cfc66e8036a622282036c0c7d9c0ed838ebe1b2b
[strongswan.git] / src / libhydra / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2010 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef __FreeBSD__
21 #include <limits.h> /* for LONG_MAX */
22 #endif
23
24 #ifdef HAVE_NET_PFKEYV2_H
25 #include <net/pfkeyv2.h>
26 #else
27 #include <stdint.h>
28 #include <linux/pfkeyv2.h>
29 #endif
30
31 #ifdef SADB_X_EXT_NAT_T_TYPE
32 #define HAVE_NATT
33 #endif
34
35 #ifdef HAVE_NETIPSEC_IPSEC_H
36 #include <netipsec/ipsec.h>
37 #elif defined(HAVE_NETINET6_IPSEC_H)
38 #include <netinet6/ipsec.h>
39 #else
40 #include <linux/ipsec.h>
41 #endif
42
43 #ifdef HAVE_NATT
44 #ifdef HAVE_LINUX_UDP_H
45 #include <linux/udp.h>
46 #else
47 #include <netinet/udp.h>
48 #endif /*HAVE_LINUX_UDP_H*/
49 #endif /*HAVE_NATT*/
50
51 #include <unistd.h>
52 #include <time.h>
53 #include <errno.h>
54
55 #include "kernel_pfkey_ipsec.h"
56
57 #include <hydra.h>
58 #include <debug.h>
59 #include <utils/host.h>
60 #include <utils/linked_list.h>
61 #include <threading/thread.h>
62 #include <threading/mutex.h>
63 #include <processing/jobs/callback_job.h>
64
65 /** non linux specific */
66 #ifndef IPPROTO_COMP
67 #ifdef IPPROTO_IPCOMP
68 #define IPPROTO_COMP IPPROTO_IPCOMP
69 #endif
70 #endif
71
72 #ifndef SADB_X_AALG_SHA2_256HMAC
73 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
74 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
75 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
76 #endif
77
78 #ifndef SADB_X_EALG_AESCBC
79 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
80 #endif
81
82 #ifndef SADB_X_EALG_CASTCBC
83 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
84 #endif
85
86 #ifndef SOL_IP
87 #define SOL_IP IPPROTO_IP
88 #define SOL_IPV6 IPPROTO_IPV6
89 #endif
90
91 /** from linux/in.h */
92 #ifndef IP_IPSEC_POLICY
93 #define IP_IPSEC_POLICY 16
94 #endif
95
96 /** missing on uclibc */
97 #ifndef IPV6_IPSEC_POLICY
98 #define IPV6_IPSEC_POLICY 34
99 #endif
100
101 /** default priority of installed policies */
102 #define PRIO_LOW 1024
103 #define PRIO_HIGH 512
104
105 #ifdef __APPLE__
106 /** from xnu/bsd/net/pfkeyv2.h */
107 #define SADB_X_EXT_NATT 0x002
108 struct sadb_sa_2 {
109 struct sadb_sa sa;
110 u_int16_t sadb_sa_natt_port;
111 u_int16_t sadb_reserved0;
112 u_int32_t sadb_reserved1;
113 };
114 #endif
115
116 /** buffer size for PF_KEY messages */
117 #define PFKEY_BUFFER_SIZE 4096
118
119 /** PF_KEY messages are 64 bit aligned */
120 #define PFKEY_ALIGNMENT 8
121 /** aligns len to 64 bits */
122 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
123 /** calculates the properly padded length in 64 bit chunks */
124 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
125 /** calculates user mode length i.e. in bytes */
126 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
127
128 /** given a PF_KEY message header and an extension this updates the length in the header */
129 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
130 /** given a PF_KEY message header this returns a pointer to the next extension */
131 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
132 /** copy an extension and append it to a PF_KEY message */
133 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
134 /** given a PF_KEY extension this returns a pointer to the next extension */
135 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
136 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
137 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
138 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
139 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
140 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
141 (ext)->sadb_ext_len <= (len))
142
143 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
144
145 /**
146 * Private variables and functions of kernel_pfkey class.
147 */
148 struct private_kernel_pfkey_ipsec_t
149 {
150 /**
151 * Public part of the kernel_pfkey_t object.
152 */
153 kernel_pfkey_ipsec_t public;
154
155 /**
156 * mutex to lock access to various lists
157 */
158 mutex_t *mutex;
159
160 /**
161 * List of installed policies (policy_entry_t)
162 */
163 linked_list_t *policies;
164
165 /**
166 * whether to install routes along policies
167 */
168 bool install_routes;
169
170 /**
171 * job receiving PF_KEY events
172 */
173 callback_job_t *job;
174
175 /**
176 * mutex to lock access to the PF_KEY socket
177 */
178 mutex_t *mutex_pfkey;
179
180 /**
181 * PF_KEY socket to communicate with the kernel
182 */
183 int socket;
184
185 /**
186 * PF_KEY socket to receive acquire and expire events
187 */
188 int socket_events;
189
190 /**
191 * sequence number for messages sent to the kernel
192 */
193 int seq;
194 };
195
196 typedef struct route_entry_t route_entry_t;
197
198 /**
199 * installed routing entry
200 */
201 struct route_entry_t {
202 /** Name of the interface the route is bound to */
203 char *if_name;
204
205 /** Source ip of the route */
206 host_t *src_ip;
207
208 /** gateway for this route */
209 host_t *gateway;
210
211 /** Destination net */
212 chunk_t dst_net;
213
214 /** Destination net prefixlen */
215 u_int8_t prefixlen;
216 };
217
218 /**
219 * destroy an route_entry_t object
220 */
221 static void route_entry_destroy(route_entry_t *this)
222 {
223 free(this->if_name);
224 DESTROY_IF(this->src_ip);
225 DESTROY_IF(this->gateway);
226 chunk_free(&this->dst_net);
227 free(this);
228 }
229
230 typedef struct policy_entry_t policy_entry_t;
231
232 /**
233 * installed kernel policy.
