Simplified destruction of policy_sa_t objects in Netlink interface.
[strongswan.git] / src / libhydra / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2011 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef __FreeBSD__
21 #include <limits.h> /* for LONG_MAX */
22 #endif
23
24 #ifdef HAVE_NET_PFKEYV2_H
25 #include <net/pfkeyv2.h>
26 #else
27 #include <stdint.h>
28 #include <linux/pfkeyv2.h>
29 #endif
30
31 #ifdef SADB_X_EXT_NAT_T_TYPE
32 #define HAVE_NATT
33 #endif
34
35 #ifdef HAVE_NETIPSEC_IPSEC_H
36 #include <netipsec/ipsec.h>
37 #elif defined(HAVE_NETINET6_IPSEC_H)
38 #include <netinet6/ipsec.h>
39 #else
40 #include <linux/ipsec.h>
41 #endif
42
43 #ifdef HAVE_NATT
44 #ifdef HAVE_LINUX_UDP_H
45 #include <linux/udp.h>
46 #else
47 #include <netinet/udp.h>
48 #endif /*HAVE_LINUX_UDP_H*/
49 #endif /*HAVE_NATT*/
50
51 #include <unistd.h>
52 #include <time.h>
53 #include <errno.h>
54
55 #include "kernel_pfkey_ipsec.h"
56
57 #include <hydra.h>
58 #include <debug.h>
59 #include <utils/host.h>
60 #include <utils/linked_list.h>
61 #include <threading/thread.h>
62 #include <threading/mutex.h>
63 #include <processing/jobs/callback_job.h>
64
65 /** non linux specific */
66 #ifndef IPPROTO_COMP
67 #ifdef IPPROTO_IPCOMP
68 #define IPPROTO_COMP IPPROTO_IPCOMP
69 #endif
70 #endif
71
72 #ifndef SADB_X_AALG_SHA2_256HMAC
73 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
74 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
75 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
76 #endif
77
78 #ifndef SADB_X_EALG_AESCBC
79 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
80 #endif
81
82 #ifndef SADB_X_EALG_CASTCBC
83 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
84 #endif
85
86 #ifndef SOL_IP
87 #define SOL_IP IPPROTO_IP
88 #define SOL_IPV6 IPPROTO_IPV6
89 #endif
90
91 /** from linux/in.h */
92 #ifndef IP_IPSEC_POLICY
93 #define IP_IPSEC_POLICY 16
94 #endif
95
96 /** missing on uclibc */
97 #ifndef IPV6_IPSEC_POLICY
98 #define IPV6_IPSEC_POLICY 34
99 #endif
100
101 /** default priority of installed policies */
102 #define PRIO_LOW 1024
103 #define PRIO_HIGH 512
104
105 #ifdef __APPLE__
106 /** from xnu/bsd/net/pfkeyv2.h */
107 #define SADB_X_EXT_NATT 0x002
108 struct sadb_sa_2 {
109 struct sadb_sa sa;
110 u_int16_t sadb_sa_natt_port;
111 u_int16_t sadb_reserved0;
112 u_int32_t sadb_reserved1;
113 };
114 #endif
115
116 /** buffer size for PF_KEY messages */
117 #define PFKEY_BUFFER_SIZE 4096
118
119 /** PF_KEY messages are 64 bit aligned */
120 #define PFKEY_ALIGNMENT 8
121 /** aligns len to 64 bits */
122 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
123 /** calculates the properly padded length in 64 bit chunks */
124 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
125 /** calculates user mode length i.e. in bytes */
126 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
127
128 /** given a PF_KEY message header and an extension this updates the length in the header */
129 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
130 /** given a PF_KEY message header this returns a pointer to the next extension */
131 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
132 /** copy an extension and append it to a PF_KEY message */
133 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
134 /** given a PF_KEY extension this returns a pointer to the next extension */
135 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
136 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
137 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
138 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
139 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
140 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
141 (ext)->sadb_ext_len <= (len))
142
143 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
144
145 /**
146 * Private variables and functions of kernel_pfkey class.
147 */
148 struct private_kernel_pfkey_ipsec_t
149 {
150 /**
151 * Public part of the kernel_pfkey_t object.
152 */
153 kernel_pfkey_ipsec_t public;
154
155 /**
156 * mutex to lock access to various lists
157 */
158 mutex_t *mutex;
159
160 /**
161 * List of installed policies (policy_entry_t)
162 */
163 linked_list_t *policies;
164
165 /**
166 * whether to install routes along policies
167 */
168 bool install_routes;
169
170 /**
171 * job receiving PF_KEY events
172 */
173 callback_job_t *job;
174
175 /**
176 * mutex to lock access to the PF_KEY socket
177 */
178 mutex_t *mutex_pfkey;
179
180 /**
181 * PF_KEY socket to communicate with the kernel
182 */
183 int socket;
184
185 /**
186 * PF_KEY socket to receive acquire and expire events
187 */
188 int socket_events;
189
190 /**
191 * sequence number for messages sent to the kernel
192 */
193 int seq;
194 };
195
196 typedef struct route_entry_t route_entry_t;
197
198 /**
199 * installed routing entry
200 */
201 struct route_entry_t {
202 /** name of the interface the route is bound to */
203 char *if_name;
204
205 /** source ip of the route */
206 host_t *src_ip;
207
208 /** gateway for this route */
209 host_t *gateway;
210
211 /** destination net */
212 chunk_t dst_net;
213
214 /** destination net prefixlen */
215 u_int8_t prefixlen;
216 };
217
218 /**
219 * destroy an route_entry_t object
220 */
221 static void route_entry_destroy(route_entry_t *this)
222 {
223 free(this->if_name);
224 DESTROY_IF(this->src_ip);
225 DESTROY_IF(this->gateway);
226 chunk_free(&this->dst_net);
227 free(this);
228 }
229
230 typedef struct policy_entry_t policy_entry_t;
231
232 /**
233 * installed kernel policy.
