summaryrefslogtreecommitdiff
path: root/src/pluto/kernel.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/pluto/kernel.c')
-rw-r--r--src/pluto/kernel.c2216
1 files changed, 621 insertions, 1595 deletions
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index dd7ed8893..e57822ffb 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -1,7 +1,11 @@
/* routines that interface with the kernel's IPsec mechanism
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2002 D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier
+ * Copyright (C) 1997 Angelos D. Keromytis
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -32,16 +36,16 @@
#include <freeswan.h>
#include <library.h>
+#include <hydra.h>
#include <crypto/rngs/rng.h>
+#include <kernel/kernel_listener.h>
-#ifdef KLIPS
#include <signal.h>
#include <sys/time.h> /* for select(2) */
#include <sys/types.h> /* for select(2) */
#include <pfkeyv2.h>
#include <pfkey.h>
#include "kameipsec.h"
-#endif /* KLIPS */
#include "constants.h"
#include "defs.h"
@@ -49,28 +53,21 @@
#include "state.h"
#include "timer.h"
#include "kernel.h"
-#include "kernel_netlink.h"
#include "kernel_pfkey.h"
-#include "kernel_noklips.h"
#include "log.h"
#include "ca.h"
#include "server.h"
#include "whack.h" /* for RC_LOG_SERIOUS */
#include "keys.h"
+#include "crypto.h"
#include "nat_traversal.h"
#include "alg_info.h"
#include "kernel_alg.h"
+#include "pluto.h"
bool can_do_IPcomp = TRUE; /* can system actually perform IPCOMP? */
-/* How far can IPsec messages arrive out of order before the anti-replay
- * logic loses track and swats them? 64 is the best KLIPS can do.
- * And 32 is the best XFRM can do...
- */
-#define REPLAY_WINDOW 64
-#define REPLAY_WINDOW_XFRM 32
-
/* test if the routes required for two different connections agree
* It is assumed that the destination subnets agree; we are only
* testing that the interfaces and nexthops match.
@@ -78,282 +75,115 @@ bool can_do_IPcomp = TRUE; /* can system actually perform IPCOMP? */
#define routes_agree(c, d) ((c)->interface == (d)->interface \
&& sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop))
-#ifndef KLIPS
-
-bool no_klips = TRUE; /* don't actually use KLIPS */
-
-#else /* !KLIPS */
-
-/* bare (connectionless) shunt (eroute) table
- *
- * Bare shunts are those that don't "belong" to a connection.
- * This happens because some %trapped traffic hasn't yet or cannot be
- * assigned to a connection. The usual reason is that we cannot discover
- * the peer SG. Another is that even when the peer has been discovered,
- * it may be that no connection matches all the particulars.
- * We record them so that, with scanning, we can discover
- * which %holds are news and which others should expire.
- */
+/* forward declaration */
+static bool shunt_eroute(connection_t *c, struct spd_route *sr,
+ enum routing_t rt_kind, unsigned int op,
+ const char *opname);
-#define SHUNT_SCAN_INTERVAL (60 * 2) /* time between scans of eroutes */
+static void set_text_said(char *text_said, const ip_address *dst,
+ ipsec_spi_t spi, int proto);
-/* SHUNT_PATIENCE only has resolution down to a multiple of the sample rate,
- * SHUNT_SCAN_INTERVAL.
- * By making SHUNT_PATIENCE an odd multiple of half of SHUNT_SCAN_INTERVAL,
- * we minimize the effects of jitter.
+/**
+ * Default IPsec SA config (e.g. to install trap policies).
*/
-#define SHUNT_PATIENCE (SHUNT_SCAN_INTERVAL * 15 / 2) /* inactivity timeout */
-
-struct bare_shunt {
- policy_prio_t policy_prio;
- ip_subnet ours;
- ip_subnet his;
- ip_said said;
- int transport_proto;
- unsigned long count;
- time_t last_activity;
- char *why;
- struct bare_shunt *next;
+static ipsec_sa_cfg_t null_ipsec_sa = {
+ .mode = MODE_TRANSPORT,
+ .esp = {
+ .use = TRUE,
+ },
};
-static struct bare_shunt *bare_shunts = NULL;
-
-#ifdef DEBUG
-static void DBG_bare_shunt(const char *op, const struct bare_shunt *bs)
+/**
+ * Helper function that converts an ip_subnet to a traffic_selector_t.
+ */
+static traffic_selector_t *traffic_selector_from_subnet(const ip_subnet *client,
+ const u_int8_t proto)
{
- DBG(DBG_KLIPS,
- {
- int ourport = ntohs(portof(&(bs)->ours.addr));
- int hisport = ntohs(portof(&(bs)->his.addr));
- char ourst[SUBNETTOT_BUF];
- char hist[SUBNETTOT_BUF];
- char sat[SATOT_BUF];
- char prio[POLICY_PRIO_BUF];
-
- subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
- subnettot(&(bs)->his, 0, hist, sizeof(hist));
- satot(&(bs)->said, 0, sat, sizeof(sat));
- fmt_policy_prio(bs->policy_prio, prio);
- DBG_log("%s bare shunt %p %s:%d -> %s:%d => %s:%d %s %s"
- , op, (const void *)(bs), ourst, ourport, hist, hisport
- , sat, (bs)->transport_proto, prio, (bs)->why);
- });
+ traffic_selector_t *ts;
+ host_t *net;
+ net = host_create_from_sockaddr((sockaddr_t*)&client->addr);
+ ts = traffic_selector_create_from_subnet(net, client->maskbits, proto,
+ net->get_port(net));
+ return ts;
}
-#else /* !DEBUG */
-#define DBG_bare_shunt(op, bs) {}
-#endif /* !DEBUG */
-/* The orphaned_holds table records %holds for which we
- * scan_proc_shunts found no representation of in any connection.
- * The corresponding ACQUIRE message might have been lost.
+/**
+ * Helper function that converts a traffic_selector_t to an ip_subnet.
*/
-struct eroute_info *orphaned_holds = NULL;
-
-/* forward declaration */
-static bool shunt_eroute(connection_t *c, struct spd_route *sr,
- enum routing_t rt_kind, unsigned int op,
- const char *opname);
-
-static void set_text_said(char *text_said, const ip_address *dst,
- ipsec_spi_t spi, int proto);
-
-bool no_klips = FALSE; /* don't actually use KLIPS */
+static ip_subnet subnet_from_traffic_selector(traffic_selector_t *ts)
+{
+ ip_subnet subnet;
+ host_t *net;
+ u_int8_t mask;
+ ts->to_subnet(ts, &net, &mask);
+ subnet.addr = *(ip_address*)net->get_sockaddr(net);
+ subnet.maskbits = mask;
+ net->destroy(net);
+ return subnet;
+}
-static const struct pfkey_proto_info null_proto_info[2] = {
- {
- proto: IPPROTO_ESP,
- encapsulation: ENCAPSULATION_MODE_TRANSPORT,
- reqid: 0
- },
- {
- proto: 0,
- encapsulation: 0,
- reqid: 0
- }
-};
void record_and_initiate_opportunistic(const ip_subnet *ours,
const ip_subnet *his,
int transport_proto, const char *why)
{
+ ip_address src, dst;
passert(samesubnettype(ours, his));
- /* Add to bare shunt list.
- * We need to do this because the shunt was installed by KLIPS
- * which can't do this itself.
- */
- {
- struct bare_shunt *bs = malloc_thing(struct bare_shunt);
-
- bs->why = clone_str(why);
- bs->ours = *ours;
- bs->his = *his;
- bs->transport_proto = transport_proto;
- bs->policy_prio = BOTTOM_PRIO;
-
- bs->said.proto = SA_INT;
- bs->said.spi = htonl(SPI_HOLD);
- bs->said.dst = *aftoinfo(subnettypeof(ours))->any;
-
- bs->count = 0;
- bs->last_activity = now();
-
- bs->next = bare_shunts;
- bare_shunts = bs;
- DBG_bare_shunt("add", bs);
- }
-
/* actually initiate opportunism */
- {
- ip_address src, dst;
-
- networkof(ours, &src);
- networkof(his, &dst);
- initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD);
- }
-
- /* if present, remove from orphaned_holds list.
- * NOTE: we do this last in case ours or his is a pointer into a member.
- */
- {
- struct eroute_info **pp, *p;
-
- for (pp = &orphaned_holds; (p = *pp) != NULL; pp = &p->next)
- {
- if (samesubnet(ours, &p->ours)
- && samesubnet(his, &p->his)
- && transport_proto == p->transport_proto
- && portof(&ours->addr) == portof(&p->ours.addr)
- && portof(&his->addr) == portof(&p->his.addr))
- {
- *pp = p->next;
- free(p);
- break;
- }
- }
- }
-}
-
-#endif /* KLIPS */
-
-static unsigned get_proto_reqid(unsigned base, int proto)
-{
- switch (proto)
- {
- default:
- case IPPROTO_COMP:
- base++;
- /* fall through */
- case IPPROTO_ESP:
- base++;
- /* fall through */
- case IPPROTO_AH:
- break;
- }
-
- return base;
+ networkof(ours, &src);
+ networkof(his, &dst);
+ initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD);
}
/* Generate Unique SPI numbers.
*
- * The specs say that the number must not be less than IPSEC_DOI_SPI_MIN.
- * Pluto generates numbers not less than IPSEC_DOI_SPI_OUR_MIN,
- * reserving numbers in between for manual keying (but we cannot so
- * restrict numbers generated by our peer).
- * XXX This should be replaced by a call to the kernel when
- * XXX we get an API.
* The returned SPI is in network byte order.
- * We use a random number as the initial SPI so that there is
- * a good chance that different Pluto instances will choose
- * different SPIs. This is good for two reasons.
- * - the keying material for the initiator and responder only
- * differs if the SPIs differ.
- * - if Pluto is restarted, it would otherwise recycle the SPI
- * numbers and confuse everything. When the kernel generates
- * SPIs, this will no longer matter.
- * We then allocate numbers sequentially. Thus we don't have to
- * check if the number was previously used (assuming that no
- * SPI lives longer than 4G of its successors).
*/
ipsec_spi_t get_ipsec_spi(ipsec_spi_t avoid, int proto, struct spd_route *sr,
bool tunnel)
{
- static ipsec_spi_t spi = 0; /* host order, so not returned directly! */
- char text_said[SATOT_BUF];
- rng_t *rng;
+ host_t *host_src, *host_dst;
+ u_int32_t spi;
- set_text_said(text_said, &sr->this.host_addr, 0, proto);
+ host_src = host_create_from_sockaddr((sockaddr_t*)&sr->that.host_addr);
+ host_dst = host_create_from_sockaddr((sockaddr_t*)&sr->this.host_addr);
- if (kernel_ops->get_spi)
+ if (hydra->kernel_interface->get_spi(hydra->kernel_interface, host_src,
+ host_dst, proto, sr->reqid, &spi) != SUCCESS)
{
- return kernel_ops->get_spi(&sr->that.host_addr
- , &sr->this.host_addr, proto, tunnel
- , get_proto_reqid(sr->reqid, proto)
- , IPSEC_DOI_SPI_OUR_MIN, 0xffffffff
- , text_said);
+ spi = 0;
}
- spi++;
- rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
- while (spi < IPSEC_DOI_SPI_OUR_MIN || spi == ntohl(avoid))
- {
- rng->get_bytes(rng, sizeof(spi), (u_char *)&spi);
- }
- rng->destroy(rng);
- DBG(DBG_CONTROL,
- {
- ipsec_spi_t spi_net = htonl(spi);
-
- DBG_dump("generate SPI:", (u_char *)&spi_net, sizeof(spi_net));
- });
+ host_src->destroy(host_src);
+ host_dst->destroy(host_dst);
- return htonl(spi);
+ return spi;
}
/* Generate Unique CPI numbers.
