2 * Copyright (C) 2008-2015 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * Copyright (C) 2014 Nanoteq Pty Ltd
19 * Permission is hereby granted, free of charge, to any person obtaining a copy
20 * of this software and associated documentation files (the "Software"), to deal
21 * in the Software without restriction, including without limitation the rights
22 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
23 * copies of the Software, and to permit persons to whom the Software is
24 * furnished to do so, subject to the following conditions:
26 * The above copyright notice and this permission notice shall be included in
27 * all copies or substantial portions of the Software.
29 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
30 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
31 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
32 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
33 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
34 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
39 #include <sys/types.h>
40 #include <sys/socket.h>
43 #include <limits.h> /* for LONG_MAX */
46 #ifdef HAVE_NET_PFKEYV2_H
47 #include <net/pfkeyv2.h>
49 #include <linux/pfkeyv2.h>
52 #ifdef SADB_X_EXT_NAT_T_TYPE
56 #ifdef HAVE_NETIPSEC_IPSEC_H
57 #include <netipsec/ipsec.h>
58 #elif defined(HAVE_NETINET6_IPSEC_H)
59 #include <netinet6/ipsec.h>
61 #include <linux/ipsec.h>
65 #ifdef HAVE_LINUX_UDP_H
66 #include <linux/udp.h>
68 #include <netinet/udp.h>
69 #endif /*HAVE_LINUX_UDP_H*/
76 #include <sys/sysctl.h>
79 #include "kernel_pfkey_ipsec.h"
82 #include <utils/debug.h>
83 #include <networking/host.h>
84 #include <collections/linked_list.h>
85 #include <collections/hashtable.h>
86 #include <threading/mutex.h>
88 /** non linux specific */
91 #define IPPROTO_COMP IPPROTO_IPCOMP
95 #ifndef SADB_X_AALG_SHA2_256HMAC
96 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
97 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
98 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
101 #ifndef SADB_X_EALG_AESCBC
102 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
105 #ifndef SADB_X_EALG_CASTCBC
106 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
109 #if !defined(SADB_X_EALG_AES_GCM_ICV8) && defined(SADB_X_EALG_AESGCM8)
110 #define SADB_X_EALG_AES_GCM_ICV8 SADB_X_EALG_AESGCM8
111 #define SADB_X_EALG_AES_GCM_ICV12 SADB_X_EALG_AESGCM12
112 #define SADB_X_EALG_AES_GCM_ICV16 SADB_X_EALG_AESGCM16
116 #define SOL_IP IPPROTO_IP
117 #define SOL_IPV6 IPPROTO_IPV6
120 /** from linux/in.h */
121 #ifndef IP_IPSEC_POLICY
122 #define IP_IPSEC_POLICY 16
125 /** missing on uclibc */
126 #ifndef IPV6_IPSEC_POLICY
127 #define IPV6_IPSEC_POLICY 34
130 /* from linux/udp.h */
132 #define UDP_ENCAP 100
135 #ifndef UDP_ENCAP_ESPINUDP
136 #define UDP_ENCAP_ESPINUDP 2
139 /* this is not defined on some platforms */
141 #define SOL_UDP IPPROTO_UDP
144 /** base priority for installed policies */
145 #define PRIO_BASE 384
148 /** from xnu/bsd/net/pfkeyv2.h */
149 #define SADB_X_EXT_NATT 0x002
152 u_int16_t sadb_sa_natt_port
;
153 u_int16_t sadb_reserved0
;
154 u_int32_t sadb_reserved1
;
158 /** buffer size for PF_KEY messages */
159 #define PFKEY_BUFFER_SIZE 4096
161 /** PF_KEY messages are 64 bit aligned */
162 #define PFKEY_ALIGNMENT 8
163 /** aligns len to 64 bits */
164 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
165 /** calculates the properly padded length in 64 bit chunks */
166 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
167 /** calculates user mode length i.e. in bytes */
168 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
170 /** given a PF_KEY message header and an extension this updates the length in the header */
171 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
172 /** given a PF_KEY message header this returns a pointer to the next extension */
173 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
174 /** copy an extension and append it to a PF_KEY message */
175 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
176 /** given a PF_KEY extension this returns a pointer to the next extension */
177 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
178 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
179 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
180 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
181 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
182 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
183 (ext)->sadb_ext_len <= (len))
185 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t
;
188 * Private variables and functions of kernel_pfkey class.
190 struct private_kernel_pfkey_ipsec_t
193 * Public part of the kernel_pfkey_t object.
195 kernel_pfkey_ipsec_t
public;
198 * mutex to lock access to various lists
203 * List of installed policies (policy_entry_t)
205 linked_list_t
*policies
;
208 * List of exclude routes (exclude_route_t)
210 linked_list_t
*excludes
;
213 * Hash table of IPsec SAs using policies (ipsec_sa_t)
218 * whether to install routes along policies
223 * mutex to lock access to the PF_KEY socket
225 mutex_t
*mutex_pfkey
;
228 * PF_KEY socket to communicate with the kernel
233 * PF_KEY socket to receive acquire and expire events
238 * sequence number for messages sent to the kernel
243 typedef struct exclude_route_t exclude_route_t
;
246 * Exclude route definition
248 struct exclude_route_t
{
249 /** destination address of exclude */
251 /** source address for route */
253 /** nexthop exclude has been installed */
255 /** references to this route */
260 * clean up a route exclude entry
262 static void exclude_route_destroy(exclude_route_t
*this)
264 this->dst
->destroy(this->dst
);
265 this->src
->destroy(this->src
);
266 this->gtw
->destroy(this->gtw
);
270 typedef struct route_entry_t route_entry_t
;
273 * installed routing entry
275 struct route_entry_t
{
276 /** name of the interface the route is bound to */
279 /** source ip of the route */
282 /** gateway for this route */
285 /** destination net */
288 /** destination net prefixlen */
291 /** reference to exclude route, if any */
292 exclude_route_t
*exclude
;
296 * destroy an route_entry_t object
298 static void route_entry_destroy(route_entry_t
*this)
301 DESTROY_IF(this->src_ip
);
302 DESTROY_IF(this->gateway
);
303 chunk_free(&this->dst_net
);
308 * compare two route_entry_t objects
310 static bool route_entry_equals(route_entry_t
*a
, route_entry_t
*b
)
312 return a
->if_name
&& b
->if_name
&& streq(a
->if_name
, b
->if_name
) &&
313 a
->src_ip
->ip_equals(a
->src_ip
, b
->src_ip
) &&
314 a
->gateway
&& b
->gateway
&&
315 a
->gateway
->ip_equals(a
->gateway
, b
->gateway
) &&
316 chunk_equals(a
->dst_net
, b
->dst_net
) && a
->prefixlen
== b
->prefixlen
;
319 typedef struct ipsec_sa_t ipsec_sa_t
;
322 * IPsec SA assigned to a policy.
325 /** Source address of this SA */
328 /** Destination address of this SA */
331 /** Description of this SA */
334 /** Reference count for this SA */
339 * Hash function for ipsec_sa_t objects
341 static u_int
ipsec_sa_hash(ipsec_sa_t
*sa
)
343 return chunk_hash_inc(sa
->src
->get_address(sa
->src
),
344 chunk_hash_inc(sa
->dst
->get_address(sa
->dst
),
345 chunk_hash(chunk_from_thing(sa
->cfg
))));
349 * Equality function for ipsec_sa_t objects
351 static bool ipsec_sa_equals(ipsec_sa_t
*sa
, ipsec_sa_t
*other_sa
)
353 return sa
->src
->ip_equals(sa
->src
, other_sa
->src
) &&
354 sa
->dst
->ip_equals(sa
->dst
, other_sa
->dst
) &&
355 memeq(&sa
->cfg
, &other_sa
->cfg
, sizeof(ipsec_sa_cfg_t
));
359 * Allocate or reference an IPsec SA object
361 static ipsec_sa_t
*ipsec_sa_create(private_kernel_pfkey_ipsec_t
*this,
362 host_t
*src
, host_t
*dst
,
365 ipsec_sa_t
*sa
, *found
;
371 found
= this->sas
->get(this->sas
, sa
);
374 sa
->src
= src
->clone(src
);
375 sa
->dst
= dst
->clone(dst
);
376 this->sas
->put(this->sas
, sa
, sa
);
383 ref_get(&sa
->refcount
);
388 * Release and destroy an IPsec SA object
390 static void ipsec_sa_destroy(private_kernel_pfkey_ipsec_t
*this,
393 if (ref_put(&sa
->refcount
))
395 this->sas
->remove(this->sas
, sa
);
402 typedef struct policy_sa_t policy_sa_t
;
403 typedef struct policy_sa_in_t policy_sa_in_t
;
406 * Mapping between a policy and an IPsec SA.
409 /** Priority assigned to the policy when installed with this SA */
412 /** Type of the policy */
420 * For input policies we also cache the traffic selectors in order to install
423 struct policy_sa_in_t
{
424 /** Generic interface */
427 /** Source traffic selector of this policy */
428 traffic_selector_t
*src_ts
;
430 /** Destination traffic selector of this policy */
431 traffic_selector_t
*dst_ts
;
435 * Create a policy_sa(_in)_t object
437 static policy_sa_t
*policy_sa_create(private_kernel_pfkey_ipsec_t
*this,
438 policy_dir_t dir
, policy_type_t type
, host_t
*src
, host_t
*dst
,
439 traffic_selector_t
*src_ts
, traffic_selector_t
*dst_ts
, ipsec_sa_cfg_t
*cfg
)
443 if (dir
== POLICY_IN
)
447 .src_ts
= src_ts
->clone(src_ts
),
448 .dst_ts
= dst_ts
->clone(dst_ts
),
450 policy
= &in
->generic
;
454 INIT(policy
, .priority
= 0);
457 policy
->sa
= ipsec_sa_create(this, src
, dst
, cfg
);
462 * Destroy a policy_sa(_in)_t object
464 static void policy_sa_destroy(policy_sa_t
*policy
, policy_dir_t
*dir
,
465 private_kernel_pfkey_ipsec_t
*this)
467 if (*dir
== POLICY_IN
)
469 policy_sa_in_t
*in
= (policy_sa_in_t
*)policy
;
470 in
->src_ts
->destroy(in
->src_ts
);
471 in
->dst_ts
->destroy(in
->dst_ts
);
473 ipsec_sa_destroy(this, policy
->sa
);
477 typedef struct policy_entry_t policy_entry_t
;
480 * installed kernel policy.
482 struct policy_entry_t
{
483 /** Index assigned by the kernel */
486 /** Direction of this policy: in, out, forward */
489 /** Parameters of installed policy */
491 /** Subnet and port */
499 /** Associated route installed for this policy */
500 route_entry_t
*route
;
502 /** List of SAs this policy is used by, ordered by priority */
503 linked_list_t
*used_by
;
507 * Create a policy_entry_t object
509 static policy_entry_t
*create_policy_entry(traffic_selector_t
*src_ts
,
510 traffic_selector_t
*dst_ts
,
513 policy_entry_t
*policy
;
520 src_ts
->to_subnet(src_ts
, &policy
->src
.net
, &policy
->src
.mask
);
521 dst_ts
->to_subnet(dst_ts
, &policy
->dst
.net
, &policy
->dst
.mask
);
523 /* src or dest proto may be "any" (0), use more restrictive one */
524 proto
= max(src_ts
->get_protocol(src_ts
), dst_ts
->get_protocol(dst_ts
));
525 /* map the ports to ICMP type/code how the Linux kernel expects them, that
526 * is, type in src, code in dst */
527 if (proto
== IPPROTO_ICMP
|| proto
== IPPROTO_ICMPV6
)
529 port
= max(policy
->src
.net
->get_port(policy
->src
.net
),
530 policy
->dst
.net
->get_port(policy
->dst
.net
));
531 policy
->src
.net
->set_port(policy
->src
.net
,
532 traffic_selector_icmp_type(port
));
533 policy
->dst
.net
->set_port(policy
->dst
.net
,
534 traffic_selector_icmp_code(port
));
538 proto
= IPSEC_PROTO_ANY
;
540 policy
->src
.proto
= policy
->dst
.proto
= proto
;
546 * Destroy a policy_entry_t object
548 static void policy_entry_destroy(policy_entry_t
*policy
,
549 private_kernel_pfkey_ipsec_t
*this)
553 route_entry_destroy(policy
->route
);
557 policy
->used_by
->invoke_function(policy
->used_by
,
558 (linked_list_invoke_t
)policy_sa_destroy
,
559 &policy
->direction
, this);
560 policy
->used_by
->destroy(policy
->used_by
);
562 DESTROY_IF(policy
->src
.net
);
563 DESTROY_IF(policy
->dst
.net
);
568 * compares two policy_entry_t
570 static inline bool policy_entry_equals(policy_entry_t
*current
,
571 policy_entry_t
*policy
)
573 return current
->direction
== policy
->direction
&&
574 current
->src
.proto
== policy
->src
.proto
&&
575 current
->dst
.proto
== policy
->dst
.proto
&&
576 current
->src
.mask
== policy
->src
.mask
&&
577 current
->dst
.mask
== policy
->dst
.mask
&&
578 current
->src
.net
->equals(current
->src
.net
, policy
->src
.net
) &&
579 current
->dst
.net
->equals(current
->dst
.net
, policy
->dst
.net
);
583 * compare the given kernel index with that of a policy
585 static inline bool policy_entry_match_byindex(policy_entry_t
*current
,
588 return current
->index
== *index
;
592 * Calculate the priority of a policy
594 static inline u_int32_t
get_priority(policy_entry_t
*policy
,
595 policy_priority_t prio
)
597 u_int32_t priority
= PRIO_BASE
;
600 case POLICY_PRIORITY_FALLBACK
:
603 case POLICY_PRIORITY_ROUTED
:
606 case POLICY_PRIORITY_DEFAULT
:
609 case POLICY_PRIORITY_PASS
:
612 /* calculate priority based on selector size, small size = high prio */
613 priority
-= policy
->src
.mask
;
614 priority
-= policy
->dst
.mask
;
615 priority
<<= 2; /* make some room for the two flags */
616 priority
+= policy
->src
.net
->get_port(policy
->src
.net
) ||
617 policy
->dst
.net
->get_port(policy
->dst
.net
) ?