234 */
235 struct policy_entry_t {
236
237 /** reqid of this policy */
238 u_int32_t reqid;
239
240 /** index assigned by the kernel */
241 u_int32_t index;
242
243 /** direction of this policy: in, out, forward */
244 u_int8_t direction;
245
246 /** parameters of installed policy */
247 struct {
248 /** subnet and port */
249 host_t *net;
250 /** subnet mask */
251 u_int8_t mask;
252 /** protocol */
253 u_int8_t proto;
254 } src, dst;
255
256 /** associated route installed for this policy */
257 route_entry_t *route;
258
259 /** by how many CHILD_SAs this policy is used */
260 u_int refcount;
261 };
262
263 /**
264 * create a policy_entry_t object
265 */
266 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
267 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
268 {
269 policy_entry_t *policy;
270 INIT(policy,
271 .reqid = reqid,
272 .direction = dir,
273 );
274
275 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
276 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
277
278 /* src or dest proto may be "any" (0), use more restrictive one */
279 policy->src.proto = max(src_ts->get_protocol(src_ts),
280 dst_ts->get_protocol(dst_ts));
281 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
282 policy->dst.proto = policy->src.proto;
283
284 return policy;
285 }
286
287 /**
288 * destroy a policy_entry_t object
289 */
290 static void policy_entry_destroy(policy_entry_t *this)
291 {
292 DESTROY_IF(this->src.net);
293 DESTROY_IF(this->dst.net);
294 if (this->route)
295 {
296 route_entry_destroy(this->route);
297 }
298 free(this);
299 }
300
301 /**
302 * compares two policy_entry_t
303 */
304 static inline bool policy_entry_equals(policy_entry_t *current,
305 policy_entry_t *policy)
306 {
307 return current->direction == policy->direction &&
308 current->src.proto == policy->src.proto &&
309 current->dst.proto == policy->dst.proto &&
310 current->src.mask == policy->src.mask &&
311 current->dst.mask == policy->dst.mask &&
312 current->src.net->equals(current->src.net, policy->src.net) &&
313 current->dst.net->equals(current->dst.net, policy->dst.net);
314 }
315
316 /**
317 * compare the given kernel index with that of a policy
318 */
319 static inline bool policy_entry_match_byindex(policy_entry_t *current,
320 u_int32_t *index)
321 {
322 return current->index == *index;
323 }
324
325 typedef struct pfkey_msg_t pfkey_msg_t;
326
327 struct pfkey_msg_t
328 {
329 /**
330 * PF_KEY message base
331 */
332 struct sadb_msg *msg;
333
334 /**
335 * PF_KEY message extensions
336 */
337 union {
338 struct sadb_ext *ext[SADB_EXT_MAX + 1];
339 struct {
340 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
341 struct sadb_sa *sa; /* SADB_EXT_SA */
342 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
343 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
344 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
345 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
346 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
347 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
348 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
349 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
350 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
351 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
352 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
353 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
354 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
355 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
356 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
357 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
358 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
359 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
360 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
361 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
362 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
363 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
364 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
365 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
366 } __attribute__((__packed__));
367 };
368 };
369
370 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
371 "SADB_EXT_RESERVED",
372 "SADB_EXT_SA",
373 "SADB_EXT_LIFETIME_CURRENT",
374 "SADB_EXT_LIFETIME_HARD",
375 "SADB_EXT_LIFETIME_SOFT",
376 "SADB_EXT_ADDRESS_SRC",
377 "SADB_EXT_ADDRESS_DST",
378 "SADB_EXT_ADDRESS_PROXY",
379 "SADB_EXT_KEY_AUTH",
380 "SADB_EXT_KEY_ENCRYPT",
381 "SADB_EXT_IDENTITY_SRC",
382 "SADB_EXT_IDENTITY_DST",
383 "SADB_EXT_SENSITIVITY",
384 "SADB_EXT_PROPOSAL",
385 "SADB_EXT_SUPPORTED_AUTH",
386 "SADB_EXT_SUPPORTED_ENCRYPT",
387 "SADB_EXT_SPIRANGE",
388 "SADB_X_EXT_KMPRIVATE",
389 "SADB_X_EXT_POLICY",
390 "SADB_X_EXT_SA2",
391 "SADB_X_EXT_NAT_T_TYPE",
392 "SADB_X_EXT_NAT_T_SPORT",
393 "SADB_X_EXT_NAT_T_DPORT",
394 "SADB_X_EXT_NAT_T_OA",
395 "SADB_X_EXT_SEC_CTX",
396 "SADB_X_EXT_KMADDRESS"
397 );
398
399 /**
400 * convert a protocol identifier to the PF_KEY sa type
401 */
402 static u_int8_t proto2satype(u_int8_t proto)
403 {
404 switch (proto)
405 {
406 case IPPROTO_ESP:
407 return SADB_SATYPE_ESP;
408 case IPPROTO_AH:
409 return SADB_SATYPE_AH;
410 case IPPROTO_COMP:
411 return SADB_X_SATYPE_IPCOMP;
412 default:
413 return proto;
414 }
415 }
416
417 /**
418 * convert a PF_KEY sa type to a protocol identifier
419 */
420 static u_int8_t satype2proto(u_int8_t satype)
421 {
422 switch (satype)
423 {
424 case SADB_SATYPE_ESP:
425 return IPPROTO_ESP;
426 case SADB_SATYPE_AH:
427 return IPPROTO_AH;
428 case SADB_X_SATYPE_IPCOMP:
429 return IPPROTO_COMP;
430 default:
431 return satype;
432 }
433 }
434
435 /**
436 * convert the general ipsec mode to the one defined in ipsec.h
437 */
438 static u_int8_t mode2kernel(ipsec_mode_t mode)
439 {
440 switch (mode)
441 {
442 case MODE_TRANSPORT:
443 return IPSEC_MODE_TRANSPORT;
444 case MODE_TUNNEL:
445 return IPSEC_MODE_TUNNEL;
446 #ifdef HAVE_IPSEC_MODE_BEET
447 case MODE_BEET:
448 return IPSEC_MODE_BEET;
449 #endif
450 default:
451 return mode;
452 }
453 }
454
455 /**
456 * convert the general policy direction to the one defined in ipsec.h
457 */
458 static u_int8_t dir2kernel(policy_dir_t dir)
459 {
460 switch (dir)
461 {
462 case POLICY_IN:
463 return IPSEC_DIR_INBOUND;
464 case POLICY_OUT:
465 return IPSEC_DIR_OUTBOUND;
466 #ifdef HAVE_IPSEC_DIR_FWD
467 case POLICY_FWD:
468 return IPSEC_DIR_FWD;
469 #endif
470 default:
471 return IPSEC_DIR_INVALID;
472 }
473 }
474
475 #ifdef SADB_X_MIGRATE
476 /**
477 * convert the policy direction in ipsec.h to the general one.
478 */
479 static policy_dir_t kernel2dir(u_int8_t dir)
480 {
481 switch (dir)
482 {
483 case IPSEC_DIR_INBOUND:
484 return POLICY_IN;
485 case IPSEC_DIR_OUTBOUND:
486 return POLICY_OUT;
487 #ifdef HAVE_IPSEC_DIR_FWD
488 case IPSEC_DIR_FWD:
489 return POLICY_FWD;
490 #endif
491 default:
492 return dir;
493 }
494 }
495 #endif /*SADB_X_MIGRATE*/
496
497 typedef struct kernel_algorithm_t kernel_algorithm_t;
498
499 /**
500 * Mapping of IKEv2 algorithms to PF_KEY algorithms
501 */
502 struct kernel_algorithm_t {
503 /**
504 * Identifier specified in IKEv2
505 */
506 int ikev2;
507
508 /**
509 * Identifier as defined in pfkeyv2.h
510 */
511 int kernel;
512 };
513
514 #define END_OF_LIST -1
515
516 /**
517 * Algorithms for encryption
518 */
519 static kernel_algorithm_t encryption_algs[] = {
520 /* {ENCR_DES_IV64, 0 }, */
521 {ENCR_DES, SADB_EALG_DESCBC },
522 {ENCR_3DES, SADB_EALG_3DESCBC },
523 /* {ENCR_RC5, 0 }, */
524 /* {ENCR_IDEA, 0 }, */
525 {ENCR_CAST, SADB_X_EALG_CASTCBC },
526 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
527 /* {ENCR_3IDEA, 0 }, */
528 /* {ENCR_DES_IV32, 0 }, */
529 {ENCR_NULL, SADB_EALG_NULL },
530 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
531 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
532 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
533 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
534 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
535 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
536 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
537 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
538 {END_OF_LIST, 0 },
539 };
540
541 /**
542 * Algorithms for integrity protection
543 */
544 static kernel_algorithm_t integrity_algs[] = {
545 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
546 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
547 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
548 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
549 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
550 /* {AUTH_DES_MAC, 0, }, */
551 /* {AUTH_KPDK_MD5, 0, }, */
552 #ifdef SADB_X_AALG_AES_XCBC_MAC
553 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
554 #endif
555 {END_OF_LIST, 0, },
556 };
557
558 #if 0
559 /**
560 * Algorithms for IPComp, unused yet
561 */
562 static kernel_algorithm_t compression_algs[] = {
563 /* {IPCOMP_OUI, 0 }, */
564 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
565 {IPCOMP_LZS, SADB_X_CALG_LZS },
566 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
567 {END_OF_LIST, 0 },
568 };
569 #endif
570
571 /**
572 * Look up a kernel algorithm ID and its key size
573 */
574 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
575 {
576 while (list->ikev2 != END_OF_LIST)
577 {
578 if (ikev2 == list->ikev2)
579 {
580 return list->kernel;
581 }
582 list++;
583 }
584 return 0;
585 }
586
587 /**
588 * Copy a host_t as sockaddr_t to the given memory location. Ports are
589 * reset to zero as per RFC 2367.
