocate or reference an IPsec SA object
287 */
288 static ipsec_sa_t *ipsec_sa_create(private_kernel_pfkey_ipsec_t *this,
289 host_t *src, host_t *dst,
290 ipsec_sa_cfg_t *cfg)
291 {
292 ipsec_sa_t *sa, *found;
293 INIT(sa,
294 .src = src,
295 .dst = dst,
296 .cfg = *cfg,
297 );
298 found = this->sas->get(this->sas, sa);
299 if (!found)
300 {
301 sa->src = src->clone(src);
302 sa->dst = dst->clone(dst);
303 this->sas->put(this->sas, sa, sa);
304 }
305 else
306 {
307 free(sa);
308 sa = found;
309 }
310 ref_get(&sa->refcount);
311 return sa;
312 }
313
314 /**
315 * Release and destroy an IPsec SA object
316 */
317 static void ipsec_sa_destroy(private_kernel_pfkey_ipsec_t *this,
318 ipsec_sa_t *sa)
319 {
320 if (ref_put(&sa->refcount))
321 {
322 this->sas->remove(this->sas, sa);
323 DESTROY_IF(sa->src);
324 DESTROY_IF(sa->dst);
325 free(sa);
326 }
327 }
328
329 typedef struct policy_sa_t policy_sa_t;
330 typedef struct policy_sa_fwd_t policy_sa_fwd_t;
331
332 /**
333 * Mapping between a policy and an IPsec SA.
334 */
335 struct policy_sa_t {
336 /** Priority assigned to the policy when installed with this SA */
337 u_int32_t priority;
338
339 /** Type of the policy */
340 policy_type_t type;
341
342 /** Assigned SA */
343 ipsec_sa_t *sa;
344 };
345
346 /**
347 * For forward policies we also cache the traffic selectors in order to install
348 * the route.
349 */
350 struct policy_sa_fwd_t {
351 /** Generic interface */
352 policy_sa_t generic;
353
354 /** Source traffic selector of this policy */
355 traffic_selector_t *src_ts;
356
357 /** Destination traffic selector of this policy */
358 traffic_selector_t *dst_ts;
359 };
360
361 /**
362 * Create a policy_sa(_fwd)_t object
363 */
364 static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this,
365 policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
366 traffic_selector_t *src_ts, traffic_selector_t *dst_ts, ipsec_sa_cfg_t *cfg)
367 {
368 policy_sa_t *policy;
369
370 if (dir == POLICY_FWD)
371 {
372 policy_sa_fwd_t *fwd;
373 INIT(fwd,
374 .src_ts = src_ts->clone(src_ts),
375 .dst_ts = dst_ts->clone(dst_ts),
376 );
377 policy = &fwd->generic;
378 }
379 else
380 {
381 INIT(policy);
382 }
383 policy->type = type;
384 policy->sa = ipsec_sa_create(this, src, dst, cfg);
385 return policy;
386 }
387
388 /**
389 * Destroy a policy_sa(_fwd)_t object
390 */
391 static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir,
392 private_kernel_pfkey_ipsec_t *this)
393 {
394 if (*dir == POLICY_FWD)
395 {
396 policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)policy;
397 fwd->src_ts->destroy(fwd->src_ts);
398 fwd->dst_ts->destroy(fwd->dst_ts);
399 }
400 ipsec_sa_destroy(this, policy->sa);
401 free(policy);
402 }
403
404 typedef struct policy_entry_t policy_entry_t;
405
406 /**
407 * installed kernel policy.
408 */
409 struct policy_entry_t {
410 /** Index assigned by the kernel */
411 u_int32_t index;
412
413 /** Direction of this policy: in, out, forward */
414 u_int8_t direction;
415
416 /** Parameters of installed policy */
417 struct {
418 /** Subnet and port */
419 host_t *net;
420 /** Subnet mask */
421 u_int8_t mask;
422 /** Protocol */
423 u_int8_t proto;
424 } src, dst;
425
426 /** Associated route installed for this policy */
427 route_entry_t *route;
428
429 /** List of SAs this policy is used by, ordered by priority */
430 linked_list_t *used_by;
431 };
432
433 /**
434 * Create a policy_entry_t object
435 */
436 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
437 traffic_selector_t *dst_ts,
438 policy_dir_t dir)
439 {
440 policy_entry_t *policy;
441 INIT(policy,
442 .direction = dir,
443 );
444
445 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
446 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
447
448 /* src or dest proto may be "any" (0), use more restrictive one */
449 policy->src.proto = max(src_ts->get_protocol(src_ts),
450 dst_ts->get_protocol(dst_ts));
451 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
452 policy->dst.proto = policy->src.proto;
453
454 return policy;
455 }
456
457 /**
458 * Destroy a policy_entry_t object
459 */
460 static void policy_entry_destroy(policy_entry_t *policy,
461 private_kernel_pfkey_ipsec_t *this)
462 {
463 if (policy->route)
464 {
465 route_entry_destroy(policy->route);
466 }
467 if (policy->used_by)
468 {
469 policy->used_by->invoke_function(policy->used_by,
470 (linked_list_invoke_t)policy_sa_destroy,
471 &policy->direction, this);
472 policy->used_by->destroy(policy->used_by);
473 }
474 DESTROY_IF(policy->src.net);
475 DESTROY_IF(policy->dst.net);
476 free(policy);
477 }
478
479 /**
480 * compares two policy_entry_t
481 */
482 static inline bool policy_entry_equals(policy_entry_t *current,
483 policy_entry_t *policy)
484 {
485 return current->direction == policy->direction &&
486 current->src.proto == policy->src.proto &&
487 current->dst.proto == policy->dst.proto &&
488 current->src.mask == policy->src.mask &&
489 current->dst.mask == policy->dst.mask &&
490 current->src.net->equals(current->src.net, policy->src.net) &&
491 current->dst.net->equals(current->dst.net, policy->dst.net);
492 }
493
494 /**
495 * compare the given kernel index with that of a policy
496 */
497 static inline bool policy_entry_match_byindex(policy_entry_t *current,
498 u_int32_t *index)
499 {
500 return current->index == *index;
501 }
502
503 /**
504 * Calculate the priority of a policy
505 */
506 static inline u_int32_t get_priority(policy_entry_t *policy,
507 policy_priority_t prio)
508 {
509 u_int32_t priority = PRIO_BASE;
510 switch (prio)
511 {
512 case POLICY_PRIORITY_FALLBACK:
513 priority <<= 1;
514 /* fall-through */
515 case POLICY_PRIORITY_ROUTED:
516 priority <<= 1;
517 /* fall-through */
518 case POLICY_PRIORITY_DEFAULT:
519 break;
520 }
521 /* calculate priority based on selector size, small size = high prio */
522 priority -= policy->src.mask;
523 priority -= policy->dst.mask;
524 priority <<= 2; /* make some room for the two flags */
525 priority += policy->src.net->get_port(policy->src.net) ||
526 policy->dst.net->get_port(policy->dst.net) ?
