summaryrefslogtreecommitdiff
path: root/src/pluto/kernel.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/pluto/kernel.c')
-rw-r--r--src/pluto/kernel.c2114
1 files changed, 0 insertions, 2114 deletions
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
deleted file mode 100644
index e4729ef08..000000000
--- a/src/pluto/kernel.c
+++ /dev/null
@@ -1,2114 +0,0 @@
-/* routines that interface with the kernel's IPsec mechanism
- *
- * Copyright (C) 2010 Tobias Brunner
- * Copyright (C) 2009 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
- *
- * Copyright (C) 1998-2002 D. Hugh Redelmeier
- * Copyright (C) 1997 Angelos D. Keromytis
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stddef.h>
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <sys/queue.h>
-#include <sys/wait.h>
-
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <freeswan.h>
-
-#include <library.h>
-#include <hydra.h>
-#include <crypto/rngs/rng.h>
-#include <kernel/kernel_listener.h>
-
-#include <signal.h>
-#include <sys/time.h> /* for select(2) */
-#include <sys/types.h> /* for select(2) */
-#include <pfkeyv2.h>
-#include <pfkey.h>
-#include "kameipsec.h"
-
-#include "constants.h"
-#include "defs.h"
-#include "connections.h"
-#include "state.h"
-#include "timer.h"
-#include "kernel.h"
-#include "kernel_pfkey.h"
-#include "log.h"
-#include "ca.h"
-#include "server.h"
-#include "whack.h" /* for RC_LOG_SERIOUS */
-#include "keys.h"
-#include "crypto.h"
-#include "nat_traversal.h"
-#include "alg_info.h"
-#include "kernel_alg.h"
-#include "pluto.h"
-
-
-bool can_do_IPcomp = TRUE; /* can system actually perform IPCOMP? */
-
-/* test if the routes required for two different connections agree
- * It is assumed that the destination subnets agree; we are only
- * testing that the interfaces and nexthops match.
- */
-#define routes_agree(c, d) ((c)->interface == (d)->interface \
- && sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop))
-
-/* forward declaration */
-static bool shunt_eroute(connection_t *c, struct spd_route *sr,
- enum routing_t rt_kind, unsigned int op,
- const char *opname);
-
-static void set_text_said(char *text_said, const ip_address *dst,
- ipsec_spi_t spi, int proto);
-
-/**
- * Default IPsec SA config (e.g. to install trap policies).
- */
-static ipsec_sa_cfg_t null_ipsec_sa = {
- .mode = MODE_TRANSPORT,
- .esp = {
- .use = TRUE,
- },
-};
-
-/**
- * Helper function that converts an ip_subnet to a traffic_selector_t.
- */
-static traffic_selector_t *traffic_selector_from_subnet(const ip_subnet *client,
- const u_int8_t proto)
-{
- traffic_selector_t *ts;
- host_t *net;
- net = host_create_from_sockaddr((sockaddr_t*)&client->addr);
- ts = traffic_selector_create_from_subnet(net, client->maskbits, proto,
- net->get_port(net));
- return ts;
-}
-
-/**
- * Helper function that converts a traffic_selector_t to an ip_subnet.
- */
-static ip_subnet subnet_from_traffic_selector(traffic_selector_t *ts)
-{
- ip_subnet subnet;
- host_t *net;
- u_int8_t mask;
- ts->to_subnet(ts, &net, &mask);
- subnet.addr = *(ip_address*)net->get_sockaddr(net);
- subnet.maskbits = mask;
- net->destroy(net);
- return subnet;
-}
-
-
-void record_and_initiate_opportunistic(const ip_subnet *ours,
- const ip_subnet *his,
- int transport_proto, const char *why)
-{
- ip_address src, dst;
- passert(samesubnettype(ours, his));
-
- /* actually initiate opportunism */
- networkof(ours, &src);
- networkof(his, &dst);
- initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD);
-}
-
-/* Generate Unique SPI numbers.
- *
- * The returned SPI is in network byte order.
- */
-ipsec_spi_t get_ipsec_spi(ipsec_spi_t avoid, int proto, struct spd_route *sr,
- bool tunnel)
-{
- host_t *host_src, *host_dst;
- u_int32_t spi;
-
- host_src = host_create_from_sockaddr((sockaddr_t*)&sr->that.host_addr);
- host_dst = host_create_from_sockaddr((sockaddr_t*)&sr->this.host_addr);
-
- if (hydra->kernel_interface->get_spi(hydra->kernel_interface, host_src,
- host_dst, proto, sr->reqid, &spi) != SUCCESS)
- {
- spi = 0;
- }
-
- host_src->destroy(host_src);
- host_dst->destroy(host_dst);
-
- return spi;
-}
-
-/* Generate Unique CPI numbers.
- * The result is returned as an SPI (4 bytes) in network order!
- * The real bits are in the nework-low-order 2 bytes.
- */
-ipsec_spi_t get_my_cpi(struct spd_route *sr, bool tunnel)
-{
- host_t *host_src, *host_dst;
- u_int16_t cpi;
-
- host_src = host_create_from_sockaddr((sockaddr_t*)&sr->that.host_addr);
- host_dst = host_create_from_sockaddr((sockaddr_t*)&sr->this.host_addr);
-
- if (hydra->kernel_interface->get_cpi(hydra->kernel_interface, host_src,
- host_dst, sr->reqid, &cpi) != SUCCESS)
-
- {
- cpi = 0;
- }
-
- host_src->destroy(host_src);
- host_dst->destroy(host_dst);
-
- return htonl((u_int32_t)ntohs(cpi));
-}
-
-/* Replace the shell metacharacters ', \, ", `, and $ in a character string
- * by escape sequences consisting of their octal values
- */
-static void escape_metachar(const char *src, char *dst, size_t dstlen)
-{
- while (*src != '\0' && dstlen > 4)
- {
- switch (*src)
- {
- case '\'':
- case '\\':
- case '"':
- case '`':
- case '$':
- sprintf(dst,"\\%s%o", (*src < 64)?"0":"", *src);
- dst += 4;
- dstlen -= 4;
- break;
- default:
- *dst++ = *src;
- dstlen--;
- }
- src++;
- }
- *dst = '\0';
-}
-
-/* invoke the updown script to do the routing and firewall commands required
- *
- * The user-specified updown script is run. Parameters are fed to it in
- * the form of environment variables. All such environment variables
- * have names starting with "PLUTO_".
- *
- * The operation to be performed is specified by PLUTO_VERB. This
- * verb has a suffix "-host" if the client on this end is just the
- * host; otherwise the suffix is "-client". If the address family
- * of the host is IPv6, an extra suffix of "-v6" is added.
- *
- * "prepare-host" and "prepare-client" are used to delete a route
- * that may exist (due to forces outside of Pluto). It is used to
- * prepare for pluto creating a route.
- *
- * "route-host" and "route-client" are used to install a route.
- * Since routing is based only on destination, the PLUTO_MY_CLIENT_*
- * values are probably of no use (using them may signify a bug).
- *
- * "unroute-host" and "unroute-client" are used to delete a route.
- * Since routing is based only on destination, the PLUTO_MY_CLIENT_*
- * values are probably of no use (using them may signify a bug).
- *
- * "up-host" and "up-client" are run when an eroute is added (not replaced).
- * They are useful for adjusting a firewall: usually for adding a rule
- * to let processed packets flow between clients. Note that only
- * one eroute may exist for a pair of client subnets but inbound
- * IPsec SAs may persist without an eroute.
- *
- * "down-host" and "down-client" are run when an eroute is deleted.
- * They are useful for adjusting a firewall.