590 * @return the number of bytes copied
591 */
592 static size_t hostcpy(void *dest, host_t *host)
593 {
594 sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
595 socklen_t *len = host->get_sockaddr_len(host);
596 memcpy(dest, addr, *len);
597 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
598 dest_addr->sa_len = *len;
599 #endif
600 switch (dest_addr->sa_family)
601 {
602 case AF_INET:
603 {
604 struct sockaddr_in *sin = dest;
605 sin->sin_port = 0;
606 break;
607 }
608 case AF_INET6:
609 {
610 struct sockaddr_in6 *sin6 = dest;
611 sin6->sin6_port = 0;
612 break;
613 }
614 }
615 return *len;
616 }
617
618 /**
619 * add a host behind an sadb_address extension
620 */
621 static void host2ext(host_t *host, struct sadb_address *ext)
622 {
623 size_t len = hostcpy(ext + 1, host);
624 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len);
625 }
626
627 /**
628 * add a host to the given sadb_msg
629 */
630 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
631 u_int8_t proto, u_int8_t prefixlen)
632 {
633 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
634 addr->sadb_address_exttype = type;
635 addr->sadb_address_proto = proto;
636 addr->sadb_address_prefixlen = prefixlen;
637 host2ext(host, addr);
638 PFKEY_EXT_ADD(msg, addr);
639 }
640
641 /**
642 * adds an empty address extension to the given sadb_msg
643 */
644 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
645 {
646 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
647 sizeof(struct sockaddr_in6);
648 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
649 addr->sadb_address_exttype = type;
650 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
651 saddr->sa_family = family;
652 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
653 saddr->sa_len = len;
654 #endif
655 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
656 PFKEY_EXT_ADD(msg, addr);
657 }
658
659 #ifdef HAVE_NATT
660 /**
661 * add udp encap extensions to a sadb_msg
662 */
663 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
664 {
665 struct sadb_x_nat_t_type* nat_type;
666 struct sadb_x_nat_t_port* nat_port;
667
668 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
669 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
670 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(*nat_type));
671 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
672 PFKEY_EXT_ADD(msg, nat_type);
673
674 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
675 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
676 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
677 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
678 PFKEY_EXT_ADD(msg, nat_port);
679
680 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
681 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
682 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
683 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
684 PFKEY_EXT_ADD(msg, nat_port);
685 }
686 #endif /*HAVE_NATT*/
687
688 /**
689 * Convert a sadb_address to a traffic_selector
690 */
691 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
692 {
693 traffic_selector_t *ts;
694 host_t *host;
695
696 /* The Linux 2.6 kernel does not set the protocol and port information
697 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
698 */
699 host = host_create_from_sockaddr((sockaddr_t*)&address[1]);
700 ts = traffic_selector_create_from_subnet(host,
701 address->sadb_address_prefixlen,
702 address->sadb_address_proto,
703 host->get_port(host));
704 return ts;
705 }
706
707 /**
708 * Parses a pfkey message received from the kernel
709 */
710 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
711 {
712 struct sadb_ext* ext;
713 size_t len;
714
715 memset(out, 0, sizeof(pfkey_msg_t));
716 out->msg = msg;
717
718 len = msg->sadb_msg_len;
719 len -= PFKEY_LEN(sizeof(struct sadb_msg));
720
721 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
722
723 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
724 {
725 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
726 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
727 ext->sadb_ext_len > len)
728 {
729 DBG1(DBG_KNL, "length of %N extension is invalid",
730 sadb_ext_type_names, ext->sadb_ext_type);
731 break;
732 }
733
734 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
735 {
736 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid",
737 ext->sadb_ext_type);
738 break;
739 }
740
741 if (out->ext[ext->sadb_ext_type])
742 {
743 DBG1(DBG_KNL, "duplicate %N extension",
744 sadb_ext_type_names, ext->sadb_ext_type);
745 break;
746 }
747
748 out->ext[ext->sadb_ext_type] = ext;
749 ext = PFKEY_EXT_NEXT_LEN(ext, len);
750 }
751
752 if (len)
753 {
754 DBG1(DBG_KNL, "PF_KEY message length is invalid");
755 return FAILED;
756 }
757
758 return SUCCESS;
759 }
760
761 /**
762 * Send a message to a specific PF_KEY socket and handle the response.
763 */
764 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
765 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
766 {
767 unsigned char buf[PFKEY_BUFFER_SIZE];
768 struct sadb_msg *msg;
769 int in_len, len;
770
771 this->mutex_pfkey->lock(this->mutex_pfkey);
772
773 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
774 * in particular the behavior in response to an SADB_ACQUIRE. */
775 in->sadb_msg_seq = ++this->seq;
776 in->sadb_msg_pid = getpid();
777
778 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
779
780 while (TRUE)
781 {
782 len = send(socket, in, in_len, 0);
783
784 if (len != in_len)
785 {
786 if (errno == EINTR)
787 {
788 /* interrupted, try again */
789 continue;
790 }
791 this->mutex_pfkey->unlock(this->mutex_pfkey);
792 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s",
793 strerror(errno));
794 return FAILED;
795 }
796 break;
797 }
798
799 while (TRUE)
800 {
801 msg = (struct sadb_msg*)buf;
802
803 len = recv(socket, buf, sizeof(buf), 0);
804
805 if (len < 0)
806 {
807 if (errno == EINTR)
808 {
809 DBG1(DBG_KNL, "got interrupted");
810 /* interrupted, try again */
811 continue;
812 }
813 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s",
814 strerror(errno));
815 this->mutex_pfkey->unlock(this->mutex_pfkey);
816 return FAILED;
817 }
818 if (len < sizeof(struct sadb_msg) ||
819 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
820 {
821 DBG1(DBG_KNL, "received corrupted PF_KEY message");
822 this->mutex_pfkey->unlock(this->mutex_pfkey);
823 return FAILED;
824 }
825 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
826 {
827 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY "
828 "message");
829 this->mutex_pfkey->unlock(this->mutex_pfkey);
830 return FAILED;
831 }
832 if (msg->sadb_msg_pid != in->sadb_msg_pid)
833 {
834 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
835 continue;
836 }
837 if (msg->sadb_msg_seq != this->seq)
838 {
839 DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
840 "number, was %d expected %d", msg->sadb_msg_seq,
841 this->seq);
842 if (msg->sadb_msg_seq == 0)
843 {
844 /* FreeBSD and Mac OS X do this for the response to
845 * SADB_X_SPDGET (but not for the response to SADB_GET).
846 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
847 }
848 else if (msg->sadb_msg_seq < this->seq)
849 {
850 continue;
851 }
852 else
853 {
854 this->mutex_pfkey->unlock(this->mutex_pfkey);
855 return FAILED;
856 }
857 }
858 if (msg->sadb_msg_type != in->sadb_msg_type)
859 {
860 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
861 "was %d expected %d, ignoring", msg->sadb_msg_type,
862 in->sadb_msg_type);
863 }
864 break;
865 }
866
867 *out_len = len;
868 *out = (struct sadb_msg*)malloc(len);
869 memcpy(*out, buf, len);
870
871 this->mutex_pfkey->unlock(this->mutex_pfkey);
872 return SUCCESS;
873 }
874
875 /**
876 * Send a message to the default PF_KEY socket and handle the response.