527 0 : 2;
528 priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1;
529 return priority;
530 }
531
532 typedef struct pfkey_msg_t pfkey_msg_t;
533
534 struct pfkey_msg_t
535 {
536 /**
537 * PF_KEY message base
538 */
539 struct sadb_msg *msg;
540
541 /**
542 * PF_KEY message extensions
543 */
544 union {
545 struct sadb_ext *ext[SADB_EXT_MAX + 1];
546 struct {
547 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
548 struct sadb_sa *sa; /* SADB_EXT_SA */
549 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
550 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
551 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
552 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
553 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
554 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
555 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
556 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
557 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
558 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
559 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
560 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
561 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
562 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
563 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
564 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
565 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
566 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
567 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
568 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
569 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
570 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
571 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
572 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
573 } __attribute__((__packed__));
574 };
575 };
576
577 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
578 "SADB_EXT_RESERVED",
579 "SADB_EXT_SA",
580 "SADB_EXT_LIFETIME_CURRENT",
581 "SADB_EXT_LIFETIME_HARD",
582 "SADB_EXT_LIFETIME_SOFT",
583 "SADB_EXT_ADDRESS_SRC",
584 "SADB_EXT_ADDRESS_DST",
585 "SADB_EXT_ADDRESS_PROXY",
586 "SADB_EXT_KEY_AUTH",
587 "SADB_EXT_KEY_ENCRYPT",
588 "SADB_EXT_IDENTITY_SRC",
589 "SADB_EXT_IDENTITY_DST",
590 "SADB_EXT_SENSITIVITY",
591 "SADB_EXT_PROPOSAL",
592 "SADB_EXT_SUPPORTED_AUTH",
593 "SADB_EXT_SUPPORTED_ENCRYPT",
594 "SADB_EXT_SPIRANGE",
595 "SADB_X_EXT_KMPRIVATE",
596 "SADB_X_EXT_POLICY",
597 "SADB_X_EXT_SA2",
598 "SADB_X_EXT_NAT_T_TYPE",
599 "SADB_X_EXT_NAT_T_SPORT",
600 "SADB_X_EXT_NAT_T_DPORT",
601 "SADB_X_EXT_NAT_T_OA",
602 "SADB_X_EXT_SEC_CTX",
603 "SADB_X_EXT_KMADDRESS"
604 );
605
606 /**
607 * convert a protocol identifier to the PF_KEY sa type
608 */
609 static u_int8_t proto2satype(u_int8_t proto)
610 {
611 switch (proto)
612 {
613 case IPPROTO_ESP:
614 return SADB_SATYPE_ESP;
615 case IPPROTO_AH:
616 return SADB_SATYPE_AH;
617 case IPPROTO_COMP:
618 return SADB_X_SATYPE_IPCOMP;
619 default:
620 return proto;
621 }
622 }
623
624 /**
625 * convert a PF_KEY sa type to a protocol identifier
626 */
627 static u_int8_t satype2proto(u_int8_t satype)
628 {
629 switch (satype)
630 {
631 case SADB_SATYPE_ESP:
632 return IPPROTO_ESP;
633 case SADB_SATYPE_AH:
634 return IPPROTO_AH;
635 case SADB_X_SATYPE_IPCOMP:
636 return IPPROTO_COMP;
637 default:
638 return satype;
639 }
640 }
641
642 /**
643 * convert the general ipsec mode to the one defined in ipsec.h
644 */
645 static u_int8_t mode2kernel(ipsec_mode_t mode)
646 {
647 switch (mode)
648 {
649 case MODE_TRANSPORT:
650 return IPSEC_MODE_TRANSPORT;
651 case MODE_TUNNEL:
652 return IPSEC_MODE_TUNNEL;
653 #ifdef HAVE_IPSEC_MODE_BEET
654 case MODE_BEET:
655 return IPSEC_MODE_BEET;
656 #endif
657 default:
658 return mode;
659 }
660 }
661
662 /**
663 * convert the general policy direction to the one defined in ipsec.h
664 */
665 static u_int8_t dir2kernel(policy_dir_t dir)
666 {
667 switch (dir)
668 {
669 case POLICY_IN:
670 return IPSEC_DIR_INBOUND;
671 case POLICY_OUT:
672 return IPSEC_DIR_OUTBOUND;
673 #ifdef HAVE_IPSEC_DIR_FWD
674 case POLICY_FWD:
675 return IPSEC_DIR_FWD;
676 #endif
677 default:
678 return IPSEC_DIR_INVALID;
679 }
680 }
681
682 /**
683 * convert the policy type to the one defined in ipsec.h
684 */
685 static inline u_int16_t type2kernel(policy_type_t type)
686 {
687 switch (type)
688 {
689 case POLICY_IPSEC:
690 return IPSEC_POLICY_IPSEC;
691 case POLICY_PASS:
692 return IPSEC_POLICY_NONE;
693 case POLICY_DROP:
694 return IPSEC_POLICY_DISCARD;
695 }
696 return type;
697 }
698
699 #ifdef SADB_X_MIGRATE
700 /**
701 * convert the policy direction in ipsec.h to the general one.
702 */
703 static policy_dir_t kernel2dir(u_int8_t dir)
704 {
705 switch (dir)
706 {
707 case IPSEC_DIR_INBOUND:
708 return POLICY_IN;
709 case IPSEC_DIR_OUTBOUND:
710 return POLICY_OUT;
711 #ifdef HAVE_IPSEC_DIR_FWD
712 case IPSEC_DIR_FWD:
713 return POLICY_FWD;
714 #endif
715 default:
716 return dir;
717 }
718 }
719 #endif /*SADB_X_MIGRATE*/
720
721 typedef struct kernel_algorithm_t kernel_algorithm_t;
722
723 /**
724 * Mapping of IKEv2 algorithms to PF_KEY algorithms
725 */
726 struct kernel_algorithm_t {
727 /**
728 * Identifier specified in IKEv2
729 */
730 int ikev2;
731
732 /**
733 * Identifier as defined in pfkeyv2.h
734 */
735 int kernel;
736 };
737
738 #define END_OF_LIST -1
739
740 /**
741 * Algorithms for encryption
742 */
743 static kernel_algorithm_t encryption_algs[] = {
744 /* {ENCR_DES_IV64, 0 }, */
745 {ENCR_DES, SADB_EALG_DESCBC },
746 {ENCR_3DES, SADB_EALG_3DESCBC },
747 /* {ENCR_RC5, 0 }, */
748 /* {ENCR_IDEA, 0 }, */
749 {ENCR_CAST, SADB_X_EALG_CASTCBC },
750 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
751 /* {ENCR_3IDEA, 0 }, */
752 /* {ENCR_DES_IV32, 0 }, */
753 {ENCR_NULL, SADB_EALG_NULL },
754 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
755 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
756 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
757 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
758 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
759 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
760 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
761 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
762 {END_OF_LIST, 0 },
763 };
764
765 /**
766 * Algorithms for integrity protection
767 */
768 static kernel_algorithm_t integrity_algs[] = {
769 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
770 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
771 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
772 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
773 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
774 /* {AUTH_DES_MAC, 0, }, */
775 /* {AUTH_KPDK_MD5, 0, }, */
776 #ifdef SADB_X_AALG_AES_XCBC_MAC
777 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
778 #endif
779 {END_OF_LIST, 0, },
780 };
781
782 #if 0
783 /**
784 * Algorithms for IPComp, unused yet
785 */
786 static kernel_algorithm_t compression_algs[] = {
787 /* {IPCOMP_OUI, 0 }, */
788 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
789 {IPCOMP_LZS, SADB_X_CALG_LZS },
790 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
791 {END_OF_LIST, 0 },
792 };
793 #endif
794
795 /**
796 * Look up a kernel algorithm ID and its key size
797 */
798 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
799 {
800 while (list->ikev2 != END_OF_LIST)
801 {
802 if (ikev2 == list->ikev2)
803 {
804 return list->kernel;
805 }
806 list++;
807 }
808 return 0;
809 }
810
811 /**
812 * Copy a host_t as sockaddr_t to the given memory location. Ports are
813 * reset to zero as per RFC 2367.