* The result is returned as an SPI (4 bytes) in network order!
* The real bits are in the nework-low-order 2 bytes.
- * Modelled on get_ipsec_spi, but range is more limited:
- * 256-61439.
- * If we can't find one easily, return 0 (a bad SPI,
- * no matter what order) indicating failure.
*/
ipsec_spi_t get_my_cpi(struct spd_route *sr, bool tunnel)
{
- static cpi_t first_busy_cpi = 0, latest_cpi;
- char text_said[SATOT_BUF];
- rng_t *rng;
+ host_t *host_src, *host_dst;
+ u_int16_t cpi;
- set_text_said(text_said, &sr->this.host_addr, 0, IPPROTO_COMP);
+ host_src = host_create_from_sockaddr((sockaddr_t*)&sr->that.host_addr);
+ host_dst = host_create_from_sockaddr((sockaddr_t*)&sr->this.host_addr);
- if (kernel_ops->get_spi)
- {
- return kernel_ops->get_spi(&sr->that.host_addr
- , &sr->this.host_addr, IPPROTO_COMP, tunnel
- , get_proto_reqid(sr->reqid, IPPROTO_COMP)
- , IPCOMP_FIRST_NEGOTIATED, IPCOMP_LAST_NEGOTIATED
- , text_said);
- }
+ if (hydra->kernel_interface->get_cpi(hydra->kernel_interface, host_src,
+ host_dst, sr->reqid, &cpi) != SUCCESS)
- rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
- while (!(IPCOMP_FIRST_NEGOTIATED <= first_busy_cpi && first_busy_cpi < IPCOMP_LAST_NEGOTIATED))
{
- rng->get_bytes(rng, sizeof(first_busy_cpi), (u_char *)&first_busy_cpi);
- latest_cpi = first_busy_cpi;
+ cpi = 0;
}
- rng->destroy(rng);
- latest_cpi++;
+ host_src->destroy(host_src);
+ host_dst->destroy(host_dst);
- if (latest_cpi == first_busy_cpi)
- {
- find_my_cpi_gap(&latest_cpi, &first_busy_cpi);
- }
- if (latest_cpi > IPCOMP_LAST_NEGOTIATED)
- {
- latest_cpi = IPCOMP_FIRST_NEGOTIATED;
- }
- return htonl((ipsec_spi_t)latest_cpi);
+ return htonl((u_int32_t)ntohs(cpi));
}
/* Replace the shell metacharacters ', \, ", `, and $ in a character string
@@ -420,7 +250,7 @@ static void escape_metachar(const char *src, char *dst, size_t dstlen)
# define DEFAULT_UPDOWN "ipsec _updown"
#endif
-static bool do_command(connection_t *c, struct spd_route *sr,
+static bool do_command(connection_t *c, struct spd_route *sr, struct state *st,
const char *verb)
{
char cmd[1536]; /* arbitrary limit on shell command length */
@@ -464,6 +294,9 @@ static bool do_command(connection_t *c, struct spd_route *sr,
peerclientnet_str[ADDRTOT_BUF],
peerclientmask_str[ADDRTOT_BUF],
peerca_str[BUF_LEN],
+ mark_in[BUF_LEN] = "",
+ mark_out[BUF_LEN] = "",
+ udp_encap[BUF_LEN] = "",
xauth_id_str[BUF_LEN] = "",
secure_myid_str[BUF_LEN] = "",
secure_peerid_str[BUF_LEN] = "",
@@ -491,11 +324,29 @@ static bool do_command(connection_t *c, struct spd_route *sr,
strcpy(srcip_str, "PLUTO_MY_SOURCEIP='");
n = srcip_str + strlen(srcip_str);
- snprintf(n, sizeof(srcip_str)-strlen(srcip_str), "%H",
+ snprintf(n, sizeof(srcip_str)-strlen(srcip_str), "%H",
sr->this.host_srcip);
strncat(srcip_str, "' ", sizeof(srcip_str));
}
+ if (sr->mark_in.value)
+ {
+ snprintf(mark_in, sizeof(mark_in), "PLUTO_MARK_IN='%u/0x%08x' ",
+ sr->mark_in.value, sr->mark_in.mask);
+ }
+
+ if (sr->mark_out.value)
+ {
+ snprintf(mark_out, sizeof(mark_out), "PLUTO_MARK_OUT='%u/0x%08x' ",
+ sr->mark_out.value, sr->mark_out.mask);
+ }
+
+ if (st && (st->nat_traversal & NAT_T_DETECTED))
+ {
+ snprintf(udp_encap, sizeof(udp_encap), "PLUTO_UDP_ENC='%u' ",
+ sr->that.host_port);
+ }
+
addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
snprintf(myid_str, sizeof(myid_str), "%Y", sr->this.id);
escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
@@ -536,7 +387,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
{
if (key->issuer)
{
- snprintf(peerca_str, BUF_LEN, "%Y", key->issuer);
+ snprintf(peerca_str, BUF_LEN, "%Y", key->issuer);
escape_metachar(peerca_str, secure_peerca_str, BUF_LEN);
}
else
@@ -573,13 +424,16 @@ static bool do_command(connection_t *c, struct spd_route *sr,
"PLUTO_PEER_CA='%s' "
"%s" /* optional PLUTO_MY_SRCIP */
"%s" /* optional PLUTO_XAUTH_ID */
+ "%s" /* optional PLUTO_MARK_IN */
+ "%s" /* optional PLUTO_MARK_OUT */
+ "%s" /* optional PLUTO_UDP_ENC */
"%s" /* actual script */
, verb, verb_suffix
, c->name
, nexthop_str
, c->interface->vname
, sr->this.hostaccess? "PLUTO_HOST_ACCESS='1' " : ""
- , sr->reqid + 1 /* ESP requid */
+ , sr->reqid
, me_str
, secure_myid_str
, myclient_str
@@ -597,6 +451,9 @@ static bool do_command(connection_t *c, struct spd_route *sr,
, secure_peerca_str
, srcip_str
, xauth_id_str
+ , mark_in
+ , mark_out
+ , udp_encap
, sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
{
loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
@@ -607,88 +464,83 @@ static bool do_command(connection_t *c, struct spd_route *sr,
DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
, verb, verb_suffix, cmd));
-#ifdef KLIPS
- if (!no_klips)
+ /* invoke the script, catching stderr and stdout
+ * It may be of concern that some file descriptors will
+ * be inherited. For the ones under our control, we
+ * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
+ * Any used by library routines (perhaps the resolver or syslog)
+ * will remain.
+ */
+ FILE *f = popen(cmd, "r");
+
+ if (f == NULL)
{
- /* invoke the script, catching stderr and stdout
- * It may be of concern that some file descriptors will
- * be inherited. For the ones under our control, we
- * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
- * Any used by library routines (perhaps the resolver or syslog)
- * will remain.
- */
- FILE *f = popen(cmd, "r");
+ loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
+ return FALSE;
+ }
- if (f == NULL)
- {
- loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
- return FALSE;
- }
+ /* log any output */
+ for (;;)
+ {
+ /* if response doesn't fit in this buffer, it will be folded */
+ char resp[256];
- /* log any output */
- for (;;)
+ if (fgets(resp, sizeof(resp), f) == NULL)
{
- /* if response doesn't fit in this buffer, it will be folded */
- char resp[256];
-
- if (fgets(resp, sizeof(resp), f) == NULL)
+ if (ferror(f))
{
- if (ferror(f))
- {
- log_errno((e, "fgets failed on output of %s%s command"
- , verb, verb_suffix));
- return FALSE;
- }
- else
- {
- passert(feof(f));
- break;
- }
+ log_errno((e, "fgets failed on output of %s%s command"
+ , verb, verb_suffix));
+ return FALSE;
}
else
{
- char *e = resp + strlen(resp);
-
- if (e > resp && e[-1] == '\n')
- e[-1] = '\0'; /* trim trailing '\n' */
- plog("%s%s output: %s", verb, verb_suffix, resp);
+ passert(feof(f));
+ break;
}
}
-
- /* report on and react to return code */
+ else
{
- int r = pclose(f);
+ char *e = resp + strlen(resp);
- if (r == -1)
- {
- log_errno((e, "pclose failed for %s%s command"
- , verb, verb_suffix));
- return FALSE;
- }
- else if (WIFEXITED(r))
- {
- if (WEXITSTATUS(r) != 0)
- {
- loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
- , verb, verb_suffix, WEXITSTATUS(r));
- return FALSE;
- }
- }
- else if (WIFSIGNALED(r))
- {
- loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
- , verb, verb_suffix, WTERMSIG(r));
- return FALSE;
- }
- else
+ if (e > resp && e[-1] == '\n')
+ e[-1] = '\0'; /* trim trailing '\n' */
+ plog("%s%s output: %s", verb, verb_suffix, resp);
+ }
+ }
+
+ /* report on and react to return code */
+ {
+ int r = pclose(f);
+
+ if (r == -1)
+ {
+ log_errno((e, "pclose failed for %s%s command"
+ , verb, verb_suffix));
+ return FALSE;
+ }
+ else if (WIFEXITED(r))
+ {
+ if (WEXITSTATUS(r) != 0)
{
- loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
- , verb, verb_suffix, r);
+ loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
+ , verb, verb_suffix, WEXITSTATUS(r));
return FALSE;
}
}
+ else if (WIFSIGNALED(r))
+ {
+ loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
+ , verb, verb_suffix, WTERMSIG(r));
+ return FALSE;
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
+ , verb, verb_suffix, r);
+ return FALSE;
+ }
}
-#endif /* KLIPS */
return TRUE;
}
@@ -731,10 +583,9 @@ static enum routability could_route(connection_t *c)
}
/* if routing would affect IKE messages, reject */
- if (!no_klips
- && c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
- && c->spd.this.host_port != IKE_UDP_PORT
- && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
+ if (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
+ && c->spd.this.host_port != IKE_UDP_PORT
+ && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
{
loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client");
return route_impossible;
@@ -754,7 +605,6 @@ static enum routability could_route(connection_t *c)
using the eroute */
}
-#ifdef KLIPS
/* if there is an eroute for another connection, there is a problem */
if (ero != NULL && ero != c)
{
@@ -838,10 +688,9 @@ static enum routability could_route(connection_t *c)
loglog(RC_LOG_SERIOUS
, "cannot install eroute -- it is in use for \"%s\"%s #%lu"
, ero->name, inst, esr->eroute_owner);
- return FALSE; /* another connection already using the eroute */
+ return route_impossible;
}
}
-#endif /* KLIPS */
return route_easy;
}
@@ -886,9 +735,7 @@ void unroute_connection(connection_t *c)
{
/* cannot handle a live one */
passert(sr->routing != RT_ROUTED_TUNNEL);
-#ifdef KLIPS
shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete");
-#endif
}
sr->routing = RT_UNROUTED; /* do now so route_owner won't find us */
@@ -896,14 +743,12 @@ void unroute_connection(connection_t *c)
/* only unroute if no other connection shares it */
if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL)
{
- (void) do_command(c, sr, "unroute");
+ (void) do_command(c, sr, NULL, "unroute");
}
}
}
-#ifdef KLIPS
-
static void set_text_said(char *text_said, const ip_address *dst,
ipsec_spi_t spi, int proto)
{
@@ -913,99 +758,36 @@ static void set_text_said(char *text_said, const ip_address *dst,
satot(&said, 0, text_said, SATOT_BUF);
}
-/* find an entry in the bare_shunt table.
