a2fccd1d3f5879a8d19b00f9222371ee17accde6
[strongswan.git] / src / libhydra / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2015 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16 /*
17 * Copyright (C) 2014 Nanoteq Pty Ltd
18 *
19 * Permission is hereby granted, free of charge, to any person obtaining a copy
20 * of this software and associated documentation files (the "Software"), to deal
21 * in the Software without restriction, including without limitation the rights
22 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
23 * copies of the Software, and to permit persons to whom the Software is
24 * furnished to do so, subject to the following conditions:
25 *
26 * The above copyright notice and this permission notice shall be included in
27 * all copies or substantial portions of the Software.
28 *
29 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
30 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
31 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
32 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
33 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
34 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
35 * THE SOFTWARE.
36 */
37
38 #include <stdint.h>
39 #include <sys/types.h>
40 #include <sys/socket.h>
41
42 #ifdef __FreeBSD__
43 #include <limits.h> /* for LONG_MAX */
44 #endif
45
46 #ifdef HAVE_NET_PFKEYV2_H
47 #include <net/pfkeyv2.h>
48 #else
49 #include <linux/pfkeyv2.h>
50 #endif
51
52 #ifdef SADB_X_EXT_NAT_T_TYPE
53 #define HAVE_NATT
54 #endif
55
56 #ifdef HAVE_NETIPSEC_IPSEC_H
57 #include <netipsec/ipsec.h>
58 #elif defined(HAVE_NETINET6_IPSEC_H)
59 #include <netinet6/ipsec.h>
60 #else
61 #include <linux/ipsec.h>
62 #endif
63
64 #ifdef HAVE_NATT
65 #ifdef HAVE_LINUX_UDP_H
66 #include <linux/udp.h>
67 #else
68 #include <netinet/udp.h>
69 #endif /*HAVE_LINUX_UDP_H*/
70 #endif /*HAVE_NATT*/
71
72 #include <unistd.h>
73 #include <time.h>
74 #include <errno.h>
75 #ifdef __APPLE__
76 #include <sys/sysctl.h>
77 #endif
78
79 #include "kernel_pfkey_ipsec.h"
80
81 #include <hydra.h>
82 #include <utils/debug.h>
83 #include <networking/host.h>
84 #include <collections/linked_list.h>
85 #include <collections/hashtable.h>
86 #include <threading/mutex.h>
87
88 /** non linux specific */
89 #ifndef IPPROTO_COMP
90 #ifdef IPPROTO_IPCOMP
91 #define IPPROTO_COMP IPPROTO_IPCOMP
92 #endif
93 #endif
94
95 #ifndef SADB_X_AALG_SHA2_256HMAC
96 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
97 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
98 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
99 #endif
100
101 #ifndef SADB_X_EALG_AESCBC
102 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
103 #endif
104
105 #ifndef SADB_X_EALG_CASTCBC
106 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
107 #endif
108
109 #if !defined(SADB_X_EALG_AES_GCM_ICV8) && defined(SADB_X_EALG_AESGCM8)
110 #define SADB_X_EALG_AES_GCM_ICV8 SADB_X_EALG_AESGCM8
111 #define SADB_X_EALG_AES_GCM_ICV12 SADB_X_EALG_AESGCM12
112 #define SADB_X_EALG_AES_GCM_ICV16 SADB_X_EALG_AESGCM16
113 #endif
114
115 #ifndef SOL_IP
116 #define SOL_IP IPPROTO_IP
117 #define SOL_IPV6 IPPROTO_IPV6
118 #endif
119
120 /** from linux/in.h */
121 #ifndef IP_IPSEC_POLICY
122 #define IP_IPSEC_POLICY 16
123 #endif
124
125 /** missing on uclibc */
126 #ifndef IPV6_IPSEC_POLICY
127 #define IPV6_IPSEC_POLICY 34
128 #endif
129
130 /* from linux/udp.h */
131 #ifndef UDP_ENCAP
132 #define UDP_ENCAP 100
133 #endif
134
135 #ifndef UDP_ENCAP_ESPINUDP
136 #define UDP_ENCAP_ESPINUDP 2
137 #endif
138
139 /* this is not defined on some platforms */
140 #ifndef SOL_UDP
141 #define SOL_UDP IPPROTO_UDP
142 #endif
143
144 /** base priority for installed policies */
145 #define PRIO_BASE 384
146
147 #ifdef __APPLE__
148 /** from xnu/bsd/net/pfkeyv2.h */
149 #define SADB_X_EXT_NATT 0x002
150 struct sadb_sa_2 {
151 struct sadb_sa sa;
152 u_int16_t sadb_sa_natt_port;
153 u_int16_t sadb_reserved0;
154 u_int32_t sadb_reserved1;
155 };
156 #endif
157
158 /** buffer size for PF_KEY messages */
159 #define PFKEY_BUFFER_SIZE 4096
160
161 /** PF_KEY messages are 64 bit aligned */
162 #define PFKEY_ALIGNMENT 8
163 /** aligns len to 64 bits */
164 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
165 /** calculates the properly padded length in 64 bit chunks */
166 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
167 /** calculates user mode length i.e. in bytes */
168 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
169
170 /** given a PF_KEY message header and an extension this updates the length in the header */
171 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
172 /** given a PF_KEY message header this returns a pointer to the next extension */
173 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
174 /** copy an extension and append it to a PF_KEY message */
175 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
176 /** given a PF_KEY extension this returns a pointer to the next extension */
177 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
178 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
179 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
180 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
181 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
182 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
183 (ext)->sadb_ext_len <= (len))
184
185 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
186
187 /**
188 * Private variables and functions of kernel_pfkey class.
189 */
190 struct private_kernel_pfkey_ipsec_t
191 {
192 /**
193 * Public part of the kernel_pfkey_t object.
194 */
195 kernel_pfkey_ipsec_t public;
196
197 /**
198 * mutex to lock access to various lists
199 */
200 mutex_t *mutex;
201
202 /**
203 * List of installed policies (policy_entry_t)
204 */
205 linked_list_t *policies;
206
207 /**
208 * List of exclude routes (exclude_route_t)
209 */
210 linked_list_t *excludes;
211
212 /**
213 * Hash table of IPsec SAs using policies (ipsec_sa_t)
214 */
215 hashtable_t *sas;
216
217 /**
218 * whether to install routes along policies
219 */
220 bool install_routes;
221
222 /**
223 * mutex to lock access to the PF_KEY socket
224 */
225 mutex_t *mutex_pfkey;
226
227 /**
228 * PF_KEY socket to communicate with the kernel
229 */
230 int socket;
231
232 /**
233 * PF_KEY socket to receive acquire and expire events
234 */
235 int socket_events;
236
237 /**
238 * sequence number for messages sent to the kernel
239 */
240 int seq;
241 };
242
243 typedef struct exclude_route_t exclude_route_t;
244
245 /**
246 * Exclude route definition
247 */
248 struct exclude_route_t {
249 /** destination address of exclude */
250 host_t *dst;
251 /** source address for route */
252 host_t *src;
253 /** nexthop exclude has been installed */
254 host_t *gtw;
255 /** references to this route */
256 int refs;
257 };
258
259 /**
260 * clean up a route exclude entry
261 */
262 static void exclude_route_destroy(exclude_route_t *this)
263 {
264 this->dst->destroy(this->dst);
265 this->src->destroy(this->src);
266 this->gtw->destroy(this->gtw);
267 free(this);
268 }
269
270 typedef struct route_entry_t route_entry_t;
271
272 /**
273 * installed routing entry
274 */
275 struct route_entry_t {
276 /** name of the interface the route is bound to */
277 char *if_name;
278
279 /** source ip of the route */
280 host_t *src_ip;
281
282 /** gateway for this route */
283 host_t *gateway;
284
285 /** destination net */
286 chunk_t dst_net;
287
288 /** destination net prefixlen */
289 u_int8_t prefixlen;
290
291 /** reference to exclude route, if any */
292 exclude_route_t *exclude;
293 };
294
295 /**
296 * destroy an route_entry_t object
297 */
298 static void route_entry_destroy(route_entry_t *this)
299 {
300 free(this->if_name);
301 DESTROY_IF(this->src_ip);
302 DESTROY_IF(this->gateway);
303 chunk_free(&this->dst_net);
304 free(this);
305 }
306
307 /**
308 * compare two route_entry_t objects
309 */
310 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
311 {
312 return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
313 a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
314 a->gateway && b->gateway &&
315 a->gateway->ip_equals(a->gateway, b->gateway) &&
316 chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
317 }
318
319 typedef struct ipsec_sa_t ipsec_sa_t;
320
321 /**
322 * IPsec SA assigned to a policy.
323 */
324 struct ipsec_sa_t {
325 /** Source address of this SA */
326 host_t *src;
327
328 /** Destination address of this SA */
329 host_t *dst;
330
331 /** Description of this SA */
332 ipsec_sa_cfg_t cfg;
333
334 /** Reference count for this SA */
335 refcount_t refcount;
336 };
337
338 /**
339 * Hash function for ipsec_sa_t objects
340 */
341 static u_int ipsec_sa_hash(ipsec_sa_t *sa)
342 {
343 return chunk_hash_inc(sa->src->get_address(sa->src),
344 chunk_hash_inc(sa->dst->get_address(sa->dst),
345 chunk_hash(chunk_from_thing(sa->cfg))));
346 }
347
348 /**
349 * Equality function for ipsec_sa_t objects
350 */
351 static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
352 {
353 return sa->src->ip_equals(sa->src, other_sa->src) &&
354 sa->dst->ip_equals(sa->dst, other_sa->dst) &&
355 memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t));
356 }
357
358 /**
359 * Allocate or reference an IPsec SA object
360 */
361 static ipsec_sa_t *ipsec_sa_create(private_kernel_pfkey_ipsec_t *this,
362 host_t *src, host_t *dst,
363 ipsec_sa_cfg_t *cfg)
364 {
365 ipsec_sa_t *sa, *found;
366 INIT(sa,
367 .src = src,
368 .dst = dst,
369 .cfg = *cfg,
370 );
371 found = this->sas->get(this->sas, sa);
372 if (!found)
373 {
374 sa->src = src->clone(src);
375 sa->dst = dst->clone(dst);
376 this->sas->put(this->sas, sa, sa);
377 }
378 else
379 {
380 free(sa);
381 sa = found;
382 }
383 ref_get(&sa->refcount);
384 return sa;
385 }
386
387 /**
388 * Release and destroy an IPsec SA object
389 */
390 static void ipsec_sa_destroy(private_kernel_pfkey_ipsec_t *this,
391 ipsec_sa_t *sa)
392 {
393 if (ref_put(&sa->refcount))
394 {
395 this->sas->remove(this->sas, sa);
396 DESTROY_IF(sa->src);
397 DESTROY_IF(sa->dst);
398 free(sa);
399 }
400 }
401
402 typedef struct policy_sa_t policy_sa_t;
403 typedef struct policy_sa_in_t policy_sa_in_t;
404
405 /**
406 * Mapping between a policy and an IPsec SA.