234 */
235 struct policy_entry_t {
236
237 /** reqid of this policy */
238 u_int32_t reqid;
239
240 /** index assigned by the kernel */
241 u_int32_t index;
242
243 /** direction of this policy: in, out, forward */
244 u_int8_t direction;
245
246 /** parameters of installed policy */
247 struct {
248 /** subnet and port */
249 host_t *net;
250 /** subnet mask */
251 u_int8_t mask;
252 /** protocol */
253 u_int8_t proto;
254 } src, dst;
255
256 /** associated route installed for this policy */
257 route_entry_t *route;
258
259 /** by how many CHILD_SA's this policy is used */
260 u_int refcount;
261 };
262
263 /**
264 * create a policy_entry_t object
265 */
266 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
267 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
268 {
269 policy_entry_t *policy = malloc_thing(policy_entry_t);
270 policy->reqid = reqid;
271 policy->index = 0;
272 policy->direction = dir;
273 policy->route = NULL;
274 policy->refcount = 0;
275
276 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
277 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
278
279 /* src or dest proto may be "any" (0), use more restrictive one */
280 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
281 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
282 policy->dst.proto = policy->src.proto;
283
284 return policy;
285 }
286
287 /**
288 * destroy a policy_entry_t object
289 */
290 static void policy_entry_destroy(policy_entry_t *this)
291 {
292 DESTROY_IF(this->src.net);
293 DESTROY_IF(this->dst.net);
294 if (this->route)
295 {
296 route_entry_destroy(this->route);
297 }
298 free(this);
299 }
300
301 /**
302 * compares two policy_entry_t
303 */
304 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
305 {
306 return current->direction == policy->direction &&
307 current->src.proto == policy->src.proto &&
308 current->dst.proto == policy->dst.proto &&
309 current->src.mask == policy->src.mask &&
310 current->dst.mask == policy->dst.mask &&
311 current->src.net->equals(current->src.net, policy->src.net) &&
312 current->dst.net->equals(current->dst.net, policy->dst.net);
313 }
314
315 /**
316 * compare the given kernel index with that of a policy
317 */
318 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
319 {
320 return current->index == *index;
321 }
322
323 typedef struct pfkey_msg_t pfkey_msg_t;
324
325 struct pfkey_msg_t
326 {
327 /**
328 * PF_KEY message base
329 */
330 struct sadb_msg *msg;
331
332 /**
333 * PF_KEY message extensions
334 */
335 union {
336 struct sadb_ext *ext[SADB_EXT_MAX + 1];
337 struct {
338 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
339 struct sadb_sa *sa; /* SADB_EXT_SA */
340 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
341 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
342 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
343 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
344 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
345 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
346 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
347 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
348 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
349 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
350 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
351 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
352 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
353 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
354 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
355 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
356 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
357 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
358 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
359 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
360 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
361 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
362 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
363 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
364 } __attribute__((__packed__));
365 };
366 };
367
368 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
369 "SADB_EXT_RESERVED",
370 "SADB_EXT_SA",
371 "SADB_EXT_LIFETIME_CURRENT",
372 "SADB_EXT_LIFETIME_HARD",
373 "SADB_EXT_LIFETIME_SOFT",
374 "SADB_EXT_ADDRESS_SRC",
375 "SADB_EXT_ADDRESS_DST",
376 "SADB_EXT_ADDRESS_PROXY",
377 "SADB_EXT_KEY_AUTH",
378 "SADB_EXT_KEY_ENCRYPT",
379 "SADB_EXT_IDENTITY_SRC",
380 "SADB_EXT_IDENTITY_DST",
381 "SADB_EXT_SENSITIVITY",
382 "SADB_EXT_PROPOSAL",
383 "SADB_EXT_SUPPORTED_AUTH",
384 "SADB_EXT_SUPPORTED_ENCRYPT",
385 "SADB_EXT_SPIRANGE",
386 "SADB_X_EXT_KMPRIVATE",
387 "SADB_X_EXT_POLICY",
388 "SADB_X_EXT_SA2",
389 "SADB_X_EXT_NAT_T_TYPE",
390 "SADB_X_EXT_NAT_T_SPORT",
391 "SADB_X_EXT_NAT_T_DPORT",
392 "SADB_X_EXT_NAT_T_OA",
393 "SADB_X_EXT_SEC_CTX",
394 "SADB_X_EXT_KMADDRESS"
395 );
396
397 /**
398 * convert a protocol identifier to the PF_KEY sa type
399 */
400 static u_int8_t proto2satype(u_int8_t proto)
401 {
402 switch (proto)
403 {
404 case IPPROTO_ESP:
405 return SADB_SATYPE_ESP;
406 case IPPROTO_AH:
407 return SADB_SATYPE_AH;
408 case IPPROTO_COMP:
409 return SADB_X_SATYPE_IPCOMP;
410 default:
411 return proto;
412 }
413 }
414
415 /**
416 * convert a PF_KEY sa type to a protocol identifier
417 */
418 static u_int8_t satype2proto(u_int8_t satype)
419 {
420 switch (satype)
421 {
422 case SADB_SATYPE_ESP:
423 return IPPROTO_ESP;
424 case SADB_SATYPE_AH:
425 return IPPROTO_AH;
426 case SADB_X_SATYPE_IPCOMP:
427 return IPPROTO_COMP;
428 default:
429 return satype;
430 }
431 }
432
433 /**
434 * convert the general ipsec mode to the one defined in ipsec.h
435 */
436 static u_int8_t mode2kernel(ipsec_mode_t mode)
437 {
438 switch (mode)
439 {
440 case MODE_TRANSPORT:
441 return IPSEC_MODE_TRANSPORT;
442 case MODE_TUNNEL:
443 return IPSEC_MODE_TUNNEL;
444 #ifdef HAVE_IPSEC_MODE_BEET
445 case MODE_BEET:
446 return IPSEC_MODE_BEET;
447 #endif
448 default:
449 return mode;
450 }
451 }
452
453 /**
454 * convert the general policy direction to the one defined in ipsec.h
455 */
456 static u_int8_t dir2kernel(policy_dir_t dir)
457 {
458 switch (dir)
459 {
460 case POLICY_IN:
461 return IPSEC_DIR_INBOUND;
462 case POLICY_OUT:
463 return IPSEC_DIR_OUTBOUND;
464 #ifdef HAVE_IPSEC_DIR_FWD
465 case POLICY_FWD:
466 return IPSEC_DIR_FWD;
467 #endif
468 default:
469 return IPSEC_DIR_INVALID;
470 }
471 }
472
473 #ifdef SADB_X_MIGRATE
474 /**
475 * convert the policy direction in ipsec.h to the general one.
476 */
477 static policy_dir_t kernel2dir(u_int8_t dir)
478 {
479 switch (dir)
480 {
481 case IPSEC_DIR_INBOUND:
482 return POLICY_IN;
483 case IPSEC_DIR_OUTBOUND:
484 return POLICY_OUT;
485 #ifdef HAVE_IPSEC_DIR_FWD
486 case IPSEC_DIR_FWD:
487 return POLICY_FWD;
488 #endif
489 default:
490 return dir;
491 }
492 }
493 #endif /*SADB_X_MIGRATE*/
494
495 typedef struct kernel_algorithm_t kernel_algorithm_t;
496
497 /**
498 * Mapping of IKEv2 algorithms to PF_KEY algorithms
499 */
500 struct kernel_algorithm_t {
501 /**
502 * Identifier specified in IKEv2
503 */
504 int ikev2;
505
506 /**
507 * Identifier as defined in pfkeyv2.h
508 */
509 int kernel;
510 };
511
512 #define END_OF_LIST -1
513
514 /**
515 * Algorithms for encryption
516 */
517 static kernel_algorithm_t encryption_algs[] = {
518 /* {ENCR_DES_IV64, 0 }, */
519 {ENCR_DES, SADB_EALG_DESCBC },
520 {ENCR_3DES, SADB_EALG_3DESCBC },
521 /* {ENCR_RC5, 0 }, */
522 /* {ENCR_IDEA, 0 }, */
523 {ENCR_CAST, SADB_X_EALG_CASTCBC },
524 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
525 /* {ENCR_3IDEA, 0 }, */
526 /* {ENCR_DES_IV32, 0 }, */
527 {ENCR_NULL, SADB_EALG_NULL },
528 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
529 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
530 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
531 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
532 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
533 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
534 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
535 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
536 {END_OF_LIST, 0 },
537 };
538
539 /**
540 * Algorithms for integrity protection
541 */
542 static kernel_algorithm_t integrity_algs[] = {
543 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
544 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
545 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
546 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
547 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
548 /* {AUTH_DES_MAC, 0, }, */
549 /* {AUTH_KPDK_MD5, 0, }, */
550 #ifdef SADB_X_AALG_AES_XCBC_MAC
551 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
552 #endif
553 {END_OF_LIST, 0, },
554 };
555
556 #if 0
557 /**
558 * Algorithms for IPComp, unused yet
559 */
560 static kernel_algorithm_t compression_algs[] = {
561 /* {IPCOMP_OUI, 0 }, */
562 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
563 {IPCOMP_LZS, SADB_X_CALG_LZS },
564 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
565 {END_OF_LIST, 0 },
566 };
567 #endif
568
569 /**
570 * Look up a kernel algorithm ID and its key size
571 */
572 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
573 {
574 while (list->ikev2 != END_OF_LIST)
575 {
576 if (ikev2 == list->ikev2)
577 {
578 return list->kernel;
579 }
580 list++;
581 }
582 return 0;
583 }
584
585 /**
586 * Copy a host_t as sockaddr_t to the given memory location. Ports are
587 * reset to zero as per RFC 2367.
