8ad6748db72e5a6d3487d586d06fd63e6ad5c728
[strongswan.git] / src / libhydra / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2012 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef __FreeBSD__
21 #include <limits.h> /* for LONG_MAX */
22 #endif
23
24 #ifdef HAVE_NET_PFKEYV2_H
25 #include <net/pfkeyv2.h>
26 #else
27 #include <stdint.h>
28 #include <linux/pfkeyv2.h>
29 #endif
30
31 #ifdef SADB_X_EXT_NAT_T_TYPE
32 #define HAVE_NATT
33 #endif
34
35 #ifdef HAVE_NETIPSEC_IPSEC_H
36 #include <netipsec/ipsec.h>
37 #elif defined(HAVE_NETINET6_IPSEC_H)
38 #include <netinet6/ipsec.h>
39 #else
40 #include <linux/ipsec.h>
41 #endif
42
43 #ifdef HAVE_NATT
44 #ifdef HAVE_LINUX_UDP_H
45 #include <linux/udp.h>
46 #else
47 #include <netinet/udp.h>
48 #endif /*HAVE_LINUX_UDP_H*/
49 #endif /*HAVE_NATT*/
50
51 #include <unistd.h>
52 #include <time.h>
53 #include <errno.h>
54
55 #include "kernel_pfkey_ipsec.h"
56
57 #include <hydra.h>
58 #include <debug.h>
59 #include <utils/host.h>
60 #include <utils/linked_list.h>
61 #include <utils/hashtable.h>
62 #include <threading/thread.h>
63 #include <threading/mutex.h>
64 #include <processing/jobs/callback_job.h>
65
66 /** non linux specific */
67 #ifndef IPPROTO_COMP
68 #ifdef IPPROTO_IPCOMP
69 #define IPPROTO_COMP IPPROTO_IPCOMP
70 #endif
71 #endif
72
73 #ifndef SADB_X_AALG_SHA2_256HMAC
74 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
75 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
76 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
77 #endif
78
79 #ifndef SADB_X_EALG_AESCBC
80 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
81 #endif
82
83 #ifndef SADB_X_EALG_CASTCBC
84 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
85 #endif
86
87 #ifndef SOL_IP
88 #define SOL_IP IPPROTO_IP
89 #define SOL_IPV6 IPPROTO_IPV6
90 #endif
91
92 /** from linux/in.h */
93 #ifndef IP_IPSEC_POLICY
94 #define IP_IPSEC_POLICY 16
95 #endif
96
97 /** missing on uclibc */
98 #ifndef IPV6_IPSEC_POLICY
99 #define IPV6_IPSEC_POLICY 34
100 #endif
101
102 /** default priority of installed policies */
103 #define PRIO_BASE 512
104
105 #ifdef __APPLE__
106 /** from xnu/bsd/net/pfkeyv2.h */
107 #define SADB_X_EXT_NATT 0x002
108 struct sadb_sa_2 {
109 struct sadb_sa sa;
110 u_int16_t sadb_sa_natt_port;
111 u_int16_t sadb_reserved0;
112 u_int32_t sadb_reserved1;
113 };
114 #endif
115
116 /** buffer size for PF_KEY messages */
117 #define PFKEY_BUFFER_SIZE 4096
118
119 /** PF_KEY messages are 64 bit aligned */
120 #define PFKEY_ALIGNMENT 8
121 /** aligns len to 64 bits */
122 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
123 /** calculates the properly padded length in 64 bit chunks */
124 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
125 /** calculates user mode length i.e. in bytes */
126 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
127
128 /** given a PF_KEY message header and an extension this updates the length in the header */
129 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
130 /** given a PF_KEY message header this returns a pointer to the next extension */
131 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
132 /** copy an extension and append it to a PF_KEY message */
133 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
134 /** given a PF_KEY extension this returns a pointer to the next extension */
135 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
136 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
137 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
138 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
139 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
140 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
141 (ext)->sadb_ext_len <= (len))
142
143 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
144
145 /**
146 * Private variables and functions of kernel_pfkey class.
147 */
148 struct private_kernel_pfkey_ipsec_t
149 {
150 /**
151 * Public part of the kernel_pfkey_t object.
152 */
153 kernel_pfkey_ipsec_t public;
154
155 /**
156 * mutex to lock access to various lists
157 */
158 mutex_t *mutex;
159
160 /**
161 * List of installed policies (policy_entry_t)
162 */
163 linked_list_t *policies;
164
165 /**
166 * Hash table of IPsec SAs using policies (ipsec_sa_t)
167 */
168 hashtable_t *sas;
169
170 /**
171 * whether to install routes along policies
172 */
173 bool install_routes;
174
175 /**
176 * job receiving PF_KEY events
177 */
178 callback_job_t *job;
179
180 /**
181 * mutex to lock access to the PF_KEY socket
182 */
183 mutex_t *mutex_pfkey;
184
185 /**
186 * PF_KEY socket to communicate with the kernel
187 */
188 int socket;
189
190 /**
191 * PF_KEY socket to receive acquire and expire events
192 */
193 int socket_events;
194
195 /**
196 * sequence number for messages sent to the kernel
197 */
198 int seq;
199 };
200
201 typedef struct route_entry_t route_entry_t;
202
203 /**
204 * installed routing entry
205 */
206 struct route_entry_t {
207 /** name of the interface the route is bound to */
208 char *if_name;
209
210 /** source ip of the route */
211 host_t *src_ip;
212
213 /** gateway for this route */
214 host_t *gateway;
215
216 /** destination net */
217 chunk_t dst_net;
218
219 /** destination net prefixlen */
220 u_int8_t prefixlen;
221 };
222
223 /**
224 * destroy an route_entry_t object
225 */
226 static void route_entry_destroy(route_entry_t *this)
227 {
228 free(this->if_name);
229 DESTROY_IF(this->src_ip);
230 DESTROY_IF(this->gateway);
231 chunk_free(&this->dst_net);
232 free(this);
233 }
234
235 /**
236 * compare two route_entry_t objects
237 */
238 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
239 {
240 return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
241 a->src_ip->equals(a->src_ip, b->src_ip) &&
242 a->gateway->equals(a->gateway, b->gateway) &&
243 chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
244 }
245
246 typedef struct ipsec_sa_t ipsec_sa_t;
247
248 /**
249 * IPsec SA assigned to a policy.
250 */
251 struct ipsec_sa_t {
252 /** Source address of this SA */
253 host_t *src;
254
255 /** Destination address of this SA */
256 host_t *dst;
257
258 /** Description of this SA */
259 ipsec_sa_cfg_t cfg;
260
261 /** Reference count for this SA */
262 refcount_t refcount;
263 };
264
265 /**
266 * Hash function for ipsec_sa_t objects
267 */
268 static u_int ipsec_sa_hash(ipsec_sa_t *sa)
269 {
270 return chunk_hash_inc(sa->src->get_address(sa->src),
271 chunk_hash_inc(sa->dst->get_address(sa->dst),
272 chunk_hash(chunk_from_thing(sa->cfg))));
273 }
274
275 /**
276 * Equality function for ipsec_sa_t objects
277 */
278 static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
279 {
280 return sa->src->ip_equals(sa->src, other_sa->src) &&
281 sa->dst->ip_equals(sa->dst, other_sa->dst) &&
282 memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t));
283 }
284
285 /**
286 * Allocate or reference an IPsec SA object
287 */
288 static ipsec_sa_t *ipsec_sa_create(private_kernel_pfkey_ipsec_t *this,
289 host_t *src, host_t *dst,
290 ipsec_sa_cfg_t *cfg)
291 {
292 ipsec_sa_t *sa, *found;
293 INIT(sa,
294 .src = src,
295 .dst = dst,
296 .cfg = *cfg,
297 );
298 found = this->sas->get(this->sas, sa);
299 if (!found)
300 {
301 sa->src = src->clone(src);
302 sa->dst = dst->clone(dst);
303 this->sas->put(this->sas, sa, sa);
304 }
305 else
306 {
307 free(sa);
308 sa = found;
309 }
310 ref_get(&sa->refcount);
311 return sa;
312 }
313
314 /**
315 * Release and destroy an IPsec SA object
316 */
317 static void ipsec_sa_destroy(private_kernel_pfkey_ipsec_t *this,
318 ipsec_sa_t *sa)
319 {
320 if (ref_put(&sa->refcount))
321 {
322 this->sas->remove(this->sas, sa);
323 DESTROY_IF(sa->src);
324 DESTROY_IF(sa->dst);
325 free(sa);
326 }
327 }
328
329 typedef struct policy_sa_t policy_sa_t;
330 typedef struct policy_sa_fwd_t policy_sa_fwd_t;
331
332 /**
333 * Mapping between a policy and an IPsec SA.
334 */
335 struct policy_sa_t {
336 /** Priority assigned to the policy when installed with this SA */
337 u_int32_t priority;
338
339 /** Type of the policy */
340 policy_type_t type;
341
342 /** Assigned SA */
343 ipsec_sa_t *sa;
344 };
345
346 /**
347 * For forward policies we also cache the traffic selectors in order to install
348 * the route.