- * Trick: return a pointer to the pointer to the entry;
- * this allows the entry to be deleted.
- */
-static struct bare_shunt** bare_shunt_ptr(const ip_subnet *ours,
- const ip_subnet *his,
- int transport_proto)
-{
- struct bare_shunt *p, **pp;
- for (pp = &bare_shunts; (p = *pp) != NULL; pp = &p->next)
- {
- if (samesubnet(ours, &p->ours)
- && samesubnet(his, &p->his)
- && transport_proto == p->transport_proto
- && portof(&ours->addr) == portof(&p->ours.addr)
- && portof(&his->addr) == portof(&p->his.addr))
- return pp;
- }
- return NULL;
-}
-
-/* free a bare_shunt entry, given a pointer to the pointer */
-static void free_bare_shunt(struct bare_shunt **pp)
-{
- if (pp == NULL)
- {
- DBG(DBG_CONTROL,
- DBG_log("delete bare shunt: null pointer")
- )
- }
- else
- {
- struct bare_shunt *p = *pp;
-
- *pp = p->next;
- DBG_bare_shunt("delete", p);
- free(p->why);
- free(p);
- }
-}
-
-void
-show_shunt_status(void)
-{
- struct bare_shunt *bs;
-
- for (bs = bare_shunts; bs != NULL; bs = bs->next)
- {
- /* Print interesting fields. Ignore count and last_active. */
-
- int ourport = ntohs(portof(&bs->ours.addr));
- int hisport = ntohs(portof(&bs->his.addr));
- char ourst[SUBNETTOT_BUF];
- char hist[SUBNETTOT_BUF];
- char sat[SATOT_BUF];
- char prio[POLICY_PRIO_BUF];
-
- subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
- subnettot(&(bs)->his, 0, hist, sizeof(hist));
- satot(&(bs)->said, 0, sat, sizeof(sat));
- fmt_policy_prio(bs->policy_prio, prio);
-
- whack_log(RC_COMMENT, "%s:%d -> %s:%d => %s:%d %s %s"
- , ourst, ourport, hist, hisport, sat, bs->transport_proto
- , prio, bs->why);
- }
- if (bare_shunts != NULL)
- whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */
-}
-
-/* Setup an IPsec route entry.
+/**
+ * Setup an IPsec route entry.
* op is one of the ERO_* operators.
*/
-
static bool raw_eroute(const ip_address *this_host,
const ip_subnet *this_client,
const ip_address *that_host,
const ip_subnet *that_client,
+ mark_t mark,
ipsec_spi_t spi,
unsigned int proto,
unsigned int satype,
unsigned int transport_proto,
- const struct pfkey_proto_info *proto_info,
- time_t use_lifetime,
+ ipsec_sa_cfg_t *sa,
unsigned int op,
const char *opname USED_BY_DEBUG)
{
+ traffic_selector_t *ts_src, *ts_dst;
+ host_t *host_src, *host_dst;
+ policy_type_t type = POLICY_IPSEC;
+ policy_dir_t dir = POLICY_OUT;
char text_said[SATOT_BUF];
+ bool ok = TRUE, routed = FALSE,
+ deleting = (op & ERO_MASK) == ERO_DELETE,
+ replacing = op & (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT);
set_text_said(text_said, that_host, spi, proto);
- DBG(DBG_CONTROL | DBG_KLIPS,
+ DBG(DBG_CONTROL | DBG_KERNEL,
{
int sport = ntohs(portof(&this_client->addr));
int dport = ntohs(portof(&that_client->addr));
@@ -1019,104 +801,86 @@ static bool raw_eroute(const ip_address *this_host,
, text_said, transport_proto);
});
- return kernel_ops->raw_eroute(this_host, this_client
- , that_host, that_client, spi, satype, transport_proto, proto_info
- , use_lifetime, op, text_said);
-}
-
-/* test to see if %hold remains */
-bool has_bare_hold(const ip_address *src, const ip_address *dst,
- int transport_proto)
-{
- ip_subnet this_client, that_client;
- struct bare_shunt **bspp;
-
- passert(addrtypeof(src) == addrtypeof(dst));
- happy(addrtosubnet(src, &this_client));
- happy(addrtosubnet(dst, &that_client));
- bspp = bare_shunt_ptr(&this_client, &that_client, transport_proto);
- return bspp != NULL
- && (*bspp)->said.proto == SA_INT && (*bspp)->said.spi == htonl(SPI_HOLD);
-}
+ if (satype == SADB_X_SATYPE_INT)
+ {
+ switch (ntohl(spi))
+ {
+ case SPI_PASS:
+ type = POLICY_PASS;
+ break;
+ case SPI_DROP:
+ case SPI_REJECT:
+ type = POLICY_DROP;
+ break;
+ case SPI_TRAP:
+ case SPI_TRAPSUBNET:
+ case SPI_HOLD:
+ if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
+ {
+ return TRUE;
+ }
+ routed = TRUE;
+ break;
+ }
+ }
+ if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
+ {
+ dir = POLICY_IN;
+ }
-/* Replace (or delete) a shunt that is in the bare_shunts table.
- * Issues the PF_KEY commands and updates the bare_shunts table.
- */
-bool replace_bare_shunt(const ip_address *src, const ip_address *dst,
- policy_prio_t policy_prio, ipsec_spi_t shunt_spi,
- bool repl, unsigned int transport_proto, const char *why)
-{
- ip_subnet this_client, that_client;
- ip_subnet this_broad_client, that_broad_client;
- const ip_address *null_host = aftoinfo(addrtypeof(src))->any;
+ host_src = host_create_from_sockaddr((sockaddr_t*)this_host);
+ host_dst = host_create_from_sockaddr((sockaddr_t*)that_host);
+ ts_src = traffic_selector_from_subnet(this_client, transport_proto);
+ ts_dst = traffic_selector_from_subnet(that_client, transport_proto);
- passert(addrtypeof(src) == addrtypeof(dst));
- happy(addrtosubnet(src, &this_client));
- happy(addrtosubnet(dst, &that_client));
- this_broad_client = this_client;
- that_broad_client = that_client;
- setportof(0, &this_broad_client.addr);
- setportof(0, &that_broad_client.addr);
+ if (deleting || replacing)
+ {
+ hydra->kernel_interface->del_policy(hydra->kernel_interface,
+ ts_src, ts_dst, dir, mark, routed);
+ }
- if (repl)
+ if (!deleting)
{
- struct bare_shunt **bs_pp = bare_shunt_ptr(&this_broad_client
- , &that_broad_client, 0);
+ ok = hydra->kernel_interface->add_policy(hydra->kernel_interface,
+ host_src, host_dst, ts_src, ts_dst, dir, type, sa,
+ mark, routed) == SUCCESS;
+ }
- /* is there already a broad host-to-host bare shunt? */
- if (bs_pp == NULL)
+ if (dir == POLICY_IN)
+ { /* handle forward policy */
+ dir = POLICY_FWD;
+ if (deleting || replacing)
{
- if (raw_eroute(null_host, &this_broad_client, null_host, &that_broad_client
- , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
- , 0, null_proto_info
- , SHUNT_PATIENCE, ERO_ADD, why))
- {
- struct bare_shunt *bs = malloc_thing(struct bare_shunt);
-
- bs->ours = this_broad_client;
- bs->his = that_broad_client;
- bs->transport_proto = 0;
- bs->said.proto = SA_INT;
- bs->why = clone_str(why);
- bs->policy_prio = policy_prio;
- bs->said.spi = htonl(shunt_spi);
- bs->said.dst = *null_host;
- bs->count = 0;
- bs->last_activity = now();
- bs->next = bare_shunts;
- bare_shunts = bs;
- DBG_bare_shunt("add", bs);
- }
+ hydra->kernel_interface->del_policy(hydra->kernel_interface,
+ ts_src, ts_dst, dir, mark, routed);
+ }
+
+ if (!deleting && ok &&
+ (sa->mode == MODE_TUNNEL || satype == SADB_X_SATYPE_INT))
+ {
+ ok = hydra->kernel_interface->add_policy(hydra->kernel_interface,
+ host_src, host_dst, ts_src, ts_dst, dir, type, sa,
+ mark, routed) == SUCCESS;
}
- shunt_spi = SPI_HOLD;
}
- if (raw_eroute(null_host, &this_client, null_host, &that_client
- , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
- , transport_proto, null_proto_info
- , SHUNT_PATIENCE, ERO_DELETE, why))
- {
- struct bare_shunt **bs_pp = bare_shunt_ptr(&this_client, &that_client
- , transport_proto);
+ host_src->destroy(host_src);
+ host_dst->destroy(host_dst);
+ ts_src->destroy(ts_src);
+ ts_dst->destroy(ts_dst);
- /* delete bare eroute */
- free_bare_shunt(bs_pp);
- return TRUE;
- }
- else
- {
- return FALSE;
- }
+ return ok;
}
static bool eroute_connection(struct spd_route *sr, ipsec_spi_t spi,
unsigned int proto, unsigned int satype,
- const struct pfkey_proto_info *proto_info,
- unsigned int op, const char *opname)
+ ipsec_sa_cfg_t *sa, unsigned int op,
+ const char *opname)
{
const ip_address *peer = &sr->that.host_addr;
char buf2[256];
+ bool ok;
snprintf(buf2, sizeof(buf2)
, "eroute_connection %s", opname);
@@ -1125,11 +889,13 @@ static bool eroute_connection(struct spd_route *sr, ipsec_spi_t spi,
{
peer = aftoinfo(addrtypeof(peer))->any;
}
- return raw_eroute(&sr->this.host_addr, &sr->this.client
- , peer
- , &sr->that.client
- , spi, proto, satype
- , sr->this.protocol, proto_info, 0, op, buf2);
+ ok = raw_eroute(peer, &sr->that.client,
+ &sr->this.host_addr, &sr->this.client, sr->mark_in,
+ spi, proto, satype, sr->this.protocol,
+ sa, op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), buf2);
+ return raw_eroute(&sr->this.host_addr, &sr->this.client, peer,
+ &sr->that.client, sr->mark_out, spi, proto, satype,
+ sr->this.protocol, sa, op, buf2) && ok;
}
/* assign a bare hold to a connection */
@@ -1162,31 +928,24 @@ bool assign_hold(connection_t *c USED_BY_DEBUG, struct spd_route *sr,
break;
}
- /* we need a broad %hold, not the narrow one.
+ /* We need a broad %hold
* First we ensure that there is a broad %hold.
* There may already be one (race condition): no need to create one.
* There may already be a %trap: replace it.
* There may not be any broad eroute: add %hold.
- * Once the broad %hold is in place, delete the narrow one.
