projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Remove policies in kernel interfaces based on their priority.
[strongswan.git] / src / libhydra / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008-2011 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <sys/types.h>
18 #include <sys/socket.h>
19
20 #ifdef __FreeBSD__
21 #include <limits.h> /* for LONG_MAX */
22 #endif
23
24 #ifdef HAVE_NET_PFKEYV2_H
25 #include <net/pfkeyv2.h>
26 #else
27 #include <stdint.h>
28 #include <linux/pfkeyv2.h>
29 #endif
30
31 #ifdef SADB_X_EXT_NAT_T_TYPE
32 #define HAVE_NATT
33 #endif
34
35 #ifdef HAVE_NETIPSEC_IPSEC_H
36 #include <netipsec/ipsec.h>
37 #elif defined(HAVE_NETINET6_IPSEC_H)
38 #include <netinet6/ipsec.h>
39 #else
40 #include <linux/ipsec.h>
41 #endif
42
43 #ifdef HAVE_NATT
44 #ifdef HAVE_LINUX_UDP_H
45 #include <linux/udp.h>
46 #else
47 #include <netinet/udp.h>
48 #endif /*HAVE_LINUX_UDP_H*/
49 #endif /*HAVE_NATT*/
50
51 #include <unistd.h>
52 #include <time.h>
53 #include <errno.h>
54
55 #include "kernel_pfkey_ipsec.h"
56
57 #include <hydra.h>
58 #include <debug.h>
59 #include <utils/host.h>
60 #include <utils/linked_list.h>
61 #include <utils/hashtable.h>
62 #include <threading/thread.h>
63 #include <threading/mutex.h>
64 #include <processing/jobs/callback_job.h>
65
66 /** non linux specific */
67 #ifndef IPPROTO_COMP
68 #ifdef IPPROTO_IPCOMP
69 #define IPPROTO_COMP IPPROTO_IPCOMP
70 #endif
71 #endif
72
73 #ifndef SADB_X_AALG_SHA2_256HMAC
74 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
75 #define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
76 #define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
77 #endif
78
79 #ifndef SADB_X_EALG_AESCBC
80 #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
81 #endif
82
83 #ifndef SADB_X_EALG_CASTCBC
84 #define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
85 #endif
86
87 #ifndef SOL_IP
88 #define SOL_IP IPPROTO_IP
89 #define SOL_IPV6 IPPROTO_IPV6
90 #endif
91
92 /** from linux/in.h */
93 #ifndef IP_IPSEC_POLICY
94 #define IP_IPSEC_POLICY 16
95 #endif
96
97 /** missing on uclibc */
98 #ifndef IPV6_IPSEC_POLICY
99 #define IPV6_IPSEC_POLICY 34
100 #endif
101
102 /** default priority of installed policies */
103 #define PRIO_BASE 512
104
105 #ifdef __APPLE__
106 /** from xnu/bsd/net/pfkeyv2.h */
107 #define SADB_X_EXT_NATT 0x002
108 struct sadb_sa_2 {
109 struct sadb_sa sa;
110 u_int16_t sadb_sa_natt_port;
111 u_int16_t sadb_reserved0;
112 u_int32_t sadb_reserved1;
113 };
114 #endif
115
116 /** buffer size for PF_KEY messages */
117 #define PFKEY_BUFFER_SIZE 4096
118
119 /** PF_KEY messages are 64 bit aligned */
120 #define PFKEY_ALIGNMENT 8
121 /** aligns len to 64 bits */
122 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
123 /** calculates the properly padded length in 64 bit chunks */
124 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
125 /** calculates user mode length i.e. in bytes */
126 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
127
128 /** given a PF_KEY message header and an extension this updates the length in the header */
129 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
130 /** given a PF_KEY message header this returns a pointer to the next extension */
131 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
132 /** copy an extension and append it to a PF_KEY message */
133 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
134 /** given a PF_KEY extension this returns a pointer to the next extension */
135 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
136 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
137 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
138 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
139 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
140 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
141 (ext)->sadb_ext_len <= (len))
142
143 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
144
145 /**
146 * Private variables and functions of kernel_pfkey class.
147 */
148 struct private_kernel_pfkey_ipsec_t
149 {
150 /**
151 * Public part of the kernel_pfkey_t object.
152 */
153 kernel_pfkey_ipsec_t public;
154
155 /**
156 * mutex to lock access to various lists
157 */
158 mutex_t *mutex;
159
160 /**
161 * List of installed policies (policy_entry_t)
162 */
163 linked_list_t *policies;
164
165 /**
166 * Hash table of IPsec SAs using policies (ipsec_sa_t)
167 */
168 hashtable_t *sas;
169
170 /**
171 * whether to install routes along policies
172 */
173 bool install_routes;
174
175 /**
176 * job receiving PF_KEY events
177 */
178 callback_job_t *job;
179
180 /**
181 * mutex to lock access to the PF_KEY socket
182 */
183 mutex_t *mutex_pfkey;
184
185 /**
186 * PF_KEY socket to communicate with the kernel
187 */
188 int socket;
189
190 /**
191 * PF_KEY socket to receive acquire and expire events
192 */
193 int socket_events;
194
195 /**
196 * sequence number for messages sent to the kernel
197 */
198 int seq;
199 };
200
201 typedef struct route_entry_t route_entry_t;
202
203 /**
204 * installed routing entry
205 */
206 struct route_entry_t {
207 /** name of the interface the route is bound to */
208 char *if_name;
209
210 /** source ip of the route */
211 host_t *src_ip;
212
213 /** gateway for this route */
214 host_t *gateway;
215
216 /** destination net */
217 chunk_t dst_net;
218
219 /** destination net prefixlen */
220 u_int8_t prefixlen;
221 };
222
223 /**
224 * destroy an route_entry_t object
225 */
226 static void route_entry_destroy(route_entry_t *this)
227 {
228 free(this->if_name);
229 DESTROY_IF(this->src_ip);
230 DESTROY_IF(this->gateway);
231 chunk_free(&this->dst_net);
232 free(this);
233 }
234
235 /**
236 * compare two route_entry_t objects
237 */
238 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
239 {
240 return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
241 a->src_ip->equals(a->src_ip, b->src_ip) &&
242 a->gateway->equals(a->gateway, b->gateway) &&
243 chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
244 }
245
246 typedef struct ipsec_sa_t ipsec_sa_t;
247
248 /**
249 * IPsec SA assigned to a policy.
250 */
251 struct ipsec_sa_t {
252 /** Source address of this SA */
253 host_t *src;
254
255 /** Destination address of this SA */
256 host_t *dst;
257
258 /** Description of this SA */
259 ipsec_sa_cfg_t cfg;
260
261 /** Reference count for this SA */
262 refcount_t refcount;
263 };
264
265 /**
266 * Hash function for ipsec_sa_t objects
267 */
268 static u_int ipsec_sa_hash(ipsec_sa_t *sa)
269 {
270 return chunk_hash_inc(sa->src->get_address(sa->src),
271 chunk_hash_inc(sa->dst->get_address(sa->dst),
272 chunk_hash(chunk_from_thing(sa->cfg))));
273 }
274
275 /**
276 * Equality function for ipsec_sa_t objects
277 */
278 static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
279 {
280 return sa->src->ip_equals(sa->src, other_sa->src) &&
281 sa->dst->ip_equals(sa->dst, other_sa->dst) &&
282 memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t));
283 }
284
285 /**
286 * Allocate or reference an IPsec SA object
287 */
288 static ipsec_sa_t *ipsec_sa_create(private_kernel_pfkey_ipsec_t *this,
289 host_t *src, host_t *dst,
290 ipsec_sa_cfg_t *cfg)
291 {
292 ipsec_sa_t *sa, *found;
293 INIT(sa,
294 .src = src,
295 .dst = dst,
296 .cfg = *cfg,
297 );
298 found = this->sas->get(this->sas, sa);
299 if (!found)
300 {
301 sa->src = src->clone(src);
302 sa->dst = dst->clone(dst);
303 this->sas->put(this->sas, sa, sa);
304 }
305 else
306 {
307 free(sa);
308 sa = found;
309 }
310 ref_get(&sa->refcount);
311 return sa;
312 }
313
314 /**
315 * Release and destroy an IPsec SA object
316 */
317 static void ipsec_sa_destroy(private_kernel_pfkey_ipsec_t *this,
318 ipsec_sa_t *sa)
319 {
320 if (ref_put(&sa->refcount))
321 {
322 this->sas->remove(this->sas, sa);
323 DESTROY_IF(sa->src);
324 DESTROY_IF(sa->dst);
325 free(sa);
326 }
327 }
328
329 typedef struct policy_sa_t policy_sa_t;
330 typedef struct policy_sa_fwd_t policy_sa_fwd_t;
331
332 /**
333 * Mapping between a policy and an IPsec SA.
334 */
335 struct policy_sa_t {
336 /** Priority assigned to the policy when installed with this SA */
337 u_int32_t priority;
338
339 /** Type of the policy */
340 policy_type_t type;
341
342 /** Assigned SA */
343 ipsec_sa_t *sa;
344 };
345
346 /**
347 * For forward policies we also cache the traffic selectors in order to install
348 * the route.
