Record usage history of policies in PF_KEY kernel interface.
[strongswan.git] / src / libhydra / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2011 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef __FreeBSD__
21 #include <limits.h> /* for LONG_MAX */
22 #endif
23
24 #ifdef HAVE_NET_PFKEYV2_H
25 #include <net/pfkeyv2.h>
26 #else
27 #include <stdint.h>
28 #include <linux/pfkeyv2.h>
29 #endif
30
31 #ifdef SADB_X_EXT_NAT_T_TYPE
32 #define HAVE_NATT
33 #endif
34
35 #ifdef HAVE_NETIPSEC_IPSEC_H
36 #include <netipsec/ipsec.h>
37 #elif defined(HAVE_NETINET6_IPSEC_H)
38 #include <netinet6/ipsec.h>
39 #else
40 #include <linux/ipsec.h>
41 #endif
42
43 #ifdef HAVE_NATT
44 #ifdef HAVE_LINUX_UDP_H
45 #include <linux/udp.h>
46 #else
47 #include <netinet/udp.h>
48 #endif /*HAVE_LINUX_UDP_H*/
49 #endif /*HAVE_NATT*/
50
51 #include <unistd.h>
52 #include <time.h>
53 #include <errno.h>
54
55 #include "kernel_pfkey_ipsec.h"
56
57 #include <hydra.h>
58 #include <debug.h>
59 #include <utils/host.h>
60 #include <utils/linked_list.h>
61 #include <utils/hashtable.h>
62 #include <threading/thread.h>
63 #include <threading/mutex.h>
64 #include <processing/jobs/callback_job.h>
65
66 /** non linux specific */
67 #ifndef IPPROTO_COMP
68 #ifdef IPPROTO_IPCOMP
69 #define IPPROTO_COMP IPPROTO_IPCOMP
70 #endif
71 #endif
72
73 #ifndef SADB_X_AALG_SHA2_256HMAC
74 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
75 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
76 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
77 #endif
78
79 #ifndef SADB_X_EALG_AESCBC
80 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
81 #endif
82
83 #ifndef SADB_X_EALG_CASTCBC
84 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
85 #endif
86
87 #ifndef SOL_IP
88 #define SOL_IP IPPROTO_IP
89 #define SOL_IPV6 IPPROTO_IPV6
90 #endif
91
92 /** from linux/in.h */
93 #ifndef IP_IPSEC_POLICY
94 #define IP_IPSEC_POLICY 16
95 #endif
96
97 /** missing on uclibc */
98 #ifndef IPV6_IPSEC_POLICY
99 #define IPV6_IPSEC_POLICY 34
100 #endif
101
102 /** default priority of installed policies */
103 #define PRIO_LOW 1024
104 #define PRIO_HIGH 512
105
106 #ifdef __APPLE__
107 /** from xnu/bsd/net/pfkeyv2.h */
108 #define SADB_X_EXT_NATT 0x002
109 struct sadb_sa_2 {
110 struct sadb_sa sa;
111 u_int16_t sadb_sa_natt_port;
112 u_int16_t sadb_reserved0;
113 u_int32_t sadb_reserved1;
114 };
115 #endif
116
117 /** buffer size for PF_KEY messages */
118 #define PFKEY_BUFFER_SIZE 4096
119
120 /** PF_KEY messages are 64 bit aligned */
121 #define PFKEY_ALIGNMENT 8
122 /** aligns len to 64 bits */
123 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
124 /** calculates the properly padded length in 64 bit chunks */
125 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
126 /** calculates user mode length i.e. in bytes */
127 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
128
129 /** given a PF_KEY message header and an extension this updates the length in the header */
130 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
131 /** given a PF_KEY message header this returns a pointer to the next extension */
132 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
133 /** copy an extension and append it to a PF_KEY message */
134 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
135 /** given a PF_KEY extension this returns a pointer to the next extension */
136 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
137 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
138 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
139 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
140 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
141 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
142 (ext)->sadb_ext_len <= (len))
143
144 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
145
146 /**
147 * Private variables and functions of kernel_pfkey class.
148 */
149 struct private_kernel_pfkey_ipsec_t
150 {
151 /**
152 * Public part of the kernel_pfkey_t object.
153 */
154 kernel_pfkey_ipsec_t public;
155
156 /**
157 * mutex to lock access to various lists
158 */
159 mutex_t *mutex;
160
161 /**
162 * List of installed policies (policy_entry_t)
163 */
164 linked_list_t *policies;
165
166 /**
167 * Hash table of IPsec SAs using policies (ipsec_sa_t)
168 */
169 hashtable_t *sas;
170
171 /**
172 * whether to install routes along policies
173 */
174 bool install_routes;
175
176 /**
177 * job receiving PF_KEY events
178 */
179 callback_job_t *job;
180
181 /**
182 * mutex to lock access to the PF_KEY socket
183 */
184 mutex_t *mutex_pfkey;
185
186 /**
187 * PF_KEY socket to communicate with the kernel
188 */
189 int socket;
190
191 /**
192 * PF_KEY socket to receive acquire and expire events
193 */
194 int socket_events;
195
196 /**
197 * sequence number for messages sent to the kernel
198 */
199 int seq;
200 };
201
202 typedef struct route_entry_t route_entry_t;
203
204 /**
205 * installed routing entry
206 */
207 struct route_entry_t {
208 /** name of the interface the route is bound to */
209 char *if_name;
210
211 /** source ip of the route */
212 host_t *src_ip;
213
214 /** gateway for this route */
215 host_t *gateway;
216
217 /** destination net */
218 chunk_t dst_net;
219
220 /** destination net prefixlen */
221 u_int8_t prefixlen;
222 };
223
224 /**
225 * destroy an route_entry_t object
226 */
227 static void route_entry_destroy(route_entry_t *this)
228 {
229 free(this->if_name);
230 DESTROY_IF(this->src_ip);
231 DESTROY_IF(this->gateway);
232 chunk_free(&this->dst_net);
233 free(this);
234 }
235
236 /**
237 * compare two route_entry_t objects
238 */
239 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
240 {
241 return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
242 a->src_ip->equals(a->src_ip, b->src_ip) &&
243 a->gateway->equals(a->gateway, b->gateway) &&
244 chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
245 }
246
247 typedef struct ipsec_sa_t ipsec_sa_t;
248
249 /**
250 * IPsec SA assigned to a policy.
251 */
252 struct ipsec_sa_t {
253 /** Source address of this SA */
254 host_t *src;
255
256 /** Destination address of this SA */
257 host_t *dst;
258
259 /** Description of this SA */
260 ipsec_sa_cfg_t cfg;
261
262 /** Reference count for this SA */
263 refcount_t refcount;
264 };
265
266 /**
267 * Hash function for ipsec_sa_t objects
268 */
269 static u_int ipsec_sa_hash(ipsec_sa_t *sa)
270 {
271 return chunk_hash_inc(sa->src->get_address(sa->src),
272 chunk_hash_inc(sa->dst->get_address(sa->dst),
273 chunk_hash(chunk_from_thing(sa->cfg))));
274 }
275
276 /**
277 * Equality function for ipsec_sa_t objects
278 */
279 static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
280 {
281 return sa->src->ip_equals(sa->src, other_sa->src) &&
282 sa->dst->ip_equals(sa->dst, other_sa->dst) &&
283 memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t));
284 }
285
286 /**
287 * Allocate or reference an IPsec SA object
288 */
289 static ipsec_sa_t *ipsec_sa_create(private_kernel_pfkey_ipsec_t *this,
290 host_t *src, host_t *dst,
291 ipsec_sa_cfg_t *cfg)
292 {
293 ipsec_sa_t *sa, *found;
294 INIT(sa,
295 .src = src,
296 .dst = dst,
297 .cfg = *cfg,
298 );
299 found = this->sas->get(this->sas, sa);
300 if (!found)
301 {
302 sa->src = src->clone(src);
303 sa->dst = dst->clone(dst);
304 this->sas->put(this->sas, sa, sa);
305 }
306 else
307 {
308 free(sa);
309 sa = found;
310 }
311 ref_get(&sa->refcount);
312 return sa;
313 }
314
315 /**
316 * Release and destroy an IPsec SA object
317 */
318 static void ipsec_sa_destroy(private_kernel_pfkey_ipsec_t *this,
319 ipsec_sa_t *sa)
320 {
321 if (ref_put(&sa->refcount))
322 {
323 this->sas->remove(this->sas, sa);
324 DESTROY_IF(sa->src);
325 DESTROY_IF(sa->dst);
326 free(sa);
327 }
328 }
329
330 typedef struct policy_sa_t policy_sa_t;
331 typedef struct policy_sa_fwd_t policy_sa_fwd_t;
332
333 /**
334 * Mapping between a policy and an IPsec SA.
335 */
336 struct policy_sa_t {
337 /** Priority assigned to the policy when installed with this SA */
338 u_int32_t priority;
339
340 /** Type of the policy */
341 policy_type_t type;
342
343 /** Assigned SA */
344 ipsec_sa_t *sa;
345 };
346
347 /**
348 * For forward policies we also cache the traffic selectors in order to install
349 * the route.