*/
if (rn != ro)
{
if (erouted(ro)
- ? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
- , null_proto_info
- , ERO_REPLACE, "replace %trap with broad %hold")
- : !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
- , null_proto_info
- , ERO_ADD, "add broad %hold"))
+ ? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT,
+ &null_ipsec_sa, ERO_REPLACE,
+ "replace %trap with broad %hold")
+ : !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT,
+ &null_ipsec_sa, ERO_ADD, "add broad %hold"))
{
return FALSE;
}
}
- if (!replace_bare_shunt(src, dst, BOTTOM_PRIO, SPI_HOLD, FALSE
- , transport_proto, "delete narrow %hold"))
- {
- return FALSE;
- }
sr->routing = rn;
return TRUE;
}
@@ -1195,32 +954,21 @@ bool assign_hold(connection_t *c USED_BY_DEBUG, struct spd_route *sr,
static bool sag_eroute(struct state *st, struct spd_route *sr,
unsigned op, const char *opname)
{
- u_int inner_proto = 0;
- u_int inner_satype = 0;
+ u_int inner_proto, inner_satype;
ipsec_spi_t inner_spi = 0;
- struct pfkey_proto_info proto_info[4];
- int i;
- bool tunnel;
-
- /* figure out the SPI and protocol (in two forms)
- * for the innermost transformation.
- */
-
- i = sizeof(proto_info) / sizeof(proto_info[0]) - 1;
- proto_info[i].proto = 0;
- tunnel = FALSE;
+ ipsec_sa_cfg_t sa = {
+ .mode = MODE_TRANSPORT,
+ };
+ bool tunnel = FALSE;
if (st->st_ah.present)
{
inner_spi = st->st_ah.attrs.spi;
inner_proto = SA_AH;
inner_satype = SADB_SATYPE_AH;
-
- i--;
- proto_info[i].proto = IPPROTO_AH;
- proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
- tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
- proto_info[i].reqid = sr->reqid;
+ sa.ah.use = TRUE;
+ sa.ah.spi = inner_spi;
+ tunnel |= st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
}
if (st->st_esp.present)
@@ -1228,12 +976,9 @@ static bool sag_eroute(struct state *st, struct spd_route *sr,
inner_spi = st->st_esp.attrs.spi;
inner_proto = SA_ESP;
inner_satype = SADB_SATYPE_ESP;
-
- i--;
- proto_info[i].proto = IPPROTO_ESP;
- proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
- tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
- proto_info[i].reqid = sr->reqid + 1;
+ sa.esp.use = TRUE;
+ sa.esp.spi = inner_spi;
+ tunnel |= st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
}
if (st->st_ipcomp.present)
@@ -1241,37 +986,28 @@ static bool sag_eroute(struct state *st, struct spd_route *sr,
inner_spi = st->st_ipcomp.attrs.spi;
inner_proto = SA_COMP;
inner_satype = SADB_X_SATYPE_COMP;
-
- i--;
- proto_info[i].proto = IPPROTO_COMP;
- proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
- tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
- proto_info[i].reqid = sr->reqid + 2;
+ sa.ipcomp.transform = st->st_ipcomp.attrs.transid;
+ sa.ipcomp.cpi = htons(ntohl(inner_spi));
+ tunnel |= st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
}
- if (i == sizeof(proto_info) / sizeof(proto_info[0]) - 1)
+ if (!sa.ah.use && !sa.esp.use && !sa.ipcomp.transform)
{
impossible(); /* no transform at all! */
}
if (tunnel)
{
- int j;
-
inner_spi = st->st_tunnel_out_spi;
inner_proto = SA_IPIP;
inner_satype = SADB_X_SATYPE_IPIP;
-
- proto_info[i].encapsulation = ENCAPSULATION_MODE_TUNNEL;
- for (j = i + 1; proto_info[j].proto; j++)
- {
- proto_info[j].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
- }
+ sa.mode = MODE_TUNNEL;
}
- return eroute_connection(sr
- , inner_spi, inner_proto, inner_satype, proto_info + i
- , op, opname);
+ sa.reqid = sr->reqid;
+
+ return eroute_connection(sr, inner_spi, inner_proto, inner_satype,
+ &sa, op, opname);
}
/* compute a (host-order!) SPI to implement the policy in connection c */
@@ -1318,7 +1054,6 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr,
* The SPI signifies the kind of shunt.
*/
ipsec_spi_t spi = shunt_policy_spi(c, rt_kind == RT_ROUTED_PROSPECTIVE);
- bool ok;
if (spi == 0)
{
@@ -1377,599 +1112,120 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr,
}
}
- ok = TRUE;
- if (kernel_ops->inbound_eroute)
- {
- ok = raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
- , &c->spd.this.host_addr, &c->spd.this.client
- , htonl(spi), SA_INT, SADB_X_SATYPE_INT
- , 0, null_proto_info, 0
- , op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), opname);
- }
- return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT
- , null_proto_info, op, opname) && ok;
-}
-
-
-/*
- * This is only called when s is a likely SAID with trailing protocol i.e.
- * it has the form :-
- *
- * %<keyword>:p
- * <ip-proto><spi>@a.b.c.d:p
- *
- * The task here is to remove the ":p" part so that the rest can be read
- * by another routine.
- */
-static const char *read_proto(const char * s, size_t * len, int * transport_proto)
-{
- const char * p;
- const char * ugh;
- unsigned long proto;
- size_t l;
-
- l = *len;
- p = memchr(s, ':', l);
- if (p == 0)
- {
- *transport_proto = 0;
- return 0;
- }
- ugh = ttoul(p+1, l-((p-s)+1), 10, &proto);
- if (ugh != 0)
- {
- return ugh;
- }
- if (proto > 65535)
- {
- return "protocol number is too large, legal range is 0-65535";
- }
- *len = p-s;
- *transport_proto = proto;
- return 0;
+ return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT,
+ &null_ipsec_sa, op, opname);
}
-
-/* scan /proc/net/ipsec_eroute every once in a while, looking for:
- *
- * - %hold shunts of which Pluto isn't aware. This situation could
- * be caused by lost ACQUIRE messages. When found, they will
- * added to orphan_holds. This in turn will lead to Opportunistic
- * initiation.
- *
- * - other kinds of shunts that haven't been used recently. These will be
- * deleted. They represent OE failures.
- *
- * - recording recent uses of tunnel eroutes so that rekeying decisions
- * can be made for OE connections.
- *
- * Here are some sample lines:
- * 10 10.3.2.1.0/24 -> 0.0.0.0/0 => %trap
- * 259 10.3.2.1.115/32 -> 10.19.75.161/32 => tun0x1002@10.19.75.145
- * 71 10.44.73.97/32 -> 0.0.0.0/0 => %trap
- * 4119 10.44.73.97/32 -> 10.114.121.41/32 => %pass
- * Newer versions of KLIPS start each line with a 32-bit packet count.
- * If available, the count is used to detect whether a %pass shunt is in use.
- *
- * NOTE: execution time is quadratic in the number of eroutes since the
- * searching for each is sequential. If this becomes a problem, faster
- * searches could be implemented (hash or radix tree, for example).
- */
-void scan_proc_shunts(void)
-{
- static const char procname[] = "/proc/net/ipsec_eroute";
- FILE *f;
- time_t nw = now();
- int lino;
- struct eroute_info *expired = NULL;
-
- event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
-
- DBG(DBG_CONTROL,
- DBG_log("scanning for shunt eroutes")
- )
-
- /* free any leftover entries: they will be refreshed if still current */
- while (orphaned_holds != NULL)
- {
- struct eroute_info *p = orphaned_holds;
-
- orphaned_holds = p->next;
- free(orphaned_holds);
- }
-
- /* decode the /proc file. Don't do anything strenuous to it
- * (certainly no PF_KEY stuff) to minimize the chance that it
- * might change underfoot.
- */
-
- f = fopen(procname, "r");
- if (f == NULL)
- {
- return;
- }
-
- /* for each line... */
- for (lino = 1; ; lino++)
- {
- unsigned char buf[1024]; /* should be big enough */
- chunk_t field[10]; /* 10 is loose upper bound */
- chunk_t *ff = NULL; /* fixed fields (excluding optional count) */
- int fi;
- struct eroute_info eri;
- char *cp;
- err_t context = ""
- , ugh = NULL;
-
- cp = fgets(buf, sizeof(buf), f);
- if (cp == NULL)
- {
- break;
- }
-
- /* break out each field
- * Note: if there are too many fields, just stop;
- * it will be diagnosed a little later.
- */
- for (fi = 0; fi < (int)countof(field); fi++)
- {
- static const char sep[] = " \t\n"; /* field-separating whitespace */
- size_t w;
-
- cp += strspn(cp, sep); /* find start of field */
- w = strcspn(cp, sep); /* find width of field */
- field[fi] = chunk_create(cp, w);
- cp += w;
- if (w == 0)
- {
- break;
- }
- }
-
- /* This odd do-hickey is to share error reporting code.
- * A break will get to that common code. The setting
- * of "ugh" and "context" parameterize it.
- */
- do {
- /* Old entries have no packet count; new ones do.
- * check if things are as they should be.
- */
- if (fi == 5)
- {
- ff = &field[0]; /* old form, with no count */
- }
- else if (fi == 6)
- {
- ff = &field[1]; /* new form, with count */
- }
- else
- {
- ugh = "has wrong number of fields";
- break;
- }
-
- if (ff[1].len != 2
- || strncmp(ff[1].ptr, "->", 2) != 0
- || ff[3].len != 2
- || strncmp(ff[3].ptr, "=>", 2) != 0)
- {
- ugh = "is missing -> or =>";
- break;
- }
-
- /* actually digest fields of interest */
-
- /* packet count */
-
- eri.count = 0;
- if (ff != field)
- {
- context = "count field is malformed: ";
- ugh = ttoul(field[0].ptr, field[0].len, 10, &eri.count);
- if (ugh != NULL)
- {
- break;
- }
- }
-
- /* our client */
-
- context = "source subnet field malformed: ";
- ugh = ttosubnet(ff[0].ptr, ff[0].len, AF_INET, &eri.ours);
- if (ugh != NULL)
- {
- break;
- }
-
- /* his client */
-
- context = "destination subnet field malformed: ";
- ugh = ttosubnet(ff[2].ptr, ff[2].len, AF_INET, &eri.his);
- if (ugh != NULL)
- {
- break;
- }
-
- /* SAID */
-
- context = "SA ID field malformed: ";
- ugh = read_proto(ff[4].ptr, &ff[4].len, &eri.transport_proto);
- if (ugh != NULL)
- {
- break;
- }
- ugh = ttosa(ff[4].ptr, ff[4].len, &eri.said);
- } while (FALSE);
-
- if (ugh != NULL)
- {
- plog("INTERNAL ERROR: %s line %d %s%s"
- , procname, lino, context, ugh);
- continue; /* ignore rest of line */
- }
-
- /* Now we have decoded eroute, let's consider it.
- * For shunt eroutes:
- *
- * %hold: if not known, add to orphaned_holds list for initiation
- * because ACQUIRE might have been lost.
- *
- * %pass, %drop, %reject: determine if idle; if so, blast it away.
- * Can occur bare (if DNS provided insufficient information)
- * or with a connection (failure context).
- * Could even be installed by ipsec manual.
- *
- * %trap: always welcome.