349 */
350 struct policy_sa_fwd_t {
351 /** Generic interface */
352 policy_sa_t generic;
353
354 /** Source traffic selector of this policy */
355 traffic_selector_t *src_ts;
356
357 /** Destination traffic selector of this policy */
358 traffic_selector_t *dst_ts;
359 };
360
361 /**
362 * Create a policy_sa(_fwd)_t object
363 */
364 static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this,
365 policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
366 traffic_selector_t *src_ts, traffic_selector_t *dst_ts, ipsec_sa_cfg_t *cfg)
367 {
368 policy_sa_t *policy;
369
370 if (dir == POLICY_FWD)
371 {
372 policy_sa_fwd_t *fwd;
373 INIT(fwd,
374 .src_ts = src_ts->clone(src_ts),
375 .dst_ts = dst_ts->clone(dst_ts),
376 );
377 policy = &fwd->generic;
378 }
379 else
380 {
381 INIT(policy, .priority = 0);
382 }
383 policy->type = type;
384 policy->sa = ipsec_sa_create(this, src, dst, cfg);
385 return policy;
386 }
387
388 /**
389 * Destroy a policy_sa(_fwd)_t object
390 */
391 static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir,
392 private_kernel_pfkey_ipsec_t *this)
393 {
394 if (*dir == POLICY_FWD)
395 {
396 policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)policy;
397 fwd->src_ts->destroy(fwd->src_ts);
398 fwd->dst_ts->destroy(fwd->dst_ts);
399 }
400 ipsec_sa_destroy(this, policy->sa);
401 free(policy);
402 }
403
404 typedef struct policy_entry_t policy_entry_t;
405
406 /**
407 * installed kernel policy.
408 */
409 struct policy_entry_t {
410 /** Index assigned by the kernel */
411 u_int32_t index;
412
413 /** Direction of this policy: in, out, forward */
414 u_int8_t direction;
415
416 /** Parameters of installed policy */
417 struct {
418 /** Subnet and port */
419 host_t *net;
420 /** Subnet mask */
421 u_int8_t mask;
422 /** Protocol */
423 u_int8_t proto;
424 } src, dst;
425
426 /** Associated route installed for this policy */
427 route_entry_t *route;
428
429 /** List of SAs this policy is used by, ordered by priority */
430 linked_list_t *used_by;
431 };
432
433 /**
434 * Create a policy_entry_t object
435 */
436 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
437 traffic_selector_t *dst_ts,
438 policy_dir_t dir)
439 {
440 policy_entry_t *policy;
441 INIT(policy,
442 .direction = dir,
443 );
444
445 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
446 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
447
448 /* src or dest proto may be "any" (0), use more restrictive one */
449 policy->src.proto = max(src_ts->get_protocol(src_ts),
450 dst_ts->get_protocol(dst_ts));
451 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
452 policy->dst.proto = policy->src.proto;
453
454 return policy;
455 }
456
457 /**
458 * Destroy a policy_entry_t object
459 */
460 static void policy_entry_destroy(policy_entry_t *policy,
461 private_kernel_pfkey_ipsec_t *this)
462 {
463 if (policy->route)
464 {
465 route_entry_destroy(policy->route);
466 }
467 if (policy->used_by)
468 {
469 policy->used_by->invoke_function(policy->used_by,
470 (linked_list_invoke_t)policy_sa_destroy,
471 &policy->direction, this);
472 policy->used_by->destroy(policy->used_by);
473 }
474 DESTROY_IF(policy->src.net);
475 DESTROY_IF(policy->dst.net);
476 free(policy);
477 }
478
479 /**
480 * compares two policy_entry_t
481 */
482 static inline bool policy_entry_equals(policy_entry_t *current,
483 policy_entry_t *policy)
484 {
485 return current->direction == policy->direction &&
486 current->src.proto == policy->src.proto &&
487 current->dst.proto == policy->dst.proto &&
488 current->src.mask == policy->src.mask &&
489 current->dst.mask == policy->dst.mask &&
490 current->src.net->equals(current->src.net, policy->src.net) &&
491 current->dst.net->equals(current->dst.net, policy->dst.net);
492 }
493
494 /**
495 * compare the given kernel index with that of a policy
496 */
497 static inline bool policy_entry_match_byindex(policy_entry_t *current,
498 u_int32_t *index)
499 {
500 return current->index == *index;
501 }
502
503 /**
504 * Calculate the priority of a policy
505 */
506 static inline u_int32_t get_priority(policy_entry_t *policy,
507 policy_priority_t prio)
508 {
509 u_int32_t priority = PRIO_BASE;
510 switch (prio)
511 {
512 case POLICY_PRIORITY_FALLBACK:
513 priority <<= 1;
514 /* fall-through */
515 case POLICY_PRIORITY_ROUTED:
516 priority <<= 1;
517 /* fall-through */
518 case POLICY_PRIORITY_DEFAULT:
519 break;
520 }
521 /* calculate priority based on selector size, small size = high prio */
522 priority -= policy->src.mask;
523 priority -= policy->dst.mask;
524 priority <<= 2; /* make some room for the two flags */
525 priority += policy->src.net->get_port(policy->src.net) ||
526 policy->dst.net->get_port(policy->dst.net) ?
527 0 : 2;
528 priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1;
529 return priority;
530 }
531
532 typedef struct pfkey_msg_t pfkey_msg_t;
533
534 struct pfkey_msg_t
535 {
536 /**
537 * PF_KEY message base
538 */
539 struct sadb_msg *msg;
540
541 /**
542 * PF_KEY message extensions
543 */
544 union {
545 struct sadb_ext *ext[SADB_EXT_MAX + 1];
546 struct {
547 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
548 struct sadb_sa *sa; /* SADB_EXT_SA */
549 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
550 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
551 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
552 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
553 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
554 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
555 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
556 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
557 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
558 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
559 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
560 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
561 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
562 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
563 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
564 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
565 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
566 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
567 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
568 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
569 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
570 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
571 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
572 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
573 } __attribute__((__packed__));
574 };
575 };
576
577 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
578 "SADB_EXT_RESERVED",
579 "SADB_EXT_SA",
580 "SADB_EXT_LIFETIME_CURRENT",
581 "SADB_EXT_LIFETIME_HARD",
582 "SADB_EXT_LIFETIME_SOFT",
583 "SADB_EXT_ADDRESS_SRC",
584 "SADB_EXT_ADDRESS_DST",
585 "SADB_EXT_ADDRESS_PROXY",
586 "SADB_EXT_KEY_AUTH",
587 "SADB_EXT_KEY_ENCRYPT",
588 "SADB_EXT_IDENTITY_SRC",
589 "SADB_EXT_IDENTITY_DST",
590 "SADB_EXT_SENSITIVITY",
591 "SADB_EXT_PROPOSAL",
592 "SADB_EXT_SUPPORTED_AUTH",
593 "SADB_EXT_SUPPORTED_ENCRYPT",
594 "SADB_EXT_SPIRANGE",
595 "SADB_X_EXT_KMPRIVATE",
596 "SADB_X_EXT_POLICY",
597 "SADB_X_EXT_SA2",
598 "SADB_X_EXT_NAT_T_TYPE",
599 "SADB_X_EXT_NAT_T_SPORT",
600 "SADB_X_EXT_NAT_T_DPORT",
601 "SADB_X_EXT_NAT_T_OA",
602 "SADB_X_EXT_SEC_CTX",
603 "SADB_X_EXT_KMADDRESS"
604 );
605
606 /**
607 * convert a protocol identifier to the PF_KEY sa type
608 */
609 static u_int8_t proto2satype(u_int8_t proto)
610 {
611 switch (proto)
612 {
613 case IPPROTO_ESP:
614 return SADB_SATYPE_ESP;
615 case IPPROTO_AH:
616 return SADB_SATYPE_AH;
617 case IPPROTO_COMP:
618 return SADB_X_SATYPE_IPCOMP;
619 default:
620 return proto;
621 }
622 }
623
624 /**
625 * convert a PF_KEY sa type to a protocol identifier
626 */
627 static u_int8_t satype2proto(u_int8_t satype)
628 {
629 switch (satype)
630 {
631 case SADB_SATYPE_ESP:
632 return IPPROTO_ESP;
633 case SADB_SATYPE_AH:
634 return IPPROTO_AH;
635 case SADB_X_SATYPE_IPCOMP:
636 return IPPROTO_COMP;
637 default:
638 return satype;
639 }
640 }
641
642 /**
643 * convert the general ipsec mode to the one defined in ipsec.h
644 */
645 static u_int8_t mode2kernel(ipsec_mode_t mode)
646 {
647 switch (mode)
648 {
649 case MODE_TRANSPORT:
650 return IPSEC_MODE_TRANSPORT;
651 case MODE_TUNNEL:
652 return IPSEC_MODE_TUNNEL;
653 #ifdef HAVE_IPSEC_MODE_BEET
654 case MODE_BEET:
655 return IPSEC_MODE_BEET;
656 #endif
657 default:
658 return mode;
659 }
660 }
661
662 /**
663 * convert the general policy direction to the one defined in ipsec.h
664 */
665 static u_int8_t dir2kernel(policy_dir_t dir)
666 {
667 switch (dir)
668 {
669 case POLICY_IN:
670 return IPSEC_DIR_INBOUND;
671 case POLICY_OUT:
672 return IPSEC_DIR_OUTBOUND;
673 #ifdef HAVE_IPSEC_DIR_FWD
674 case POLICY_FWD:
675 return IPSEC_DIR_FWD;
676 #endif
677 default:
678 return IPSEC_DIR_INVALID;
679 }
680 }
681
682 /**
683 * convert the policy type to the one defined in ipsec.h
684 */
685 static inline u_int16_t type2kernel(policy_type_t type)
686 {
687 switch (type)
688 {
689 case POLICY_IPSEC:
690 return IPSEC_POLICY_IPSEC;
691 case POLICY_PASS:
692 return IPSEC_POLICY_NONE;
693 case POLICY_DROP:
694 return IPSEC_POLICY_DISCARD;
695 }
696 return type;
697 }
698
699 #ifdef SADB_X_MIGRATE
700 /**
701 * convert the policy direction in ipsec.h to the general one.