407 */
408 struct policy_sa_t {
409 /** Priority assigned to the policy when installed with this SA */
410 u_int32_t priority;
411
412 /** Type of the policy */
413 policy_type_t type;
414
415 /** Assigned SA */
416 ipsec_sa_t *sa;
417 };
418
419 /**
420 * For input policies we also cache the traffic selectors in order to install
421 * the route.
422 */
423 struct policy_sa_in_t {
424 /** Generic interface */
425 policy_sa_t generic;
426
427 /** Source traffic selector of this policy */
428 traffic_selector_t *src_ts;
429
430 /** Destination traffic selector of this policy */
431 traffic_selector_t *dst_ts;
432 };
433
434 /**
435 * Create a policy_sa(_in)_t object
436 */
437 static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this,
438 policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
439 traffic_selector_t *src_ts, traffic_selector_t *dst_ts, ipsec_sa_cfg_t *cfg)
440 {
441 policy_sa_t *policy;
442
443 if (dir == POLICY_IN)
444 {
445 policy_sa_in_t *in;
446 INIT(in,
447 .src_ts = src_ts->clone(src_ts),
448 .dst_ts = dst_ts->clone(dst_ts),
449 );
450 policy = &in->generic;
451 }
452 else
453 {
454 INIT(policy, .priority = 0);
455 }
456 policy->type = type;
457 policy->sa = ipsec_sa_create(this, src, dst, cfg);
458 return policy;
459 }
460
461 /**
462 * Destroy a policy_sa(_in)_t object
463 */
464 static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir,
465 private_kernel_pfkey_ipsec_t *this)
466 {
467 if (*dir == POLICY_IN)
468 {
469 policy_sa_in_t *in = (policy_sa_in_t*)policy;
470 in->src_ts->destroy(in->src_ts);
471 in->dst_ts->destroy(in->dst_ts);
472 }
473 ipsec_sa_destroy(this, policy->sa);
474 free(policy);
475 }
476
477 typedef struct policy_entry_t policy_entry_t;
478
479 /**
480 * installed kernel policy.
481 */
482 struct policy_entry_t {
483 /** Index assigned by the kernel */
484 u_int32_t index;
485
486 /** Direction of this policy: in, out, forward */
487 u_int8_t direction;
488
489 /** Parameters of installed policy */
490 struct {
491 /** Subnet and port */
492 host_t *net;
493 /** Subnet mask */
494 u_int8_t mask;
495 /** Protocol */
496 u_int8_t proto;
497 } src, dst;
498
499 /** Associated route installed for this policy */
500 route_entry_t *route;
501
502 /** List of SAs this policy is used by, ordered by priority */
503 linked_list_t *used_by;
504 };
505
506 /**
507 * Create a policy_entry_t object
508 */
509 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
510 traffic_selector_t *dst_ts,
511 policy_dir_t dir)
512 {
513 policy_entry_t *policy;
514 INIT(policy,
515 .direction = dir,
516 );
517 u_int16_t port;
518 u_int8_t proto;
519
520 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
521 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
522
523 /* src or dest proto may be "any" (0), use more restrictive one */
524 proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
525 /* map the ports to ICMP type/code how the Linux kernel expects them, that
526 * is, type in src, code in dst */
527 if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6)
528 {
529 port = max(policy->src.net->get_port(policy->src.net),
530 policy->dst.net->get_port(policy->dst.net));
531 policy->src.net->set_port(policy->src.net,
532 traffic_selector_icmp_type(port));
533 policy->dst.net->set_port(policy->dst.net,
534 traffic_selector_icmp_code(port));
535 }
536 else if (!proto)
537 {
538 proto = IPSEC_PROTO_ANY;
539 }
540 policy->src.proto = policy->dst.proto = proto;
541
542 return policy;
543 }
544
545 /**
546 * Destroy a policy_entry_t object
547 */
548 static void policy_entry_destroy(policy_entry_t *policy,
549 private_kernel_pfkey_ipsec_t *this)
550 {
551 if (policy->route)
552 {
553 route_entry_destroy(policy->route);
554 }
555 if (policy->used_by)
556 {
557 policy->used_by->invoke_function(policy->used_by,
558 (linked_list_invoke_t)policy_sa_destroy,
559 &policy->direction, this);
560 policy->used_by->destroy(policy->used_by);
561 }
562 DESTROY_IF(policy->src.net);
563 DESTROY_IF(policy->dst.net);
564 free(policy);
565 }
566
567 /**
568 * compares two policy_entry_t
569 */
570 static inline bool policy_entry_equals(policy_entry_t *current,
571 policy_entry_t *policy)
572 {
573 return current->direction == policy->direction &&
574 current->src.proto == policy->src.proto &&
575 current->dst.proto == policy->dst.proto &&
576 current->src.mask == policy->src.mask &&
577 current->dst.mask == policy->dst.mask &&
578 current->src.net->equals(current->src.net, policy->src.net) &&
579 current->dst.net->equals(current->dst.net, policy->dst.net);
580 }
581
582 /**
583 * compare the given kernel index with that of a policy
584 */
585 static inline bool policy_entry_match_byindex(policy_entry_t *current,
586 u_int32_t *index)
587 {
588 return current->index == *index;
589 }
590
591 /**
592 * Calculate the priority of a policy
593 */
594 static inline u_int32_t get_priority(policy_entry_t *policy,
595 policy_priority_t prio)
596 {
597 u_int32_t priority = PRIO_BASE;
598 switch (prio)
599 {
600 case POLICY_PRIORITY_FALLBACK:
601 priority <<= 1;
602 /* fall-through */
603 case POLICY_PRIORITY_ROUTED:
604 priority <<= 1;
605 /* fall-through */
606 case POLICY_PRIORITY_DEFAULT:
607 priority <<= 1;
608 /* fall-trough */
609 case POLICY_PRIORITY_PASS:
610 break;
611 }
612 /* calculate priority based on selector size, small size = high prio */
613 priority -= policy->src.mask;
614 priority -= policy->dst.mask;
615 priority <<= 2; /* make some room for the two flags */
616 priority += policy->src.net->get_port(policy->src.net) ||
617 policy->dst.net->get_port(policy->dst.net) ?
618 0 : 2;
619 priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1;
620 return priority;
621 }
622
623 typedef struct pfkey_msg_t pfkey_msg_t;
624
625 struct pfkey_msg_t
626 {
627 /**
628 * PF_KEY message base
629 */
630 struct sadb_msg *msg;
631
632 /**
633 * PF_KEY message extensions
634 */
635 union {
636 struct sadb_ext *ext[SADB_EXT_MAX + 1];
637 struct {
638 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
639 struct sadb_sa *sa; /* SADB_EXT_SA */
640 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
641 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
642 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
643 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
644 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
645 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
646 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
647 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
648 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
649 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
650 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
651 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
652 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
653 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
654 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
655 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
656 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
657 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
658 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
659 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
660 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
661 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
662 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
663 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
664 } __attribute__((__packed__));
665 };
666 };
667
668 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
669 "SADB_EXT_RESERVED",
670 "SADB_EXT_SA",
671 "SADB_EXT_LIFETIME_CURRENT",
672 "SADB_EXT_LIFETIME_HARD",
673 "SADB_EXT_LIFETIME_SOFT",
674 "SADB_EXT_ADDRESS_SRC",
675 "SADB_EXT_ADDRESS_DST",
676 "SADB_EXT_ADDRESS_PROXY",
677 "SADB_EXT_KEY_AUTH",
678 "SADB_EXT_KEY_ENCRYPT",
679 "SADB_EXT_IDENTITY_SRC",
680 "SADB_EXT_IDENTITY_DST",
681 "SADB_EXT_SENSITIVITY",
682 "SADB_EXT_PROPOSAL",
683 "SADB_EXT_SUPPORTED_AUTH",
684 "SADB_EXT_SUPPORTED_ENCRYPT",
685 "SADB_EXT_SPIRANGE",
686 "SADB_X_EXT_KMPRIVATE",
687 "SADB_X_EXT_POLICY",
688 "SADB_X_EXT_SA2",
689 "SADB_X_EXT_NAT_T_TYPE",
690 "SADB_X_EXT_NAT_T_SPORT",
691 "SADB_X_EXT_NAT_T_DPORT",
692 "SADB_X_EXT_NAT_T_OA",
693 "SADB_X_EXT_SEC_CTX",
694 "SADB_X_EXT_KMADDRESS"
695 );
696
697 /**
698 * convert a protocol identifier to the PF_KEY sa type
699 */
700 static u_int8_t proto2satype(u_int8_t proto)
701 {
702 switch (proto)
703 {
704 case IPPROTO_ESP:
705 return SADB_SATYPE_ESP;
706 case IPPROTO_AH:
707 return SADB_SATYPE_AH;
708 case IPPROTO_COMP:
709 return SADB_X_SATYPE_IPCOMP;
710 default:
711 return proto;
712 }
713 }
714
715 /**
716 * convert a PF_KEY sa type to a protocol identifier
717 */
718 static u_int8_t satype2proto(u_int8_t satype)
719 {
720 switch (satype)
721 {
722 case SADB_SATYPE_ESP:
723 return IPPROTO_ESP;
724 case SADB_SATYPE_AH:
725 return IPPROTO_AH;
726 case SADB_X_SATYPE_IPCOMP:
727 return IPPROTO_COMP;
728 default:
729 return satype;
730 }
731 }
732
733 /**
734 * convert the general ipsec mode to the one defined in ipsec.h
735 */
736 static u_int8_t mode2kernel(ipsec_mode_t mode)
737 {
738 switch (mode)
739 {
740 case MODE_TRANSPORT:
741 return IPSEC_MODE_TRANSPORT;
742 case MODE_TUNNEL:
743 return IPSEC_MODE_TUNNEL;
744 #ifdef HAVE_IPSEC_MODE_BEET
745 case MODE_BEET:
746 return IPSEC_MODE_BEET;
747 #endif
748 default:
749 return mode;
750 }
751 }
752
753 /**
754 * convert the general policy direction to the one defined in ipsec.h
755 */
756 static u_int8_t dir2kernel(policy_dir_t dir)
757 {
758 switch (dir)
759 {
760 case POLICY_IN:
761 return IPSEC_DIR_INBOUND;
762 case POLICY_OUT:
763 return IPSEC_DIR_OUTBOUND;
764 #ifdef HAVE_IPSEC_DIR_FWD
765 case POLICY_FWD:
766 return IPSEC_DIR_FWD;
767 #endif
768 default:
769 return IPSEC_DIR_INVALID;
770 }
771 }
772
773 /**
774 * convert the policy type to the one defined in ipsec.h
775 */
776 static inline u_int16_t type2kernel(policy_type_t type)
777 {
778 switch (type)
779 {
780 case POLICY_IPSEC:
781 return IPSEC_POLICY_IPSEC;
782 case POLICY_PASS:
783 return IPSEC_POLICY_NONE;
784 case POLICY_DROP:
785 return IPSEC_POLICY_DISCARD;
786 }
787 return type;
788 }
789
790 #ifdef SADB_X_MIGRATE
791 /**
792 * convert the policy direction in ipsec.h to the general one.