588 * @return the number of bytes copied
589 */
590 static size_t hostcpy(void *dest, host_t *host)
591 {
592 sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
593 socklen_t *len = host->get_sockaddr_len(host);
594 memcpy(dest, addr, *len);
595 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
596 dest_addr->sa_len = *len;
597 #endif
598 switch (dest_addr->sa_family)
599 {
600 case AF_INET:
601 {
602 struct sockaddr_in *sin = dest;
603 sin->sin_port = 0;
604 break;
605 }
606 case AF_INET6:
607 {
608 struct sockaddr_in6 *sin6 = dest;
609 sin6->sin6_port = 0;
610 break;
611 }
612 }
613 return *len;
614 }
615
616 /**
617 * add a host behind an sadb_address extension
618 */
619 static void host2ext(host_t *host, struct sadb_address *ext)
620 {
621 size_t len = hostcpy(ext + 1, host);
622 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len);
623 }
624
625 /**
626 * add a host to the given sadb_msg
627 */
628 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
629 u_int8_t proto, u_int8_t prefixlen)
630 {
631 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
632 addr->sadb_address_exttype = type;
633 addr->sadb_address_proto = proto;
634 addr->sadb_address_prefixlen = prefixlen;
635 host2ext(host, addr);
636 PFKEY_EXT_ADD(msg, addr);
637 }
638
639 /**
640 * adds an empty address extension to the given sadb_msg
641 */
642 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
643 {
644 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
645 sizeof(struct sockaddr_in6);
646 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
647 addr->sadb_address_exttype = type;
648 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
649 saddr->sa_family = family;
650 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
651 saddr->sa_len = len;
652 #endif
653 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
654 PFKEY_EXT_ADD(msg, addr);
655 }
656
657 #ifdef HAVE_NATT
658 /**
659 * add udp encap extensions to a sadb_msg
660 */
661 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
662 {
663 struct sadb_x_nat_t_type* nat_type;
664 struct sadb_x_nat_t_port* nat_port;
665
666 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
667 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
668 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
669 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
670 PFKEY_EXT_ADD(msg, nat_type);
671
672 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
673 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
674 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
675 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
676 PFKEY_EXT_ADD(msg, nat_port);
677
678 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
679 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
680 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
681 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
682 PFKEY_EXT_ADD(msg, nat_port);
683 }
684 #endif /*HAVE_NATT*/
685
686 /**
687 * Convert a sadb_address to a traffic_selector
688 */
689 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
690 {
691 traffic_selector_t *ts;
692 host_t *host;
693
694 /* The Linux 2.6 kernel does not set the protocol and port information
695 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
696 */
697 host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
698 ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
699 address->sadb_address_proto, host->get_port(host));
700 return ts;
701 }
702
703 /**
704 * Parses a pfkey message received from the kernel
705 */
706 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
707 {
708 struct sadb_ext* ext;
709 size_t len;
710
711 memset(out, 0, sizeof(pfkey_msg_t));
712 out->msg = msg;
713
714 len = msg->sadb_msg_len;
715 len -= PFKEY_LEN(sizeof(struct sadb_msg));
716
717 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
718
719 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
720 {
721 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
722 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
723 ext->sadb_ext_len > len)
724 {
725 DBG1(DBG_KNL, "length of %N extension is invalid",
726 sadb_ext_type_names, ext->sadb_ext_type);
727 break;
728 }
729
730 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
731 {
732 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
733 break;
734 }
735
736 if (out->ext[ext->sadb_ext_type])
737 {
738 DBG1(DBG_KNL, "duplicate %N extension",
739 sadb_ext_type_names, ext->sadb_ext_type);
740 break;
741 }
742
743 out->ext[ext->sadb_ext_type] = ext;
744 ext = PFKEY_EXT_NEXT_LEN(ext, len);
745 }
746
747 if (len)
748 {
749 DBG1(DBG_KNL, "PF_KEY message length is invalid");
750 return FAILED;
751 }
752
753 return SUCCESS;
754 }
755
756 /**
757 * Send a message to a specific PF_KEY socket and handle the response.
758 */
759 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
760 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
761 {
762 unsigned char buf[PFKEY_BUFFER_SIZE];
763 struct sadb_msg *msg;
764 int in_len, len;
765
766 this->mutex_pfkey->lock(this->mutex_pfkey);
767
768 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
769 * in particular the behavior in response to an SADB_ACQUIRE. */
770 in->sadb_msg_seq = ++this->seq;
771 in->sadb_msg_pid = getpid();
772
773 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
774
775 while (TRUE)
776 {
777 len = send(socket, in, in_len, 0);
778
779 if (len != in_len)
780 {
781 if (errno == EINTR)
782 {
783 /* interrupted, try again */
784 continue;
785 }
786 this->mutex_pfkey->unlock(this->mutex_pfkey);
787 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
788 return FAILED;
789 }
790 break;
791 }
792
793 while (TRUE)
794 {
795 msg = (struct sadb_msg*)buf;
796
797 len = recv(socket, buf, sizeof(buf), 0);
798
799 if (len < 0)
800 {
801 if (errno == EINTR)
802 {
803 DBG1(DBG_KNL, "got interrupted");
804 /* interrupted, try again */
805 continue;
806 }
807 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
808 this->mutex_pfkey->unlock(this->mutex_pfkey);
809 return FAILED;
810 }
811 if (len < sizeof(struct sadb_msg) ||
812 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
813 {
814 DBG1(DBG_KNL, "received corrupted PF_KEY message");
815 this->mutex_pfkey->unlock(this->mutex_pfkey);
816 return FAILED;
817 }
818 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
819 {
820 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
821 this->mutex_pfkey->unlock(this->mutex_pfkey);
822 return FAILED;
823 }
824 if (msg->sadb_msg_pid != in->sadb_msg_pid)
825 {
826 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
827 continue;
828 }
829 if (msg->sadb_msg_seq != this->seq)
830 {
831 DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
832 "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
833 if (msg->sadb_msg_seq == 0)
834 {
835 /* FreeBSD and Mac OS X do this for the response to
836 * SADB_X_SPDGET (but not for the response to SADB_GET).