702 */
703 static policy_dir_t kernel2dir(u_int8_t dir)
704 {
705 switch (dir)
706 {
707 case IPSEC_DIR_INBOUND:
708 return POLICY_IN;
709 case IPSEC_DIR_OUTBOUND:
710 return POLICY_OUT;
711 #ifdef HAVE_IPSEC_DIR_FWD
712 case IPSEC_DIR_FWD:
713 return POLICY_FWD;
714 #endif
715 default:
716 return dir;
717 }
718 }
719 #endif /*SADB_X_MIGRATE*/
720
721 typedef struct kernel_algorithm_t kernel_algorithm_t;
722
723 /**
724 * Mapping of IKEv2 algorithms to PF_KEY algorithms
725 */
726 struct kernel_algorithm_t {
727 /**
728 * Identifier specified in IKEv2
729 */
730 int ikev2;
731
732 /**
733 * Identifier as defined in pfkeyv2.h
734 */
735 int kernel;
736 };
737
738 #define END_OF_LIST -1
739
740 /**
741 * Algorithms for encryption
742 */
743 static kernel_algorithm_t encryption_algs[] = {
744 /* {ENCR_DES_IV64, 0 }, */
745 {ENCR_DES, SADB_EALG_DESCBC },
746 {ENCR_3DES, SADB_EALG_3DESCBC },
747 /* {ENCR_RC5, 0 }, */
748 /* {ENCR_IDEA, 0 }, */
749 {ENCR_CAST, SADB_X_EALG_CASTCBC },
750 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
751 /* {ENCR_3IDEA, 0 }, */
752 /* {ENCR_DES_IV32, 0 }, */
753 {ENCR_NULL, SADB_EALG_NULL },
754 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
755 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
756 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
757 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
758 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
759 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
760 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
761 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
762 {END_OF_LIST, 0 },
763 };
764
765 /**
766 * Algorithms for integrity protection
767 */
768 static kernel_algorithm_t integrity_algs[] = {
769 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
770 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
771 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
772 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
773 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
774 /* {AUTH_DES_MAC, 0, }, */
775 /* {AUTH_KPDK_MD5, 0, }, */
776 #ifdef SADB_X_AALG_AES_XCBC_MAC
777 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
778 #endif
779 {END_OF_LIST, 0, },
780 };
781
782 #if 0
783 /**
784 * Algorithms for IPComp, unused yet
785 */
786 static kernel_algorithm_t compression_algs[] = {
787 /* {IPCOMP_OUI, 0 }, */
788 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
789 {IPCOMP_LZS, SADB_X_CALG_LZS },
790 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
791 {END_OF_LIST, 0 },
792 };
793 #endif
794
795 /**
796 * Look up a kernel algorithm ID and its key size
797 */
798 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
799 {
800 while (list->ikev2 != END_OF_LIST)
801 {
802 if (ikev2 == list->ikev2)
803 {
804 return list->kernel;
805 }
806 list++;
807 }
808 return 0;
809 }
810
811 /**
812 * Copy a host_t as sockaddr_t to the given memory location.
813 * @return the number of bytes copied
814 */
815 static size_t hostcpy(void *dest, host_t *host, bool include_port)
816 {
817 sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
818 socklen_t *len = host->get_sockaddr_len(host);
819 u_int16_t port = htons(host->get_port(host));
820
821 memcpy(dest, addr, *len);
822 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
823 dest_addr->sa_len = *len;
824 #endif
825 switch (dest_addr->sa_family)
826 {
827 case AF_INET:
828 {
829 struct sockaddr_in *sin = dest;
830 sin->sin_port = include_port ? port : 0;
831 break;
832 }
833 case AF_INET6:
834 {
835 struct sockaddr_in6 *sin6 = dest;
836 sin6->sin6_port = include_port ? port : 0;
837 break;
838 }
839 }
840 return *len;
841 }
842
843 /**
844 * add a host behind an sadb_address extension
845 */
846 static void host2ext(host_t *host, struct sadb_address *ext, bool include_port)
847 {
848 size_t len = hostcpy(ext + 1, host, include_port);
849 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len);
850 }
851
852 /**
853 * add a host to the given sadb_msg
854 */
855 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
856 u_int8_t proto, u_int8_t prefixlen, bool include_port)
857 {
858 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
859 addr->sadb_address_exttype = type;
860 addr->sadb_address_proto = proto;
861 addr->sadb_address_prefixlen = prefixlen;
862 host2ext(host, addr, include_port);
863 PFKEY_EXT_ADD(msg, addr);
864 }
865
866 /**
867 * adds an empty address extension to the given sadb_msg
868 */
869 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
870 {
871 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
872 sizeof(struct sockaddr_in6);
873 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
874 addr->sadb_address_exttype = type;
875 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
876 saddr->sa_family = family;
877 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
878 saddr->sa_len = len;
879 #endif
880 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
881 PFKEY_EXT_ADD(msg, addr);
882 }
883
884 #ifdef HAVE_NATT
885 /**
886 * add udp encap extensions to a sadb_msg
887 */
888 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
889 {
890 struct sadb_x_nat_t_type* nat_type;
891 struct sadb_x_nat_t_port* nat_port;
892
893 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
894 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
895 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(*nat_type));
896 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
897 PFKEY_EXT_ADD(msg, nat_type);
898
899 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
900 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
901 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
902 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
903 PFKEY_EXT_ADD(msg, nat_port);
904
905 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
906 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
907 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
908 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
909 PFKEY_EXT_ADD(msg, nat_port);
910 }
911 #endif /*HAVE_NATT*/
912
913 /**
914 * Convert a sadb_address to a traffic_selector
915 */
916 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
917 {
918 traffic_selector_t *ts;
919 host_t *host;
920
921 /* The Linux 2.6 kernel does not set the protocol and port information
922 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
923 */
924 host = host_create_from_sockaddr((sockaddr_t*)&address[1]);
925 ts = traffic_selector_create_from_subnet(host,
926 address->sadb_address_prefixlen,
927 address->sadb_address_proto,
928 host->get_port(host));
929 return ts;
930 }
931
932 /**
933 * Parses a pfkey message received from the kernel
934 */
935 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
936 {
937 struct sadb_ext* ext;
938 size_t len;
939
940 memset(out, 0, sizeof(pfkey_msg_t));
941 out->msg = msg;
942
943 len = msg->sadb_msg_len;
944 len -= PFKEY_LEN(sizeof(struct sadb_msg));
945
946 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
947
948 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
949 {
950 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
951 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
952 ext->sadb_ext_len > len)
953 {
954 DBG1(DBG_KNL, "length of %N extension is invalid",
955 sadb_ext_type_names, ext->sadb_ext_type);
956 break;
957 }
958
959 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
960 {
961 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid",
962 ext->sadb_ext_type);
963 break;
964 }
965
966 if (out->ext[ext->sadb_ext_type])
967 {
968 DBG1(DBG_KNL, "duplicate %N extension",
969 sadb_ext_type_names, ext->sadb_ext_type);
970 break;
971 }
972
973 out->ext[ext->sadb_ext_type] = ext;
974 ext = PFKEY_EXT_NEXT_LEN(ext, len);
975 }
976
977 if (len)
978 {
979 DBG1(DBG_KNL, "PF_KEY message length is invalid");
980 return FAILED;
981 }
982
983 return SUCCESS;
984 }
985
986 /**
987 * Send a message to a specific PF_KEY socket and handle the response.
988 */
989 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
990 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
991 {
992 unsigned char buf[PFKEY_BUFFER_SIZE];
993 struct sadb_msg *msg;
994 int in_len, len;
995
996 this->mutex_pfkey->lock(this->mutex_pfkey);
997
998 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
999 * in particular the behavior in response to an SADB_ACQUIRE. */
1000 in->sadb_msg_seq = ++this->seq;
1001 in->sadb_msg_pid = getpid();
1002
1003 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
1004
1005 while (TRUE)
1006 {
1007 len = send(socket, in, in_len, 0);
1008
1009 if (len != in_len)
1010 {
1011 if (errno == EINTR)
1012 {
1013 /* interrupted, try again */
1014 continue;
1015 }
1016 this->mutex_pfkey->unlock(this->mutex_pfkey);
1017 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s",
1018 strerror(errno));
1019 return FAILED;
1020 }
1021 break;
1022 }
1023
1024 while (TRUE)
1025 {
1026 msg = (struct sadb_msg*)buf;
1027
1028 len = recv(socket, buf, sizeof(buf), 0);
1029
1030 if (len < 0)
1031 {
1032 if (errno == EINTR)
1033 {
1034 DBG1(DBG_KNL, "got interrupted");
1035 /* interrupted, try again */
1036 continue;
1037 }
1038 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s",
1039 strerror(errno));
1040 this->mutex_pfkey->unlock(this->mutex_pfkey);
1041 return FAILED;
1042 }
1043 if (len < sizeof(struct sadb_msg) ||
1044 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1045 {
1046 DBG1(DBG_KNL, "received corrupted PF_KEY message");
1047 this->mutex_pfkey->unlock(this->mutex_pfkey);
1048 return FAILED;
1049 }
1050 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1051 {
1052 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY "
1053 "message");
1054 this->mutex_pfkey->unlock(this->mutex_pfkey);
1055 return FAILED;
1056 }
1057 if (msg->sadb_msg_pid != in->sadb_msg_pid)
1058 {
1059 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
1060 continue;
1061 }
1062 if (msg->sadb_msg_seq != this->seq)
1063 {
1064 DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
1065 "number, was %d expected %d", msg->sadb_msg_seq,
1066 this->seq);
1067 if (msg->sadb_msg_seq == 0)
1068 {
1069 /* FreeBSD and Mac OS X do this for the response to
1070 * SADB_X_SPDGET (but not for the response to SADB_GET).
