]>
Commit | Line | Data |
---|---|---|
997358a6 MW |
1 | /* routines that interface with the kernel's IPsec mechanism |
2 | * Copyright (C) 1997 Angelos D. Keromytis. | |
3 | * Copyright (C) 1998-2002 D. Hugh Redelmeier. | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify it | |
6 | * under the terms of the GNU General Public License as published by the | |
7 | * Free Software Foundation; either version 2 of the License, or (at your | |
8 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
9 | * | |
10 | * This program is distributed in the hope that it will be useful, but | |
11 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
12 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
13 | * for more details. | |
14 | * | |
9820c0e2 | 15 | * RCSID $Id: kernel.c,v 1.26 2006/04/29 18:16:02 as Exp $ |
997358a6 MW |
16 | */ |
17 | ||
18 | #include <stddef.h> | |
19 | #include <string.h> | |
20 | #include <stdio.h> | |
21 | #include <stdlib.h> | |
22 | #include <errno.h> | |
23 | #include <wait.h> | |
24 | #include <unistd.h> | |
25 | #include <fcntl.h> | |
26 | #include <sys/queue.h> | |
27 | ||
28 | #include <sys/stat.h> | |
29 | #include <sys/socket.h> | |
30 | #include <netinet/in.h> | |
31 | #include <arpa/inet.h> | |
32 | ||
33 | #include <freeswan.h> | |
34 | #include <freeswan/ipsec_policy.h> | |
35 | ||
36 | #ifdef KLIPS | |
37 | #include <signal.h> | |
38 | #include <sys/time.h> /* for select(2) */ | |
39 | #include <sys/types.h> /* for select(2) */ | |
40 | #include <pfkeyv2.h> | |
41 | #include <pfkey.h> | |
42 | #include "kameipsec.h" | |
43 | #endif /* KLIPS */ | |
44 | ||
45 | #include "constants.h" | |
46 | #include "defs.h" | |
47 | #include "rnd.h" | |
48 | #include "id.h" | |
49 | #include "connections.h" | |
50 | #include "state.h" | |
51 | #include "timer.h" | |
52 | #include "kernel.h" | |
53 | #include "kernel_netlink.h" | |
54 | #include "kernel_pfkey.h" | |
55 | #include "kernel_noklips.h" | |
56 | #include "log.h" | |
57 | #include "ca.h" | |
58 | #include "server.h" | |
59 | #include "whack.h" /* for RC_LOG_SERIOUS */ | |
60 | #include "keys.h" | |
61 | ||
62 | #ifdef NAT_TRAVERSAL | |
63 | #include "packet.h" /* for pb_stream in nat_traversal.h */ | |
64 | #include "nat_traversal.h" | |
65 | #endif | |
66 | ||
67 | #include "alg_info.h" | |
68 | #include "kernel_alg.h" | |
69 | ||
70 | ||
71 | bool can_do_IPcomp = TRUE; /* can system actually perform IPCOMP? */ | |
72 | ||
73 | /* How far can IPsec messages arrive out of order before the anti-replay | |
74 | * logic loses track and swats them? 64 is the best KLIPS can do. | |
75 | * And 32 is the best XFRM can do... | |
76 | */ | |
77 | #define REPLAY_WINDOW 64 | |
78 | #define REPLAY_WINDOW_XFRM 32 | |
79 | ||
80 | /* test if the routes required for two different connections agree | |
81 | * It is assumed that the destination subnets agree; we are only | |
82 | * testing that the interfaces and nexthops match. | |
83 | */ | |
84 | #define routes_agree(c, d) ((c)->interface == (d)->interface \ | |
85 | && sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop)) | |
86 | ||
87 | #ifndef KLIPS | |
88 | ||
89 | bool no_klips = TRUE; /* don't actually use KLIPS */ | |
90 | ||
91 | #else /* !KLIPS */ | |
92 | ||
93 | /* bare (connectionless) shunt (eroute) table | |
94 | * | |
95 | * Bare shunts are those that don't "belong" to a connection. | |
96 | * This happens because some %trapped traffic hasn't yet or cannot be | |
97 | * assigned to a connection. The usual reason is that we cannot discover | |
98 | * the peer SG. Another is that even when the peer has been discovered, | |