877 */
878 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
879 struct sadb_msg *in, struct sadb_msg **out,
880 size_t *out_len)
881 {
882 return pfkey_send_socket(this, this->socket, in, out, out_len);
883 }
884
885 /**
886 * Process a SADB_ACQUIRE message from the kernel
887 */
888 static void process_acquire(private_kernel_pfkey_ipsec_t *this,
889 struct sadb_msg* msg)
890 {
891 pfkey_msg_t response;
892 u_int32_t index, reqid = 0;
893 traffic_selector_t *src_ts, *dst_ts;
894 policy_entry_t *policy;
895
896 switch (msg->sadb_msg_satype)
897 {
898 case SADB_SATYPE_UNSPEC:
899 case SADB_SATYPE_ESP:
900 case SADB_SATYPE_AH:
901 break;
902 default:
903 /* acquire for AH/ESP only */
904 return;
905 }
906 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
907
908 if (parse_pfkey_message(msg, &response) != SUCCESS)
909 {
910 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
911 return;
912 }
913
914 index = response.x_policy->sadb_x_policy_id;
915 this->mutex->lock(this->mutex);
916 if (this->policies->find_first(this->policies,
917 (linked_list_match_t)policy_entry_match_byindex,
918 (void**)&policy, &index) == SUCCESS)
919 {
920 reqid = policy->reqid;
921 }
922 else
923 {
924 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no "
925 "matching policy found", index);
926 }
927 this->mutex->unlock(this->mutex);
928
929 src_ts = sadb_address2ts(response.src);
930 dst_ts = sadb_address2ts(response.dst);
931
932 hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
933 dst_ts);
934 }
935
936 /**
937 * Process a SADB_EXPIRE message from the kernel
938 */
939 static void process_expire(private_kernel_pfkey_ipsec_t *this,
940 struct sadb_msg* msg)
941 {
942 pfkey_msg_t response;
943 u_int8_t protocol;
944 u_int32_t spi, reqid;
945 bool hard;
946
947 DBG2(DBG_KNL, "received an SADB_EXPIRE");
948
949 if (parse_pfkey_message(msg, &response) != SUCCESS)
950 {
951 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
952 return;
953 }
954
955 protocol = satype2proto(msg->sadb_msg_satype);
956 spi = response.sa->sadb_sa_spi;
957 reqid = response.x_sa2->sadb_x_sa2_reqid;
958 hard = response.lft_hard != NULL;
959
960 if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
961 {
962 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and "
963 "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
964 return;
965 }
966
967 hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
968 spi, hard);
969 }
970
971 #ifdef SADB_X_MIGRATE
972 /**
973 * Process a SADB_X_MIGRATE message from the kernel
974 */
975 static void process_migrate(private_kernel_pfkey_ipsec_t *this,
976 struct sadb_msg* msg)
977 {
978 pfkey_msg_t response;
979 traffic_selector_t *src_ts, *dst_ts;
980 policy_dir_t dir;
981 u_int32_t reqid = 0;
982 host_t *local = NULL, *remote = NULL;
983
984 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
985
986 if (parse_pfkey_message(msg, &response) != SUCCESS)
987 {
988 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
989 return;
990 }
991 src_ts = sadb_address2ts(response.src);
992 dst_ts = sadb_address2ts(response.dst);
993 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
994 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
995 policy_dir_names, dir);
996
997 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
998 if (response.x_kmaddress)
999 {
1000 sockaddr_t *local_addr, *remote_addr;
1001 u_int32_t local_len;
1002
1003 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
1004 local = host_create_from_sockaddr(local_addr);
1005 local_len = (local_addr->sa_family == AF_INET6)?
1006 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
1007 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
1008 remote = host_create_from_sockaddr(remote_addr);
1009 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1010 }
1011
1012 if (src_ts && dst_ts && local && remote)
1013 {
1014 hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
1015 src_ts, dst_ts, dir, local, remote);
1016 }
1017 else
1018 {
1019 DESTROY_IF(src_ts);
1020 DESTROY_IF(dst_ts);
1021 DESTROY_IF(local);
1022 DESTROY_IF(remote);
1023 }
1024 }
1025 #endif /*SADB_X_MIGRATE*/
1026
1027 #ifdef SADB_X_NAT_T_NEW_MAPPING
1028 /**
1029 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1030 */
1031 static void process_mapping(private_kernel_pfkey_ipsec_t *this,
1032 struct sadb_msg* msg)
1033 {
1034 pfkey_msg_t response;
1035 u_int32_t spi, reqid;
1036 sockaddr_t *sa;
1037 host_t *host;
1038
1039 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1040
1041 if (parse_pfkey_message(msg, &response) != SUCCESS)
1042 {
1043 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1044 return;
1045 }
1046
1047 if (!response.x_sa2)
1048 {
1049 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required "
1050 "information");
1051 return;
1052 }
1053
1054 spi = response.sa->sadb_sa_spi;
1055 reqid = response.x_sa2->sadb_x_sa2_reqid;
1056
1057 if (satype2proto(msg->sadb_msg_satype) != IPPROTO_ESP)
1058 {
1059 return;
1060 }
1061
1062 sa = (sockaddr_t*)(response.dst + 1);
1063 switch (sa->sa_family)
1064 {
1065 case AF_INET:
1066 {
1067 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1068 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1069 }
1070 case AF_INET6:
1071 {
1072 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1073 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1074 }
1075 default:
1076 break;
1077 }
1078
1079 host = host_create_from_sockaddr(sa);
1080 if (host)
1081 {
1082 hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
1083 spi, host);
1084 }
1085 }
1086 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1087
1088 /**
1089 * Receives events from kernel
1090 */
1091 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1092 {
1093 unsigned char buf[PFKEY_BUFFER_SIZE];
1094 struct sadb_msg *msg = (struct sadb_msg*)buf;
1095 bool oldstate;
1096 int len;
1097
1098 oldstate = thread_cancelability(TRUE);
1099 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1100 thread_cancelability(oldstate);
1101
1102 if (len < 0)
1103 {
1104 switch (errno)
1105 {
1106 case EINTR:
1107 /* interrupted, try again */
1108 return JOB_REQUEUE_DIRECT;
1109 case EAGAIN:
1110 /* no data ready, select again */
1111 return JOB_REQUEUE_DIRECT;
1112 default:
1113 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1114 sleep(1);
1115 return JOB_REQUEUE_FAIR;
1116 }
1117 }
1118
1119 if (len < sizeof(struct sadb_msg) ||
1120 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1121 {
1122 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1123 return JOB_REQUEUE_DIRECT;
1124 }
1125 if (msg->sadb_msg_pid != 0)
1126 { /* not from kernel. not interested, try another one */
1127 return JOB_REQUEUE_DIRECT;
1128 }
1129 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1130 {
1131 DBG1(DBG_KNL, "buffer was too small to receive the complete "
1132 "PF_KEY message");
1133 return JOB_REQUEUE_DIRECT;
1134 }
1135
1136 switch (msg->sadb_msg_type)
1137 {
1138 case SADB_ACQUIRE:
1139 process_acquire(this, msg);
1140 break;
1141 case SADB_EXPIRE:
1142 process_expire(this, msg);
1143 break;
1144 #ifdef SADB_X_MIGRATE
1145 case SADB_X_MIGRATE:
1146 process_migrate(this, msg);
1147 break;
1148 #endif /*SADB_X_MIGRATE*/
1149 #ifdef SADB_X_NAT_T_NEW_MAPPING
1150 case SADB_X_NAT_T_NEW_MAPPING:
1151 process_mapping(this, msg);
1152 break;
1153 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1154 default:
1155 break;
1156 }
1157