814 * @return the number of bytes copied
815 */
816 static size_t hostcpy(void *dest, host_t *host)
817 {
818 sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
819 socklen_t *len = host->get_sockaddr_len(host);
820 memcpy(dest, addr, *len);
821 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
822 dest_addr->sa_len = *len;
823 #endif
824 switch (dest_addr->sa_family)
825 {
826 case AF_INET:
827 {
828 struct sockaddr_in *sin = dest;
829 sin->sin_port = 0;
830 break;
831 }
832 case AF_INET6:
833 {
834 struct sockaddr_in6 *sin6 = dest;
835 sin6->sin6_port = 0;
836 break;
837 }
838 }
839 return *len;
840 }
841
842 /**
843 * add a host behind an sadb_address extension
844 */
845 static void host2ext(host_t *host, struct sadb_address *ext)
846 {
847 size_t len = hostcpy(ext + 1, host);
848 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len);
849 }
850
851 /**
852 * add a host to the given sadb_msg
853 */
854 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
855 u_int8_t proto, u_int8_t prefixlen)
856 {
857 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
858 addr->sadb_address_exttype = type;
859 addr->sadb_address_proto = proto;
860 addr->sadb_address_prefixlen = prefixlen;
861 host2ext(host, addr);
862 PFKEY_EXT_ADD(msg, addr);
863 }
864
865 /**
866 * adds an empty address extension to the given sadb_msg
867 */
868 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
869 {
870 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
871 sizeof(struct sockaddr_in6);
872 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
873 addr->sadb_address_exttype = type;
874 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
875 saddr->sa_family = family;
876 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
877 saddr->sa_len = len;
878 #endif
879 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
880 PFKEY_EXT_ADD(msg, addr);
881 }
882
883 #ifdef HAVE_NATT
884 /**
885 * add udp encap extensions to a sadb_msg
886 */
887 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
888 {
889 struct sadb_x_nat_t_type* nat_type;
890 struct sadb_x_nat_t_port* nat_port;
891
892 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
893 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
894 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(*nat_type));
895 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
896 PFKEY_EXT_ADD(msg, nat_type);
897
898 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
899 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
900 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
901 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
902 PFKEY_EXT_ADD(msg, nat_port);
903
904 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
905 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
906 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
907 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
908 PFKEY_EXT_ADD(msg, nat_port);
909 }
910 #endif /*HAVE_NATT*/
911
912 /**
913 * Convert a sadb_address to a traffic_selector
914 */
915 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
916 {
917 traffic_selector_t *ts;
918 host_t *host;
919
920 /* The Linux 2.6 kernel does not set the protocol and port information
921 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
922 */
923 host = host_create_from_sockaddr((sockaddr_t*)&address[1]);
924 ts = traffic_selector_create_from_subnet(host,
925 address->sadb_address_prefixlen,
926 address->sadb_address_proto,
927 host->get_port(host));
928 return ts;
929 }
930
931 /**
932 * Parses a pfkey message received from the kernel
933 */
934 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
935 {
936 struct sadb_ext* ext;
937 size_t len;
938
939 memset(out, 0, sizeof(pfkey_msg_t));
940 out->msg = msg;
941
942 len = msg->sadb_msg_len;
943 len -= PFKEY_LEN(sizeof(struct sadb_msg));
944
945 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
946
947 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
948 {
949 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
950 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
951 ext->sadb_ext_len > len)
952 {
953 DBG1(DBG_KNL, "length of %N extension is invalid",
954 sadb_ext_type_names, ext->sadb_ext_type);
955 break;
956 }
957
958 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
959 {
960 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid",
961 ext->sadb_ext_type);
962 break;
963 }
964
965 if (out->ext[ext->sadb_ext_type])
966 {
967 DBG1(DBG_KNL, "duplicate %N extension",
968 sadb_ext_type_names, ext->sadb_ext_type);
969 break;
970 }
971
972 out->ext[ext->sadb_ext_type] = ext;
973 ext = PFKEY_EXT_NEXT_LEN(ext, len);
974 }
975
976 if (len)
977 {
978 DBG1(DBG_KNL, "PF_KEY message length is invalid");
979 return FAILED;
980 }
981
982 return SUCCESS;
983 }
984
985 /**
986 * Send a message to a specific PF_KEY socket and handle the response.
987 */
988 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
989 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
990 {
991 unsigned char buf[PFKEY_BUFFER_SIZE];
992 struct sadb_msg *msg;
993 int in_len, len;
994
995 this->mutex_pfkey->lock(this->mutex_pfkey);
996
997 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
998 * in particular the behavior in response to an SADB_ACQUIRE. */
999 in->sadb_msg_seq = ++this->seq;
1000 in->sadb_msg_pid = getpid();
1001
1002 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
1003
1004 while (TRUE)
1005 {
1006 len = send(socket, in, in_len, 0);
1007
1008 if (len != in_len)
1009 {
1010 if (errno == EINTR)
1011 {
1012 /* interrupted, try again */
1013 continue;
1014 }
1015 this->mutex_pfkey->unlock(this->mutex_pfkey);
1016 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s",
1017 strerror(errno));
1018 return FAILED;
1019 }
1020 break;
1021 }
1022
1023 while (TRUE)
1024 {
1025 msg = (struct sadb_msg*)buf;
1026
1027 len = recv(socket, buf, sizeof(buf), 0);
1028
1029 if (len < 0)
1030 {
1031 if (errno == EINTR)
1032 {
1033 DBG1(DBG_KNL, "got interrupted");
1034 /* interrupted, try again */
1035 continue;
1036 }
1037 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s",
1038 strerror(errno));
1039 this->mutex_pfkey->unlock(this->mutex_pfkey);
1040 return FAILED;
1041 }
1042 if (len < sizeof(struct sadb_msg) ||
1043 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1044 {
1045 DBG1(DBG_KNL, "received corrupted PF_KEY message");
1046 this->mutex_pfkey->unlock(this->mutex_pfkey);
1047 return FAILED;
1048 }
1049 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1050 {
1051 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY "
1052 "message");
1053 this->mutex_pfkey->unlock(this->mutex_pfkey);
1054 return FAILED;
1055 }
1056 if (msg->sadb_msg_pid != in->sadb_msg_pid)
1057 {
1058 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
1059 continue;
1060 }
1061 if (msg->sadb_msg_seq != this->seq)
1062 {
1063 DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
1064 "number, was %d expected %d", msg->sadb_msg_seq,
1065 this->seq);
1066 if (msg->sadb_msg_seq == 0)
1067 {
1068 /* FreeBSD and Mac OS X do this for the response to
1069 * SADB_X_SPDGET (but not for the response to SADB_GET).
1070 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
1071 }
1072 else if (msg->sadb_msg_seq < this->seq)
1073 {
1074 continue;
1075 }
1076 else
1077 {
1078 this->mutex_pfkey->unlock(this->mutex_pfkey);
1079 return FAILED;
1080 }
1081 }
1082 if (msg->sadb_msg_type != in->sadb_msg_type)
1083 {
1084 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
1085 "was %d expected %d, ignoring", msg->sadb_msg_type,
1086 in->sadb_msg_type);
1087 }
1088 break;
1089 }
1090
1091 *out_len = len;
1092 *out = (struct sadb_msg*)malloc(len);
1093 memcpy(*out, buf, len);
1094
1095 this->mutex_pfkey->unlock(this->mutex_pfkey);
1096 return SUCCESS;
1097 }
1098
1099 /**
1100 * Send a message to the default PF_KEY socket and handle the response.
1101 */
1102 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
1103 struct sadb_msg *in, struct sadb_msg **out,
1104 size_t *out_len)
1105 {
1106 return pfkey_send_socket(this, this->socket, in, out, out_len);
1107 }
1108
1109 /**
1110 * Process a SADB_ACQUIRE message from the kernel
1111 */
1112 static void process_acquire(private_kernel_pfkey_ipsec_t *this,
1113 struct sadb_msg* msg)
1114 {
1115 pfkey_msg_t response;
1116 u_int32_t index, reqid = 0;
1117 traffic_selector_t *src_ts, *dst_ts;
1118 policy_entry_t *policy;
1119 policy_sa_t *sa;
1120
1121 switch (msg->sadb_msg_satype)
1122 {
1123 case SADB_SATYPE_UNSPEC:
1124 case SADB_SATYPE_ESP:
1125 case SADB_SATYPE_AH:
1126 break;
1127 default:
1128 /* acquire for AH/ESP only */
1129 return;
1130 }
1131 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
1132
1133 if (parse_pfkey_message(msg, &response) != SUCCESS)
1134 {
1135 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
1136 return;
1137 }
1138
1139 index = response.x_policy->sadb_x_policy_id;
1140 this->mutex->lock(this->mutex);
1141 if (this->policies->find_first(this->policies,
1142 (linked_list_match_t)policy_entry_match_byindex,
1143 (void**)&policy, &index) == SUCCESS &&
1144 policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS)
1145 {
1146 reqid = sa->sa->cfg.reqid;
1147 }
1148 else
1149 {
1150 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no "
1151 "matching policy found", index);
1152 }
1153 this->mutex->unlock(this->mutex);
1154
1155 src_ts = sadb_address2ts(response.src);
1156 dst_ts = sadb_address2ts(response.dst);
1157
1158 hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
1159 dst_ts);
1160 }
1161
1162 /**
1163 * Process a SADB_EXPIRE message from the kernel
1164 */
1165 static void process_expire(private_kernel_pfkey_ipsec_t *this,
1166 struct sadb_msg* msg)
1167 {
1168 pfkey_msg_t response;
1169 u_int8_t protocol;
1170 u_int32_t spi, reqid;
1171 bool hard;
1172
1173 DBG2(DBG_KNL, "received an SADB_EXPIRE");
1174
1175 if (parse_pfkey_message(msg, &response) != SUCCESS)
1176 {
1177 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
1178 return;
1179 }
1180
1181 protocol = satype2proto(msg->sadb_msg_satype);
1182 spi = response.sa->sadb_sa_spi;
1183 reqid = response.x_sa2->sadb_x_sa2_reqid;
1184 hard = response.lft_hard != NULL;
1185
1186 if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
1187 {
1188 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and "
1189 "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
1190 return;
1191 }
1192
1193 hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
1194 spi, hard);
1195 }
1196
1197 #ifdef SADB_X_MIGRATE
1198 /**
1199 * Process a SADB_X_MIGRATE message from the kernel
1200 */
1201 static void process_migrate(private_kernel_pfkey_ipsec_t *this,
1202 struct sadb_msg* msg)
1203 {
1204 pfkey_msg_t response;
1205 traffic_selector_t *src_ts, *dst_ts;
1206 policy_dir_t dir;
1207 u_int32_t reqid = 0;
1208 host_t *local = NULL, *remote = NULL;
1209
1210 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
1211
1212 if (parse_pfkey_message(msg, &response) != SUCCESS)
1213 {
1214 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
1215 return;
1216 }
1217 src_ts = sadb_address2ts(response.src);
1218 dst_ts = sadb_address2ts(response.dst);
1219 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
1220 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
1221 policy_dir_names, dir);
1222
1223 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
1224 if (response.x_kmaddress)
1225 {
1226 sockaddr_t *local_addr, *remote_addr;
1227 u_int32_t local_len;
1228
1229 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
1230 local = host_create_from_sockaddr(local_addr);
1231 local_len = (local_addr->sa_family == AF_INET6)?