1071 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
1072 }
1073 else if (msg->sadb_msg_seq < this->seq)
1074 {
1075 continue;
1076 }
1077 else
1078 {
1079 this->mutex_pfkey->unlock(this->mutex_pfkey);
1080 return FAILED;
1081 }
1082 }
1083 if (msg->sadb_msg_type != in->sadb_msg_type)
1084 {
1085 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
1086 "was %d expected %d, ignoring", msg->sadb_msg_type,
1087 in->sadb_msg_type);
1088 }
1089 break;
1090 }
1091
1092 *out_len = len;
1093 *out = (struct sadb_msg*)malloc(len);
1094 memcpy(*out, buf, len);
1095
1096 this->mutex_pfkey->unlock(this->mutex_pfkey);
1097 return SUCCESS;
1098 }
1099
1100 /**
1101 * Send a message to the default PF_KEY socket and handle the response.
1102 */
1103 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
1104 struct sadb_msg *in, struct sadb_msg **out,
1105 size_t *out_len)
1106 {
1107 return pfkey_send_socket(this, this->socket, in, out, out_len);
1108 }
1109
1110 /**
1111 * Process a SADB_ACQUIRE message from the kernel
1112 */
1113 static void process_acquire(private_kernel_pfkey_ipsec_t *this,
1114 struct sadb_msg* msg)
1115 {
1116 pfkey_msg_t response;
1117 u_int32_t index, reqid = 0;
1118 traffic_selector_t *src_ts, *dst_ts;
1119 policy_entry_t *policy;
1120 policy_sa_t *sa;
1121
1122 switch (msg->sadb_msg_satype)
1123 {
1124 case SADB_SATYPE_UNSPEC:
1125 case SADB_SATYPE_ESP:
1126 case SADB_SATYPE_AH:
1127 break;
1128 default:
1129 /* acquire for AH/ESP only */
1130 return;
1131 }
1132 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
1133
1134 if (parse_pfkey_message(msg, &response) != SUCCESS)
1135 {
1136 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
1137 return;
1138 }
1139
1140 index = response.x_policy->sadb_x_policy_id;
1141 this->mutex->lock(this->mutex);
1142 if (this->policies->find_first(this->policies,
1143 (linked_list_match_t)policy_entry_match_byindex,
1144 (void**)&policy, &index) == SUCCESS &&
1145 policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS)
1146 {
1147 reqid = sa->sa->cfg.reqid;
1148 }
1149 else
1150 {
1151 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no "
1152 "matching policy found", index);
1153 }
1154 this->mutex->unlock(this->mutex);
1155
1156 src_ts = sadb_address2ts(response.src);
1157 dst_ts = sadb_address2ts(response.dst);
1158
1159 hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
1160 dst_ts);
1161 }
1162
1163 /**
1164 * Process a SADB_EXPIRE message from the kernel
1165 */
1166 static void process_expire(private_kernel_pfkey_ipsec_t *this,
1167 struct sadb_msg* msg)
1168 {
1169 pfkey_msg_t response;
1170 u_int8_t protocol;
1171 u_int32_t spi, reqid;
1172 bool hard;
1173
1174 DBG2(DBG_KNL, "received an SADB_EXPIRE");
1175
1176 if (parse_pfkey_message(msg, &response) != SUCCESS)
1177 {
1178 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
1179 return;
1180 }
1181
1182 protocol = satype2proto(msg->sadb_msg_satype);
1183 spi = response.sa->sadb_sa_spi;
1184 reqid = response.x_sa2->sadb_x_sa2_reqid;
1185 hard = response.lft_hard != NULL;
1186
1187 if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
1188 {
1189 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and "
1190 "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
1191 return;
1192 }
1193
1194 hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
1195 spi, hard);
1196 }
1197
1198 #ifdef SADB_X_MIGRATE
1199 /**
1200 * Process a SADB_X_MIGRATE message from the kernel
1201 */
1202 static void process_migrate(private_kernel_pfkey_ipsec_t *this,
1203 struct sadb_msg* msg)
1204 {
1205 pfkey_msg_t response;
1206 traffic_selector_t *src_ts, *dst_ts;
1207 policy_dir_t dir;
1208 u_int32_t reqid = 0;
1209 host_t *local = NULL, *remote = NULL;
1210
1211 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
1212
1213 if (parse_pfkey_message(msg, &response) != SUCCESS)
1214 {
1215 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
1216 return;
1217 }
1218 src_ts = sadb_address2ts(response.src);
1219 dst_ts = sadb_address2ts(response.dst);
1220 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
1221 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
1222 policy_dir_names, dir);
1223
1224 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
1225 if (response.x_kmaddress)
1226 {
1227 sockaddr_t *local_addr, *remote_addr;
1228 u_int32_t local_len;
1229
1230 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
1231 local = host_create_from_sockaddr(local_addr);
1232 local_len = (local_addr->sa_family == AF_INET6)?
1233 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
1234 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
1235 remote = host_create_from_sockaddr(remote_addr);
1236 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1237 }
1238
1239 if (src_ts && dst_ts && local && remote)
1240 {
1241 hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
1242 src_ts, dst_ts, dir, local, remote);
1243 }
1244 else
1245 {
1246 DESTROY_IF(src_ts);
1247 DESTROY_IF(dst_ts);
1248 DESTROY_IF(local);
1249 DESTROY_IF(remote);
1250 }
1251 }
1252 #endif /*SADB_X_MIGRATE*/
1253
1254 #ifdef SADB_X_NAT_T_NEW_MAPPING
1255 /**
1256 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1257 */
1258 static void process_mapping(private_kernel_pfkey_ipsec_t *this,
1259 struct sadb_msg* msg)
1260 {
1261 pfkey_msg_t response;
1262 u_int32_t spi, reqid;
1263 sockaddr_t *sa;
1264 host_t *host;
1265
1266 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1267
1268 if (parse_pfkey_message(msg, &response) != SUCCESS)
1269 {
1270 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1271 return;
1272 }
1273
1274 if (!response.x_sa2)
1275 {
1276 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required "
1277 "information");
1278 return;
1279 }
1280
1281 spi = response.sa->sadb_sa_spi;
1282 reqid = response.x_sa2->sadb_x_sa2_reqid;
1283
1284 if (satype2proto(msg->sadb_msg_satype) != IPPROTO_ESP)
1285 {
1286 return;
1287 }
1288
1289 sa = (sockaddr_t*)(response.dst + 1);
1290 switch (sa->sa_family)
1291 {
1292 case AF_INET:
1293 {
1294 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1295 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1296 }
1297 case AF_INET6:
1298 {
1299 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1300 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1301 }
1302 default:
1303 break;
1304 }
1305
1306 host = host_create_from_sockaddr(sa);
1307 if (host)
1308 {
1309 hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
1310 spi, host);
1311 }
1312 }
1313 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1314
1315 /**
1316 * Receives events from kernel
1317 */
1318 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1319 {
1320 unsigned char buf[PFKEY_BUFFER_SIZE];
1321 struct sadb_msg *msg = (struct sadb_msg*)buf;
1322 bool oldstate;
1323 int len;
1324
1325 oldstate = thread_cancelability(TRUE);
1326 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1327 thread_cancelability(oldstate);
1328
1329 if (len < 0)
1330 {
1331 switch (errno)
1332 {
1333 case EINTR:
1334 /* interrupted, try again */
1335 return JOB_REQUEUE_DIRECT;
1336 case EAGAIN:
1337 /* no data ready, select again */
1338 return JOB_REQUEUE_DIRECT;
1339 default:
1340 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1341 sleep(1);
1342 return JOB_REQUEUE_FAIR;
1343 }
1344 }
1345
1346 if (len < sizeof(struct sadb_msg) ||
1347 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1348 {
1349 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1350 return JOB_REQUEUE_DIRECT;
1351 }
1352 if (msg->sadb_msg_pid != 0)
1353 { /* not from kernel. not interested, try another one */
1354 return JOB_REQUEUE_DIRECT;
1355 }
1356 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1357 {
1358 DBG1(DBG_KNL, "buffer was too small to receive the complete "
1359 "PF_KEY message");
1360 return JOB_REQUEUE_DIRECT;
1361 }
1362
1363 switch (msg->sadb_msg_type)
1364 {
1365 case SADB_ACQUIRE:
1366 process_acquire(this, msg);
1367 break;
1368 case SADB_EXPIRE:
1369 process_expire(this, msg);
1370 break;
1371 #ifdef SADB_X_MIGRATE
1372 case SADB_X_MIGRATE:
1373 process_migrate(this, msg);
1374 break;
1375 #endif /*SADB_X_MIGRATE*/
1376 #ifdef SADB_X_NAT_T_NEW_MAPPING
1377 case SADB_X_NAT_T_NEW_MAPPING:
1378 process_mapping(this, msg);
1379 break;
1380 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1381 default:
1382 break;
1383 }
1384
1385 return JOB_REQUEUE_DIRECT;
1386 }
1387
1388 METHOD(kernel_ipsec_t, get_spi, status_t,
1389 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1390 u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
1391 {
1392 unsigned char request[PFKEY_BUFFER_SIZE];
1393 struct sadb_msg *msg, *out;
1394 struct sadb_x_sa2 *sa2;
1395 struct sadb_spirange *range;
1396 pfkey_msg_t response;
1397 u_int32_t received_spi = 0;
1398 size_t len;
1399
1400 memset(&request, 0, sizeof(request));
1401
1402 msg = (struct sadb_msg*)request;
1403 msg->sadb_msg_version = PF_KEY_V2;
1404 msg->sadb_msg_type = SADB_GETSPI;
1405 msg->sadb_msg_satype = proto2satype(protocol);
1406 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1407
1408 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1409 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1410 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1411 sa2->sadb_x_sa2_reqid = reqid;
1412 PFKEY_EXT_ADD(msg, sa2);
1413
1414 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
1415 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
1416
1417 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1418 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1419 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1420 range->sadb_spirange_min = 0xc0000000;
1421 range->sadb_spirange_max = 0xcFFFFFFF;
1422 PFKEY_EXT_ADD(msg, range);
1423
1424 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1425 {
1426 if (out->sadb_msg_errno)
1427 {
1428 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1429 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1430 }
1431 else if (parse_pfkey_message(out, &response) == SUCCESS)
1432 {
1433 received_spi = response.sa->sadb_sa_spi;
1434 }
1435 free(out);
1436 }
1437
1438 if (received_spi == 0)
1439 {
1440 return FAILED;
1441 }
1442
1443 *spi = received_spi;
1444 return SUCCESS;
1445 }
1446
1447 METHOD(kernel_ipsec_t, get_cpi, status_t,
1448 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1449 u_int32_t reqid, u_int16_t *cpi)
1450 {
1451 return FAILED;
1452 }
1453
1454 METHOD(kernel_ipsec_t, add_sa, status_t,
1455 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
1456 u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
1457 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
1458 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
1459 u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
1460 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
1461 {
1462 unsigned char request[PFKEY_BUFFER_SIZE];
1463 struct sadb_msg *msg, *out;
1464 struct sadb_sa *sa;
1465 struct sadb_x_sa2 *sa2;
1466 struct sadb_lifetime *lft;
1467 struct sadb_key *key;
1468 size_t len;
1469
1470 memset(&request, 0, sizeof(request));
1471
1472 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
1473 ntohl(spi), reqid);
1474
1475 msg = (struct sadb_msg*)request;
1476 msg->sadb_msg_version = PF_KEY_V2;
1477 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1478 msg->sadb_msg_satype = proto2satype(protocol);
1479 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1480
1481 #ifdef __APPLE__
1482 if (encap)
1483 {
1484 struct sadb_sa_2 *sa_2;
1485 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1486 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1487 sa = &sa_2->sa;
1488 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1489 len = sizeof(struct sadb_sa_2);
1490 }
1491 else
1492 #endif
1493 {
1494 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1495 len = sizeof(struct sadb_sa);
1496 }
1497 sa->sadb_sa_exttype = SADB_EXT_SA;
1498 sa->sadb_sa_len = PFKEY_LEN(len);
1499 sa->sadb_sa_spi = spi;
1500 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1501 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1502 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1503 PFKEY_EXT_ADD(msg, sa);
1504
1505 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1506 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1507 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1508 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1509 sa2->sadb_x_sa2_reqid = reqid;
1510 PFKEY_EXT_ADD(msg, sa2);
1511
1512 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
1513 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
1514
1515 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1516 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1517 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1518 lft->sadb_lifetime_allocations = lifetime->packets.rekey;
1519 lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
1520 lft->sadb_lifetime_addtime = lifetime->time.rekey;
1521 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1522 PFKEY_EXT_ADD(msg, lft);
1523
1524 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1525 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1526 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1527 lft->sadb_lifetime_allocations = lifetime->packets.life;
1528 lft->sadb_lifetime_bytes = lifetime->bytes.life;
1529 lft->sadb_lifetime_addtime = lifetime->time.life;
1530 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1531 PFKEY_EXT_ADD(msg, lft);
1532
1533 if (enc_alg != ENCR_UNDEFINED)
1534 {
1535 if (!sa->sadb_sa_encrypt)
1536 {
1537 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1538 encryption_algorithm_names, enc_alg);
1539 return FAILED;
1540 }
1541 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1542 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1543
1544 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1545 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1546 key->sadb_key_bits = enc_key.len * 8;
1547 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1548 memcpy(key + 1, enc_key.ptr, enc_key.len);
1549
1550 PFKEY_EXT_ADD(msg, key);
1551 }
1552
1553 if (int_alg != AUTH_UNDEFINED)
1554 {
1555 if (!sa->sadb_sa_auth)
1556 {
1557 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1558 integrity_algorithm_names, int_alg);
1559 return FAILED;
1560 }
1561 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1562 integrity_algorithm_names, int_alg, int_key.len * 8);
1563
1564 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1565 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1566 key->sadb_key_bits = int_key.len * 8;
1567 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1568 memcpy(key + 1, int_key.ptr, int_key.len);
1569
1570 PFKEY_EXT_ADD(msg, key);
1571 }
1572
1573 if (ipcomp != IPCOMP_NONE)
1574 {
1575 /*TODO*/
1576 }
1577
1578 #ifdef HAVE_NATT
1579 if (encap)
1580 {
1581 add_encap_ext(msg, src, dst);
1582 }
1583 #endif /*HAVE_NATT*/
1584
1585 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1586 {
1587 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1588 return FAILED;
1589 }
1590 else if (out->sadb_msg_errno)
1591 {
1592 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1593 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1594 free(out);
1595 return FAILED;
1596 }
1597
1598 free(out);
1599 return SUCCESS;
1600 }
1601
1602 METHOD(kernel_ipsec_t, update_sa, status_t,
1603 private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
1604 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1605 bool encap, bool new_encap, mark_t mark)
1606 {
1607 unsigned char request[PFKEY_BUFFER_SIZE];
1608 struct sadb_msg *msg, *out;
1609 struct sadb_sa *sa;
1610 pfkey_msg_t response;
1611 size_t len;
1612
1613 /* we can't update the SA if any of the ip addresses have changed.