1158 return JOB_REQUEUE_DIRECT;
1159 }
1160
1161 METHOD(kernel_ipsec_t, get_spi, status_t,
1162 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1163 u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
1164 {
1165 unsigned char request[PFKEY_BUFFER_SIZE];
1166 struct sadb_msg *msg, *out;
1167 struct sadb_x_sa2 *sa2;
1168 struct sadb_spirange *range;
1169 pfkey_msg_t response;
1170 u_int32_t received_spi = 0;
1171 size_t len;
1172
1173 memset(&request, 0, sizeof(request));
1174
1175 msg = (struct sadb_msg*)request;
1176 msg->sadb_msg_version = PF_KEY_V2;
1177 msg->sadb_msg_type = SADB_GETSPI;
1178 msg->sadb_msg_satype = proto2satype(protocol);
1179 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1180
1181 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1182 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1183 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1184 sa2->sadb_x_sa2_reqid = reqid;
1185 PFKEY_EXT_ADD(msg, sa2);
1186
1187 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1188 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1189
1190 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1191 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1192 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1193 range->sadb_spirange_min = 0xc0000000;
1194 range->sadb_spirange_max = 0xcFFFFFFF;
1195 PFKEY_EXT_ADD(msg, range);
1196
1197 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1198 {
1199 if (out->sadb_msg_errno)
1200 {
1201 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1202 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1203 }
1204 else if (parse_pfkey_message(out, &response) == SUCCESS)
1205 {
1206 received_spi = response.sa->sadb_sa_spi;
1207 }
1208 free(out);
1209 }
1210
1211 if (received_spi == 0)
1212 {
1213 return FAILED;
1214 }
1215
1216 *spi = received_spi;
1217 return SUCCESS;
1218 }
1219
1220 METHOD(kernel_ipsec_t, get_cpi, status_t,
1221 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1222 u_int32_t reqid, u_int16_t *cpi)
1223 {
1224 return FAILED;
1225 }
1226
1227 METHOD(kernel_ipsec_t, add_sa, status_t,
1228 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
1229 u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
1230 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
1231 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
1232 u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
1233 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
1234 {
1235 unsigned char request[PFKEY_BUFFER_SIZE];
1236 struct sadb_msg *msg, *out;
1237 struct sadb_sa *sa;
1238 struct sadb_x_sa2 *sa2;
1239 struct sadb_lifetime *lft;
1240 struct sadb_key *key;
1241 size_t len;
1242
1243 memset(&request, 0, sizeof(request));
1244
1245 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
1246 ntohl(spi), reqid);
1247
1248 msg = (struct sadb_msg*)request;
1249 msg->sadb_msg_version = PF_KEY_V2;
1250 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1251 msg->sadb_msg_satype = proto2satype(protocol);
1252 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1253
1254 #ifdef __APPLE__
1255 if (encap)
1256 {
1257 struct sadb_sa_2 *sa_2;
1258 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1259 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1260 sa = &sa_2->sa;
1261 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1262 len = sizeof(struct sadb_sa_2);
1263 }
1264 else
1265 #endif
1266 {
1267 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1268 len = sizeof(struct sadb_sa);
1269 }
1270 sa->sadb_sa_exttype = SADB_EXT_SA;
1271 sa->sadb_sa_len = PFKEY_LEN(len);
1272 sa->sadb_sa_spi = spi;
1273 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1274 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1275 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1276 PFKEY_EXT_ADD(msg, sa);
1277
1278 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1279 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1280 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1281 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1282 sa2->sadb_x_sa2_reqid = reqid;
1283 PFKEY_EXT_ADD(msg, sa2);
1284
1285 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1286 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1287
1288 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1289 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1290 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1291 lft->sadb_lifetime_allocations = lifetime->packets.rekey;
1292 lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
1293 lft->sadb_lifetime_addtime = lifetime->time.rekey;
1294 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1295 PFKEY_EXT_ADD(msg, lft);
1296
1297 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1298 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1299 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1300 lft->sadb_lifetime_allocations = lifetime->packets.life;
1301 lft->sadb_lifetime_bytes = lifetime->bytes.life;
1302 lft->sadb_lifetime_addtime = lifetime->time.life;
1303 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1304 PFKEY_EXT_ADD(msg, lft);
1305
1306 if (enc_alg != ENCR_UNDEFINED)
1307 {
1308 if (!sa->sadb_sa_encrypt)
1309 {
1310 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1311 encryption_algorithm_names, enc_alg);
1312 return FAILED;
1313 }
1314 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1315 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1316
1317 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1318 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1319 key->sadb_key_bits = enc_key.len * 8;
1320 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1321 memcpy(key + 1, enc_key.ptr, enc_key.len);
1322
1323 PFKEY_EXT_ADD(msg, key);
1324 }
1325
1326 if (int_alg != AUTH_UNDEFINED)
1327 {
1328 if (!sa->sadb_sa_auth)
1329 {
1330 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1331 integrity_algorithm_names, int_alg);
1332 return FAILED;
1333 }
1334 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1335 integrity_algorithm_names, int_alg, int_key.len * 8);
1336
1337 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1338 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1339 key->sadb_key_bits = int_key.len * 8;
1340 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1341 memcpy(key + 1, int_key.ptr, int_key.len);
1342
1343 PFKEY_EXT_ADD(msg, key);
1344 }
1345
1346 if (ipcomp != IPCOMP_NONE)
1347 {
1348 /*TODO*/
1349 }
1350
1351 #ifdef HAVE_NATT
1352 if (encap)
1353 {
1354 add_encap_ext(msg, src, dst);
1355 }
1356 #endif /*HAVE_NATT*/
1357
1358 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1359 {
1360 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1361 return FAILED;
1362 }
1363 else if (out->sadb_msg_errno)
1364 {
1365 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1366 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1367 free(out);
1368 return FAILED;
1369 }
1370
1371 free(out);
1372 return SUCCESS;
1373 }
1374
1375 METHOD(kernel_ipsec_t, update_sa, status_t,
1376 private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
1377 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1378 bool encap, bool new_encap, mark_t mark)
1379 {
1380 unsigned char request[PFKEY_BUFFER_SIZE];
1381 struct sadb_msg *msg, *out;
1382 struct sadb_sa *sa;
1383 pfkey_msg_t response;
1384 size_t len;
1385
1386 /* we can't update the SA if any of the ip addresses have changed.