- */
-
-#ifndef DEFAULT_UPDOWN
-# define DEFAULT_UPDOWN "ipsec _updown"
-#endif
-
-static bool do_command(connection_t *c, struct spd_route *sr, struct state *st,
- const char *verb)
-{
- char cmd[1536]; /* arbitrary limit on shell command length */
- const char *verb_suffix;
-
- /* figure out which verb suffix applies */
- {
- const char *hs, *cs;
-
- switch (addrtypeof(&sr->this.host_addr))
- {
- case AF_INET:
- hs = "-host";
- cs = "-client";
- break;
- case AF_INET6:
- hs = "-host-v6";
- cs = "-client-v6";
- break;
- default:
- loglog(RC_LOG_SERIOUS, "unknown address family");
- return FALSE;
- }
- verb_suffix = subnetisaddr(&sr->this.client, &sr->this.host_addr)
- ? hs : cs;
- }
-
- /* form the command string */
- {
- char
- nexthop_str[sizeof("PLUTO_NEXT_HOP='' ") +ADDRTOT_BUF] = "",
- srcip_str[sizeof("PLUTO_MY_SOURCEIP='' ")+ADDRTOT_BUF] = "",
- me_str[ADDRTOT_BUF],
- myid_str[BUF_LEN],
- myclient_str[SUBNETTOT_BUF],
- myclientnet_str[ADDRTOT_BUF],
- myclientmask_str[ADDRTOT_BUF],
- peer_str[ADDRTOT_BUF],
- peerid_str[BUF_LEN],
- peerclient_str[SUBNETTOT_BUF],
- peerclientnet_str[ADDRTOT_BUF],
- peerclientmask_str[ADDRTOT_BUF],
- peerca_str[BUF_LEN],
- mark_in[BUF_LEN] = "",
- mark_out[BUF_LEN] = "",
- udp_encap[BUF_LEN] = "",
- xauth_id_str[BUF_LEN] = "",
- secure_myid_str[BUF_LEN] = "",
- secure_peerid_str[BUF_LEN] = "",
- secure_peerca_str[BUF_LEN] = "",
- secure_xauth_id_str[BUF_LEN] = "";
- ip_address ta;
- pubkey_list_t *p;
-
- if (addrbytesptr(&sr->this.host_nexthop, NULL)
- && !isanyaddr(&sr->this.host_nexthop))
- {
- char *n;
-
- strcpy(nexthop_str, "PLUTO_NEXT_HOP='");
- n = nexthop_str + strlen(nexthop_str);
-
- addrtot(&sr->this.host_nexthop, 0
- ,n , sizeof(nexthop_str)-strlen(nexthop_str));
- strncat(nexthop_str, "' ", sizeof(nexthop_str));
- }
-
- if (!sr->this.host_srcip->is_anyaddr(sr->this.host_srcip))
- {
- char *n;
-
- strcpy(srcip_str, "PLUTO_MY_SOURCEIP='");
- n = srcip_str + strlen(srcip_str);
- snprintf(n, sizeof(srcip_str)-strlen(srcip_str), "%H",
- sr->this.host_srcip);
- strncat(srcip_str, "' ", sizeof(srcip_str));
- }
-
- if (sr->mark_in.value)
- {
- snprintf(mark_in, sizeof(mark_in), "PLUTO_MARK_IN='%u/0x%08x' ",
- sr->mark_in.value, sr->mark_in.mask);
- }
-
- if (sr->mark_out.value)
- {
- snprintf(mark_out, sizeof(mark_out), "PLUTO_MARK_OUT='%u/0x%08x' ",
- sr->mark_out.value, sr->mark_out.mask);
- }
-
- if (st && (st->nat_traversal & NAT_T_DETECTED))
- {
- snprintf(udp_encap, sizeof(udp_encap), "PLUTO_UDP_ENC='%u' ",
- sr->that.host_port);
- }
-
- addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
- snprintf(myid_str, sizeof(myid_str), "%Y", sr->this.id);
- escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
- subnettot(&sr->this.client, 0, myclient_str, sizeof(myclientnet_str));
- networkof(&sr->this.client, &ta);
- addrtot(&ta, 0, myclientnet_str, sizeof(myclientnet_str));
- maskof(&sr->this.client, &ta);
- addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str));
-
- if (c->xauth_identity &&
- c->xauth_identity->get_type(c->xauth_identity) != ID_ANY)
- {
- snprintf(xauth_id_str, sizeof(xauth_id_str), "%Y", c->xauth_identity);
- escape_metachar(xauth_id_str, secure_xauth_id_str,
- sizeof(secure_xauth_id_str));
- snprintf(xauth_id_str, sizeof(xauth_id_str), "PLUTO_XAUTH_ID='%s' ",
- secure_xauth_id_str);
- }
-
- addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str));
- snprintf(peerid_str, sizeof(peerid_str), "%Y", sr->that.id);
- escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str));
- subnettot(&sr->that.client, 0, peerclient_str, sizeof(peerclientnet_str));
- networkof(&sr->that.client, &ta);
- addrtot(&ta, 0, peerclientnet_str, sizeof(peerclientnet_str));
- maskof(&sr->that.client, &ta);
- addrtot(&ta, 0, peerclientmask_str, sizeof(peerclientmask_str));
-
- for (p = pubkeys; p != NULL; p = p->next)
- {
- pubkey_t *key = p->key;
- key_type_t type = key->public_key->get_type(key->public_key);
- int pathlen;
-
- if (type == KEY_RSA &&
- sr->that.id->equals(sr->that.id, key->id) &&
- trusted_ca(key->issuer, sr->that.ca, &pathlen))
- {
- if (key->issuer)
- {
- snprintf(peerca_str, BUF_LEN, "%Y", key->issuer);
- escape_metachar(peerca_str, secure_peerca_str, BUF_LEN);
- }
- else
- {
- secure_peerca_str[0] = '\0';
- }
- break;
- }
- }
-
- if (-1 == snprintf(cmd, sizeof(cmd)
- , "2>&1 " /* capture stderr along with stdout */
- "PLUTO_VERSION='1.1' " /* change VERSION when interface spec changes */
- "PLUTO_VERB='%s%s' "
- "PLUTO_CONNECTION='%s' "
- "%s" /* optional PLUTO_NEXT_HOP */
- "PLUTO_INTERFACE='%s' "
- "%s" /* optional PLUTO_HOST_ACCESS */
- "PLUTO_REQID='%u' "
- "PLUTO_ME='%s' "
- "PLUTO_MY_ID='%s' "
- "PLUTO_MY_CLIENT='%s' "
- "PLUTO_MY_CLIENT_NET='%s' "
- "PLUTO_MY_CLIENT_MASK='%s' "
- "PLUTO_MY_PORT='%u' "
- "PLUTO_MY_PROTOCOL='%u' "
- "PLUTO_PEER='%s' "
- "PLUTO_PEER_ID='%s' "
- "PLUTO_PEER_CLIENT='%s' "
- "PLUTO_PEER_CLIENT_NET='%s' "
- "PLUTO_PEER_CLIENT_MASK='%s' "
- "PLUTO_PEER_PORT='%u' "
- "PLUTO_PEER_PROTOCOL='%u' "
- "PLUTO_PEER_CA='%s' "
- "%s" /* optional PLUTO_MY_SRCIP */
- "%s" /* optional PLUTO_XAUTH_ID */
- "%s" /* optional PLUTO_MARK_IN */
- "%s" /* optional PLUTO_MARK_OUT */
- "%s" /* optional PLUTO_UDP_ENC */
- "%s" /* actual script */
- , verb, verb_suffix
- , c->name
- , nexthop_str
- , c->interface->vname
- , sr->this.hostaccess? "PLUTO_HOST_ACCESS='1' " : ""
- , sr->reqid
- , me_str
- , secure_myid_str
- , myclient_str
- , myclientnet_str
- , myclientmask_str
- , sr->this.port
- , sr->this.protocol
- , peer_str
- , secure_peerid_str
- , peerclient_str
- , peerclientnet_str
- , peerclientmask_str
- , sr->that.port
- , sr->that.protocol
- , secure_peerca_str
- , srcip_str
- , xauth_id_str
- , mark_in
- , mark_out
- , udp_encap
- , sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
- {
- loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
- return FALSE;
- }
- }
-
- DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
- , verb, verb_suffix, cmd));
-
- /* invoke the script, catching stderr and stdout
- * It may be of concern that some file descriptors will
- * be inherited. For the ones under our control, we
- * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
- * Any used by library routines (perhaps the resolver or syslog)
- * will remain.