- *
- * For other eroutes: find state and record count change
- */
- if (eri.said.proto == SA_INT)
- {
- /* shunt eroute */
- switch (ntohl(eri.said.spi))
- {
- case SPI_HOLD:
- if (bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto) == NULL
- && shunt_owner(&eri.ours, &eri.his) == NULL)
- {
- int ourport = ntohs(portof(&eri.ours.addr));
- int hisport = ntohs(portof(&eri.his.addr));
- char ourst[SUBNETTOT_BUF];
- char hist[SUBNETTOT_BUF];
- char sat[SATOT_BUF];
-
- subnettot(&eri.ours, 0, ourst, sizeof(ourst));
- subnettot(&eri.his, 0, hist, sizeof(hist));
- satot(&eri.said, 0, sat, sizeof(sat));
-
- DBG(DBG_CONTROL,
- DBG_log("add orphaned shunt %s:%d -> %s:%d => %s:%d"
- , ourst, ourport, hist, hisport, sat, eri.transport_proto)
- )
- eri.next = orphaned_holds;
- orphaned_holds = clone_thing(eri);
- }
- break;
-
- case SPI_PASS:
- case SPI_DROP:
- case SPI_REJECT:
- /* nothing sensible to do if we don't have counts */
- if (ff != field)
- {
- struct bare_shunt **bs_pp
- = bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto);
-
- if (bs_pp != NULL)
- {
- struct bare_shunt *bs = *bs_pp;
-
- if (eri.count != bs->count)
- {
- bs->count = eri.count;
- bs->last_activity = nw;
- }
- else if (nw - bs->last_activity > SHUNT_PATIENCE)
- {
- eri.next = expired;
- expired = clone_thing(eri);
- }
- }
- }
- break;
-
- case SPI_TRAP:
- break;
-
- default:
- bad_case(ntohl(eri.said.spi));
- }
- }
- else
- {
- /* regular (non-shunt) eroute */
- state_eroute_usage(&eri.ours, &eri.his, eri.count, nw);
- }
- } /* for each line */
- fclose(f);
-
- /* Now that we've finished processing the /proc file,
- * it is safe to delete the expired %pass shunts.
- */
- while (expired != NULL)
- {
- struct eroute_info *p = expired;
- ip_address src, dst;
-
- networkof(&p->ours, &src);
- networkof(&p->his, &dst);
- (void) replace_bare_shunt(&src, &dst
- , BOTTOM_PRIO /* not used because we are deleting. This value is a filler */
- , SPI_PASS /* not used because we are deleting. This value is a filler */
- , FALSE, p->transport_proto, "delete expired bare shunts");
- expired = p->next;
- free(p);
- }
-}
-
-static bool del_spi(ipsec_spi_t spi, int proto,
- const ip_address *src, const ip_address *dest)
-{
- char text_said[SATOT_BUF];
- struct kernel_sa sa;
-
- set_text_said(text_said, dest, spi, proto);
-
- DBG(DBG_KLIPS, DBG_log("delete %s", text_said));
-
- memset(&sa, 0, sizeof(sa));
- sa.spi = spi;
- sa.proto = proto;
- sa.src = src;
- sa.dst = dest;
- sa.text_said = text_said;
-
- return kernel_ops->del_sa(&sa);
-}
-
-/* Setup a pair of SAs. Code taken from setsa.c and spigrp.c, in
- * ipsec-0.5.
- */
-
static bool setup_half_ipsec_sa(struct state *st, bool inbound)
{
- /* Build an inbound or outbound SA */
-
+ host_t *host_src, *host_dst;
connection_t *c = st->st_connection;
- ip_subnet src, dst;
- ip_subnet src_client, dst_client;
- ipsec_spi_t inner_spi = 0;
- u_int proto = 0;
- u_int satype = SADB_SATYPE_UNSPEC;
- bool replace;
-
- /* SPIs, saved for spigrouping or undoing, if necessary */
- struct kernel_sa
- said[EM_MAXRELSPIS],
- *said_next = said;
-
- char text_said[SATOT_BUF];
- int encapsulation;
-
- replace = inbound && (kernel_ops->get_spi != NULL);
-
- src.maskbits = 0;
- dst.maskbits = 0;
-
+ struct end *src, *dst;
+ ipsec_mode_t mode = MODE_TRANSPORT;
+ ipsec_sa_cfg_t sa = { .mode = 0 };
+ lifetime_cfg_t lt_none = { .time = { .rekey = 0 } };
+ mark_t mark;
+ bool ok = TRUE;
+ /* SPIs, saved for undoing, if necessary */
+ struct kernel_sa said[EM_MAXRELSPIS], *said_next = said;
if (inbound)
{
- src.addr = c->spd.that.host_addr;
- dst.addr = c->spd.this.host_addr;
- src_client = c->spd.that.client;
- dst_client = c->spd.this.client;
+ src = &c->spd.that;
+ dst = &c->spd.this;
+ mark = c->spd.mark_in;
}
else
{
- src.addr = c->spd.this.host_addr,
- dst.addr = c->spd.that.host_addr;
- src_client = c->spd.this.client;
- dst_client = c->spd.that.client;
+ src = &c->spd.this;
+ dst = &c->spd.that;
+ mark = c->spd.mark_out;
}
- encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+ host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
+ host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
+
if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
|| st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
|| st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
{
- encapsulation = ENCAPSULATION_MODE_TUNNEL;
+ mode = MODE_TUNNEL;
}
- memset(said, 0, sizeof(said));
-
- /* If we are tunnelling, set up IP in IP pseudo SA */
-
- if (kernel_ops->inbound_eroute)
- {
- inner_spi = 256;
- proto = SA_IPIP;
- satype = SADB_SATYPE_UNSPEC;
- }
- else if (encapsulation == ENCAPSULATION_MODE_TUNNEL)
- {
- /* XXX hack alert -- we SHOULD NOT HAVE TO HAVE A DIFFERENT SPI
- * XXX FOR IP-in-IP ENCAPSULATION!
- */
-
- ipsec_spi_t ipip_spi;
-
- /* Allocate an SPI for the tunnel.
- * Since our peer will never see this,
- * and it comes from its own number space,
- * it is purely a local implementation wart.
- */
- {
- static ipsec_spi_t last_tunnel_spi = IPSEC_DOI_SPI_OUR_MIN;
-
- ipip_spi = htonl(++last_tunnel_spi);
- if (inbound)
- {
- st->st_tunnel_in_spi = ipip_spi;
- }
- else
- {
- st->st_tunnel_out_spi = ipip_spi;
- }
- }
-
- set_text_said(text_said
- , &c->spd.that.host_addr, ipip_spi, SA_IPIP);
-
- said_next->src = &src.addr;
- said_next->dst = &dst.addr;
- said_next->src_client = &src_client;
- said_next->dst_client = &dst_client;
- said_next->spi = ipip_spi;
- said_next->satype = SADB_X_SATYPE_IPIP;
- said_next->text_said = text_said;
-
- if (!kernel_ops->add_sa(said_next, replace))
- goto fail;
-
- said_next++;
+ sa.mode = mode;
+ sa.reqid = c->spd.reqid;
- inner_spi = ipip_spi;
- proto = SA_IPIP;
- satype = SADB_X_SATYPE_IPIP;
- }
+ memset(said, 0, sizeof(said));
/* set up IPCOMP SA, if any */
if (st->st_ipcomp.present)
{
- ipsec_spi_t ipcomp_spi = inbound? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi;
- unsigned compalg;
+ ipsec_spi_t ipcomp_spi = inbound ? st->st_ipcomp.our_spi
+ : st->st_ipcomp.attrs.spi;
switch (st->st_ipcomp.attrs.transid)
{
case IPCOMP_DEFLATE:
- compalg = SADB_X_CALG_DEFLATE;
break;
default:
- loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented"
- , enum_name(&ipcomp_transformid_names, st->st_ipcomp.attrs.transid));
+ loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented",
+ enum_name(&ipcomp_transformid_names,
+ st->st_ipcomp.attrs.transid));
goto fail;
}
- set_text_said(text_said, &dst.addr, ipcomp_spi, SA_COMP);
+ sa.ipcomp.cpi = htons(ntohl(ipcomp_spi));
+ sa.ipcomp.transform = st->st_ipcomp.attrs.transid;
- said_next->src = &src.addr;
- said_next->dst = &dst.addr;
- said_next->src_client = &src_client;
- said_next->dst_client = &dst_client;
said_next->spi = ipcomp_spi;
- said_next->satype = SADB_X_SATYPE_COMP;
- said_next->compalg = compalg;
- said_next->encapsulation = encapsulation;
- said_next->reqid = c->spd.reqid + 2;
- said_next->text_said = text_said;
+ said_next->proto = IPPROTO_COMP;
- if (!kernel_ops->add_sa(said_next, replace))
+ if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
+ host_dst, ipcomp_spi, said_next->proto, c->spd.reqid,
+ mark, &lt_none, ENCR_UNDEFINED, chunk_empty,
+ AUTH_UNDEFINED, chunk_empty, mode,
+ st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE,
+ inbound, NULL, NULL) != SUCCESS)
{
goto fail;
}
said_next++;
- encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+ mode = MODE_TRANSPORT;
}
/* set up ESP SA, if any */
if (st->st_esp.present)
{
- ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
- u_char *esp_dst_keymat = inbound? st->st_esp.our_keymat : st->st_esp.peer_keymat;
+ ipsec_spi_t esp_spi = inbound ? st->st_esp.our_spi
+ : st->st_esp.attrs.spi;
+ u_char *esp_dst_keymat = inbound ? st->st_esp.our_keymat
+ : st->st_esp.peer_keymat;
+ bool encap = st->nat_traversal & NAT_T_DETECTED;
+ encryption_algorithm_t enc_alg;
+ integrity_algorithm_t auth_alg;
const struct esp_info *ei;
+ chunk_t enc_key, auth_key;
u_int16_t key_len;
- static const struct esp_info esp_info[] = {
- { ESP_NULL, AUTH_ALGORITHM_HMAC_MD5,
- 0, HMAC_MD5_KEY_LEN,
- SADB_EALG_NULL, SADB_AALG_MD5HMAC },
- { ESP_NULL, AUTH_ALGORITHM_HMAC_SHA1,
- 0, HMAC_SHA1_KEY_LEN,
- SADB_EALG_NULL, SADB_AALG_SHA1HMAC },
-
- { ESP_DES, AUTH_ALGORITHM_NONE,
- DES_CBC_BLOCK_SIZE, 0,
- SADB_EALG_DESCBC, SADB_AALG_NONE },
- { ESP_DES, AUTH_ALGORITHM_HMAC_MD5,
- DES_CBC_BLOCK_SIZE, HMAC_MD5_KEY_LEN,
- SADB_EALG_DESCBC, SADB_AALG_MD5HMAC },
- { ESP_DES, AUTH_ALGORITHM_HMAC_SHA1,
- DES_CBC_BLOCK_SIZE,
- HMAC_SHA1_KEY_LEN, SADB_EALG_DESCBC, SADB_AALG_SHA1HMAC },
-
- { ESP_3DES, AUTH_ALGORITHM_NONE,
- DES_CBC_BLOCK_SIZE * 3, 0,
- SADB_EALG_3DESCBC, SADB_AALG_NONE },
- { ESP_3DES, AUTH_ALGORITHM_HMAC_MD5,
- DES_CBC_BLOCK_SIZE * 3, HMAC_MD5_KEY_LEN,
- SADB_EALG_3DESCBC, SADB_AALG_MD5HMAC },
- { ESP_3DES, AUTH_ALGORITHM_HMAC_SHA1,
- DES_CBC_BLOCK_SIZE * 3, HMAC_SHA1_KEY_LEN,
- SADB_EALG_3DESCBC, SADB_AALG_SHA1HMAC },
- };
-
- u_int8_t natt_type = 0;
- u_int16_t natt_sport = 0;
- u_int16_t natt_dport = 0;
- ip_address natt_oa;
-
- if (st->nat_traversal & NAT_T_DETECTED)
- {
- natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ?
- ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
- natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port;
- natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
- natt_oa = st->nat_oa;
- }
-
- for (ei = esp_info; ; ei++)
+ if ((ei = kernel_alg_esp_info(st->st_esp.attrs.transid,
+ st->st_esp.attrs.auth)) == NULL)
{
- if (ei == &esp_info[countof(esp_info)])
- {
- /* Check for additional kernel alg */
- if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid,
- st->st_esp.attrs.auth))!=NULL)
- {
- break;
- }
-
- /* note: enum_show may use a static buffer, so two
- * calls in one printf would be a mistake.
- * enum_name does the same job, without a static buffer,
- * assuming the name will be found.
- */
- loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s not implemented yet"
- , enum_name(&esp_transform_names, st->st_esp.attrs.transid)
- , enum_name(&auth_alg_names, st->st_esp.attrs.auth));
- goto fail;
- }
-
- if (st->st_esp.attrs.transid == ei->transid &&
- st->st_esp.attrs.auth == ei->auth)
- {
- break;
- }
+ loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s"
+ " not implemented yet",
+ enum_name(&esp_transform_names, st->st_esp.attrs.transid),
+ enum_name(&auth_alg_names, st->st_esp.attrs.auth));
+ goto fail;
}
- key_len = st->st_esp.attrs.key_len/8;
+ key_len = st->st_esp.attrs.key_len / 8;
if (key_len)
{
/* XXX: must change to check valid _range_ key_len */
if (key_len > ei->enckeylen)
{
- loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
+ loglog(RC_LOG_SERIOUS, "ESP transform %s: key_len=%d > %d",
enum_name(&esp_transform_names, st->st_esp.attrs.transid),
(int)key_len, (int)ei->enckeylen);
goto fail;
@@ -2012,290 +1268,144 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
break;
}
- /* divide up keying material */
- set_text_said(text_said, &dst.addr, esp_spi, SA_ESP);
- said_next->src = &src.addr;
- said_next->dst = &dst.addr;
- said_next->src_client = &src_client;
- said_next->dst_client = &dst_client;
- said_next->spi = esp_spi;
- said_next->satype = SADB_SATYPE_ESP;
- said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ?
- REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
- said_next->authalg = ei->authalg;
- said_next->authkeylen = ei->authkeylen;
- said_next->authkey = esp_dst_keymat + key_len;
- said_next->encalg = ei->encryptalg;
- said_next->enckeylen = key_len;
- said_next->enckey = esp_dst_keymat;
- said_next->encapsulation = encapsulation;
- said_next->reqid = c->spd.reqid + 1;
- said_next->natt_sport = natt_sport;
- said_next->natt_dport = natt_dport;
- said_next->transid = st->st_esp.attrs.transid;
- said_next->natt_type = natt_type;
- said_next->natt_oa = &natt_oa;
- said_next->text_said = text_said;
-
- if (!kernel_ops->add_sa(said_next, replace))
+ if (encap)
{
- goto fail;
+ host_src->set_port(host_src, src->host_port);
+ host_dst->set_port(host_dst, dst->host_port);
+ // st->nat_oa is currently unused
}
- said_next++;
- encapsulation = ENCAPSULATION_MODE_TRANSPORT;
- }
-
- /* set up AH SA, if any */
- if (st->st_ah.present)
- {
- ipsec_spi_t ah_spi = inbound? st->st_ah.our_spi : st->st_ah.attrs.spi;
- u_char *ah_dst_keymat = inbound? st->st_ah.our_keymat : st->st_ah.peer_keymat;
+ /* divide up keying material */
+ enc_alg = encryption_algorithm_from_esp(st->st_esp.attrs.transid);
+ enc_key.ptr = esp_dst_keymat;
+ enc_key.len = key_len;
+ auth_alg = integrity_algorithm_from_esp(st->st_esp.attrs.auth);
+ auth_alg = auth_alg ? : AUTH_UNDEFINED;
+ auth_key.ptr = esp_dst_keymat + key_len;
+ auth_key.len = ei->authkeylen;
- unsigned char authalg;
+ sa.esp.use = TRUE;
+ sa.esp.spi = esp_spi;
- switch (st->st_ah.attrs.auth)
- {
- case AUTH_ALGORITHM_HMAC_MD5:
- authalg = SADB_AALG_MD5HMAC;
- break;
- case AUTH_ALGORITHM_HMAC_SHA1:
- authalg = SADB_AALG_SHA1HMAC;
- break;
- default:
- loglog(RC_LOG_SERIOUS, "%s not implemented yet",
- enum_show(&auth_alg_names, st->st_ah.attrs.auth));
- goto fail;
- }
+ said_next->spi = esp_spi;
+ said_next->proto = IPPROTO_ESP;
- set_text_said(text_said, &dst.addr, ah_spi, SA_AH);
- said_next->src = &src.addr;
- said_next->dst = &dst.addr;
- said_next->src_client = &src_client;
- said_next->dst_client = &dst_client;
- said_next->spi = ah_spi;
- said_next->satype = SADB_SATYPE_AH;
- said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ?
- REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
- said_next->authalg = authalg;
- said_next->authkeylen = st->st_ah.keymat_len;
- said_next->authkey = ah_dst_keymat;
- said_next->encapsulation = encapsulation;
- said_next->reqid = c->spd.reqid;
- said_next->text_said = text_said;
-
- if (!kernel_ops->add_sa(said_next, replace))
+ if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
+ host_dst, esp_spi, said_next->proto, c->spd.reqid,
+ mark, &lt_none, enc_alg, enc_key,
+ auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
+ encap, inbound, NULL, NULL) != SUCCESS)
{
goto fail;
}
said_next++;
- encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+ mode = MODE_TRANSPORT;
}
- if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
- || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
- || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
- {
- encapsulation = ENCAPSULATION_MODE_TUNNEL;
- }
+ /* set up AH SA, if any */
- if (kernel_ops->inbound_eroute ? c->spd.eroute_owner == SOS_NOBODY
- : encapsulation == ENCAPSULATION_MODE_TUNNEL)
+ if (st->st_ah.present)
{
- /* If inbound, and policy does not specifie DISABLEARRIVALCHECK,
- * tell KLIPS to enforce the IP addresses appropriate for this tunnel.
- * Note reversed ends.
- * Not much to be done on failure.
- */
- if (inbound && (c->policy & POLICY_DISABLEARRIVALCHECK) == 0)
- {
- struct pfkey_proto_info proto_info[4];
- int i = 0;
-
- if (st->st_ipcomp.present)
- {
- proto_info[i].proto = IPPROTO_COMP;
- proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
- proto_info[i].reqid = c->spd.reqid + 2;
- i++;
- }
-
- if (st->st_esp.present)
- {
- proto_info[i].proto = IPPROTO_ESP;
- proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
- proto_info[i].reqid = c->spd.reqid + 1;
- i++;
- }
-
- if (st->st_ah.present)
- {
- proto_info[i].proto = IPPROTO_AH;
- proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
- proto_info[i].reqid = c->spd.reqid;
- i++;
- }
-
- proto_info[i].proto = 0;
-
- if (kernel_ops->inbound_eroute
- && encapsulation == ENCAPSULATION_MODE_TUNNEL)
- {
- proto_info[0].encapsulation = ENCAPSULATION_MODE_TUNNEL;
- for (i = 1; proto_info[i].proto; i++)
- {
- proto_info[i].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
- }
- }
+ ipsec_spi_t ah_spi = inbound ? st->st_ah.our_spi
+ : st->st_ah.attrs.spi;
+ u_char *ah_dst_keymat = inbound ? st->st_ah.our_keymat
+ : st->st_ah.peer_keymat;
+ integrity_algorithm_t auth_alg;
+ chunk_t auth_key;
- /* MCR - should be passed a spd_eroute structure here */
- (void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
- , &c->spd.this.host_addr, &c->spd.this.client
- , inner_spi, proto, satype, c->spd.this.protocol
- , proto_info, 0
- , ERO_ADD_INBOUND, "add inbound");
- }
- }
+ auth_alg = integrity_algorithm_from_esp(st->st_ah.attrs.auth);
+ auth_key.ptr = ah_dst_keymat;
+ auth_key.len = st->st_ah.keymat_len;
- /* If there are multiple SPIs, group them. */
+ sa.ah.use = TRUE;
+ sa.ah.spi = ah_spi;
- if (kernel_ops->grp_sa && said_next > &said[1])
- {
- struct kernel_sa *s;
+ said_next->spi = ah_spi;
+ said_next->proto = IPPROTO_AH;
- /* group SAs, two at a time, inner to outer (backwards in said[])
- * The grouping is by pairs. So if said[] contains ah esp ipip,
- * the grouping would be ipip:esp, esp:ah.
- */
- for (s = said; s < said_next-1; s++)
+ if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
+ host_dst, ah_spi, said_next->proto, c->spd.reqid,
+ mark, &lt_none, ENCR_UNDEFINED, chunk_empty,
+ auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
+ FALSE, inbound, NULL, NULL) != SUCCESS)
{
- char
- text_said0[SATOT_BUF],
- text_said1[SATOT_BUF];
-
- /* group s[1] and s[0], in that order */
-
- set_text_said(text_said0, s[0].dst, s[0].spi, s[0].proto);
- set_text_said(text_said1, s[1].dst, s[1].spi, s[1].proto);
-
- DBG(DBG_KLIPS, DBG_log("grouping %s and %s", text_said1, text_said0));
-
- s[0].text_said = text_said0;
- s[1].text_said = text_said1;
-
- if (!kernel_ops->grp_sa(s + 1, s))
- {
- goto fail;
- }
+ goto fail;
}
- /* could update said, but it will not be used */
+ said_next++;
+ mode = MODE_TRANSPORT;
}
- return TRUE;
+ goto cleanup;
fail:
+ /* undo the done SPIs */
+ while (said_next-- != said)
{
- /* undo the done SPIs */
- while (said_next-- != said)
- {
- (void) del_spi(said_next->spi, said_next->proto, &src.addr,
- said_next->dst);
- }
- return FALSE;
+ hydra->kernel_interface->del_sa(hydra->kernel_interface, host_src,
+ host_dst, said_next->spi,
+ said_next->proto, 0 /* cpi */,
+ mark);
}
-}
+ ok = FALSE;
-/* teardown_ipsec_sa is a canibalized version of setup_ipsec_sa */
+cleanup:
+ host_src->destroy(host_src);
+ host_dst->destroy(host_dst);
+ return ok;
+}
static bool teardown_half_ipsec_sa(struct state *st, bool inbound)
{
- /* We need to delete AH, ESP, and IP in IP SPIs.