1387 * that's because we can't use SADB_UPDATE and by deleting and readding the
1388 * SA the sequence numbers would get lost */
1389 if (!src->ip_equals(src, new_src) ||
1390 !dst->ip_equals(dst, new_dst))
1391 {
1392 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address "
1393 "changes are not supported", ntohl(spi));
1394 return NOT_SUPPORTED;
1395 }
1396
1397 memset(&request, 0, sizeof(request));
1398
1399 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1400
1401 msg = (struct sadb_msg*)request;
1402 msg->sadb_msg_version = PF_KEY_V2;
1403 msg->sadb_msg_type = SADB_GET;
1404 msg->sadb_msg_satype = proto2satype(protocol);
1405 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1406
1407 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1408 sa->sadb_sa_exttype = SADB_EXT_SA;
1409 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1410 sa->sadb_sa_spi = spi;
1411 PFKEY_EXT_ADD(msg, sa);
1412
1413 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1414 * it is not used for anything. */
1415 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1416 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1417
1418 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1419 {
1420 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1421 return FAILED;
1422 }
1423 else if (out->sadb_msg_errno)
1424 {
1425 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1426 ntohl(spi), strerror(out->sadb_msg_errno),
1427 out->sadb_msg_errno);
1428 free(out);
1429 return FAILED;
1430 }
1431 else if (parse_pfkey_message(out, &response) != SUCCESS)
1432 {
1433 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing "
1434 "response from kernel failed", ntohl(spi));
1435 free(out);
1436 return FAILED;
1437 }
1438
1439 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1440 ntohl(spi), src, dst, new_src, new_dst);
1441
1442 memset(&request, 0, sizeof(request));
1443
1444 msg = (struct sadb_msg*)request;
1445 msg->sadb_msg_version = PF_KEY_V2;
1446 msg->sadb_msg_type = SADB_UPDATE;
1447 msg->sadb_msg_satype = proto2satype(protocol);
1448 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1449
1450 #ifdef __APPLE__
1451 {
1452 struct sadb_sa_2 *sa_2;
1453 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1454 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1455 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1456 if (encap)
1457 {
1458 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1459 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1460 }
1461 }
1462 #else
1463 PFKEY_EXT_COPY(msg, response.sa);
1464 #endif
1465 PFKEY_EXT_COPY(msg, response.x_sa2);
1466
1467 PFKEY_EXT_COPY(msg, response.src);
1468 PFKEY_EXT_COPY(msg, response.dst);
1469
1470 PFKEY_EXT_COPY(msg, response.lft_soft);
1471 PFKEY_EXT_COPY(msg, response.lft_hard);
1472
1473 if (response.key_encr)
1474 {
1475 PFKEY_EXT_COPY(msg, response.key_encr);
1476 }
1477
1478 if (response.key_auth)
1479 {
1480 PFKEY_EXT_COPY(msg, response.key_auth);
1481 }
1482
1483 #ifdef HAVE_NATT
1484 if (new_encap)
1485 {
1486 add_encap_ext(msg, new_src, new_dst);
1487 }
1488 #endif /*HAVE_NATT*/
1489
1490 free(out);
1491
1492 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1493 {
1494 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1495 return FAILED;
1496 }
1497 else if (out->sadb_msg_errno)
1498 {
1499 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1500 ntohl(spi), strerror(out->sadb_msg_errno),
1501 out->sadb_msg_errno);
1502 free(out);
1503 return FAILED;
1504 }
1505 free(out);
1506
1507 return SUCCESS;
1508 }
1509
1510 METHOD(kernel_ipsec_t, query_sa, status_t,
1511 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1512 u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
1513 {
1514 unsigned char request[PFKEY_BUFFER_SIZE];
1515 struct sadb_msg *msg, *out;
1516 struct sadb_sa *sa;
1517 pfkey_msg_t response;
1518 size_t len;
1519
1520 memset(&request, 0, sizeof(request));
1521
1522 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1523
1524 msg = (struct sadb_msg*)request;
1525 msg->sadb_msg_version = PF_KEY_V2;
1526 msg->sadb_msg_type = SADB_GET;
1527 msg->sadb_msg_satype = proto2satype(protocol);
1528 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1529
1530 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1531 sa->sadb_sa_exttype = SADB_EXT_SA;
1532 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1533 sa->sadb_sa_spi = spi;
1534 PFKEY_EXT_ADD(msg, sa);
1535
1536 /* the Linux Kernel doesn't care for the src address, but other systems do
1537 * (e.g. FreeBSD)
1538 */
1539 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1540 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1541
1542 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1543 {
1544 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1545 return FAILED;
1546 }
1547 else if (out->sadb_msg_errno)
1548 {
1549 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1550 ntohl(spi), strerror(out->sadb_msg_errno),
1551 out->sadb_msg_errno);
1552 free(out);
1553 return FAILED;
1554 }
1555 else if (parse_pfkey_message(out, &response) != SUCCESS)
1556 {
1557 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1558 free(out);
1559 return FAILED;
1560 }
1561 *bytes = response.lft_current->sadb_lifetime_bytes;
1562
1563 free(out);
1564 return SUCCESS;
1565 }
1566
1567 METHOD(kernel_ipsec_t, del_sa, status_t,
1568 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1569 u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
1570 {
1571 unsigned char request[PFKEY_BUFFER_SIZE];
1572 struct sadb_msg *msg, *out;
1573 struct sadb_sa *sa;
1574 size_t len;
1575
1576 memset(&request, 0, sizeof(request));
1577
1578 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1579
1580 msg = (struct sadb_msg*)request;
1581 msg->sadb_msg_version = PF_KEY_V2;
1582 msg->sadb_msg_type = SADB_DELETE;
1583 msg->sadb_msg_satype = proto2satype(protocol);
1584 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1585
1586 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1587 sa->sadb_sa_exttype = SADB_EXT_SA;
1588 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1589 sa->sadb_sa_spi = spi;
1590 PFKEY_EXT_ADD(msg, sa);
1591
1592 /* the Linux Kernel doesn't care for the src address, but other systems do
1593 * (e.g. FreeBSD)
1594 */
1595 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1596 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1597
1598 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1599 {
1600 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1601 return FAILED;
1602 }
1603 else if (out->sadb_msg_errno)
1604 {
1605 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1606 ntohl(spi), strerror(out->sadb_msg_errno),
1607 out->sadb_msg_errno);
1608 free(out);
1609 return FAILED;
1610 }
1611
1612 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1613 free(out);
1614 return SUCCESS;
1615 }
1616
1617 METHOD(kernel_ipsec_t, add_policy, status_t,
1618 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1619 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
1620 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
1621 mark_t mark, bool routed)
1622 {
1623 unsigned char request[PFKEY_BUFFER_SIZE];
1624 struct sadb_msg *msg, *out;
1625 struct sadb_x_policy *pol;
1626 struct sadb_x_ipsecrequest *req;
1627 policy_entry_t *policy, *found = NULL;
1628 pfkey_msg_t response;
1629 size_t len;
1630
1631 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1632 { /* FWD policies are not supported on all platforms */
1633 return SUCCESS;
1634 }
1635
1636 /* create a policy */
1637 policy = create_policy_entry(src_ts, dst_ts, direction, sa->reqid);
1638
1639 /* find a matching policy */
1640 this->mutex->lock(this->mutex);
1641 if (this->policies->find_first(this->policies,
1642 (linked_list_match_t)policy_entry_equals,
1643 (void**)&found, policy) == SUCCESS)
1644 { /* use existing policy, but cache the most recent reqid */
1645 found->refcount++;
1646 found->reqid = policy->reqid;
1647 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1648 "refcount", src_ts, dst_ts, policy_dir_names, direction);
1649 policy_entry_destroy(policy);
1650 policy = found;
1651 }
1652 else
1653 { /* use the new one, if we have no such policy */
1654 this->policies->insert_last(this->policies, policy);
1655 policy->refcount = 1;
1656 }
1657
1658 memset(&request, 0, sizeof(request));
1659
1660 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1661 policy_dir_names, direction);
1662
1663 msg = (struct sadb_msg*)request;
1664 msg->sadb_msg_version = PF_KEY_V2;
1665 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1666 msg->sadb_msg_satype = 0;
1667 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1668
1669 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1670 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1671 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1672 pol->sadb_x_policy_id = 0;
1673 pol->sadb_x_policy_dir = dir2kernel(direction);
1674 switch (type)
1675 {
1676 case POLICY_IPSEC:
1677 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1678 break;
1679 case POLICY_PASS:
1680 pol->sadb_x_policy_type = IPSEC_POLICY_NONE;
1681 break;
1682 case POLICY_DROP:
1683 pol->sadb_x_policy_type = IPSEC_POLICY_DISCARD;
1684 break;
1685 }
1686 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1687 /* calculate priority based on selector size, small size = high prio */
1688 pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
1689 pol->sadb_x_policy_priority -= policy->src.mask;
1690 pol->sadb_x_policy_priority -= policy->dst.mask;
1691 pol->sadb_x_policy_priority <<= 2; /* make some room for the flags */
1692 pol->sadb_x_policy_priority += policy->src.net->get_port(policy->src.net) ||
1693 policy->dst.net->get_port(policy->dst.net) ?