349 */
350 struct policy_sa_fwd_t {
351 /** Generic interface */
352 policy_sa_t generic;
353
354 /** Source traffic selector of this policy */
355 traffic_selector_t *src_ts;
356
357 /** Destination traffic selector of this policy */
358 traffic_selector_t *dst_ts;
359 };
360
361 /**
362 * Create a policy_sa(_fwd)_t object
363 */
364 static policy_sa_t *policy_sa_create(private_kernel_pfkey_ipsec_t *this,
365 policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
366 traffic_selector_t *src_ts, traffic_selector_t *dst_ts, ipsec_sa_cfg_t *cfg)
367 {
368 policy_sa_t *policy;
369
370 if (dir == POLICY_FWD)
371 {
372 policy_sa_fwd_t *fwd;
373 INIT(fwd,
374 .src_ts = src_ts->clone(src_ts),
375 .dst_ts = dst_ts->clone(dst_ts),
376 );
377 policy = &fwd->generic;
378 }
379 else
380 {
381 INIT(policy);
382 }
383 policy->type = type;
384 policy->sa = ipsec_sa_create(this, src, dst, cfg);
385 return policy;
386 }
387
388 /**
389 * Destroy a policy_sa(_fwd)_t object
390 */
391 static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir,
392 private_kernel_pfkey_ipsec_t *this)
393 {
394 if (*dir == POLICY_FWD)
395 {
396 policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)policy;
397 fwd->src_ts->destroy(fwd->src_ts);
398 fwd->dst_ts->destroy(fwd->dst_ts);
399 }
400 ipsec_sa_destroy(this, policy->sa);
401 free(policy);
402 }
403
404 typedef struct policy_entry_t policy_entry_t;
405
406 /**
407 * installed kernel policy.
408 */
409 struct policy_entry_t {
410 /** Index assigned by the kernel */
411 u_int32_t index;
412
413 /** Direction of this policy: in, out, forward */
414 u_int8_t direction;
415
416 /** Parameters of installed policy */
417 struct {
418 /** Subnet and port */
419 host_t *net;
420 /** Subnet mask */
421 u_int8_t mask;
422 /** Protocol */
423 u_int8_t proto;
424 } src, dst;
425
426 /** Associated route installed for this policy */
427 route_entry_t *route;
428
429 /** List of SAs this policy is used by, ordered by priority */
430 linked_list_t *used_by;
431 };
432
433 /**
434 * Create a policy_entry_t object
435 */
436 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
437 traffic_selector_t *dst_ts,
438 policy_dir_t dir)
439 {
440 policy_entry_t *policy;
441 INIT(policy,
442 .direction = dir,
443 );
444
445 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
446 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
447
448 /* src or dest proto may be "any" (0), use more restrictive one */
449 policy->src.proto = max(src_ts->get_protocol(src_ts),
450 dst_ts->get_protocol(dst_ts));
451 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
452 policy->dst.proto = policy->src.proto;
453
454 return policy;
455 }
456
457 /**
458 * Destroy a policy_entry_t object
459 */
460 static void policy_entry_destroy(policy_entry_t *policy,
461 private_kernel_pfkey_ipsec_t *this)
462 {
463 if (policy->route)
464 {
465 route_entry_destroy(policy->route);
466 }
467 if (policy->used_by)
468 {
469 policy->used_by->invoke_function(policy->used_by,
470 (linked_list_invoke_t)policy_sa_destroy,
471 &policy->direction, this);
472 policy->used_by->destroy(policy->used_by);
473 }
474 DESTROY_IF(policy->src.net);
475 DESTROY_IF(policy->dst.net);
476 free(policy);
477 }
478
479 /**
480 * compares two policy_entry_t
481 */
482 static inline bool policy_entry_equals(policy_entry_t *current,
483 policy_entry_t *policy)
484 {
485 return current->direction == policy->direction &&
486 current->src.proto == policy->src.proto &&
487 current->dst.proto == policy->dst.proto &&
488 current->src.mask == policy->src.mask &&
489 current->dst.mask == policy->dst.mask &&
490 current->src.net->equals(current->src.net, policy->src.net) &&
491 current->dst.net->equals(current->dst.net, policy->dst.net);
492 }
493
494 /**
495 * compare the given kernel index with that of a policy
496 */
497 static inline bool policy_entry_match_byindex(policy_entry_t *current,
498 u_int32_t *index)
499 {
500 return current->index == *index;
501 }
502
503 /**
504 * Calculate the priority of a policy
505 */
506 static inline u_int32_t get_priority(policy_entry_t *policy,
507 policy_priority_t prio)
508 {
509 u_int32_t priority = PRIO_BASE;
510 switch (prio)
511 {
512 case POLICY_PRIORITY_ROUTED:
513 priority <<= 1;
514 /* fall-through */
515 case POLICY_PRIORITY_DEFAULT:
516 break;
517 }
518 /* calculate priority based on selector size, small size = high prio */
519 priority -= policy->src.mask;
520 priority -= policy->dst.mask;
521 priority <<= 2; /* make some room for the two flags */
522 priority += policy->src.net->get_port(policy->src.net) ||
523 policy->dst.net->get_port(policy->dst.net) ?
524 0 : 2;
525 priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1;
526 return priority;
527 }
528
529 typedef struct pfkey_msg_t pfkey_msg_t;
530
531 struct pfkey_msg_t
532 {
533 /**
534 * PF_KEY message base
535 */
536 struct sadb_msg *msg;
537
538 /**
539 * PF_KEY message extensions
540 */
541 union {
542 struct sadb_ext *ext[SADB_EXT_MAX + 1];
543 struct {
544 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
545 struct sadb_sa *sa; /* SADB_EXT_SA */
546 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
547 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
548 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
549 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
550 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
551 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
552 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
553 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
554 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
555 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
556 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
557 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
558 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
559 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
560 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
561 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
562 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
563 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
564 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
565 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
566 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
567 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
568 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
569 struct sadb_x_kmaddress *x_kmaddress; /* SADB_X_EXT_KMADDRESS */
570 } __attribute__((__packed__));
571 };
572 };
573
574 ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
575 "SADB_EXT_RESERVED",
576 "SADB_EXT_SA",
577 "SADB_EXT_LIFETIME_CURRENT",
578 "SADB_EXT_LIFETIME_HARD",
579 "SADB_EXT_LIFETIME_SOFT",
580 "SADB_EXT_ADDRESS_SRC",
581 "SADB_EXT_ADDRESS_DST",
582 "SADB_EXT_ADDRESS_PROXY",
583 "SADB_EXT_KEY_AUTH",
584 "SADB_EXT_KEY_ENCRYPT",
585 "SADB_EXT_IDENTITY_SRC",
586 "SADB_EXT_IDENTITY_DST",
587 "SADB_EXT_SENSITIVITY",
588 "SADB_EXT_PROPOSAL",
589 "SADB_EXT_SUPPORTED_AUTH",
590 "SADB_EXT_SUPPORTED_ENCRYPT",
591 "SADB_EXT_SPIRANGE",
592 "SADB_X_EXT_KMPRIVATE",
593 "SADB_X_EXT_POLICY",
594 "SADB_X_EXT_SA2",
595 "SADB_X_EXT_NAT_T_TYPE",
596 "SADB_X_EXT_NAT_T_SPORT",
597 "SADB_X_EXT_NAT_T_DPORT",
598 "SADB_X_EXT_NAT_T_OA",
599 "SADB_X_EXT_SEC_CTX",
600 "SADB_X_EXT_KMADDRESS"
601 );
602
603 /**
604 * convert a protocol identifier to the PF_KEY sa type
605 */
606 static u_int8_t proto2satype(u_int8_t proto)
607 {
608 switch (proto)
609 {
610 case IPPROTO_ESP:
611 return SADB_SATYPE_ESP;
612 case IPPROTO_AH:
613 return SADB_SATYPE_AH;
614 case IPPROTO_COMP:
615 return SADB_X_SATYPE_IPCOMP;
616 default:
617 return proto;
618 }
619 }
620
621 /**
622 * convert a PF_KEY sa type to a protocol identifier
623 */
624 static u_int8_t satype2proto(u_int8_t satype)
625 {
626 switch (satype)
627 {
628 case SADB_SATYPE_ESP:
629 return IPPROTO_ESP;
630 case SADB_SATYPE_AH:
631 return IPPROTO_AH;
632 case SADB_X_SATYPE_IPCOMP:
633 return IPPROTO_COMP;
634 default:
635 return satype;
636 }
637 }
638
639 /**
640 * convert the general ipsec mode to the one defined in ipsec.h
641 */
642 static u_int8_t mode2kernel(ipsec_mode_t mode)
643 {
644 switch (mode)
645 {
646 case MODE_TRANSPORT:
647 return IPSEC_MODE_TRANSPORT;
648 case MODE_TUNNEL:
649 return IPSEC_MODE_TUNNEL;
650 #ifdef HAVE_IPSEC_MODE_BEET
651 case MODE_BEET:
652 return IPSEC_MODE_BEET;
653 #endif
654 default:
655 return mode;
656 }
657 }
658
659 /**
660 * convert the general policy direction to the one defined in ipsec.h
661 */
662 static u_int8_t dir2kernel(policy_dir_t dir)
663 {
664 switch (dir)
665 {
666 case POLICY_IN:
667 return IPSEC_DIR_INBOUND;
668 case POLICY_OUT:
669 return IPSEC_DIR_OUTBOUND;
670 #ifdef HAVE_IPSEC_DIR_FWD
671 case POLICY_FWD:
672 return IPSEC_DIR_FWD;
673 #endif
674 default:
675 return IPSEC_DIR_INVALID;
676 }
677 }
678
679 /**
680 * convert the policy type to the one defined in ipsec.h
681 */
682 static inline u_int16_t type2kernel(policy_type_t type)
683 {
684 switch (type)
685 {
686 case POLICY_IPSEC:
687 return IPSEC_POLICY_IPSEC;
688 case POLICY_PASS:
689 return IPSEC_POLICY_NONE;
690 case POLICY_DROP:
691 return IPSEC_POLICY_DISCARD;
692 }
693 return type;
694 }
695
696 #ifdef SADB_X_MIGRATE
697 /**
698 * convert the policy direction in ipsec.h to the general one.