- * But if there is more than one, they have been grouped
- * so deleting any one will do. So we just delete the
- * first one found. It may or may not be the only one.
- */
connection_t *c = st->st_connection;
- struct {
- unsigned proto;
- struct ipsec_proto_info *info;
- } protos[4];
- int i;
- bool result;
+ const struct end *src, *dst;
+ host_t *host_src, *host_dst;
+ ipsec_spi_t spi;
+ mark_t mark;
+ bool result = TRUE;
- i = 0;
- if (kernel_ops->inbound_eroute && inbound
- && c->spd.eroute_owner == SOS_NOBODY)
+ if (inbound)
{
- (void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
- , &c->spd.this.host_addr, &c->spd.this.client
- , 256, IPSEC_PROTO_ANY, SADB_SATYPE_UNSPEC, c->spd.this.protocol
- , null_proto_info, 0
- , ERO_DEL_INBOUND, "delete inbound");
+ src = &c->spd.that;
+ dst = &c->spd.this;
+ mark = c->spd.mark_in;
}
-
- if (!kernel_ops->grp_sa)
+ else
{
- if (st->st_ah.present)
- {
- protos[i].info = &st->st_ah;
- protos[i].proto = SA_AH;
- i++;
- }
+ src = &c->spd.this;
+ dst = &c->spd.that;
+ mark = c->spd.mark_out;
+ }
- if (st->st_esp.present)
- {
- protos[i].info = &st->st_esp;
- protos[i].proto = SA_ESP;
- i++;
- }
+ host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
+ host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
- if (st->st_ipcomp.present)
- {
- protos[i].info = &st->st_ipcomp;
- protos[i].proto = SA_COMP;
- i++;
- }
- }
- else if (st->st_ah.present)
- {
- protos[i].info = &st->st_ah;
- protos[i].proto = SA_AH;
- i++;
- }
- else if (st->st_esp.present)
+ if (st->st_ah.present)
{
- protos[i].info = &st->st_esp;
- protos[i].proto = SA_ESP;
- i++;
+ spi = inbound ? st->st_ah.our_spi : st->st_ah.attrs.spi;
+ result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
+ host_src, host_dst, spi, IPPROTO_AH,
+ 0 /* cpi */, mark) == SUCCESS;
}
- else
+
+ if (st->st_esp.present)
{
- impossible(); /* neither AH nor ESP in outbound SA bundle! */
+ spi = inbound ? st->st_esp.our_spi : st->st_esp.attrs.spi;
+ result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
+ host_src, host_dst, spi, IPPROTO_ESP,
+ 0 /* cpi */, mark) == SUCCESS;
}
- protos[i].proto = 0;
- result = TRUE;
- for (i = 0; protos[i].proto; i++)
+ if (st->st_ipcomp.present)
{
- unsigned proto = protos[i].proto;
- ipsec_spi_t spi;
- const ip_address *src, *dst;
+ spi = inbound ? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi;
+ result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
+ host_src, host_dst, spi, IPPROTO_COMP,
+ 0 /* cpi */, mark) == SUCCESS;
+ }
- if (inbound)
- {
- spi = protos[i].info->our_spi;
- src = &c->spd.that.host_addr;
- dst = &c->spd.this.host_addr;
- }
- else
- {
- spi = protos[i].info->attrs.spi;
- src = &c->spd.this.host_addr;
- dst = &c->spd.that.host_addr;
- }
+ host_src->destroy(host_src);
+ host_dst->destroy(host_dst);
- result &= del_spi(spi, proto, src, dst);
- }
return result;
}
@@ -2304,126 +1414,198 @@ static bool teardown_half_ipsec_sa(struct state *st, bool inbound)
*/
bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
{
- char text_said[SATOT_BUF];
- struct kernel_sa sa;
connection_t *c = st->st_connection;
+ traffic_selector_t *ts_src = NULL, *ts_dst = NULL;
+ host_t *host_src = NULL, *host_dst = NULL;
+ const struct end *src, *dst;
+ ipsec_spi_t spi;
+ mark_t mark;
+ u_int64_t bytes_kernel = 0;
+ bool result = FALSE;
*use_time = UNDEFINED_TIME;
- if (kernel_ops->get_sa == NULL || !st->st_esp.present)
+ if (!st->st_esp.present)
{
- return FALSE;
+ goto failed;
}
- memset(&sa, 0, sizeof(sa));
- sa.proto = SA_ESP;
if (inbound)
{
- sa.src = &c->spd.that.host_addr;
- sa.dst = &c->spd.this.host_addr;
- sa.spi = st->st_esp.our_spi;
+ src = &c->spd.that;
+ dst = &c->spd.this;
+ mark = c->spd.mark_in;
+ spi = st->st_esp.our_spi;
}
else
{
- sa.src = &c->spd.this.host_addr;
- sa.dst = &c->spd.that.host_addr;
- sa.spi = st->st_esp.attrs.spi;
+ src = &c->spd.this;
+ dst = &c->spd.that;
+ mark = c->spd.mark_out;
+ spi = st->st_esp.attrs.spi;
}
- set_text_said(text_said, sa.dst, sa.spi, sa.proto);
- sa.text_said = text_said;
+ host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
+ host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
- DBG(DBG_KLIPS,
- DBG_log("get %s", text_said)
- )
- if (!kernel_ops->get_sa(&sa, bytes))
+ switch(hydra->kernel_interface->query_sa(hydra->kernel_interface, host_src,
+ host_dst, spi, IPPROTO_ESP,
+ mark, &bytes_kernel))
{
- return FALSE;
+ case FAILED:
+ goto failed;
+ case SUCCESS:
+ *bytes = bytes_kernel;
+ break;
+ case NOT_SUPPORTED:
+ default:
+ break;
}
- DBG(DBG_KLIPS,
- DBG_log(" current: %d bytes", *bytes)
- )
if (st->st_serialno == c->spd.eroute_owner)
{
- DBG(DBG_KLIPS,
- DBG_log("get %sbound policy with reqid %u"
- , inbound? "in":"out", (u_int)c->spd.reqid + 1)
- )
- sa.transport_proto = c->spd.this.protocol;
- sa.encapsulation = st->st_esp.attrs.encapsulation;
+ u_int32_t time_kernel;
- if (inbound)
- {
- sa.src_client = &c->spd.that.client;
- sa.dst_client = &c->spd.this.client;
- }
- else
+ ts_src = traffic_selector_from_subnet(&src->client, src->protocol);
+ ts_dst = traffic_selector_from_subnet(&dst->client, dst->protocol);
+
+ if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
+ ts_src, ts_dst, inbound ? POLICY_IN : POLICY_OUT,
+ mark, &time_kernel) != SUCCESS)
{
- sa.src_client = &c->spd.this.client;
- sa.dst_client = &c->spd.that.client;
+ goto failed;
}
- if (!kernel_ops->get_policy(&sa, inbound, use_time))
+ *use_time = time_kernel;
+
+ if (inbound &&
+ st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
{
- return FALSE;
+ if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
+ ts_src, ts_dst, POLICY_FWD, mark,
+ &time_kernel) != SUCCESS)
+ {
+ goto failed;
+ }
+ *use_time = max(*use_time, time_kernel);
}
- DBG(DBG_KLIPS,
- DBG_log(" use_time: %T", use_time, FALSE)
- )
}
- return TRUE;
+
+ result = TRUE;
+
+failed:
+ DESTROY_IF(host_src);
+ DESTROY_IF(host_dst);
+ DESTROY_IF(ts_src);
+ DESTROY_IF(ts_dst);
+ return result;
}
-const struct kernel_ops *kernel_ops;
+/**
+ * Handler for kernel events (called by thread-pool thread)
+ */
+kernel_listener_t *kernel_handler;
-#endif /* KLIPS */
+/**
+ * Data for acquire events
+ */
+typedef struct {
+ /** Subnets */
+ ip_subnet src, dst;
+ /** Transport protocol */
+ int proto;
+} acquire_data_t;
-void init_kernel(void)
+/**
+ * Callback for acquire events (called by main thread)
+ */
+void handle_acquire(acquire_data_t *this)
{
-#ifdef KLIPS
+ record_and_initiate_opportunistic(&this->src, &this->dst, this->proto,
+ "%acquire");
+}
- if (no_klips)
+METHOD(kernel_listener_t, acquire, bool,
+ kernel_listener_t *this, u_int32_t reqid,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+ if (src_ts && dst_ts)
{
- kernel_ops = &noklips_kernel_ops;
- return;
+ acquire_data_t *data;
+ DBG(DBG_CONTROL,
+ DBG_log("creating acquire event for policy %R === %R "
+ "with reqid {%u}", src_ts, dst_ts, reqid));
+ INIT(data,
+ .src = subnet_from_traffic_selector(src_ts),
+ .dst = subnet_from_traffic_selector(dst_ts),
+ .proto = src_ts->get_protocol(src_ts),
+ );
+ pluto->events->queue(pluto->events, (void*)handle_acquire, data, free);
}
+ else
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("ignoring acquire without traffic selectors for policy "
+ "with reqid {%u}", reqid));
+ }
+ DESTROY_IF(src_ts);
+ DESTROY_IF(dst_ts);
+ return TRUE;
+}
- init_pfkey();
-
- kernel_ops = &klips_kernel_ops;
+/**
+ * Data for mapping events
+ */
+typedef struct {
+ /** reqid, spi of affected SA */
+ u_int32_t reqid, spi;
+ /** new endpont */
+ ip_address new_end;
+} mapping_data_t;
-#if defined(linux) && defined(KERNEL26_SUPPORT)
- {
- bool linux_ipsec = 0;
- struct stat buf;
+/**
+ * Callback for mapping events (called by main thread)
+ */
+void handle_mapping(mapping_data_t *this)
+{
+ process_nat_t_new_mapping(this->reqid, this->spi, &this->new_end);
+}
- linux_ipsec = (stat("/proc/net/pfkey", &buf) == 0);
- if (linux_ipsec)
- {
- plog("Using Linux 2.6 IPsec interface code");
- kernel_ops = &linux_kernel_ops;
- }
- else
- {
- plog("Using KLIPS IPsec interface code");
- }
- }
-#endif
- if (kernel_ops->init)
- {
- kernel_ops->init();
- }
+METHOD(kernel_listener_t, mapping, bool,
+ kernel_listener_t *this, u_int32_t reqid, u_int32_t spi, host_t *remote)
+{
+ mapping_data_t *data;
+ DBG(DBG_CONTROL,
+ DBG_log("creating mapping event for SA with SPI %.8x and reqid {%u}",
+ spi, reqid));
+ INIT(data,
+ .reqid = reqid,
+ .spi = spi,
+ .new_end = *(ip_address*)remote->get_sockaddr(remote),
+ );
+ pluto->events->queue(pluto->events, (void*)handle_mapping, data, free);
+ return TRUE;
+}
+void init_kernel(void)
+{
/* register SA types that we can negotiate */
- can_do_IPcomp = FALSE; /* until we get a response from KLIPS */
- kernel_ops->pfkey_register();
+ can_do_IPcomp = FALSE; /* until we get a response from the kernel */
+ pfkey_register();
+
+ INIT(kernel_handler,
+ .acquire = _acquire,
+ .mapping = _mapping,
+ );
+ hydra->kernel_interface->add_listener(hydra->kernel_interface,
+ kernel_handler);
+}
- if (!kernel_ops->policy_lifetime)
- {
- event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
- }
-#endif
+void kernel_finalize()
+{
+ hydra->kernel_interface->remove_listener(hydra->kernel_interface,
+ kernel_handler);
+ free(kernel_handler);
}
/* Note: install_inbound_ipsec_sa is only used by the Responder.