837 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
838 }
839 else if (msg->sadb_msg_seq < this->seq)
840 {
841 continue;
842 }
843 else
844 {
845 this->mutex_pfkey->unlock(this->mutex_pfkey);
846 return FAILED;
847 }
848 }
849 if (msg->sadb_msg_type != in->sadb_msg_type)
850 {
851 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
852 "was %d expected %d, ignoring",
853 msg->sadb_msg_type, in->sadb_msg_type);
854 }
855 break;
856 }
857
858 *out_len = len;
859 *out = (struct sadb_msg*)malloc(len);
860 memcpy(*out, buf, len);
861
862 this->mutex_pfkey->unlock(this->mutex_pfkey);
863
864 return SUCCESS;
865 }
866
867 /**
868 * Send a message to the default PF_KEY socket and handle the response.
869 */
870 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
871 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
872 {
873 return pfkey_send_socket(this, this->socket, in, out, out_len);
874 }
875
876 /**
877 * Process a SADB_ACQUIRE message from the kernel
878 */
879 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
880 {
881 pfkey_msg_t response;
882 u_int32_t index, reqid = 0;
883 traffic_selector_t *src_ts, *dst_ts;
884 policy_entry_t *policy;
885
886 switch (msg->sadb_msg_satype)
887 {
888 case SADB_SATYPE_UNSPEC:
889 case SADB_SATYPE_ESP:
890 case SADB_SATYPE_AH:
891 break;
892 default:
893 /* acquire for AH/ESP only */
894 return;
895 }
896 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
897
898 if (parse_pfkey_message(msg, &response) != SUCCESS)
899 {
900 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
901 return;
902 }
903
904 index = response.x_policy->sadb_x_policy_id;
905 this->mutex->lock(this->mutex);
906 if (this->policies->find_first(this->policies,
907 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) == SUCCESS)
908 {
909 reqid = policy->reqid;
910 }
911 else
912 {
913 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no"
914 " matching policy found", index);
915 }
916 src_ts = sadb_address2ts(response.src);
917 dst_ts = sadb_address2ts(response.dst);
918 this->mutex->unlock(this->mutex);
919
920 hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
921 dst_ts);
922 }
923
924 /**
925 * Process a SADB_EXPIRE message from the kernel
926 */
927 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
928 {
929 pfkey_msg_t response;
930 u_int8_t protocol;
931 u_int32_t spi, reqid;
932 bool hard;
933
934 DBG2(DBG_KNL, "received an SADB_EXPIRE");
935
936 if (parse_pfkey_message(msg, &response) != SUCCESS)
937 {
938 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
939 return;
940 }
941
942 protocol = satype2proto(msg->sadb_msg_satype);
943 spi = response.sa->sadb_sa_spi;
944 reqid = response.x_sa2->sadb_x_sa2_reqid;
945 hard = response.lft_hard != NULL;
946
947 if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
948 {
949 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
950 "which is not a CHILD_SA", ntohl(spi), reqid);
951 return;
952 }
953
954 hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
955 spi, hard);
956 }
957
958 #ifdef SADB_X_MIGRATE
959 /**
960 * Process a SADB_X_MIGRATE message from the kernel
961 */
962 static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
963 {
964 pfkey_msg_t response;
965 traffic_selector_t *src_ts, *dst_ts;
966 policy_dir_t dir;
967 u_int32_t reqid = 0;
968 host_t *local = NULL, *remote = NULL;
969
970 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
971
972 if (parse_pfkey_message(msg, &response) != SUCCESS)
973 {
974 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
975 return;
976 }
977 src_ts = sadb_address2ts(response.src);
978 dst_ts = sadb_address2ts(response.dst);
979 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
980 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
981 policy_dir_names, dir);
982
983 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
984 if (response.x_kmaddress)
985 {
986 sockaddr_t *local_addr, *remote_addr;
987 u_int32_t local_len;
988
989 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
990 local = host_create_from_sockaddr(local_addr);
991 local_len = (local_addr->sa_family == AF_INET6)?
992 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
993 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
994 remote = host_create_from_sockaddr(remote_addr);
995 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
996 }
997
998 if (src_ts && dst_ts && local && remote)
999 {
1000 hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
1001 src_ts, dst_ts, dir, local, remote);
1002 }
1003 else
1004 {
1005 DESTROY_IF(src_ts);
1006 DESTROY_IF(dst_ts);
1007 DESTROY_IF(local);
1008 DESTROY_IF(remote);
1009 }
1010 }
1011 #endif /*SADB_X_MIGRATE*/
1012
1013 #ifdef SADB_X_NAT_T_NEW_MAPPING
1014 /**
1015 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1016 */
1017 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
1018 {
1019 pfkey_msg_t response;
1020 u_int32_t spi, reqid;
1021 host_t *host;
1022
1023 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1024
1025 if (parse_pfkey_message(msg, &response) != SUCCESS)
1026 {
1027 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1028 return;
1029 }
1030
1031 if (!response.x_sa2)
1032 {
1033 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required "
1034 "information");
1035 return;
1036 }
1037
1038 spi = response.sa->sadb_sa_spi;
1039 reqid = response.x_sa2->sadb_x_sa2_reqid;
1040
1041 if (satype2proto(msg->sadb_msg_satype) == IPPROTO_ESP)
1042 {
1043 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
1044 switch (sa->sa_family)
1045 {
1046 case AF_INET:
1047 {
1048 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1049 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1050 }
1051 case AF_INET6:
1052 {
1053 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1054 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1055 }
1056 default:
1057 break;
1058 }
1059 host = host_create_from_sockaddr(sa);
1060 if (host)
1061 {
1062 hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
1063 spi, host);
1064 }
1065 }
1066 }
1067 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1068
1069 /**
1070 * Receives events from kernel
1071 */
1072 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1073 {
1074 unsigned char buf[PFKEY_BUFFER_SIZE];
1075 struct sadb_msg *msg = (struct sadb_msg*)buf;
1076 int len;
1077 bool oldstate;
1078
1079 oldstate = thread_cancelability(TRUE);
1080 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1081 thread_cancelability(oldstate);
1082
1083 if (len < 0)
1084 {
1085 switch (errno)
1086 {
1087 case EINTR:
1088 /* interrupted, try again */
1089 return JOB_REQUEUE_DIRECT;
1090 case EAGAIN:
1091 /* no data ready, select again */
1092 return JOB_REQUEUE_DIRECT;
1093 default:
1094 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1095 sleep(1);
1096 return JOB_REQUEUE_FAIR;
1097 }
1098 }
1099
1100 if (len < sizeof(struct sadb_msg) ||
1101 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1102 {
1103 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1104 return JOB_REQUEUE_DIRECT;
1105 }
1106 if (msg->sadb_msg_pid != 0)
1107 { /* not from kernel. not interested, try another one */
1108 return JOB_REQUEUE_DIRECT;
1109 }
1110 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1111 {
1112 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
1113 return JOB_REQUEUE_DIRECT;
1114 }
1115
1116 switch (msg->sadb_msg_type)
1117 {
1118 case SADB_ACQUIRE:
1119 process_acquire(this, msg);
1120 break;
1121 case SADB_EXPIRE:
1122 process_expire(this, msg);
1123 break;
1124 #ifdef SADB_X_MIGRATE
1125 case SADB_X_MIGRATE:
1126 process_migrate(this, msg);
1127 break;
1128 #endif /*SADB_X_MIGRATE*/