793 */
794 static policy_dir_t kernel2dir(u_int8_t dir)
795 {
796 switch (dir)
797 {
798 case IPSEC_DIR_INBOUND:
799 return POLICY_IN;
800 case IPSEC_DIR_OUTBOUND:
801 return POLICY_OUT;
802 #ifdef HAVE_IPSEC_DIR_FWD
803 case IPSEC_DIR_FWD:
804 return POLICY_FWD;
805 #endif
806 default:
807 return dir;
808 }
809 }
810 #endif /*SADB_X_MIGRATE*/
811
812 typedef struct kernel_algorithm_t kernel_algorithm_t;
813
814 /**
815 * Mapping of IKEv2 algorithms to PF_KEY algorithms
816 */
817 struct kernel_algorithm_t {
818 /**
819 * Identifier specified in IKEv2
820 */
821 int ikev2;
822
823 /**
824 * Identifier as defined in pfkeyv2.h
825 */
826 int kernel;
827 };
828
829 #define END_OF_LIST -1
830
831 /**
832 * Algorithms for encryption
833 */
834 static kernel_algorithm_t encryption_algs[] = {
835 /* {ENCR_DES_IV64, 0 }, */
836 {ENCR_DES, SADB_EALG_DESCBC },
837 {ENCR_3DES, SADB_EALG_3DESCBC },
838 /* {ENCR_RC5, 0 }, */
839 /* {ENCR_IDEA, 0 }, */
840 {ENCR_CAST, SADB_X_EALG_CASTCBC },
841 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
842 /* {ENCR_3IDEA, 0 }, */
843 /* {ENCR_DES_IV32, 0 }, */
844 {ENCR_NULL, SADB_EALG_NULL },
845 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
846 #ifdef SADB_X_EALG_AESCTR
847 {ENCR_AES_CTR, SADB_X_EALG_AESCTR },
848 #endif
849 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
850 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
851 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
852 #ifdef SADB_X_EALG_AES_GCM_ICV8 /* assume the others are defined too */
853 {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 },
854 {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 },
855 {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 },
856 #endif
857 #ifdef SADB_X_EALG_CAMELLIACBC
858 {ENCR_CAMELLIA_CBC, SADB_X_EALG_CAMELLIACBC },
859 #endif
860 {END_OF_LIST, 0 },
861 };
862
863 /**
864 * Algorithms for integrity protection
865 */
866 static kernel_algorithm_t integrity_algs[] = {
867 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
868 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
869 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
870 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
871 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
872 /* {AUTH_DES_MAC, 0, }, */
873 /* {AUTH_KPDK_MD5, 0, }, */
874 #ifdef SADB_X_AALG_AES_XCBC_MAC
875 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
876 #endif
877 {END_OF_LIST, 0, },
878 };
879
880 /**
881 * Algorithms for IPComp, unused yet
882 */
883 static kernel_algorithm_t compression_algs[] = {
884 /* {IPCOMP_OUI, 0 }, */
885 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
886 #ifdef SADB_X_CALG_LZS
887 {IPCOMP_LZS, SADB_X_CALG_LZS },
888 #endif
889 #ifdef SADB_X_CALG_LZJH
890 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
891 #endif
892 {END_OF_LIST, 0 },
893 };
894
895 /**
896 * Look up a kernel algorithm ID and its key size
897 */
898 static int lookup_algorithm(transform_type_t type, int ikev2)
899 {
900 kernel_algorithm_t *list;
901 u_int16_t alg = 0;
902
903 switch (type)
904 {
905 case ENCRYPTION_ALGORITHM:
906 list = encryption_algs;
907 break;
908 case INTEGRITY_ALGORITHM:
909 list = integrity_algs;
910 break;
911 case COMPRESSION_ALGORITHM:
912 list = compression_algs;
913 break;
914 default:
915 return 0;
916 }
917 while (list->ikev2 != END_OF_LIST)
918 {
919 if (ikev2 == list->ikev2)
920 {
921 return list->kernel;
922 }
923 list++;
924 }
925 hydra->kernel_interface->lookup_algorithm(hydra->kernel_interface, ikev2,
926 type, &alg, NULL);
927 return alg;
928 }
929
930 /**
931 * Helper to set a port in a sockaddr_t, the port has to be in host order
932 */
933 static void set_port(sockaddr_t *addr, u_int16_t port)
934 {
935 switch (addr->sa_family)
936 {
937 case AF_INET:
938 {
939 struct sockaddr_in *sin = (struct sockaddr_in*)addr;
940 sin->sin_port = htons(port);
941 break;
942 }
943 case AF_INET6:
944 {
945 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)addr;
946 sin6->sin6_port = htons(port);
947 break;
948 }
949 }
950 }
951
952 /**
953 * Copy a host_t as sockaddr_t to the given memory location.
954 * @return the number of bytes copied
955 */
956 static size_t hostcpy(void *dest, host_t *host, bool include_port)
957 {
958 sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
959 socklen_t *len = host->get_sockaddr_len(host);
960
961 memcpy(dest, addr, *len);
962 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
963 dest_addr->sa_len = *len;
964 #endif
965 if (!include_port)
966 {
967 set_port(dest_addr, 0);
968 }
969 return *len;
970 }
971
972 /**
973 * add a host to the given sadb_msg
974 */
975 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
976 u_int8_t proto, u_int8_t prefixlen, bool include_port)
977 {
978 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
979 size_t len;
980
981 addr->sadb_address_exttype = type;
982 addr->sadb_address_proto = proto;
983 addr->sadb_address_prefixlen = prefixlen;
984 len = hostcpy(addr + 1, host, include_port);
985 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
986 PFKEY_EXT_ADD(msg, addr);
987 }
988
989 /**
990 * adds an empty address extension to the given sadb_msg
991 */
992 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
993 {
994 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
995 sizeof(struct sockaddr_in6);
996 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
997 addr->sadb_address_exttype = type;
998 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
999 saddr->sa_family = family;
1000 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
1001 saddr->sa_len = len;
1002 #endif
1003 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
1004 PFKEY_EXT_ADD(msg, addr);
1005 }
1006
1007 #ifdef HAVE_NATT
1008 /**
1009 * add udp encap extensions to a sadb_msg
1010 */
1011 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
1012 {
1013 struct sadb_x_nat_t_type* nat_type;
1014 struct sadb_x_nat_t_port* nat_port;
1015
1016 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
1017 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
1018 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(*nat_type));
1019 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
1020 PFKEY_EXT_ADD(msg, nat_type);
1021
1022 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
1023 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
1024 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
1025 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
1026 PFKEY_EXT_ADD(msg, nat_port);
1027
1028 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
1029 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
1030 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
1031 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
1032 PFKEY_EXT_ADD(msg, nat_port);
1033 }
1034 #endif /*HAVE_NATT*/
1035
1036 /**
1037 * Convert a sadb_address to a traffic_selector
1038 */
1039 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
1040 {
1041 traffic_selector_t *ts;
1042 host_t *host;
1043 u_int8_t proto;
1044
1045 proto = address->sadb_address_proto;
1046 proto = proto == IPSEC_PROTO_ANY ? 0 : proto;
1047
1048 /* The Linux 2.6 kernel does not set the protocol and port information
1049 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
1050 */
1051 host = host_create_from_sockaddr((sockaddr_t*)&address[1]);
1052 ts = traffic_selector_create_from_subnet(host,
1053 address->sadb_address_prefixlen,
1054 proto, host->get_port(host),
1055 host->get_port(host) ?: 65535);
1056 return ts;
1057 }
1058
1059 /**
1060 * Parses a pfkey message received from the kernel
1061 */
1062 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
1063 {
1064 struct sadb_ext* ext;
1065 size_t len;
1066
1067 memset(out, 0, sizeof(pfkey_msg_t));
1068 out->msg = msg;
1069
1070 len = msg->sadb_msg_len;
1071 len -= PFKEY_LEN(sizeof(struct sadb_msg));
1072
1073 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
1074
1075 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
1076 {
1077 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
1078 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
1079 ext->sadb_ext_len > len)
1080 {
1081 DBG1(DBG_KNL, "length of %N extension is invalid",
1082 sadb_ext_type_names, ext->sadb_ext_type);
1083 break;
1084 }
1085
1086 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
1087 {
1088 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid",
1089 ext->sadb_ext_type);
1090 break;
1091 }
1092
1093 if (out->ext[ext->sadb_ext_type])
1094 {
1095 DBG1(DBG_KNL, "duplicate %N extension",
1096 sadb_ext_type_names, ext->sadb_ext_type);
1097 break;
1098 }
1099
1100 out->ext[ext->sadb_ext_type] = ext;
1101 ext = PFKEY_EXT_NEXT_LEN(ext, len);
1102 }
1103
1104 if (len)
1105 {
1106 DBG1(DBG_KNL, "PF_KEY message length is invalid");
1107 return FAILED;
1108 }
1109
1110 return SUCCESS;
1111 }
1112
1113 /**
1114 * Send a message to a specific PF_KEY socket and handle the response.
1115 */
1116 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
1117 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
1118 {
1119 unsigned char buf[PFKEY_BUFFER_SIZE];
1120 struct sadb_msg *msg;
1121 int in_len, len;
1122
1123 this->mutex_pfkey->lock(this->mutex_pfkey);
1124
1125 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
1126 * in particular the behavior in response to an SADB_ACQUIRE. */
1127 in->sadb_msg_seq = ++this->seq;
1128 in->sadb_msg_pid = getpid();
1129
1130 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
1131
1132 while (TRUE)
1133 {
1134 len = send(socket, in, in_len, 0);
1135
1136 if (len != in_len)
1137 {
1138 if (errno == EINTR)
1139 {
1140 /* interrupted, try again */
1141 continue;
1142 }
1143 this->mutex_pfkey->unlock(this->mutex_pfkey);
1144 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s",
1145 strerror(errno));
1146 return FAILED;
1147 }
1148 break;
1149 }
1150
1151 while (TRUE)
1152 {
1153 msg = (struct sadb_msg*)buf;
1154
1155 len = recv(socket, buf, sizeof(buf), 0);
1156
1157 if (len < 0)
1158 {
1159 if (errno == EINTR)
1160 {
1161 DBG1(DBG_KNL, "got interrupted");
1162 /* interrupted, try again */
1163 continue;
1164 }
1165 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s",
1166 strerror(errno));
1167 this->mutex_pfkey->unlock(this->mutex_pfkey);
1168 return FAILED;
1169 }
1170 if (len < sizeof(struct sadb_msg) ||
1171 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1172 {
1173 DBG1(DBG_KNL, "received corrupted PF_KEY message");
1174 this->mutex_pfkey->unlock(this->mutex_pfkey);
1175 return FAILED;
1176 }
1177 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1178 {
1179 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY "
1180 "message");
1181 this->mutex_pfkey->unlock(this->mutex_pfkey);
1182 return FAILED;
1183 }
1184 if (msg->sadb_msg_pid != in->sadb_msg_pid)
1185 {
1186 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
1187 continue;
1188 }
1189 if (msg->sadb_msg_seq != this->seq)
1190 {
1191 DBG2(DBG_KNL, "received PF_KEY message with unexpected sequence "
1192 "number, was %d expected %d", msg->sadb_msg_seq,
1193 this->seq);
1194 if (msg->sadb_msg_seq == 0)
1195 {
1196 /* FreeBSD and Mac OS X do this for the response to
1197 * SADB_X_SPDGET (but not for the response to SADB_GET).