- */
- FILE *f = popen(cmd, "r");
-
- if (f == NULL)
- {
- loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
- return FALSE;
- }
-
- /* log any output */
- for (;;)
- {
- /* if response doesn't fit in this buffer, it will be folded */
- char resp[256];
-
- if (fgets(resp, sizeof(resp), f) == NULL)
- {
- if (ferror(f))
- {
- log_errno((e, "fgets failed on output of %s%s command"
- , verb, verb_suffix));
- return FALSE;
- }
- else
- {
- passert(feof(f));
- break;
- }
- }
- else
- {
- char *e = resp + strlen(resp);
-
- if (e > resp && e[-1] == '\n')
- e[-1] = '\0'; /* trim trailing '\n' */
- plog("%s%s output: %s", verb, verb_suffix, resp);
- }
- }
-
- /* report on and react to return code */
- {
- int r = pclose(f);
-
- if (r == -1)
- {
- log_errno((e, "pclose failed for %s%s command"
- , verb, verb_suffix));
- return FALSE;
- }
- else if (WIFEXITED(r))
- {
- if (WEXITSTATUS(r) != 0)
- {
- loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
- , verb, verb_suffix, WEXITSTATUS(r));
- return FALSE;
- }
- }
- else if (WIFSIGNALED(r))
- {
- loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
- , verb, verb_suffix, WTERMSIG(r));
- return FALSE;
- }
- else
- {
- loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
- , verb, verb_suffix, r);
- return FALSE;
- }
- }
- return TRUE;
-}
-
-/* Check that we can route (and eroute). Diagnose if we cannot. */
-
-enum routability {
- route_impossible = 0,
- route_easy = 1,
- route_nearconflict = 2,
- route_farconflict = 3
-};
-
-static enum routability could_route(connection_t *c)
-{
- struct spd_route *esr, *rosr;
- connection_t *ero /* who, if anyone, owns our eroute? */
- , *ro = route_owner(c, &rosr, &ero, &esr); /* who owns our route? */
-
- /* it makes no sense to route a connection that is ISAKMP-only */
- if (!NEVER_NEGOTIATE(c->policy) && !HAS_IPSEC_POLICY(c->policy))
- {
- loglog(RC_ROUTE, "cannot route an ISAKMP-only connection");
- return route_impossible;
- }
-
- /* if this is a Road Warrior template, we cannot route.
- * Opportunistic template is OK.
- */
- if (c->kind == CK_TEMPLATE && !(c->policy & POLICY_OPPO))
- {
- loglog(RC_ROUTE, "cannot route Road Warrior template");
- return route_impossible;
- }
-
- /* if we don't know nexthop, we cannot route */
- if (isanyaddr(&c->spd.this.host_nexthop))
- {
- loglog(RC_ROUTE, "cannot route connection without knowing our nexthop");
- return route_impossible;
- }
-
- /* if routing would affect IKE messages, reject */
- if (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
- && c->spd.this.host_port != IKE_UDP_PORT
- && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
- {
- loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client");
- return route_impossible;
- }
-
- /* If there is already a route for peer's client subnet
- * and it disagrees about interface or nexthop, we cannot steal it.
- * Note: if this connection is already routed (perhaps for another
- * state object), the route will agree.
- * This is as it should be -- it will arise during rekeying.
- */
- if (ro != NULL && !routes_agree(ro, c))
- {
- loglog(RC_LOG_SERIOUS, "cannot route -- route already in use for \"%s\""
- , ro->name);
- return route_impossible; /* another connection already
- using the eroute */
- }
-
- /* if there is an eroute for another connection, there is a problem */
- if (ero != NULL && ero != c)
- {
- connection_t *ero2, *ero_top;
- connection_t *inside, *outside;
-
- /*
- * note, wavesec (PERMANENT) goes *outside* and
- * OE goes *inside* (TEMPLATE)
- */
- inside = NULL;
- outside= NULL;
- if (ero->kind == CK_PERMANENT
- && c->kind == CK_TEMPLATE)
- {
- outside = ero;
- inside = c;
- }
- else if (c->kind == CK_PERMANENT
- && ero->kind == CK_TEMPLATE)
- {
- outside = c;
- inside = ero;
- }
-
- /* okay, check again, with correct order */
- if (outside && outside->kind == CK_PERMANENT
- && inside && inside->kind == CK_TEMPLATE)
- {
- char inst[CONN_INST_BUF];
-
- /* this is a co-terminal attempt of the "near" kind. */
- /* when chaining, we chain from inside to outside */
-
- /* XXX permit multiple deep connections? */
- passert(inside->policy_next == NULL);
-
- inside->policy_next = outside;
-
- /* since we are going to steal the eroute from the secondary
- * policy, we need to make sure that it no longer thinks that
- * it owns the eroute.
- */
- outside->spd.eroute_owner = SOS_NOBODY;
- outside->spd.routing = RT_UNROUTED_KEYED;
-
- /* set the priority of the new eroute owner to be higher
- * than that of the current eroute owner
- */
- inside->prio = outside->prio + 1;
-
- fmt_conn_instance(inside, inst);
-
- loglog(RC_LOG_SERIOUS
- , "conflict on eroute (%s), switching eroute to %s and linking %s"
- , inst, inside->name, outside->name);
-
- return route_nearconflict;
- }
-
- /* look along the chain of policies for one with the same name */
- ero_top = ero;
-
- for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next)
- {
- if (ero2->kind == CK_TEMPLATE
- && streq(ero2->name, c->name))
- break;
- }
-
- /* If we fell of the end of the list, then we found no TEMPLATE
- * so there must be a conflict that we can't resolve.
- * As the names are not equal, then we aren't replacing/rekeying.
- */
- if (ero2 == NULL)
- {
- char inst[CONN_INST_BUF];
-
- fmt_conn_instance(ero, inst);
-
- loglog(RC_LOG_SERIOUS
- , "cannot install eroute -- it is in use for \"%s\"%s #%lu"
- , ero->name, inst, esr->eroute_owner);
- return route_impossible;
- }
- }
- return route_easy;
-}
-
-bool trap_connection(connection_t *c)
-{
- switch (could_route(c))
- {
- case route_impossible:
- return FALSE;
-
- case route_nearconflict:
- case route_easy:
- /* RT_ROUTED_TUNNEL is treated specially: we don't override
- * because we don't want to lose track of the IPSEC_SAs etc.
- */
- if (c->spd.routing < RT_ROUTED_TUNNEL)
- {
- return route_and_eroute(c, &c->spd, NULL);
- }
- return TRUE;
-
- case route_farconflict:
- return FALSE;
- }
-
- return FALSE;
-}
-
-/**
- * Delete any eroute for a connection and unroute it if route isn't shared
- */
-void unroute_connection(connection_t *c)
-{
- struct spd_route *sr;
- enum routing_t cr;
-
- for (sr = &c->spd; sr; sr = sr->next)
- {
- cr = sr->routing;
-
- if (erouted(cr))
- {
- /* cannot handle a live one */
- passert(sr->routing != RT_ROUTED_TUNNEL);
- shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete");
- }
-
- sr->routing = RT_UNROUTED; /* do now so route_owner won't find us */
-
- /* only unroute if no other connection shares it */
- if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL)
- {
- (void) do_command(c, sr, NULL, "unroute");
- }
- }
-}
-
-
-static void set_text_said(char *text_said, const ip_address *dst,
- ipsec_spi_t spi, int proto)
-{
- ip_said said;
-
- initsaid(dst, spi, proto, &said);
- satot(&said, 0, text_said, SATOT_BUF);
-}
-
-
-/**
- * Setup an IPsec route entry.
- * op is one of the ERO_* operators.