1129 #ifdef SADB_X_NAT_T_NEW_MAPPING
1130 case SADB_X_NAT_T_NEW_MAPPING:
1131 process_mapping(this, msg);
1132 break;
1133 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1134 default:
1135 break;
1136 }
1137
1138 return JOB_REQUEUE_DIRECT;
1139 }
1140
1141 METHOD(kernel_ipsec_t, get_spi, status_t,
1142 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1143 u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
1144 {
1145 unsigned char request[PFKEY_BUFFER_SIZE];
1146 struct sadb_msg *msg, *out;
1147 struct sadb_x_sa2 *sa2;
1148 struct sadb_spirange *range;
1149 pfkey_msg_t response;
1150 u_int32_t received_spi = 0;
1151 size_t len;
1152
1153 memset(&request, 0, sizeof(request));
1154
1155 msg = (struct sadb_msg*)request;
1156 msg->sadb_msg_version = PF_KEY_V2;
1157 msg->sadb_msg_type = SADB_GETSPI;
1158 msg->sadb_msg_satype = proto2satype(protocol);
1159 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1160
1161 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1162 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1163 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1164 sa2->sadb_x_sa2_reqid = reqid;
1165 PFKEY_EXT_ADD(msg, sa2);
1166
1167 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1168 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1169
1170 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1171 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1172 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1173 range->sadb_spirange_min = 0xc0000000;
1174 range->sadb_spirange_max = 0xcFFFFFFF;
1175 PFKEY_EXT_ADD(msg, range);
1176
1177 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1178 {
1179 if (out->sadb_msg_errno)
1180 {
1181 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1182 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1183 }
1184 else if (parse_pfkey_message(out, &response) == SUCCESS)
1185 {
1186 received_spi = response.sa->sadb_sa_spi;
1187 }
1188 free(out);
1189 }
1190
1191 if (received_spi == 0)
1192 {
1193 return FAILED;
1194 }
1195
1196 *spi = received_spi;
1197 return SUCCESS;
1198 }
1199
1200 METHOD(kernel_ipsec_t, get_cpi, status_t,
1201 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1202 u_int32_t reqid, u_int16_t *cpi)
1203 {
1204 return FAILED;
1205 }
1206
1207 METHOD(kernel_ipsec_t, add_sa, status_t,
1208 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
1209 u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
1210 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
1211 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
1212 u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
1213 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
1214 {
1215 unsigned char request[PFKEY_BUFFER_SIZE];
1216 struct sadb_msg *msg, *out;
1217 struct sadb_sa *sa;
1218 struct sadb_x_sa2 *sa2;
1219 struct sadb_lifetime *lft;
1220 struct sadb_key *key;
1221 size_t len;
1222
1223 memset(&request, 0, sizeof(request));
1224
1225 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi), reqid);
1226
1227 msg = (struct sadb_msg*)request;
1228 msg->sadb_msg_version = PF_KEY_V2;
1229 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1230 msg->sadb_msg_satype = proto2satype(protocol);
1231 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1232
1233 #ifdef __APPLE__
1234 if (encap)
1235 {
1236 struct sadb_sa_2 *sa_2;
1237 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1238 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1239 sa = &sa_2->sa;
1240 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1241 len = sizeof(struct sadb_sa_2);
1242 }
1243 else
1244 #endif
1245 {
1246 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1247 len = sizeof(struct sadb_sa);
1248 }
1249 sa->sadb_sa_exttype = SADB_EXT_SA;
1250 sa->sadb_sa_len = PFKEY_LEN(len);
1251 sa->sadb_sa_spi = spi;
1252 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1253 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1254 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1255 PFKEY_EXT_ADD(msg, sa);
1256
1257 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1258 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1259 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1260 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1261 sa2->sadb_x_sa2_reqid = reqid;
1262 PFKEY_EXT_ADD(msg, sa2);
1263
1264 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1265 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1266
1267 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1268 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1269 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1270 lft->sadb_lifetime_allocations = lifetime->packets.rekey;
1271 lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
1272 lft->sadb_lifetime_addtime = lifetime->time.rekey;
1273 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1274 PFKEY_EXT_ADD(msg, lft);
1275
1276 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1277 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1278 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1279 lft->sadb_lifetime_allocations = lifetime->packets.life;
1280 lft->sadb_lifetime_bytes = lifetime->bytes.life;
1281 lft->sadb_lifetime_addtime = lifetime->time.life;
1282 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1283 PFKEY_EXT_ADD(msg, lft);
1284
1285 if (enc_alg != ENCR_UNDEFINED)
1286 {
1287 if (!sa->sadb_sa_encrypt)
1288 {
1289 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1290 encryption_algorithm_names, enc_alg);
1291 return FAILED;
1292 }
1293 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1294 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1295
1296 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1297 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1298 key->sadb_key_bits = enc_key.len * 8;
1299 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1300 memcpy(key + 1, enc_key.ptr, enc_key.len);
1301
1302 PFKEY_EXT_ADD(msg, key);
1303 }
1304
1305 if (int_alg != AUTH_UNDEFINED)
1306 {
1307 if (!sa->sadb_sa_auth)
1308 {
1309 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1310 integrity_algorithm_names, int_alg);
1311 return FAILED;
1312 }
1313 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1314 integrity_algorithm_names, int_alg, int_key.len * 8);
1315
1316 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1317 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1318 key->sadb_key_bits = int_key.len * 8;
1319 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1320 memcpy(key + 1, int_key.ptr, int_key.len);
1321
1322 PFKEY_EXT_ADD(msg, key);
1323 }
1324
1325 if (ipcomp != IPCOMP_NONE)
1326 {
1327 /*TODO*/
1328 }
1329
1330 #ifdef HAVE_NATT
1331 if (encap)
1332 {
1333 add_encap_ext(msg, src, dst);
1334 }
1335 #endif /*HAVE_NATT*/
1336
1337 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1338 {
1339 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1340 return FAILED;
1341 }
1342 else if (out->sadb_msg_errno)
1343 {
1344 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1345 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1346 free(out);
1347 return FAILED;
1348 }
1349
1350 free(out);
1351 return SUCCESS;
1352 }
1353
1354 METHOD(kernel_ipsec_t, update_sa, status_t,
1355 private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
1356 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1357 bool encap, bool new_encap, mark_t mark)
1358 {
1359 unsigned char request[PFKEY_BUFFER_SIZE];
1360 struct sadb_msg *msg, *out;
1361 struct sadb_sa *sa;
1362 pfkey_msg_t response;
1363 size_t len;
1364
1365 /* we can't update the SA if any of the ip addresses have changed.