1614 * that's because we can't use SADB_UPDATE and by deleting and readding the
1615 * SA the sequence numbers would get lost */
1616 if (!src->ip_equals(src, new_src) ||
1617 !dst->ip_equals(dst, new_dst))
1618 {
1619 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address "
1620 "changes are not supported", ntohl(spi));
1621 return NOT_SUPPORTED;
1622 }
1623
1624 memset(&request, 0, sizeof(request));
1625
1626 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1627
1628 msg = (struct sadb_msg*)request;
1629 msg->sadb_msg_version = PF_KEY_V2;
1630 msg->sadb_msg_type = SADB_GET;
1631 msg->sadb_msg_satype = proto2satype(protocol);
1632 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1633
1634 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1635 sa->sadb_sa_exttype = SADB_EXT_SA;
1636 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1637 sa->sadb_sa_spi = spi;
1638 PFKEY_EXT_ADD(msg, sa);
1639
1640 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1641 * it is not used for anything. */
1642 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1643 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
1644
1645 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1646 {
1647 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1648 return FAILED;
1649 }
1650 else if (out->sadb_msg_errno)
1651 {
1652 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1653 ntohl(spi), strerror(out->sadb_msg_errno),
1654 out->sadb_msg_errno);
1655 free(out);
1656 return FAILED;
1657 }
1658 else if (parse_pfkey_message(out, &response) != SUCCESS)
1659 {
1660 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing "
1661 "response from kernel failed", ntohl(spi));
1662 free(out);
1663 return FAILED;
1664 }
1665
1666 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1667 ntohl(spi), src, dst, new_src, new_dst);
1668
1669 memset(&request, 0, sizeof(request));
1670
1671 msg = (struct sadb_msg*)request;
1672 msg->sadb_msg_version = PF_KEY_V2;
1673 msg->sadb_msg_type = SADB_UPDATE;
1674 msg->sadb_msg_satype = proto2satype(protocol);
1675 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1676
1677 #ifdef __APPLE__
1678 {
1679 struct sadb_sa_2 *sa_2;
1680 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1681 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1682 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1683 if (encap)
1684 {
1685 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1686 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1687 }
1688 }
1689 #else
1690 PFKEY_EXT_COPY(msg, response.sa);
1691 #endif
1692 PFKEY_EXT_COPY(msg, response.x_sa2);
1693
1694 PFKEY_EXT_COPY(msg, response.src);
1695 PFKEY_EXT_COPY(msg, response.dst);
1696
1697 PFKEY_EXT_COPY(msg, response.lft_soft);
1698 PFKEY_EXT_COPY(msg, response.lft_hard);
1699
1700 if (response.key_encr)
1701 {
1702 PFKEY_EXT_COPY(msg, response.key_encr);
1703 }
1704
1705 if (response.key_auth)
1706 {
1707 PFKEY_EXT_COPY(msg, response.key_auth);
1708 }
1709
1710 #ifdef HAVE_NATT
1711 if (new_encap)
1712 {
1713 add_encap_ext(msg, new_src, new_dst);
1714 }
1715 #endif /*HAVE_NATT*/
1716
1717 free(out);
1718
1719 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1720 {
1721 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1722 return FAILED;
1723 }
1724 else if (out->sadb_msg_errno)
1725 {
1726 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1727 ntohl(spi), strerror(out->sadb_msg_errno),
1728 out->sadb_msg_errno);
1729 free(out);
1730 return FAILED;
1731 }
1732 free(out);
1733
1734 return SUCCESS;
1735 }
1736
1737 METHOD(kernel_ipsec_t, query_sa, status_t,
1738 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1739 u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
1740 {
1741 unsigned char request[PFKEY_BUFFER_SIZE];
1742 struct sadb_msg *msg, *out;
1743 struct sadb_sa *sa;
1744 pfkey_msg_t response;
1745 size_t len;
1746
1747 memset(&request, 0, sizeof(request));
1748
1749 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1750
1751 msg = (struct sadb_msg*)request;
1752 msg->sadb_msg_version = PF_KEY_V2;
1753 msg->sadb_msg_type = SADB_GET;
1754 msg->sadb_msg_satype = proto2satype(protocol);
1755 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1756
1757 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1758 sa->sadb_sa_exttype = SADB_EXT_SA;
1759 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1760 sa->sadb_sa_spi = spi;
1761 PFKEY_EXT_ADD(msg, sa);
1762
1763 /* the Linux Kernel doesn't care for the src address, but other systems do
1764 * (e.g. FreeBSD)
1765 */
1766 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
1767 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
1768
1769 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1770 {
1771 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1772 return FAILED;
1773 }
1774 else if (out->sadb_msg_errno)
1775 {
1776 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1777 ntohl(spi), strerror(out->sadb_msg_errno),
1778 out->sadb_msg_errno);
1779 free(out);
1780 return FAILED;
1781 }
1782 else if (parse_pfkey_message(out, &response) != SUCCESS)
1783 {
1784 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1785 free(out);
1786 return FAILED;
1787 }
1788 *bytes = response.lft_current->sadb_lifetime_bytes;
1789
1790 free(out);
1791 return SUCCESS;
1792 }
1793
1794 METHOD(kernel_ipsec_t, del_sa, status_t,
1795 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1796 u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
1797 {
1798 unsigned char request[PFKEY_BUFFER_SIZE];
1799 struct sadb_msg *msg, *out;
1800 struct sadb_sa *sa;
1801 size_t len;
1802
1803 memset(&request, 0, sizeof(request));
1804
1805 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1806
1807 msg = (struct sadb_msg*)request;
1808 msg->sadb_msg_version = PF_KEY_V2;
1809 msg->sadb_msg_type = SADB_DELETE;
1810 msg->sadb_msg_satype = proto2satype(protocol);
1811 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1812
1813 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1814 sa->sadb_sa_exttype = SADB_EXT_SA;
1815 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1816 sa->sadb_sa_spi = spi;
1817 PFKEY_EXT_ADD(msg, sa);
1818
1819 /* the Linux Kernel doesn't care for the src address, but other systems do
1820 * (e.g. FreeBSD)
1821 */
1822 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
1823 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
1824
1825 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1826 {
1827 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1828 return FAILED;
1829 }
1830 else if (out->sadb_msg_errno)
1831 {
1832 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1833 ntohl(spi), strerror(out->sadb_msg_errno),
1834 out->sadb_msg_errno);
1835 free(out);
1836 return FAILED;
1837 }
1838
1839 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1840 free(out);
1841 return SUCCESS;
1842 }
1843
1844 METHOD(kernel_ipsec_t, flush_sas, status_t,
1845 private_kernel_pfkey_ipsec_t *this)
1846 {
1847 unsigned char request[PFKEY_BUFFER_SIZE];
1848 struct sadb_msg *msg, *out;
1849 size_t len;
1850
1851 memset(&request, 0, sizeof(request));
1852
1853 DBG2(DBG_KNL, "flushing all SAD entries");
1854
1855 msg = (struct sadb_msg*)request;
1856 msg->sadb_msg_version = PF_KEY_V2;
1857 msg->sadb_msg_type = SADB_FLUSH;
1858 msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
1859 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1860
1861 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1862 {
1863 DBG1(DBG_KNL, "unable to flush SAD entries");
1864 return FAILED;
1865 }
1866 else if (out->sadb_msg_errno)
1867 {
1868 DBG1(DBG_KNL, "unable to flush SAD entries: %s (%d)",
1869 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1870 free(out);
1871 return FAILED;
1872 }
1873 free(out);
1874 return SUCCESS;
1875 }
1876
1877 /**
1878 * Add or update a policy in the kernel.
1879 *
1880 * Note: The mutex has to be locked when entering this function.
1881 */
1882 static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
1883 policy_entry_t *policy, policy_sa_t *mapping, bool update)
1884 {
1885 unsigned char request[PFKEY_BUFFER_SIZE];
1886 struct sadb_msg *msg, *out;
1887 struct sadb_x_policy *pol;
1888 struct sadb_x_ipsecrequest *req;
1889 ipsec_sa_t *ipsec = mapping->sa;
1890 pfkey_msg_t response;
1891 size_t len;
1892
1893 memset(&request, 0, sizeof(request));
1894
1895 msg = (struct sadb_msg*)request;
1896 msg->sadb_msg_version = PF_KEY_V2;
1897 msg->sadb_msg_type = update ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1898 msg->sadb_msg_satype = 0;
1899 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1900
1901 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1902 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1903 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1904 pol->sadb_x_policy_id = 0;
1905 pol->sadb_x_policy_dir = dir2kernel(policy->direction);
1906 pol->sadb_x_policy_type = type2kernel(mapping->type);
1907 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1908 pol->sadb_x_policy_priority = mapping->priority;
1909 #endif
1910
1911 /* one or more sadb_x_ipsecrequest extensions are added to the
1912 * sadb_x_policy extension */
1913 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1914 req->sadb_x_ipsecrequest_proto = ipsec->cfg.esp.use ? IPPROTO_ESP
1915 : IPPROTO_AH;
1916 /* !!! the length here MUST be in octets instead of 64 bit words */
1917 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1918 req->sadb_x_ipsecrequest_mode = mode2kernel(ipsec->cfg.mode);
1919 req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid;
1920 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1921 if (ipsec->cfg.mode == MODE_TUNNEL)
1922 {
1923 len = hostcpy(req + 1, ipsec->src, FALSE);
1924 req->sadb_x_ipsecrequest_len += len;
1925 len = hostcpy((char*)(req + 1) + len, ipsec->dst, FALSE);
1926 req->sadb_x_ipsecrequest_len += len;
1927 }
1928
1929 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1930 PFKEY_EXT_ADD(msg, pol);
1931
1932 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1933 policy->src.mask, TRUE);
1934 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1935 policy->dst.mask, TRUE);
1936
1937 #ifdef __FreeBSD__