699 */
700 static policy_dir_t kernel2dir(u_int8_t dir)
701 {
702 switch (dir)
703 {
704 case IPSEC_DIR_INBOUND:
705 return POLICY_IN;
706 case IPSEC_DIR_OUTBOUND:
707 return POLICY_OUT;
708 #ifdef HAVE_IPSEC_DIR_FWD
709 case IPSEC_DIR_FWD:
710 return POLICY_FWD;
711 #endif
712 default:
713 return dir;
714 }
715 }
716 #endif /*SADB_X_MIGRATE*/
717
718 typedef struct kernel_algorithm_t kernel_algorithm_t;
719
720 /**
721 * Mapping of IKEv2 algorithms to PF_KEY algorithms
722 */
723 struct kernel_algorithm_t {
724 /**
725 * Identifier specified in IKEv2
726 */
727 int ikev2;
728
729 /**
730 * Identifier as defined in pfkeyv2.h
731 */
732 int kernel;
733 };
734
735 #define END_OF_LIST -1
736
737 /**
738 * Algorithms for encryption
739 */
740 static kernel_algorithm_t encryption_algs[] = {
741 /* {ENCR_DES_IV64, 0 }, */
742 {ENCR_DES, SADB_EALG_DESCBC },
743 {ENCR_3DES, SADB_EALG_3DESCBC },
744 /* {ENCR_RC5, 0 }, */
745 /* {ENCR_IDEA, 0 }, */
746 {ENCR_CAST, SADB_X_EALG_CASTCBC },
747 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
748 /* {ENCR_3IDEA, 0 }, */
749 /* {ENCR_DES_IV32, 0 }, */
750 {ENCR_NULL, SADB_EALG_NULL },
751 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
752 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
753 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
754 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
755 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
756 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
757 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
758 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
759 {END_OF_LIST, 0 },
760 };
761
762 /**
763 * Algorithms for integrity protection
764 */
765 static kernel_algorithm_t integrity_algs[] = {
766 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
767 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
768 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
769 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
770 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
771 /* {AUTH_DES_MAC, 0, }, */
772 /* {AUTH_KPDK_MD5, 0, }, */
773 #ifdef SADB_X_AALG_AES_XCBC_MAC
774 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
775 #endif
776 {END_OF_LIST, 0, },
777 };
778
779 #if 0
780 /**
781 * Algorithms for IPComp, unused yet
782 */
783 static kernel_algorithm_t compression_algs[] = {
784 /* {IPCOMP_OUI, 0 }, */
785 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
786 {IPCOMP_LZS, SADB_X_CALG_LZS },
787 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
788 {END_OF_LIST, 0 },
789 };
790 #endif
791
792 /**
793 * Look up a kernel algorithm ID and its key size
794 */
795 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
796 {
797 while (list->ikev2 != END_OF_LIST)
798 {
799 if (ikev2 == list->ikev2)
800 {
801 return list->kernel;
802 }
803 list++;
804 }
805 return 0;
806 }
807
808 /**
809 * Copy a host_t as sockaddr_t to the given memory location. Ports are
810 * reset to zero as per RFC 2367.
811 * @return the number of bytes copied
812 */
813 static size_t hostcpy(void *dest, host_t *host)
814 {
815 sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
816 socklen_t *len = host->get_sockaddr_len(host);
817 memcpy(dest, addr, *len);
818 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
819 dest_addr->sa_len = *len;
820 #endif
821 switch (dest_addr->sa_family)
822 {
823 case AF_INET:
824 {
825 struct sockaddr_in *sin = dest;
826 sin->sin_port = 0;
827 break;
828 }
829 case AF_INET6:
830 {
831 struct sockaddr_in6 *sin6 = dest;
832 sin6->sin6_port = 0;
833 break;
834 }
835 }
836 return *len;
837 }
838
839 /**
840 * add a host behind an sadb_address extension
841 */
842 static void host2ext(host_t *host, struct sadb_address *ext)
843 {
844 size_t len = hostcpy(ext + 1, host);
845 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len);
846 }
847
848 /**
849 * add a host to the given sadb_msg
850 */
851 static void add_addr_ext(struct sadb_msg *msg, host_t *host, u_int16_t type,
852 u_int8_t proto, u_int8_t prefixlen)
853 {
854 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
855 addr->sadb_address_exttype = type;
856 addr->sadb_address_proto = proto;
857 addr->sadb_address_prefixlen = prefixlen;
858 host2ext(host, addr);
859 PFKEY_EXT_ADD(msg, addr);
860 }
861
862 /**
863 * adds an empty address extension to the given sadb_msg
864 */
865 static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
866 {
867 socklen_t len = (family == AF_INET) ? sizeof(struct sockaddr_in) :
868 sizeof(struct sockaddr_in6);
869 struct sadb_address *addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
870 addr->sadb_address_exttype = type;
871 sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
872 saddr->sa_family = family;
873 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
874 saddr->sa_len = len;
875 #endif
876 addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
877 PFKEY_EXT_ADD(msg, addr);
878 }
879
880 #ifdef HAVE_NATT
881 /**
882 * add udp encap extensions to a sadb_msg
883 */
884 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
885 {
886 struct sadb_x_nat_t_type* nat_type;
887 struct sadb_x_nat_t_port* nat_port;
888
889 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
890 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
891 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(*nat_type));
892 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
893 PFKEY_EXT_ADD(msg, nat_type);
894
895 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
896 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
897 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
898 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
899 PFKEY_EXT_ADD(msg, nat_port);
900
901 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
902 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
903 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(*nat_port));
904 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
905 PFKEY_EXT_ADD(msg, nat_port);
906 }
907 #endif /*HAVE_NATT*/
908
909 /**
910 * Convert a sadb_address to a traffic_selector
911 */
912 static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
913 {
914 traffic_selector_t *ts;
915 host_t *host;
916
917 /* The Linux 2.6 kernel does not set the protocol and port information
918 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
919 */
920 host = host_create_from_sockaddr((sockaddr_t*)&address[1]);
921 ts = traffic_selector_create_from_subnet(host,
922 address->sadb_address_prefixlen,
923 address->sadb_address_proto,
924 host->get_port(host));
925 return ts;
926 }
927
928 /**
929 * Parses a pfkey message received from the kernel
930 */
931 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
932 {
933 struct sadb_ext* ext;
934 size_t len;
935
936 memset(out, 0, sizeof(pfkey_msg_t));
937 out->msg = msg;
938
939 len = msg->sadb_msg_len;
940 len -= PFKEY_LEN(sizeof(struct sadb_msg));
941
942 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
943
944 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
945 {
946 DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
947 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
948 ext->sadb_ext_len > len)
949 {
950 DBG1(DBG_KNL, "length of %N extension is invalid",
951 sadb_ext_type_names, ext->sadb_ext_type);
952 break;
953 }
954
955 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
956 {
957 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid",
958 ext->sadb_ext_type);
959 break;
960 }
961
962 if (out->ext[ext->sadb_ext_type])
963 {
964 DBG1(DBG_KNL, "duplicate %N extension",
965 sadb_ext_type_names, ext->sadb_ext_type);
966 break;
967 }
968
969 out->ext[ext->sadb_ext_type] = ext;
970 ext = PFKEY_EXT_NEXT_LEN(ext, len);
971 }
972
973 if (len)
974 {
975 DBG1(DBG_KNL, "PF_KEY message length is invalid");
976 return FAILED;
977 }
978
979 return SUCCESS;
980 }
981
982 /**
983 * Send a message to a specific PF_KEY socket and handle the response.