1366 * that's because we can't use SADB_UPDATE and by deleting and readding the
1367 * SA the sequence numbers would get lost */
1368 if (!src->ip_equals(src, new_src) ||
1369 !dst->ip_equals(dst, new_dst))
1370 {
1371 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address changes"
1372 " are not supported", ntohl(spi));
1373 return NOT_SUPPORTED;
1374 }
1375
1376 memset(&request, 0, sizeof(request));
1377
1378 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1379
1380 msg = (struct sadb_msg*)request;
1381 msg->sadb_msg_version = PF_KEY_V2;
1382 msg->sadb_msg_type = SADB_GET;
1383 msg->sadb_msg_satype = proto2satype(protocol);
1384 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1385
1386 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1387 sa->sadb_sa_exttype = SADB_EXT_SA;
1388 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1389 sa->sadb_sa_spi = spi;
1390 PFKEY_EXT_ADD(msg, sa);
1391
1392 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1393 * it is not used for anything. */
1394 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1395 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1396
1397 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1398 {
1399 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1400 ntohl(spi));
1401 return FAILED;
1402 }
1403 else if (out->sadb_msg_errno)
1404 {
1405 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1406 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1407 free(out);
1408 return FAILED;
1409 }
1410 else if (parse_pfkey_message(out, &response) != SUCCESS)
1411 {
1412 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1413 "from kernel failed", ntohl(spi));
1414 free(out);
1415 return FAILED;
1416 }
1417
1418 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1419 ntohl(spi), src, dst, new_src, new_dst);
1420
1421 memset(&request, 0, sizeof(request));
1422
1423 msg = (struct sadb_msg*)request;
1424 msg->sadb_msg_version = PF_KEY_V2;
1425 msg->sadb_msg_type = SADB_UPDATE;
1426 msg->sadb_msg_satype = proto2satype(protocol);
1427 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1428
1429 #ifdef __APPLE__
1430 {
1431 struct sadb_sa_2 *sa_2;
1432 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1433 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1434 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1435 if (encap)
1436 {
1437 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1438 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1439 }
1440 }
1441 #else
1442 PFKEY_EXT_COPY(msg, response.sa);
1443 #endif
1444 PFKEY_EXT_COPY(msg, response.x_sa2);
1445
1446 PFKEY_EXT_COPY(msg, response.src);
1447 PFKEY_EXT_COPY(msg, response.dst);
1448
1449 PFKEY_EXT_COPY(msg, response.lft_soft);
1450 PFKEY_EXT_COPY(msg, response.lft_hard);
1451
1452 if (response.key_encr)
1453 {
1454 PFKEY_EXT_COPY(msg, response.key_encr);
1455 }
1456
1457 if (response.key_auth)
1458 {
1459 PFKEY_EXT_COPY(msg, response.key_auth);
1460 }
1461
1462 #ifdef HAVE_NATT
1463 if (new_encap)
1464 {
1465 add_encap_ext(msg, new_src, new_dst);
1466 }
1467 #endif /*HAVE_NATT*/
1468
1469 free(out);
1470
1471 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1472 {
1473 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1474 return FAILED;
1475 }
1476 else if (out->sadb_msg_errno)
1477 {
1478 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1479 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1480 free(out);
1481 return FAILED;
1482 }
1483 free(out);
1484
1485 return SUCCESS;
1486 }
1487
1488 METHOD(kernel_ipsec_t, query_sa, status_t,
1489 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1490 u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
1491 {
1492 unsigned char request[PFKEY_BUFFER_SIZE];
1493 struct sadb_msg *msg, *out;
1494 struct sadb_sa *sa;
1495 pfkey_msg_t response;
1496 size_t len;
1497
1498 memset(&request, 0, sizeof(request));
1499
1500 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1501
1502 msg = (struct sadb_msg*)request;
1503 msg->sadb_msg_version = PF_KEY_V2;
1504 msg->sadb_msg_type = SADB_GET;
1505 msg->sadb_msg_satype = proto2satype(protocol);
1506 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1507
1508 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1509 sa->sadb_sa_exttype = SADB_EXT_SA;
1510 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1511 sa->sadb_sa_spi = spi;
1512 PFKEY_EXT_ADD(msg, sa);
1513
1514 /* the Linux Kernel doesn't care for the src address, but other systems do
1515 * (e.g. FreeBSD)
1516 */
1517 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1518 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1519
1520 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1521 {
1522 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1523 return FAILED;
1524 }
1525 else if (out->sadb_msg_errno)
1526 {
1527 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1528 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1529 free(out);
1530 return FAILED;
1531 }
1532 else if (parse_pfkey_message(out, &response) != SUCCESS)
1533 {
1534 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1535 free(out);
1536 return FAILED;
1537 }
1538 *bytes = response.lft_current->sadb_lifetime_bytes;
1539
1540 free(out);
1541 return SUCCESS;
1542 }
1543
1544 METHOD(kernel_ipsec_t, del_sa, status_t,
1545 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1546 u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
1547 {
1548 unsigned char request[PFKEY_BUFFER_SIZE];
1549 struct sadb_msg *msg, *out;
1550 struct sadb_sa *sa;
1551 size_t len;
1552
1553 memset(&request, 0, sizeof(request));
1554
1555 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1556
1557 msg = (struct sadb_msg*)request;
1558 msg->sadb_msg_version = PF_KEY_V2;
1559 msg->sadb_msg_type = SADB_DELETE;
1560 msg->sadb_msg_satype = proto2satype(protocol);
1561 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1562
1563 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1564 sa->sadb_sa_exttype = SADB_EXT_SA;
1565 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1566 sa->sadb_sa_spi = spi;
1567 PFKEY_EXT_ADD(msg, sa);
1568
1569 /* the Linux Kernel doesn't care for the src address, but other systems do
1570 * (e.g. FreeBSD)
1571 */
1572 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1573 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1574
1575 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1576 {
1577 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1578 return FAILED;
1579 }
1580 else if (out->sadb_msg_errno)
1581 {
1582 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1583 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1584 free(out);
1585 return FAILED;
1586 }
1587
1588 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1589 free(out);
1590 return SUCCESS;
1591 }
1592
1593 METHOD(kernel_ipsec_t, add_policy, status_t,
1594 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1595 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
1596 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
1597 mark_t mark, bool routed)
1598 {
1599 unsigned char request[PFKEY_BUFFER_SIZE];
1600 struct sadb_msg *msg, *out;
1601 struct sadb_x_policy *pol;
1602 struct sadb_x_ipsecrequest *req;
1603 policy_entry_t *policy, *found = NULL;
1604 pfkey_msg_t response;
1605 size_t len;
1606
1607 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1608 {
1609 /* FWD policies are not supported on all platforms */
1610 return SUCCESS;
1611 }
1612
1613 /* create a policy */
1614 policy = create_policy_entry(src_ts, dst_ts, direction, sa->reqid);
1615
1616 /* find a matching policy */
1617 this->mutex->lock(this->mutex);
1618 if (this->policies->find_first(this->policies,
1619 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1620 {
1621 /* use existing policy, but cache the most recent reqid */
1622 found->refcount++;
1623 found->reqid = policy->reqid;
1624 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1625 "refcount", src_ts, dst_ts,
1626 policy_dir_names, direction);
1627 policy_entry_destroy(policy);
1628 policy = found;
1629 }
1630 else
1631 {
1632 /* apply the new one, if we have no such policy */
1633 this->policies->insert_last(this->policies, policy);
1634 policy->refcount = 1;
1635 }
1636
1637 memset(&request, 0, sizeof(request));
1638
1639 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1640 policy_dir_names, direction);
1641