350 */
351 struct policy_sa_fwd_t {
352 /** Generic interface */
353 policy_sa_t generic;
354
355 /** Source traffic selector of this policy */
356 traffic_selector_t *src_ts;
357
358 /** Destination traffic selector of this policy */
359 traffic_selector_t *dst_ts;
360 };
361
362 /**
363 * Create a policy_sa(_fwd)_t object
364 */
365 static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this,
366 policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
367 traffic_selector_t *src_ts, traffic_selector_t *dst_ts, ipsec_sa_cfg_t *cfg)
368 {
369 policy_sa_t *policy;
370
371 if (dir == POLICY_FWD)
372 {
373 policy_sa_fwd_t *fwd;
374 INIT(fwd,
375 .src_ts = src_ts->clone(src_ts),
376 .dst_ts = dst_ts->clone(dst_ts),
377 );
378 policy = &fwd->generic;
379 }
380 else
381 {
382 INIT(policy);
383 }
384 policy->type = type;
385 policy->sa = ipsec_sa_create(this, src, dst, cfg);
386 return policy;
387 }
388
389 /**
390 * Destroy a policy_sa(_fwd)_t object
391 */
392 static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir,
393 private_kernel_pfkey_ipsec_t *this)
394 {
395 if (*dir == POLICY_FWD)
396 {
397 policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)policy;
398 fwd->src_ts->destroy(fwd->src_ts);
399 fwd->dst_ts->destroy(fwd->dst_ts);
400 }
401 ipsec_sa_destroy(this, policy->sa);
402 free(policy);
403 }
404
405 typedef struct policy_entry_t policy_entry_t;
406
407 /**
408 * installed kernel policy.
409 */
410 struct policy_entry_t {
411 /** Index assigned by the kernel */
412 u_int32_t index;
413
414 /** Direction of this policy: in, out, forward */
415 u_int8_t direction;
416
417 /** Parameters of installed policy */
418 struct {
419 /** Subnet and port */
420 host_t *net;
421 /** Subnet mask */
422 u_int8_t mask;
423 /** Protocol */
424 u_int8_t proto;
425 } src, dst;
426
427 /** Associated route installed for this policy */
428 route_entry_t *route;
429
430 /** List of SAs this policy is used by, ordered by priority */
431 linked_list_t *used_by;
432 };
433
434 /**
435 * Create a policy_entry_t object
436 */
437 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
438 traffic_selector_t *dst_ts,
439 policy_dir_t dir)
440 {
441 policy_entry_t *policy;
442 INIT(policy,
443 .direction = dir,
444 );
445
446 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
447 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
448
449 /* src or dest proto may be "any" (0), use more restrictive one */
450 policy->src.proto = max(src_ts->get_protocol(src_ts),
451 dst_ts->get_protocol(dst_ts));
452 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
453 policy->dst.proto = policy->src.proto;
454
455 return policy;
456 }
457
458 /**
459 * Destroy a policy_entry_t object
460 */
461 static void policy_entry_destroy(policy_entry_t *policy,
462 private_kernel_pfkey_ipsec_t *this)
463 {
464 if (policy->route)
465 {
466 route_entry_destroy(policy->route);
467 }
468 if (policy->used_by)
469 {
470 policy->used_by->invoke_function(policy->used_by,
471 (linked_list_invoke_t)policy_sa_destroy,
472 &policy->direction, this);
473 policy->used_by->destroy(policy->used_by);
474 }
475 DESTROY_IF(policy->src.net);
476 DESTROY_IF(policy->dst.net);
477 free(policy);
478 }
479
480 /**
481 * compares two policy_entry_t
482 */
483 static inline bool policy_entry_equals(policy_entry_t *current,
484 policy_entry_t *policy)
485 {
486 return current->direction == policy->direction &&
487 current->src.proto == policy->src.proto &&
488 current->dst.proto == policy->dst.proto &&
489 current->src.mask == policy->src.mask &&
490 current->dst.mask == policy->dst.mask &&
491 current->src.net->equals(current->src.net, policy->src.net) &&
492 current->dst.net->equals(current->dst.net, policy->dst.net);
493 }
494
495 /**
496 * compare the given kernel index with that of a policy
497 */
498 static inline bool policy_entry_match_byindex(policy_entry_t *current,
499 u_int32_t *index)
500 {
501 return current->index == *index;
502 }
503
504 typedef struct pfkey_msg_t pfkey_msg_t;
505
506 struct pfkey_msg_t
507 {
508 /**
509 * PF_KEY message base
510 */
511 struct sadb_msg *msg;
512
513 /**
514 * PF_KEY message extensions
515 */
516 union {
517 struct sadb_ext *ext[SADB_EXT_MAX + 1];
518 struct {
519 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
520 struct sadb_sa *sa; /* SADB_EXT_SA */
521 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
522 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
523 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
524 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
525 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
526 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
527 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
528 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
529 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
530 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
531 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
532 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
533 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
534 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
535 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
536 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
537 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
538 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
539 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
540 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
541 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
542 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
543 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
544 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
545 } __attribute__((__packed__));
546 };
547 };
548
549 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
550 "SADB_EXT_RESERVED",
551 "SADB_EXT_SA",
552 "SADB_EXT_LIFETIME_CURRENT",
553 "SADB_EXT_LIFETIME_HARD",
554 "SADB_EXT_LIFETIME_SOFT",
555 "SADB_EXT_ADDRESS_SRC",
556 "SADB_EXT_ADDRESS_DST",
557 "SADB_EXT_ADDRESS_PROXY",
558 "SADB_EXT_KEY_AUTH",
559 "SADB_EXT_KEY_ENCRYPT",
560 "SADB_EXT_IDENTITY_SRC",
561 "SADB_EXT_IDENTITY_DST",
562 "SADB_EXT_SENSITIVITY",
563 "SADB_EXT_PROPOSAL",
564 "SADB_EXT_SUPPORTED_AUTH",
565 "SADB_EXT_SUPPORTED_ENCRYPT",
566 "SADB_EXT_SPIRANGE",
567 "SADB_X_EXT_KMPRIVATE",
568 "SADB_X_EXT_POLICY",
569 "SADB_X_EXT_SA2",
570 "SADB_X_EXT_NAT_T_TYPE",
571 "SADB_X_EXT_NAT_T_SPORT",
572 "SADB_X_EXT_NAT_T_DPORT",
573 "SADB_X_EXT_NAT_T_OA",
574 "SADB_X_EXT_SEC_CTX",
575 "SADB_X_EXT_KMADDRESS"
576 );
577
578 /**
579 * convert a protocol identifier to the PF_KEY sa type
580 */
581 static u_int8_t proto2satype(u_int8_t proto)
582 {
583 switch (proto)
584 {
585 case IPPROTO_ESP:
586 return SADB_SATYPE_ESP;
587 case IPPROTO_AH:
588 return SADB_SATYPE_AH;
589 case IPPROTO_COMP:
590 return SADB_X_SATYPE_IPCOMP;
591 default:
592 return proto;
593 }
594 }
595
596 /**
597 * convert a PF_KEY sa type to a protocol identifier
598 */
599 static u_int8_t satype2proto(u_int8_t satype)
600 {
601 switch (satype)
602 {
603 case SADB_SATYPE_ESP:
604 return IPPROTO_ESP;
605 case SADB_SATYPE_AH:
606 return IPPROTO_AH;
607 case SADB_X_SATYPE_IPCOMP:
608 return IPPROTO_COMP;
609 default:
610 return satype;
611 }
612 }
613
614 /**
615 * convert the general ipsec mode to the one defined in ipsec.h
616 */
617 static u_int8_t mode2kernel(ipsec_mode_t mode)
618 {
619 switch (mode)
620 {
621 case MODE_TRANSPORT:
622 return IPSEC_MODE_TRANSPORT;
623 case MODE_TUNNEL:
624 return IPSEC_MODE_TUNNEL;
625 #ifdef HAVE_IPSEC_MODE_BEET
626 case MODE_BEET:
627 return IPSEC_MODE_BEET;
628 #endif
629 default:
630 return mode;
631 }
632 }
633
634 /**
635 * convert the general policy direction to the one defined in ipsec.h
636 */
637 static u_int8_t dir2kernel(policy_dir_t dir)
638 {
639 switch (dir)
640 {
641 case POLICY_IN:
642 return IPSEC_DIR_INBOUND;
643 case POLICY_OUT:
644 return IPSEC_DIR_OUTBOUND;
645 #ifdef HAVE_IPSEC_DIR_FWD
646 case POLICY_FWD:
647 return IPSEC_DIR_FWD;
648 #endif
649 default:
650 return IPSEC_DIR_INVALID;
651 }
652 }
653
654 /**
655 * convert the policy type to the one defined in ipsec.h
656 */
657 static inline u_int16_t type2kernel(policy_type_t type)
658 {
659 switch (type)
660 {
661 case POLICY_IPSEC:
662 return IPSEC_POLICY_IPSEC;
663 case POLICY_PASS:
664 return IPSEC_POLICY_NONE;
665 case POLICY_DROP:
666 return IPSEC_POLICY_DISCARD;
667 }
668 return type;
669 }
670
671 #ifdef SADB_X_MIGRATE
672 /**
673 * convert the policy direction in ipsec.h to the general one.