619 priority
+= policy
->src
.proto
!= IPSEC_PROTO_ANY ?
0 : 1;
623 typedef struct pfkey_msg_t pfkey_msg_t
;
628 * PF_KEY message base
630 struct sadb_msg
*msg
;
633 * PF_KEY message extensions
636 struct sadb_ext
*ext
[SADB_EXT_MAX
+ 1];
638 struct sadb_ext
*reserved
; /* SADB_EXT_RESERVED */
639 struct sadb_sa
*sa
; /* SADB_EXT_SA */
640 struct sadb_lifetime
*lft_current
; /* SADB_EXT_LIFETIME_CURRENT */
641 struct sadb_lifetime
*lft_hard
; /* SADB_EXT_LIFETIME_HARD */
642 struct sadb_lifetime
*lft_soft
; /* SADB_EXT_LIFETIME_SOFT */
643 struct sadb_address
*src
; /* SADB_EXT_ADDRESS_SRC */
644 struct sadb_address
*dst
; /* SADB_EXT_ADDRESS_DST */
645 struct sadb_address
*proxy
; /* SADB_EXT_ADDRESS_PROXY */
646 struct sadb_key
*key_auth
; /* SADB_EXT_KEY_AUTH */
647 struct sadb_key
*key_encr
; /* SADB_EXT_KEY_ENCRYPT */
648 struct sadb_ident
*id_src
; /* SADB_EXT_IDENTITY_SRC */
649 struct sadb_ident
*id_dst
; /* SADB_EXT_IDENTITY_DST */
650 struct sadb_sens
*sensitivity
; /* SADB_EXT_SENSITIVITY */
651 struct sadb_prop
*proposal
; /* SADB_EXT_PROPOSAL */
652 struct sadb_supported
*supported_auth
; /* SADB_EXT_SUPPORTED_AUTH */
653 struct sadb_supported
*supported_encr
; /* SADB_EXT_SUPPORTED_ENCRYPT */
654 struct sadb_spirange
*spirange
; /* SADB_EXT_SPIRANGE */
655 struct sadb_x_kmprivate
*x_kmprivate
; /* SADB_X_EXT_KMPRIVATE */
656 struct sadb_x_policy
*x_policy
; /* SADB_X_EXT_POLICY */
657 struct sadb_x_sa2
*x_sa2
; /* SADB_X_EXT_SA2 */
658 struct sadb_x_nat_t_type
*x_natt_type
; /* SADB_X_EXT_NAT_T_TYPE */
659 struct sadb_x_nat_t_port
*x_natt_sport
; /* SADB_X_EXT_NAT_T_SPORT */
660 struct sadb_x_nat_t_port
*x_natt_dport
; /* SADB_X_EXT_NAT_T_DPORT */
661 struct sadb_address
*x_natt_oa
; /* SADB_X_EXT_NAT_T_OA */
662 struct sadb_x_sec_ctx
*x_sec_ctx
; /* SADB_X_EXT_SEC_CTX */
663 struct sadb_x_kmaddress
*x_kmaddress
; /* SADB_X_EXT_KMADDRESS */
664 } __attribute__((__packed__
));
668 ENUM(sadb_ext_type_names
, SADB_EXT_RESERVED
, SADB_EXT_MAX
,
671 "SADB_EXT_LIFETIME_CURRENT",
672 "SADB_EXT_LIFETIME_HARD",
673 "SADB_EXT_LIFETIME_SOFT",
674 "SADB_EXT_ADDRESS_SRC",
675 "SADB_EXT_ADDRESS_DST",
676 "SADB_EXT_ADDRESS_PROXY",
678 "SADB_EXT_KEY_ENCRYPT",
679 "SADB_EXT_IDENTITY_SRC",
680 "SADB_EXT_IDENTITY_DST",
681 "SADB_EXT_SENSITIVITY",
683 "SADB_EXT_SUPPORTED_AUTH",
684 "SADB_EXT_SUPPORTED_ENCRYPT",
686 "SADB_X_EXT_KMPRIVATE",
689 "SADB_X_EXT_NAT_T_TYPE",
690 "SADB_X_EXT_NAT_T_SPORT",
691 "SADB_X_EXT_NAT_T_DPORT",
692 "SADB_X_EXT_NAT_T_OA",
693 "SADB_X_EXT_SEC_CTX",
694 "SADB_X_EXT_KMADDRESS"
698 * convert a protocol identifier to the PF_KEY sa type
700 static u_int8_t
proto2satype(u_int8_t proto
)
705 return SADB_SATYPE_ESP
;
707 return SADB_SATYPE_AH
;
709 return SADB_X_SATYPE_IPCOMP
;
716 * convert a PF_KEY sa type to a protocol identifier
718 static u_int8_t
satype2proto(u_int8_t satype
)
722 case SADB_SATYPE_ESP
:
726 case SADB_X_SATYPE_IPCOMP
:
734 * convert the general ipsec mode to the one defined in ipsec.h
736 static u_int8_t
mode2kernel(ipsec_mode_t mode
)
741 return IPSEC_MODE_TRANSPORT
;
743 return IPSEC_MODE_TUNNEL
;
744 #ifdef HAVE_IPSEC_MODE_BEET
746 return IPSEC_MODE_BEET
;
754 * convert the general policy direction to the one defined in ipsec.h
756 static u_int8_t
dir2kernel(policy_dir_t dir
)
761 return IPSEC_DIR_INBOUND
;
763 return IPSEC_DIR_OUTBOUND
;
764 #ifdef HAVE_IPSEC_DIR_FWD
766 return IPSEC_DIR_FWD
;
769 return IPSEC_DIR_INVALID
;
774 * convert the policy type to the one defined in ipsec.h
776 static inline u_int16_t
type2kernel(policy_type_t type
)
781 return IPSEC_POLICY_IPSEC
;
783 return IPSEC_POLICY_NONE
;
785 return IPSEC_POLICY_DISCARD
;
790 #ifdef SADB_X_MIGRATE
792 * convert the policy direction in ipsec.h to the general one.
794 static policy_dir_t
kernel2dir(u_int8_t dir
)
798 case IPSEC_DIR_INBOUND
:
800 case IPSEC_DIR_OUTBOUND
:
802 #ifdef HAVE_IPSEC_DIR_FWD
810 #endif /*SADB_X_MIGRATE*/
812 typedef struct kernel_algorithm_t kernel_algorithm_t
;
815 * Mapping of IKEv2 algorithms to PF_KEY algorithms
817 struct kernel_algorithm_t
{
819 * Identifier specified in IKEv2
824 * Identifier as defined in pfkeyv2.h
829 #define END_OF_LIST -1
832 * Algorithms for encryption
834 static kernel_algorithm_t encryption_algs
[] = {
835 /* {ENCR_DES_IV64, 0 }, */
836 {ENCR_DES
, SADB_EALG_DESCBC
},
837 {ENCR_3DES
, SADB_EALG_3DESCBC
},
838 /* {ENCR_RC5, 0 }, */
839 /* {ENCR_IDEA, 0 }, */
840 {ENCR_CAST
, SADB_X_EALG_CASTCBC
},
841 {ENCR_BLOWFISH
, SADB_X_EALG_BLOWFISHCBC
},
842 /* {ENCR_3IDEA, 0 }, */
843 /* {ENCR_DES_IV32, 0 }, */
844 {ENCR_NULL
, SADB_EALG_NULL
},
845 {ENCR_AES_CBC
, SADB_X_EALG_AESCBC
},
846 #ifdef SADB_X_EALG_AESCTR
847 {ENCR_AES_CTR
, SADB_X_EALG_AESCTR
},
849 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
850 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
851 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
852 #ifdef SADB_X_EALG_AES_GCM_ICV8 /* assume the others are defined too */
853 {ENCR_AES_GCM_ICV8
, SADB_X_EALG_AES_GCM_ICV8
},
854 {ENCR_AES_GCM_ICV12
, SADB_X_EALG_AES_GCM_ICV12
},
855 {ENCR_AES_GCM_ICV16
, SADB_X_EALG_AES_GCM_ICV16
},
861 * Algorithms for integrity protection
863 static kernel_algorithm_t integrity_algs
[] = {
864 {AUTH_HMAC_MD5_96
, SADB_AALG_MD5HMAC
},
865 {AUTH_HMAC_SHA1_96
, SADB_AALG_SHA1HMAC
},
866 {AUTH_HMAC_SHA2_256_128
, SADB_X_AALG_SHA2_256HMAC
},
867 {AUTH_HMAC_SHA2_384_192
, SADB_X_AALG_SHA2_384HMAC
},
868 {AUTH_HMAC_SHA2_512_256
, SADB_X_AALG_SHA2_512HMAC
},
869 /* {AUTH_DES_MAC, 0, }, */
870 /* {AUTH_KPDK_MD5, 0, }, */
871 #ifdef SADB_X_AALG_AES_XCBC_MAC
872 {AUTH_AES_XCBC_96
, SADB_X_AALG_AES_XCBC_MAC
, },
878 * Algorithms for IPComp, unused yet
880 static kernel_algorithm_t compression_algs
[] = {
881 /* {IPCOMP_OUI, 0 }, */
882 {IPCOMP_DEFLATE
, SADB_X_CALG_DEFLATE
},
883 #ifdef SADB_X_CALG_LZS
884 {IPCOMP_LZS
, SADB_X_CALG_LZS
},
886 #ifdef SADB_X_CALG_LZJH
887 {IPCOMP_LZJH
, SADB_X_CALG_LZJH
},
893 * Look up a kernel algorithm ID and its key size
895 static int lookup_algorithm(transform_type_t type
, int ikev2
)
897 kernel_algorithm_t
*list
;
902 case ENCRYPTION_ALGORITHM
:
903 list
= encryption_algs
;
905 case INTEGRITY_ALGORITHM
:
906 list
= integrity_algs
;
908 case COMPRESSION_ALGORITHM
:
909 list
= compression_algs
;
914 while (list
->ikev2
!= END_OF_LIST
)
916 if (ikev2
== list
->ikev2
)
922 hydra
->kernel_interface
->lookup_algorithm(hydra
->kernel_interface
, ikev2
,
928 * Helper to set a port in a sockaddr_t, the port has to be in host order
930 static void set_port(sockaddr_t
*addr
, u_int16_t port
)
932 switch (addr
->sa_family
)
936 struct sockaddr_in
*sin
= (struct sockaddr_in
*)addr
;
937 sin
->sin_port
= htons(port
);
942 struct sockaddr_in6
*sin6
= (struct sockaddr_in6
*)addr
;
943 sin6
->sin6_port
= htons(port
);
950 * Copy a host_t as sockaddr_t to the given memory location.