984 */
985 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
986 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
987 {
988 unsigned char buf[PFKEY_BUFFER_SIZE];
989 struct sadb_msg *msg;
990 int in_len, len;
991
992 this->mutex_pfkey->lock(this->mutex_pfkey);
993
994 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
995 * in particular the behavior in response to an SADB_ACQUIRE. */
996 in->sadb_msg_seq = ++this->seq;
997 in->sadb_msg_pid = getpid();
998
999 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
1000
1001 while (TRUE)
1002 {
1003 len = send(socket, in, in_len, 0);
1004
1005 if (len != in_len)
1006 {
1007 if (errno == EINTR)
1008 {
1009 /* interrupted, try again */
1010 continue;
1011 }
1012 this->mutex_pfkey->unlock(this->mutex_pfkey);
1013 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s",
1014 strerror(errno));
1015 return FAILED;
1016 }
1017 break;
1018 }
1019
1020 while (TRUE)
1021 {
1022 msg = (struct sadb_msg*)buf;
1023
1024 len = recv(socket, buf, sizeof(buf), 0);
1025
1026 if (len < 0)
1027 {
1028 if (errno == EINTR)
1029 {
1030 DBG1(DBG_KNL, "got interrupted");
1031 /* interrupted, try again */
1032 continue;
1033 }
1034 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s",
1035 strerror(errno));
1036 this->mutex_pfkey->unlock(this->mutex_pfkey);
1037 return FAILED;
1038 }
1039 if (len < sizeof(struct sadb_msg) ||
1040 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1041 {
1042 DBG1(DBG_KNL, "received corrupted PF_KEY message");
1043 this->mutex_pfkey->unlock(this->mutex_pfkey);
1044 return FAILED;
1045 }
1046 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1047 {
1048 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY "
1049 "message");
1050 this->mutex_pfkey->unlock(this->mutex_pfkey);
1051 return FAILED;
1052 }
1053 if (msg->sadb_msg_pid != in->sadb_msg_pid)
1054 {
1055 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
1056 continue;
1057 }
1058 if (msg->sadb_msg_seq != this->seq)
1059 {
1060 DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
1061 "number, was %d expected %d", msg->sadb_msg_seq,
1062 this->seq);
1063 if (msg->sadb_msg_seq == 0)
1064 {
1065 /* FreeBSD and Mac OS X do this for the response to
1066 * SADB_X_SPDGET (but not for the response to SADB_GET).
1067 * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
1068 }
1069 else if (msg->sadb_msg_seq < this->seq)
1070 {
1071 continue;
1072 }
1073 else
1074 {
1075 this->mutex_pfkey->unlock(this->mutex_pfkey);
1076 return FAILED;
1077 }
1078 }
1079 if (msg->sadb_msg_type != in->sadb_msg_type)
1080 {
1081 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
1082 "was %d expected %d, ignoring", msg->sadb_msg_type,
1083 in->sadb_msg_type);
1084 }
1085 break;
1086 }
1087
1088 *out_len = len;
1089 *out = (struct sadb_msg*)malloc(len);
1090 memcpy(*out, buf, len);
1091
1092 this->mutex_pfkey->unlock(this->mutex_pfkey);
1093 return SUCCESS;
1094 }
1095
1096 /**
1097 * Send a message to the default PF_KEY socket and handle the response.
1098 */
1099 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
1100 struct sadb_msg *in, struct sadb_msg **out,
1101 size_t *out_len)
1102 {
1103 return pfkey_send_socket(this, this->socket, in, out, out_len);
1104 }
1105
1106 /**
1107 * Process a SADB_ACQUIRE message from the kernel
1108 */
1109 static void process_acquire(private_kernel_pfkey_ipsec_t *this,
1110 struct sadb_msg* msg)
1111 {
1112 pfkey_msg_t response;
1113 u_int32_t index, reqid = 0;
1114 traffic_selector_t *src_ts, *dst_ts;
1115 policy_entry_t *policy;
1116 policy_sa_t *sa;
1117
1118 switch (msg->sadb_msg_satype)
1119 {
1120 case SADB_SATYPE_UNSPEC:
1121 case SADB_SATYPE_ESP:
1122 case SADB_SATYPE_AH:
1123 break;
1124 default:
1125 /* acquire for AH/ESP only */
1126 return;
1127 }
1128 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
1129
1130 if (parse_pfkey_message(msg, &response) != SUCCESS)
1131 {
1132 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
1133 return;
1134 }
1135
1136 index = response.x_policy->sadb_x_policy_id;
1137 this->mutex->lock(this->mutex);
1138 if (this->policies->find_first(this->policies,
1139 (linked_list_match_t)policy_entry_match_byindex,
1140 (void**)&policy, &index) == SUCCESS &&
1141 policy->used_by->get_first(policy->used_by, (void**)&sa) == SUCCESS)
1142 {
1143 reqid = sa->sa->cfg.reqid;
1144 }
1145 else
1146 {
1147 DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no "
1148 "matching policy found", index);
1149 }
1150 this->mutex->unlock(this->mutex);
1151
1152 src_ts = sadb_address2ts(response.src);
1153 dst_ts = sadb_address2ts(response.dst);
1154
1155 hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
1156 dst_ts);
1157 }
1158
1159 /**
1160 * Process a SADB_EXPIRE message from the kernel
1161 */
1162 static void process_expire(private_kernel_pfkey_ipsec_t *this,
1163 struct sadb_msg* msg)
1164 {
1165 pfkey_msg_t response;
1166 u_int8_t protocol;
1167 u_int32_t spi, reqid;
1168 bool hard;
1169
1170 DBG2(DBG_KNL, "received an SADB_EXPIRE");
1171
1172 if (parse_pfkey_message(msg, &response) != SUCCESS)
1173 {
1174 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
1175 return;
1176 }
1177
1178 protocol = satype2proto(msg->sadb_msg_satype);
1179 spi = response.sa->sadb_sa_spi;
1180 reqid = response.x_sa2->sadb_x_sa2_reqid;
1181 hard = response.lft_hard != NULL;
1182
1183 if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
1184 {
1185 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and "
1186 "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
1187 return;
1188 }
1189
1190 hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
1191 spi, hard);
1192 }
1193
1194 #ifdef SADB_X_MIGRATE
1195 /**
1196 * Process a SADB_X_MIGRATE message from the kernel
1197 */
1198 static void process_migrate(private_kernel_pfkey_ipsec_t *this,
1199 struct sadb_msg* msg)
1200 {
1201 pfkey_msg_t response;
1202 traffic_selector_t *src_ts, *dst_ts;
1203 policy_dir_t dir;
1204 u_int32_t reqid = 0;
1205 host_t *local = NULL, *remote = NULL;
1206
1207 DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
1208
1209 if (parse_pfkey_message(msg, &response) != SUCCESS)
1210 {
1211 DBG1(DBG_KNL, "parsing SADB_X_MIGRATE from kernel failed");
1212 return;
1213 }
1214 src_ts = sadb_address2ts(response.src);
1215 dst_ts = sadb_address2ts(response.dst);
1216 dir = kernel2dir(response.x_policy->sadb_x_policy_dir);
1217 DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
1218 policy_dir_names, dir);
1219
1220 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
1221 if (response.x_kmaddress)
1222 {
1223 sockaddr_t *local_addr, *remote_addr;
1224 u_int32_t local_len;
1225
1226 local_addr = (sockaddr_t*)&response.x_kmaddress[1];
1227 local = host_create_from_sockaddr(local_addr);
1228 local_len = (local_addr->sa_family == AF_INET6)?