1232 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
1233 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
1234 remote = host_create_from_sockaddr(remote_addr);
1235 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1236 }
1237
1238 if (src_ts && dst_ts && local && remote)
1239 {
1240 hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
1241 src_ts, dst_ts, dir, local, remote);
1242 }
1243 else
1244 {
1245 DESTROY_IF(src_ts);
1246 DESTROY_IF(dst_ts);
1247 DESTROY_IF(local);
1248 DESTROY_IF(remote);
1249 }
1250 }
1251 #endif /*SADB_X_MIGRATE*/
1252
1253 #ifdef SADB_X_NAT_T_NEW_MAPPING
1254 /**
1255 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1256 */
1257 static void process_mapping(private_kernel_pfkey_ipsec_t *this,
1258 struct sadb_msg* msg)
1259 {
1260 pfkey_msg_t response;
1261 u_int32_t spi, reqid;
1262 sockaddr_t *sa;
1263 host_t *host;
1264
1265 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1266
1267 if (parse_pfkey_message(msg, &response) != SUCCESS)
1268 {
1269 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1270 return;
1271 }
1272
1273 if (!response.x_sa2)
1274 {
1275 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required "
1276 "information");
1277 return;
1278 }
1279
1280 spi = response.sa->sadb_sa_spi;
1281 reqid = response.x_sa2->sadb_x_sa2_reqid;
1282
1283 if (satype2proto(msg->sadb_msg_satype) != IPPROTO_ESP)
1284 {
1285 return;
1286 }
1287
1288 sa = (sockaddr_t*)(response.dst + 1);
1289 switch (sa->sa_family)
1290 {
1291 case AF_INET:
1292 {
1293 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1294 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1295 }
1296 case AF_INET6:
1297 {
1298 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1299 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1300 }
1301 default:
1302 break;
1303 }
1304
1305 host = host_create_from_sockaddr(sa);
1306 if (host)
1307 {
1308 hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
1309 spi, host);
1310 }
1311 }
1312 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1313
1314 /**
1315 * Receives events from kernel
1316 */
1317 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1318 {
1319 unsigned char buf[PFKEY_BUFFER_SIZE];
1320 struct sadb_msg *msg = (struct sadb_msg*)buf;
1321 bool oldstate;
1322 int len;
1323
1324 oldstate = thread_cancelability(TRUE);
1325 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1326 thread_cancelability(oldstate);
1327
1328 if (len < 0)
1329 {
1330 switch (errno)
1331 {
1332 case EINTR:
1333 /* interrupted, try again */
1334 return JOB_REQUEUE_DIRECT;
1335 case EAGAIN:
1336 /* no data ready, select again */
1337 return JOB_REQUEUE_DIRECT;
1338 default:
1339 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1340 sleep(1);
1341 return JOB_REQUEUE_FAIR;
1342 }
1343 }
1344
1345 if (len < sizeof(struct sadb_msg) ||
1346 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1347 {
1348 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1349 return JOB_REQUEUE_DIRECT;
1350 }
1351 if (msg->sadb_msg_pid != 0)
1352 { /* not from kernel. not interested, try another one */
1353 return JOB_REQUEUE_DIRECT;
1354 }
1355 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1356 {
1357 DBG1(DBG_KNL, "buffer was too small to receive the complete "
1358 "PF_KEY message");
1359 return JOB_REQUEUE_DIRECT;
1360 }
1361
1362 switch (msg->sadb_msg_type)
1363 {
1364 case SADB_ACQUIRE:
1365 process_acquire(this, msg);
1366 break;
1367 case SADB_EXPIRE:
1368 process_expire(this, msg);
1369 break;
1370 #ifdef SADB_X_MIGRATE
1371 case SADB_X_MIGRATE:
1372 process_migrate(this, msg);
1373 break;
1374 #endif /*SADB_X_MIGRATE*/
1375 #ifdef SADB_X_NAT_T_NEW_MAPPING
1376 case SADB_X_NAT_T_NEW_MAPPING:
1377 process_mapping(this, msg);
1378 break;
1379 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1380 default:
1381 break;
1382 }
1383
1384 return JOB_REQUEUE_DIRECT;
1385 }
1386
1387 METHOD(kernel_ipsec_t, get_spi, status_t,
1388 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1389 u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
1390 {
1391 unsigned char request[PFKEY_BUFFER_SIZE];
1392 struct sadb_msg *msg, *out;
1393 struct sadb_x_sa2 *sa2;
1394 struct sadb_spirange *range;
1395 pfkey_msg_t response;
1396 u_int32_t received_spi = 0;
1397 size_t len;
1398
1399 memset(&request, 0, sizeof(request));
1400
1401 msg = (struct sadb_msg*)request;
1402 msg->sadb_msg_version = PF_KEY_V2;
1403 msg->sadb_msg_type = SADB_GETSPI;
1404 msg->sadb_msg_satype = proto2satype(protocol);
1405 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1406
1407 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1408 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1409 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1410 sa2->sadb_x_sa2_reqid = reqid;
1411 PFKEY_EXT_ADD(msg, sa2);
1412
1413 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1414 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1415
1416 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1417 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1418 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1419 range->sadb_spirange_min = 0xc0000000;
1420 range->sadb_spirange_max = 0xcFFFFFFF;
1421 PFKEY_EXT_ADD(msg, range);
1422
1423 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1424 {
1425 if (out->sadb_msg_errno)
1426 {
1427 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1428 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1429 }
1430 else if (parse_pfkey_message(out, &response) == SUCCESS)
1431 {
1432 received_spi = response.sa->sadb_sa_spi;
1433 }
1434 free(out);
1435 }
1436
1437 if (received_spi == 0)
1438 {
1439 return FAILED;
1440 }
1441
1442 *spi = received_spi;
1443 return SUCCESS;
1444 }
1445
1446 METHOD(kernel_ipsec_t, get_cpi, status_t,
1447 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1448 u_int32_t reqid, u_int16_t *cpi)
1449 {
1450 return FAILED;
1451 }
1452
1453 METHOD(kernel_ipsec_t, add_sa, status_t,
1454 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
1455 u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
1456 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
1457 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
1458 u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
1459 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
1460 {
1461 unsigned char request[PFKEY_BUFFER_SIZE];
1462 struct sadb_msg *msg, *out;
1463 struct sadb_sa *sa;
1464 struct sadb_x_sa2 *sa2;
1465 struct sadb_lifetime *lft;
1466 struct sadb_key *key;
1467 size_t len;
1468
1469 memset(&request, 0, sizeof(request));
1470
1471 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
1472 ntohl(spi), reqid);
1473
1474 msg = (struct sadb_msg*)request;
1475 msg->sadb_msg_version = PF_KEY_V2;
1476 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1477 msg->sadb_msg_satype = proto2satype(protocol);
1478 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1479
1480 #ifdef __APPLE__
1481 if (encap)
1482 {
1483 struct sadb_sa_2 *sa_2;
1484 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1485 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1486 sa = &sa_2->sa;
1487 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1488 len = sizeof(struct sadb_sa_2);
1489 }
1490 else
1491 #endif
1492 {
1493 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1494 len = sizeof(struct sadb_sa);
1495 }
1496 sa->sadb_sa_exttype = SADB_EXT_SA;
1497 sa->sadb_sa_len = PFKEY_LEN(len);
1498 sa->sadb_sa_spi = spi;
1499 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1500 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1501 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1502 PFKEY_EXT_ADD(msg, sa);
1503
1504 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1505 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1506 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1507 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1508 sa2->sadb_x_sa2_reqid = reqid;
1509 PFKEY_EXT_ADD(msg, sa2);
1510
1511 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1512 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1513
1514 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1515 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1516 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1517 lft->sadb_lifetime_allocations = lifetime->packets.rekey;
1518 lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
1519 lft->sadb_lifetime_addtime = lifetime->time.rekey;
1520 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1521 PFKEY_EXT_ADD(msg, lft);
1522
1523 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1524 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1525 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1526 lft->sadb_lifetime_allocations = lifetime->packets.life;
1527 lft->sadb_lifetime_bytes = lifetime->bytes.life;
1528 lft->sadb_lifetime_addtime = lifetime->time.life;
1529 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1530 PFKEY_EXT_ADD(msg, lft);
1531
1532 if (enc_alg != ENCR_UNDEFINED)
1533 {
1534 if (!sa->sadb_sa_encrypt)
1535 {
1536 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1537 encryption_algorithm_names, enc_alg);
1538 return FAILED;
1539 }
1540 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1541 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1542
1543 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1544 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1545 key->sadb_key_bits = enc_key.len * 8;
1546 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1547 memcpy(key + 1, enc_key.ptr, enc_key.len);