- */
-static bool raw_eroute(const ip_address *this_host,
- const ip_subnet *this_client,
- const ip_address *that_host,
- const ip_subnet *that_client,
- mark_t mark,
- ipsec_spi_t spi,
- unsigned int proto,
- unsigned int satype,
- unsigned int transport_proto,
- ipsec_sa_cfg_t *sa,
- unsigned int op,
- const char *opname USED_BY_DEBUG)
-{
- traffic_selector_t *ts_src, *ts_dst;
- host_t *host_src, *host_dst;
- policy_type_t type = POLICY_IPSEC;
- policy_dir_t dir = POLICY_OUT;
- policy_priority_t priority = POLICY_PRIORITY_DEFAULT;
- char text_said[SATOT_BUF];
- bool ok = TRUE,
- deleting = (op & ERO_MASK) == ERO_DELETE,
- replacing = op & (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT);
-
- set_text_said(text_said, that_host, spi, proto);
-
- DBG(DBG_CONTROL | DBG_KERNEL,
- {
- int sport = ntohs(portof(&this_client->addr));
- int dport = ntohs(portof(&that_client->addr));
- char mybuf[SUBNETTOT_BUF];
- char peerbuf[SUBNETTOT_BUF];
-
- subnettot(this_client, 0, mybuf, sizeof(mybuf));
- subnettot(that_client, 0, peerbuf, sizeof(peerbuf));
- DBG_log("%s eroute %s:%d -> %s:%d => %s:%d"
- , opname, mybuf, sport, peerbuf, dport
- , text_said, transport_proto);
- });
-
- if (satype == SADB_X_SATYPE_INT)
- {
- switch (ntohl(spi))
- {
- case SPI_PASS:
- type = POLICY_PASS;
- break;
- case SPI_DROP:
- case SPI_REJECT:
- type = POLICY_DROP;
- break;
- case SPI_TRAP:
- case SPI_TRAPSUBNET:
- case SPI_HOLD:
- if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
- {
- return TRUE;
- }
- priority = POLICY_PRIORITY_ROUTED;
- break;
- }
- }
-
- if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
- {
- dir = POLICY_IN;
- }
-
- host_src = host_create_from_sockaddr((sockaddr_t*)this_host);
- host_dst = host_create_from_sockaddr((sockaddr_t*)that_host);
- ts_src = traffic_selector_from_subnet(this_client, transport_proto);
- ts_dst = traffic_selector_from_subnet(that_client, transport_proto);
-
- if (deleting || replacing)
- {
- hydra->kernel_interface->del_policy(hydra->kernel_interface,
- ts_src, ts_dst, dir, sa->reqid, mark, priority);
- }
-
- if (!deleting)
- {
- ok = hydra->kernel_interface->add_policy(hydra->kernel_interface,
- host_src, host_dst, ts_src, ts_dst, dir, type, sa,
- mark, priority) == SUCCESS;
- }
-
- if (dir == POLICY_IN)
- { /* handle forward policy */
- dir = POLICY_FWD;
- if (deleting || replacing)
- {
- hydra->kernel_interface->del_policy(hydra->kernel_interface,
- ts_src, ts_dst, dir, sa->reqid, mark, priority);
- }
-
- if (!deleting && ok &&
- (sa->mode == MODE_TUNNEL || satype == SADB_X_SATYPE_INT))
- {
- ok = hydra->kernel_interface->add_policy(hydra->kernel_interface,
- host_src, host_dst, ts_src, ts_dst, dir, type, sa,
- mark, priority) == SUCCESS;
- }
- }
-
- host_src->destroy(host_src);
- host_dst->destroy(host_dst);
- ts_src->destroy(ts_src);
- ts_dst->destroy(ts_dst);
-
- return ok;
-}
-
-static bool eroute_connection(struct spd_route *sr, ipsec_spi_t spi,
- unsigned int proto, unsigned int satype,
- ipsec_sa_cfg_t *sa, unsigned int op,
- const char *opname)
-{
- const ip_address *peer = &sr->that.host_addr;
- char buf2[256];
- bool ok;
-
- snprintf(buf2, sizeof(buf2)
- , "eroute_connection %s", opname);
-
- if (proto == SA_INT)
- {
- peer = aftoinfo(addrtypeof(peer))->any;
- }
- ok = raw_eroute(peer, &sr->that.client,
- &sr->this.host_addr, &sr->this.client, sr->mark_in,
- spi, proto, satype, sr->this.protocol,
- sa, op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), buf2);
- return raw_eroute(&sr->this.host_addr, &sr->this.client, peer,
- &sr->that.client, sr->mark_out, spi, proto, satype,
- sr->this.protocol, sa, op, buf2) && ok;
-}
-
-/* assign a bare hold to a connection */
-
-bool assign_hold(connection_t *c USED_BY_DEBUG, struct spd_route *sr,
- int transport_proto,
- const ip_address *src,
- const ip_address *dst)
-{
- /* either the automatically installed %hold eroute is broad enough
- * or we try to add a broader one and delete the automatic one.
- * Beware: this %hold might be already handled, but still squeak
- * through because of a race.
- */
- enum routing_t ro = sr->routing /* routing, old */
- , rn = ro; /* routing, new */
-
- passert(LHAS(LELEM(CK_PERMANENT) | LELEM(CK_INSTANCE), c->kind));
- /* figure out what routing should become */
- switch (ro)
- {
- case RT_UNROUTED:
- rn = RT_UNROUTED_HOLD;
- break;
- case RT_ROUTED_PROSPECTIVE:
- rn = RT_ROUTED_HOLD;
- break;
- default:
- /* no change: this %hold is old news and should just be deleted */
- break;
- }
-
- /* We need a broad %hold
- * First we ensure that there is a broad %hold.
- * There may already be one (race condition): no need to create one.
- * There may already be a %trap: replace it.
- * There may not be any broad eroute: add %hold.
- */
- if (rn != ro)
- {
- if (erouted(ro)
- ? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT,
- &null_ipsec_sa, ERO_REPLACE,
- "replace %trap with broad %hold")
- : !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT,
- &null_ipsec_sa, ERO_ADD, "add broad %hold"))
- {
- return FALSE;
- }
- }
- sr->routing = rn;
- return TRUE;
-}
-
-/* install or remove eroute for SA Group */
-static bool sag_eroute(struct state *st, struct spd_route *sr,
- unsigned op, const char *opname)
-{
- u_int inner_proto, inner_satype;
- ipsec_spi_t inner_spi = 0;
- ipsec_sa_cfg_t sa = {
- .mode = MODE_TRANSPORT,
- };
- bool tunnel = FALSE;
-
- if (st->st_ah.present)
- {
- inner_spi = st->st_ah.attrs.spi;
- inner_proto = SA_AH;
- inner_satype = SADB_SATYPE_AH;
- sa.ah.use = TRUE;
- sa.ah.spi = inner_spi;
- tunnel |= st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
- }
-
- if (st->st_esp.present)
- {
- inner_spi = st->st_esp.attrs.spi;
- inner_proto = SA_ESP;
- inner_satype = SADB_SATYPE_ESP;
- sa.esp.use = TRUE;
- sa.esp.spi = inner_spi;
- tunnel |= st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
- }
-
- if (st->st_ipcomp.present)
- {
- inner_spi = st->st_ipcomp.attrs.spi;
- inner_proto = SA_COMP;
- inner_satype = SADB_X_SATYPE_COMP;
- sa.ipcomp.transform = st->st_ipcomp.attrs.transid;
- sa.ipcomp.cpi = htons(ntohl(inner_spi));
- tunnel |= st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
- }
-
- if (!sa.ah.use && !sa.esp.use && !sa.ipcomp.transform)
- {
- impossible(); /* no transform at all! */
- }
-
- if (tunnel)
- {
- inner_spi = st->st_tunnel_out_spi;
- inner_proto = SA_IPIP;
- inner_satype = SADB_X_SATYPE_IPIP;
- sa.mode = MODE_TUNNEL;
- }
-
- sa.reqid = sr->reqid;
-
- return eroute_connection(sr, inner_spi, inner_proto, inner_satype,
- &sa, op, opname);
-}
-
-/* compute a (host-order!) SPI to implement the policy in connection c */
-ipsec_spi_t
-shunt_policy_spi(connection_t *c, bool prospective)
-{
- /* note: these are in host order :-( */
- static const ipsec_spi_t shunt_spi[] =
- {
- SPI_TRAP, /* --initiateontraffic */
- SPI_PASS, /* --pass */
- SPI_DROP, /* --drop */
- SPI_REJECT, /* --reject */
- };
-
- static const ipsec_spi_t fail_spi[] =
- {
- 0, /* --none*/
- SPI_PASS, /* --failpass */
- SPI_DROP, /* --faildrop */
- SPI_REJECT, /* --failreject */
- };
-
- return prospective
- ? shunt_spi[(c->policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT]
- : fail_spi[(c->policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT];
-}
-
-/* Add/replace/delete a shunt eroute.