951 * @return the number of bytes copied
953 static size_t hostcpy(void *dest
, host_t
*host
, bool include_port
)
955 sockaddr_t
*addr
= host
->get_sockaddr(host
), *dest_addr
= dest
;
956 socklen_t
*len
= host
->get_sockaddr_len(host
);
958 memcpy(dest
, addr
, *len
);
959 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
960 dest_addr
->sa_len
= *len
;
964 set_port(dest_addr
, 0);
970 * add a host to the given sadb_msg
972 static void add_addr_ext(struct sadb_msg
*msg
, host_t
*host
, u_int16_t type
,
973 u_int8_t proto
, u_int8_t prefixlen
, bool include_port
)
975 struct sadb_address
*addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
978 addr
->sadb_address_exttype
= type
;
979 addr
->sadb_address_proto
= proto
;
980 addr
->sadb_address_prefixlen
= prefixlen
;
981 len
= hostcpy(addr
+ 1, host
, include_port
);
982 addr
->sadb_address_len
= PFKEY_LEN(sizeof(*addr
) + len
);
983 PFKEY_EXT_ADD(msg
, addr
);
987 * adds an empty address extension to the given sadb_msg
989 static void add_anyaddr_ext(struct sadb_msg
*msg
, int family
, u_int8_t type
)
991 socklen_t len
= (family
== AF_INET
) ?
sizeof(struct sockaddr_in
) :
992 sizeof(struct sockaddr_in6
);
993 struct sadb_address
*addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
994 addr
->sadb_address_exttype
= type
;
995 sockaddr_t
*saddr
= (sockaddr_t
*)(addr
+ 1);
996 saddr
->sa_family
= family
;
997 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
1000 addr
->sadb_address_len
= PFKEY_LEN(sizeof(*addr
) + len
);
1001 PFKEY_EXT_ADD(msg
, addr
);
1006 * add udp encap extensions to a sadb_msg
1008 static void add_encap_ext(struct sadb_msg
*msg
, host_t
*src
, host_t
*dst
)
1010 struct sadb_x_nat_t_type
* nat_type
;
1011 struct sadb_x_nat_t_port
* nat_port
;
1013 nat_type
= (struct sadb_x_nat_t_type
*)PFKEY_EXT_ADD_NEXT(msg
);
1014 nat_type
->sadb_x_nat_t_type_exttype
= SADB_X_EXT_NAT_T_TYPE
;
1015 nat_type
->sadb_x_nat_t_type_len
= PFKEY_LEN(sizeof(*nat_type
));
1016 nat_type
->sadb_x_nat_t_type_type
= UDP_ENCAP_ESPINUDP
;
1017 PFKEY_EXT_ADD(msg
, nat_type
);
1019 nat_port
= (struct sadb_x_nat_t_port
*)PFKEY_EXT_ADD_NEXT(msg
);
1020 nat_port
->sadb_x_nat_t_port_exttype
= SADB_X_EXT_NAT_T_SPORT
;
1021 nat_port
->sadb_x_nat_t_port_len
= PFKEY_LEN(sizeof(*nat_port
));
1022 nat_port
->sadb_x_nat_t_port_port
= htons(src
->get_port(src
));
1023 PFKEY_EXT_ADD(msg
, nat_port
);
1025 nat_port
= (struct sadb_x_nat_t_port
*)PFKEY_EXT_ADD_NEXT(msg
);
1026 nat_port
->sadb_x_nat_t_port_exttype
= SADB_X_EXT_NAT_T_DPORT
;
1027 nat_port
->sadb_x_nat_t_port_len
= PFKEY_LEN(sizeof(*nat_port
));
1028 nat_port
->sadb_x_nat_t_port_port
= htons(dst
->get_port(dst
));
1029 PFKEY_EXT_ADD(msg
, nat_port
);
1031 #endif /*HAVE_NATT*/
1034 * Convert a sadb_address to a traffic_selector
1036 static traffic_selector_t
* sadb_address2ts(struct sadb_address
*address
)
1038 traffic_selector_t
*ts
;
1042 proto
= address
->sadb_address_proto
;
1043 proto
= proto
== IPSEC_PROTO_ANY ?
0 : proto
;
1045 /* The Linux 2.6 kernel does not set the protocol and port information
1046 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
1048 host
= host_create_from_sockaddr((sockaddr_t
*)&address
[1]);
1049 ts
= traffic_selector_create_from_subnet(host
,
1050 address
->sadb_address_prefixlen
,
1051 proto
, host
->get_port(host
),
1052 host
->get_port(host
) ?
: 65535);
1057 * Parses a pfkey message received from the kernel
1059 static status_t
parse_pfkey_message(struct sadb_msg
*msg
, pfkey_msg_t
*out
)
1061 struct sadb_ext
* ext
;
1064 memset(out
, 0, sizeof(pfkey_msg_t
));
1067 len
= msg
->sadb_msg_len
;
1068 len
-= PFKEY_LEN(sizeof(struct sadb_msg
));
1070 ext
= (struct sadb_ext
*)(((char*)msg
) + sizeof(struct sadb_msg
));
1072 while (len
>= PFKEY_LEN(sizeof(struct sadb_ext
)))
1074 DBG3(DBG_KNL
, " %N", sadb_ext_type_names
, ext
->sadb_ext_type
);
1075 if (ext
->sadb_ext_len
< PFKEY_LEN(sizeof(struct sadb_ext
)) ||
1076 ext
->sadb_ext_len
> len
)
1078 DBG1(DBG_KNL
, "length of %N extension is invalid",
1079 sadb_ext_type_names
, ext
->sadb_ext_type
);
1083 if ((ext
->sadb_ext_type
> SADB_EXT_MAX
) || (!ext
->sadb_ext_type
))
1085 DBG1(DBG_KNL
, "type of PF_KEY extension (%d) is invalid",
1086 ext
->sadb_ext_type
);
1090 if (out
->ext
[ext
->sadb_ext_type
])
1092 DBG1(DBG_KNL
, "duplicate %N extension",
1093 sadb_ext_type_names
, ext
->sadb_ext_type
);
1097 out
->ext
[ext
->sadb_ext_type
] = ext
;
1098 ext
= PFKEY_EXT_NEXT_LEN(ext
, len
);
1103 DBG1(DBG_KNL
, "PF_KEY message length is invalid");
1111 * Send a message to a specific PF_KEY socket and handle the response.
1113 static status_t
pfkey_send_socket(private_kernel_pfkey_ipsec_t
*this, int socket
,
1114 struct sadb_msg
*in
, struct sadb_msg
**out
, size_t *out_len
)
1116 unsigned char buf
[PFKEY_BUFFER_SIZE
];
1117 struct sadb_msg
*msg
;
1120 this->mutex_pfkey
->lock(this->mutex_pfkey
);
1122 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
1123 * in particular the behavior in response to an SADB_ACQUIRE. */
1124 in
->sadb_msg_seq
= ++this->seq
;
1125 in
->sadb_msg_pid
= getpid();
1127 in_len
= PFKEY_USER_LEN(in
->sadb_msg_len
);
1131 len
= send(socket
, in
, in_len
, 0);
1137 /* interrupted, try again */
1140 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
1141 DBG1(DBG_KNL
, "error sending to PF_KEY socket: %s",
1150 msg
= (struct sadb_msg
*)buf
;
1152 len
= recv(socket
, buf
, sizeof(buf
), 0);
1158 DBG1(DBG_KNL
, "got interrupted");
1159 /* interrupted, try again */
1162 DBG1(DBG_KNL
, "error reading from PF_KEY socket: %s",
1164 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
1167 if (len
< sizeof(struct sadb_msg
) ||
1168 msg
->sadb_msg_len
< PFKEY_LEN(sizeof(struct sadb_msg
)))
1170 DBG1(DBG_KNL
, "received corrupted PF_KEY message");
1171 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
1174 if (msg
->sadb_msg_len
> len
/ PFKEY_ALIGNMENT
)
1176 DBG1(DBG_KNL
, "buffer was too small to receive the complete PF_KEY "
1178 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
1181 if (msg
->sadb_msg_pid
!= in
->sadb_msg_pid
)
1183 DBG2(DBG_KNL
, "received PF_KEY message is not intended for us");
1186 if (msg
->sadb_msg_seq
!= this->seq
)
1188 DBG2(DBG_KNL
, "received PF_KEY message with unexpected sequence "
1189 "number, was %d expected %d", msg
->sadb_msg_seq
,
1191 if (msg
->sadb_msg_seq
== 0)
1193 /* FreeBSD and Mac OS X do this for the response to
1194 * SADB_X_SPDGET (but not for the response to SADB_GET).
1195 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
1197 else if (msg
->sadb_msg_seq
< this->seq
)
1203 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
1207 if (msg
->sadb_msg_type
!= in
->sadb_msg_type
)
1209 DBG2(DBG_KNL
, "received PF_KEY message of wrong type, "
1210 "was %d expected %d, ignoring", msg
->sadb_msg_type
,
1217 *out
= (struct sadb_msg
*)malloc(len
);
1218 memcpy(*out
, buf
, len
);
1220 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
1225 * Send a message to the default PF_KEY socket and handle the response.
1227 static status_t
pfkey_send(private_kernel_pfkey_ipsec_t
*this,
1228 struct sadb_msg
*in
, struct sadb_msg
**out
,
1231 return pfkey_send_socket(this, this->socket
, in
, out
, out_len
);
1235 * Process a SADB_ACQUIRE message from the kernel
1237 static void process_acquire(private_kernel_pfkey_ipsec_t
*this,
1238 struct sadb_msg
* msg
)
1240 pfkey_msg_t response
;
1241 u_int32_t index
, reqid
= 0;
1242 traffic_selector_t
*src_ts
, *dst_ts
;
1243 policy_entry_t
*policy
;
1246 switch (msg
->sadb_msg_satype
)
1248 case SADB_SATYPE_UNSPEC
:
1249 case SADB_SATYPE_ESP
:
1250 case SADB_SATYPE_AH
:
1253 /* acquire for AH/ESP only */
1256 DBG2(DBG_KNL
, "received an SADB_ACQUIRE");
1258 if (parse_pfkey_message(msg
, &response
) != SUCCESS
)
1260 DBG1(DBG_KNL
, "parsing SADB_ACQUIRE from kernel failed");
1264 index
= response
.x_policy
->sadb_x_policy_id
;
1265 this->mutex
->lock(this->mutex
);
1266 if (this->policies
->find_first(this->policies
,
1267 (linked_list_match_t
)policy_entry_match_byindex
,
1268 (void**)&policy
, &index
) == SUCCESS
&&
1269 policy
->used_by
->get_first(policy
->used_by
, (void**)&sa
) == SUCCESS
)
1271 reqid
= sa
->sa
->cfg
.reqid
;
1275 DBG1(DBG_KNL
, "received an SADB_ACQUIRE with policy id %d but no "
1276 "matching policy found", index
);
1278 this->mutex
->unlock(this->mutex
);
1280 src_ts
= sadb_address2ts(response
.src
);
1281 dst_ts
= sadb_address2ts(response
.dst
);
1283 hydra
->kernel_interface
->acquire(hydra
->kernel_interface
, reqid
, src_ts
,
1288 * Process a SADB_EXPIRE message from the kernel
1290 static void process_expire(private_kernel_pfkey_ipsec_t
*this,
1291 struct sadb_msg
* msg
)
1293 pfkey_msg_t response
;
1299 DBG2(DBG_KNL
, "received an SADB_EXPIRE");
1301 if (parse_pfkey_message(msg
, &response
) != SUCCESS
)
1303 DBG1(DBG_KNL
, "parsing SADB_EXPIRE from kernel failed");
1307 protocol
= satype2proto(msg
->sadb_msg_satype
);
1308 spi
= response
.sa
->sadb_sa_spi
;
1309 hard
= response
.lft_hard
!= NULL
;
1311 if (protocol
== IPPROTO_ESP
|| protocol
== IPPROTO_AH
)
1313 dst
= host_create_from_sockaddr((sockaddr_t
*)(response
.dst
+ 1));
1316 hydra
->kernel_interface
->expire(hydra
->kernel_interface
, protocol
,
1323 #ifdef SADB_X_MIGRATE
1325 * Process a SADB_X_MIGRATE message from the kernel
1327 static void process_migrate(private_kernel_pfkey_ipsec_t
*this,
1328 struct sadb_msg
* msg
)
1330 pfkey_msg_t response
;
1331 traffic_selector_t
*src_ts
, *dst_ts
;
1333 u_int32_t reqid
= 0;
1334 host_t
*local
= NULL
, *remote
= NULL
;
1336 DBG2(DBG_KNL
, "received an SADB_X_MIGRATE");
1338 if (parse_pfkey_message(msg
, &response
) != SUCCESS
)
1340 DBG1(DBG_KNL
, "parsing SADB_X_MIGRATE from kernel failed");
1343 src_ts
= sadb_address2ts(response
.src
);
1344 dst_ts
= sadb_address2ts(response
.dst
);
1345 dir
= kernel2dir(response
.x_policy
->sadb_x_policy_dir
);
1346 DBG2(DBG_KNL
, " policy %R === %R %N, id %u", src_ts
, dst_ts
,
1347 policy_dir_names
, dir
);
1349 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
1350 if (response
.x_kmaddress
)
1352 sockaddr_t
*local_addr
, *remote_addr
;
1353 u_int32_t local_len
;
1355 local_addr
= (sockaddr_t
*)&response
.x_kmaddress
[1];
1356 local
= host_create_from_sockaddr(local_addr
);
1357 local_len
= (local_addr
->sa_family
== AF_INET6
)?