1694 0 : 2;
1695 pol->sadb_x_policy_priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1;
1696 #endif
1697
1698 /* one or more sadb_x_ipsecrequest extensions are added to the
1699 * sadb_x_policy extension */
1700 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1701 req->sadb_x_ipsecrequest_proto = sa->esp.use ? IPPROTO_ESP : IPPROTO_AH;
1702 /* !!! the length here MUST be in octets instead of 64 bit words */
1703 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1704 req->sadb_x_ipsecrequest_mode = mode2kernel(sa->mode);
1705 req->sadb_x_ipsecrequest_reqid = sa->reqid;
1706 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1707 if (sa->mode == MODE_TUNNEL)
1708 {
1709 len = hostcpy(req + 1, src);
1710 req->sadb_x_ipsecrequest_len += len;
1711 len = hostcpy((char*)(req + 1) + len, dst);
1712 req->sadb_x_ipsecrequest_len += len;
1713 }
1714
1715 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1716 PFKEY_EXT_ADD(msg, pol);
1717
1718 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1719 policy->src.mask);
1720 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1721 policy->dst.mask);
1722
1723 #ifdef __FreeBSD__
1724 { /* on FreeBSD a lifetime has to be defined to be able to later query
1725 * the current use time. */
1726 struct sadb_lifetime *lft;
1727 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1728 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1729 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1730 lft->sadb_lifetime_addtime = LONG_MAX;
1731 PFKEY_EXT_ADD(msg, lft);
1732 }
1733 #endif
1734
1735 this->mutex->unlock(this->mutex);
1736
1737 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1738 {
1739 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1740 policy_dir_names, direction);
1741 return FAILED;
1742 }
1743 else if (out->sadb_msg_errno)
1744 {
1745 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)",
1746 src_ts, dst_ts, policy_dir_names, direction,
1747 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1748 free(out);
1749 return FAILED;
1750 }
1751 else if (parse_pfkey_message(out, &response) != SUCCESS)
1752 {
1753 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1754 "from kernel failed", src_ts, dst_ts, policy_dir_names,
1755 direction);
1756 free(out);
1757 return FAILED;
1758 }
1759
1760 /* we try to find the policy again and update the kernel index */
1761 this->mutex->lock(this->mutex);
1762 if (this->policies->find_last(this->policies, NULL,
1763 (void**)&policy) != SUCCESS)
1764 {
1765 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1766 "already gone, ignoring", src_ts, dst_ts,
1767 policy_dir_names, direction);
1768 this->mutex->unlock(this->mutex);
1769 free(out);
1770 return SUCCESS;
1771 }
1772 policy->index = response.x_policy->sadb_x_policy_id;
1773 free(out);
1774
1775 /* install a route, if:
1776 * - we are NOT updating a policy
1777 * - this is a forward policy (to just get one for each child)
1778 * - we are in tunnel mode
1779 * - we are not using IPv6 (does not work correctly yet!)
1780 * - routing is not disabled via strongswan.conf
1781 */
1782 if (policy->route == NULL && direction == POLICY_FWD &&
1783 sa->mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1784 this->install_routes)
1785 {
1786 route_entry_t *route = malloc_thing(route_entry_t);
1787
1788 if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
1789 dst_ts, &route->src_ip) == SUCCESS)
1790 {
1791 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1792 route->gateway = hydra->kernel_interface->get_nexthop(
1793 hydra->kernel_interface, src);
1794 route->if_name = hydra->kernel_interface->get_interface(
1795 hydra->kernel_interface, dst);
1796 route->dst_net = chunk_clone(policy->src.net->get_address(
1797 policy->src.net));
1798 route->prefixlen = policy->src.mask;
1799
1800 if (route->if_name)
1801 {
1802 switch (hydra->kernel_interface->add_route(
1803 hydra->kernel_interface, route->dst_net,
1804 route->prefixlen, route->gateway,
1805 route->src_ip, route->if_name))
1806 {
1807 default:
1808 DBG1(DBG_KNL, "unable to install source route for %H",
1809 route->src_ip);
1810 /* FALL */
1811 case ALREADY_DONE:
1812 /* route exists, do not uninstall */
1813 route_entry_destroy(route);
1814 break;
1815 case SUCCESS:
1816 /* cache the installed route */
1817 policy->route = route;
1818 break;
1819 }
1820 }
1821 else
1822 {
1823 route_entry_destroy(route);
1824 }
1825 }
1826 else
1827 {
1828 free(route);
1829 }
1830 }
1831 this->mutex->unlock(this->mutex);
1832 return SUCCESS;
1833 }
1834
1835 METHOD(kernel_ipsec_t, query_policy, status_t,
1836 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
1837 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
1838 u_int32_t *use_time)
1839 {
1840 unsigned char request[PFKEY_BUFFER_SIZE];
1841 struct sadb_msg *msg, *out;
1842 struct sadb_x_policy *pol;
1843 policy_entry_t *policy, *found = NULL;
1844 pfkey_msg_t response;
1845 size_t len;
1846
1847 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1848 { /* FWD policies are not supported on all platforms */
1849 return NOT_FOUND;
1850 }
1851
1852 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1853 policy_dir_names, direction);
1854
1855 /* create a policy */
1856 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1857
1858 /* find a matching policy */
1859 this->mutex->lock(this->mutex);
1860 if (this->policies->find_first(this->policies,
1861 (linked_list_match_t)policy_entry_equals,
1862 (void**)&found, policy) != SUCCESS)
1863 {
1864 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1865 dst_ts, policy_dir_names, direction);
1866 policy_entry_destroy(policy);
1867 this->mutex->unlock(this->mutex);
1868 return NOT_FOUND;
1869 }
1870 policy_entry_destroy(policy);
1871 policy = found;
1872
1873 memset(&request, 0, sizeof(request));
1874
1875 msg = (struct sadb_msg*)request;
1876 msg->sadb_msg_version = PF_KEY_V2;
1877 msg->sadb_msg_type = SADB_X_SPDGET;
1878 msg->sadb_msg_satype = 0;
1879 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1880
1881 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1882 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1883 pol->sadb_x_policy_id = policy->index;
1884 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1885 pol->sadb_x_policy_dir = dir2kernel(direction);
1886 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1887 PFKEY_EXT_ADD(msg, pol);
1888
1889 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1890 policy->src.mask);
1891 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1892 policy->dst.mask);
1893
1894 this->mutex->unlock(this->mutex);
1895
1896 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1897 {
1898 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1899 policy_dir_names, direction);
1900 return FAILED;
1901 }
1902 else if (out->sadb_msg_errno)
1903 {
1904 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1905 dst_ts, policy_dir_names, direction,
1906 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1907 free(out);
1908 return FAILED;
1909 }
1910 else if (parse_pfkey_message(out, &response) != SUCCESS)
1911 {
1912 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1913 "from kernel failed", src_ts, dst_ts, policy_dir_names,
1914 direction);
1915 free(out);
1916 return FAILED;
1917 }
1918 else if (response.lft_current == NULL)
1919 {
1920 DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
1921 "use time", src_ts, dst_ts, policy_dir_names, direction);
1922 free(out);
1923 return FAILED;
1924 }
1925
1926 /* we need the monotonic time, but the kernel returns system time. */
1927 if (response.lft_current->sadb_lifetime_usetime)
1928 {
1929 *use_time = time_monotonic(NULL) -
1930 (time(NULL) - response.lft_current->sadb_lifetime_usetime);
1931 }
1932 else
1933 {
1934 *use_time = 0;
1935 }
1936 free(out);
1937 return SUCCESS;
1938 }
1939
1940 METHOD(kernel_ipsec_t, del_policy, status_t,