1198 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
1199 }
1200 else if (msg->sadb_msg_seq < this->seq)
1201 {
1202 continue;
1203 }
1204 else
1205 {
1206 this->mutex_pfkey->unlock(this->mutex_pfkey);
1207 return FAILED;
1208 }
1209 }
1210 if (msg->sadb_msg_type != in->sadb_msg_type)
1211 {
1212 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
1213 "was %d expected %d, ignoring", msg->sadb_msg_type,
1214 in->sadb_msg_type);
1215 }
1216 break;
1217 }
1218
1219 *out_len = len;
1220 *out = (struct sadb_msg*)malloc(len);
1221 memcpy(*out, buf, len);
1222
1223 this->mutex_pfkey->unlock(this->mutex_pfkey);
1224 return SUCCESS;
1225 }
1226
1227 /**
1228 * Send a message to the default PF_KEY socket and handle the response.
1229 */
1230 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
1231 struct sadb_msg *in, struct sadb_msg **out,
1232 size_t *out_len)
1233 {
1234 return pfkey_send_socket(this, this->socket, in, out, out_len);
1235 }
1236
1237 /**
1238 * Process a SADB_ACQUIRE message from the kernel
1239 */
1240 static void process_acquire(private_kernel_pfkey_ipsec_t *this,
1241 struct sadb_msg* msg)
1242 {
1243 pfkey_msg_t response;
1244 u_int32_t index, reqid = 0;
1245 traffic_selector_t *src_ts, *dst_ts;
1246 policy_entry_t *policy;
1247 policy_sa_t *sa;
1248
1249 switch (msg->sadb_msg_satype)
1250 {
1251 case SADB_SATYPE_UNSPEC:
1252 case SADB_SATYPE_ESP:
1253 case SADB_SATYPE_AH:
1254 break;
1255 default:
1256 /* acquire for AH/ESP only */
1257 return;
1258 }
1259 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
1260
1261 if (parse_pfkey_message(msg, &response) != SUCCESS)
1262 {
1263 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
1264 return;
1265 }
1266
1267 index = response.x_policy->sadb_x_policy_id;
1268 this->mutex->lock(this->mutex);
1269 if (this->policies->find_first(this->policies,
1270 (linked_list_match_t)policy_entry_match_byindex,
1271 (void**)&policy, &index) == SUCCESS &&
1272 policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS)
1273 {
1274 reqid = sa->sa->cfg.reqid;
1275 }
1276 else
1277 {
1278 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no "
1279 "matching policy found", index);
1280 }
1281 this->mutex->unlock(this->mutex);
1282
1283 src_ts = sadb_address2ts(response.src);
1284 dst_ts = sadb_address2ts(response.dst);
1285
1286 hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
1287 dst_ts);
1288 }
1289
1290 /**
1291 * Process a SADB_EXPIRE message from the kernel
1292 */
1293 static void process_expire(private_kernel_pfkey_ipsec_t *this,
1294 struct sadb_msg* msg)
1295 {
1296 pfkey_msg_t response;
1297 u_int8_t protocol;
1298 u_int32_t spi;
1299 host_t *dst;
1300 bool hard;
1301
1302 DBG2(DBG_KNL, "received an SADB_EXPIRE");
1303
1304 if (parse_pfkey_message(msg, &response) != SUCCESS)
1305 {
1306 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
1307 return;
1308 }
1309
1310 protocol = satype2proto(msg->sadb_msg_satype);
1311 spi = response.sa->sadb_sa_spi;
1312 hard = response.lft_hard != NULL;
1313
1314 if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH)
1315 {
1316 dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
1317 if (dst)
1318 {
1319 hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
1320 spi, dst, hard);
1321 dst->destroy(dst);
1322 }
1323 }
1324 }
1325
1326 #ifdef SADB_X_MIGRATE
1327 /**
1328 * Process a SADB_X_MIGRATE message from the kernel
1329 */
1330 static void process_migrate(private_kernel_pfkey_ipsec_t *this,
1331 struct sadb_msg* msg)
1332 {
1333 pfkey_msg_t response;
1334 traffic_selector_t *src_ts, *dst_ts;
1335 policy_dir_t dir;
1336 u_int32_t reqid = 0;
1337 host_t *local = NULL, *remote = NULL;
1338
1339 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
1340
1341 if (parse_pfkey_message(msg, &response) != SUCCESS)
1342 {
1343 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
1344 return;
1345 }
1346 src_ts = sadb_address2ts(response.src);
1347 dst_ts = sadb_address2ts(response.dst);
1348 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
1349 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
1350 policy_dir_names, dir);
1351
1352 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
1353 if (response.x_kmaddress)
1354 {
1355 sockaddr_t *local_addr, *remote_addr;
1356 u_int32_t local_len;
1357
1358 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
1359 local = host_create_from_sockaddr(local_addr);
1360 local_len = (local_addr->sa_family == AF_INET6)?
1361 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
1362 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
1363 remote = host_create_from_sockaddr(remote_addr);
1364 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1365 }
1366
1367 if (src_ts && dst_ts && local && remote)
1368 {
1369 hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
1370 src_ts, dst_ts, dir, local, remote);
1371 }
1372 else
1373 {
1374 DESTROY_IF(src_ts);
1375 DESTROY_IF(dst_ts);
1376 DESTROY_IF(local);
1377 DESTROY_IF(remote);
1378 }
1379 }
1380 #endif /*SADB_X_MIGRATE*/
1381
1382 #ifdef SADB_X_NAT_T_NEW_MAPPING
1383 /**
1384 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1385 */
1386 static void process_mapping(private_kernel_pfkey_ipsec_t *this,
1387 struct sadb_msg* msg)
1388 {
1389 pfkey_msg_t response;
1390 u_int32_t spi;
1391 sockaddr_t *sa;
1392 host_t *dst, *new;
1393
1394 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1395
1396 if (parse_pfkey_message(msg, &response) != SUCCESS)
1397 {
1398 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1399 return;
1400 }
1401
1402 if (!response.x_sa2)
1403 {
1404 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required "
1405 "information");
1406 return;
1407 }
1408
1409 spi = response.sa->sadb_sa_spi;
1410
1411 if (satype2proto(msg->sadb_msg_satype) != IPPROTO_ESP)
1412 {
1413 return;
1414 }
1415
1416 sa = (sockaddr_t*)(response.dst + 1);
1417 dst = host_create_from_sockaddr(sa);
1418 switch (sa->sa_family)
1419 {
1420 case AF_INET:
1421 {
1422 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1423 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1424 break;
1425 }
1426 case AF_INET6:
1427 {
1428 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1429 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1430 break;
1431 }
1432 default:
1433 break;
1434 }
1435 if (dst)
1436 {
1437 new = host_create_from_sockaddr(sa);
1438 if (new)
1439 {
1440 hydra->kernel_interface->mapping(hydra->kernel_interface,
1441 IPPROTO_ESP, spi, dst, new);
1442 new->destroy(new);
1443 }
1444 dst->destroy(dst);
1445 }
1446 }
1447 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1448
1449 /**
1450 * Receives events from kernel
1451 */
1452 static bool receive_events(private_kernel_pfkey_ipsec_t *this, int fd,
1453 watcher_event_t event)
1454 {
1455 unsigned char buf[PFKEY_BUFFER_SIZE];
1456 struct sadb_msg *msg = (struct sadb_msg*)buf;
1457 int len;
1458
1459 len = recvfrom(this->socket_events, buf, sizeof(buf), MSG_DONTWAIT, NULL, 0);
1460 if (len < 0)
1461 {
1462 switch (errno)
1463 {
1464 case EINTR:
1465 /* interrupted, try again */
1466 return TRUE;
1467 case EAGAIN:
1468 /* no data ready, select again */
1469 return TRUE;
1470 default:
1471 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1472 sleep(1);
1473 return TRUE;
1474 }
1475 }
1476
1477 if (len < sizeof(struct sadb_msg) ||
1478 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1479 {
1480 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1481 return TRUE;
1482 }
1483 if (msg->sadb_msg_pid != 0)
1484 { /* not from kernel. not interested, try another one */
1485 return TRUE;
1486 }
1487 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1488 {
1489 DBG1(DBG_KNL, "buffer was too small to receive the complete "
1490 "PF_KEY message");
1491 return TRUE;
1492 }
1493
1494 switch (msg->sadb_msg_type)
1495 {
1496 case SADB_ACQUIRE:
1497 process_acquire(this, msg);
1498 break;
1499 case SADB_EXPIRE:
1500 process_expire(this, msg);
1501 break;
1502 #ifdef SADB_X_MIGRATE
1503 case SADB_X_MIGRATE:
1504 process_migrate(this, msg);
1505 break;
1506 #endif /*SADB_X_MIGRATE*/
1507 #ifdef SADB_X_NAT_T_NEW_MAPPING
1508 case SADB_X_NAT_T_NEW_MAPPING:
1509 process_mapping(this, msg);
1510 break;
1511 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1512 default:
1513 break;
1514 }
1515
1516 return TRUE;
1517 }
1518
1519 /**
1520 * Get an SPI for a specific protocol from the kernel.