674 */
675 static policy_dir_t kernel2dir(u_int8_t dir)
676 {
677 switch (dir)
678 {
679 case IPSEC_DIR_INBOUND:
680 return POLICY_IN;
681 case IPSEC_DIR_OUTBOUND:
682 return POLICY_OUT;
683 #ifdef HAVE_IPSEC_DIR_FWD
684 case IPSEC_DIR_FWD:
685 return POLICY_FWD;
686 #endif
687 default:
688 return dir;
689 }
690 }
691 #endif /*SADB_X_MIGRATE*/
692
693 typedef struct kernel_algorithm_t kernel_algorithm_t;
694
695 /**
696 * Mapping of IKEv2 algorithms to PF_KEY algorithms
697 */
698 struct kernel_algorithm_t {
699 /**
700 * Identifier specified in IKEv2
701 */
702 int ikev2;
703
704 /**
705 * Identifier as defined in pfkeyv2.h
706 */
707 int kernel;
708 };
709
710 #define END_OF_LIST -1
711
712 /**
713 * Algorithms for encryption
714 */
715 static kernel_algorithm_t encryption_algs[] = {
716 /* {ENCR_DES_IV64, 0 }, */
717 {ENCR_DES, SADB_EALG_DESCBC },
718 {ENCR_3DES, SADB_EALG_3DESCBC },
719 /* {ENCR_RC5, 0 }, */
720 /* {ENCR_IDEA, 0 }, */
721 {ENCR_CAST, SADB_X_EALG_CASTCBC },
722 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
723 /* {ENCR_3IDEA, 0 }, */
724 /* {ENCR_DES_IV32, 0 }, */
725 {ENCR_NULL, SADB_EALG_NULL },
726 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
727 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
728 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
729 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
730 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
731 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
732 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
733 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
734 {END_OF_LIST, 0 },
735 };
736
737 /**
738 * Algorithms for integrity protection
739 */
740 static kernel_algorithm_t integrity_algs[] = {
741 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
742 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
743 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
744 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
745 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
746 /* {AUTH_DES_MAC, 0, }, */
747 /* {AUTH_KPDK_MD5, 0, }, */
748 #ifdef SADB_X_AALG_AES_XCBC_MAC
749 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
750 #endif
751 {END_OF_LIST, 0, },
752 };
753
754 #if 0
755 /**
756 * Algorithms for IPComp, unused yet
757 */
758 static kernel_algorithm_t compression_algs[] = {
759 /* {IPCOMP_OUI, 0 }, */
760 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
761 {IPCOMP_LZS, SADB_X_CALG_LZS },
762 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
763 {END_OF_LIST, 0 },
764 };
765 #endif
766
767 /**
768 * Look up a kernel algorithm ID and its key size
769 */
770 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
771 {
772 while (list->ikev2 != END_OF_LIST)
773 {
774 if (ikev2 == list->ikev2)
775 {
776 return list->kernel;
777 }
778 list++;
779 }
780 return 0;
781 }
782
783 /**
784 * Copy a host_t as sockaddr_t to the given memory location. Ports are
785 * reset to zero as per RFC 2367.
786 * @return the number of bytes copied
787 */
788 static size_t hostcpy(void *dest, host_t *host)
789 {
790 sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
791 socklen_t *len = host->get_sockaddr_len(host);
792 memcpy(dest, addr, *len);
793 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
794 dest_addr->sa_len = *len;
795 #endif
796 switch (dest_addr->sa_family)
797 {
798 case AF_INET:
799 {
800 struct sockaddr_in *sin = dest;
801 sin->sin_port = 0;
802 break;
803 }
804 case AF_INET6:
805 {
806 struct sockaddr_in6 *sin6 = dest;
807 sin6->sin6_port = 0;
808 break;
809 }
810 }
811 return *len;
812 }
813
814 /**
815 * add a host behind an sadb_address extension
816 */
817 static void host2ext(host_t *host, struct sadb_address *ext)
818 {
819 size_t len = hostcpy(ext + 1, host);
820 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len);
821 }
822
823 /**
824 * add a host to the given sadb_msg
825 */
826 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
827 u_int8_t proto, u_int8_t prefixlen)
828 {
829 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
830 addr->sadb_address_exttype = type;
831 addr->sadb_address_proto = proto;
832 addr->sadb_address_prefixlen = prefixlen;
833 host2ext(host, addr);
834 PFKEY_EXT_ADD(msg, addr);
835 }
836
837 /**
838 * adds an empty address extension to the given sadb_msg
839 */
840 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
841 {
842 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
843 sizeof(struct sockaddr_in6);
844 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
845 addr->sadb_address_exttype = type;
846 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
847 saddr->sa_family = family;
848 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
849 saddr->sa_len = len;
850 #endif
851 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
852 PFKEY_EXT_ADD(msg, addr);
853 }
854
855 #ifdef HAVE_NATT
856 /**
857 * add udp encap extensions to a sadb_msg
858 */
859 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
860 {
861 struct sadb_x_nat_t_type* nat_type;
862 struct sadb_x_nat_t_port* nat_port;
863
864 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
865 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
866 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(*nat_type));
867 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
868 PFKEY_EXT_ADD(msg, nat_type);
869
870 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
871 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
872 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
873 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
874 PFKEY_EXT_ADD(msg, nat_port);
875
876 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
877 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
878 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
879 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
880 PFKEY_EXT_ADD(msg, nat_port);
881 }
882 #endif /*HAVE_NATT*/
883
884 /**
885 * Convert a sadb_address to a traffic_selector
886 */
887 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
888 {
889 traffic_selector_t *ts;
890 host_t *host;
891
892 /* The Linux 2.6 kernel does not set the protocol and port information
893 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
894 */
895 host = host_create_from_sockaddr((sockaddr_t*)&address[1]);
896 ts = traffic_selector_create_from_subnet(host,
897 address->sadb_address_prefixlen,
898 address->sadb_address_proto,
899 host->get_port(host));
900 return ts;
901 }
902
903 /**
904 * Parses a pfkey message received from the kernel
905 */
906 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
907 {
908 struct sadb_ext* ext;
909 size_t len;
910
911 memset(out, 0, sizeof(pfkey_msg_t));
912 out->msg = msg;
913
914 len = msg->sadb_msg_len;
915 len -= PFKEY_LEN(sizeof(struct sadb_msg));
916
917 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
918
919 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
920 {
921 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
922 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
923 ext->sadb_ext_len > len)
924 {
925 DBG1(DBG_KNL, "length of %N extension is invalid",
926 sadb_ext_type_names, ext->sadb_ext_type);
927 break;
928 }
929
930 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
931 {
932 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid",
933 ext->sadb_ext_type);
934 break;
935 }
936
937 if (out->ext[ext->sadb_ext_type])
938 {
939 DBG1(DBG_KNL, "duplicate %N extension",
940 sadb_ext_type_names, ext->sadb_ext_type);
941 break;
942 }
943
944 out->ext[ext->sadb_ext_type] = ext;
945 ext = PFKEY_EXT_NEXT_LEN(ext, len);
946 }
947
948 if (len)
949 {
950 DBG1(DBG_KNL, "PF_KEY message length is invalid");
951 return FAILED;
952 }
953
954 return SUCCESS;
955 }
956
957 /**
958 * Send a message to a specific PF_KEY socket and handle the response.
959 */
960 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
961 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
962 {
963 unsigned char buf[PFKEY_BUFFER_SIZE];
964 struct sadb_msg *msg;
965 int in_len, len;
966
967 this->mutex_pfkey->lock(this->mutex_pfkey);
968
969 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
970 * in particular the behavior in response to an SADB_ACQUIRE. */
971 in->sadb_msg_seq = ++this->seq;
972 in->sadb_msg_pid = getpid();
973
974 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
975
976 while (TRUE)
977 {
978 len = send(socket, in, in_len, 0);
979
980 if (len != in_len)
981 {
982 if (errno == EINTR)
983 {
984 /* interrupted, try again */
985 continue;
986 }
987 this->mutex_pfkey->unlock(this->mutex_pfkey);
988 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s",
989 strerror(errno));
990 return FAILED;
991 }
992 break;
993 }
994
995 while (TRUE)
996 {
997 msg = (struct sadb_msg*)buf;
998
999 len = recv(socket, buf, sizeof(buf), 0);
1000
1001 if (len < 0)
1002 {
1003 if (errno == EINTR)
1004 {
1005 DBG1(DBG_KNL, "got interrupted");
1006 /* interrupted, try again */
1007 continue;
1008 }
1009 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s",
1010 strerror(errno));
1011 this->mutex_pfkey->unlock(this->mutex_pfkey);
1012 return FAILED;
1013 }
1014 if (len < sizeof(struct sadb_msg) ||
1015 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1016 {
1017 DBG1(DBG_KNL, "received corrupted PF_KEY message");
1018 this->mutex_pfkey->unlock(this->mutex_pfkey);
1019 return FAILED;
1020 }
1021 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1022 {
1023 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY "
1024 "message");
1025 this->mutex_pfkey->unlock(this->mutex_pfkey);
1026 return FAILED;
1027 }
1028 if (msg->sadb_msg_pid != in->sadb_msg_pid)
1029 {
1030 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
1031 continue;
1032 }
1033 if (msg->sadb_msg_seq != this->seq)
1034 {
1035 DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
1036 "number, was %d expected %d", msg->sadb_msg_seq,
1037 this->seq);
1038 if (msg->sadb_msg_seq == 0)
1039 {
1040 /* FreeBSD and Mac OS X do this for the response to
1041 * SADB_X_SPDGET (but not for the response to SADB_GET).