- * Such an eroute determines the fate of packets without the use
- * of any SAs. These are defaults, in effect.
- * If a negotiation has not been attempted, use %trap.
- * If negotiation has failed, the choice between %trap/%pass/%drop/%reject
- * is specified in the policy of connection c.
- */
-static bool shunt_eroute(connection_t *c, struct spd_route *sr,
- enum routing_t rt_kind,
- unsigned int op, const char *opname)
-{
- /* We are constructing a special SAID for the eroute.
- * The destination doesn't seem to matter, but the family does.
- * The protocol is SA_INT -- mark this as shunt.
- * The satype has no meaning, but is required for PF_KEY header!
- * The SPI signifies the kind of shunt.
- */
- ipsec_spi_t spi = shunt_policy_spi(c, rt_kind == RT_ROUTED_PROSPECTIVE);
-
- if (spi == 0)
- {
- /* we're supposed to end up with no eroute: rejig op and opname */
- switch (op)
- {
- case ERO_REPLACE:
- /* replace with nothing == delete */
- op = ERO_DELETE;
- opname = "delete";
- break;
- case ERO_ADD:
- /* add nothing == do nothing */
- return TRUE;
- case ERO_DELETE:
- /* delete remains delete */
- break;
- default:
- bad_case(op);
- }
- }
- if (sr->routing == RT_ROUTED_ECLIPSED && c->kind == CK_TEMPLATE)
- {
- /* We think that we have an eroute, but we don't.
- * Adjust the request and account for eclipses.
- */
- passert(eclipsable(sr));
- switch (op)
- {
- case ERO_REPLACE:
- /* really an add */
- op = ERO_ADD;
- opname = "replace eclipsed";
- eclipse_count--;
- break;
- case ERO_DELETE:
- /* delete unnecessary: we don't actually have an eroute */
- eclipse_count--;
- return TRUE;
- case ERO_ADD:
- default:
- bad_case(op);
- }
- }
- else if (eclipse_count > 0 && op == ERO_DELETE && eclipsable(sr))
- {
- /* maybe we are uneclipsing something */
- struct spd_route *esr;
- connection_t *ue = eclipsed(c, &esr);
-
- if (ue != NULL)
- {
- esr->routing = RT_ROUTED_PROSPECTIVE;
- return shunt_eroute(ue, esr
- , RT_ROUTED_PROSPECTIVE, ERO_REPLACE, "restoring eclipsed");
- }
- }
-
- return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT,
- &null_ipsec_sa, op, opname);
-}
-
-static bool setup_half_ipsec_sa(struct state *st, bool inbound)
-{
- host_t *host_src, *host_dst;
- connection_t *c = st->st_connection;
- struct end *src, *dst;
- ipsec_mode_t mode = MODE_TRANSPORT;
- ipsec_sa_cfg_t sa = { .mode = 0 };
- lifetime_cfg_t lt_none = { .time = { .rekey = 0 } };
- mark_t mark;
- bool ok = TRUE;
- /* SPIs, saved for undoing, if necessary */
- struct kernel_sa said[EM_MAXRELSPIS], *said_next = said;
- if (inbound)
- {
- src = &c->spd.that;
- dst = &c->spd.this;
- mark = c->spd.mark_in;
- }
- else
- {
- src = &c->spd.this;
- dst = &c->spd.that;
- mark = c->spd.mark_out;
- }
-
- host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
- host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
-
- if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
- || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
- || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
- {
- mode = MODE_TUNNEL;
- }
-
- sa.mode = mode;
- sa.reqid = c->spd.reqid;
-
- memset(said, 0, sizeof(said));
-
- /* set up IPCOMP SA, if any */
-
- if (st->st_ipcomp.present)
- {
- ipsec_spi_t ipcomp_spi = inbound ? st->st_ipcomp.our_spi
- : st->st_ipcomp.attrs.spi;
-
- switch (st->st_ipcomp.attrs.transid)
- {
- case IPCOMP_DEFLATE:
- break;
-
- default:
- loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented",
- enum_name(&ipcomp_transformid_names,
- st->st_ipcomp.attrs.transid));
- goto fail;
- }
-
- sa.ipcomp.cpi = htons(ntohl(ipcomp_spi));
- sa.ipcomp.transform = st->st_ipcomp.attrs.transid;
-
- said_next->spi = ipcomp_spi;
- said_next->proto = IPPROTO_COMP;
-
- if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
- host_dst, ipcomp_spi, said_next->proto, c->spd.reqid,
- mark, 0, &lt_none, ENCR_UNDEFINED, chunk_empty,
- AUTH_UNDEFINED, chunk_empty, mode,
- st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE, FALSE,
- inbound, NULL, NULL) != SUCCESS)
- {
- goto fail;
- }
- said_next++;
- mode = MODE_TRANSPORT;
- }
-
- /* set up ESP SA, if any */
-
- if (st->st_esp.present)
- {
- ipsec_spi_t esp_spi = inbound ? st->st_esp.our_spi
- : st->st_esp.attrs.spi;
- u_char *esp_dst_keymat = inbound ? st->st_esp.our_keymat
- : st->st_esp.peer_keymat;
- bool encap = st->nat_traversal & NAT_T_DETECTED;
- encryption_algorithm_t enc_alg;
- integrity_algorithm_t auth_alg;
- const struct esp_info *ei;
- chunk_t enc_key, auth_key;
- u_int16_t key_len;
-
- if ((ei = kernel_alg_esp_info(st->st_esp.attrs.transid,
- st->st_esp.attrs.auth)) == NULL)
- {
- loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s"
- " not implemented yet",
- enum_name(&esp_transform_names, st->st_esp.attrs.transid),
- enum_name(&auth_alg_names, st->st_esp.attrs.auth));
- goto fail;
- }
-
- key_len = st->st_esp.attrs.key_len / 8;
- if (key_len)
- {
- /* XXX: must change to check valid _range_ key_len */
- if (key_len > ei->enckeylen)
- {
- loglog(RC_LOG_SERIOUS, "ESP transform %s: key_len=%d > %d",
- enum_name(&esp_transform_names, st->st_esp.attrs.transid),
- (int)key_len, (int)ei->enckeylen);
- goto fail;
- }
- }
- else
- {
- key_len = ei->enckeylen;
- }
-
- switch (ei->transid)
- {
- case ESP_3DES:
- /* 168 bits in kernel, need 192 bits for keymat_len */
- if (key_len == 21)
- {
- key_len = 24;
- }
- break;
- case ESP_DES:
- /* 56 bits in kernel, need 64 bits for keymat_len */
- if (key_len == 7)
- {
- key_len = 8;
- }
- break;
- case ESP_AES_CCM_8:
- case ESP_AES_CCM_12:
- case ESP_AES_CCM_16:
- key_len += 3;
- break;
- case ESP_AES_GCM_8:
- case ESP_AES_GCM_12:
- case ESP_AES_GCM_16:
- case ESP_AES_CTR:
- case ESP_AES_GMAC:
- key_len += 4;
- break;
- default:
- break;
- }
-
- if (encap)
- {
- host_src->set_port(host_src, src->host_port);
- host_dst->set_port(host_dst, dst->host_port);
- // st->nat_oa is currently unused
- }
-
- /* divide up keying material */
- enc_alg = encryption_algorithm_from_esp(st->st_esp.attrs.transid);
- enc_key.ptr = esp_dst_keymat;
- enc_key.len = key_len;
- auth_alg = integrity_algorithm_from_esp(st->st_esp.attrs.auth);
- auth_alg = auth_alg ? : AUTH_UNDEFINED;
- auth_key.ptr = esp_dst_keymat + key_len;
- auth_key.len = ei->authkeylen;
-
- sa.esp.use = TRUE;
- sa.esp.spi = esp_spi;
-
- said_next->spi = esp_spi;
- said_next->proto = IPPROTO_ESP;
-
- if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
- host_dst, esp_spi, said_next->proto, c->spd.reqid,
- mark, 0, &lt_none, enc_alg, enc_key,
- auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
- encap, FALSE, inbound, NULL, NULL) != SUCCESS)
- {
- goto fail;
- }
- said_next++;
- mode = MODE_TRANSPORT;
- }
-
- /* set up AH SA, if any */
-
- if (st->st_ah.present)
- {
- ipsec_spi_t ah_spi = inbound ? st->st_ah.our_spi
- : st->st_ah.attrs.spi;