1521 */
1522
1523 static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this,
1524 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
1525 u_int32_t *spi)
1526 {
1527 unsigned char request[PFKEY_BUFFER_SIZE];
1528 struct sadb_msg *msg, *out;
1529 struct sadb_spirange *range;
1530 pfkey_msg_t response;
1531 u_int32_t received_spi = 0;
1532 size_t len;
1533
1534 memset(&request, 0, sizeof(request));
1535
1536 msg = (struct sadb_msg*)request;
1537 msg->sadb_msg_version = PF_KEY_V2;
1538 msg->sadb_msg_type = SADB_GETSPI;
1539 msg->sadb_msg_satype = proto2satype(proto);
1540 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1541
1542 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
1543 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
1544
1545 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1546 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1547 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1548 range->sadb_spirange_min = min;
1549 range->sadb_spirange_max = max;
1550 PFKEY_EXT_ADD(msg, range);
1551
1552 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1553 {
1554 if (out->sadb_msg_errno)
1555 {
1556 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1557 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1558 }
1559 else if (parse_pfkey_message(out, &response) == SUCCESS)
1560 {
1561 received_spi = response.sa->sadb_sa_spi;
1562 }
1563 free(out);
1564 }
1565
1566 if (received_spi == 0)
1567 {
1568 return FAILED;
1569 }
1570
1571 *spi = received_spi;
1572 return SUCCESS;
1573 }
1574
1575 METHOD(kernel_ipsec_t, get_spi, status_t,
1576 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1577 u_int8_t protocol, u_int32_t *spi)
1578 {
1579 if (get_spi_internal(this, src, dst, protocol,
1580 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
1581 {
1582 DBG1(DBG_KNL, "unable to get SPI");
1583 return FAILED;
1584 }
1585
1586 DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi));
1587 return SUCCESS;
1588 }
1589
1590 METHOD(kernel_ipsec_t, get_cpi, status_t,
1591 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1592 u_int16_t *cpi)
1593 {
1594 u_int32_t received_spi = 0;
1595
1596 DBG2(DBG_KNL, "getting CPI");
1597
1598 if (get_spi_internal(this, src, dst, IPPROTO_COMP,
1599 0x100, 0xEFFF, &received_spi) != SUCCESS)
1600 {
1601 DBG1(DBG_KNL, "unable to get CPI");
1602 return FAILED;
1603 }
1604
1605 *cpi = htons((u_int16_t)ntohl(received_spi));
1606
1607 DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi));
1608 return SUCCESS;
1609 }
1610
1611 METHOD(kernel_ipsec_t, add_sa, status_t,
1612 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
1613 u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
1614 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
1615 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
1616 u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
1617 bool initiator, bool encap, bool esn, bool inbound, bool update,
1618 linked_list_t *src_ts, linked_list_t *dst_ts)
1619 {
1620 unsigned char request[PFKEY_BUFFER_SIZE];
1621 struct sadb_msg *msg, *out;
1622 struct sadb_sa *sa;
1623 struct sadb_x_sa2 *sa2;
1624 struct sadb_lifetime *lft;
1625 struct sadb_key *key;
1626 size_t len;
1627
1628 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
1629 * we are in the recursive call below */
1630 if (ipcomp != IPCOMP_NONE && cpi != 0)
1631 {
1632 lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
1633 add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
1634 tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
1635 chunk_empty, mode, ipcomp, 0, 0, FALSE, FALSE, FALSE, inbound,
1636 update, NULL, NULL);
1637 ipcomp = IPCOMP_NONE;
1638 /* use transport mode ESP SA, IPComp uses tunnel mode */
1639 mode = MODE_TRANSPORT;
1640 }
1641
1642 if (update)
1643 {
1644 /* As we didn't know the reqid during SPI allocation, we used reqid
1645 * zero. Unfortunately we can't SADB_UPDATE to the new reqid, hence we
1646 * have to delete the SPI allocation state manually. The reqid
1647 * selector does not count for that, therefore we have to delete
1648 * that state before installing the new SA to avoid deleting the
1649 * the new state after installing it. */
1650 mark_t zeromark = {0, 0};
1651
1652 if (this->public.interface.del_sa(&this->public.interface,
1653 src, dst, spi, protocol, 0, zeromark) != SUCCESS)
1654 {
1655 DBG1(DBG_KNL, "deleting SPI allocation SA failed");
1656 }
1657 }
1658
1659 memset(&request, 0, sizeof(request));
1660
1661 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
1662 ntohl(spi), reqid);
1663
1664 msg = (struct sadb_msg*)request;
1665 msg->sadb_msg_version = PF_KEY_V2;
1666 msg->sadb_msg_type = SADB_ADD;
1667 msg->sadb_msg_satype = proto2satype(protocol);
1668 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1669
1670 #ifdef __APPLE__
1671 if (encap)
1672 {
1673 struct sadb_sa_2 *sa_2;
1674 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1675 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1676 sa = &sa_2->sa;
1677 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1678 len = sizeof(struct sadb_sa_2);
1679 }
1680 else
1681 #endif
1682 {
1683 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1684 len = sizeof(struct sadb_sa);
1685 }
1686 sa->sadb_sa_exttype = SADB_EXT_SA;
1687 sa->sadb_sa_len = PFKEY_LEN(len);
1688 sa->sadb_sa_spi = spi;
1689 if (protocol == IPPROTO_COMP)
1690 {
1691 sa->sadb_sa_encrypt = lookup_algorithm(COMPRESSION_ALGORITHM, ipcomp);
1692 }
1693 else
1694 {
1695 /* Linux interprets sadb_sa_replay as number of packets/bits in the
1696 * replay window, whereas on BSD it's the size of the window in bytes */
1697 #ifdef __linux__
1698 sa->sadb_sa_replay = min(replay_window, 32);
1699 #else
1700 sa->sadb_sa_replay = (replay_window + 7) / 8;
1701 #endif
1702 sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, int_alg);
1703 sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg);
1704 }
1705 PFKEY_EXT_ADD(msg, sa);
1706
1707 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1708 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1709 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1710 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1711 sa2->sadb_x_sa2_reqid = reqid;
1712 PFKEY_EXT_ADD(msg, sa2);
1713
1714 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
1715 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
1716
1717 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1718 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1719 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1720 lft->sadb_lifetime_allocations = lifetime->packets.rekey;
1721 lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
1722 lft->sadb_lifetime_addtime = lifetime->time.rekey;
1723 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1724 PFKEY_EXT_ADD(msg, lft);
1725
1726 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1727 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1728 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1729 lft->sadb_lifetime_allocations = lifetime->packets.life;
1730 lft->sadb_lifetime_bytes = lifetime->bytes.life;
1731 lft->sadb_lifetime_addtime = lifetime->time.life;
1732 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1733 PFKEY_EXT_ADD(msg, lft);
1734
1735 if (enc_alg != ENCR_UNDEFINED)
1736 {
1737 if (!sa->sadb_sa_encrypt)
1738 {
1739 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1740 encryption_algorithm_names, enc_alg);
1741 return FAILED;
1742 }
1743 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1744 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1745
1746 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1747 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1748 key->sadb_key_bits = enc_key.len * 8;
1749 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1750 memcpy(key + 1, enc_key.ptr, enc_key.len);
1751
1752 PFKEY_EXT_ADD(msg, key);
1753 }
1754
1755 if (int_alg != AUTH_UNDEFINED)
1756 {
1757 if (!sa->sadb_sa_auth)
1758 {
1759 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1760 integrity_algorithm_names, int_alg);
1761 return FAILED;
1762 }
1763 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1764 integrity_algorithm_names, int_alg, int_key.len * 8);
1765
1766 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1767 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1768 key->sadb_key_bits = int_key.len * 8;
1769 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1770 memcpy(key + 1, int_key.ptr, int_key.len);
1771
1772 PFKEY_EXT_ADD(msg, key);
1773 }
1774
1775 #ifdef HAVE_NATT
1776 if (encap)
1777 {
1778 add_encap_ext(msg, src, dst);
1779 }
1780 #endif /*HAVE_NATT*/
1781
1782 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1783 {
1784 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1785 return FAILED;
1786 }
1787 else if (out->sadb_msg_errno)
1788 {
1789 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1790 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1791 free(out);
1792 return FAILED;
1793 }
1794
1795 free(out);
1796 return SUCCESS;
1797 }
1798
1799 METHOD(kernel_ipsec_t, update_sa, status_t,
1800 private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
1801 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1802 bool encap, bool new_encap, mark_t mark)
1803 {
1804 unsigned char request[PFKEY_BUFFER_SIZE];
1805 struct sadb_msg *msg, *out;
1806 struct sadb_sa *sa;
1807 pfkey_msg_t response;
1808 size_t len;
1809
1810 /* we can't update the SA if any of the ip addresses have changed.