1042 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
1043 }
1044 else if (msg->sadb_msg_seq < this->seq)
1045 {
1046 continue;
1047 }
1048 else
1049 {
1050 this->mutex_pfkey->unlock(this->mutex_pfkey);
1051 return FAILED;
1052 }
1053 }
1054 if (msg->sadb_msg_type != in->sadb_msg_type)
1055 {
1056 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
1057 "was %d expected %d, ignoring", msg->sadb_msg_type,
1058 in->sadb_msg_type);
1059 }
1060 break;
1061 }
1062
1063 *out_len = len;
1064 *out = (struct sadb_msg*)malloc(len);
1065 memcpy(*out, buf, len);
1066
1067 this->mutex_pfkey->unlock(this->mutex_pfkey);
1068 return SUCCESS;
1069 }
1070
1071 /**
1072 * Send a message to the default PF_KEY socket and handle the response.
1073 */
1074 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
1075 struct sadb_msg *in, struct sadb_msg **out,
1076 size_t *out_len)
1077 {
1078 return pfkey_send_socket(this, this->socket, in, out, out_len);
1079 }
1080
1081 /**
1082 * Process a SADB_ACQUIRE message from the kernel
1083 */
1084 static void process_acquire(private_kernel_pfkey_ipsec_t *this,
1085 struct sadb_msg* msg)
1086 {
1087 pfkey_msg_t response;
1088 u_int32_t index, reqid = 0;
1089 traffic_selector_t *src_ts, *dst_ts;
1090 policy_entry_t *policy;
1091 policy_sa_t *sa;
1092
1093 switch (msg->sadb_msg_satype)
1094 {
1095 case SADB_SATYPE_UNSPEC:
1096 case SADB_SATYPE_ESP:
1097 case SADB_SATYPE_AH:
1098 break;
1099 default:
1100 /* acquire for AH/ESP only */
1101 return;
1102 }
1103 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
1104
1105 if (parse_pfkey_message(msg, &response) != SUCCESS)
1106 {
1107 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
1108 return;
1109 }
1110
1111 index = response.x_policy->sadb_x_policy_id;
1112 this->mutex->lock(this->mutex);
1113 if (this->policies->find_first(this->policies,
1114 (linked_list_match_t)policy_entry_match_byindex,
1115 (void**)&policy, &index) == SUCCESS &&
1116 policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS)
1117 {
1118 reqid = sa->sa->cfg.reqid;
1119 }
1120 else
1121 {
1122 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no "
1123 "matching policy found", index);
1124 }
1125 this->mutex->unlock(this->mutex);
1126
1127 src_ts = sadb_address2ts(response.src);
1128 dst_ts = sadb_address2ts(response.dst);
1129
1130 hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
1131 dst_ts);
1132 }
1133
1134 /**
1135 * Process a SADB_EXPIRE message from the kernel
1136 */
1137 static void process_expire(private_kernel_pfkey_ipsec_t *this,
1138 struct sadb_msg* msg)
1139 {
1140 pfkey_msg_t response;
1141 u_int8_t protocol;
1142 u_int32_t spi, reqid;
1143 bool hard;
1144
1145 DBG2(DBG_KNL, "received an SADB_EXPIRE");
1146
1147 if (parse_pfkey_message(msg, &response) != SUCCESS)
1148 {
1149 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
1150 return;
1151 }
1152
1153 protocol = satype2proto(msg->sadb_msg_satype);
1154 spi = response.sa->sadb_sa_spi;
1155 reqid = response.x_sa2->sadb_x_sa2_reqid;
1156 hard = response.lft_hard != NULL;
1157
1158 if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
1159 {
1160 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and "
1161 "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
1162 return;
1163 }
1164
1165 hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
1166 spi, hard);
1167 }
1168
1169 #ifdef SADB_X_MIGRATE
1170 /**
1171 * Process a SADB_X_MIGRATE message from the kernel
1172 */
1173 static void process_migrate(private_kernel_pfkey_ipsec_t *this,
1174 struct sadb_msg* msg)
1175 {
1176 pfkey_msg_t response;
1177 traffic_selector_t *src_ts, *dst_ts;
1178 policy_dir_t dir;
1179 u_int32_t reqid = 0;
1180 host_t *local = NULL, *remote = NULL;
1181
1182 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
1183
1184 if (parse_pfkey_message(msg, &response) != SUCCESS)
1185 {
1186 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
1187 return;
1188 }
1189 src_ts = sadb_address2ts(response.src);
1190 dst_ts = sadb_address2ts(response.dst);
1191 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
1192 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
1193 policy_dir_names, dir);
1194
1195 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
1196 if (response.x_kmaddress)
1197 {
1198 sockaddr_t *local_addr, *remote_addr;
1199 u_int32_t local_len;
1200
1201 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
1202 local = host_create_from_sockaddr(local_addr);
1203 local_len = (local_addr->sa_family == AF_INET6)?
1204 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
1205 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
1206 remote = host_create_from_sockaddr(remote_addr);
1207 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1208 }
1209
1210 if (src_ts && dst_ts && local && remote)
1211 {
1212 hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
1213 src_ts, dst_ts, dir, local, remote);
1214 }
1215 else
1216 {
1217 DESTROY_IF(src_ts);
1218 DESTROY_IF(dst_ts);
1219 DESTROY_IF(local);
1220 DESTROY_IF(remote);
1221 }
1222 }
1223 #endif /*SADB_X_MIGRATE*/
1224
1225 #ifdef SADB_X_NAT_T_NEW_MAPPING
1226 /**
1227 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1228 */
1229 static void process_mapping(private_kernel_pfkey_ipsec_t *this,
1230 struct sadb_msg* msg)
1231 {
1232 pfkey_msg_t response;
1233 u_int32_t spi, reqid;
1234 sockaddr_t *sa;
1235 host_t *host;
1236
1237 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1238
1239 if (parse_pfkey_message(msg, &response) != SUCCESS)
1240 {
1241 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1242 return;
1243 }
1244
1245 if (!response.x_sa2)
1246 {
1247 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required "
1248 "information");
1249 return;
1250 }
1251
1252 spi = response.sa->sadb_sa_spi;
1253 reqid = response.x_sa2->sadb_x_sa2_reqid;
1254
1255 if (satype2proto(msg->sadb_msg_satype) != IPPROTO_ESP)
1256 {
1257 return;
1258 }
1259
1260 sa = (sockaddr_t*)(response.dst + 1);
1261 switch (sa->sa_family)
1262 {
1263 case AF_INET:
1264 {
1265 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1266 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1267 }
1268 case AF_INET6:
1269 {
1270 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1271 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1272 }
1273 default:
1274 break;
1275 }
1276
1277 host = host_create_from_sockaddr(sa);
1278 if (host)
1279 {
1280 hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
1281 spi, host);
1282 }
1283 }
1284 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1285
1286 /**
1287 * Receives events from kernel
1288 */
1289 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1290 {
1291 unsigned char buf[PFKEY_BUFFER_SIZE];
1292 struct sadb_msg *msg = (struct sadb_msg*)buf;
1293 bool oldstate;
1294 int len;
1295
1296 oldstate = thread_cancelability(TRUE);
1297 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1298 thread_cancelability(oldstate);
1299
1300 if (len < 0)
1301 {
1302 switch (errno)
1303 {
1304 case EINTR:
1305 /* interrupted, try again */
1306 return JOB_REQUEUE_DIRECT;
1307 case EAGAIN:
1308 /* no data ready, select again */
1309 return JOB_REQUEUE_DIRECT;
1310 default:
1311 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1312 sleep(1);
1313 return JOB_REQUEUE_FAIR;
1314 }
1315 }
1316
1317 if (len < sizeof(struct sadb_msg) ||
1318 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1319 {
1320 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1321 return JOB_REQUEUE_DIRECT;
1322 }
1323 if (msg->sadb_msg_pid != 0)
1324 { /* not from kernel. not interested, try another one */
1325 return JOB_REQUEUE_DIRECT;
1326 }
1327 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1328 {
1329 DBG1(DBG_KNL, "buffer was too small to receive the complete "
1330 "PF_KEY message");
1331 return JOB_REQUEUE_DIRECT;
1332 }
1333
1334 switch (msg->sadb_msg_type)
1335 {
1336 case SADB_ACQUIRE:
1337 process_acquire(this, msg);
1338 break;
1339 case SADB_EXPIRE:
1340 process_expire(this, msg);
1341 break;
1342 #ifdef SADB_X_MIGRATE
1343 case SADB_X_MIGRATE:
1344 process_migrate(this, msg);
1345 break;
1346 #endif /*SADB_X_MIGRATE*/
1347 #ifdef SADB_X_NAT_T_NEW_MAPPING
1348 case SADB_X_NAT_T_NEW_MAPPING:
1349 process_mapping(this, msg);
1350 break;
1351 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1352 default:
1353 break;
1354 }
1355
1356 return JOB_REQUEUE_DIRECT;
1357 }
1358
1359 METHOD(kernel_ipsec_t, get_spi, status_t,
1360 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1361 u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
1362 {
1363 unsigned char request[PFKEY_BUFFER_SIZE];
1364 struct sadb_msg *msg, *out;
1365 struct sadb_x_sa2 *sa2;
1366 struct sadb_spirange *range;
1367 pfkey_msg_t response;
1368 u_int32_t received_spi = 0;
1369 size_t len;
1370
1371 memset(&request, 0, sizeof(request));
1372
1373 msg = (struct sadb_msg*)request;
1374 msg->sadb_msg_version = PF_KEY_V2;
1375 msg->sadb_msg_type = SADB_GETSPI;
1376 msg->sadb_msg_satype = proto2satype(protocol);
1377 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1378
1379 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1380 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1381 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1382 sa2->sadb_x_sa2_reqid = reqid;
1383 PFKEY_EXT_ADD(msg, sa2);
1384
1385 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1386 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1387
1388 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1389 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1390 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1391 range->sadb_spirange_min = 0xc0000000;
1392 range->sadb_spirange_max = 0xcFFFFFFF;
1393 PFKEY_EXT_ADD(msg, range);
1394
1395 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1396 {
1397 if (out->sadb_msg_errno)
1398 {
1399 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1400 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1401 }
1402 else if (parse_pfkey_message(out, &response) == SUCCESS)
1403 {
1404 received_spi = response.sa->sadb_sa_spi;
1405 }
1406 free(out);
1407 }
1408
1409 if (received_spi == 0)
1410 {
1411 return FAILED;
1412 }
1413
1414 *spi = received_spi;
1415 return SUCCESS;
1416 }
1417
1418 METHOD(kernel_ipsec_t, get_cpi, status_t,
1419 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1420 u_int32_t reqid, u_int16_t *cpi)
1421 {
1422 return FAILED;
1423 }
1424
1425 METHOD(kernel_ipsec_t, add_sa, status_t,
1426 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
1427 u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
1428 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
1429 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
1430 u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
1431 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
1432 {
1433 unsigned char request[PFKEY_BUFFER_SIZE];
1434 struct sadb_msg *msg, *out;
1435 struct sadb_sa *sa;
1436 struct sadb_x_sa2 *sa2;
1437 struct sadb_lifetime *lft;
1438 struct sadb_key *key;
1439 size_t len;
1440
1441 memset(&request, 0, sizeof(request));
1442
1443 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
1444 ntohl(spi), reqid);
1445
1446 msg = (struct sadb_msg*)request;
1447 msg->sadb_msg_version = PF_KEY_V2;
1448 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1449 msg->sadb_msg_satype = proto2satype(protocol);
1450 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1451
1452 #ifdef __APPLE__
1453 if (encap)
1454 {
1455 struct sadb_sa_2 *sa_2;
1456 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1457 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1458 sa = &sa_2->sa;
1459 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1460 len = sizeof(struct sadb_sa_2);
1461 }
1462 else
1463 #endif
1464 {
1465 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1466 len = sizeof(struct sadb_sa);
1467 }
1468 sa->sadb_sa_exttype = SADB_EXT_SA;
1469 sa->sadb_sa_len = PFKEY_LEN(len);
1470 sa->sadb_sa_spi = spi;
1471 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1472 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1473 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1474 PFKEY_EXT_ADD(msg, sa);
1475
1476 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1477 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1478 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1479 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1480 sa2->sadb_x_sa2_reqid = reqid;
1481 PFKEY_EXT_ADD(msg, sa2);
1482
1483 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1484 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1485
1486 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1487 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1488 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1489 lft->sadb_lifetime_allocations = lifetime->packets.rekey;
1490 lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
1491 lft->sadb_lifetime_addtime = lifetime->time.rekey;
1492 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1493 PFKEY_EXT_ADD(msg, lft);
1494
1495 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1496 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1497 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1498 lft->sadb_lifetime_allocations = lifetime->packets.life;
1499 lft->sadb_lifetime_bytes = lifetime->bytes.life;
1500 lft->sadb_lifetime_addtime = lifetime->time.life;
1501 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1502 PFKEY_EXT_ADD(msg, lft);
1503
1504 if (enc_alg != ENCR_UNDEFINED)
1505 {
1506 if (!sa->sadb_sa_encrypt)
1507 {
1508 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1509 encryption_algorithm_names, enc_alg);
1510 return FAILED;
1511 }
1512 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1513 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1514
1515 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1516 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1517 key->sadb_key_bits = enc_key.len * 8;
1518 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1519 memcpy(key + 1, enc_key.ptr, enc_key.len);
1520
1521 PFKEY_EXT_ADD(msg, key);
1522 }
1523
1524 if (int_alg != AUTH_UNDEFINED)
1525 {
1526 if (!sa->sadb_sa_auth)
1527 {
1528 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1529 integrity_algorithm_names, int_alg);
1530 return FAILED;
1531 }
1532 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1533 integrity_algorithm_names, int_alg, int_key.len * 8);
1534
1535 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1536 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1537 key->sadb_key_bits = int_key.len * 8;
1538 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1539 memcpy(key + 1, int_key.ptr, int_key.len);
1540
1541 PFKEY_EXT_ADD(msg, key);
1542 }
1543
1544 if (ipcomp != IPCOMP_NONE)
1545 {
1546 /*TODO*/
1547 }
1548
1549 #ifdef HAVE_NATT
1550 if (encap)
1551 {
1552 add_encap_ext(msg, src, dst);
1553 }
1554 #endif /*HAVE_NATT*/
1555
1556 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1557 {
1558 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1559 return FAILED;
1560 }
1561 else if (out->sadb_msg_errno)
1562 {
1563 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1564 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1565 free(out);
1566 return FAILED;
1567 }
1568
1569 free(out);
1570 return SUCCESS;
1571 }
1572
1573 METHOD(kernel_ipsec_t, update_sa, status_t,
1574 private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
1575 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1576 bool encap, bool new_encap, mark_t mark)
1577 {
1578 unsigned char request[PFKEY_BUFFER_SIZE];
1579 struct sadb_msg *msg, *out;
1580 struct sadb_sa *sa;
1581 pfkey_msg_t response;
1582 size_t len;
1583
1584 /* we can't update the SA if any of the ip addresses have changed.