1548
1549 PFKEY_EXT_ADD(msg, key);
1550 }
1551
1552 if (int_alg != AUTH_UNDEFINED)
1553 {
1554 if (!sa->sadb_sa_auth)
1555 {
1556 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1557 integrity_algorithm_names, int_alg);
1558 return FAILED;
1559 }
1560 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1561 integrity_algorithm_names, int_alg, int_key.len * 8);
1562
1563 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1564 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1565 key->sadb_key_bits = int_key.len * 8;
1566 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1567 memcpy(key + 1, int_key.ptr, int_key.len);
1568
1569 PFKEY_EXT_ADD(msg, key);
1570 }
1571
1572 if (ipcomp != IPCOMP_NONE)
1573 {
1574 /*TODO*/
1575 }
1576
1577 #ifdef HAVE_NATT
1578 if (encap)
1579 {
1580 add_encap_ext(msg, src, dst);
1581 }
1582 #endif /*HAVE_NATT*/
1583
1584 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1585 {
1586 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1587 return FAILED;
1588 }
1589 else if (out->sadb_msg_errno)
1590 {
1591 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1592 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1593 free(out);
1594 return FAILED;
1595 }
1596
1597 free(out);
1598 return SUCCESS;
1599 }
1600
1601 METHOD(kernel_ipsec_t, update_sa, status_t,
1602 private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
1603 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1604 bool encap, bool new_encap, mark_t mark)
1605 {
1606 unsigned char request[PFKEY_BUFFER_SIZE];
1607 struct sadb_msg *msg, *out;
1608 struct sadb_sa *sa;
1609 pfkey_msg_t response;
1610 size_t len;
1611
1612 /* we can't update the SA if any of the ip addresses have changed.
1613 * that's because we can't use SADB_UPDATE and by deleting and readding the
1614 * SA the sequence numbers would get lost */
1615 if (!src->ip_equals(src, new_src) ||
1616 !dst->ip_equals(dst, new_dst))
1617 {
1618 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address "
1619 "changes are not supported", ntohl(spi));
1620 return NOT_SUPPORTED;
1621 }
1622
1623 memset(&request, 0, sizeof(request));
1624
1625 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1626
1627 msg = (struct sadb_msg*)request;
1628 msg->sadb_msg_version = PF_KEY_V2;
1629 msg->sadb_msg_type = SADB_GET;
1630 msg->sadb_msg_satype = proto2satype(protocol);
1631 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1632
1633 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1634 sa->sadb_sa_exttype = SADB_EXT_SA;
1635 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1636 sa->sadb_sa_spi = spi;
1637 PFKEY_EXT_ADD(msg, sa);
1638
1639 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1640 * it is not used for anything. */
1641 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1642 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1643
1644 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1645 {
1646 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1647 return FAILED;
1648 }
1649 else if (out->sadb_msg_errno)
1650 {
1651 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1652 ntohl(spi), strerror(out->sadb_msg_errno),
1653 out->sadb_msg_errno);
1654 free(out);
1655 return FAILED;
1656 }
1657 else if (parse_pfkey_message(out, &response) != SUCCESS)
1658 {
1659 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing "
1660 "response from kernel failed", ntohl(spi));
1661 free(out);
1662 return FAILED;
1663 }
1664
1665 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1666 ntohl(spi), src, dst, new_src, new_dst);
1667
1668 memset(&request, 0, sizeof(request));
1669
1670 msg = (struct sadb_msg*)request;
1671 msg->sadb_msg_version = PF_KEY_V2;
1672 msg->sadb_msg_type = SADB_UPDATE;
1673 msg->sadb_msg_satype = proto2satype(protocol);
1674 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1675
1676 #ifdef __APPLE__
1677 {
1678 struct sadb_sa_2 *sa_2;
1679 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1680 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1681 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1682 if (encap)
1683 {
1684 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1685 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1686 }
1687 }
1688 #else
1689 PFKEY_EXT_COPY(msg, response.sa);
1690 #endif
1691 PFKEY_EXT_COPY(msg, response.x_sa2);
1692
1693 PFKEY_EXT_COPY(msg, response.src);
1694 PFKEY_EXT_COPY(msg, response.dst);
1695
1696 PFKEY_EXT_COPY(msg, response.lft_soft);
1697 PFKEY_EXT_COPY(msg, response.lft_hard);
1698
1699 if (response.key_encr)
1700 {
1701 PFKEY_EXT_COPY(msg, response.key_encr);
1702 }
1703
1704 if (response.key_auth)
1705 {
1706 PFKEY_EXT_COPY(msg, response.key_auth);
1707 }
1708
1709 #ifdef HAVE_NATT
1710 if (new_encap)
1711 {
1712 add_encap_ext(msg, new_src, new_dst);
1713 }
1714 #endif /*HAVE_NATT*/
1715
1716 free(out);
1717
1718 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1719 {
1720 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1721 return FAILED;
1722 }
1723 else if (out->sadb_msg_errno)
1724 {
1725 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1726 ntohl(spi), strerror(out->sadb_msg_errno),
1727 out->sadb_msg_errno);
1728 free(out);
1729 return FAILED;
1730 }
1731 free(out);
1732
1733 return SUCCESS;
1734 }
1735
1736 METHOD(kernel_ipsec_t, query_sa, status_t,
1737 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1738 u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
1739 {
1740 unsigned char request[PFKEY_BUFFER_SIZE];
1741 struct sadb_msg *msg, *out;
1742 struct sadb_sa *sa;
1743 pfkey_msg_t response;
1744 size_t len;
1745
1746 memset(&request, 0, sizeof(request));
1747
1748 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1749
1750 msg = (struct sadb_msg*)request;
1751 msg->sadb_msg_version = PF_KEY_V2;
1752 msg->sadb_msg_type = SADB_GET;
1753 msg->sadb_msg_satype = proto2satype(protocol);
1754 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1755
1756 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1757 sa->sadb_sa_exttype = SADB_EXT_SA;
1758 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1759 sa->sadb_sa_spi = spi;
1760 PFKEY_EXT_ADD(msg, sa);
1761
1762 /* the Linux Kernel doesn't care for the src address, but other systems do
1763 * (e.g. FreeBSD)
1764 */
1765 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1766 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1767
1768 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1769 {
1770 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1771 return FAILED;
1772 }
1773 else if (out->sadb_msg_errno)
1774 {
1775 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1776 ntohl(spi), strerror(out->sadb_msg_errno),
1777 out->sadb_msg_errno);
1778 free(out);
1779 return FAILED;
1780 }
1781 else if (parse_pfkey_message(out, &response) != SUCCESS)
1782 {
1783 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1784 free(out);
1785 return FAILED;
1786 }
1787 *bytes = response.lft_current->sadb_lifetime_bytes;
1788
1789 free(out);
1790 return SUCCESS;
1791 }
1792
1793 METHOD(kernel_ipsec_t, del_sa, status_t,
1794 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1795 u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
1796 {
1797 unsigned char request[PFKEY_BUFFER_SIZE];
1798 struct sadb_msg *msg, *out;
1799 struct sadb_sa *sa;
1800 size_t len;
1801
1802 memset(&request, 0, sizeof(request));
1803
1804 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1805
1806 msg = (struct sadb_msg*)request;
1807 msg->sadb_msg_version = PF_KEY_V2;
1808 msg->sadb_msg_type = SADB_DELETE;
1809 msg->sadb_msg_satype = proto2satype(protocol);
1810 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1811
1812 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1813 sa->sadb_sa_exttype = SADB_EXT_SA;
1814 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1815 sa->sadb_sa_spi = spi;
1816 PFKEY_EXT_ADD(msg, sa);
1817
1818 /* the Linux Kernel doesn't care for the src address, but other systems do
1819 * (e.g. FreeBSD)
1820 */
1821 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1822 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1823
1824 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1825 {
1826 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1827 return FAILED;
1828 }
1829 else if (out->sadb_msg_errno)
1830 {
1831 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1832 ntohl(spi), strerror(out->sadb_msg_errno),
1833 out->sadb_msg_errno);
1834 free(out);
1835 return FAILED;
1836 }
1837
1838 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1839 free(out);
1840 return SUCCESS;
1841 }
1842
1843 METHOD(kernel_ipsec_t, flush_sas, status_t,
1844 private_kernel_pfkey_ipsec_t *this)
1845 {
1846 unsigned char request[PFKEY_BUFFER_SIZE];
1847 struct sadb_msg *msg, *out;
1848 size_t len;
1849
1850 memset(&request, 0, sizeof(request));
1851
1852 DBG2(DBG_KNL, "flushing all SAD entries");
1853
1854 msg = (struct sadb_msg*)request;
1855 msg->sadb_msg_version = PF_KEY_V2;
1856 msg->sadb_msg_type = SADB_FLUSH;
1857 msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
1858 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1859
1860 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1861 {
1862 DBG1(DBG_KNL, "unable to flush SAD entries");
1863 return FAILED;
1864 }
1865 else if (out->sadb_msg_errno)
1866 {
1867 DBG1(DBG_KNL, "unable to flush SAD entries: %s (%d)",
1868 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1869 free(out);
1870 return FAILED;
1871 }
1872 free(out);
1873 return SUCCESS;
1874 }
1875
1876 /**
1877 * Add or update a policy in the kernel.