1358 sizeof(struct sockaddr_in6
) : sizeof(struct sockaddr_in
);
1359 remote_addr
= (sockaddr_t
*)((u_int8_t
*)local_addr
+ local_len
);
1360 remote
= host_create_from_sockaddr(remote_addr
);
1361 DBG2(DBG_KNL
, " kmaddress: %H...%H", local
, remote
);
1364 if (src_ts
&& dst_ts
&& local
&& remote
)
1366 hydra
->kernel_interface
->migrate(hydra
->kernel_interface
, reqid
,
1367 src_ts
, dst_ts
, dir
, local
, remote
);
1377 #endif /*SADB_X_MIGRATE*/
1379 #ifdef SADB_X_NAT_T_NEW_MAPPING
1381 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1383 static void process_mapping(private_kernel_pfkey_ipsec_t
*this,
1384 struct sadb_msg
* msg
)
1386 pfkey_msg_t response
;
1391 DBG2(DBG_KNL
, "received an SADB_X_NAT_T_NEW_MAPPING");
1393 if (parse_pfkey_message(msg
, &response
) != SUCCESS
)
1395 DBG1(DBG_KNL
, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1399 if (!response
.x_sa2
)
1401 DBG1(DBG_KNL
, "received SADB_X_NAT_T_NEW_MAPPING is missing required "
1406 spi
= response
.sa
->sadb_sa_spi
;
1408 if (satype2proto(msg
->sadb_msg_satype
) != IPPROTO_ESP
)
1413 sa
= (sockaddr_t
*)(response
.dst
+ 1);
1414 dst
= host_create_from_sockaddr(sa
);
1415 switch (sa
->sa_family
)
1419 struct sockaddr_in
*sin
= (struct sockaddr_in
*)sa
;
1420 sin
->sin_port
= htons(response
.x_natt_dport
->sadb_x_nat_t_port_port
);
1425 struct sockaddr_in6
*sin6
= (struct sockaddr_in6
*)sa
;
1426 sin6
->sin6_port
= htons(response
.x_natt_dport
->sadb_x_nat_t_port_port
);
1434 new = host_create_from_sockaddr(sa
);
1437 hydra
->kernel_interface
->mapping(hydra
->kernel_interface
,
1438 IPPROTO_ESP
, spi
, dst
, new);
1444 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1447 * Receives events from kernel
1449 static bool receive_events(private_kernel_pfkey_ipsec_t
*this, int fd
,
1450 watcher_event_t event
)
1452 unsigned char buf
[PFKEY_BUFFER_SIZE
];
1453 struct sadb_msg
*msg
= (struct sadb_msg
*)buf
;
1456 len
= recvfrom(this->socket_events
, buf
, sizeof(buf
), MSG_DONTWAIT
, NULL
, 0);
1462 /* interrupted, try again */
1465 /* no data ready, select again */
1468 DBG1(DBG_KNL
, "unable to receive from PF_KEY event socket");
1474 if (len
< sizeof(struct sadb_msg
) ||
1475 msg
->sadb_msg_len
< PFKEY_LEN(sizeof(struct sadb_msg
)))
1477 DBG2(DBG_KNL
, "received corrupted PF_KEY message");
1480 if (msg
->sadb_msg_pid
!= 0)
1481 { /* not from kernel. not interested, try another one */
1484 if (msg
->sadb_msg_len
> len
/ PFKEY_ALIGNMENT
)
1486 DBG1(DBG_KNL
, "buffer was too small to receive the complete "
1491 switch (msg
->sadb_msg_type
)
1494 process_acquire(this, msg
);
1497 process_expire(this, msg
);
1499 #ifdef SADB_X_MIGRATE
1500 case SADB_X_MIGRATE
:
1501 process_migrate(this, msg
);
1503 #endif /*SADB_X_MIGRATE*/
1504 #ifdef SADB_X_NAT_T_NEW_MAPPING
1505 case SADB_X_NAT_T_NEW_MAPPING
:
1506 process_mapping(this, msg
);
1508 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1517 * Get an SPI for a specific protocol from the kernel.
1520 static status_t
get_spi_internal(private_kernel_pfkey_ipsec_t
*this,
1521 host_t
*src
, host_t
*dst
, u_int8_t proto
, u_int32_t min
, u_int32_t max
,
1524 unsigned char request
[PFKEY_BUFFER_SIZE
];
1525 struct sadb_msg
*msg
, *out
;
1526 struct sadb_spirange
*range
;
1527 pfkey_msg_t response
;
1528 u_int32_t received_spi
= 0;
1531 memset(&request
, 0, sizeof(request
));
1533 msg
= (struct sadb_msg
*)request
;
1534 msg
->sadb_msg_version
= PF_KEY_V2
;
1535 msg
->sadb_msg_type
= SADB_GETSPI
;
1536 msg
->sadb_msg_satype
= proto2satype(proto
);
1537 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1539 add_addr_ext(msg
, src
, SADB_EXT_ADDRESS_SRC
, 0, 0, FALSE
);
1540 add_addr_ext(msg
, dst
, SADB_EXT_ADDRESS_DST
, 0, 0, FALSE
);
1542 range
= (struct sadb_spirange
*)PFKEY_EXT_ADD_NEXT(msg
);
1543 range
->sadb_spirange_exttype
= SADB_EXT_SPIRANGE
;
1544 range
->sadb_spirange_len
= PFKEY_LEN(sizeof(struct sadb_spirange
));
1545 range
->sadb_spirange_min
= min
;
1546 range
->sadb_spirange_max
= max
;
1547 PFKEY_EXT_ADD(msg
, range
);
1549 if (pfkey_send(this, msg
, &out
, &len
) == SUCCESS
)
1551 if (out
->sadb_msg_errno
)
1553 DBG1(DBG_KNL
, "allocating SPI failed: %s (%d)",
1554 strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
1556 else if (parse_pfkey_message(out
, &response
) == SUCCESS
)
1558 received_spi
= response
.sa
->sadb_sa_spi
;
1563 if (received_spi
== 0)
1568 *spi
= received_spi
;
1572 METHOD(kernel_ipsec_t
, get_spi
, status_t
,
1573 private_kernel_pfkey_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1574 u_int8_t protocol
, u_int32_t
*spi
)
1576 if (get_spi_internal(this, src
, dst
, protocol
,
1577 0xc0000000, 0xcFFFFFFF, spi
) != SUCCESS
)
1579 DBG1(DBG_KNL
, "unable to get SPI");
1583 DBG2(DBG_KNL
, "got SPI %.8x", ntohl(*spi
));
1587 METHOD(kernel_ipsec_t
, get_cpi
, status_t
,
1588 private_kernel_pfkey_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1591 u_int32_t received_spi
= 0;
1593 DBG2(DBG_KNL
, "getting CPI");
1595 if (get_spi_internal(this, src
, dst
, IPPROTO_COMP
,
1596 0x100, 0xEFFF, &received_spi
) != SUCCESS
)
1598 DBG1(DBG_KNL
, "unable to get CPI");
1602 *cpi
= htons((u_int16_t
)ntohl(received_spi
));
1604 DBG2(DBG_KNL
, "got CPI %.4x", ntohs(*cpi
));
1608 METHOD(kernel_ipsec_t
, add_sa
, status_t
,
1609 private_kernel_pfkey_ipsec_t
*this, host_t
*src
, host_t
*dst
, u_int32_t spi
,
1610 u_int8_t protocol
, u_int32_t reqid
, mark_t mark
, u_int32_t tfc
,
1611 lifetime_cfg_t
*lifetime
, u_int16_t enc_alg
, chunk_t enc_key
,
1612 u_int16_t int_alg
, chunk_t int_key
, ipsec_mode_t mode
,
1613 u_int16_t ipcomp
, u_int16_t cpi
, u_int32_t replay_window
,
1614 bool initiator
, bool encap
, bool esn
, bool inbound
, bool update
,
1615 linked_list_t
*src_ts
, linked_list_t
*dst_ts
)
1617 unsigned char request
[PFKEY_BUFFER_SIZE
];
1618 struct sadb_msg
*msg
, *out
;
1620 struct sadb_x_sa2
*sa2
;
1621 struct sadb_lifetime
*lft
;
1622 struct sadb_key
*key
;
1625 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
1626 * we are in the recursive call below */
1627 if (ipcomp
!= IPCOMP_NONE
&& cpi
!= 0)
1629 lifetime_cfg_t lft
= {{0,0,0},{0,0,0},{0,0,0}};
1630 add_sa(this, src
, dst
, htonl(ntohs(cpi
)), IPPROTO_COMP
, reqid
, mark
,
1631 tfc
, &lft
, ENCR_UNDEFINED
, chunk_empty
, AUTH_UNDEFINED
,
1632 chunk_empty
, mode
, ipcomp
, 0, 0, FALSE
, FALSE
, FALSE
, inbound
,
1633 update
, NULL
, NULL
);
1634 ipcomp
= IPCOMP_NONE
;
1635 /* use transport mode ESP SA, IPComp uses tunnel mode */
1636 mode
= MODE_TRANSPORT
;
1641 /* As we didn't know the reqid during SPI allocation, we used reqid
1642 * zero. Unfortunately we can't SADB_UPDATE to the new reqid, hence we
1643 * have to delete the SPI allocation state manually. The reqid
1644 * selector does not count for that, therefore we have to delete
1645 * that state before installing the new SA to avoid deleting the
1646 * the new state after installing it. */
1647 mark_t zeromark
= {0, 0};
1649 if (this->public.interface
.del_sa(&this->public.interface
,
1650 src
, dst
, spi
, protocol
, 0, zeromark
) != SUCCESS
)
1652 DBG1(DBG_KNL
, "deleting SPI allocation SA failed");
1656 memset(&request
, 0, sizeof(request
));
1658 DBG2(DBG_KNL
, "adding SAD entry with SPI %.8x and reqid {%u}",
1661 msg
= (struct sadb_msg
*)request
;
1662 msg
->sadb_msg_version
= PF_KEY_V2
;
1663 msg
->sadb_msg_type
= SADB_ADD
;
1664 msg
->sadb_msg_satype
= proto2satype(protocol
);
1665 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1670 struct sadb_sa_2
*sa_2
;
1671 sa_2
= (struct sadb_sa_2
*)PFKEY_EXT_ADD_NEXT(msg
);
1672 sa_2
->sadb_sa_natt_port
= dst
->get_port(dst
);
1674 sa
->sadb_sa_flags
|= SADB_X_EXT_NATT
;
1675 len
= sizeof(struct sadb_sa_2
);
1680 sa
= (struct sadb_sa
*)PFKEY_EXT_ADD_NEXT(msg
);
1681 len
= sizeof(struct sadb_sa
);
1683 sa
->sadb_sa_exttype
= SADB_EXT_SA
;
1684 sa
->sadb_sa_len
= PFKEY_LEN(len
);
1685 sa
->sadb_sa_spi
= spi
;
1686 if (protocol
== IPPROTO_COMP
)
1688 sa
->sadb_sa_encrypt
= lookup_algorithm(COMPRESSION_ALGORITHM
, ipcomp
);
1692 /* Linux interprets sadb_sa_replay as number of packets/bits in the
1693 * replay window, whereas on BSD it's the size of the window in bytes */
1695 sa
->sadb_sa_replay
= min(replay_window
, 32);
1697 sa
->sadb_sa_replay
= (replay_window
+ 7) / 8;
1699 sa
->sadb_sa_auth
= lookup_algorithm(INTEGRITY_ALGORITHM
, int_alg
);
1700 sa
->sadb_sa_encrypt
= lookup_algorithm(ENCRYPTION_ALGORITHM
, enc_alg
);
1702 PFKEY_EXT_ADD(msg
, sa
);
1704 sa2
= (struct sadb_x_sa2
*)PFKEY_EXT_ADD_NEXT(msg
);
1705 sa2
->sadb_x_sa2_exttype
= SADB_X_EXT_SA2
;
1706 sa2
->sadb_x_sa2_len
= PFKEY_LEN(sizeof(struct sadb_spirange
));
1707 sa2
->sadb_x_sa2_mode
= mode2kernel(mode
);
1708 sa2
->sadb_x_sa2_reqid
= reqid
;
1709 PFKEY_EXT_ADD(msg
, sa2
);
1711 add_addr_ext(msg
, src
, SADB_EXT_ADDRESS_SRC
, 0, 0, FALSE
);
1712 add_addr_ext(msg
, dst
, SADB_EXT_ADDRESS_DST
, 0, 0, FALSE
);
1714 lft
= (struct sadb_lifetime
*)PFKEY_EXT_ADD_NEXT(msg
);
1715 lft
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_SOFT
;
1716 lft
->sadb_lifetime_len
= PFKEY_LEN(sizeof(struct sadb_lifetime
));
1717 lft
->sadb_lifetime_allocations
= lifetime
->packets
.rekey
;
1718 lft
->sadb_lifetime_bytes
= lifetime
->bytes
.rekey
;
1719 lft
->sadb_lifetime_addtime
= lifetime
->time
.rekey
;
1720 lft
->sadb_lifetime_usetime
= 0; /* we only use addtime */
1721 PFKEY_EXT_ADD(msg
, lft
);
1723 lft
= (struct sadb_lifetime
*)PFKEY_EXT_ADD_NEXT(msg
);
1724 lft
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_HARD
;
1725 lft
->sadb_lifetime_len
= PFKEY_LEN(sizeof(struct sadb_lifetime
));
1726 lft
->sadb_lifetime_allocations
= lifetime
->packets
.life
;
1727 lft
->sadb_lifetime_bytes
= lifetime
->bytes
.life
;
1728 lft
->sadb_lifetime_addtime
= lifetime
->time
.life
;
1729 lft
->sadb_lifetime_usetime
= 0; /* we only use addtime */
1730 PFKEY_EXT_ADD(msg
, lft
);
1732 if (enc_alg
!= ENCR_UNDEFINED
)
1734 if (!sa
->sadb_sa_encrypt
)
1736 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1737 encryption_algorithm_names
, enc_alg
);
1740 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
1741 encryption_algorithm_names
, enc_alg
, enc_key
.len
* 8);
1743 key
= (struct sadb_key
*)PFKEY_EXT_ADD_NEXT(msg
);
1744 key
->sadb_key_exttype
= SADB_EXT_KEY_ENCRYPT
;
1745 key
->sadb_key_bits
= enc_key
.len
* 8;
1746 key
->sadb_key_len
= PFKEY_LEN(sizeof(struct sadb_key
) + enc_key
.len
);
1747 memcpy(key
+ 1, enc_key
.ptr
, enc_key
.len
);
1749 PFKEY_EXT_ADD(msg
, key
);
1752 if (int_alg
!= AUTH_UNDEFINED
)
1754 if (!sa