1941 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
1942 traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
1943 mark_t mark, bool unrouted)
1944 {
1945 unsigned char request[PFKEY_BUFFER_SIZE];
1946 struct sadb_msg *msg, *out;
1947 struct sadb_x_policy *pol;
1948 policy_entry_t *policy, *found = NULL;
1949 route_entry_t *route;
1950 size_t len;
1951
1952 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1953 { /* FWD policies are not supported on all platforms */
1954 return SUCCESS;
1955 }
1956
1957 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1958 policy_dir_names, direction);
1959
1960 /* create a policy */
1961 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1962
1963 /* find a matching policy */
1964 this->mutex->lock(this->mutex);
1965 if (this->policies->find_first(this->policies,
1966 (linked_list_match_t)policy_entry_equals,
1967 (void**)&found, policy) == SUCCESS)
1968 {
1969 if (--found->refcount > 0)
1970 { /* is used by more SAs, keep in kernel */
1971 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1972 policy_entry_destroy(policy);
1973 this->mutex->unlock(this->mutex);
1974 return SUCCESS;
1975 }
1976 /* remove if last reference */
1977 this->policies->remove(this->policies, found, NULL);
1978 policy_entry_destroy(policy);
1979 policy = found;
1980 }
1981 else
1982 {
1983 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1984 dst_ts, policy_dir_names, direction);
1985 policy_entry_destroy(policy);
1986 this->mutex->unlock(this->mutex);
1987 return NOT_FOUND;
1988 }
1989 this->mutex->unlock(this->mutex);
1990
1991 memset(&request, 0, sizeof(request));
1992
1993 msg = (struct sadb_msg*)request;
1994 msg->sadb_msg_version = PF_KEY_V2;
1995 msg->sadb_msg_type = SADB_X_SPDDELETE;
1996 msg->sadb_msg_satype = 0;
1997 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1998
1999 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2000 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2001 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2002 pol->sadb_x_policy_dir = dir2kernel(direction);
2003 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2004 PFKEY_EXT_ADD(msg, pol);
2005
2006 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2007 policy->src.mask);
2008 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2009 policy->dst.mask);
2010
2011 route = policy->route;
2012 policy->route = NULL;
2013 policy_entry_destroy(policy);
2014
2015 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2016 {
2017 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2018 policy_dir_names, direction);
2019 return FAILED;
2020 }
2021 else if (out->sadb_msg_errno)
2022 {
2023 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
2024 dst_ts, policy_dir_names, direction,
2025 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2026 free(out);
2027 return FAILED;
2028 }
2029 free(out);
2030
2031 if (route)
2032 {
2033 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2034 route->dst_net, route->prefixlen, route->gateway,
2035 route->src_ip, route->if_name) != SUCCESS)
2036 {
2037 DBG1(DBG_KNL, "error uninstalling route installed with "
2038 "policy %R === %R %N", src_ts, dst_ts,
2039 policy_dir_names, direction);
2040 }
2041 route_entry_destroy(route);
2042 }
2043 return SUCCESS;
2044 }
2045
2046 /**
2047 * Register a socket for AQUIRE/EXPIRE messages
2048 */
2049 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
2050 u_int8_t satype)
2051 {
2052 unsigned char request[PFKEY_BUFFER_SIZE];
2053 struct sadb_msg *msg, *out;
2054 size_t len;
2055
2056 memset(&request, 0, sizeof(request));
2057
2058 msg = (struct sadb_msg*)request;
2059 msg->sadb_msg_version = PF_KEY_V2;
2060 msg->sadb_msg_type = SADB_REGISTER;
2061 msg->sadb_msg_satype = satype;
2062 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2063
2064 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2065 {
2066 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2067 return FAILED;
2068 }
2069 else if (out->sadb_msg_errno)
2070 {
2071 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2072 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2073 free(out);
2074 return FAILED;
2075 }
2076 free(out);
2077 return SUCCESS;
2078 }
2079
2080 METHOD(kernel_ipsec_t, bypass_socket, bool,
2081 private_kernel_pfkey_ipsec_t *this, int fd, int family)
2082 {
2083 struct sadb_x_policy policy;
2084 u_int sol, ipsec_policy;
2085
2086 switch (family)
2087 {
2088 case AF_INET:
2089 {
2090 sol = SOL_IP;
2091 ipsec_policy = IP_IPSEC_POLICY;
2092 break;
2093 }
2094 case AF_INET6:
2095 {
2096 sol = SOL_IPV6;
2097 ipsec_policy = IPV6_IPSEC_POLICY;
2098 break;
2099 }
2100 default:
2101 return FALSE;
2102 }
2103
2104 memset(&policy, 0, sizeof(policy));
2105 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
2106 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2107 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
2108
2109 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
2110 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2111 {
2112 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2113 strerror(errno));
2114 return FALSE;
2115 }
2116 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
2117 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2118 {
2119 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2120 strerror(errno));
2121 return FALSE;
2122 }
2123 return TRUE;
2124 }
2125
2126 METHOD(kernel_ipsec_t, destroy, void,
2127 private_kernel_pfkey_ipsec_t *this)
2128 {
2129 if (this->job)
2130 {
2131 this->job->cancel(this->job);
2132 }
2133 if (this->socket > 0)
2134 {
2135 close(this->socket);
2136 }
2137 if (this->socket_events > 0)
2138 {
2139 close(this->socket_events);
2140 }
2141 this->policies->destroy_function(this->policies,
2142 (void*)policy_entry_destroy);
2143 this->mutex->destroy(this->mutex);
2144 this->mutex_pfkey->destroy(this->mutex_pfkey);
2145 free(this);
2146 }
2147
2148 /*
2149 * Described in header.
2150 */
2151 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
2152 {
2153 private_kernel_pfkey_ipsec_t *this;
2154
2155 INIT(this,
2156 .public = {
2157 .interface = {
2158 .get_spi = _get_spi,
2159 .get_cpi = _get_cpi,
2160 .add_sa = _add_sa,
2161 .update_sa = _update_sa,
2162 .query_sa = _query_sa,
2163 .del_sa = _del_sa,
2164 .add_policy = _add_policy,
2165 .query_policy = _query_policy,
2166 .del_policy = _del_policy,
2167 .bypass_socket = _bypass_socket,
2168 .destroy = _destroy,
2169 },
2170 },
2171 .policies = linked_list_create(),
2172 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2173 .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
2174 .install_routes = lib->settings->get_bool(lib->settings,
2175 "%s.install_routes", TRUE,
2176 hydra->daemon),
2177 );
2178
2179 if (streq(hydra->daemon, "pluto"))
2180 { /* no routes for pluto, they are installed via updown script */
2181 this->install_routes = FALSE;
2182 }
2183
2184 /* create a PF_KEY socket to communicate with the kernel */
2185 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2186 if (this->socket <= 0)
2187 {
2188 DBG1(DBG_KNL, "unable to create PF_KEY socket");
2189 destroy(this);
2190 return NULL;
2191 }
2192
2193 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2194 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2195 if (this->socket_events <= 0)
2196 {
2197 DBG1(DBG_KNL, "unable to create PF_KEY event socket");
2198 destroy(this);
2199 return NULL;
2200 }
2201
2202 /* register the event socket */
2203 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2204 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2205 {
2206 DBG1(DBG_KNL, "unable to register PF_KEY event socket");
2207 destroy(this);
2208 return NULL;
2209 }
2210
2211 this->job = callback_job_create_with_prio((callback_job_cb_t)receive_events,
2212 this, NULL, NULL, JOB_PRIO_CRITICAL);
2213 lib->processor->queue_job(lib->processor, (job_t*)this->job);
2214
2215 return &this->public;
2216 }
2217