1585 * that's because we can't use SADB_UPDATE and by deleting and readding the
1586 * SA the sequence numbers would get lost */
1587 if (!src->ip_equals(src, new_src) ||
1588 !dst->ip_equals(dst, new_dst))
1589 {
1590 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address "
1591 "changes are not supported", ntohl(spi));
1592 return NOT_SUPPORTED;
1593 }
1594
1595 memset(&request, 0, sizeof(request));
1596
1597 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1598
1599 msg = (struct sadb_msg*)request;
1600 msg->sadb_msg_version = PF_KEY_V2;
1601 msg->sadb_msg_type = SADB_GET;
1602 msg->sadb_msg_satype = proto2satype(protocol);
1603 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1604
1605 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1606 sa->sadb_sa_exttype = SADB_EXT_SA;
1607 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1608 sa->sadb_sa_spi = spi;
1609 PFKEY_EXT_ADD(msg, sa);
1610
1611 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1612 * it is not used for anything. */
1613 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1614 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1615
1616 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1617 {
1618 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1619 return FAILED;
1620 }
1621 else if (out->sadb_msg_errno)
1622 {
1623 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1624 ntohl(spi), strerror(out->sadb_msg_errno),
1625 out->sadb_msg_errno);
1626 free(out);
1627 return FAILED;
1628 }
1629 else if (parse_pfkey_message(out, &response) != SUCCESS)
1630 {
1631 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing "
1632 "response from kernel failed", ntohl(spi));
1633 free(out);
1634 return FAILED;
1635 }
1636
1637 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1638 ntohl(spi), src, dst, new_src, new_dst);
1639
1640 memset(&request, 0, sizeof(request));
1641
1642 msg = (struct sadb_msg*)request;
1643 msg->sadb_msg_version = PF_KEY_V2;
1644 msg->sadb_msg_type = SADB_UPDATE;
1645 msg->sadb_msg_satype = proto2satype(protocol);
1646 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1647
1648 #ifdef __APPLE__
1649 {
1650 struct sadb_sa_2 *sa_2;
1651 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1652 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1653 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1654 if (encap)
1655 {
1656 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1657 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1658 }
1659 }
1660 #else
1661 PFKEY_EXT_COPY(msg, response.sa);
1662 #endif
1663 PFKEY_EXT_COPY(msg, response.x_sa2);
1664
1665 PFKEY_EXT_COPY(msg, response.src);
1666 PFKEY_EXT_COPY(msg, response.dst);
1667
1668 PFKEY_EXT_COPY(msg, response.lft_soft);
1669 PFKEY_EXT_COPY(msg, response.lft_hard);
1670
1671 if (response.key_encr)
1672 {
1673 PFKEY_EXT_COPY(msg, response.key_encr);
1674 }
1675
1676 if (response.key_auth)
1677 {
1678 PFKEY_EXT_COPY(msg, response.key_auth);
1679 }
1680
1681 #ifdef HAVE_NATT
1682 if (new_encap)
1683 {
1684 add_encap_ext(msg, new_src, new_dst);
1685 }
1686 #endif /*HAVE_NATT*/
1687
1688 free(out);
1689
1690 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1691 {
1692 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1693 return FAILED;
1694 }
1695 else if (out->sadb_msg_errno)
1696 {
1697 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1698 ntohl(spi), strerror(out->sadb_msg_errno),
1699 out->sadb_msg_errno);
1700 free(out);
1701 return FAILED;
1702 }
1703 free(out);
1704
1705 return SUCCESS;
1706 }
1707
1708 METHOD(kernel_ipsec_t, query_sa, status_t,
1709 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1710 u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
1711 {
1712 unsigned char request[PFKEY_BUFFER_SIZE];
1713 struct sadb_msg *msg, *out;
1714 struct sadb_sa *sa;
1715 pfkey_msg_t response;
1716 size_t len;
1717
1718 memset(&request, 0, sizeof(request));
1719
1720 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1721
1722 msg = (struct sadb_msg*)request;
1723 msg->sadb_msg_version = PF_KEY_V2;
1724 msg->sadb_msg_type = SADB_GET;
1725 msg->sadb_msg_satype = proto2satype(protocol);
1726 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1727
1728 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1729 sa->sadb_sa_exttype = SADB_EXT_SA;
1730 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1731 sa->sadb_sa_spi = spi;
1732 PFKEY_EXT_ADD(msg, sa);
1733
1734 /* the Linux Kernel doesn't care for the src address, but other systems do
1735 * (e.g. FreeBSD)
1736 */
1737 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1738 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1739
1740 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1741 {
1742 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1743 return FAILED;
1744 }
1745 else if (out->sadb_msg_errno)
1746 {
1747 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1748 ntohl(spi), strerror(out->sadb_msg_errno),
1749 out->sadb_msg_errno);
1750 free(out);
1751 return FAILED;
1752 }
1753 else if (parse_pfkey_message(out, &response) != SUCCESS)
1754 {
1755 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1756 free(out);
1757 return FAILED;
1758 }
1759 *bytes = response.lft_current->sadb_lifetime_bytes;
1760
1761 free(out);
1762 return SUCCESS;
1763 }
1764
1765 METHOD(kernel_ipsec_t, del_sa, status_t,
1766 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1767 u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
1768 {
1769 unsigned char request[PFKEY_BUFFER_SIZE];
1770 struct sadb_msg *msg, *out;
1771 struct sadb_sa *sa;
1772 size_t len;
1773
1774 memset(&request, 0, sizeof(request));
1775
1776 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1777
1778 msg = (struct sadb_msg*)request;
1779 msg->sadb_msg_version = PF_KEY_V2;
1780 msg->sadb_msg_type = SADB_DELETE;
1781 msg->sadb_msg_satype = proto2satype(protocol);
1782 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1783
1784 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1785 sa->sadb_sa_exttype = SADB_EXT_SA;
1786 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1787 sa->sadb_sa_spi = spi;
1788 PFKEY_EXT_ADD(msg, sa);
1789
1790 /* the Linux Kernel doesn't care for the src address, but other systems do
1791 * (e.g. FreeBSD)
1792 */
1793 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1794 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1795
1796 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1797 {
1798 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1799 return FAILED;
1800 }
1801 else if (out->sadb_msg_errno)
1802 {
1803 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1804 ntohl(spi), strerror(out->sadb_msg_errno),
1805 out->sadb_msg_errno);
1806 free(out);
1807 return FAILED;
1808 }
1809
1810 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1811 free(out);
1812 return SUCCESS;
1813 }
1814
1815 /**
1816 * Add or update a policy in the kernel.
1817 *
1818 * Note: The mutex has to be locked when entering this function.
1819 */
1820 static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
1821 policy_entry_t *policy, policy_sa_t *mapping, bool update)
1822 {
1823 unsigned char request[PFKEY_BUFFER_SIZE];
1824 struct sadb_msg *msg, *out;
1825 struct sadb_x_policy *pol;
1826 struct sadb_x_ipsecrequest *req;
1827 ipsec_sa_t *ipsec = mapping->sa;
1828 pfkey_msg_t response;
1829 size_t len;
1830
1831 memset(&request, 0, sizeof(request));
1832
1833 msg = (struct sadb_msg*)request;
1834 msg->sadb_msg_version = PF_KEY_V2;
1835 msg->sadb_msg_type = update ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1836 msg->sadb_msg_satype = 0;
1837 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1838
1839 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1840 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1841 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1842 pol->sadb_x_policy_id = 0;
1843 pol->sadb_x_policy_dir = dir2kernel(policy->direction);
1844 pol->sadb_x_policy_type = type2kernel(mapping->type);
1845 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1846 pol->sadb_x_policy_priority = mapping->priority;
1847 #endif
1848
1849 /* one or more sadb_x_ipsecrequest extensions are added to the
1850 * sadb_x_policy extension */
1851 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1852 req->sadb_x_ipsecrequest_proto = ipsec->cfg.esp.use ? IPPROTO_ESP
1853 : IPPROTO_AH;
1854 /* !!! the length here MUST be in octets instead of 64 bit words */
1855 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1856 req->sadb_x_ipsecrequest_mode = mode2kernel(ipsec->cfg.mode);
1857 req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid;
1858 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1859 if (ipsec->cfg.mode == MODE_TUNNEL)
1860 {
1861 len = hostcpy(req + 1, ipsec->src);
1862 req->sadb_x_ipsecrequest_len += len;
1863 len = hostcpy((char*)(req + 1) + len, ipsec->dst);
1864 req->sadb_x_ipsecrequest_len += len;
1865 }
1866
1867 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1868 PFKEY_EXT_ADD(msg, pol);
1869
1870 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1871 policy->src.mask);
1872 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1873 policy->dst.mask);
1874
1875 #ifdef __FreeBSD__
1876 { /* on FreeBSD a lifetime has to be defined to be able to later query
1877 * the current use time. */
1878 struct sadb_lifetime *lft;
1879 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1880 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1881 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1882 lft->sadb_lifetime_addtime = LONG_MAX;