1642 msg = (struct sadb_msg*)request;
1643 msg->sadb_msg_version = PF_KEY_V2;
1644 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1645 msg->sadb_msg_satype = 0;
1646 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1647
1648 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1649 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1650 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1651 pol->sadb_x_policy_id = 0;
1652 pol->sadb_x_policy_dir = dir2kernel(direction);
1653 switch (type)
1654 {
1655 case POLICY_IPSEC:
1656 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1657 break;
1658 case POLICY_PASS:
1659 pol->sadb_x_policy_type = IPSEC_POLICY_NONE;
1660 break;
1661 case POLICY_DROP:
1662 pol->sadb_x_policy_type = IPSEC_POLICY_DISCARD;
1663 break;
1664 }
1665 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1666 /* calculate priority based on selector size, small size = high prio */
1667 pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
1668 pol->sadb_x_policy_priority -= policy->src.mask;
1669 pol->sadb_x_policy_priority -= policy->dst.mask;
1670 pol->sadb_x_policy_priority <<= 2; /* make some room for the flags */
1671 pol->sadb_x_policy_priority += policy->src.net->get_port(policy->src.net) ||
1672 policy->dst.net->get_port(policy->dst.net) ? 0 : 2;
1673 pol->sadb_x_policy_priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1;
1674 #endif
1675
1676 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1677 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1678 req->sadb_x_ipsecrequest_proto = sa->esp.use ? IPPROTO_ESP : IPPROTO_AH;
1679 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1680 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1681 req->sadb_x_ipsecrequest_mode = mode2kernel(sa->mode);
1682 req->sadb_x_ipsecrequest_reqid = sa->reqid;
1683 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1684 if (sa->mode == MODE_TUNNEL)
1685 {
1686 len = hostcpy(req + 1, src);
1687 req->sadb_x_ipsecrequest_len += len;
1688 len = hostcpy((char*)(req + 1) + len, dst);
1689 req->sadb_x_ipsecrequest_len += len;
1690 }
1691
1692 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1693 PFKEY_EXT_ADD(msg, pol);
1694
1695 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1696 policy->src.mask);
1697 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1698 policy->dst.mask);
1699
1700 #ifdef __FreeBSD__
1701 { /* on FreeBSD a lifetime has to be defined to be able to later query
1702 * the current use time. */
1703 struct sadb_lifetime *lft;
1704 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1705 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1706 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1707 lft->sadb_lifetime_addtime = LONG_MAX;
1708 PFKEY_EXT_ADD(msg, lft);
1709 }
1710 #endif
1711
1712 this->mutex->unlock(this->mutex);
1713
1714 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1715 {
1716 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1717 policy_dir_names, direction);
1718 return FAILED;
1719 }
1720 else if (out->sadb_msg_errno)
1721 {
1722 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1723 policy_dir_names, direction,
1724 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1725 free(out);
1726 return FAILED;
1727 }
1728 else if (parse_pfkey_message(out, &response) != SUCCESS)
1729 {
1730 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1731 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1732 free(out);
1733 return FAILED;
1734 }
1735
1736 this->mutex->lock(this->mutex);
1737
1738 /* we try to find the policy again and update the kernel index */
1739 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1740 {
1741 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1742 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1743 this->mutex->unlock(this->mutex);
1744 free(out);
1745 return SUCCESS;
1746 }
1747 policy->index = response.x_policy->sadb_x_policy_id;
1748 free(out);
1749
1750 /* install a route, if:
1751 * - we are NOT updating a policy
1752 * - this is a forward policy (to just get one for each child)
1753 * - we are in tunnel mode
1754 * - we are not using IPv6 (does not work correctly yet!)
1755 * - routing is not disabled via strongswan.conf
1756 */
1757 if (policy->route == NULL && direction == POLICY_FWD &&
1758 sa->mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1759 this->install_routes)
1760 {
1761 route_entry_t *route = malloc_thing(route_entry_t);
1762
1763 if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
1764 dst_ts, &route->src_ip) == SUCCESS)
1765 {
1766 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1767 route->gateway = hydra->kernel_interface->get_nexthop(
1768 hydra->kernel_interface, src);
1769 route->if_name = hydra->kernel_interface->get_interface(
1770 hydra->kernel_interface, dst);
1771 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1772 route->prefixlen = policy->src.mask;
1773
1774 if (route->if_name)
1775 {
1776 switch (hydra->kernel_interface->add_route(
1777 hydra->kernel_interface, route->dst_net,
1778 route->prefixlen, route->gateway,
1779 route->src_ip, route->if_name))
1780 {
1781 default:
1782 DBG1(DBG_KNL, "unable to install source route for %H",
1783 route->src_ip);
1784 /* FALL */
1785 case ALREADY_DONE:
1786 /* route exists, do not uninstall */
1787 route_entry_destroy(route);
1788 break;
1789 case SUCCESS:
1790 /* cache the installed route */
1791 policy->route = route;
1792 break;
1793 }
1794 }
1795 else
1796 {
1797 route_entry_destroy(route);
1798 }
1799 }
1800 else
1801 {
1802 free(route);
1803 }
1804 }
1805
1806 this->mutex->unlock(this->mutex);
1807
1808 return SUCCESS;
1809 }
1810
1811 METHOD(kernel_ipsec_t, query_policy, status_t,
1812 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
1813 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
1814 u_int32_t *use_time)
1815 {
1816 unsigned char request[PFKEY_BUFFER_SIZE];
1817 struct sadb_msg *msg, *out;
1818 struct sadb_x_policy *pol;
1819 policy_entry_t *policy, *found = NULL;
1820 pfkey_msg_t response;
1821 size_t len;
1822
1823 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1824 {
1825 /* FWD policies are not supported on all platforms */
1826 return NOT_FOUND;
1827 }
1828
1829 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1830 policy_dir_names, direction);
1831
1832 /* create a policy */
1833 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1834
1835 /* find a matching policy */
1836 this->mutex->lock(this->mutex);
1837 if (this->policies->find_first(this->policies,
1838 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1839 {
1840 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1841 dst_ts, policy_dir_names, direction);
1842 policy_entry_destroy(policy);
1843 this->mutex->unlock(this->mutex);
1844 return NOT_FOUND;
1845 }
1846 policy_entry_destroy(policy);
1847 policy = found;
1848
1849 memset(&request, 0, sizeof(request));
1850
1851 msg = (struct sadb_msg*)request;
1852 msg->sadb_msg_version = PF_KEY_V2;
1853 msg->sadb_msg_type = SADB_X_SPDGET;
1854 msg->sadb_msg_satype = 0;
1855 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1856
1857 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1858 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1859 pol->sadb_x_policy_id = policy->index;
1860 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1861 pol->sadb_x_policy_dir = dir2kernel(direction);
1862 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1863 PFKEY_EXT_ADD(msg, pol);
1864
1865 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1866 policy->src.mask);
1867 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1868 policy->dst.mask);
1869
1870 this->mutex->unlock(this->mutex);
1871
1872 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1873 {
1874 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1875 policy_dir_names, direction);
1876 return FAILED;
1877 }
1878 else if (out->sadb_msg_errno)
1879 {
1880 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1881 dst_ts, policy_dir_names, direction,
1882 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1883 free(out);
1884 return FAILED;
1885 }
1886 else if (parse_pfkey_message(out, &response) != SUCCESS)
1887 {
1888 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1889 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1890 free(out);
1891 return FAILED;
1892 }
1893 else if (response.lft_current == NULL)
1894 {
1895 DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