- u_char *ah_dst_keymat = inbound ? st->st_ah.our_keymat
- : st->st_ah.peer_keymat;
- integrity_algorithm_t auth_alg;
- chunk_t auth_key;
-
- auth_alg = integrity_algorithm_from_esp(st->st_ah.attrs.auth);
- auth_key.ptr = ah_dst_keymat;
- auth_key.len = st->st_ah.keymat_len;
-
- sa.ah.use = TRUE;
- sa.ah.spi = ah_spi;
-
- said_next->spi = ah_spi;
- said_next->proto = IPPROTO_AH;
-
- if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
- host_dst, ah_spi, said_next->proto, c->spd.reqid,
- mark, 0, &lt_none, ENCR_UNDEFINED, chunk_empty,
- auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
- FALSE, FALSE, inbound, NULL, NULL) != SUCCESS)
- {
- goto fail;
- }
- said_next++;
- mode = MODE_TRANSPORT;
- }
-
- goto cleanup;
-
-fail:
- /* undo the done SPIs */
- while (said_next-- != said)
- {
- hydra->kernel_interface->del_sa(hydra->kernel_interface, host_src,
- host_dst, said_next->spi,
- said_next->proto, 0 /* cpi */,
- mark);
- }
- ok = FALSE;
-
-cleanup:
- host_src->destroy(host_src);
- host_dst->destroy(host_dst);
- return ok;
-}
-
-static bool teardown_half_ipsec_sa(struct state *st, bool inbound)
-{
- connection_t *c = st->st_connection;
- const struct end *src, *dst;
- host_t *host_src, *host_dst;
- ipsec_spi_t spi;
- mark_t mark;
- bool result = TRUE;
-
- if (inbound)
- {
- src = &c->spd.that;
- dst = &c->spd.this;
- mark = c->spd.mark_in;
- }
- else
- {
- src = &c->spd.this;
- dst = &c->spd.that;
- mark = c->spd.mark_out;
- }
-
- host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
- host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
-
- if (st->st_ah.present)
- {
- spi = inbound ? st->st_ah.our_spi : st->st_ah.attrs.spi;
- result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
- host_src, host_dst, spi, IPPROTO_AH,
- 0 /* cpi */, mark) == SUCCESS;
- }
-
- if (st->st_esp.present)
- {
- spi = inbound ? st->st_esp.our_spi : st->st_esp.attrs.spi;
- result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
- host_src, host_dst, spi, IPPROTO_ESP,
- 0 /* cpi */, mark) == SUCCESS;
- }
-
- if (st->st_ipcomp.present)
- {
- spi = inbound ? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi;
- result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
- host_src, host_dst, spi, IPPROTO_COMP,
- 0 /* cpi */, mark) == SUCCESS;
- }
-
- host_src->destroy(host_src);
- host_dst->destroy(host_dst);
-
- return result;
-}
-
-/*
- * get information about a given sa
- */
-bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
-{
- connection_t *c = st->st_connection;
- traffic_selector_t *ts_src = NULL, *ts_dst = NULL;
- host_t *host_src = NULL, *host_dst = NULL;
- const struct end *src, *dst;
- ipsec_spi_t spi;
- mark_t mark;
- u_int64_t bytes_kernel = 0;
- bool result = FALSE;
-
- *use_time = UNDEFINED_TIME;
-
- if (!st->st_esp.present)
- {
- goto failed;
- }
-
- if (inbound)
- {
- src = &c->spd.that;
- dst = &c->spd.this;
- mark = c->spd.mark_in;
- spi = st->st_esp.our_spi;
- }
- else
- {
- src = &c->spd.this;
- dst = &c->spd.that;
- mark = c->spd.mark_out;
- spi = st->st_esp.attrs.spi;
- }
-
- host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
- host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
-
- switch(hydra->kernel_interface->query_sa(hydra->kernel_interface, host_src,
- host_dst, spi, IPPROTO_ESP,
- mark, &bytes_kernel))
- {
- case FAILED:
- goto failed;
- case SUCCESS:
- *bytes = bytes_kernel;
- break;
- case NOT_SUPPORTED:
- default:
- break;
- }
-
- if (st->st_serialno == c->spd.eroute_owner)
- {
- u_int32_t time_kernel;
-
- ts_src = traffic_selector_from_subnet(&src->client, src->protocol);
- ts_dst = traffic_selector_from_subnet(&dst->client, dst->protocol);
-
- if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
- ts_src, ts_dst, inbound ? POLICY_IN : POLICY_OUT,
- mark, &time_kernel) != SUCCESS)
- {
- goto failed;
- }
- *use_time = time_kernel;
-
- if (inbound &&
- st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
- {
- if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
- ts_src, ts_dst, POLICY_FWD, mark,
- &time_kernel) != SUCCESS)
- {
- goto failed;
- }
- *use_time = max(*use_time, time_kernel);
- }
- }
-
- result = TRUE;
-
-failed:
- DESTROY_IF(host_src);
- DESTROY_IF(host_dst);
- DESTROY_IF(ts_src);
- DESTROY_IF(ts_dst);
- return result;
-}
-
-/**
- * Handler for kernel events (called by thread-pool thread)
- */
-kernel_listener_t *kernel_handler;
-
-/**
- * Data for acquire events
- */
-typedef struct {
- /** Subnets */
- ip_subnet src, dst;
- /** Transport protocol */
- int proto;
-} acquire_data_t;
-
-/**
- * Callback for acquire events (called by main thread)
- */
-void handle_acquire(acquire_data_t *this)
-{
- record_and_initiate_opportunistic(&this->src, &this->dst, this->proto,
- "%acquire");
-}
-
-METHOD(kernel_listener_t, acquire, bool,
- kernel_listener_t *this, u_int32_t reqid,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
-{
- if (src_ts && dst_ts)
- {
- acquire_data_t *data;
- DBG(DBG_CONTROL,
- DBG_log("creating acquire event for policy %R === %R "
- "with reqid {%u}", src_ts, dst_ts, reqid));
- INIT(data,
- .src = subnet_from_traffic_selector(src_ts),
- .dst = subnet_from_traffic_selector(dst_ts),
- .proto = src_ts->get_protocol(src_ts),
- );
- pluto->events->queue(pluto->events, (void*)handle_acquire, data, free);
- }
- else
- {
- DBG(DBG_CONTROL,
- DBG_log("ignoring acquire without traffic selectors for policy "
- "with reqid {%u}", reqid));
- }
- DESTROY_IF(src_ts);
- DESTROY_IF(dst_ts);
- return TRUE;
-}
-
-/**
- * Data for mapping events
- */
-typedef struct {
- /** reqid, spi of affected SA */
- u_int32_t reqid, spi;
- /** new endpont */
- ip_address new_end;
-} mapping_data_t;
-
-/**
- * Callback for mapping events (called by main thread)
- */
-void handle_mapping(mapping_data_t *this)
-{
- process_nat_t_new_mapping(this->reqid, this->spi, &this->new_end);
-}
-
-
-METHOD(kernel_listener_t, mapping, bool,
- kernel_listener_t *this, u_int32_t reqid, u_int32_t spi, host_t *remote)
-{
- mapping_data_t *data;
- DBG(DBG_CONTROL,
- DBG_log("creating mapping event for SA with SPI %.8x and reqid {%u}",
- spi, reqid));
- INIT(data,
- .reqid = reqid,
- .spi = spi,
- .new_end = *(ip_address*)remote->get_sockaddr(remote),
- );
- pluto->events->queue(pluto->events, (void*)handle_mapping, data, free);
- return TRUE;
-}
-
-void init_kernel(void)
-{
- /* register SA types that we can negotiate */
- can_do_IPcomp = FALSE; /* until we get a response from the kernel */
- pfkey_register();
-
- INIT(kernel_handler,
- .acquire = _acquire,
- .mapping = _mapping,
- );
- hydra->kernel_interface->add_listener(hydra->kernel_interface,
- kernel_handler);
-}
-
-void kernel_finalize()
-{
- hydra->kernel_interface->remove_listener(hydra->kernel_interface,
- kernel_handler);
- free(kernel_handler);
-}
-
-/* Note: install_inbound_ipsec_sa is only used by the Responder.