1811 * that's because we can't use SADB_UPDATE and by deleting and readding the
1812 * SA the sequence numbers would get lost */
1813 if (!src->ip_equals(src, new_src) ||
1814 !dst->ip_equals(dst, new_dst))
1815 {
1816 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address "
1817 "changes are not supported", ntohl(spi));
1818 return NOT_SUPPORTED;
1819 }
1820
1821 /* if IPComp is used, we first update the IPComp SA */
1822 if (cpi)
1823 {
1824 update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
1825 src, dst, new_src, new_dst, FALSE, FALSE, mark);
1826 }
1827
1828 memset(&request, 0, sizeof(request));
1829
1830 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1831
1832 msg = (struct sadb_msg*)request;
1833 msg->sadb_msg_version = PF_KEY_V2;
1834 msg->sadb_msg_type = SADB_GET;
1835 msg->sadb_msg_satype = proto2satype(protocol);
1836 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1837
1838 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1839 sa->sadb_sa_exttype = SADB_EXT_SA;
1840 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1841 sa->sadb_sa_spi = spi;
1842 PFKEY_EXT_ADD(msg, sa);
1843
1844 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1845 * it is not used for anything. */
1846 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1847 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
1848
1849 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1850 {
1851 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1852 return FAILED;
1853 }
1854 else if (out->sadb_msg_errno)
1855 {
1856 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1857 ntohl(spi), strerror(out->sadb_msg_errno),
1858 out->sadb_msg_errno);
1859 free(out);
1860 return FAILED;
1861 }
1862 else if (parse_pfkey_message(out, &response) != SUCCESS)
1863 {
1864 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing "
1865 "response from kernel failed", ntohl(spi));
1866 free(out);
1867 return FAILED;
1868 }
1869
1870 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1871 ntohl(spi), src, dst, new_src, new_dst);
1872
1873 memset(&request, 0, sizeof(request));
1874
1875 msg = (struct sadb_msg*)request;
1876 msg->sadb_msg_version = PF_KEY_V2;
1877 msg->sadb_msg_type = SADB_UPDATE;
1878 msg->sadb_msg_satype = proto2satype(protocol);
1879 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1880
1881 #ifdef __APPLE__
1882 {
1883 struct sadb_sa_2 *sa_2;
1884 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1885 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1886 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1887 if (encap)
1888 {
1889 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1890 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1891 }
1892 }
1893 #else
1894 PFKEY_EXT_COPY(msg, response.sa);
1895 #endif
1896 PFKEY_EXT_COPY(msg, response.x_sa2);
1897
1898 PFKEY_EXT_COPY(msg, response.src);
1899 PFKEY_EXT_COPY(msg, response.dst);
1900
1901 PFKEY_EXT_COPY(msg, response.lft_soft);
1902 PFKEY_EXT_COPY(msg, response.lft_hard);
1903
1904 if (response.key_encr)
1905 {
1906 PFKEY_EXT_COPY(msg, response.key_encr);
1907 }
1908
1909 if (response.key_auth)
1910 {
1911 PFKEY_EXT_COPY(msg, response.key_auth);
1912 }
1913
1914 #ifdef HAVE_NATT
1915 if (new_encap)
1916 {
1917 add_encap_ext(msg, new_src, new_dst);
1918 }
1919 #endif /*HAVE_NATT*/
1920
1921 free(out);
1922
1923 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1924 {
1925 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1926 return FAILED;
1927 }
1928 else if (out->sadb_msg_errno)
1929 {
1930 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1931 ntohl(spi), strerror(out->sadb_msg_errno),
1932 out->sadb_msg_errno);
1933 free(out);
1934 return FAILED;
1935 }
1936 free(out);
1937
1938 return SUCCESS;
1939 }
1940
1941 METHOD(kernel_ipsec_t, query_sa, status_t,
1942 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1943 u_int32_t spi, u_int8_t protocol, mark_t mark,
1944 u_int64_t *bytes, u_int64_t *packets, time_t *time)
1945 {
1946 unsigned char request[PFKEY_BUFFER_SIZE];
1947 struct sadb_msg *msg, *out;
1948 struct sadb_sa *sa;
1949 pfkey_msg_t response;
1950 size_t len;
1951
1952 memset(&request, 0, sizeof(request));
1953
1954 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1955
1956 msg = (struct sadb_msg*)request;
1957 msg->sadb_msg_version = PF_KEY_V2;
1958 msg->sadb_msg_type = SADB_GET;
1959 msg->sadb_msg_satype = proto2satype(protocol);
1960 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1961
1962 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1963 sa->sadb_sa_exttype = SADB_EXT_SA;
1964 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1965 sa->sadb_sa_spi = spi;
1966 PFKEY_EXT_ADD(msg, sa);
1967
1968 /* the Linux Kernel doesn't care for the src address, but other systems do
1969 * (e.g. FreeBSD)
1970 */
1971 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
1972 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
1973
1974 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1975 {
1976 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1977 return FAILED;
1978 }
1979 else if (out->sadb_msg_errno)
1980 {
1981 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1982 ntohl(spi), strerror(out->sadb_msg_errno),
1983 out->sadb_msg_errno);
1984 free(out);
1985 return FAILED;
1986 }
1987 else if (parse_pfkey_message(out, &response) != SUCCESS)
1988 {
1989 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1990 free(out);
1991 return FAILED;
1992 }
1993 if (bytes)
1994 {
1995 *bytes = response.lft_current->sadb_lifetime_bytes;
1996 }
1997 if (packets)
1998 {
1999 /* at least on Linux and FreeBSD this contains the number of packets */
2000 *packets = response.lft_current->sadb_lifetime_allocations;
2001 }
2002 if (time)
2003 {
2004 #ifdef __APPLE__
2005 /* OS X uses the "last" time of use in usetime */
2006 *time = response.lft_current->sadb_lifetime_usetime;
2007 #else /* !__APPLE__ */
2008 /* on Linux, sadb_lifetime_usetime is set to the "first" time of use,
2009 * which is actually correct according to PF_KEY. We have to query
2010 * policies for the last usetime. */
2011 *time = 0;
2012 #endif /* !__APPLE__ */
2013 }
2014
2015 free(out);
2016 return SUCCESS;
2017 }
2018
2019 METHOD(kernel_ipsec_t, del_sa, status_t,
2020 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
2021 u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
2022 {
2023 unsigned char request[PFKEY_BUFFER_SIZE];
2024 struct sadb_msg *msg, *out;
2025 struct sadb_sa *sa;
2026 size_t len;
2027
2028 /* if IPComp was used, we first delete the additional IPComp SA */
2029 if (cpi)
2030 {
2031 del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark);
2032 }
2033
2034 memset(&request, 0, sizeof(request));
2035
2036 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
2037
2038 msg = (struct sadb_msg*)request;
2039 msg->sadb_msg_version = PF_KEY_V2;
2040 msg->sadb_msg_type = SADB_DELETE;
2041 msg->sadb_msg_satype = proto2satype(protocol);
2042 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2043
2044 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
2045 sa->sadb_sa_exttype = SADB_EXT_SA;
2046 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
2047 sa->sadb_sa_spi = spi;
2048 PFKEY_EXT_ADD(msg, sa);
2049
2050 /* the Linux Kernel doesn't care for the src address, but other systems do
2051 * (e.g. FreeBSD)
2052 */
2053 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
2054 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
2055
2056 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2057 {
2058 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
2059 return FAILED;
2060 }
2061 else if (out->sadb_msg_errno)
2062 {
2063 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
2064 ntohl(spi), strerror(out->sadb_msg_errno),
2065 out->sadb_msg_errno);
2066 free(out);
2067 return FAILED;
2068 }
2069
2070 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
2071 free(out);
2072 return SUCCESS;
2073 }
2074
2075 METHOD(kernel_ipsec_t, flush_sas, status_t,
2076 private_kernel_pfkey_ipsec_t *this)
2077 {
2078 unsigned char request[PFKEY_BUFFER_SIZE];
2079 struct sadb_msg *msg, *out;
2080 struct {
2081 u_int8_t proto;
2082 char *name;
2083 } protos[] = {
2084 { SADB_SATYPE_AH, "AH" },
2085 { SADB_SATYPE_ESP, "ESP" },
2086 { SADB_X_SATYPE_IPCOMP, "IPComp" },
2087 };
2088 size_t len;
2089 int i;
2090
2091 memset(&request, 0, sizeof(request));
2092
2093 msg = (struct sadb_msg*)request;
2094 msg->sadb_msg_version = PF_KEY_V2;
2095 msg->sadb_msg_type = SADB_FLUSH;
2096 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2097
2098 for (i = 0; i < countof(protos); i++)
2099 {
2100 DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name);
2101
2102 msg->sadb_msg_satype = protos[i].proto;
2103 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2104 {
2105 DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name);
2106 return FAILED;
2107 }
2108 else if (out->sadb_msg_errno)
2109 {
2110 DBG1(DBG_KNL, "unable to flush %s SAD entries: %s (%d)",
2111 protos[i].name, strerror(out->sadb_msg_errno),
2112 out->sadb_msg_errno);
2113 free(out);
2114 return FAILED;
2115 }
2116 free(out);
2117 }
2118 return SUCCESS;
2119 }
2120
2121 /**
2122 * Add an explicit exclude route to a routing entry
2123 */
2124 static void add_exclude_route(private_kernel_pfkey_ipsec_t *this,
2125 route_entry_t *route, host_t *src, host_t *dst)
2126 {
2127 enumerator_t *enumerator;
2128 exclude_route_t *exclude;
2129 host_t *gtw;
2130
2131 enumerator = this->excludes->create_enumerator(this->excludes);
2132 while (enumerator->enumerate(enumerator, &exclude))
2133 {
2134 if (dst->ip_equals(dst, exclude->dst))
2135 {
2136 route->exclude = exclude;
2137 exclude->refs++;
2138 }
2139 }
2140 enumerator->destroy(enumerator);
2141
2142 if (!route->exclude)
2143 {
2144 DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src);
2145 gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
2146 dst, -1, NULL);
2147 if (gtw)
2148 {
2149 char *if_name = NULL;
2150
2151 if (hydra->kernel_interface->get_interface(
2152 hydra->kernel_interface, src, &if_name) &&
2153 hydra->kernel_interface->add_route(hydra->kernel_interface,
2154 dst->get_address(dst),
2155 dst->get_family(dst) == AF_INET ? 32 : 128,
2156 gtw, src, if_name) == SUCCESS)
2157 {
2158 INIT(exclude,
2159 .dst = dst->clone(dst),
2160 .src = src->clone(src),
2161 .gtw = gtw->clone(gtw),
2162 .refs = 1,
2163 );
2164 route->exclude = exclude;
2165 this->excludes->insert_last(this->excludes, exclude);
2166 }
2167 else
2168 {
2169 DBG1(DBG_KNL, "installing exclude route for %H failed", dst);
2170 }
2171 gtw->destroy(gtw);
2172 free(if_name);
2173 }
2174 else
2175 {
2176 DBG1(DBG_KNL, "gateway lookup for for %H failed", dst);
2177 }
2178 }
2179 }
2180
2181 /**
2182 * Remove an exclude route attached to a routing entry
2183 */
2184 static void remove_exclude_route(private_kernel_pfkey_ipsec_t *this,
2185 route_entry_t *route)
2186 {
2187 if (route->exclude)
2188 {
2189 enumerator_t *enumerator;
2190 exclude_route_t *exclude;
2191 bool removed = FALSE;
2192 host_t *dst;
2193
2194 enumerator = this->excludes->create_enumerator(this->excludes);
2195 while (enumerator->enumerate(enumerator, &exclude))
2196 {
2197 if (route->exclude == exclude)
2198 {
2199 if (--exclude->refs == 0)
2200 {
2201 this->excludes->remove_at(this->excludes, enumerator);
2202 removed = TRUE;
2203 break;
2204 }
2205 }
2206 }
2207 enumerator->destroy(enumerator);
2208
2209 if (removed)
2210 {
2211 char *if_name = NULL;
2212
2213 dst = route->exclude->dst;
2214 DBG2(DBG_KNL, "uninstalling exclude route for %H src %H",
2215 dst, route->exclude->src);
2216 if (hydra->kernel_interface->get_interface(
2217 hydra->kernel_interface,
2218 route->exclude->src, &if_name) &&
2219 hydra->kernel_interface->del_route(hydra->kernel_interface,
2220 dst->get_address(dst),
2221 dst->get_family(dst) == AF_INET ? 32 : 128,
2222 route->exclude->gtw, route->exclude->src,
2223 if_name) != SUCCESS)
2224 {
2225 DBG1(DBG_KNL, "uninstalling exclude route for %H failed", dst);
2226 }
2227 exclude_route_destroy(route->exclude);
2228 free(if_name);
2229 }
2230 route->exclude = NULL;
2231 }
2232 }
2233
2234 /**
2235 * Try to install a route to the given inbound policy
2236 */
2237 static bool install_route(private_kernel_pfkey_ipsec_t *this,
2238 policy_entry_t *policy, policy_sa_in_t *in)
2239 {
2240 route_entry_t *route, *old;
2241 host_t *host, *src, *dst;
2242 bool is_virtual;
2243
2244 if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
2245 in->dst_ts, &host, &is_virtual) != SUCCESS)
2246 {
2247 return FALSE;
2248 }
2249
2250 /* switch src/dst, as we handle an IN policy */
2251 src = in->generic.sa->dst;
2252 dst = in->generic.sa->src;
2253
2254 INIT(route,
2255 .prefixlen = policy->src.mask,
2256 .src_ip = host,
2257 .dst_net = chunk_clone(policy->src.net->get_address(policy->src.net)),
2258 );
2259
2260 if (!dst->is_anyaddr(dst))
2261 {
2262 route->gateway = hydra->kernel_interface->get_nexthop(
2263 hydra->kernel_interface, dst, -1, src);
2264
2265 /* if the IP is virtual, we install the route over the interface it has
2266 * been installed on. Otherwise we use the interface we use for IKE, as
2267 * this is required for example on Linux. */
2268 if (is_virtual)
2269 {
2270 src = route->src_ip;
2271 }
2272 }
2273 else
2274 { /* for shunt policies */
2275 route->gateway = hydra->kernel_interface->get_nexthop(
2276 hydra->kernel_interface, policy->src.net,
2277 policy->src.mask, route->src_ip);
2278
2279 /* we don't have a source address, use the address we found */
2280 src = route->src_ip;
2281 }
2282
2283 /* get interface for route, using source address */
2284 if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
2285 src, &route->if_name))
2286 {
2287 route_entry_destroy(route);
2288 return FALSE;
2289 }
2290
2291 if (policy->route)
2292 {
2293 old = policy->route;
2294
2295 if (route_entry_equals(old, route))
2296 { /* such a route already exists */
2297 route_entry_destroy(route);
2298 return TRUE;
2299 }
2300 /* uninstall previously installed route */
2301 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2302 old->dst_net, old->prefixlen, old->gateway,
2303 old->src_ip, old->if_name) != SUCCESS)
2304 {
2305 DBG1(DBG_KNL, "error uninstalling route installed with policy "
2306 "%R === %R %N", in->src_ts, in->dst_ts,
2307 policy_dir_names, policy->direction);
2308 }
2309 route_entry_destroy(old);
2310 policy->route = NULL;
2311 }
2312
2313 /* if remote traffic selector covers the IKE peer, add an exclude route */
2314 if (hydra->kernel_interface->get_features(
2315 hydra->kernel_interface) & KERNEL_REQUIRE_EXCLUDE_ROUTE)
2316 {
2317 if (in->src_ts->is_host(in->src_ts, dst))
2318 {
2319 DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts "
2320 "with IKE traffic", in->src_ts, in->dst_ts, policy_dir_names,
2321 policy->direction);
2322 route_entry_destroy(route);
2323 return FALSE;
2324 }
2325 if (in->src_ts->includes(in->src_ts, dst))
2326 {
2327 add_exclude_route(this, route, in->generic.sa->dst, dst);
2328 }
2329 }
2330
2331 DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
2332 in->src_ts, route->gateway, route->src_ip, route->if_name);
2333
2334 switch (hydra->kernel_interface->add_route(hydra->kernel_interface,
2335 route->dst_net, route->prefixlen, route->gateway,
2336 route->src_ip, route->if_name))
2337 {
2338 case ALREADY_DONE:
2339 /* route exists, do not uninstall */
2340 remove_exclude_route(this, route);
2341 route_entry_destroy(route);
2342 return TRUE;
2343 case SUCCESS:
2344 /* cache the installed route */
2345 policy->route = route;
2346 return TRUE;
2347 default:
2348 DBG1(DBG_KNL, "installing route failed: %R via %H src %H dev %s",
2349 in->src_ts, route->gateway, route->src_ip, route->if_name);
2350 remove_exclude_route(this, route);
2351 route_entry_destroy(route);
2352 return FALSE;
2353 }
2354 }
2355
2356 /**
2357 * Add or update a policy in the kernel.