1896 "use time", src_ts, dst_ts, policy_dir_names, direction);
1897 free(out);
1898 return FAILED;
1899 }
1900 /* we need the monotonic time, but the kernel returns system time. */
1901 if (response.lft_current->sadb_lifetime_usetime)
1902 {
1903 *use_time = time_monotonic(NULL) -
1904 (time(NULL) - response.lft_current->sadb_lifetime_usetime);
1905 }
1906 else
1907 {
1908 *use_time = 0;
1909 }
1910 free(out);
1911
1912 return SUCCESS;
1913 }
1914
1915 METHOD(kernel_ipsec_t, del_policy, status_t,
1916 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
1917 traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
1918 mark_t mark, bool unrouted)
1919 {
1920 unsigned char request[PFKEY_BUFFER_SIZE];
1921 struct sadb_msg *msg, *out;
1922 struct sadb_x_policy *pol;
1923 policy_entry_t *policy, *found = NULL;
1924 route_entry_t *route;
1925 size_t len;
1926
1927 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
1928 {
1929 /* FWD policies are not supported on all platforms */
1930 return SUCCESS;
1931 }
1932
1933 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1934 policy_dir_names, direction);
1935
1936 /* create a policy */
1937 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1938
1939 /* find a matching policy */
1940 this->mutex->lock(this->mutex);
1941 if (this->policies->find_first(this->policies,
1942 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1943 {
1944 if (--found->refcount > 0)
1945 {
1946 /* is used by more SAs, keep in kernel */
1947 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1948 policy_entry_destroy(policy);
1949 this->mutex->unlock(this->mutex);
1950 return SUCCESS;
1951 }
1952 /* remove if last reference */
1953 this->policies->remove(this->policies, found, NULL);
1954 policy_entry_destroy(policy);
1955 policy = found;
1956 }
1957 else
1958 {
1959 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1960 dst_ts, policy_dir_names, direction);
1961 policy_entry_destroy(policy);
1962 this->mutex->unlock(this->mutex);
1963 return NOT_FOUND;
1964 }
1965 this->mutex->unlock(this->mutex);
1966
1967 memset(&request, 0, sizeof(request));
1968
1969 msg = (struct sadb_msg*)request;
1970 msg->sadb_msg_version = PF_KEY_V2;
1971 msg->sadb_msg_type = SADB_X_SPDDELETE;
1972 msg->sadb_msg_satype = 0;
1973 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1974
1975 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1976 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1977 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1978 pol->sadb_x_policy_dir = dir2kernel(direction);
1979 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1980 PFKEY_EXT_ADD(msg, pol);
1981
1982 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1983 policy->src.mask);
1984 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1985 policy->dst.mask);
1986
1987 route = policy->route;
1988 policy->route = NULL;
1989 policy_entry_destroy(policy);
1990
1991 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1992 {
1993 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1994 policy_dir_names, direction);
1995 return FAILED;
1996 }
1997 else if (out->sadb_msg_errno)
1998 {
1999 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
2000 dst_ts, policy_dir_names, direction,
2001 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2002 free(out);
2003 return FAILED;
2004 }
2005 free(out);
2006
2007 if (route)
2008 {
2009 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2010 route->dst_net, route->prefixlen, route->gateway,
2011 route->src_ip, route->if_name) != SUCCESS)
2012 {
2013 DBG1(DBG_KNL, "error uninstalling route installed with "
2014 "policy %R === %R %N", src_ts, dst_ts,
2015 policy_dir_names, direction);
2016 }
2017 route_entry_destroy(route);
2018 }
2019
2020 return SUCCESS;
2021 }
2022
2023 /**
2024 * Register a socket for AQUIRE/EXPIRE messages
2025 */
2026 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
2027 u_int8_t satype)
2028 {
2029 unsigned char request[PFKEY_BUFFER_SIZE];
2030 struct sadb_msg *msg, *out;
2031 size_t len;
2032
2033 memset(&request, 0, sizeof(request));
2034
2035 msg = (struct sadb_msg*)request;
2036 msg->sadb_msg_version = PF_KEY_V2;
2037 msg->sadb_msg_type = SADB_REGISTER;
2038 msg->sadb_msg_satype = satype;
2039 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2040
2041 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2042 {
2043 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2044 return FAILED;
2045 }
2046 else if (out->sadb_msg_errno)
2047 {
2048 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2049 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2050 free(out);
2051 return FAILED;
2052 }
2053 free(out);
2054 return SUCCESS;
2055 }
2056
2057 METHOD(kernel_ipsec_t, bypass_socket, bool,
2058 private_kernel_pfkey_ipsec_t *this, int fd, int family)
2059 {
2060 struct sadb_x_policy policy;
2061 u_int sol, ipsec_policy;
2062
2063 switch (family)
2064 {
2065 case AF_INET:
2066 {
2067 sol = SOL_IP;
2068 ipsec_policy = IP_IPSEC_POLICY;
2069 break;
2070 }
2071 case AF_INET6:
2072 {
2073 sol = SOL_IPV6;
2074 ipsec_policy = IPV6_IPSEC_POLICY;
2075 break;
2076 }
2077 default:
2078 return FALSE;
2079 }
2080
2081 memset(&policy, 0, sizeof(policy));
2082 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
2083 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2084 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
2085
2086 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
2087 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2088 {
2089 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2090 strerror(errno));
2091 return FALSE;
2092 }
2093 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
2094 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2095 {
2096 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2097 strerror(errno));
2098 return FALSE;
2099 }
2100 return TRUE;
2101 }
2102
2103 METHOD(kernel_ipsec_t, destroy, void,
2104 private_kernel_pfkey_ipsec_t *this)
2105 {
2106 if (this->job)
2107 {
2108 this->job->cancel(this->job);
2109 }
2110 if (this->socket > 0)
2111 {
2112 close(this->socket);
2113 }
2114 if (this->socket_events > 0)
2115 {
2116 close(this->socket_events);
2117 }
2118 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
2119 this->mutex->destroy(this->mutex);
2120 this->mutex_pfkey->destroy(this->mutex_pfkey);
2121 free(this);
2122 }
2123
2124 /*
2125 * Described in header.
2126 */
2127 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
2128 {
2129 private_kernel_pfkey_ipsec_t *this;
2130
2131 INIT(this,
2132 .public = {
2133 .interface = {
2134 .get_spi = _get_spi,
2135 .get_cpi = _get_cpi,
2136 .add_sa = _add_sa,
2137 .update_sa = _update_sa,
2138 .query_sa = _query_sa,
2139 .del_sa = _del_sa,
2140 .add_policy = _add_policy,
2141 .query_policy = _query_policy,
2142 .del_policy = _del_policy,
2143 .bypass_socket = _bypass_socket,
2144 .destroy = _destroy,
2145 },
2146 },
2147 .policies = linked_list_create(),
2148 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2149 .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
2150 .install_routes = lib->settings->get_bool(lib->settings,
2151 "%s.install_routes", TRUE,
2152 hydra->daemon),
2153 );
2154
2155 if (streq(hydra->daemon, "pluto"))
2156 { /* no routes for pluto, they are installed via updown script */
2157 this->install_routes = FALSE;
2158 }
2159
2160 /* create a PF_KEY socket to communicate with the kernel */
2161 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2162 if (this->socket <= 0)
2163 {
2164 DBG1(DBG_KNL, "unable to create PF_KEY socket");
2165 destroy(this);
2166 return NULL;
2167 }
2168
2169 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2170 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2171 if (this->socket_events <= 0)
2172 {
2173 DBG1(DBG_KNL, "unable to create PF_KEY event socket");
2174 destroy(this);
2175 return NULL;
2176 }
2177
2178 /* register the event socket */
2179 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2180 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2181 {
2182 DBG1(DBG_KNL, "unable to register PF_KEY event socket");
2183 destroy(this);
2184 return NULL;
2185 }
2186
2187 this->job = callback_job_create_with_prio((callback_job_cb_t)receive_events,
2188 this, NULL, NULL, JOB_PRIO_CRITICAL);
2189 lib->processor->queue_job(lib->processor, (job_t*)this->job);
2190
2191 return &this->public;
2192 }
2193