99 | * it may be that no connection matches all the particulars. | |
100 | * We record them so that, with scanning, we can discover | |
101 | * which %holds are news and which others should expire. | |
102 | */ | |
103 | ||
104 | #define SHUNT_SCAN_INTERVAL (60 * 2) /* time between scans of eroutes */ | |
105 | ||
106 | /* SHUNT_PATIENCE only has resolution down to a multiple of the sample rate, | |
107 | * SHUNT_SCAN_INTERVAL. | |
108 | * By making SHUNT_PATIENCE an odd multiple of half of SHUNT_SCAN_INTERVAL, | |
109 | * we minimize the effects of jitter. | |
110 | */ | |
111 | #define SHUNT_PATIENCE (SHUNT_SCAN_INTERVAL * 15 / 2) /* inactivity timeout */ | |
112 | ||
113 | struct bare_shunt { | |
114 | policy_prio_t policy_prio; | |
115 | ip_subnet ours; | |
116 | ip_subnet his; | |
117 | ip_said said; | |
118 | int transport_proto; | |
119 | unsigned long count; | |
120 | time_t last_activity; | |
121 | char *why; | |
122 | struct bare_shunt *next; | |
123 | }; | |
124 | ||
125 | static struct bare_shunt *bare_shunts = NULL; | |
126 | ||
127 | #ifdef DEBUG | |
128 | static void | |
129 | DBG_bare_shunt(const char *op, const struct bare_shunt *bs) | |
130 | { | |
131 | DBG(DBG_KLIPS, | |
132 | { | |
133 | int ourport = ntohs(portof(&(bs)->ours.addr)); | |
134 | int hisport = ntohs(portof(&(bs)->his.addr)); | |
135 | char ourst[SUBNETTOT_BUF]; | |
136 | char hist[SUBNETTOT_BUF]; | |
137 | char sat[SATOT_BUF]; | |
138 | char prio[POLICY_PRIO_BUF]; | |
139 | ||
140 | subnettot(&(bs)->ours, 0, ourst, sizeof(ourst)); | |
141 | subnettot(&(bs)->his, 0, hist, sizeof(hist)); | |
142 | satot(&(bs)->said, 0, sat, sizeof(sat)); | |
143 | fmt_policy_prio(bs->policy_prio, prio); | |
144 | DBG_log("%s bare shunt %p %s:%d -> %s:%d => %s:%d %s %s" | |
145 | , op, (const void *)(bs), ourst, ourport, hist, hisport | |
146 | , sat, (bs)->transport_proto, prio, (bs)->why); | |
147 | }); | |
148 | } | |
149 | #else /* !DEBUG */ | |
150 | #define DBG_bare_shunt(op, bs) {} | |
151 | #endif /* !DEBUG */ | |
152 | ||
153 | /* The orphaned_holds table records %holds for which we | |
154 | * scan_proc_shunts found no representation of in any connection. | |
155 | * The corresponding ACQUIRE message might have been lost. | |
156 | */ | |
157 | struct eroute_info *orphaned_holds = NULL; | |
158 | ||
159 | /* forward declaration */ | |
160 | static bool shunt_eroute(struct connection *c | |
161 | , struct spd_route *sr | |
162 | , enum routing_t rt_kind | |
163 | , unsigned int op, const char *opname); | |
164 | static void set_text_said(char *text_said | |
165 | , const ip_address *dst | |
166 | , ipsec_spi_t spi | |
167 | , int proto); | |
168 | ||
169 | bool no_klips = FALSE; /* don't actually use KLIPS */ | |
170 | ||
171 | static const struct pfkey_proto_info null_proto_info[2] = { | |
172 | { | |
173 | proto: IPPROTO_ESP, | |
174 | encapsulation: ENCAPSULATION_MODE_TRANSPORT, | |
175 | reqid: 0 | |
176 | }, | |
177 | { | |
178 | proto: 0, | |
179 | encapsulation: 0, | |
180 | reqid: 0 | |
181 | } | |
182 | }; | |
183 | ||
184 | void | |
185 | record_and_initiate_opportunistic(const ip_subnet *ours | |
186 | , const ip_subnet *his | |
187 | , int transport_proto | |
188 | , const char *why) | |
189 | { | |
190 | passert(samesubnettype(ours, his)); | |
191 | ||
192 | /* Add to bare shunt list. | |
193 | * We need to do this because the shunt was installed by KLIPS | |
194 | * which can't do this itself. | |
195 | */ | |
196 | { | |
197 | struct bare_shunt *bs = alloc_thing(struct bare_shunt, "bare shunt"); | |
198 | ||
199 | bs->why = clone_str(why, "story for bare shunt"); | |