->sadb_sa_auth
)
1756 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1757 integrity_algorithm_names
, int_alg
);
1760 DBG2(DBG_KNL
, " using integrity algorithm %N with key size %d",
1761 integrity_algorithm_names
, int_alg
, int_key
.len
* 8);
1763 key
= (struct sadb_key
*)PFKEY_EXT_ADD_NEXT(msg
);
1764 key
->sadb_key_exttype
= SADB_EXT_KEY_AUTH
;
1765 key
->sadb_key_bits
= int_key
.len
* 8;
1766 key
->sadb_key_len
= PFKEY_LEN(sizeof(struct sadb_key
) + int_key
.len
);
1767 memcpy(key
+ 1, int_key
.ptr
, int_key
.len
);
1769 PFKEY_EXT_ADD(msg
, key
);
1775 add_encap_ext(msg
, src
, dst
);
1777 #endif /*HAVE_NATT*/
1779 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
1781 DBG1(DBG_KNL
, "unable to add SAD entry with SPI %.8x", ntohl(spi
));
1784 else if (out
->sadb_msg_errno
)
1786 DBG1(DBG_KNL
, "unable to add SAD entry with SPI %.8x: %s (%d)",
1787 ntohl(spi
), strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
1796 METHOD(kernel_ipsec_t
, update_sa
, status_t
,
1797 private_kernel_pfkey_ipsec_t
*this, u_int32_t spi
, u_int8_t protocol
,
1798 u_int16_t cpi
, host_t
*src
, host_t
*dst
, host_t
*new_src
, host_t
*new_dst
,
1799 bool encap
, bool new_encap
, mark_t mark
)
1801 unsigned char request
[PFKEY_BUFFER_SIZE
];
1802 struct sadb_msg
*msg
, *out
;
1804 pfkey_msg_t response
;
1807 /* we can't update the SA if any of the ip addresses have changed.
1808 * that's because we can't use SADB_UPDATE and by deleting and readding the
1809 * SA the sequence numbers would get lost */
1810 if (!src
->ip_equals(src
, new_src
) ||
1811 !dst
->ip_equals(dst
, new_dst
))
1813 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x: address "
1814 "changes are not supported", ntohl(spi
));
1815 return NOT_SUPPORTED
;
1818 /* if IPComp is used, we first update the IPComp SA */
1821 update_sa(this, htonl(ntohs(cpi
)), IPPROTO_COMP
, 0,
1822 src
, dst
, new_src
, new_dst
, FALSE
, FALSE
, mark
);
1825 memset(&request
, 0, sizeof(request
));
1827 DBG2(DBG_KNL
, "querying SAD entry with SPI %.8x", ntohl(spi
));
1829 msg
= (struct sadb_msg
*)request
;
1830 msg
->sadb_msg_version
= PF_KEY_V2
;
1831 msg
->sadb_msg_type
= SADB_GET
;
1832 msg
->sadb_msg_satype
= proto2satype(protocol
);
1833 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1835 sa
= (struct sadb_sa
*)PFKEY_EXT_ADD_NEXT(msg
);
1836 sa
->sadb_sa_exttype
= SADB_EXT_SA
;
1837 sa
->sadb_sa_len
= PFKEY_LEN(sizeof(struct sadb_sa
));
1838 sa
->sadb_sa_spi
= spi
;
1839 PFKEY_EXT_ADD(msg
, sa
);
1841 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1842 * it is not used for anything. */
1843 add_anyaddr_ext(msg
, dst
->get_family(dst
), SADB_EXT_ADDRESS_SRC
);
1844 add_addr_ext(msg
, dst
, SADB_EXT_ADDRESS_DST
, 0, 0, FALSE
);
1846 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
1848 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x", ntohl(spi
));
1851 else if (out
->sadb_msg_errno
)
1853 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x: %s (%d)",
1854 ntohl(spi
), strerror(out
->sadb_msg_errno
),
1855 out
->sadb_msg_errno
);
1859 else if (parse_pfkey_message(out
, &response
) != SUCCESS
)
1861 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x: parsing "
1862 "response from kernel failed", ntohl(spi
));
1867 DBG2(DBG_KNL
, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1868 ntohl(spi
), src
, dst
, new_src
, new_dst
);
1870 memset(&request
, 0, sizeof(request
));
1872 msg
= (struct sadb_msg
*)request
;
1873 msg
->sadb_msg_version
= PF_KEY_V2
;
1874 msg
->sadb_msg_type
= SADB_UPDATE
;
1875 msg
->sadb_msg_satype
= proto2satype(protocol
);
1876 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1880 struct sadb_sa_2
*sa_2
;
1881 sa_2
= (struct sadb_sa_2
*)PFKEY_EXT_ADD_NEXT(msg
);
1882 sa_2
->sa
.sadb_sa_len
= PFKEY_LEN(sizeof(struct sadb_sa_2
));
1883 memcpy(&sa_2
->sa
, response
.sa
, sizeof(struct sadb_sa
));
1886 sa_2
->sadb_sa_natt_port
= new_dst
->get_port(new_dst
);
1887 sa_2
->sa
.sadb_sa_flags
|= SADB_X_EXT_NATT
;
1891 PFKEY_EXT_COPY(msg
, response
.sa
);
1893 PFKEY_EXT_COPY(msg
, response
.x_sa2
);
1895 PFKEY_EXT_COPY(msg
, response
.src
);
1896 PFKEY_EXT_COPY(msg
, response
.dst
);
1898 PFKEY_EXT_COPY(msg
, response
.lft_soft
);
1899 PFKEY_EXT_COPY(msg
, response
.lft_hard
);
1901 if (response
.key_encr
)
1903 PFKEY_EXT_COPY(msg
, response
.key_encr
);
1906 if (response
.key_auth
)
1908 PFKEY_EXT_COPY(msg
, response
.key_auth
);
1914 add_encap_ext(msg
, new_src
, new_dst
);
1916 #endif /*HAVE_NATT*/
1920 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
1922 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x", ntohl(spi
));
1925 else if (out
->sadb_msg_errno
)
1927 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x: %s (%d)",
1928 ntohl(spi
), strerror(out
->sadb_msg_errno
),
1929 out
->sadb_msg_errno
);
1938 METHOD(kernel_ipsec_t
, query_sa
, status_t
,
1939 private_kernel_pfkey_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1940 u_int32_t spi
, u_int8_t protocol
, mark_t mark
,
1941 u_int64_t
*bytes
, u_int64_t
*packets
, time_t *time
)
1943 unsigned char request
[PFKEY_BUFFER_SIZE
];
1944 struct sadb_msg
*msg
, *out
;
1946 pfkey_msg_t response
;
1949 memset(&request
, 0, sizeof(request
));
1951 DBG2(DBG_KNL
, "querying SAD entry with SPI %.8x", ntohl(spi
));
1953 msg
= (struct sadb_msg
*)request
;
1954 msg
->sadb_msg_version
= PF_KEY_V2
;
1955 msg
->sadb_msg_type
= SADB_GET
;
1956 msg
->sadb_msg_satype
= proto2satype(protocol
);
1957 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1959 sa
= (struct sadb_sa
*)PFKEY_EXT_ADD_NEXT(msg
);
1960 sa
->sadb_sa_exttype
= SADB_EXT_SA
;
1961 sa
->sadb_sa_len
= PFKEY_LEN(sizeof(struct sadb_sa
));
1962 sa
->sadb_sa_spi
= spi
;
1963 PFKEY_EXT_ADD(msg
, sa
);
1965 /* the Linux Kernel doesn't care for the src address, but other systems do
1968 add_addr_ext(msg
, src
, SADB_EXT_ADDRESS_SRC
, 0, 0, FALSE
);
1969 add_addr_ext(msg
, dst
, SADB_EXT_ADDRESS_DST
, 0, 0, FALSE
);
1971 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
1973 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x", ntohl(spi
));
1976 else if (out
->sadb_msg_errno
)
1978 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x: %s (%d)",
1979 ntohl(spi
), strerror(out
->sadb_msg_errno
),
1980 out
->sadb_msg_errno
);
1984 else if (parse_pfkey_message(out
, &response
) != SUCCESS
)
1986 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x", ntohl(spi
));
1992 *bytes
= response
.lft_current
->sadb_lifetime_bytes
;
1996 /* at least on Linux and FreeBSD this contains the number of packets */
1997 *packets
= response
.lft_current
->sadb_lifetime_allocations
;
2002 /* OS X uses the "last" time of use in usetime */
2003 *time
= response
.lft_current
->sadb_lifetime_usetime
;
2004 #else /* !__APPLE__ */
2005 /* on Linux, sadb_lifetime_usetime is set to the "first" time of use,
2006 * which is actually correct according to PF_KEY. We have to query
2007 * policies for the last usetime. */
2009 #endif /* !__APPLE__ */
2016 METHOD(kernel_ipsec_t
, del_sa
, status_t
,
2017 private_kernel_pfkey_ipsec_t
*this, host_t
*src
, host_t
*dst
,
2018 u_int32_t spi
, u_int8_t protocol
, u_int16_t cpi
, mark_t mark
)
2020 unsigned char request
[PFKEY_BUFFER_SIZE
];
2021 struct sadb_msg
*msg
, *out
;
2025 /* if IPComp was used, we first delete the additional IPComp SA */
2028 del_sa(this, src
, dst
, htonl(ntohs(cpi
)), IPPROTO_COMP
, 0, mark
);
2031 memset(&request
, 0, sizeof(request
));
2033 DBG2(DBG_KNL
, "deleting SAD entry with SPI %.8x", ntohl(spi
));
2035 msg
= (struct sadb_msg
*)request
;
2036 msg
->sadb_msg_version
= PF_KEY_V2
;
2037 msg
->sadb_msg_type
= SADB_DELETE
;
2038 msg
->sadb_msg_satype
= proto2satype(protocol
);
2039 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
2041 sa
= (struct sadb_sa
*)PFKEY_EXT_ADD_NEXT(msg
);
2042 sa
->sadb_sa_exttype
= SADB_EXT_SA
;
2043 sa
->sadb_sa_len
= PFKEY_LEN(sizeof(struct sadb_sa
));
2044 sa
->sadb_sa_spi
= spi
;
2045 PFKEY_EXT_ADD(msg
, sa
);
2047 /* the Linux Kernel doesn't care for the src address, but other systems do
2050 add_addr_ext(msg
, src
, SADB_EXT_ADDRESS_SRC
, 0, 0, FALSE
);
2051 add_addr_ext(msg
, dst
, SADB_EXT_ADDRESS_DST
, 0, 0, FALSE
);
2053 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
2055 DBG1(DBG_KNL
, "unable to delete SAD entry with SPI %.8x", ntohl(spi
));
2058 else if (out
->sadb_msg_errno
)
2060 DBG1(DBG_KNL
, "unable to delete SAD entry with SPI %.8x: %s (%d)",
2061 ntohl(spi
), strerror(out
->sadb_msg_errno
),
2062 out
->sadb_msg_errno
);
2067 DBG2(DBG_KNL
, "deleted SAD entry with SPI %.8x", ntohl(spi
));
2072 METHOD(kernel_ipsec_t
, flush_sas
, status_t
,
2073 private_kernel_pfkey_ipsec_t
*this)
2075 unsigned char request
[PFKEY_BUFFER_SIZE
];
2076 struct sadb_msg
*msg
, *out
;
2081 { SADB_SATYPE_AH
, "AH" },
2082 { SADB_SATYPE_ESP
, "ESP" },
2083 { SADB_X_SATYPE_IPCOMP
, "IPComp" },
2088 memset(&request
, 0, sizeof(request
));
2090 msg
= (struct sadb_msg
*)request
;
2091 msg
->sadb_msg_version
= PF_KEY_V2
;
2092 msg
->sadb_msg_type
= SADB_FLUSH
;
2093 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
2095 for (i
= 0; i
< countof(protos
); i
++)
2097 DBG2(DBG_KNL
, "flushing all %s SAD entries", protos
[i
].name
);
2099 msg
->sadb_msg_satype
= protos
[i
].proto
;
2100 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
2102 DBG1(DBG_KNL
, "unable to flush %s SAD entries", protos
[i
].name
);
2105 else if (out
->sadb_msg_errno
)
2107 DBG1(DBG_KNL
, "unable to flush %s SAD entries: %s (%d)",
2108 protos
[i
].name
, strerror(out
->sadb_msg_errno
),
2109 out
->sadb_msg_errno
);
2119 * Add an explicit exclude route to a routing entry
2121 static void add_exclude_route(private_kernel_pfkey_ipsec_t
*this,
2122 route_entry_t
*route
, host_t
*src
, host_t
*dst
)
2124 enumerator_t
*enumerator
;
2125 exclude_route_t
*exclude
;
2128 enumerator
= this->excludes
->create_enumerator(this->excludes
);
2129 while (enumerator
->enumerate(enumerator
, &exclude
))
2131 if (dst
->ip_equals(dst
, exclude
->dst
))
2133 route
->exclude
= exclude
;
2137 enumerator
->destroy(enumerator
);
2139 if (!route
->exclude
)
2141 DBG2(DBG_KNL
, "installing new exclude route for %H src %H", dst
, src
);
2142 gtw
= hydra
->kernel_interface
->get_nexthop(hydra
->kernel_interface
,
2146 char *if_name
= NULL
;
2148 if (hydra
->kernel_interface
->get_interface(
2149 hydra
->kernel_interface
, src
, &if_name
) &&
2150 hydra
->kernel_interface
->add_route(hydra
->kernel_interface
,
2151 dst
->get_address(dst
),
2152 dst
->get_family(dst
) == AF_INET ?