1878 *
1879 * Note: The mutex has to be locked when entering this function.
1880 */
1881 static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
1882 policy_entry_t *policy, policy_sa_t *mapping, bool update)
1883 {
1884 unsigned char request[PFKEY_BUFFER_SIZE];
1885 struct sadb_msg *msg, *out;
1886 struct sadb_x_policy *pol;
1887 struct sadb_x_ipsecrequest *req;
1888 ipsec_sa_t *ipsec = mapping->sa;
1889 pfkey_msg_t response;
1890 size_t len;
1891
1892 memset(&request, 0, sizeof(request));
1893
1894 msg = (struct sadb_msg*)request;
1895 msg->sadb_msg_version = PF_KEY_V2;
1896 msg->sadb_msg_type = update ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1897 msg->sadb_msg_satype = 0;
1898 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1899
1900 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1901 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1902 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1903 pol->sadb_x_policy_id = 0;
1904 pol->sadb_x_policy_dir = dir2kernel(policy->direction);
1905 pol->sadb_x_policy_type = type2kernel(mapping->type);
1906 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1907 pol->sadb_x_policy_priority = mapping->priority;
1908 #endif
1909
1910 /* one or more sadb_x_ipsecrequest extensions are added to the
1911 * sadb_x_policy extension */
1912 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1913 req->sadb_x_ipsecrequest_proto = ipsec->cfg.esp.use ? IPPROTO_ESP
1914 : IPPROTO_AH;
1915 /* !!! the length here MUST be in octets instead of 64 bit words */
1916 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1917 req->sadb_x_ipsecrequest_mode = mode2kernel(ipsec->cfg.mode);
1918 req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid;
1919 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1920 if (ipsec->cfg.mode == MODE_TUNNEL)
1921 {
1922 len = hostcpy(req + 1, ipsec->src);
1923 req->sadb_x_ipsecrequest_len += len;
1924 len = hostcpy((char*)(req + 1) + len, ipsec->dst);
1925 req->sadb_x_ipsecrequest_len += len;
1926 }
1927
1928 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1929 PFKEY_EXT_ADD(msg, pol);
1930
1931 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1932 policy->src.mask);
1933 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1934 policy->dst.mask);
1935
1936 #ifdef __FreeBSD__
1937 { /* on FreeBSD a lifetime has to be defined to be able to later query
1938 * the current use time. */
1939 struct sadb_lifetime *lft;
1940 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1941 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1942 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1943 lft->sadb_lifetime_addtime = LONG_MAX;
1944 PFKEY_EXT_ADD(msg, lft);
1945 }
1946 #endif
1947
1948 this->mutex->unlock(this->mutex);
1949
1950 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1951 {
1952 return FAILED;
1953 }
1954 else if (out->sadb_msg_errno)
1955 {
1956 DBG1(DBG_KNL, "unable to %s policy: %s (%d)",
1957 update ? "update" : "add", strerror(out->sadb_msg_errno),
1958 out->sadb_msg_errno);
1959 free(out);
1960 return FAILED;
1961 }
1962 else if (parse_pfkey_message(out, &response) != SUCCESS)
1963 {
1964 DBG1(DBG_KNL, "unable to %s policy: parsing response from kernel "
1965 "failed", update ? "update" : "add");
1966 free(out);
1967 return FAILED;
1968 }
1969
1970 /* we try to find the policy again and update the kernel index */
1971 this->mutex->lock(this->mutex);
1972 if (this->policies->find_last(this->policies, NULL,
1973 (void**)&policy) != SUCCESS)
1974 {
1975 DBG2(DBG_KNL, "unable to update index, the policy is already gone, "
1976 "ignoring");
1977 this->mutex->unlock(this->mutex);
1978 free(out);
1979 return SUCCESS;
1980 }
1981 policy->index = response.x_policy->sadb_x_policy_id;
1982 free(out);
1983
1984 /* install a route, if:
1985 * - this is a forward policy (to just get one for each child)
1986 * - we are in tunnel mode
1987 * - routing is not disabled via strongswan.conf
1988 */
1989 if (policy->direction == POLICY_FWD &&
1990 ipsec->cfg.mode != MODE_TRANSPORT && this->install_routes)
1991 {
1992 route_entry_t *route = malloc_thing(route_entry_t);
1993 policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping;
1994
1995 if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
1996 fwd->dst_ts, &route->src_ip) == SUCCESS)
1997 {
1998 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1999 route->gateway = hydra->kernel_interface->get_nexthop(
2000 hydra->kernel_interface, ipsec->src);
2001 /* install route via outgoing interface */
2002 route->if_name = hydra->kernel_interface->get_interface(
2003 hydra->kernel_interface, ipsec->dst);
2004 route->dst_net = chunk_clone(policy->src.net->get_address(
2005 policy->src.net));
2006 route->prefixlen = policy->src.mask;
2007
2008 if (!route->if_name)
2009 {
2010 this->mutex->unlock(this->mutex);
2011 route_entry_destroy(route);
2012 return SUCCESS;
2013 }
2014
2015 if (policy->route)
2016 {
2017 route_entry_t *old = policy->route;
2018 if (route_entry_equals(old, route))
2019 { /* keep previously installed route */
2020 this->mutex->unlock(this->mutex);
2021 route_entry_destroy(route);
2022 return SUCCESS;
2023 }
2024 /* uninstall previously installed route */
2025 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2026 old->dst_net, old->prefixlen, old->gateway,
2027 old->src_ip, old->if_name) != SUCCESS)
2028 {
2029 DBG1(DBG_KNL, "error uninstalling route installed with "
2030 "policy %R === %R %N", fwd->src_ts,
2031 fwd->dst_ts, policy_dir_names,
2032 policy->direction);
2033 }
2034 route_entry_destroy(old);
2035 policy->route = NULL;
2036 }
2037
2038 DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
2039 fwd->src_ts, route->gateway, route->src_ip, route->if_name);
2040 switch (hydra->kernel_interface->add_route(
2041 hydra->kernel_interface, route->dst_net,
2042 route->prefixlen, route->gateway,
2043 route->src_ip, route->if_name))
2044 {
2045 default:
2046 DBG1(DBG_KNL, "unable to install source route for %H",
2047 route->src_ip);
2048 /* FALL */
2049 case ALREADY_DONE:
2050 /* route exists, do not uninstall */
2051 route_entry_destroy(route);
2052 break;
2053 case SUCCESS:
2054 /* cache the installed route */
2055 policy->route = route;
2056 break;
2057 }
2058 }
2059 else
2060 {
2061 free(route);
2062 }
2063 }
2064 this->mutex->unlock(this->mutex);
2065 return SUCCESS;
2066 }
2067
2068 METHOD(kernel_ipsec_t, add_policy, status_t,
2069 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
2070 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
2071 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
2072 mark_t mark, policy_priority_t priority)
2073 {
2074 policy_entry_t *policy, *found = NULL;
2075 policy_sa_t *assigned_sa, *current_sa;
2076 enumerator_t *enumerator;
2077 bool update = TRUE;
2078
2079 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2080 { /* FWD policies are not supported on all platforms */
2081 return SUCCESS;
2082 }
2083
2084 /* create a policy */
2085 policy = create_policy_entry(src_ts, dst_ts, direction);
2086
2087 /* find a matching policy */
2088 this->mutex->lock(this->mutex);
2089 if (this->policies->find_first(this->policies,
2090 (linked_list_match_t)policy_entry_equals,
2091 (void**)&found, policy) == SUCCESS)
2092 { /* use existing policy */
2093 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
2094 "refcount", src_ts, dst_ts, policy_dir_names, direction);
2095 policy_entry_destroy(policy, this);
2096 policy = found;
2097 }
2098 else
2099 { /* use the new one, if we have no such policy */