200 | bs->ours = *ours; | |
201 | bs->his = *his; | |
202 | bs->transport_proto = transport_proto; | |
203 | bs->policy_prio = BOTTOM_PRIO; | |
204 | ||
205 | bs->said.proto = SA_INT; | |
206 | bs->said.spi = htonl(SPI_HOLD); | |
207 | bs->said.dst = *aftoinfo(subnettypeof(ours))->any; | |
208 | ||
209 | bs->count = 0; | |
210 | bs->last_activity = now(); | |
211 | ||
212 | bs->next = bare_shunts; | |
213 | bare_shunts = bs; | |
214 | DBG_bare_shunt("add", bs); | |
215 | } | |
216 | ||
217 | /* actually initiate opportunism */ | |
218 | { | |
219 | ip_address src, dst; | |
220 | ||
221 | networkof(ours, &src); | |
222 | networkof(his, &dst); | |
223 | initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD); | |
224 | } | |
225 | ||
226 | /* if present, remove from orphaned_holds list. | |
227 | * NOTE: we do this last in case ours or his is a pointer into a member. | |
228 | */ | |
229 | { | |
230 | struct eroute_info **pp, *p; | |
231 | ||
232 | for (pp = &orphaned_holds; (p = *pp) != NULL; pp = &p->next) | |
233 | { | |
234 | if (samesubnet(ours, &p->ours) | |
235 | && samesubnet(his, &p->his) | |
236 | && transport_proto == p->transport_proto | |
237 | && portof(&ours->addr) == portof(&p->ours.addr) | |
238 | && portof(&his->addr) == portof(&p->his.addr)) | |
239 | { | |
240 | *pp = p->next; | |
241 | pfree(p); | |
242 | break; | |
243 | } | |
244 | } | |
245 | } | |
246 | } | |
247 | ||
248 | #endif /* KLIPS */ | |
249 | ||
250 | static unsigned get_proto_reqid(unsigned base, int proto) | |
251 | { | |
252 | switch (proto) | |
253 | { | |
254 | default: | |
255 | case IPPROTO_COMP: | |
256 | base++; | |
257 | /* fall through */ | |
258 | case IPPROTO_ESP: | |
259 | base++; | |
260 | /* fall through */ | |
261 | case IPPROTO_AH: | |
262 | break; | |
263 | } | |
264 | ||
265 | return base; | |
266 | } | |
267 | ||
268 | /* Generate Unique SPI numbers. | |
269 | * | |
270 | * The specs say that the number must not be less than IPSEC_DOI_SPI_MIN. | |
271 | * Pluto generates numbers not less than IPSEC_DOI_SPI_OUR_MIN, | |
272 | * reserving numbers in between for manual keying (but we cannot so | |
273 | * restrict numbers generated by our peer). | |
274 | * XXX This should be replaced by a call to the kernel when | |
275 | * XXX we get an API. | |
276 | * The returned SPI is in network byte order. | |
277 | * We use a random number as the initial SPI so that there is | |
278 | * a good chance that different Pluto instances will choose | |
279 | * different SPIs. This is good for two reasons. | |
280 | * - the keying material for the initiator and responder only | |
281 | * differs if the SPIs differ. | |
282 | * - if Pluto is restarted, it would otherwise recycle the SPI | |
283 | * numbers and confuse everything. When the kernel generates | |
284 | * SPIs, this will no longer matter. | |
285 | * We then allocate numbers sequentially. Thus we don't have to | |
286 | * check if the number was previously used (assuming that no | |
287 | * SPI lives longer than 4G of its successors). | |
288 | */ | |
289 | ipsec_spi_t | |
290 | get_ipsec_spi(ipsec_spi_t avoid, int proto, struct spd_route *sr, bool tunnel) | |
291 | { | |
292 | static ipsec_spi_t spi = 0; /* host order, so not returned directly! */ | |
293 | char text_said[SATOT_BUF]; | |
294 | ||
295 | set_text_said(text_said, &sr->this.host_addr, 0, proto); | |
296 | ||
297 | if (kernel_ops->get_spi) | |
298 | return kernel_ops->get_spi(&sr->that.host_addr | |
299 | , &sr->this.host_addr, proto, tunnel | |
300 | , get_proto_reqid(sr->reqid, proto) | |
301 | , IPSEC_DOI_SPI_OUR_MIN, 0xffffffff | |