32 : 128,
2153 gtw
, src
, if_name
) == SUCCESS
)
2156 .dst
= dst
->clone(dst
),
2157 .src
= src
->clone(src
),
2158 .gtw
= gtw
->clone(gtw
),
2161 route
->exclude
= exclude
;
2162 this->excludes
->insert_last(this->excludes
, exclude
);
2166 DBG1(DBG_KNL
, "installing exclude route for %H failed", dst
);
2173 DBG1(DBG_KNL
, "gateway lookup for for %H failed", dst
);
2179 * Remove an exclude route attached to a routing entry
2181 static void remove_exclude_route(private_kernel_pfkey_ipsec_t
*this,
2182 route_entry_t
*route
)
2186 enumerator_t
*enumerator
;
2187 exclude_route_t
*exclude
;
2188 bool removed
= FALSE
;
2191 enumerator
= this->excludes
->create_enumerator(this->excludes
);
2192 while (enumerator
->enumerate(enumerator
, &exclude
))
2194 if (route
->exclude
== exclude
)
2196 if (--exclude
->refs
== 0)
2198 this->excludes
->remove_at(this->excludes
, enumerator
);
2204 enumerator
->destroy(enumerator
);
2208 char *if_name
= NULL
;
2210 dst
= route
->exclude
->dst
;
2211 DBG2(DBG_KNL
, "uninstalling exclude route for %H src %H",
2212 dst
, route
->exclude
->src
);
2213 if (hydra
->kernel_interface
->get_interface(
2214 hydra
->kernel_interface
,
2215 route
->exclude
->src
, &if_name
) &&
2216 hydra
->kernel_interface
->del_route(hydra
->kernel_interface
,
2217 dst
->get_address(dst
),
2218 dst
->get_family(dst
) == AF_INET ?
32 : 128,
2219 route
->exclude
->gtw
, route
->exclude
->src
,
2220 if_name
) != SUCCESS
)
2222 DBG1(DBG_KNL
, "uninstalling exclude route for %H failed", dst
);
2224 exclude_route_destroy(route
->exclude
);
2227 route
->exclude
= NULL
;
2232 * Try to install a route to the given inbound policy
2234 static bool install_route(private_kernel_pfkey_ipsec_t
*this,
2235 policy_entry_t
*policy
, policy_sa_in_t
*in
)
2237 route_entry_t
*route
, *old
;
2238 host_t
*host
, *src
, *dst
;
2241 if (hydra
->kernel_interface
->get_address_by_ts(hydra
->kernel_interface
,
2242 in
->dst_ts
, &host
, &is_virtual
) != SUCCESS
)
2247 /* switch src/dst, as we handle an IN policy */
2248 src
= in
->generic
.sa
->dst
;
2249 dst
= in
->generic
.sa
->src
;
2252 .prefixlen
= policy
->src
.mask
,
2254 .dst_net
= chunk_clone(policy
->src
.net
->get_address(policy
->src
.net
)),
2257 if (!dst
->is_anyaddr(dst
))
2259 route
->gateway
= hydra
->kernel_interface
->get_nexthop(
2260 hydra
->kernel_interface
, dst
, -1, src
);
2262 /* if the IP is virtual, we install the route over the interface it has
2263 * been installed on. Otherwise we use the interface we use for IKE, as
2264 * this is required for example on Linux. */
2267 src
= route
->src_ip
;
2271 { /* for shunt policies */
2272 route
->gateway
= hydra
->kernel_interface
->get_nexthop(
2273 hydra
->kernel_interface
, policy
->src
.net
,
2274 policy
->src
.mask
, route
->src_ip
);
2276 /* we don't have a source address, use the address we found */
2277 src
= route
->src_ip
;
2280 /* get interface for route, using source address */
2281 if (!hydra
->kernel_interface
->get_interface(hydra
->kernel_interface
,
2282 src
, &route
->if_name
))
2284 route_entry_destroy(route
);
2290 old
= policy
->route
;
2292 if (route_entry_equals(old
, route
))
2293 { /* such a route already exists */
2294 route_entry_destroy(route
);
2297 /* uninstall previously installed route */
2298 if (hydra
->kernel_interface
->del_route(hydra
->kernel_interface
,
2299 old
->dst_net
, old
->prefixlen
, old
->gateway
,
2300 old
->src_ip
, old
->if_name
) != SUCCESS
)
2302 DBG1(DBG_KNL
, "error uninstalling route installed with policy "
2303 "%R === %R %N", in
->src_ts
, in
->dst_ts
,
2304 policy_dir_names
, policy
->direction
);
2306 route_entry_destroy(old
);
2307 policy
->route
= NULL
;
2310 /* if remote traffic selector covers the IKE peer, add an exclude route */
2311 if (hydra
->kernel_interface
->get_features(
2312 hydra
->kernel_interface
) & KERNEL_REQUIRE_EXCLUDE_ROUTE
)
2314 if (in
->src_ts
->is_host(in
->src_ts
, dst
))
2316 DBG1(DBG_KNL
, "can't install route for %R === %R %N, conflicts "
2317 "with IKE traffic", in
->src_ts
, in
->dst_ts
, policy_dir_names
,
2319 route_entry_destroy(route
);
2322 if (in
->src_ts
->includes(in
->src_ts
, dst
))
2324 add_exclude_route(this, route
, in
->generic
.sa
->dst
, dst
);
2328 DBG2(DBG_KNL
, "installing route: %R via %H src %H dev %s",
2329 in
->src_ts
, route
->gateway
, route
->src_ip
, route
->if_name
);
2331 switch (hydra
->kernel_interface
->add_route(hydra
->kernel_interface
,
2332 route
->dst_net
, route
->prefixlen
, route
->gateway
,
2333 route
->src_ip
, route
->if_name
))
2336 /* route exists, do not uninstall */
2337 remove_exclude_route(this, route
);
2338 route_entry_destroy(route
);
2341 /* cache the installed route */
2342 policy
->route
= route
;
2345 DBG1(DBG_KNL
, "installing route failed: %R via %H src %H dev %s",
2346 in
->src_ts
, route
->gateway
, route
->src_ip
, route
->if_name
);
2347 remove_exclude_route(this, route
);
2348 route_entry_destroy(route
);
2354 * Add or update a policy in the kernel.
2356 * Note: The mutex has to be locked when entering this function.
2358 static status_t
add_policy_internal(private_kernel_pfkey_ipsec_t
*this,
2359 policy_entry_t
*policy
, policy_sa_t
*mapping
, bool update
)
2361 unsigned char request
[PFKEY_BUFFER_SIZE
];
2362 struct sadb_msg
*msg
, *out
;
2363 struct sadb_x_policy
*pol
;
2364 struct sadb_x_ipsecrequest
*req
;
2365 ipsec_sa_t
*ipsec
= mapping
->sa
;
2366 pfkey_msg_t response
;
2368 ipsec_mode_t proto_mode
;
2371 memset(&request
, 0, sizeof(request
));
2373 msg
= (struct sadb_msg
*)request
;
2374 msg
->sadb_msg_version
= PF_KEY_V2
;
2375 msg
->sadb_msg_type
= update ? SADB_X_SPDUPDATE
: SADB_X_SPDADD
;
2376 msg
->sadb_msg_satype
= 0;
2377 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
2379 pol
= (struct sadb_x_policy
*)PFKEY_EXT_ADD_NEXT(msg
);
2380 pol
->sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
2381 pol
->sadb_x_policy_len
= PFKEY_LEN(sizeof(struct sadb_x_policy
));
2382 pol
->sadb_x_policy_id
= 0;
2383 pol
->sadb_x_policy_dir
= dir2kernel(policy
->direction
);
2384 pol
->sadb_x_policy_type
= type2kernel(mapping
->type
);
2385 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
2386 pol
->sadb_x_policy_priority
= mapping
->priority
;
2389 /* one or more sadb_x_ipsecrequest extensions are added to the
2390 * sadb_x_policy extension */
2391 proto_mode
= ipsec
->cfg
.mode
;
2393 req
= (struct sadb_x_ipsecrequest
*)(pol
+ 1);
2395 if (ipsec
->cfg
.ipcomp
.transform
!= IPCOMP_NONE
)
2397 req
->sadb_x_ipsecrequest_proto
= IPPROTO_COMP
;
2399 /* !!! the length here MUST be in octets instead of 64 bit words */
2400 req
->sadb_x_ipsecrequest_len
= sizeof(struct sadb_x_ipsecrequest
);
2401 req
->sadb_x_ipsecrequest_mode
= mode2kernel(ipsec
->cfg
.mode
);
2402 req
->sadb_x_ipsecrequest_reqid
= ipsec
->cfg
.reqid
;
2403 req
->sadb_x_ipsecrequest_level
= (policy
->direction
== POLICY_OUT
) ?