1938 { /* on FreeBSD a lifetime has to be defined to be able to later query
1939 * the current use time. */
1940 struct sadb_lifetime *lft;
1941 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1942 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1943 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1944 lft->sadb_lifetime_addtime = LONG_MAX;
1945 PFKEY_EXT_ADD(msg, lft);
1946 }
1947 #endif
1948
1949 this->mutex->unlock(this->mutex);
1950
1951 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1952 {
1953 return FAILED;
1954 }
1955 else if (out->sadb_msg_errno)
1956 {
1957 DBG1(DBG_KNL, "unable to %s policy: %s (%d)",
1958 update ? "update" : "add", strerror(out->sadb_msg_errno),
1959 out->sadb_msg_errno);
1960 free(out);
1961 return FAILED;
1962 }
1963 else if (parse_pfkey_message(out, &response) != SUCCESS)
1964 {
1965 DBG1(DBG_KNL, "unable to %s policy: parsing response from kernel "
1966 "failed", update ? "update" : "add");
1967 free(out);
1968 return FAILED;
1969 }
1970
1971 /* we try to find the policy again and update the kernel index */
1972 this->mutex->lock(this->mutex);
1973 if (this->policies->find_last(this->policies, NULL,
1974 (void**)&policy) != SUCCESS)
1975 {
1976 DBG2(DBG_KNL, "unable to update index, the policy is already gone, "
1977 "ignoring");
1978 this->mutex->unlock(this->mutex);
1979 free(out);
1980 return SUCCESS;
1981 }
1982 policy->index = response.x_policy->sadb_x_policy_id;
1983 free(out);
1984
1985 /* install a route, if:
1986 * - this is a forward policy (to just get one for each child)
1987 * - we are in tunnel mode
1988 * - routing is not disabled via strongswan.conf
1989 */
1990 if (policy->direction == POLICY_FWD &&
1991 ipsec->cfg.mode != MODE_TRANSPORT && this->install_routes)
1992 {
1993 route_entry_t *route = malloc_thing(route_entry_t);
1994 policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping;
1995
1996 if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
1997 fwd->dst_ts, &route->src_ip) == SUCCESS)
1998 {
1999 /* get the nexthop to src (src as we are in POLICY_FWD).*/
2000 route->gateway = hydra->kernel_interface->get_nexthop(
2001 hydra->kernel_interface, ipsec->src);
2002 /* install route via outgoing interface */
2003 route->if_name = hydra->kernel_interface->get_interface(
2004 hydra->kernel_interface, ipsec->dst);
2005 route->dst_net = chunk_clone(policy->src.net->get_address(
2006 policy->src.net));
2007 route->prefixlen = policy->src.mask;
2008
2009 if (!route->if_name)
2010 {
2011 this->mutex->unlock(this->mutex);
2012 route_entry_destroy(route);
2013 return SUCCESS;
2014 }
2015
2016 if (policy->route)
2017 {
2018 route_entry_t *old = policy->route;
2019 if (route_entry_equals(old, route))
2020 {
2021 this->mutex->unlock(this->mutex);
2022 route_entry_destroy(route);
2023 return SUCCESS;
2024 }
2025 /* uninstall previously installed route */
2026 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2027 old->dst_net, old->prefixlen, old->gateway,
2028 old->src_ip, old->if_name) != SUCCESS)
2029 {
2030 DBG1(DBG_KNL, "error uninstalling route installed with "
2031 "policy %R === %R %N", fwd->src_ts,
2032 fwd->dst_ts, policy_dir_names,
2033 policy->direction);
2034 }
2035 route_entry_destroy(old);
2036 policy->route = NULL;
2037 }
2038
2039 DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
2040 fwd->src_ts, route->gateway, route->src_ip, route->if_name);
2041 switch (hydra->kernel_interface->add_route(
2042 hydra->kernel_interface, route->dst_net,
2043 route->prefixlen, route->gateway,
2044 route->src_ip, route->if_name))
2045 {
2046 default:
2047 DBG1(DBG_KNL, "unable to install source route for %H",
2048 route->src_ip);
2049 /* FALL */
2050 case ALREADY_DONE:
2051 /* route exists, do not uninstall */
2052 route_entry_destroy(route);
2053 break;
2054 case SUCCESS:
2055 /* cache the installed route */
2056 policy->route = route;
2057 break;
2058 }
2059 }
2060 else
2061 {
2062 free(route);
2063 }
2064 }
2065 this->mutex->unlock(this->mutex);
2066 return SUCCESS;
2067 }
2068
2069 METHOD(kernel_ipsec_t, add_policy, status_t,
2070 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
2071 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
2072 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
2073 mark_t mark, policy_priority_t priority)
2074 {
2075 policy_entry_t *policy, *found = NULL;
2076 policy_sa_t *assigned_sa, *current_sa;
2077 enumerator_t *enumerator;
2078 bool update = TRUE;
2079
2080 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2081 { /* FWD policies are not supported on all platforms */
2082 return SUCCESS;
2083 }
2084
2085 /* create a policy */
2086 policy = create_policy_entry(src_ts, dst_ts, direction);
2087
2088 /* find a matching policy */
2089 this->mutex->lock(this->mutex);
2090 if (this->policies->find_first(this->policies,
2091 (linked_list_match_t)policy_entry_equals,
2092 (void**)&found, policy) == SUCCESS)
2093 { /* use existing policy */
2094 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
2095 "refcount", src_ts, dst_ts, policy_dir_names, direction);
2096 policy_entry_destroy(policy, this);
2097 policy = found;
2098 }
2099 else
2100 { /* use the new one, if we have no such policy */
2101 this->policies->insert_last(this->policies, policy);
2102 policy->used_by = linked_list_create();
2103 }
2104
2105 /* cache the assigned IPsec SA */
2106 assigned_sa = policy_sa_create(this, direction, type, src, dst, src_ts,
2107 dst_ts, sa);
2108 assigned_sa->priority = get_priority(policy, priority);
2109
2110 /* insert the SA according to its priority */
2111 enumerator = policy->used_by->create_enumerator(policy->used_by);
2112 while (enumerator->enumerate(enumerator, (void**)&current_sa))
2113 {
2114 if (current_sa->priority >= assigned_sa->priority)
2115 {
2116 break;
2117 }
2118 update = FALSE;
2119 }
2120 policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa);
2121 enumerator->destroy(enumerator);
2122
2123 if (!update)
2124 { /* we don't update the policy if the priority is lower than that of the
2125 * currently installed one */
2126 this->mutex->unlock(this->mutex);
2127 return SUCCESS;
2128 }
2129
2130 DBG2(DBG_KNL, "%s policy %R === %R %N",
2131 found ? "updating" : "adding", src_ts, dst_ts,
2132 policy_dir_names, direction);
2133
2134 if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS)
2135 {
2136 DBG1(DBG_KNL, "unable to %s policy %R === %R %N",
2137 found ? "update" : "add", src_ts, dst_ts,
2138 policy_dir_names, direction);
2139 return FAILED;
2140 }
2141 return SUCCESS;
2142 }
2143
2144 METHOD(kernel_ipsec_t, query_policy, status_t,
2145 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
2146 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
2147 u_int32_t *use_time)
2148 {
2149 unsigned char request[PFKEY_BUFFER_SIZE];
2150 struct sadb_msg *msg, *out;
2151 struct sadb_x_policy *pol;
2152 policy_entry_t *policy, *found = NULL;
2153 pfkey_msg_t response;
2154 size_t len;
2155
2156 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2157 { /* FWD policies are not supported on all platforms */
2158 return NOT_FOUND;
2159 }
2160
2161 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
2162 policy_dir_names, direction);
2163
2164 /* create a policy */
2165 policy = create_policy_entry(src_ts, dst_ts, direction);
2166
2167 /* find a matching policy */
2168 this->mutex->lock(this->mutex);
2169 if (this->policies->find_first(this->policies,
2170 (linked_list_match_t)policy_entry_equals,
2171 (void**)&found, policy) != SUCCESS)
2172 {
2173 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
2174 dst_ts, policy_dir_names, direction);
2175 policy_entry_destroy(policy, this);
2176 this->mutex->unlock(this->mutex);
2177 return NOT_FOUND;
2178 }
2179 policy_entry_destroy(policy, this);
2180 policy = found;
2181
2182 memset(&request, 0, sizeof(request));
2183
2184 msg = (struct sadb_msg*)request;
2185 msg->sadb_msg_version = PF_KEY_V2;
2186 msg->sadb_msg_type = SADB_X_SPDGET;
2187 msg->sadb_msg_satype = 0;
2188 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2189
2190 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2191 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2192 pol->sadb_x_policy_id = policy->index;
2193 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2194 pol->sadb_x_policy_dir = dir2kernel(direction);
2195 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2196 PFKEY_EXT_ADD(msg, pol);
2197
2198 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2199 policy->src.mask, TRUE);
2200 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2201 policy->dst.mask, TRUE);
2202
2203 this->mutex->unlock(this->mutex);
2204
2205 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2206 {
2207 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
2208 policy_dir_names, direction);
2209 return FAILED;
2210 }
2211 else if (out->sadb_msg_errno)
2212 {
2213 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
2214 dst_ts, policy_dir_names, direction,
2215 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2216 free(out);
2217 return FAILED;
2218 }
2219 else if (parse_pfkey_message(out, &response) != SUCCESS)
2220 {
2221 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
2222 "from kernel failed", src_ts, dst_ts, policy_dir_names,
2223 direction);
2224 free(out);
2225 return FAILED;
2226 }
2227 else if (response.lft_current == NULL)
2228 {
2229 DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
2230 "use time", src_ts, dst_ts, policy_dir_names, direction);
2231 free(out);
2232 return FAILED;
2233 }
2234
2235 /* we need the monotonic time, but the kernel returns system time. */
2236 if (response.lft_current->sadb_lifetime_usetime)
2237 {
2238 *use_time = time_monotonic(NULL) -
2239 (time(NULL) - response.lft_current->sadb_lifetime_usetime);
2240 }
2241 else
2242 {
2243 *use_time = 0;
2244 }
2245 free(out);
2246 return SUCCESS;
2247 }
2248
2249 METHOD(kernel_ipsec_t, del_policy, status_t,
2250 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
2251 traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
2252 mark_t mark, policy_priority_t prio)
2253 {
2254 unsigned char request[PFKEY_BUFFER_SIZE];
2255 struct sadb_msg *msg, *out;
2256 struct sadb_x_policy *pol;
2257 policy_entry_t *policy, *found = NULL;