- * The Responder will subsequently use install_ipsec_sa for the outbound.
- * The Initiator uses install_ipsec_sa to install both at once.
- */
-bool install_inbound_ipsec_sa(struct state *st)
-{
- connection_t *const c = st->st_connection;
-
- /* If our peer has a fixed-address client, check if we already
- * have a route for that client that conflicts. We will take this
- * as proof that that route and the connections using it are
- * obsolete and should be eliminated. Interestingly, this is
- * the only case in which we can tell that a connection is obsolete.
- */
- passert(c->kind == CK_PERMANENT || c->kind == CK_INSTANCE);
- if (c->spd.that.has_client)
- {
- for (;;)
- {
- struct spd_route *esr;
- connection_t *o = route_owner(c, &esr, NULL, NULL);
-
- if (o == NULL)
- {
- break; /* nobody has a route */
- }
-
- /* note: we ignore the client addresses at this end */
- if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr) &&
- o->interface == c->interface)
- {
- break; /* existing route is compatible */
- }
-
- if (o->kind == CK_TEMPLATE && streq(o->name, c->name))
- {
- break; /* ??? is this good enough?? */
- }
-
- loglog(RC_LOG_SERIOUS, "route to peer's client conflicts with \"%s\" %s; releasing old connection to free the route"
- , o->name, ip_str(&o->spd.that.host_addr));
- release_connection(o, FALSE);
- }
- }
-
- DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa() checking if we can route"));
- /* check that we will be able to route and eroute */
- switch (could_route(c))
- {
- case route_easy:
- case route_nearconflict:
- break;
- default:
- return FALSE;
- }
-
- /* (attempt to) actually set up the SAs */
- return setup_half_ipsec_sa(st, TRUE);
-}
-
-/* Install a route and then a prospective shunt eroute or an SA group eroute.
- * Assumption: could_route gave a go-ahead.
- * Any SA Group must have already been created.
- * On failure, steps will be unwound.
- */
-bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
-{
- struct spd_route *esr;
- struct spd_route *rosr;
- connection_t *ero /* who, if anyone, owns our eroute? */
- , *ro = route_owner(c, &rosr, &ero, &esr);
- bool eroute_installed = FALSE
- , firewall_notified = FALSE
- , route_installed = FALSE;
-
- connection_t *ero_top;
-
- DBG(DBG_CONTROLMORE,
- DBG_log("route_and_eroute with c: %s (next: %s) ero:%s esr:{%p} ro:%s rosr:{%p} and state: %lu"
- , c->name
- , (c->policy_next ? c->policy_next->name : "none")
- , ero ? ero->name : "null"
- , esr
- , ro ? ro->name : "null"
- , rosr
- , st ? st->st_serialno : 0));
-
- /* look along the chain of policies for one with the same name */
- ero_top = ero;
-
-#if 0
- /* XXX - mcr this made sense before, and likely will make sense
- * again, so I'l leaving this to remind me what is up */
- if (ero!= NULL && ero->routing == RT_UNROUTED_KEYED)
- ero = NULL;
-
- for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next)
- if ((ero2->kind == CK_TEMPLATE || ero2->kind==CK_SECONDARY)
- && streq(ero2->name, c->name))
- break;
-#endif
-
- /* install the eroute */
-
- if (ero != NULL)
- {
- /* We're replacing an eroute */
-
- /* if no state provided, then install a shunt for later */
- if (st == NULL)
- {
- eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
- , ERO_REPLACE, "replace");
- }
- else
- {
- eroute_installed = sag_eroute(st, sr, ERO_REPLACE, "replace");
- }
-#if 0
- /* XXX - MCR. I previously felt that this was a bogus check */
- if (ero != NULL && ero != c && esr != sr)
- {
- /* By elimination, we must be eclipsing ero. Check. */
- passert(ero->kind == CK_TEMPLATE && streq(ero->name, c->name));
- passert(LHAS(LELEM(RT_ROUTED_PROSPECTIVE) | LELEM(RT_ROUTED_ECLIPSED)
- , esr->routing));
- passert(samesubnet(&esr->this.client, &sr->this.client)
- && samesubnet(&esr->that.client, &sr->that.client));
- }
-#endif
- }
- else
- {
- /* we're adding an eroute */
-
- /* if no state provided, then install a shunt for later */
- if (st == NULL)
- {
- eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
- , ERO_ADD, "add");
- }
- else
- {
- eroute_installed = sag_eroute(st, sr, ERO_ADD, "add");
- }
- }
-
- /* notify the firewall of a new tunnel */
-
- if (eroute_installed)
- {
- /* do we have to notify the firewall? Yes, if we are installing
- * a tunnel eroute and the firewall wasn't notified
- * for a previous tunnel with the same clients. Any Previous
- * tunnel would have to be for our connection, so the actual
- * test is simple.
- */
- firewall_notified = st == NULL /* not a tunnel eroute */
- || sr->eroute_owner != SOS_NOBODY /* already notified */
- || do_command(c, sr, st, "up"); /* go ahead and notify */
- }
-
- /* install the route */
-
- DBG(DBG_CONTROL,
- DBG_log("route_and_eroute: firewall_notified: %s"
- , firewall_notified ? "true" : "false"));
- if (!firewall_notified)
- {
- /* we're in trouble -- don't do routing */
- }
- else if (ro == NULL)
- {
- /* a new route: no deletion required, but preparation is */
- (void) do_command(c, sr, st, "prepare"); /* just in case; ignore failure */
- route_installed = do_command(c, sr, st, "route");
- }
- else if (routed(sr->routing) || routes_agree(ro, c))
- {
- route_installed = TRUE; /* nothing to be done */
- }
- else
- {
- /* Some other connection must own the route
- * and the route must disagree. But since could_route
- * must have allowed our stealing it, we'll do so.
- *
- * A feature of LINUX allows us to install the new route
- * before deleting the old if the nexthops differ.
- * This reduces the "window of vulnerability" when packets
- * might flow in the clear.