1229 sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
1230 remote_addr = (sockaddr_t*)((u_int8_t*)local_addr + local_len);
1231 remote = host_create_from_sockaddr(remote_addr);
1232 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1233 }
1234
1235 if (src_ts && dst_ts && local && remote)
1236 {
1237 hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
1238 src_ts, dst_ts, dir, local, remote);
1239 }
1240 else
1241 {
1242 DESTROY_IF(src_ts);
1243 DESTROY_IF(dst_ts);
1244 DESTROY_IF(local);
1245 DESTROY_IF(remote);
1246 }
1247 }
1248 #endif /*SADB_X_MIGRATE*/
1249
1250 #ifdef SADB_X_NAT_T_NEW_MAPPING
1251 /**
1252 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
1253 */
1254 static void process_mapping(private_kernel_pfkey_ipsec_t *this,
1255 struct sadb_msg* msg)
1256 {
1257 pfkey_msg_t response;
1258 u_int32_t spi, reqid;
1259 sockaddr_t *sa;
1260 host_t *host;
1261
1262 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
1263
1264 if (parse_pfkey_message(msg, &response) != SUCCESS)
1265 {
1266 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
1267 return;
1268 }
1269
1270 if (!response.x_sa2)
1271 {
1272 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required "
1273 "information");
1274 return;
1275 }
1276
1277 spi = response.sa->sadb_sa_spi;
1278 reqid = response.x_sa2->sadb_x_sa2_reqid;
1279
1280 if (satype2proto(msg->sadb_msg_satype) != IPPROTO_ESP)
1281 {
1282 return;
1283 }
1284
1285 sa = (sockaddr_t*)(response.dst + 1);
1286 switch (sa->sa_family)
1287 {
1288 case AF_INET:
1289 {
1290 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
1291 sin->sin_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1292 }
1293 case AF_INET6:
1294 {
1295 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
1296 sin6->sin6_port = htons(response.x_natt_dport->sadb_x_nat_t_port_port);
1297 }
1298 default:
1299 break;
1300 }
1301
1302 host = host_create_from_sockaddr(sa);
1303 if (host)
1304 {
1305 hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
1306 spi, host);
1307 }
1308 }
1309 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1310
1311 /**
1312 * Receives events from kernel
1313 */
1314 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
1315 {
1316 unsigned char buf[PFKEY_BUFFER_SIZE];
1317 struct sadb_msg *msg = (struct sadb_msg*)buf;
1318 bool oldstate;
1319 int len;
1320
1321 oldstate = thread_cancelability(TRUE);
1322 len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
1323 thread_cancelability(oldstate);
1324
1325 if (len < 0)
1326 {
1327 switch (errno)
1328 {
1329 case EINTR:
1330 /* interrupted, try again */
1331 return JOB_REQUEUE_DIRECT;
1332 case EAGAIN:
1333 /* no data ready, select again */
1334 return JOB_REQUEUE_DIRECT;
1335 default:
1336 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
1337 sleep(1);
1338 return JOB_REQUEUE_FAIR;
1339 }
1340 }
1341
1342 if (len < sizeof(struct sadb_msg) ||
1343 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
1344 {
1345 DBG2(DBG_KNL, "received corrupted PF_KEY message");
1346 return JOB_REQUEUE_DIRECT;
1347 }
1348 if (msg->sadb_msg_pid != 0)
1349 { /* not from kernel. not interested, try another one */
1350 return JOB_REQUEUE_DIRECT;
1351 }
1352 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
1353 {
1354 DBG1(DBG_KNL, "buffer was too small to receive the complete "
1355 "PF_KEY message");
1356 return JOB_REQUEUE_DIRECT;
1357 }
1358
1359 switch (msg->sadb_msg_type)
1360 {
1361 case SADB_ACQUIRE:
1362 process_acquire(this, msg);
1363 break;
1364 case SADB_EXPIRE:
1365 process_expire(this, msg);
1366 break;
1367 #ifdef SADB_X_MIGRATE
1368 case SADB_X_MIGRATE:
1369 process_migrate(this, msg);
1370 break;
1371 #endif /*SADB_X_MIGRATE*/
1372 #ifdef SADB_X_NAT_T_NEW_MAPPING
1373 case SADB_X_NAT_T_NEW_MAPPING:
1374 process_mapping(this, msg);
1375 break;
1376 #endif /*SADB_X_NAT_T_NEW_MAPPING*/
1377 default:
1378 break;
1379 }
1380
1381 return JOB_REQUEUE_DIRECT;
1382 }
1383
1384 METHOD(kernel_ipsec_t, get_spi, status_t,
1385 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1386 u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
1387 {
1388 unsigned char request[PFKEY_BUFFER_SIZE];
1389 struct sadb_msg *msg, *out;
1390 struct sadb_x_sa2 *sa2;
1391 struct sadb_spirange *range;
1392 pfkey_msg_t response;
1393 u_int32_t received_spi = 0;
1394 size_t len;
1395
1396 memset(&request, 0, sizeof(request));
1397
1398 msg = (struct sadb_msg*)request;
1399 msg->sadb_msg_version = PF_KEY_V2;
1400 msg->sadb_msg_type = SADB_GETSPI;
1401 msg->sadb_msg_satype = proto2satype(protocol);
1402 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1403
1404 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1405 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1406 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1407 sa2->sadb_x_sa2_reqid = reqid;
1408 PFKEY_EXT_ADD(msg, sa2);
1409
1410 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1411 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1412
1413 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
1414 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
1415 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1416 range->sadb_spirange_min = 0xc0000000;
1417 range->sadb_spirange_max = 0xcFFFFFFF;
1418 PFKEY_EXT_ADD(msg, range);
1419
1420 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
1421 {
1422 if (out->sadb_msg_errno)
1423 {
1424 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1425 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1426 }
1427 else if (parse_pfkey_message(out, &response) == SUCCESS)
1428 {
1429 received_spi = response.sa->sadb_sa_spi;
1430 }
1431 free(out);
1432 }
1433
1434 if (received_spi == 0)
1435 {
1436 return FAILED;
1437 }
1438
1439 *spi = received_spi;
1440 return SUCCESS;
1441 }
1442
1443 METHOD(kernel_ipsec_t, get_cpi, status_t,
1444 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1445 u_int32_t reqid, u_int16_t *cpi)
1446 {
1447 return FAILED;
1448 }
1449
1450 METHOD(kernel_ipsec_t, add_sa, status_t,
1451 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
1452 u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
1453 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
1454 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
1455 u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
1456 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
1457 {
1458 unsigned char request[PFKEY_BUFFER_SIZE];
1459 struct sadb_msg *msg, *out;
1460 struct sadb_sa *sa;
1461 struct sadb_x_sa2 *sa2;
1462 struct sadb_lifetime *lft;
1463 struct sadb_key *key;
1464 size_t len;
1465
1466 memset(&request, 0, sizeof(request));
1467
1468 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
1469 ntohl(spi), reqid);
1470
1471 msg = (struct sadb_msg*)request;
1472 msg->sadb_msg_version = PF_KEY_V2;
1473 msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
1474 msg->sadb_msg_satype = proto2satype(protocol);
1475 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1476
1477 #ifdef __APPLE__
1478 if (encap)
1479 {
1480 struct sadb_sa_2 *sa_2;
1481 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1482 sa_2->sadb_sa_natt_port = dst->get_port(dst);
1483 sa = &sa_2->sa;
1484 sa->sadb_sa_flags |= SADB_X_EXT_NATT;
1485 len = sizeof(struct sadb_sa_2);
1486 }
1487 else
1488 #endif
1489 {
1490 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1491 len = sizeof(struct sadb_sa);
1492 }
1493 sa->sadb_sa_exttype = SADB_EXT_SA;
1494 sa->sadb_sa_len = PFKEY_LEN(len);
1495 sa->sadb_sa_spi = spi;
1496 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1497 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
1498 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
1499 PFKEY_EXT_ADD(msg, sa);
1500
1501 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1502 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1503 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1504 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1505 sa2->sadb_x_sa2_reqid = reqid;
1506 PFKEY_EXT_ADD(msg, sa2);
1507
1508 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1509 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1510
1511 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1512 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1513 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1514 lft->sadb_lifetime_allocations = lifetime->packets.rekey;
1515 lft->sadb_lifetime_bytes = lifetime->bytes.rekey;
1516 lft->sadb_lifetime_addtime = lifetime->time.rekey;
1517 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1518 PFKEY_EXT_ADD(msg, lft);
1519
1520 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1521 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1522 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1523 lft->sadb_lifetime_allocations = lifetime->packets.life;
1524 lft->sadb_lifetime_bytes = lifetime->bytes.life;
1525 lft->sadb_lifetime_addtime = lifetime->time.life;
1526 lft->sadb_lifetime_usetime = 0; /* we only use addtime */
1527 PFKEY_EXT_ADD(msg, lft);
1528
1529 if (enc_alg != ENCR_UNDEFINED)
1530 {
1531 if (!sa->sadb_sa_encrypt)
1532 {
1533 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1534 encryption_algorithm_names, enc_alg);
1535 return FAILED;
1536 }
1537 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1538 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1539
1540 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1541 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1542 key->sadb_key_bits = enc_key.len * 8;
1543 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1544 memcpy(key + 1, enc_key.ptr, enc_key.len);
1545
1546 PFKEY_EXT_ADD(msg, key);
1547 }
1548
1549 if (int_alg != AUTH_UNDEFINED)
1550 {
1551 if (!sa->sadb_sa_auth)
1552 {
1553 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1554 integrity_algorithm_names, int_alg);
1555 return FAILED;
1556 }
1557 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1558 integrity_algorithm_names, int_alg, int_key.len * 8);
1559
1560 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1561 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1562 key->sadb_key_bits = int_key.len * 8;
1563 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1564 memcpy(key + 1, int_key.ptr, int_key.len);
1565
1566 PFKEY_EXT_ADD(msg, key);
1567 }
1568
1569 if (ipcomp != IPCOMP_NONE)
1570 {
1571 /*TODO*/
1572 }
1573
1574 #ifdef HAVE_NATT
1575 if (encap)
1576 {
1577 add_encap_ext(msg, src, dst);
1578 }
1579 #endif /*HAVE_NATT*/
1580
1581 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1582 {
1583 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1584 return FAILED;
1585 }
1586 else if (out->sadb_msg_errno)
1587 {
1588 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1589 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1590 free(out);
1591 return FAILED;
1592 }
1593
1594 free(out);
1595 return SUCCESS;
1596 }
1597
1598 METHOD(kernel_ipsec_t, update_sa, status_t,
1599 private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
1600 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1601 bool encap, bool new_encap, mark_t mark)
1602 {
1603 unsigned char request[PFKEY_BUFFER_SIZE];
1604 struct sadb_msg *msg, *out;
1605 struct sadb_sa *sa;
1606 pfkey_msg_t response;
1607 size_t len;
1608
1609 /* we can't update the SA if any of the ip addresses have changed.