1883 PFKEY_EXT_ADD(msg, lft);
1884 }
1885 #endif
1886
1887 this->mutex->unlock(this->mutex);
1888
1889 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1890 {
1891 return FAILED;
1892 }
1893 else if (out->sadb_msg_errno)
1894 {
1895 DBG1(DBG_KNL, "unable to %s policy: %s (%d)",
1896 update ? "update" : "add", strerror(out->sadb_msg_errno),
1897 out->sadb_msg_errno);
1898 free(out);
1899 return FAILED;
1900 }
1901 else if (parse_pfkey_message(out, &response) != SUCCESS)
1902 {
1903 DBG1(DBG_KNL, "unable to %s policy: parsing response from kernel "
1904 "failed", update ? "update" : "add");
1905 free(out);
1906 return FAILED;
1907 }
1908
1909 /* we try to find the policy again and update the kernel index */
1910 this->mutex->lock(this->mutex);
1911 if (this->policies->find_last(this->policies, NULL,
1912 (void**)&policy) != SUCCESS)
1913 {
1914 DBG2(DBG_KNL, "unable to update index, the policy is already gone, "
1915 "ignoring");
1916 this->mutex->unlock(this->mutex);
1917 free(out);
1918 return SUCCESS;
1919 }
1920 policy->index = response.x_policy->sadb_x_policy_id;
1921 free(out);
1922
1923 /* install a route, if:
1924 * - this is a forward policy (to just get one for each child)
1925 * - we are in tunnel mode
1926 * - routing is not disabled via strongswan.conf
1927 */
1928 if (policy->direction == POLICY_FWD &&
1929 ipsec->cfg.mode != MODE_TRANSPORT && this->install_routes)
1930 {
1931 route_entry_t *route = malloc_thing(route_entry_t);
1932 policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping;
1933
1934 if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
1935 fwd->dst_ts, &route->src_ip) == SUCCESS)
1936 {
1937 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1938 route->gateway = hydra->kernel_interface->get_nexthop(
1939 hydra->kernel_interface, ipsec->src);
1940 /* install route via outgoing interface */
1941 route->if_name = hydra->kernel_interface->get_interface(
1942 hydra->kernel_interface, ipsec->dst);
1943 route->dst_net = chunk_clone(policy->src.net->get_address(
1944 policy->src.net));
1945 route->prefixlen = policy->src.mask;
1946
1947 if (!route->if_name)
1948 {
1949 this->mutex->unlock(this->mutex);
1950 route_entry_destroy(route);
1951 return SUCCESS;
1952 }
1953
1954 if (policy->route)
1955 {
1956 route_entry_t *old = policy->route;
1957 if (route_entry_equals(old, route))
1958 { /* keep previously installed route */
1959 this->mutex->unlock(this->mutex);
1960 route_entry_destroy(route);
1961 return SUCCESS;
1962 }
1963 /* uninstall previously installed route */
1964 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
1965 old->dst_net, old->prefixlen, old->gateway,
1966 old->src_ip, old->if_name) != SUCCESS)
1967 {
1968 DBG1(DBG_KNL, "error uninstalling route installed with "
1969 "policy %R === %R %N", fwd->src_ts,
1970 fwd->dst_ts, policy_dir_names,
1971 policy->direction);
1972 }
1973 route_entry_destroy(old);
1974 policy->route = NULL;
1975 }
1976
1977 DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
1978 fwd->src_ts, route->gateway, route->src_ip, route->if_name);
1979 switch (hydra->kernel_interface->add_route(
1980 hydra->kernel_interface, route->dst_net,
1981 route->prefixlen, route->gateway,
1982 route->src_ip, route->if_name))
1983 {
1984 default:
1985 DBG1(DBG_KNL, "unable to install source route for %H",
1986 route->src_ip);
1987 /* FALL */
1988 case ALREADY_DONE:
1989 /* route exists, do not uninstall */
1990 route_entry_destroy(route);
1991 break;
1992 case SUCCESS:
1993 /* cache the installed route */
1994 policy->route = route;
1995 break;
1996 }
1997 }
1998 else
1999 {
2000 free(route);
2001 }
2002 }
2003 this->mutex->unlock(this->mutex);
2004 return SUCCESS;
2005 }
2006
2007 METHOD(kernel_ipsec_t, add_policy, status_t,
2008 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
2009 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
2010 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
2011 mark_t mark, bool routed)
2012 {
2013 policy_entry_t *policy, *found = NULL;
2014 policy_sa_t *assigned_sa, *current_sa;
2015 enumerator_t *enumerator;
2016 bool update = TRUE;
2017
2018 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2019 { /* FWD policies are not supported on all platforms */
2020 return SUCCESS;
2021 }
2022
2023 /* create a policy */
2024 policy = create_policy_entry(src_ts, dst_ts, direction);
2025
2026 /* find a matching policy */
2027 this->mutex->lock(this->mutex);
2028 if (this->policies->find_first(this->policies,
2029 (linked_list_match_t)policy_entry_equals,
2030 (void**)&found, policy) == SUCCESS)
2031 { /* use existing policy */
2032 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
2033 "refcount", src_ts, dst_ts, policy_dir_names, direction);
2034 policy_entry_destroy(policy, this);
2035 policy = found;
2036 }
2037 else
2038 { /* use the new one, if we have no such policy */
2039 this->policies->insert_last(this->policies, policy);
2040 policy->used_by = linked_list_create();
2041 }
2042
2043 /* cache the assigned IPsec SA */
2044 assigned_sa = policy_sa_create(this, direction, type, src, dst, src_ts,
2045 dst_ts, sa);
2046
2047
2048 /* calculate priority based on selector size, small size = high prio */
2049 assigned_sa->priority = routed ? PRIO_LOW : PRIO_HIGH;
2050 assigned_sa->priority -= policy->src.mask;
2051 assigned_sa->priority -= policy->dst.mask;
2052 assigned_sa->priority <<= 2; /* make some room for the two flags */
2053 assigned_sa->priority += policy->src.net->get_port(policy->src.net) ||
2054 policy->dst.net->get_port(policy->dst.net) ?
2055 0 : 2;
2056 assigned_sa->priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1;
2057
2058 /* insert the SA according to its priority */
2059 enumerator = policy->used_by->create_enumerator(policy->used_by);
2060 while (enumerator->enumerate(enumerator, (void**)&current_sa))
2061 {
2062 if (current_sa->priority >= assigned_sa->priority)
2063 {
2064 break;
2065 }
2066 update = FALSE;
2067 }
2068 policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa);
2069 enumerator->destroy(enumerator);
2070
2071 if (!update)
2072 { /* we don't update the policy if the priority is lower than that of the
2073 * currently installed one */
2074 this->mutex->unlock(this->mutex);
2075 return SUCCESS;
2076 }
2077
2078 DBG2(DBG_KNL, "%s policy %R === %R %N",
2079 found ? "updating" : "adding", src_ts, dst_ts,
2080 policy_dir_names, direction);
2081
2082 if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS)
2083 {
2084 DBG1(DBG_KNL, "unable to %s policy %R === %R %N",
2085 found ? "update" : "add", src_ts, dst_ts,
2086 policy_dir_names, direction);
2087 return FAILED;
2088 }
2089 return SUCCESS;
2090 }
2091
2092 METHOD(kernel_ipsec_t, query_policy, status_t,
2093 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
2094 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
2095 u_int32_t *use_time)
2096 {
2097 unsigned char request[PFKEY_BUFFER_SIZE];
2098 struct sadb_msg *msg, *out;
2099 struct sadb_x_policy *pol;
2100 policy_entry_t *policy, *found = NULL;
2101 pfkey_msg_t response;
2102 size_t len;
2103
2104 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2105 { /* FWD policies are not supported on all platforms */
2106 return NOT_FOUND;
2107 }
2108
2109 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
2110 policy_dir_names, direction);
2111
2112 /* create a policy */
2113 policy = create_policy_entry(src_ts, dst_ts, direction);
2114
2115 /* find a matching policy */
2116 this->mutex->lock(this->mutex);
2117 if (this->policies->find_first(this->policies,
2118 (linked_list_match_t)policy_entry_equals,
2119 (void**)&found, policy) != SUCCESS)
2120 {
2121 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
2122 dst_ts, policy_dir_names, direction);
2123 policy_entry_destroy(policy, this);
2124 this->mutex->unlock(this->mutex);
2125 return NOT_FOUND;
2126 }
2127 policy_entry_destroy(policy, this);
2128 policy = found;
2129
2130 memset(&request, 0, sizeof(request));
2131
2132 msg = (struct sadb_msg*)request;
2133 msg->sadb_msg_version = PF_KEY_V2;
2134 msg->sadb_msg_type = SADB_X_SPDGET;
2135 msg->sadb_msg_satype = 0;
2136 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2137
2138 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2139 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2140 pol->sadb_x_policy_id = policy->index;
2141 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2142 pol->sadb_x_policy_dir = dir2kernel(direction);
2143 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2144 PFKEY_EXT_ADD(msg, pol);
2145
2146 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2147 policy->src.mask);
2148 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2149 policy->dst.mask);
2150
2151 this->mutex->unlock(this->mutex);
2152
2153 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2154 {
2155 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
2156 policy_dir_names, direction);
2157 return FAILED;
2158 }
2159 else if (out->sadb_msg_errno)
2160 {
2161 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
2162 dst_ts, policy_dir_names, direction,
2163 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2164 free(out);
2165 return FAILED;
2166 }
2167 else if (parse_pfkey_message(out, &response) != SUCCESS)
2168 {
2169 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
2170 "from kernel failed", src_ts, dst_ts, policy_dir_names,
2171 direction);
2172 free(out);
2173 return FAILED;
2174 }
2175 else if (response.lft_current == NULL)
2176 {
2177 DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
2178 "use time", src_ts, dst_ts, policy_dir_names, direction);