2100 this->policies->insert_last(this->policies, policy);
2101 policy->used_by = linked_list_create();
2102 }
2103
2104 /* cache the assigned IPsec SA */
2105 assigned_sa = policy_sa_create(this, direction, type, src, dst, src_ts,
2106 dst_ts, sa);
2107 assigned_sa->priority = get_priority(policy, priority);
2108
2109 /* insert the SA according to its priority */
2110 enumerator = policy->used_by->create_enumerator(policy->used_by);
2111 while (enumerator->enumerate(enumerator, (void**)&current_sa))
2112 {
2113 if (current_sa->priority >= assigned_sa->priority)
2114 {
2115 break;
2116 }
2117 update = FALSE;
2118 }
2119 policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa);
2120 enumerator->destroy(enumerator);
2121
2122 if (!update)
2123 { /* we don't update the policy if the priority is lower than that of the
2124 * currently installed one */
2125 this->mutex->unlock(this->mutex);
2126 return SUCCESS;
2127 }
2128
2129 DBG2(DBG_KNL, "%s policy %R === %R %N",
2130 found ? "updating" : "adding", src_ts, dst_ts,
2131 policy_dir_names, direction);
2132
2133 if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS)
2134 {
2135 DBG1(DBG_KNL, "unable to %s policy %R === %R %N",
2136 found ? "update" : "add", src_ts, dst_ts,
2137 policy_dir_names, direction);
2138 return FAILED;
2139 }
2140 return SUCCESS;
2141 }
2142
2143 METHOD(kernel_ipsec_t, query_policy, status_t,
2144 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
2145 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
2146 u_int32_t *use_time)
2147 {
2148 unsigned char request[PFKEY_BUFFER_SIZE];
2149 struct sadb_msg *msg, *out;
2150 struct sadb_x_policy *pol;
2151 policy_entry_t *policy, *found = NULL;
2152 pfkey_msg_t response;
2153 size_t len;
2154
2155 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2156 { /* FWD policies are not supported on all platforms */
2157 return NOT_FOUND;
2158 }
2159
2160 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
2161 policy_dir_names, direction);
2162
2163 /* create a policy */
2164 policy = create_policy_entry(src_ts, dst_ts, direction);
2165
2166 /* find a matching policy */
2167 this->mutex->lock(this->mutex);
2168 if (this->policies->find_first(this->policies,
2169 (linked_list_match_t)policy_entry_equals,
2170 (void**)&found, policy) != SUCCESS)
2171 {
2172 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
2173 dst_ts, policy_dir_names, direction);
2174 policy_entry_destroy(policy, this);
2175 this->mutex->unlock(this->mutex);
2176 return NOT_FOUND;
2177 }
2178 policy_entry_destroy(policy, this);
2179 policy = found;
2180
2181 memset(&request, 0, sizeof(request));
2182
2183 msg = (struct sadb_msg*)request;
2184 msg->sadb_msg_version = PF_KEY_V2;
2185 msg->sadb_msg_type = SADB_X_SPDGET;
2186 msg->sadb_msg_satype = 0;
2187 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2188
2189 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2190 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2191 pol->sadb_x_policy_id = policy->index;
2192 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2193 pol->sadb_x_policy_dir = dir2kernel(direction);
2194 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2195 PFKEY_EXT_ADD(msg, pol);
2196
2197 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2198 policy->src.mask);
2199 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2200 policy->dst.mask);
2201
2202 this->mutex->unlock(this->mutex);
2203
2204 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2205 {
2206 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
2207 policy_dir_names, direction);
2208 return FAILED;
2209 }
2210 else if (out->sadb_msg_errno)
2211 {
2212 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
2213 dst_ts, policy_dir_names, direction,
2214 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2215 free(out);
2216 return FAILED;
2217 }
2218 else if (parse_pfkey_message(out, &response) != SUCCESS)
2219 {
2220 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
2221 "from kernel failed", src_ts, dst_ts, policy_dir_names,
2222 direction);
2223 free(out);
2224 return FAILED;
2225 }
2226 else if (response.lft_current == NULL)
2227 {
2228 DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
2229 "use time", src_ts, dst_ts, policy_dir_names, direction);
2230 free(out);
2231 return FAILED;
2232 }
2233
2234 /* we need the monotonic time, but the kernel returns system time. */
2235 if (response.lft_current->sadb_lifetime_usetime)
2236 {
2237 *use_time = time_monotonic(NULL) -
2238 (time(NULL) - response.lft_current->sadb_lifetime_usetime);
2239 }
2240 else
2241 {
2242 *use_time = 0;
2243 }
2244 free(out);
2245 return SUCCESS;
2246 }
2247
2248 METHOD(kernel_ipsec_t, del_policy, status_t,
2249 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
2250 traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
2251 mark_t mark, policy_priority_t prio)
2252 {
2253 unsigned char request[PFKEY_BUFFER_SIZE];
2254 struct sadb_msg *msg, *out;
2255 struct sadb_x_policy *pol;
2256 policy_entry_t *policy, *found = NULL;
2257 policy_sa_t *mapping;
2258 enumerator_t *enumerator;
2259 bool is_installed = TRUE;
2260 u_int32_t priority;
2261 size_t len;
2262
2263 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2264 { /* FWD policies are not supported on all platforms */
2265 return SUCCESS;
2266 }
2267
2268 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
2269 policy_dir_names, direction);
2270
2271 /* create a policy */
2272 policy = create_policy_entry(src_ts, dst_ts, direction);
2273
2274 /* find a matching policy */
2275 this->mutex->lock(this->mutex);
2276 if (this->policies->find_first(this->policies,
2277 (linked_list_match_t)policy_entry_equals,
2278 (void**)&found, policy) != SUCCESS)
2279 {
2280 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
2281 dst_ts, policy_dir_names, direction);
2282 policy_entry_destroy(policy, this);
2283 this->mutex->unlock(this->mutex);
2284 return NOT_FOUND;
2285 }
2286 policy_entry_destroy(policy, this);
2287 policy = found;
2288
2289 /* remove mapping to SA by reqid and priority */
2290 priority = get_priority(policy, prio);
2291 enumerator = policy->used_by->create_enumerator(policy->used_by);
2292 while (enumerator->enumerate(enumerator, (void**)&mapping))
2293 {
2294 if (reqid == mapping->sa->cfg.reqid && priority == mapping->priority)
2295 {
2296 policy->used_by->remove_at(policy->used_by, enumerator);
2297 break;
2298 }
2299 is_installed = FALSE;
2300 }
2301 enumerator->destroy(enumerator);
2302
2303 if (policy->used_by->get_count(policy->used_by) > 0)
2304 { /* policy is used by more SAs, keep in kernel */
2305 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2306 policy_sa_destroy(mapping, &direction, this);
2307
2308 if (!is_installed)
2309 { /* no need to update as the policy was not installed for this SA */
2310 this->mutex->unlock(this->mutex);
2311 return SUCCESS;
2312 }
2313
2314 DBG2(DBG_KNL, "updating policy %R === %R %N", src_ts, dst_ts,
2315 policy_dir_names, direction);
2316 policy->used_by->get_first(policy->used_by, (void**)&mapping);
2317 if (add_policy_internal(this, policy, mapping, TRUE) != SUCCESS)
2318 {
2319 DBG1(DBG_KNL, "unable to update policy %R === %R %N",
2320 src_ts, dst_ts, policy_dir_names, direction);
2321 return FAILED;
2322 }
2323 return SUCCESS;
2324 }
2325
2326 memset(&request, 0, sizeof(request));
2327
2328 msg = (struct sadb_msg*)request;
2329 msg->sadb_msg_version = PF_KEY_V2;
2330 msg->sadb_msg_type = SADB_X_SPDDELETE;