1610 * that's because we can't use SADB_UPDATE and by deleting and readding the
1611 * SA the sequence numbers would get lost */
1612 if (!src->ip_equals(src, new_src) ||
1613 !dst->ip_equals(dst, new_dst))
1614 {
1615 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: address "
1616 "changes are not supported", ntohl(spi));
1617 return NOT_SUPPORTED;
1618 }
1619
1620 memset(&request, 0, sizeof(request));
1621
1622 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1623
1624 msg = (struct sadb_msg*)request;
1625 msg->sadb_msg_version = PF_KEY_V2;
1626 msg->sadb_msg_type = SADB_GET;
1627 msg->sadb_msg_satype = proto2satype(protocol);
1628 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1629
1630 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1631 sa->sadb_sa_exttype = SADB_EXT_SA;
1632 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1633 sa->sadb_sa_spi = spi;
1634 PFKEY_EXT_ADD(msg, sa);
1635
1636 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1637 * it is not used for anything. */
1638 add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
1639 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1640
1641 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1642 {
1643 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1644 return FAILED;
1645 }
1646 else if (out->sadb_msg_errno)
1647 {
1648 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1649 ntohl(spi), strerror(out->sadb_msg_errno),
1650 out->sadb_msg_errno);
1651 free(out);
1652 return FAILED;
1653 }
1654 else if (parse_pfkey_message(out, &response) != SUCCESS)
1655 {
1656 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing "
1657 "response from kernel failed", ntohl(spi));
1658 free(out);
1659 return FAILED;
1660 }
1661
1662 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1663 ntohl(spi), src, dst, new_src, new_dst);
1664
1665 memset(&request, 0, sizeof(request));
1666
1667 msg = (struct sadb_msg*)request;
1668 msg->sadb_msg_version = PF_KEY_V2;
1669 msg->sadb_msg_type = SADB_UPDATE;
1670 msg->sadb_msg_satype = proto2satype(protocol);
1671 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1672
1673 #ifdef __APPLE__
1674 {
1675 struct sadb_sa_2 *sa_2;
1676 sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
1677 sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
1678 memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
1679 if (encap)
1680 {
1681 sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
1682 sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
1683 }
1684 }
1685 #else
1686 PFKEY_EXT_COPY(msg, response.sa);
1687 #endif
1688 PFKEY_EXT_COPY(msg, response.x_sa2);
1689
1690 PFKEY_EXT_COPY(msg, response.src);
1691 PFKEY_EXT_COPY(msg, response.dst);
1692
1693 PFKEY_EXT_COPY(msg, response.lft_soft);
1694 PFKEY_EXT_COPY(msg, response.lft_hard);
1695
1696 if (response.key_encr)
1697 {
1698 PFKEY_EXT_COPY(msg, response.key_encr);
1699 }
1700
1701 if (response.key_auth)
1702 {
1703 PFKEY_EXT_COPY(msg, response.key_auth);
1704 }
1705
1706 #ifdef HAVE_NATT
1707 if (new_encap)
1708 {
1709 add_encap_ext(msg, new_src, new_dst);
1710 }
1711 #endif /*HAVE_NATT*/
1712
1713 free(out);
1714
1715 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1716 {
1717 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1718 return FAILED;
1719 }
1720 else if (out->sadb_msg_errno)
1721 {
1722 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1723 ntohl(spi), strerror(out->sadb_msg_errno),
1724 out->sadb_msg_errno);
1725 free(out);
1726 return FAILED;
1727 }
1728 free(out);
1729
1730 return SUCCESS;
1731 }
1732
1733 METHOD(kernel_ipsec_t, query_sa, status_t,
1734 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1735 u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
1736 {
1737 unsigned char request[PFKEY_BUFFER_SIZE];
1738 struct sadb_msg *msg, *out;
1739 struct sadb_sa *sa;
1740 pfkey_msg_t response;
1741 size_t len;
1742
1743 memset(&request, 0, sizeof(request));
1744
1745 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1746
1747 msg = (struct sadb_msg*)request;
1748 msg->sadb_msg_version = PF_KEY_V2;
1749 msg->sadb_msg_type = SADB_GET;
1750 msg->sadb_msg_satype = proto2satype(protocol);
1751 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1752
1753 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1754 sa->sadb_sa_exttype = SADB_EXT_SA;
1755 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1756 sa->sadb_sa_spi = spi;
1757 PFKEY_EXT_ADD(msg, sa);
1758
1759 /* the Linux Kernel doesn't care for the src address, but other systems do
1760 * (e.g. FreeBSD)
1761 */
1762 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1763 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1764
1765 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1766 {
1767 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1768 return FAILED;
1769 }
1770 else if (out->sadb_msg_errno)
1771 {
1772 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1773 ntohl(spi), strerror(out->sadb_msg_errno),
1774 out->sadb_msg_errno);
1775 free(out);
1776 return FAILED;
1777 }
1778 else if (parse_pfkey_message(out, &response) != SUCCESS)
1779 {
1780 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1781 free(out);
1782 return FAILED;
1783 }
1784 *bytes = response.lft_current->sadb_lifetime_bytes;
1785
1786 free(out);
1787 return SUCCESS;
1788 }
1789
1790 METHOD(kernel_ipsec_t, del_sa, status_t,
1791 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
1792 u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
1793 {
1794 unsigned char request[PFKEY_BUFFER_SIZE];
1795 struct sadb_msg *msg, *out;
1796 struct sadb_sa *sa;
1797 size_t len;
1798
1799 memset(&request, 0, sizeof(request));
1800
1801 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1802
1803 msg = (struct sadb_msg*)request;
1804 msg->sadb_msg_version = PF_KEY_V2;
1805 msg->sadb_msg_type = SADB_DELETE;
1806 msg->sadb_msg_satype = proto2satype(protocol);
1807 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1808
1809 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1810 sa->sadb_sa_exttype = SADB_EXT_SA;
1811 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1812 sa->sadb_sa_spi = spi;
1813 PFKEY_EXT_ADD(msg, sa);
1814
1815 /* the Linux Kernel doesn't care for the src address, but other systems do
1816 * (e.g. FreeBSD)
1817 */
1818 add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
1819 add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
1820
1821 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1822 {
1823 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1824 return FAILED;
1825 }
1826 else if (out->sadb_msg_errno)
1827 {
1828 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1829 ntohl(spi), strerror(out->sadb_msg_errno),
1830 out->sadb_msg_errno);
1831 free(out);
1832 return FAILED;
1833 }
1834
1835 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1836 free(out);
1837 return SUCCESS;
1838 }
1839
1840 /**
1841 * Add or update a policy in the kernel.
1842 *
1843 * Note: The mutex has to be locked when entering this function.
1844 */
1845 static status_t add_policy_internal(private_kernel_pfkey_ipsec_t *this,
1846 policy_entry_t *policy, policy_sa_t *mapping, bool update)
1847 {
1848 unsigned char request[PFKEY_BUFFER_SIZE];
1849 struct sadb_msg *msg, *out;
1850 struct sadb_x_policy *pol;
1851 struct sadb_x_ipsecrequest *req;
1852 ipsec_sa_t *ipsec = mapping->sa;
1853 pfkey_msg_t response;
1854 size_t len;
1855
1856 memset(&request, 0, sizeof(request));
1857
1858 msg = (struct sadb_msg*)request;
1859 msg->sadb_msg_version = PF_KEY_V2;
1860 msg->sadb_msg_type = update ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1861 msg->sadb_msg_satype = 0;
1862 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1863
1864 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1865 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1866 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1867 pol->sadb_x_policy_id = 0;
1868 pol->sadb_x_policy_dir = dir2kernel(policy->direction);
1869 pol->sadb_x_policy_type = type2kernel(mapping->type);
1870 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
1871 pol->sadb_x_policy_priority = mapping->priority;
1872 #endif
1873
1874 /* one or more sadb_x_ipsecrequest extensions are added to the
1875 * sadb_x_policy extension */
1876 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1877 req->sadb_x_ipsecrequest_proto = ipsec->cfg.esp.use ? IPPROTO_ESP
1878 : IPPROTO_AH;
1879 /* !!! the length here MUST be in octets instead of 64 bit words */
1880 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1881 req->sadb_x_ipsecrequest_mode = mode2kernel(ipsec->cfg.mode);
1882 req->sadb_x_ipsecrequest_reqid = ipsec->cfg.reqid;
1883 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1884 if (ipsec->cfg.mode == MODE_TUNNEL)
1885 {
1886 len = hostcpy(req + 1, ipsec->src);
1887 req->sadb_x_ipsecrequest_len += len;
1888 len = hostcpy((char*)(req + 1) + len, ipsec->dst);
1889 req->sadb_x_ipsecrequest_len += len;
1890 }
1891
1892 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1893 PFKEY_EXT_ADD(msg, pol);
1894
1895 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
1896 policy->src.mask);
1897 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
1898 policy->dst.mask);
1899
1900 #ifdef __FreeBSD__
1901 { /* on FreeBSD a lifetime has to be defined to be able to later query
1902 * the current use time. */
1903 struct sadb_lifetime *lft;