2358 *
2359 * Note: The mutex has to be locked when entering this function.
2360 */
2361 static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
2362 policy_entry_t *policy, policy_sa_t *mapping, bool update)
2363 {
2364 unsigned char request[PFKEY_BUFFER_SIZE];
2365 struct sadb_msg *msg, *out;
2366 struct sadb_x_policy *pol;
2367 struct sadb_x_ipsecrequest *req;
2368 ipsec_sa_t *ipsec = mapping->sa;
2369 pfkey_msg_t response;
2370 size_t len;
2371 ipsec_mode_t proto_mode;
2372 status_t status;
2373
2374 memset(&request, 0, sizeof(request));
2375
2376 msg = (struct sadb_msg*)request;
2377 msg->sadb_msg_version = PF_KEY_V2;
2378 msg->sadb_msg_type = update ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
2379 msg->sadb_msg_satype = 0;
2380 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2381
2382 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2383 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2384 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2385 pol->sadb_x_policy_id = 0;
2386 pol->sadb_x_policy_dir = dir2kernel(policy->direction);
2387 pol->sadb_x_policy_type = type2kernel(mapping->type);
2388 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
2389 pol->sadb_x_policy_priority = mapping->priority;
2390 #endif
2391
2392 /* one or more sadb_x_ipsecrequest extensions are added to the
2393 * sadb_x_policy extension */
2394 proto_mode = ipsec->cfg.mode;
2395
2396 req = (struct sadb_x_ipsecrequest*)(pol + 1);
2397
2398 if (ipsec->cfg.ipcomp.transform != IPCOMP_NONE)
2399 {
2400 req->sadb_x_ipsecrequest_proto = IPPROTO_COMP;
2401
2402 /* !!! the length here MUST be in octets instead of 64 bit words */
2403 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
2404 req->sadb_x_ipsecrequest_mode = mode2kernel(ipsec->cfg.mode);
2405 req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid;
2406 req->sadb_x_ipsecrequest_level = (policy->direction == POLICY_OUT) ?
2407 IPSEC_LEVEL_UNIQUE : IPSEC_LEVEL_USE;
2408 if (ipsec->cfg.mode == MODE_TUNNEL)
2409 {
2410 len = hostcpy(req + 1, ipsec->src, FALSE);
2411 req->sadb_x_ipsecrequest_len += len;
2412 len = hostcpy((char*)(req + 1) + len, ipsec->dst, FALSE);
2413 req->sadb_x_ipsecrequest_len += len;
2414 /* use transport mode for other SAs */
2415 proto_mode = MODE_TRANSPORT;
2416 }
2417
2418 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
2419 req = (struct sadb_x_ipsecrequest*)((char*)(req) +
2420 req->sadb_x_ipsecrequest_len);
2421 }
2422
2423 req->sadb_x_ipsecrequest_proto = ipsec->cfg.esp.use ? IPPROTO_ESP
2424 : IPPROTO_AH;
2425 /* !!! the length here MUST be in octets instead of 64 bit words */
2426 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
2427 req->sadb_x_ipsecrequest_mode = mode2kernel(proto_mode);
2428 req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid;
2429 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
2430 if (proto_mode == MODE_TUNNEL)
2431 {
2432 len = hostcpy(req + 1, ipsec->src, FALSE);
2433 req->sadb_x_ipsecrequest_len += len;
2434 len = hostcpy((char*)(req + 1) + len, ipsec->dst, FALSE);
2435 req->sadb_x_ipsecrequest_len += len;
2436 }
2437
2438 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
2439 PFKEY_EXT_ADD(msg, pol);
2440
2441 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2442 policy->src.mask, TRUE);
2443 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2444 policy->dst.mask, TRUE);
2445
2446 #ifdef __FreeBSD__
2447 { /* on FreeBSD a lifetime has to be defined to be able to later query
2448 * the current use time. */
2449 struct sadb_lifetime *lft;
2450 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
2451 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
2452 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
2453 lft->sadb_lifetime_addtime = LONG_MAX;
2454 PFKEY_EXT_ADD(msg, lft);
2455 }
2456 #endif
2457
2458 this->mutex->unlock(this->mutex);
2459
2460 status = pfkey_send(this, msg, &out, &len);
2461 if (status == SUCCESS && !update && out->sadb_msg_errno == EEXIST)
2462 {
2463 DBG1(DBG_KNL, "policy already exists, try to update it");
2464 free(out);
2465 msg->sadb_msg_type = SADB_X_SPDUPDATE;
2466 status = pfkey_send(this, msg, &out, &len);
2467 }
2468 if (status != SUCCESS)
2469 {
2470 return FAILED;
2471 }
2472 else if (out->sadb_msg_errno)
2473 {
2474 DBG1(DBG_KNL, "unable to %s policy: %s (%d)",
2475 update ? "update" : "add", strerror(out->sadb_msg_errno),
2476 out->sadb_msg_errno);
2477 free(out);
2478 return FAILED;
2479 }
2480 else if (parse_pfkey_message(out, &response) != SUCCESS)
2481 {
2482 DBG1(DBG_KNL, "unable to %s policy: parsing response from kernel "
2483 "failed", update ? "update" : "add");
2484 free(out);
2485 return FAILED;
2486 }
2487
2488 /* we try to find the policy again and update the kernel index */
2489 this->mutex->lock(this->mutex);
2490 if (this->policies->find_first(this->policies, NULL,
2491 (void**)&policy) != SUCCESS)
2492 {
2493 DBG2(DBG_KNL, "unable to update index, the policy is already gone, "
2494 "ignoring");
2495 this->mutex->unlock(this->mutex);
2496 free(out);
2497 return SUCCESS;
2498 }
2499 policy->index = response.x_policy->sadb_x_policy_id;
2500 free(out);
2501
2502 /* install a route, if:
2503 * - this is an inbound policy (to just get one for each child)
2504 * - we are in tunnel mode or install a bypass policy
2505 * - routing is not disabled via strongswan.conf
2506 */
2507 if (policy->direction == POLICY_IN && this->install_routes &&
2508 (mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT))
2509 {
2510 install_route(this, policy, (policy_sa_in_t*)mapping);
2511 }
2512 this->mutex->unlock(this->mutex);
2513 return SUCCESS;
2514 }
2515
2516 METHOD(kernel_ipsec_t, add_policy, status_t,
2517 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
2518 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
2519 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
2520 mark_t mark, policy_priority_t priority)
2521 {
2522 policy_entry_t *policy, *found = NULL;
2523 policy_sa_t *assigned_sa, *current_sa;
2524 enumerator_t *enumerator;
2525 bool update = TRUE;
2526
2527 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2528 { /* FWD policies are not supported on all platforms */
2529 return SUCCESS;
2530 }
2531
2532 /* create a policy */
2533 policy = create_policy_entry(src_ts, dst_ts, direction);
2534
2535 /* find a matching policy */
2536 this->mutex->lock(this->mutex);
2537 if (this->policies->find_first(this->policies,
2538 (linked_list_match_t)policy_entry_equals,
2539 (void**)&found, policy) == SUCCESS)
2540 { /* use existing policy */
2541 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
2542 "refcount", src_ts, dst_ts, policy_dir_names, direction);
2543 policy_entry_destroy(policy, this);
2544 policy = found;
2545 }
2546 else
2547 { /* use the new one, if we have no such policy */
2548 this->policies->insert_first(this->policies, policy);
2549 policy->used_by = linked_list_create();
2550 }
2551
2552 /* cache the assigned IPsec SA */
2553 assigned_sa = policy_sa_create(this, direction, type, src, dst, src_ts,
2554 dst_ts, sa);
2555 assigned_sa->priority = get_priority(policy, priority);
2556
2557 /* insert the SA according to its priority */
2558 enumerator = policy->used_by->create_enumerator(policy->used_by);
2559 while (enumerator->enumerate(enumerator, (void**)&current_sa))
2560 {
2561 if (current_sa->priority >= assigned_sa->priority)
2562 {
2563 break;
2564 }
2565 update = FALSE;
2566 }
2567 policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa);
2568 enumerator->destroy(enumerator);
2569
2570 if (!update)
2571 { /* we don't update the policy if the priority is lower than that of the
2572 * currently installed one */
2573 this->mutex->unlock(this->mutex);
2574 return SUCCESS;
2575 }
2576
2577 DBG2(DBG_KNL, "%s policy %R === %R %N",
2578 found ? "updating" : "adding", src_ts, dst_ts,
2579 policy_dir_names, direction);
2580
2581 if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS)
2582 {
2583 DBG1(DBG_KNL, "unable to %s policy %R === %R %N",
2584 found ? "update" : "add", src_ts, dst_ts,
2585 policy_dir_names, direction);
2586 return FAILED;
2587 }
2588 return SUCCESS;
2589 }
2590
2591 METHOD(kernel_ipsec_t, query_policy, status_t,
2592 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
2593 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
2594 time_t *use_time)
2595 {
2596 unsigned char request[PFKEY_BUFFER_SIZE];
2597 struct sadb_msg *msg, *out;
2598 struct sadb_x_policy *pol;
2599 policy_entry_t *policy, *found = NULL;
2600 pfkey_msg_t response;
2601 size_t len;
2602
2603 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2604 { /* FWD policies are not supported on all platforms */
2605 return NOT_FOUND;
2606 }
2607
2608 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
2609 policy_dir_names, direction);
2610
2611 /* create a policy */
2612 policy = create_policy_entry(src_ts, dst_ts, direction);
2613
2614 /* find a matching policy */
2615 this->mutex->lock(this->mutex);
2616 if (this->policies->find_first(this->policies,
2617 (linked_list_match_t)policy_entry_equals,
2618 (void**)&found, policy) != SUCCESS)
2619 {
2620 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