302 | , text_said); | |
303 | ||
304 | spi++; | |
305 | while (spi < IPSEC_DOI_SPI_OUR_MIN || spi == ntohl(avoid)) | |
306 | get_rnd_bytes((u_char *)&spi, sizeof(spi)); | |
307 | ||
308 | DBG(DBG_CONTROL, | |
309 | { | |
310 | ipsec_spi_t spi_net = htonl(spi); | |
311 | ||
312 | DBG_dump("generate SPI:", (u_char *)&spi_net, sizeof(spi_net)); | |
313 | }); | |
314 | ||
315 | return htonl(spi); | |
316 | } | |
317 | ||
318 | /* Generate Unique CPI numbers. | |
319 | * The result is returned as an SPI (4 bytes) in network order! | |
320 | * The real bits are in the nework-low-order 2 bytes. | |
321 | * Modelled on get_ipsec_spi, but range is more limited: | |
322 | * 256-61439. | |
323 | * If we can't find one easily, return 0 (a bad SPI, | |
324 | * no matter what order) indicating failure. | |
325 | */ | |
326 | ipsec_spi_t | |
327 | get_my_cpi(struct spd_route *sr, bool tunnel) | |
328 | { | |
329 | static cpi_t | |
330 | first_busy_cpi = 0, | |
331 | latest_cpi; | |
332 | char text_said[SATOT_BUF]; | |
333 | ||
334 | set_text_said(text_said, &sr->this.host_addr, 0, IPPROTO_COMP); | |
335 | ||
336 | if (kernel_ops->get_spi) | |
337 | return kernel_ops->get_spi(&sr->that.host_addr | |
338 | , &sr->this.host_addr, IPPROTO_COMP, tunnel | |
339 | , get_proto_reqid(sr->reqid, IPPROTO_COMP) | |
340 | , IPCOMP_FIRST_NEGOTIATED, IPCOMP_LAST_NEGOTIATED | |
341 | , text_said); | |
342 | ||
343 | while (!(IPCOMP_FIRST_NEGOTIATED <= first_busy_cpi && first_busy_cpi < IPCOMP_LAST_NEGOTIATED)) | |
344 | { | |
345 | get_rnd_bytes((u_char *)&first_busy_cpi, sizeof(first_busy_cpi)); | |
346 | latest_cpi = first_busy_cpi; | |
347 | } | |
348 | ||
349 | latest_cpi++; | |
350 | ||
351 | if (latest_cpi == first_busy_cpi) | |
352 | find_my_cpi_gap(&latest_cpi, &first_busy_cpi); | |
353 | ||
354 | if (latest_cpi > IPCOMP_LAST_NEGOTIATED) | |
355 | latest_cpi = IPCOMP_FIRST_NEGOTIATED; | |
356 | ||
357 | return htonl((ipsec_spi_t)latest_cpi); | |
358 | } | |
359 | ||
360 | /* invoke the updown script to do the routing and firewall commands required | |
361 | * | |
362 | * The user-specified updown script is run. Parameters are fed to it in | |
363 | * the form of environment variables. All such environment variables | |
364 | * have names starting with "PLUTO_". | |
365 | * | |
366 | * The operation to be performed is specified by PLUTO_VERB. This | |
367 | * verb has a suffix "-host" if the client on this end is just the | |
368 | * host; otherwise the suffix is "-client". If the address family | |
369 | * of the host is IPv6, an extra suffix of "-v6" is added. | |
370 | * | |
371 | * "prepare-host" and "prepare-client" are used to delete a route | |
372 | * that may exist (due to forces outside of Pluto). It is used to | |
373 | * prepare for pluto creating a route. | |
374 | * | |
375 | * "route-host" and "route-client" are used to install a route. | |
376 | * Since routing is based only on destination, the PLUTO_MY_CLIENT_* | |
377 | * values are probably of no use (using them may signify a bug). | |
378 | * | |
379 | * "unroute-host" and "unroute-client" are used to delete a route. | |
380 | * Since routing is based only on destination, the PLUTO_MY_CLIENT_* | |
381 | * values are probably of no use (using them may signify a bug). | |
382 | * | |
383 | * "up-host" and "up-client" are run when an eroute is added (not replaced). | |
384 | * They are useful for adjusting a firewall: usually for adding a rule | |
385 | * to let processed packets flow between clients. Note that only | |
386 | * one eroute may exist for a pair of client subnets but inbound | |