2331 msg->sadb_msg_satype = 0;
2332 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2333
2334 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2335 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2336 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2337 pol->sadb_x_policy_dir = dir2kernel(direction);
2338 pol->sadb_x_policy_type = type2kernel(mapping->type);
2339 PFKEY_EXT_ADD(msg, pol);
2340
2341 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2342 policy->src.mask);
2343 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2344 policy->dst.mask);
2345
2346 if (policy->route)
2347 {
2348 route_entry_t *route = policy->route;
2349 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2350 route->dst_net, route->prefixlen, route->gateway,
2351 route->src_ip, route->if_name) != SUCCESS)
2352 {
2353 DBG1(DBG_KNL, "error uninstalling route installed with "
2354 "policy %R === %R %N", src_ts, dst_ts,
2355 policy_dir_names, direction);
2356 }
2357 }
2358
2359 this->policies->remove(this->policies, found, NULL);
2360 policy_sa_destroy(mapping, &direction, this);
2361 policy_entry_destroy(policy, this);
2362 this->mutex->unlock(this->mutex);
2363
2364 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2365 {
2366 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2367 policy_dir_names, direction);
2368 return FAILED;
2369 }
2370 else if (out->sadb_msg_errno)
2371 {
2372 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
2373 dst_ts, policy_dir_names, direction,
2374 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2375 free(out);
2376 return FAILED;
2377 }
2378 free(out);
2379 return SUCCESS;
2380 }
2381
2382 METHOD(kernel_ipsec_t, flush_policies, status_t,
2383 private_kernel_pfkey_ipsec_t *this)
2384 {
2385 unsigned char request[PFKEY_BUFFER_SIZE];
2386 struct sadb_msg *msg, *out;
2387 size_t len;
2388
2389 memset(&request, 0, sizeof(request));
2390
2391 DBG2(DBG_KNL, "flushing all policies from SPD");
2392
2393 msg = (struct sadb_msg*)request;
2394 msg->sadb_msg_version = PF_KEY_V2;
2395 msg->sadb_msg_type = SADB_X_SPDFLUSH;
2396 msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
2397 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2398
2399 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2400 {
2401 DBG1(DBG_KNL, "unable to flush SPD entries");
2402 return FAILED;
2403 }
2404 else if (out->sadb_msg_errno)
2405 {
2406 DBG1(DBG_KNL, "unable to flush SPD entries: %s (%d)",
2407 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2408 free(out);
2409 return FAILED;
2410 }
2411 free(out);
2412 return SUCCESS;
2413 }
2414
2415 /**
2416 * Register a socket for ACQUIRE/EXPIRE messages
2417 */
2418 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
2419 u_int8_t satype)
2420 {
2421 unsigned char request[PFKEY_BUFFER_SIZE];
2422 struct sadb_msg *msg, *out;
2423 size_t len;
2424
2425 memset(&request, 0, sizeof(request));
2426
2427 msg = (struct sadb_msg*)request;
2428 msg->sadb_msg_version = PF_KEY_V2;
2429 msg->sadb_msg_type = SADB_REGISTER;
2430 msg->sadb_msg_satype = satype;
2431 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2432
2433 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2434 {
2435 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2436 return FAILED;
2437 }
2438 else if (out->sadb_msg_errno)
2439 {
2440 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2441 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2442 free(out);
2443 return FAILED;
2444 }
2445 free(out);
2446 return SUCCESS;
2447 }
2448
2449 METHOD(kernel_ipsec_t, bypass_socket, bool,
2450 private_kernel_pfkey_ipsec_t *this, int fd, int family)
2451 {
2452 struct sadb_x_policy policy;
2453 u_int sol, ipsec_policy;
2454
2455 switch (family)
2456 {
2457 case AF_INET:
2458 {
2459 sol = SOL_IP;
2460 ipsec_policy = IP_IPSEC_POLICY;
2461 break;
2462 }
2463 case AF_INET6:
2464 {
2465 sol = SOL_IPV6;
2466 ipsec_policy = IPV6_IPSEC_POLICY;
2467 break;
2468 }
2469 default:
2470 return FALSE;
2471 }
2472
2473 memset(&policy, 0, sizeof(policy));
2474 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
2475 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2476 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
2477
2478 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
2479 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2480 {
2481 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2482 strerror(errno));
2483 return FALSE;
2484 }
2485 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
2486 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2487 {
2488 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2489 strerror(errno));
2490 return FALSE;
2491 }
2492 return TRUE;
2493 }
2494
2495 METHOD(kernel_ipsec_t, destroy, void,
2496 private_kernel_pfkey_ipsec_t *this)
2497 {
2498 if (this->job)
2499 {
2500 this->job->cancel(this->job);
2501 }
2502 if (this->socket > 0)
2503 {
2504 close(this->socket);
2505 }
2506 if (this->socket_events > 0)
2507 {
2508 close(this->socket_events);
2509 }
2510 this->policies->invoke_function(this->policies,
2511 (linked_list_invoke_t)policy_entry_destroy,
2512 this);
2513 this->policies->destroy(this->policies);
2514 this->sas->destroy(this->sas);
2515 this->mutex->destroy(this->mutex);
2516 this->mutex_pfkey->destroy(this->mutex_pfkey);
2517 free(this);
2518 }
2519
2520 /*
2521 * Described in header.
2522 */
2523 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
2524 {
2525 private_kernel_pfkey_ipsec_t *this;
2526
2527 INIT(this,
2528 .public = {
2529 .interface = {
2530 .get_spi = _get_spi,
2531 .get_cpi = _get_cpi,
2532 .add_sa = _add_sa,
2533 .update_sa = _update_sa,
2534 .query_sa = _query_sa,
2535 .del_sa = _del_sa,
2536 .flush_sas = _flush_sas,
2537 .add_policy = _add_policy,
2538 .query_policy = _query_policy,
2539 .del_policy = _del_policy,
2540 .flush_policies = _flush_policies,
2541 .bypass_socket = _bypass_socket,
2542 .destroy = _destroy,
2543 },
2544 },
2545 .policies = linked_list_create(),
2546 .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
2547 (hashtable_equals_t)ipsec_sa_equals, 32),
2548 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2549 .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
2550 .install_routes = lib->settings->get_bool(lib->settings,
2551 "%s.install_routes", TRUE,
2552 hydra->daemon),
2553 );
2554
2555 if (streq(hydra->daemon, "pluto"))
2556 { /* no routes for pluto, they are installed via updown script */
2557 this->install_routes = FALSE;
2558 }
2559
2560 /* create a PF_KEY socket to communicate with the kernel */
2561 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2562 if (this->socket <= 0)
2563 {
2564 DBG1(DBG_KNL, "unable to create PF_KEY socket");
2565 destroy(this);
2566 return NULL;
2567 }
2568
2569 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2570 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2571 if (this->socket_events <= 0)
2572 {
2573 DBG1(DBG_KNL, "unable to create PF_KEY event socket");
2574 destroy(this);
2575 return NULL;
2576 }
2577
2578 /* register the event socket */
2579 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2580 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2581 {
2582 DBG1(DBG_KNL, "unable to register PF_KEY event socket");
2583 destroy(this);
2584 return NULL;
2585 }
2586
2587 this->job = callback_job_create_with_prio((callback_job_cb_t)receive_events,
2588 this, NULL, NULL, JOB_PRIO_CRITICAL);
2589 lib->processor->queue_job(lib->processor, (job_t*)this->job);
2590
2591 return &this->public;
2592 }
2593