@@ -2482,13 +1664,8 @@ bool install_inbound_ipsec_sa(struct state *st)
return FALSE;
}
-#ifdef KLIPS
/* (attempt to) actually set up the SAs */
return setup_half_ipsec_sa(st, TRUE);
-#else /* !KLIPS */
- DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa()"));
- return TRUE;
-#endif /* !KLIPS */
}
/* Install a route and then a prospective shunt eroute or an SA group eroute.
@@ -2496,11 +1673,8 @@ bool install_inbound_ipsec_sa(struct state *st)
* Any SA Group must have already been created.
* On failure, steps will be unwound.
*/
-bool route_and_eroute(connection_t *c USED_BY_KLIPS,
- struct spd_route *sr USED_BY_KLIPS,
- struct state *st USED_BY_KLIPS)
+bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
{
-#ifdef KLIPS
struct spd_route *esr;
struct spd_route *rosr;
connection_t *ero /* who, if anyone, owns our eroute? */
@@ -2510,7 +1684,6 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
, route_installed = FALSE;
connection_t *ero_top;
- struct bare_shunt **bspp;
DBG(DBG_CONTROLMORE,
DBG_log("route_and_eroute with c: %s (next: %s) ero:%s esr:{%p} ro:%s rosr:{%p} and state: %lu"
@@ -2537,15 +1710,9 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
break;
#endif
- bspp = (ero == NULL)
- ? bare_shunt_ptr(&sr->this.client, &sr->that.client, sr->this.protocol)
- : NULL;
-
/* install the eroute */
- passert(bspp == NULL || ero == NULL); /* only one non-NULL */
-
- if (bspp != NULL || ero != NULL)
+ if (ero != NULL)
{
/* We're replacing an eroute */
@@ -2571,7 +1738,6 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
&& samesubnet(&esr->that.client, &sr->that.client));
}
#endif
- /* remember to free bspp iff we make it out of here alive */
}
else
{
@@ -2601,7 +1767,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
*/
firewall_notified = st == NULL /* not a tunnel eroute */
|| sr->eroute_owner != SOS_NOBODY /* already notified */
- || do_command(c, sr, "up"); /* go ahead and notify */
+ || do_command(c, sr, st, "up"); /* go ahead and notify */
}
/* install the route */
@@ -2616,8 +1782,8 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
else if (ro == NULL)
{
/* a new route: no deletion required, but preparation is */
- (void) do_command(c, sr, "prepare"); /* just in case; ignore failure */
- route_installed = do_command(c, sr, "route");
+ (void) do_command(c, sr, st, "prepare"); /* just in case; ignore failure */
+ route_installed = do_command(c, sr, st, "route");
}
else if (routed(sr->routing) || routes_agree(ro, c))
{
@@ -2636,13 +1802,13 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
*/
if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop))
{
- (void) do_command(ro, sr, "unroute");
- route_installed = do_command(c, sr, "route");
+ (void) do_command(ro, sr, st, "unroute");
+ route_installed = do_command(c, sr, st, "route");
}
else
{
- route_installed = do_command(c, sr, "route");
- (void) do_command(ro, sr, "unroute");
+ route_installed = do_command(c, sr, st, "route");
+ (void) do_command(ro, sr, st, "unroute");
}
/* record unrouting */
@@ -2663,11 +1829,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
{
/* Success! */
- if (bspp != NULL)
- {
- free_bare_shunt(bspp);
- }
- else if (ero != NULL && ero != c)
+ if (ero != NULL && ero != c)
{
/* check if ero is an ancestor of c. */
connection_t *ero2;
@@ -2713,7 +1875,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
{
/* Failure! Unwind our work. */
if (firewall_notified && sr->eroute_owner == SOS_NOBODY)
- (void) do_command(c, sr, "down");
+ (void) do_command(c, sr, st, "down");
if (eroute_installed)
{
@@ -2721,28 +1883,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
* Since there is nothing much to be done if the restoration
* fails, ignore success or failure.
*/
- if (bspp != NULL)
- {
- /* Restore old bare_shunt.
- * I don't think that this case is very likely.
- * Normally a bare shunt would have been assigned
- * to a connection before we've gotten this far.
- */
- struct bare_shunt *bs = *bspp;
-
- (void) raw_eroute(&bs->said.dst /* should be useless */
- , &bs->ours
- , &bs->said.dst /* should be useless */
- , &bs->his
- , bs->said.spi /* network order */
- , SA_INT
- , SADB_X_SATYPE_INT
- , 0
- , null_proto_info
- , SHUNT_PATIENCE
- , ERO_REPLACE, "restore");
- }
- else if (ero != NULL)
+ if (ero != NULL)
{
/* restore ero's former glory */
if (esr->eroute_owner == SOS_NOBODY)
@@ -2781,14 +1922,10 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
return FALSE;
}
-#else /* !KLIPS */
- return TRUE;
-#endif /* !KLIPS */
}
-bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
+bool install_ipsec_sa(struct state *st, bool inbound_also)
{
-#ifdef KLIPS
struct spd_route *sr;
DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s"
@@ -2838,21 +1975,6 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
}
}
}
-#else /* !KLIPS */
- DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() %s"
- , inbound_also? "inbound and oubound" : "outbound only"));
-
- switch (could_route(st->st_connection))
- {
- case route_easy:
- case route_nearconflict:
- break;
- default:
- return FALSE;
- }
-
-
-#endif /* !KLIPS */
return TRUE;
}
@@ -2861,10 +1983,8 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
* we may not succeed, but we bull ahead anyway because
* we cannot do anything better by recognizing failure
*/
-void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
- bool inbound_only USED_BY_KLIPS)
+void delete_ipsec_sa(struct state *st, bool inbound_only)
{
-#ifdef KLIPS
if (!inbound_only)
{
/* If the state is the eroute owner, we must adjust
@@ -2890,7 +2010,7 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE
? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
- (void) do_command(c, sr, "down");
+ (void) do_command(c, sr, st, "down");
if ((c->policy & POLICY_DONT_REKEY) && c->kind == CK_INSTANCE)
{
/* in this special case, even if the connection
@@ -2911,46 +2031,41 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
(void) teardown_half_ipsec_sa(st, FALSE);
}
(void) teardown_half_ipsec_sa(st, TRUE);
-#else /* !KLIPS */
- DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()"));
-#endif /* !KLIPS */
}
-#ifdef KLIPS
static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
{
connection_t *c = st->st_connection;
- char text_said[SATOT_BUF];
- struct kernel_sa sa;
- ip_address
- src = inbound? c->spd.that.host_addr : c->spd.this.host_addr,
- dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr;
-
- ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
-
- u_int16_t
- natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port,
- natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
-
- set_text_said(text_said, &dst, esp_spi, SA_ESP);
-
- memset(&sa, 0, sizeof(sa));
- sa.spi = esp_spi;
- sa.src = &src;
- sa.dst = &dst;
- sa.text_said = text_said;
- sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth);
- sa.natt_sport = natt_sport;
- sa.natt_dport = natt_dport;
- sa.transid = st->st_esp.attrs.transid;
-
- return kernel_ops->add_sa(&sa, TRUE);
+ host_t *host_src, *host_dst, *new_src, *new_dst;
+ ipsec_spi_t spi = inbound ? st->st_esp.our_spi : st->st_esp.attrs.spi;
+ struct end *src = inbound ? &c->spd.that : &c->spd.this,
+ *dst = inbound ? &c->spd.this : &c->spd.that;
+ mark_t mark = inbound ? c->spd.mark_in : c->spd.mark_out;
+ bool result;
+
+ host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
+ host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
+
+ new_src = host_src->clone(host_src);
+ new_dst = host_dst->clone(host_dst);
+ new_src->set_port(new_src, src->host_port);
+ new_dst->set_port(new_dst, dst->host_port);
+
+ result = hydra->kernel_interface->update_sa(hydra->kernel_interface,
+ spi, IPPROTO_ESP, 0 /* cpi */, host_src, host_dst,
+ new_src, new_dst, TRUE /* encap */, TRUE /* new_encap */,
+ mark) == SUCCESS;
+
+ host_src->destroy(host_src);
+ host_dst->destroy(host_dst);
+ new_src->destroy(new_src);
+ new_dst->destroy(new_dst);
+
+ return result;
}
-#endif
-bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
+bool update_ipsec_sa (struct state *st)
{
-#ifdef KLIPS
if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
{
if (st->st_esp.present && (
@@ -2973,10 +2088,6 @@ bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
return FALSE;
}
return TRUE;
-#else /* !KLIPS */
- DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()"));
- return TRUE;
-#endif /* !KLIPS */
}
/* Check if there was traffic on given SA during the last idle_max
@@ -2986,102 +2097,17 @@ bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
*/
bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
{
- static const char procname[] = "/proc/net/ipsec_spi";
- FILE *f;
- char buf[1024];
+ time_t use_time;
u_int bytes;
int ret = TRUE;
passert(st != NULL);
- f = fopen(procname, "r");
- if (f == NULL)
+ if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME)
{
- /* Can't open the file, perhaps were are on 26sec? */
- time_t use_time;
-
- if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME)
- {
- *idle_time = time(NULL) - use_time;
- ret = *idle_time >= idle_max;
- }
+ *idle_time = time_monotonic(NULL) - use_time;
+ ret = *idle_time >= idle_max;
}
- else
- {
- while (f != NULL)
- {
- char *line;
- char text_said[SATOT_BUF];
- u_int8_t proto = 0;
- ip_address dst;
- ip_said said;
- ipsec_spi_t spi = 0;
- static const char idle[] = "idle=";
-
- dst = st->st_connection->spd.this.host_addr; /* inbound SA */
- if (st->st_ah.present)
- {
- proto = SA_AH;
- spi = st->st_ah.our_spi;
- }
- if (st->st_esp.present)
- {
- proto = SA_ESP;
- spi = st->st_esp.our_spi;
- }
-
- if (proto == 0 && spi == 0)
- {
- ret = TRUE;
- break;
- }
- initsaid(&dst, spi, proto, &said);
- satot(&said, 'x', text_said, SATOT_BUF);
-
- line = fgets(buf, sizeof(buf), f);
- if (line == NULL)
- {
- /* Reached end of list */
- ret = TRUE;
- break;
- }
-
- if (strneq(line, text_said, strlen(text_said)))
- {
- /* we found a match, now try to find idle= */
- char *p = strstr(line, idle);
-
- if (p == NULL)
- {
- /* SAs which haven't been used yet don't have it */
- ret = TRUE; /* it didn't have traffic */
- break;
- }
- p += sizeof(idle)-1;
- if (*p == '\0')
- {
- ret = TRUE; /* be paranoid */
- break;
- }
- if (sscanf(p, "%d", (int *) idle_time) <= 0)
- {
- ret = TRUE;
- break;
- }
- if (*idle_time >= idle_max)
- {
- ret = TRUE;
- break;
- }
- else
- {
- ret = FALSE;
- break;
- }
- }
- }
- fclose(f);
- }
return ret;
}