- */
- if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop))
- {
- (void) do_command(ro, sr, st, "unroute");
- route_installed = do_command(c, sr, st, "route");
- }
- else
- {
- route_installed = do_command(c, sr, st, "route");
- (void) do_command(ro, sr, st, "unroute");
- }
-
- /* record unrouting */
- if (route_installed)
- {
- do {
- passert(!erouted(rosr->routing));
- rosr->routing = RT_UNROUTED;
-
- /* no need to keep old value */
- ro = route_owner(c, &rosr, NULL, NULL);
- } while (ro != NULL);
- }
- }
-
- /* all done -- clean up */
- if (route_installed)
- {
- /* Success! */
-
- if (ero != NULL && ero != c)
- {
- /* check if ero is an ancestor of c. */
- connection_t *ero2;
-
- for (ero2 = c; ero2 != NULL && ero2 != c; ero2 = ero2->policy_next)
- ;
-
- if (ero2 == NULL)
- {
- /* By elimination, we must be eclipsing ero. Checked above. */
- if (ero->spd.routing != RT_ROUTED_ECLIPSED)
- {
- ero->spd.routing = RT_ROUTED_ECLIPSED;
- eclipse_count++;
- }
- }
- }
-
- if (st == NULL)
- {
- passert(sr->eroute_owner == SOS_NOBODY);
- sr->routing = RT_ROUTED_PROSPECTIVE;
- }
- else
- {
- char cib[CONN_INST_BUF];
- sr->routing = RT_ROUTED_TUNNEL;
-
- DBG(DBG_CONTROL,
- DBG_log("route_and_eroute: instance \"%s\"%s, setting eroute_owner {spd=%p,sr=%p} to #%ld (was #%ld) (newest_ipsec_sa=#%ld)"
- , st->st_connection->name
- , (fmt_conn_instance(st->st_connection, cib), cib)
- , &st->st_connection->spd, sr
- , st->st_serialno
- , sr->eroute_owner
- , st->st_connection->newest_ipsec_sa));
- sr->eroute_owner = st->st_serialno;
- }
-
- return TRUE;
- }
- else
- {
- /* Failure! Unwind our work. */
- if (firewall_notified && sr->eroute_owner == SOS_NOBODY)
- (void) do_command(c, sr, st, "down");
-
- if (eroute_installed)
- {
- /* Restore original eroute, if we can.
- * Since there is nothing much to be done if the restoration
- * fails, ignore success or failure.
- */
- if (ero != NULL)
- {
- /* restore ero's former glory */
- if (esr->eroute_owner == SOS_NOBODY)
- {
- /* note: normal or eclipse case */
- (void) shunt_eroute(ero, esr
- , esr->routing, ERO_REPLACE, "restore");
- }
- else
- {
- /* Try to find state that owned eroute.
- * Don't do anything if it cannot be found.
- * This case isn't likely since we don't run
- * the updown script when replacing a SA group
- * with its successor (for the same conn).
- */
- struct state *ost = state_with_serialno(esr->eroute_owner);
-
- if (ost != NULL)
- (void) sag_eroute(ost, esr, ERO_REPLACE, "restore");
- }
- }
- else
- {
- /* there was no previous eroute: delete whatever we installed */
- if (st == NULL)
- {
- (void) shunt_eroute(c, sr, sr->routing, ERO_DELETE, "delete");
- }
- else
- {
- (void) sag_eroute(st, sr, ERO_DELETE, "delete");
- }
- }
- }
-
- return FALSE;
- }
-}
-
-bool install_ipsec_sa(struct state *st, bool inbound_also)
-{
- struct spd_route *sr;
-
- DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s"
- , st->st_serialno
- , inbound_also?
- "inbound and outbound" : "outbound only"));
-
- switch (could_route(st->st_connection))
- {
- case route_easy:
- case route_nearconflict:
- break;
- default:
- return FALSE;
- }
-
- /* (attempt to) actually set up the SA group */
- if ((inbound_also && !setup_half_ipsec_sa(st, TRUE)) ||
- !setup_half_ipsec_sa(st, FALSE))
- {
- return FALSE;
- }
-
- for (sr = &st->st_connection->spd; sr != NULL; sr = sr->next)
- {
- DBG(DBG_CONTROL, DBG_log("sr for #%ld: %s"
- , st->st_serialno
- , enum_name(&routing_story, sr->routing)));
-
- /*
- * if the eroute owner is not us, then make it us.
- * See test co-terminal-02, pluto-rekey-01, pluto-unit-02/oppo-twice
- */
- pexpect(sr->eroute_owner == SOS_NOBODY
- || sr->routing >= RT_ROUTED_TUNNEL);
-
- if (sr->eroute_owner != st->st_serialno
- && sr->routing != RT_UNROUTED_KEYED)
- {
- if (!route_and_eroute(st->st_connection, sr, st))
- {
- delete_ipsec_sa(st, FALSE);
- /* XXX go and unroute any SRs that were successfully
- * routed already.
- */
- return FALSE;
- }
- }
- }
-
- return TRUE;
-}
-
-/* delete an IPSEC SA.
- * we may not succeed, but we bull ahead anyway because
- * we cannot do anything better by recognizing failure
- */
-void delete_ipsec_sa(struct state *st, bool inbound_only)
-{
- if (!inbound_only)
- {
- /* If the state is the eroute owner, we must adjust
- * the routing for the connection.
- */
- connection_t *c = st->st_connection;
- struct spd_route *sr;
-
- passert(st->st_connection);
-
- for (sr = &c->spd; sr; sr = sr->next)
- {
- if (sr->eroute_owner == st->st_serialno
- && sr->routing == RT_ROUTED_TUNNEL)
- {
- sr->eroute_owner = SOS_NOBODY;
-
- /* Routing should become RT_ROUTED_FAILURE,
- * but if POLICY_FAIL_NONE, then we just go
- * right back to RT_ROUTED_PROSPECTIVE as if no
- * failure happened.
- */
- sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE
- ? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
-
- (void) do_command(c, sr, st, "down");
- if ((c->policy & POLICY_DONT_REKEY) && c->kind == CK_INSTANCE)
- {
- /* in this special case, even if the connection
- * is still alive (due to an ISAKMP SA),
- * we get rid of routing.
- * Even though there is still an eroute, the c->routing
- * setting will convince unroute_connection to delete it.
- * unroute_connection would be upset if c->routing == RT_ROUTED_TUNNEL
- */
- unroute_connection(c);
- }
- else
- {
- (void) shunt_eroute(c, sr, sr->routing, ERO_REPLACE, "replace with shunt");
- }
- }
- }
- (void) teardown_half_ipsec_sa(st, FALSE);
- }
- (void) teardown_half_ipsec_sa(st, TRUE);
-}
-
-static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
-{
- connection_t *c = st->st_connection;
- host_t *host_src, *host_dst, *new_src, *new_dst;
- ipsec_spi_t spi = inbound ? st->st_esp.our_spi : st->st_esp.attrs.spi;
- struct end *src = inbound ? &c->spd.that : &c->spd.this,
- *dst = inbound ? &c->spd.this : &c->spd.that;
- mark_t mark = inbound ? c->spd.mark_in : c->spd.mark_out;
- bool result;
-
- host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
- host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
-
- new_src = host_src->clone(host_src);
- new_dst = host_dst->clone(host_dst);
- new_src->set_port(new_src, src->host_port);
- new_dst->set_port(new_dst, dst->host_port);
-
- result = hydra->kernel_interface->update_sa(hydra->kernel_interface,
- spi, IPPROTO_ESP, 0 /* cpi */, host_src, host_dst,
- new_src, new_dst, TRUE /* encap */, TRUE /* new_encap */,
- mark) == SUCCESS;
-
- host_src->destroy(host_src);
- host_dst->destroy(host_dst);
- new_src->destroy(new_src);
- new_dst->destroy(new_dst);
-
- return result;
-}
-
-bool update_ipsec_sa (struct state *st)
-{
- if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
- {
- if (st->st_esp.present && (
- (!update_nat_t_ipsec_esp_sa (st, TRUE)) ||
- (!update_nat_t_ipsec_esp_sa (st, FALSE))))
- {
- return FALSE;
- }
- }
- else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
- {
- if (st->st_esp.present && !update_nat_t_ipsec_esp_sa (st, FALSE))
- {
- return FALSE;
- }
- }
- else
- {
- DBG_log("assert failed at %s:%d st_state=%d", __FILE__, __LINE__, st->st_state);
- return FALSE;
- }
- return TRUE;
-}
-
-/* Check if there was traffic on given SA during the last idle_max
- * seconds. If TRUE, the SA was idle and DPD exchange should be performed.
- * If FALSE, DPD is not necessary. We also return TRUE for errors, as they
- * could mean that the SA is broken and needs to be replace anyway.
- */
-bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
-{
- time_t use_time;
- u_int bytes;
- int ret = TRUE;
-
- passert(st != NULL);
-
- if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME)
- {
- *idle_time = time_monotonic(NULL) - use_time;
- ret = *idle_time >= idle_max;
- }
-
- return ret;
-}