2404 IPSEC_LEVEL_UNIQUE
: IPSEC_LEVEL_USE
;
2405 if (ipsec
->cfg
.mode
== MODE_TUNNEL
)
2407 len
= hostcpy(req
+ 1, ipsec
->src
, FALSE
);
2408 req
->sadb_x_ipsecrequest_len
+= len
;
2409 len
= hostcpy((char*)(req
+ 1) + len
, ipsec
->dst
, FALSE
);
2410 req
->sadb_x_ipsecrequest_len
+= len
;
2411 /* use transport mode for other SAs */
2412 proto_mode
= MODE_TRANSPORT
;
2415 pol
->sadb_x_policy_len
+= PFKEY_LEN(req
->sadb_x_ipsecrequest_len
);
2416 req
= (struct sadb_x_ipsecrequest
*)((char*)(req
) +
2417 req
->sadb_x_ipsecrequest_len
);
2420 req
->sadb_x_ipsecrequest_proto
= ipsec
->cfg
.esp
.use ? IPPROTO_ESP
2422 /* !!! the length here MUST be in octets instead of 64 bit words */
2423 req
->sadb_x_ipsecrequest_len
= sizeof(struct sadb_x_ipsecrequest
);
2424 req
->sadb_x_ipsecrequest_mode
= mode2kernel(proto_mode
);
2425 req
->sadb_x_ipsecrequest_reqid
= ipsec
->cfg
.reqid
;
2426 req
->sadb_x_ipsecrequest_level
= IPSEC_LEVEL_UNIQUE
;
2427 if (proto_mode
== MODE_TUNNEL
)
2429 len
= hostcpy(req
+ 1, ipsec
->src
, FALSE
);
2430 req
->sadb_x_ipsecrequest_len
+= len
;
2431 len
= hostcpy((char*)(req
+ 1) + len
, ipsec
->dst
, FALSE
);
2432 req
->sadb_x_ipsecrequest_len
+= len
;
2435 pol
->sadb_x_policy_len
+= PFKEY_LEN(req
->sadb_x_ipsecrequest_len
);
2436 PFKEY_EXT_ADD(msg
, pol
);
2438 add_addr_ext(msg
, policy
->src
.net
, SADB_EXT_ADDRESS_SRC
, policy
->src
.proto
,
2439 policy
->src
.mask
, TRUE
);
2440 add_addr_ext(msg
, policy
->dst
.net
, SADB_EXT_ADDRESS_DST
, policy
->dst
.proto
,
2441 policy
->dst
.mask
, TRUE
);
2444 { /* on FreeBSD a lifetime has to be defined to be able to later query
2445 * the current use time. */
2446 struct sadb_lifetime
*lft
;
2447 lft
= (struct sadb_lifetime
*)PFKEY_EXT_ADD_NEXT(msg
);
2448 lft
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_HARD
;
2449 lft
->sadb_lifetime_len
= PFKEY_LEN(sizeof(struct sadb_lifetime
));
2450 lft
->sadb_lifetime_addtime
= LONG_MAX
;
2451 PFKEY_EXT_ADD(msg
, lft
);
2455 this->mutex
->unlock(this->mutex
);
2457 status
= pfkey_send(this, msg
, &out
, &len
);
2458 if (status
== SUCCESS
&& !update
&& out
->sadb_msg_errno
== EEXIST
)
2460 DBG1(DBG_KNL
, "policy already exists, try to update it");
2462 msg
->sadb_msg_type
= SADB_X_SPDUPDATE
;
2463 status
= pfkey_send(this, msg
, &out
, &len
);
2465 if (status
!= SUCCESS
)
2469 else if (out
->sadb_msg_errno
)
2471 DBG1(DBG_KNL
, "unable to %s policy: %s (%d)",
2472 update ?
"update" : "add", strerror(out
->sadb_msg_errno
),
2473 out
->sadb_msg_errno
);
2477 else if (parse_pfkey_message(out
, &response
) != SUCCESS
)
2479 DBG1(DBG_KNL
, "unable to %s policy: parsing response from kernel "
2480 "failed", update ?
"update" : "add");
2485 /* we try to find the policy again and update the kernel index */
2486 this->mutex
->lock(this->mutex
);
2487 if (this->policies
->find_first(this->policies
, NULL
,
2488 (void**)&policy
) != SUCCESS
)
2490 DBG2(DBG_KNL
, "unable to update index, the policy is already gone, "
2492 this->mutex
->unlock(this->mutex
);
2496 policy
->index
= response
.x_policy
->sadb_x_policy_id
;
2499 /* install a route, if:
2500 * - this is an inbound policy (to just get one for each child)
2501 * - we are in tunnel mode or install a bypass policy
2502 * - routing is not disabled via strongswan.conf
2504 if (policy
->direction
== POLICY_IN
&& this->install_routes
&&
2505 (mapping
->type
!= POLICY_IPSEC
|| ipsec
->cfg
.mode
!= MODE_TRANSPORT
))
2507 install_route(this, policy
, (policy_sa_in_t
*)mapping
);
2509 this->mutex
->unlock(this->mutex
);
2513 METHOD(kernel_ipsec_t
, add_policy
, status_t
,
2514 private_kernel_pfkey_ipsec_t
*this, host_t
*src
, host_t
*dst
,
2515 traffic_selector_t
*src_ts
, traffic_selector_t
*dst_ts
,
2516 policy_dir_t direction
, policy_type_t type
, ipsec_sa_cfg_t
*sa
,
2517 mark_t mark
, policy_priority_t priority
)
2519 policy_entry_t
*policy
, *found
= NULL
;
2520 policy_sa_t
*assigned_sa
, *current_sa
;
2521 enumerator_t
*enumerator
;
2524 if (dir2kernel(direction
) == IPSEC_DIR_INVALID
)
2525 { /* FWD policies are not supported on all platforms */
2529 /* create a policy */
2530 policy
= create_policy_entry(src_ts
, dst_ts
, direction
);
2532 /* find a matching policy */
2533 this->mutex
->lock(this->mutex
);
2534 if (this->policies
->find_first(this->policies
,
2535 (linked_list_match_t
)policy_entry_equals
,
2536 (void**)&found
, policy
) == SUCCESS
)
2537 { /* use existing policy */
2538 DBG2(DBG_KNL
, "policy %R === %R %N already exists, increasing "
2539 "refcount", src_ts
, dst_ts
, policy_dir_names
, direction
);
2540 policy_entry_destroy(policy
, this);
2544 { /* use the new one, if we have no such policy */
2545 this->policies
->insert_first(this->policies
, policy
);
2546 policy
->used_by
= linked_list_create();
2549 /* cache the assigned IPsec SA */
2550 assigned_sa
= policy_sa_create(this, direction
, type
, src
, dst
, src_ts
,
2552 assigned_sa
->priority
= get_priority(policy
, priority
);
2554 /* insert the SA according to its priority */
2555 enumerator
= policy
->used_by
->create_enumerator(policy
->used_by
);
2556 while (enumerator
->enumerate(enumerator
, (void**)¤t_sa
))
2558 if (current_sa
->priority
>= assigned_sa
->priority
)
2564 policy
->used_by
->insert_before(policy
->used_by
, enumerator
, assigned_sa
);
2565 enumerator
->destroy(enumerator
);
2568 { /* we don't update the policy if the priority is lower than that of the
2569 * currently installed one */
2570 this->mutex
->unlock(this->mutex
);
2574 DBG2(DBG_KNL
, "%s policy %R === %R %N",
2575 found ?
"updating" : "adding", src_ts
, dst_ts
,
2576 policy_dir_names
, direction
);
2578 if (add_policy_internal(this, policy
, assigned_sa
, found
) != SUCCESS
)
2580 DBG1(DBG_KNL
, "unable to %s policy %R === %R %N",
2581 found ?
"update" : "add", src_ts
, dst_ts
,
2582 policy_dir_names
, direction
);
2588 METHOD(kernel_ipsec_t
, query_policy
, status_t
,
2589 private_kernel_pfkey_ipsec_t
*this, traffic_selector_t
*src_ts
,
2590 traffic_selector_t
*dst_ts
, policy_dir_t direction
, mark_t mark
,
2593 unsigned char request
[PFKEY_BUFFER_SIZE
];
2594 struct sadb_msg
*msg
, *out
;
2595 struct sadb_x_policy
*pol
;
2596 policy_entry_t
*policy
, *found
= NULL
;
2597 pfkey_msg_t response
;
2600 if (dir2kernel(direction
) == IPSEC_DIR_INVALID
)
2601 { /* FWD policies are not supported on all platforms */
2605 DBG2(DBG_KNL
, "querying policy %R === %R %N", src_ts
, dst_ts
,
2606 policy_dir_names
, direction
);
2608 /* create a policy */
2609 policy
= create_policy_entry(src_ts
, dst_ts
, direction
);
2611 /* find a matching policy */
2612 this->mutex
->lock(this->mutex
);
2613 if (this->policies
->find_first(this->policies
,
2614 (linked_list_match_t
)policy_entry_equals
,
2615 (void**)&found
, policy
) != SUCCESS
)
2617 DBG1(DBG_KNL
, "querying policy %R === %R %N failed, not found", src_ts
,
2618 dst_ts
, policy_dir_names
, direction
);
2619 policy_entry_destroy(policy
, this);
2620 this->mutex
->unlock(this->mutex
);
2623 policy_entry_destroy(policy
, this);
2626 memset(&request
, 0, sizeof(request
));
2628 msg
= (struct sadb_msg
*)request
;
2629 msg
->sadb_msg_version
= PF_KEY_V2
;
2630 msg
->sadb_msg_type
= SADB_X_SPDGET
;
2631 msg
->sadb_msg_satype
= 0;
2632 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
2634 pol
= (struct sadb_x_policy
*)PFKEY_EXT_ADD_NEXT(msg
);
2635 pol
->sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
2636 pol
->sadb_x_policy_id
= policy
->index
;
2637 pol
->sadb_x_policy_len
= PFKEY_LEN(sizeof(struct sadb_x_policy
));
2638 pol
->sadb_x_policy_dir
= dir2kernel(direction
);
2639 pol
->sadb_x_policy_type
= IPSEC_POLICY_IPSEC
;
2640 PFKEY_EXT_ADD(msg
, pol
);
2642 add_addr_ext(msg
, policy
->src
.net
, SADB_EXT_ADDRESS_SRC
, policy
->src
.proto
,
2643 policy
->src
.mask
, TRUE
);
2644 add_addr_ext(msg
, policy
->dst
.net
, SADB_EXT_ADDRESS_DST
, policy
->dst
.proto
,
2645 policy
->dst
.mask
, TRUE
);
2647 this->mutex
->unlock(this->mutex
);
2649 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
2651 DBG1(DBG_KNL
, "unable to query policy %R === %R %N", src_ts
, dst_ts
,
2652 policy_dir_names
, direction
);
2655 else if (out
->sadb_msg_errno
)
2657 DBG1(DBG_KNL
, "unable to query policy %R === %R %N: %s (%d)", src_ts
,
2658 dst_ts
, policy_dir_names
, direction
,
2659 strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
2663 else if (parse_pfkey_message(out
, &response
) != SUCCESS
)
2665 DBG1(DBG_KNL
, "unable to query policy %R === %R %N: parsing response "
2666 "from kernel failed", src_ts
, dst_ts
, policy_dir_names
,
2671 else if (response
.lft_current
== NULL
)
2673 DBG2(DBG_KNL
, "unable to query policy %R === %R %N: kernel reports no "
2674 "use time", src_ts
, dst_ts
, policy_dir_names
, direction
);
2679 /* we need the monotonic time, but the kernel returns system time. */
2680 if (response
.lft_current
->sadb_lifetime_usetime
)
2682 *use_time
= time_monotonic(NULL
) -
2683 (time(NULL
) - response
.lft_current
->sadb_lifetime_usetime
);
2693 METHOD(kernel_ipsec_t
, del_policy
, status_t
,
2694 private_kernel_pfkey_ipsec_t
*this, host_t
*src
, host_t
*dst
,
2695 traffic_selector_t
*src_ts
, traffic_selector_t
*dst_ts
,
2696 policy_dir_t direction
, policy_type_t type
, ipsec_sa_cfg_t
*sa
,
2697 mark_t mark
, policy_priority_t prio
)
2699 unsigned char request
[PFKEY_BUFFER_SIZE
];
2700 struct sadb_msg
*msg
, *out
;
2701 struct sadb_x_policy
*pol
;
2702 policy_entry_t
*policy
, *found
= NULL
;
2703 policy_sa_t
*mapping
, *to_remove
= NULL
;
2704 enumerator_t
*enumerator
;
2705 bool first
= TRUE
, is_installed
= TRUE
;
2708 ipsec_sa_t assigned_sa
= {
2714 if (dir2kernel(direction
) == IPSEC_DIR_INVALID
)
2715 { /* FWD policies are not supported on all platforms */
2719 DBG2(DBG_KNL
, "deleting policy %R === %R %N", src_ts
, dst_ts
,
2720 policy_dir_names
, direction
);
2722 /* create a policy */