2258 policy_sa_t *mapping;
2259 enumerator_t *enumerator;
2260 bool is_installed = TRUE;
2261 u_int32_t priority;
2262 size_t len;
2263
2264 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2265 { /* FWD policies are not supported on all platforms */
2266 return SUCCESS;
2267 }
2268
2269 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
2270 policy_dir_names, direction);
2271
2272 /* create a policy */
2273 policy = create_policy_entry(src_ts, dst_ts, direction);
2274
2275 /* find a matching policy */
2276 this->mutex->lock(this->mutex);
2277 if (this->policies->find_first(this->policies,
2278 (linked_list_match_t)policy_entry_equals,
2279 (void**)&found, policy) != SUCCESS)
2280 {
2281 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
2282 dst_ts, policy_dir_names, direction);
2283 policy_entry_destroy(policy, this);
2284 this->mutex->unlock(this->mutex);
2285 return NOT_FOUND;
2286 }
2287 policy_entry_destroy(policy, this);
2288 policy = found;
2289
2290 /* remove mapping to SA by reqid and priority */
2291 priority = get_priority(policy, prio);
2292 enumerator = policy->used_by->create_enumerator(policy->used_by);
2293 while (enumerator->enumerate(enumerator, (void**)&mapping))
2294 {
2295 if (reqid == mapping->sa->cfg.reqid && priority == mapping->priority)
2296 {
2297 policy->used_by->remove_at(policy->used_by, enumerator);
2298 break;
2299 }
2300 is_installed = FALSE;
2301 }
2302 enumerator->destroy(enumerator);
2303
2304 if (policy->used_by->get_count(policy->used_by) > 0)
2305 { /* policy is used by more SAs, keep in kernel */
2306 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2307 policy_sa_destroy(mapping, &direction, this);
2308
2309 if (!is_installed)
2310 { /* no need to update as the policy was not installed for this SA */
2311 this->mutex->unlock(this->mutex);
2312 return SUCCESS;
2313 }
2314
2315 DBG2(DBG_KNL, "updating policy %R === %R %N", src_ts, dst_ts,
2316 policy_dir_names, direction);
2317 policy->used_by->get_first(policy->used_by, (void**)&mapping);
2318 if (add_policy_internal(this, policy, mapping, TRUE) != SUCCESS)
2319 {
2320 DBG1(DBG_KNL, "unable to update policy %R === %R %N",
2321 src_ts, dst_ts, policy_dir_names, direction);
2322 return FAILED;
2323 }
2324 return SUCCESS;
2325 }
2326
2327 memset(&request, 0, sizeof(request));
2328
2329 msg = (struct sadb_msg*)request;
2330 msg->sadb_msg_version = PF_KEY_V2;
2331 msg->sadb_msg_type = SADB_X_SPDDELETE;
2332 msg->sadb_msg_satype = 0;
2333 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2334
2335 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2336 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2337 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2338 pol->sadb_x_policy_dir = dir2kernel(direction);
2339 pol->sadb_x_policy_type = type2kernel(mapping->type);
2340 PFKEY_EXT_ADD(msg, pol);
2341
2342 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2343 policy->src.mask, TRUE);
2344 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2345 policy->dst.mask, TRUE);
2346
2347 if (policy->route)
2348 {
2349 route_entry_t *route = policy->route;
2350 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2351 route->dst_net, route->prefixlen, route->gateway,
2352 route->src_ip, route->if_name) != SUCCESS)
2353 {
2354 DBG1(DBG_KNL, "error uninstalling route installed with "
2355 "policy %R === %R %N", src_ts, dst_ts,
2356 policy_dir_names, direction);
2357 }
2358 }
2359
2360 this->policies->remove(this->policies, found, NULL);
2361 policy_sa_destroy(mapping, &direction, this);
2362 policy_entry_destroy(policy, this);
2363 this->mutex->unlock(this->mutex);
2364
2365 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2366 {
2367 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2368 policy_dir_names, direction);
2369 return FAILED;
2370 }
2371 else if (out->sadb_msg_errno)
2372 {
2373 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
2374 dst_ts, policy_dir_names, direction,
2375 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2376 free(out);
2377 return FAILED;
2378 }
2379 free(out);
2380 return SUCCESS;
2381 }
2382
2383 METHOD(kernel_ipsec_t, flush_policies, status_t,
2384 private_kernel_pfkey_ipsec_t *this)
2385 {
2386 unsigned char request[PFKEY_BUFFER_SIZE];
2387 struct sadb_msg *msg, *out;
2388 size_t len;
2389
2390 memset(&request, 0, sizeof(request));
2391
2392 DBG2(DBG_KNL, "flushing all policies from SPD");
2393
2394 msg = (struct sadb_msg*)request;
2395 msg->sadb_msg_version = PF_KEY_V2;
2396 msg->sadb_msg_type = SADB_X_SPDFLUSH;
2397 msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
2398 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2399
2400 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2401 {
2402 DBG1(DBG_KNL, "unable to flush SPD entries");
2403 return FAILED;
2404 }
2405 else if (out->sadb_msg_errno)
2406 {
2407 DBG1(DBG_KNL, "unable to flush SPD entries: %s (%d)",
2408 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2409 free(out);
2410 return FAILED;
2411 }
2412 free(out);
2413 return SUCCESS;
2414 }
2415
2416 /**
2417 * Register a socket for ACQUIRE/EXPIRE messages
2418 */
2419 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
2420 u_int8_t satype)
2421 {
2422 unsigned char request[PFKEY_BUFFER_SIZE];
2423 struct sadb_msg *msg, *out;
2424 size_t len;
2425
2426 memset(&request, 0, sizeof(request));
2427
2428 msg = (struct sadb_msg*)request;
2429 msg->sadb_msg_version = PF_KEY_V2;
2430 msg->sadb_msg_type = SADB_REGISTER;
2431 msg->sadb_msg_satype = satype;
2432 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2433
2434 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2435 {
2436 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2437 return FAILED;
2438 }
2439 else if (out->sadb_msg_errno)
2440 {
2441 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2442 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2443 free(out);
2444 return FAILED;
2445 }
2446 free(out);
2447 return SUCCESS;
2448 }
2449
2450 METHOD(kernel_ipsec_t, bypass_socket, bool,
2451 private_kernel_pfkey_ipsec_t *this, int fd, int family)
2452 {
2453 struct sadb_x_policy policy;
2454 u_int sol, ipsec_policy;
2455
2456 switch (family)
2457 {
2458 case AF_INET:
2459 {
2460 sol = SOL_IP;
2461 ipsec_policy = IP_IPSEC_POLICY;
2462 break;
2463 }
2464 case AF_INET6:
2465 {
2466 sol = SOL_IPV6;
2467 ipsec_policy = IPV6_IPSEC_POLICY;
2468 break;
2469 }
2470 default:
2471 return FALSE;
2472 }
2473
2474 memset(&policy, 0, sizeof(policy));
2475 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
2476 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2477 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
2478
2479 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
2480 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2481 {
2482 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2483 strerror(errno));
2484 return FALSE;
2485 }
2486 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
2487 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2488 {
2489 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2490 strerror(errno));
2491 return FALSE;
2492 }
2493 return TRUE;
2494 }
2495
2496 METHOD(kernel_ipsec_t, destroy, void,
2497 private_kernel_pfkey_ipsec_t *this)
2498 {
2499 if (this->job)
2500 {
2501 this->job->cancel(this->job);
2502 }
2503 if (this->socket > 0)
2504 {
2505 close(this->socket);
2506 }
2507 if (this->socket_events > 0)
2508 {
2509 close(this->socket_events);
2510 }
2511 this->policies->invoke_function(this->policies,
2512 (linked_list_invoke_t)policy_entry_destroy,
2513 this);
2514 this->policies->destroy(this->policies);
2515 this->sas->destroy(this->sas);
2516 this->mutex->destroy(this->mutex);
2517 this->mutex_pfkey->destroy(this->mutex_pfkey);
2518 free(this);
2519 }
2520
2521 /*
2522 * Described in header.
2523 */
2524 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
2525 {
2526 private_kernel_pfkey_ipsec_t *this;
2527 bool register_for_events = TRUE;
2528
2529 INIT(this,
2530 .public = {
2531 .interface = {
2532 .get_spi = _get_spi,
2533 .get_cpi = _get_cpi,
2534 .add_sa = _add_sa,
2535 .update_sa = _update_sa,
2536 .query_sa = _query_sa,
2537 .del_sa = _del_sa,
2538 .flush_sas = _flush_sas,
2539 .add_policy = _add_policy,
2540 .query_policy = _query_policy,
2541 .del_policy = _del_policy,
2542 .flush_policies = _flush_policies,
2543 .bypass_socket = _bypass_socket,
2544 .destroy = _destroy,
2545 },
2546 },
2547 .policies = linked_list_create(),
2548 .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
2549 (hashtable_equals_t)ipsec_sa_equals, 32),
2550 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2551 .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
2552 .install_routes = lib->settings->get_bool(lib->settings,
2553 "%s.install_routes", TRUE,
2554 hydra->daemon),
2555 );
2556
2557 if (streq(hydra->daemon, "pluto"))
2558 { /* no routes for pluto, they are installed via updown script */
2559 this->install_routes = FALSE;
2560 }
2561 else if (streq(hydra->daemon, "starter"))
2562 { /* starter has no threads, so we do not register for kernel events */
2563 register_for_events = FALSE;
2564 }
2565
2566 /* create a PF_KEY socket to communicate with the kernel */
2567 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2568 if (this->socket <= 0)
2569 {
2570 DBG1(DBG_KNL, "unable to create PF_KEY socket");
2571 destroy(this);
2572 return NULL;
2573 }
2574
2575 if (register_for_events)
2576 {
2577 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2578 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2579 if (this->socket_events <= 0)
2580 {
2581 DBG1(DBG_KNL, "unable to create PF_KEY event socket");
2582 destroy(this);
2583 return NULL;
2584 }
2585
2586 /* register the event socket */
2587 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2588 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2589 {
2590 DBG1(DBG_KNL, "unable to register PF_KEY event socket");
2591 destroy(this);
2592 return NULL;
2593 }
2594
2595 this->job = callback_job_create_with_prio((callback_job_cb_t)receive_events,
2596 this, NULL, NULL, JOB_PRIO_CRITICAL);
2597 lib->processor->queue_job(lib->processor, (job_t*)this->job);
2598 }
2599
2600 return &this->public;
2601 }
2602