1904 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1905 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1906 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1907 lft->sadb_lifetime_addtime = LONG_MAX;
1908 PFKEY_EXT_ADD(msg, lft);
1909 }
1910 #endif
1911
1912 this->mutex->unlock(this->mutex);
1913
1914 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1915 {
1916 return FAILED;
1917 }
1918 else if (out->sadb_msg_errno)
1919 {
1920 DBG1(DBG_KNL, "unable to %s policy: %s (%d)",
1921 update ? "update" : "add", strerror(out->sadb_msg_errno),
1922 out->sadb_msg_errno);
1923 free(out);
1924 return FAILED;
1925 }
1926 else if (parse_pfkey_message(out, &response) != SUCCESS)
1927 {
1928 DBG1(DBG_KNL, "unable to %s policy: parsing response from kernel "
1929 "failed", update ? "update" : "add");
1930 free(out);
1931 return FAILED;
1932 }
1933
1934 /* we try to find the policy again and update the kernel index */
1935 this->mutex->lock(this->mutex);
1936 if (this->policies->find_last(this->policies, NULL,
1937 (void**)&policy) != SUCCESS)
1938 {
1939 DBG2(DBG_KNL, "unable to update index, the policy is already gone, "
1940 "ignoring");
1941 this->mutex->unlock(this->mutex);
1942 free(out);
1943 return SUCCESS;
1944 }
1945 policy->index = response.x_policy->sadb_x_policy_id;
1946 free(out);
1947
1948 /* install a route, if:
1949 * - this is a forward policy (to just get one for each child)
1950 * - we are in tunnel mode
1951 * - routing is not disabled via strongswan.conf
1952 */
1953 if (policy->direction == POLICY_FWD &&
1954 ipsec->cfg.mode != MODE_TRANSPORT && this->install_routes)
1955 {
1956 route_entry_t *route = malloc_thing(route_entry_t);
1957 policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping;
1958
1959 if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
1960 fwd->dst_ts, &route->src_ip) == SUCCESS)
1961 {
1962 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1963 route->gateway = hydra->kernel_interface->get_nexthop(
1964 hydra->kernel_interface, ipsec->src);
1965 /* install route via outgoing interface */
1966 route->if_name = hydra->kernel_interface->get_interface(
1967 hydra->kernel_interface, ipsec->dst);
1968 route->dst_net = chunk_clone(policy->src.net->get_address(
1969 policy->src.net));
1970 route->prefixlen = policy->src.mask;
1971
1972 if (!route->if_name)
1973 {
1974 this->mutex->unlock(this->mutex);
1975 route_entry_destroy(route);
1976 return SUCCESS;
1977 }
1978
1979 if (policy->route)
1980 {
1981 route_entry_t *old = policy->route;
1982 if (route_entry_equals(old, route))
1983 { /* keep previously installed route */
1984 this->mutex->unlock(this->mutex);
1985 route_entry_destroy(route);
1986 return SUCCESS;
1987 }
1988 /* uninstall previously installed route */
1989 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
1990 old->dst_net, old->prefixlen, old->gateway,
1991 old->src_ip, old->if_name) != SUCCESS)
1992 {
1993 DBG1(DBG_KNL, "error uninstalling route installed with "
1994 "policy %R === %R %N", fwd->src_ts,
1995 fwd->dst_ts, policy_dir_names,
1996 policy->direction);
1997 }
1998 route_entry_destroy(old);
1999 policy->route = NULL;
2000 }
2001
2002 DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
2003 fwd->src_ts, route->gateway, route->src_ip, route->if_name);
2004 switch (hydra->kernel_interface->add_route(
2005 hydra->kernel_interface, route->dst_net,
2006 route->prefixlen, route->gateway,
2007 route->src_ip, route->if_name))
2008 {
2009 default:
2010 DBG1(DBG_KNL, "unable to install source route for %H",
2011 route->src_ip);
2012 /* FALL */
2013 case ALREADY_DONE:
2014 /* route exists, do not uninstall */
2015 route_entry_destroy(route);
2016 break;
2017 case SUCCESS:
2018 /* cache the installed route */
2019 policy->route = route;
2020 break;
2021 }
2022 }
2023 else
2024 {
2025 free(route);
2026 }
2027 }
2028 this->mutex->unlock(this->mutex);
2029 return SUCCESS;
2030 }
2031
2032 METHOD(kernel_ipsec_t, add_policy, status_t,
2033 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
2034 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
2035 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
2036 mark_t mark, policy_priority_t priority)
2037 {
2038 policy_entry_t *policy, *found = NULL;
2039 policy_sa_t *assigned_sa, *current_sa;
2040 enumerator_t *enumerator;
2041 bool update = TRUE;
2042
2043 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2044 { /* FWD policies are not supported on all platforms */
2045 return SUCCESS;
2046 }
2047
2048 /* create a policy */
2049 policy = create_policy_entry(src_ts, dst_ts, direction);
2050
2051 /* find a matching policy */
2052 this->mutex->lock(this->mutex);
2053 if (this->policies->find_first(this->policies,
2054 (linked_list_match_t)policy_entry_equals,
2055 (void**)&found, policy) == SUCCESS)
2056 { /* use existing policy */
2057 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
2058 "refcount", src_ts, dst_ts, policy_dir_names, direction);
2059 policy_entry_destroy(policy, this);
2060 policy = found;
2061 }
2062 else
2063 { /* use the new one, if we have no such policy */
2064 this->policies->insert_last(this->policies, policy);
2065 policy->used_by = linked_list_create();
2066 }
2067
2068 /* cache the assigned IPsec SA */
2069 assigned_sa = policy_sa_create(this, direction, type, src, dst, src_ts,
2070 dst_ts, sa);
2071 assigned_sa->priority = get_priority(policy, priority);
2072
2073 /* insert the SA according to its priority */
2074 enumerator = policy->used_by->create_enumerator(policy->used_by);
2075 while (enumerator->enumerate(enumerator, (void**)&current_sa))
2076 {
2077 if (current_sa->priority >= assigned_sa->priority)
2078 {
2079 break;
2080 }
2081 update = FALSE;
2082 }
2083 policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa);
2084 enumerator->destroy(enumerator);
2085
2086 if (!update)
2087 { /* we don't update the policy if the priority is lower than that of the
2088 * currently installed one */
2089 this->mutex->unlock(this->mutex);
2090 return SUCCESS;
2091 }
2092
2093 DBG2(DBG_KNL, "%s policy %R === %R %N",
2094 found ? "updating" : "adding", src_ts, dst_ts,
2095 policy_dir_names, direction);
2096
2097 if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS)
2098 {
2099 DBG1(DBG_KNL, "unable to %s policy %R === %R %N",
2100 found ? "update" : "add", src_ts, dst_ts,
2101 policy_dir_names, direction);
2102 return FAILED;
2103 }
2104 return SUCCESS;
2105 }
2106
2107 METHOD(kernel_ipsec_t, query_policy, status_t,
2108 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
2109 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
2110 u_int32_t *use_time)
2111 {
2112 unsigned char request[PFKEY_BUFFER_SIZE];
2113 struct sadb_msg *msg, *out;
2114 struct sadb_x_policy *pol;
2115 policy_entry_t *policy, *found = NULL;
2116 pfkey_msg_t response;
2117 size_t len;
2118
2119 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2120 { /* FWD policies are not supported on all platforms */
2121 return NOT_FOUND;
2122 }
2123
2124 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
2125 policy_dir_names, direction);
2126
2127 /* create a policy */
2128 policy = create_policy_entry(src_ts, dst_ts, direction);
2129
2130 /* find a matching policy */
2131 this->mutex->lock(this->mutex);
2132 if (this->policies->find_first(this->policies,
2133 (linked_list_match_t)policy_entry_equals,
2134 (void**)&found, policy) != SUCCESS)
2135 {
2136 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
2137 dst_ts, policy_dir_names, direction);
2138 policy_entry_destroy(policy, this);
2139 this->mutex->unlock(this->mutex);
2140 return NOT_FOUND;
2141 }
2142 policy_entry_destroy(policy, this);
2143 policy = found;
2144
2145 memset(&request, 0, sizeof(request));
2146
2147 msg = (struct sadb_msg*)request;
2148 msg->sadb_msg_version = PF_KEY_V2;
2149 msg->sadb_msg_type = SADB_X_SPDGET;
2150 msg->sadb_msg_satype = 0;
2151 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2152
2153 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2154 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2155 pol->sadb_x_policy_id = policy->index;
2156 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2157 pol->sadb_x_policy_dir = dir2kernel(direction);
2158 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
2159 PFKEY_EXT_ADD(msg, pol);
2160
2161 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2162 policy->src.mask);
2163 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2164 policy->dst.mask);
2165
2166 this->mutex->unlock(this->mutex);
2167
2168 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2169 {
2170 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
2171 policy_dir_names, direction);
2172 return FAILED;
2173 }
2174 else if (out->sadb_msg_errno)
2175 {
2176 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
2177 dst_ts, policy_dir_names, direction,
2178 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2179 free(out);
2180 return FAILED;
2181 }
2182 else if (parse_pfkey_message(out, &response) != SUCCESS)
2183 {
2184 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
2185 "from kernel failed", src_ts, dst_ts, policy_dir_names,
2186 direction);
2187 free(out);
2188 return FAILED;
2189 }
2190 else if (response.lft_current == NULL)
2191 {
2192 DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
2193 "use time", src_ts, dst_ts, policy_dir_names, direction);
2194 free(out);
2195 return FAILED;
2196 }
2197
2198 /* we need the monotonic time, but the kernel returns system time. */
2199 if (response.lft_current->sadb_lifetime_usetime)
2200 {
2201 *use_time = time_monotonic(NULL) -