2723 policy
= create_policy_entry(src_ts
, dst_ts
, direction
);
2725 /* find a matching policy */
2726 this->mutex
->lock(this->mutex
);
2727 if (this->policies
->find_first(this->policies
,
2728 (linked_list_match_t
)policy_entry_equals
,
2729 (void**)&found
, policy
) != SUCCESS
)
2731 DBG1(DBG_KNL
, "deleting policy %R === %R %N failed, not found", src_ts
,
2732 dst_ts
, policy_dir_names
, direction
);
2733 policy_entry_destroy(policy
, this);
2734 this->mutex
->unlock(this->mutex
);
2737 policy_entry_destroy(policy
, this);
2740 /* remove mapping to SA by reqid and priority, if multiple match, which
2741 * could happen when rekeying due to an address change, remove the oldest */
2742 priority
= get_priority(policy
, prio
);
2743 enumerator
= policy
->used_by
->create_enumerator(policy
->used_by
);
2744 while (enumerator
->enumerate(enumerator
, (void**)&mapping
))
2746 if (priority
== mapping
->priority
&&
2747 ipsec_sa_equals(mapping
->sa
, &assigned_sa
))
2749 to_remove
= mapping
;
2750 is_installed
= first
;
2752 else if (priority
< mapping
->priority
)
2758 enumerator
->destroy(enumerator
);
2760 { /* sanity check */
2761 this->mutex
->unlock(this->mutex
);
2764 policy
->used_by
->remove(policy
->used_by
, to_remove
, NULL
);
2765 mapping
= to_remove
;
2767 if (policy
->used_by
->get_count(policy
->used_by
) > 0)
2768 { /* policy is used by more SAs, keep in kernel */
2769 DBG2(DBG_KNL
, "policy still used by another CHILD_SA, not removed");
2770 policy_sa_destroy(mapping
, &direction
, this);
2773 { /* no need to update as the policy was not installed for this SA */
2774 this->mutex
->unlock(this->mutex
);
2778 DBG2(DBG_KNL
, "updating policy %R === %R %N", src_ts
, dst_ts
,
2779 policy_dir_names
, direction
);
2780 policy
->used_by
->get_first(policy
->used_by
, (void**)&mapping
);
2781 if (add_policy_internal(this, policy
, mapping
, TRUE
) != SUCCESS
)
2783 DBG1(DBG_KNL
, "unable to update policy %R === %R %N",
2784 src_ts
, dst_ts
, policy_dir_names
, direction
);
2790 memset(&request
, 0, sizeof(request
));
2792 msg
= (struct sadb_msg
*)request
;
2793 msg
->sadb_msg_version
= PF_KEY_V2
;
2794 msg
->sadb_msg_type
= SADB_X_SPDDELETE
;
2795 msg
->sadb_msg_satype
= 0;
2796 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
2798 pol
= (struct sadb_x_policy
*)PFKEY_EXT_ADD_NEXT(msg
);
2799 pol
->sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
2800 pol
->sadb_x_policy_len
= PFKEY_LEN(sizeof(struct sadb_x_policy
));
2801 pol
->sadb_x_policy_dir
= dir2kernel(direction
);
2802 pol
->sadb_x_policy_type
= type2kernel(mapping
->type
);
2803 PFKEY_EXT_ADD(msg
, pol
);
2805 add_addr_ext(msg
, policy
->src
.net
, SADB_EXT_ADDRESS_SRC
, policy
->src
.proto
,
2806 policy
->src
.mask
, TRUE
);
2807 add_addr_ext(msg
, policy
->dst
.net
, SADB_EXT_ADDRESS_DST
, policy
->dst
.proto
,
2808 policy
->dst
.mask
, TRUE
);
2812 route_entry_t
*route
= policy
->route
;
2813 if (hydra
->kernel_interface
->del_route(hydra
->kernel_interface
,
2814 route
->dst_net
, route
->prefixlen
, route
->gateway
,
2815 route
->src_ip
, route
->if_name
) != SUCCESS
)
2817 DBG1(DBG_KNL
, "error uninstalling route installed with "
2818 "policy %R === %R %N", src_ts
, dst_ts
,
2819 policy_dir_names
, direction
);
2821 remove_exclude_route(this, route
);
2824 this->policies
->remove(this->policies
, found
, NULL
);
2825 policy_sa_destroy(mapping
, &direction
, this);
2826 policy_entry_destroy(policy
, this);
2827 this->mutex
->unlock(this->mutex
);
2829 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
2831 DBG1(DBG_KNL
, "unable to delete policy %R === %R %N", src_ts
, dst_ts
,
2832 policy_dir_names
, direction
);
2835 else if (out
->sadb_msg_errno
)
2837 DBG1(DBG_KNL
, "unable to delete policy %R === %R %N: %s (%d)", src_ts
,
2838 dst_ts
, policy_dir_names
, direction
,
2839 strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
2847 METHOD(kernel_ipsec_t
, flush_policies
, status_t
,
2848 private_kernel_pfkey_ipsec_t
*this)
2850 unsigned char request
[PFKEY_BUFFER_SIZE
];
2851 struct sadb_msg
*msg
, *out
;
2854 memset(&request
, 0, sizeof(request
));
2856 DBG2(DBG_KNL
, "flushing all policies from SPD");
2858 msg
= (struct sadb_msg
*)request
;
2859 msg
->sadb_msg_version
= PF_KEY_V2
;
2860 msg
->sadb_msg_type
= SADB_X_SPDFLUSH
;
2861 msg
->sadb_msg_satype
= SADB_SATYPE_UNSPEC
;
2862 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
2864 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
2866 DBG1(DBG_KNL
, "unable to flush SPD entries");
2869 else if (out
->sadb_msg_errno
)
2871 DBG1(DBG_KNL
, "unable to flush SPD entries: %s (%d)",
2872 strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
2881 * Register a socket for ACQUIRE/EXPIRE messages
2883 static status_t
register_pfkey_socket(private_kernel_pfkey_ipsec_t
*this,
2886 unsigned char request
[PFKEY_BUFFER_SIZE
];
2887 struct sadb_msg
*msg
, *out
;
2890 memset(&request
, 0, sizeof(request
));
2892 msg
= (struct sadb_msg
*)request
;
2893 msg
->sadb_msg_version
= PF_KEY_V2
;
2894 msg
->sadb_msg_type
= SADB_REGISTER
;
2895 msg
->sadb_msg_satype
= satype
;
2896 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
2898 if (pfkey_send_socket(this, this->socket_events
, msg
, &out
, &len
) != SUCCESS
)
2900 DBG1(DBG_KNL
, "unable to register PF_KEY socket");
2903 else if (out
->sadb_msg_errno
)
2905 DBG1(DBG_KNL
, "unable to register PF_KEY socket: %s (%d)",
2906 strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
2914 METHOD(kernel_ipsec_t
, bypass_socket
, bool,
2915 private_kernel_pfkey_ipsec_t
*this, int fd
, int family
)
2917 struct sadb_x_policy policy
;
2918 u_int sol
, ipsec_policy
;
2925 ipsec_policy
= IP_IPSEC_POLICY
;
2931 ipsec_policy
= IPV6_IPSEC_POLICY
;
2938 memset(&policy
, 0, sizeof(policy
));
2939 policy
.sadb_x_policy_len
= sizeof(policy
) / sizeof(u_int64_t
);
2940 policy
.sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
2941 policy
.sadb_x_policy_type
= IPSEC_POLICY_BYPASS
;
2943 policy
.sadb_x_policy_dir
= IPSEC_DIR_OUTBOUND
;
2944 if (setsockopt(fd
, sol
, ipsec_policy
, &policy
, sizeof(policy
)) < 0)
2946 DBG1(DBG_KNL
, "unable to set IPSEC_POLICY on socket: %s",
2950 policy
.sadb_x_policy_dir
= IPSEC_DIR_INBOUND
;
2951 if (setsockopt(fd
, sol
, ipsec_policy
, &policy
, sizeof(policy
)) < 0)
2953 DBG1(DBG_KNL
, "unable to set IPSEC_POLICY on socket: %s",
2960 METHOD(kernel_ipsec_t
, enable_udp_decap
, bool,
2961 private_kernel_pfkey_ipsec_t
*this, int fd
, int family
, u_int16_t port
)
2964 int type
= UDP_ENCAP_ESPINUDP
;
2966 if (setsockopt(fd
, SOL_UDP
, UDP_ENCAP
, &type
, sizeof(type
)) < 0)
2968 DBG1(DBG_KNL
, "unable to set UDP_ENCAP: %s", strerror(errno
));
2971 #else /* __APPLE__ */
2974 if (sysctlbyname("net.inet.ipsec.esp_port", NULL
, NULL
, &intport
,
2975 sizeof(intport
)) != 0)
2977 DBG1(DBG_KNL
, "could not set net.inet.ipsec.esp_port to %d: %s",
2978 port
, strerror(errno
));
2981 #endif /* __APPLE__ */
2986 METHOD(kernel_ipsec_t
, destroy
, void,
2987 private_kernel_pfkey_ipsec_t
*this)
2989 if (this->socket
> 0)
2991 close(this->socket
);
2993 if (this->socket_events
> 0)
2995 lib
->watcher
->remove(lib
->watcher
, this->socket_events
);
2996 close(this->socket_events
);
2998 this->policies
->invoke_function(this->policies
,
2999 (linked_list_invoke_t
)policy_entry_destroy
,
3001 this->policies
->destroy(this->policies
);
3002 this->excludes
->destroy(this->excludes
);
3003 this->sas
->destroy(this->sas
);
3004 this->mutex
->destroy(this->mutex
);
3005 this->mutex_pfkey
->destroy(this->mutex_pfkey
);
3010 * Described in header.
3012 kernel_pfkey_ipsec_t
*kernel_pfkey_ipsec_create()
3014 private_kernel_pfkey_ipsec_t
*this;
3015 bool register_for_events
= TRUE
;
3021 .get_spi
= _get_spi
,
3022 .get_cpi
= _get_cpi
,
3024 .update_sa
= _update_sa
,
3025 .query_sa
= _query_sa
,
3027 .flush_sas
= _flush_sas
,
3028 .add_policy
= _add_policy
,
3029 .query_policy
= _query_policy
,
3030 .del_policy
= _del_policy
,
3031 .flush_policies
= _flush_policies
,
3032 .bypass_socket
= _bypass_socket
,
3033 .enable_udp_decap
= _enable_udp_decap
,
3034 .destroy
= _destroy
,
3037 .policies
= linked_list_create(),
3038 .excludes
= linked_list_create(),
3039 .sas
= hashtable_create((hashtable_hash_t
)ipsec_sa_hash
,
3040 (hashtable_equals_t
)ipsec_sa_equals
, 32),
3041 .mutex
= mutex_create(MUTEX_TYPE_DEFAULT
),
3042 .mutex_pfkey
= mutex_create(MUTEX_TYPE_DEFAULT
),
3043 .install_routes
= lib
->settings
->get_bool(lib
->settings
,
3044 "%s.install_routes", TRUE
,
3048 if (streq(lib
->ns
, "starter"))
3049 { /* starter has no threads, so we do not register for kernel events */
3050 register_for_events
= FALSE
;
3053 /* create a PF_KEY socket to communicate with the kernel */
3054 this->socket
= socket(PF_KEY
, SOCK_RAW
, PF_KEY_V2
);
3055 if (this->socket
<= 0)
3057 DBG1(DBG_KNL
, "unable to create PF_KEY socket");
3062 if (register_for_events
)
3064 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
3065 this->socket_events
= socket(PF_KEY
, SOCK_RAW
, PF_KEY_V2
);
3066 if (this->socket_events
<= 0)
3068 DBG1(DBG_KNL
, "unable to create PF_KEY event socket");
3073 rcv_buffer
= lib
->settings
->get_int(lib
->settings
,
3074 "%s.plugins.kernel-pfkey.events_buffer_size", 0, lib
->ns
);
3077 if (setsockopt(this->socket_events
, SOL_SOCKET
, SO_RCVBUF
,
3078 &rcv_buffer
, sizeof(rcv_buffer
)) == -1)
3080 DBG1(DBG_KNL
, "unable to set receive buffer size on PF_KEY "
3081 "event socket: %s", strerror(errno
));
3085 /* register the event socket */
3086 if (register_pfkey_socket(this, SADB_SATYPE_ESP
) != SUCCESS
||
3087 register_pfkey_socket(this, SADB_SATYPE_AH
) != SUCCESS
)
3089 DBG1(DBG_KNL
, "unable to register PF_KEY event socket");
3094 lib
->watcher
->add(lib
->watcher
, this->socket_events
, WATCHER_READ
,
3095 (watcher_cb_t
)receive_events
, this);
3098 return &this->public;