2621 dst_ts, policy_dir_names, direction);
2622 policy_entry_destroy(policy, this);
2623 this->mutex->unlock(this->mutex);
2624 return NOT_FOUND;
2625 }
2626 policy_entry_destroy(policy, this);
2627 policy = found;
2628
2629 memset(&request, 0, sizeof(request));
2630
2631 msg = (struct sadb_msg*)request;
2632 msg->sadb_msg_version = PF_KEY_V2;
2633 msg->sadb_msg_type = SADB_X_SPDGET;
2634 msg->sadb_msg_satype = 0;
2635 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2636
2637 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2638 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2639 pol->sadb_x_policy_id = policy->index;
2640 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2641 pol->sadb_x_policy_dir = dir2kernel(direction);
2642 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2643 PFKEY_EXT_ADD(msg, pol);
2644
2645 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2646 policy->src.mask, TRUE);
2647 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2648 policy->dst.mask, TRUE);
2649
2650 this->mutex->unlock(this->mutex);
2651
2652 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2653 {
2654 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
2655 policy_dir_names, direction);
2656 return FAILED;
2657 }
2658 else if (out->sadb_msg_errno)
2659 {
2660 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
2661 dst_ts, policy_dir_names, direction,
2662 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2663 free(out);
2664 return FAILED;
2665 }
2666 else if (parse_pfkey_message(out, &response) != SUCCESS)
2667 {
2668 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
2669 "from kernel failed", src_ts, dst_ts, policy_dir_names,
2670 direction);
2671 free(out);
2672 return FAILED;
2673 }
2674 else if (response.lft_current == NULL)
2675 {
2676 DBG2(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
2677 "use time", src_ts, dst_ts, policy_dir_names, direction);
2678 free(out);
2679 return FAILED;
2680 }
2681
2682 /* we need the monotonic time, but the kernel returns system time. */
2683 if (response.lft_current->sadb_lifetime_usetime)
2684 {
2685 *use_time = time_monotonic(NULL) -
2686 (time(NULL) - response.lft_current->sadb_lifetime_usetime);
2687 }
2688 else
2689 {
2690 *use_time = 0;
2691 }
2692 free(out);
2693 return SUCCESS;
2694 }
2695
2696 METHOD(kernel_ipsec_t, del_policy, status_t,
2697 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
2698 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
2699 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
2700 mark_t mark, policy_priority_t prio)
2701 {
2702 unsigned char request[PFKEY_BUFFER_SIZE];
2703 struct sadb_msg *msg, *out;
2704 struct sadb_x_policy *pol;
2705 policy_entry_t *policy, *found = NULL;
2706 policy_sa_t *mapping, *to_remove = NULL;
2707 enumerator_t *enumerator;
2708 bool first = TRUE, is_installed = TRUE;
2709 u_int32_t priority;
2710 size_t len;
2711 ipsec_sa_t assigned_sa = {
2712 .src = src,
2713 .dst = dst,
2714 .cfg = *sa,
2715 };
2716
2717 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2718 { /* FWD policies are not supported on all platforms */
2719 return SUCCESS;
2720 }
2721
2722 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
2723 policy_dir_names, direction);
2724
2725 /* create a policy */
2726 policy = create_policy_entry(src_ts, dst_ts, direction);
2727
2728 /* find a matching policy */
2729 this->mutex->lock(this->mutex);
2730 if (this->policies->find_first(this->policies,
2731 (linked_list_match_t)policy_entry_equals,
2732 (void**)&found, policy) != SUCCESS)
2733 {
2734 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
2735 dst_ts, policy_dir_names, direction);
2736 policy_entry_destroy(policy, this);
2737 this->mutex->unlock(this->mutex);
2738 return NOT_FOUND;
2739 }
2740 policy_entry_destroy(policy, this);
2741 policy = found;
2742
2743 /* remove mapping to SA by reqid and priority, if multiple match, which
2744 * could happen when rekeying due to an address change, remove the oldest */
2745 priority = get_priority(policy, prio);
2746 enumerator = policy->used_by->create_enumerator(policy->used_by);
2747 while (enumerator->enumerate(enumerator, (void**)&mapping))
2748 {
2749 if (priority == mapping->priority &&
2750 ipsec_sa_equals(mapping->sa, &assigned_sa))
2751 {
2752 to_remove = mapping;
2753 is_installed = first;
2754 }
2755 else if (priority < mapping->priority)
2756 {
2757 break;
2758 }
2759 first = FALSE;
2760 }
2761 enumerator->destroy(enumerator);
2762 if (!to_remove)
2763 { /* sanity check */
2764 this->mutex->unlock(this->mutex);
2765 return SUCCESS;
2766 }
2767 policy->used_by->remove(policy->used_by, to_remove, NULL);
2768 mapping = to_remove;
2769
2770 if (policy->used_by->get_count(policy->used_by) > 0)
2771 { /* policy is used by more SAs, keep in kernel */
2772 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2773 policy_sa_destroy(mapping, &direction, this);
2774
2775 if (!is_installed)
2776 { /* no need to update as the policy was not installed for this SA */
2777 this->mutex->unlock(this->mutex);
2778 return SUCCESS;
2779 }
2780
2781 DBG2(DBG_KNL, "updating policy %R === %R %N", src_ts, dst_ts,
2782 policy_dir_names, direction);
2783 policy->used_by->get_first(policy->used_by, (void**)&mapping);
2784 if (add_policy_internal(this, policy, mapping, TRUE) != SUCCESS)
2785 {
2786 DBG1(DBG_KNL, "unable to update policy %R === %R %N",
2787 src_ts, dst_ts, policy_dir_names, direction);
2788 return FAILED;
2789 }
2790 return SUCCESS;
2791 }
2792
2793 memset(&request, 0, sizeof(request));
2794
2795 msg = (struct sadb_msg*)request;
2796 msg->sadb_msg_version = PF_KEY_V2;
2797 msg->sadb_msg_type = SADB_X_SPDDELETE;
2798 msg->sadb_msg_satype = 0;
2799 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2800
2801 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2802 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2803 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2804 pol->sadb_x_policy_dir = dir2kernel(direction);
2805 pol->sadb_x_policy_type = type2kernel(mapping->type);
2806 PFKEY_EXT_ADD(msg, pol);
2807
2808 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2809 policy->src.mask, TRUE);
2810 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2811 policy->dst.mask, TRUE);
2812
2813 if (policy->route)
2814 {
2815 route_entry_t *route = policy->route;
2816 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2817 route->dst_net, route->prefixlen, route->gateway,
2818 route->src_ip, route->if_name) != SUCCESS)
2819 {
2820 DBG1(DBG_KNL, "error uninstalling route installed with "
2821 "policy %R === %R %N", src_ts, dst_ts,
2822 policy_dir_names, direction);
2823 }
2824 remove_exclude_route(this, route);
2825 }
2826
2827 this->policies->remove(this->policies, found, NULL);
2828 policy_sa_destroy(mapping, &direction, this);
2829 policy_entry_destroy(policy, this);
2830 this->mutex->unlock(this->mutex);
2831
2832 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2833 {
2834 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2835 policy_dir_names, direction);
2836 return FAILED;
2837 }
2838 else if (out->sadb_msg_errno)
2839 {
2840 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
2841 dst_ts, policy_dir_names, direction,
2842 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2843 free(out);
2844 return FAILED;
2845 }
2846 free(out);
2847 return SUCCESS;
2848 }
2849
2850 METHOD(kernel_ipsec_t, flush_policies, status_t,
2851 private_kernel_pfkey_ipsec_t *this)
2852 {
2853 unsigned char request[PFKEY_BUFFER_SIZE];
2854 struct sadb_msg *msg, *out;
2855 size_t len;
2856
2857 memset(&request, 0, sizeof(request));
2858
2859 DBG2(DBG_KNL, "flushing all policies from SPD");
2860
2861 msg = (struct sadb_msg*)request;
2862 msg->sadb_msg_version = PF_KEY_V2;
2863 msg->sadb_msg_type = SADB_X_SPDFLUSH;
2864 msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
2865 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2866
2867 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2868 {
2869 DBG1(DBG_KNL, "unable to flush SPD entries");
2870 return FAILED;
2871 }
2872 else if (out->sadb_msg_errno)
2873 {
2874 DBG1(DBG_KNL, "unable to flush SPD entries: %s (%d)",
2875 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2876 free(out);
2877 return FAILED;
2878 }
2879 free(out);
2880 return SUCCESS;
2881 }
2882
2883 /**
2884 * Register a socket for ACQUIRE/EXPIRE messages
2885 */
2886 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
2887 u_int8_t satype)
2888 {
2889 unsigned char request[PFKEY_BUFFER_SIZE];
2890 struct sadb_msg *msg, *out;
2891 size_t len;
2892
2893 memset(&request, 0, sizeof(request));
2894
2895 msg = (struct sadb_msg*)request;
2896 msg->sadb_msg_version = PF_KEY_V2;
2897 msg->sadb_msg_type = SADB_REGISTER;
2898 msg->sadb_msg_satype = satype;
2899 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2900
2901 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2902 {
2903 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2904 return FAILED;
2905 }
2906 else if (out->sadb_msg_errno)
2907 {
2908 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2909 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2910 free(out);
2911 return FAILED;
2912 }