2202 (time(NULL) - response.lft_current->sadb_lifetime_usetime);
2203 }
2204 else
2205 {
2206 *use_time = 0;
2207 }
2208 free(out);
2209 return SUCCESS;
2210 }
2211
2212 METHOD(kernel_ipsec_t, del_policy, status_t,
2213 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
2214 traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
2215 mark_t mark, policy_priority_t prio)
2216 {
2217 unsigned char request[PFKEY_BUFFER_SIZE];
2218 struct sadb_msg *msg, *out;
2219 struct sadb_x_policy *pol;
2220 policy_entry_t *policy, *found = NULL;
2221 policy_sa_t *mapping;
2222 enumerator_t *enumerator;
2223 bool is_installed = TRUE;
2224 u_int32_t priority;
2225 size_t len;
2226
2227 if (dir2kernel(direction) == IPSEC_DIR_INVALID)
2228 { /* FWD policies are not supported on all platforms */
2229 return SUCCESS;
2230 }
2231
2232 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
2233 policy_dir_names, direction);
2234
2235 /* create a policy */
2236 policy = create_policy_entry(src_ts, dst_ts, direction);
2237
2238 /* find a matching policy */
2239 this->mutex->lock(this->mutex);
2240 if (this->policies->find_first(this->policies,
2241 (linked_list_match_t)policy_entry_equals,
2242 (void**)&found, policy) != SUCCESS)
2243 {
2244 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
2245 dst_ts, policy_dir_names, direction);
2246 policy_entry_destroy(policy, this);
2247 this->mutex->unlock(this->mutex);
2248 return NOT_FOUND;
2249 }
2250 policy_entry_destroy(policy, this);
2251 policy = found;
2252
2253 /* remove mapping to SA by reqid and priority */
2254 priority = get_priority(policy, prio);
2255 enumerator = policy->used_by->create_enumerator(policy->used_by);
2256 while (enumerator->enumerate(enumerator, (void**)&mapping))
2257 {
2258 if (reqid == mapping->sa->cfg.reqid && priority == mapping->priority)
2259 {
2260 policy->used_by->remove_at(policy->used_by, enumerator);
2261 break;
2262 }
2263 is_installed = FALSE;
2264 }
2265 enumerator->destroy(enumerator);
2266
2267 if (policy->used_by->get_count(policy->used_by) > 0)
2268 { /* policy is used by more SAs, keep in kernel */
2269 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2270 policy_sa_destroy(mapping, &direction, this);
2271
2272 if (!is_installed)
2273 { /* no need to update as the policy was not installed for this SA */
2274 this->mutex->unlock(this->mutex);
2275 return SUCCESS;
2276 }
2277
2278 DBG2(DBG_KNL, "updating policy %R === %R %N", src_ts, dst_ts,
2279 policy_dir_names, direction);
2280 policy->used_by->get_first(policy->used_by, (void**)&mapping);
2281 if (add_policy_internal(this, policy, mapping, TRUE) != SUCCESS)
2282 {
2283 DBG1(DBG_KNL, "unable to update policy %R === %R %N",
2284 src_ts, dst_ts, policy_dir_names, direction);
2285 return FAILED;
2286 }
2287 return SUCCESS;
2288 }
2289
2290 memset(&request, 0, sizeof(request));
2291
2292 msg = (struct sadb_msg*)request;
2293 msg->sadb_msg_version = PF_KEY_V2;
2294 msg->sadb_msg_type = SADB_X_SPDDELETE;
2295 msg->sadb_msg_satype = 0;
2296 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2297
2298 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
2299 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2300 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
2301 pol->sadb_x_policy_dir = dir2kernel(direction);
2302 pol->sadb_x_policy_type = type2kernel(mapping->type);
2303 PFKEY_EXT_ADD(msg, pol);
2304
2305 add_addr_ext(msg, policy->src.net, SADB_EXT_ADDRESS_SRC, policy->src.proto,
2306 policy->src.mask);
2307 add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
2308 policy->dst.mask);
2309
2310 if (policy->route)
2311 {
2312 route_entry_t *route = policy->route;
2313 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2314 route->dst_net, route->prefixlen, route->gateway,
2315 route->src_ip, route->if_name) != SUCCESS)
2316 {
2317 DBG1(DBG_KNL, "error uninstalling route installed with "
2318 "policy %R === %R %N", src_ts, dst_ts,
2319 policy_dir_names, direction);
2320 }
2321 }
2322
2323 this->policies->remove(this->policies, found, NULL);
2324 policy_sa_destroy(mapping, &direction, this);
2325 policy_entry_destroy(policy, this);
2326 this->mutex->unlock(this->mutex);
2327
2328 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
2329 {
2330 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2331 policy_dir_names, direction);
2332 return FAILED;
2333 }
2334 else if (out->sadb_msg_errno)
2335 {
2336 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
2337 dst_ts, policy_dir_names, direction,
2338 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2339 free(out);
2340 return FAILED;
2341 }
2342 free(out);
2343 return SUCCESS;
2344 }
2345
2346 /**
2347 * Register a socket for ACQUIRE/EXPIRE messages
2348 */
2349 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this,
2350 u_int8_t satype)
2351 {
2352 unsigned char request[PFKEY_BUFFER_SIZE];
2353 struct sadb_msg *msg, *out;
2354 size_t len;
2355
2356 memset(&request, 0, sizeof(request));
2357
2358 msg = (struct sadb_msg*)request;
2359 msg->sadb_msg_version = PF_KEY_V2;
2360 msg->sadb_msg_type = SADB_REGISTER;
2361 msg->sadb_msg_satype = satype;
2362 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
2363
2364 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
2365 {
2366 DBG1(DBG_KNL, "unable to register PF_KEY socket");
2367 return FAILED;
2368 }
2369 else if (out->sadb_msg_errno)
2370 {
2371 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
2372 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
2373 free(out);
2374 return FAILED;
2375 }
2376 free(out);
2377 return SUCCESS;
2378 }
2379
2380 METHOD(kernel_ipsec_t, bypass_socket, bool,
2381 private_kernel_pfkey_ipsec_t *this, int fd, int family)
2382 {
2383 struct sadb_x_policy policy;
2384 u_int sol, ipsec_policy;
2385
2386 switch (family)
2387 {
2388 case AF_INET:
2389 {
2390 sol = SOL_IP;
2391 ipsec_policy = IP_IPSEC_POLICY;
2392 break;
2393 }
2394 case AF_INET6:
2395 {
2396 sol = SOL_IPV6;
2397 ipsec_policy = IPV6_IPSEC_POLICY;
2398 break;
2399 }
2400 default:
2401 return FALSE;
2402 }
2403
2404 memset(&policy, 0, sizeof(policy));
2405 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
2406 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
2407 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
2408
2409 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
2410 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2411 {
2412 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2413 strerror(errno));
2414 return FALSE;
2415 }
2416 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
2417 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2418 {
2419 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2420 strerror(errno));
2421 return FALSE;
2422 }
2423 return TRUE;
2424 }
2425
2426 METHOD(kernel_ipsec_t, destroy, void,
2427 private_kernel_pfkey_ipsec_t *this)
2428 {
2429 if (this->job)
2430 {
2431 this->job->cancel(this->job);
2432 }
2433 if (this->socket > 0)
2434 {
2435 close(this->socket);
2436 }
2437 if (this->socket_events > 0)
2438 {
2439 close(this->socket_events);
2440 }
2441 this->policies->invoke_function(this->policies,
2442 (linked_list_invoke_t)policy_entry_destroy,
2443 this);
2444 this->policies->destroy(this->policies);
2445 this->sas->destroy(this->sas);
2446 this->mutex->destroy(this->mutex);
2447 this->mutex_pfkey->destroy(this->mutex_pfkey);
2448 free(this);
2449 }
2450
2451 /*
2452 * Described in header.
2453 */
2454 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
2455 {
2456 private_kernel_pfkey_ipsec_t *this;
2457
2458 INIT(this,
2459 .public = {
2460 .interface = {
2461 .get_spi = _get_spi,
2462 .get_cpi = _get_cpi,
2463 .add_sa = _add_sa,
2464 .update_sa = _update_sa,
2465 .query_sa = _query_sa,
2466 .del_sa = _del_sa,
2467 .add_policy = _add_policy,
2468 .query_policy = _query_policy,
2469 .del_policy = _del_policy,
2470 .bypass_socket = _bypass_socket,
2471 .destroy = _destroy,
2472 },
2473 },
2474 .policies = linked_list_create(),
2475 .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
2476 (hashtable_equals_t)ipsec_sa_equals, 32),
2477 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2478 .mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
2479 .install_routes = lib->settings->get_bool(lib->settings,
2480 "%s.install_routes", TRUE,
2481 hydra->daemon),
2482 );
2483
2484 if (streq(hydra->daemon, "pluto"))
2485 { /* no routes for pluto, they are installed via updown script */
2486 this->install_routes = FALSE;
2487 }
2488
2489 /* create a PF_KEY socket to communicate with the kernel */
2490 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2491 if (this->socket <= 0)
2492 {
2493 DBG1(DBG_KNL, "unable to create PF_KEY socket");
2494 destroy(this);
2495 return NULL;
2496 }
2497
2498 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
2499 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
2500 if (this->socket_events <= 0)
2501 {
2502 DBG1(DBG_KNL, "unable to create PF_KEY event socket");
2503 destroy(this);
2504 return NULL;
2505 }
2506
2507 /* register the event socket */
2508 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
2509 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
2510 {
2511 DBG1(DBG_KNL, "unable to register PF_KEY event socket");
2512 destroy(this);
2513 return NULL;
2514 }
2515
2516 this->job = callback_job_create_with_prio((callback_job_cb_t)receive_events,
2517 this, NULL, NULL, JOB_PRIO_CRITICAL);
2518 lib->processor->queue_job(lib->processor, (job_t*)this->job);
2519
2520 return &this->public;
2521 }
2522
strongSwan - IPsec VPN