2179 free(out);
2180 return FAILED;
2181 }
2182
2183 /* we need the monotonic time, but the kernel returns system time. */
2184 if (response.lft_current->sadb_lifetime_usetime)
2185 {
2186 *use_time = time_monotonic(NULL) -
2187 (time(NULL) - response.lft_current->sadb_lifetime_usetime);
2188 }
2189 else
2190 {
2191 *use_time = 0;
2192 }
2193 free(out);
2194 return SUCCESS;
2195 }
2196
2197 METHOD(kernel_ipsec_t, del_policy, status_t,
2198 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
2199 traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
2200 mark_t mark, bool unrouted)
2201 {
2202 unsigned char request[PFKEY_BUFFER_SIZE];
2203 struct sadb_msg *msg, *out;
2204 struct sadb_x_policy *pol;
2205 policy_entry_t *policy, *found = NULL;
2206 policy_sa_t *mapping;
2207 enumerator_t *enumerator;
2208 bool is_installed = TRUE;
2209 size_t len;
2210
2211 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2212 { /* FWD policies are not supported on all platforms */
2213 return SUCCESS;
2214 }
2215
2216 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
2217 policy_dir_names, direction);
2218
2219 /* create a policy */
2220 policy = create_policy_entry(src_ts, dst_ts, direction);
2221
2222 /* find a matching policy */
2223 this->mutex->lock(this->mutex);
2224 if (this->policies->find_first(this->policies,
2225 (linked_list_match_t)policy_entry_equals,
2226 (void**)&found, policy) != SUCCESS)
2227 {
2228 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
2229 dst_ts, policy_dir_names, direction);
2230 policy_entry_destroy(policy, this);
2231 this->mutex->unlock(this->mutex);
2232 return NOT_FOUND;
2233 }
2234 policy_entry_destroy(policy, this);
2235 policy = found;
2236
2237 /* remove mapping to SA by reqid */
2238 enumerator = policy->used_by->create_enumerator(policy->used_by);
2239 while (enumerator->enumerate(enumerator, (void**)&mapping))
2240 {
2241 if (reqid == mapping->sa->cfg.reqid)
2242 {
2243 policy->used_by->remove_at(policy->used_by, enumerator);
2244 break;
2245 }
2246 is_installed = FALSE;
2247 }
2248 enumerator->destroy(enumerator);
2249
2250 if (policy->used_by->get_count(policy->used_by) > 0)
2251 { /* policy is used by more SAs, keep in kernel */
2252 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2253 policy_sa_destroy(mapping, &direction, this);
2254
2255 if (!is_installed)
2256 { /* no need to update as the policy was not installed for this SA */
2257 this->mutex->unlock(this->mutex);
2258 return SUCCESS;
2259 }
2260
2261 DBG2(DBG_KNL, "updating policy %R === %R %N", src_ts, dst_ts,
2262 policy_dir_names, direction);
2263 policy->used_by->get_first(policy->used_by, (void**)&mapping);
2264 if (add_policy_internal(this, policy, mapping, TRUE) != SUCCESS)
2265 {
2266 DBG1(DBG_KNL, "unable to update policy %R === %R %N",
2267 src_ts, dst_ts, policy_dir_names, direction);
2268 return FAILED;
2269 }
2270 return SUCCESS;
2271 }
2272
2273 memset(&request, 0, sizeof(request));
2274
2275 msg = (struct sadb_msg*)request;
2276 msg->sadb_msg_version = PF_KEY_V2;
2277 msg->sadb_msg_type = SADB_X_SPDDELETE;
2278 msg->sadb_msg_satype = 0;
2279 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2280
2281 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2282 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2283 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2284 pol->sadb_x_policy_dir = dir2kernel(direction);
2285 pol->sadb_x_policy_type = type2kernel(mapping->type);
2286 PFKEY_EXT_ADD(msg, pol);
2287
2288 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2289 policy->src.mask);
2290 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2291 policy->dst.mask);
2292
2293 if (policy->route)
2294 {
2295 route_entry_t *route = policy->route;
2296 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2297 route->dst_net, route->prefixlen, route->gateway,
2298 route->src_ip, route->if_name) != SUCCESS)
2299 {
2300 DBG1(DBG_KNL, "error uninstalling route installed with "
2301 "policy %R === %R %N", src_ts, dst_ts,
2302 policy_dir_names, direction);
2303 }
2304 }
2305
2306 this->policies->remove(this->policies, found, NULL);
2307 policy_sa_destroy(mapping, &direction, this);
2308 policy_entry_destroy(policy, this);
2309 this->mutex->unlock(this->mutex);
2310
2311 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2312 {
2313 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2314 policy_dir_names, direction);
2315 return FAILED;
2316 }
2317 else if (out->sadb_msg_errno)
2318 {
2319 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
2320 dst_ts, policy_dir_names, direction,
2321 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2322 free(out);
2323 return FAILED;
2324 }
2325 free(out);
2326 return SUCCESS;
2327 }
2328
2329 /**
2330 * Register a socket for AQUIRE/EXPIRE messages
2331 */
2332 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
2333 u_int8_t satype)
2334 {
2335 unsigned char request[PFKEY_BUFFER_SIZE];
2336 struct sadb_msg *msg, *out;
2337 size_t len;
2338
2339 memset(&request, 0, sizeof(request));
2340
2341 msg = (struct sadb_msg*)request;
2342 msg->sadb_msg_version = PF_KEY_V2;
2343 msg->sadb_msg_type = SADB_REGISTER;
2344 msg->sadb_msg_satype = satype;
2345 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2346
2347 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2348 {
2349 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2350 return FAILED;
2351 }
2352 else if (out->sadb_msg_errno)
2353 {
2354 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2355 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2356 free(out);
2357 return FAILED;
2358 }
2359 free(out);
2360 return SUCCESS;
2361 }
2362
2363 METHOD(kernel_ipsec_t, bypass_socket, bool,
2364 private_kernel_pfkey_ipsec_t *this, int fd, int family)
2365 {
2366 struct sadb_x_policy policy;
2367 u_int sol, ipsec_policy;
2368
2369 switch (family)
2370 {
2371 case AF_INET:
2372 {
2373 sol = SOL_IP;
2374 ipsec_policy = IP_IPSEC_POLICY;
2375 break;
2376 }
2377 case AF_INET6:
2378 {
2379 sol = SOL_IPV6;
2380 ipsec_policy = IPV6_IPSEC_POLICY;
2381 break;
2382 }
2383 default:
2384 return FALSE;
2385 }
2386
2387 memset(&policy, 0, sizeof(policy));
2388 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
2389 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2390 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
2391
2392 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
2393 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2394 {
2395 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2396 strerror(errno));
2397 return FALSE;
2398 }
2399 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
2400 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2401 {
2402 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2403 strerror(errno));
2404 return FALSE;
2405 }
2406 return TRUE;
2407 }
2408
2409 METHOD(kernel_ipsec_t, destroy, void,
2410 private_kernel_pfkey_ipsec_t *this)
2411 {
2412 if (this->job)
2413 {
2414 this->job->cancel(this->job);
2415 }
2416 if (this->socket > 0)
2417 {
2418 close(this->socket);
2419 }
2420 if (this->socket_events > 0)
2421 {
2422 close(this->socket_events);
2423 }
2424 this->policies->invoke_function(this->policies,
2425 (linked_list_invoke_t)policy_entry_destroy,
2426 this);
2427 this->policies->destroy(this->policies);
2428 this->sas->destroy(this->sas);
2429 this->mutex->destroy(this->mutex);
2430 this->mutex_pfkey->destroy(this->mutex_pfkey);
2431 free(this);
2432 }
2433
2434 /*
2435 * Described in header.
2436 */
2437 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
2438 {
2439 private_kernel_pfkey_ipsec_t *this;
2440
2441 INIT(this,
2442 .public = {
2443 .interface = {
2444 .get_spi = _get_spi,
2445 .get_cpi = _get_cpi,
2446 .add_sa = _add_sa,
2447 .update_sa = _update_sa,
2448 .query_sa = _query_sa,
2449 .del_sa = _del_sa,
2450 .add_policy = _add_policy,
2451 .query_policy = _query_policy,
2452 .del_policy = _del_policy,
2453 .bypass_socket = _bypass_socket,
2454 .destroy = _destroy,
2455 },
2456 },
2457 .policies = linked_list_create(),
2458 .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
2459 (hashtable_equals_t)ipsec_sa_equals, 32),
2460 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2461 .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
2462 .install_routes = lib->settings->get_bool(lib->settings,
2463 "%s.install_routes", TRUE,
2464 hydra->daemon),
2465 );
2466
2467 if (streq(hydra->daemon, "pluto"))
2468 { /* no routes for pluto, they are installed via updown script */
2469 this->install_routes = FALSE;
2470 }
2471
2472 /* create a PF_KEY socket to communicate with the kernel */
2473 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2474 if (this->socket <= 0)
2475 {
2476 DBG1(DBG_KNL, "unable to create PF_KEY socket");
2477 destroy(this);
2478 return NULL;
2479 }
2480
2481 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2482 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2483 if (this->socket_events <= 0)
2484 {
2485 DBG1(DBG_KNL, "unable to create PF_KEY event socket");
2486 destroy(this);
2487 return NULL;
2488 }
2489
2490 /* register the event socket */
2491 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2492 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2493 {
2494 DBG1(DBG_KNL, "unable to register PF_KEY event socket");
2495 destroy(this);
2496 return NULL;
2497 }
2498
2499 this->job = callback_job_create_with_prio((callback_job_cb_t)receive_events,
2500 this, NULL, NULL, JOB_PRIO_CRITICAL);
2501 lib->processor->queue_job(lib->processor, (job_t*)this->job);
2502
2503 return &this->public;
2504 }
2505