387 | * IPsec SAs may persist without an eroute. | |
388 | * | |
389 | * "down-host" and "down-client" are run when an eroute is deleted. | |
390 | * They are useful for adjusting a firewall. | |
391 | */ | |
392 | ||
393 | #ifndef DEFAULT_UPDOWN | |
394 | # define DEFAULT_UPDOWN "ipsec _updown" | |
395 | #endif | |
396 | ||
397 | static bool | |
398 | do_command(struct connection *c, struct spd_route *sr, const char *verb) | |
399 | { | |
400 | char cmd[1536]; /* arbitrary limit on shell command length */ | |
401 | const char *verb_suffix; | |
402 | ||
403 | /* figure out which verb suffix applies */ | |
404 | { | |
405 | const char *hs, *cs; | |
406 | ||
407 | switch (addrtypeof(&sr->this.host_addr)) | |
408 | { | |
409 | case AF_INET: | |
410 | hs = "-host"; | |
411 | cs = "-client"; | |
412 | break; | |
413 | case AF_INET6: | |
414 | hs = "-host-v6"; | |
415 | cs = "-client-v6"; | |
416 | break; | |
417 | default: | |
418 | loglog(RC_LOG_SERIOUS, "unknown address family"); | |
419 | return FALSE; | |
420 | } | |
421 | verb_suffix = subnetisaddr(&sr->this.client, &sr->this.host_addr) | |
422 | ? hs : cs; | |
423 | } | |
424 | ||
425 | /* form the command string */ | |
426 | { | |
427 | char | |
428 | nexthop_str[sizeof("PLUTO_NEXT_HOP='' ") +ADDRTOT_BUF] = "", | |
429 | srcip_str[sizeof("PLUTO_MY_SOURCEIP='' ")+ADDRTOT_BUF] = "", | |
430 | me_str[ADDRTOT_BUF], | |
431 | myid_str[BUF_LEN], | |
432 | myclient_str[SUBNETTOT_BUF], | |
433 | myclientnet_str[ADDRTOT_BUF], | |
434 | myclientmask_str[ADDRTOT_BUF], | |
435 | peer_str[ADDRTOT_BUF], | |
436 | peerid_str[BUF_LEN], | |
437 | peerclient_str[SUBNETTOT_BUF], | |
438 | peerclientnet_str[ADDRTOT_BUF], | |
439 | peerclientmask_str[ADDRTOT_BUF], | |
440 | peerca_str[BUF_LEN], | |
441 | secure_myid_str[BUF_LEN] = "", | |
442 | secure_peerid_str[BUF_LEN] = "", | |
443 | secure_peerca_str[BUF_LEN] = ""; | |
444 | ip_address ta; | |
445 | pubkey_list_t *p; | |
446 | ||
447 | if (addrbytesptr(&sr->this.host_nexthop, NULL) | |
448 | && !isanyaddr(&sr->this.host_nexthop)) | |
449 | { | |
450 | char *n; | |
451 | ||
452 | strcpy(nexthop_str, "PLUTO_NEXT_HOP='"); | |
453 | n = nexthop_str + strlen(nexthop_str); | |
454 | ||
455 | addrtot(&sr->this.host_nexthop, 0 | |
456 | ,n , sizeof(nexthop_str)-strlen(nexthop_str)); | |
457 | strncat(nexthop_str, "' ", sizeof(nexthop_str)); | |
458 | } | |
459 | ||
460 | if (addrbytesptr(&sr->this.host_srcip, NULL) | |
461 | && !isanyaddr(&sr->this.host_srcip)) | |
462 | { | |
463 | char *n; | |
464 | ||
465 | strcpy(srcip_str, "PLUTO_MY_SOURCEIP='"); | |
466 | n = srcip_str + strlen(srcip_str); | |
467 | ||
468 | addrtot(&sr->this.host_srcip, 0 | |
469 | ,n , sizeof(srcip_str)-strlen(srcip_str)); | |
470 | strncat(srcip_str, "' ", sizeof(srcip_str)); | |
471 | } | |
472 | ||
473 | addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str)); | |
474 | idtoa(&sr->this.id, myid_str, sizeof(myid_str)); | |
475 | escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str)); | |
476 | subnettot(&sr->this.client, 0, myclient_str, sizeof(myclientnet_str)); | |
477 | networkof(&sr->this.client, &ta); | |
478 | addrtot(&ta, 0, myclientnet_str, sizeof(myclientnet_str)); | |
479 | maskof(&sr->this.client, &ta); | |
480 | addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str)); | |
481 | ||
482 | addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str)); | |
483 | idtoa(&sr->that.id, peerid_str, sizeof(peerid_str)); | |
484 | escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str)); | |
485 | subnettot(&sr->that.client, 0, peerclient_str, sizeof(peerclientnet_str)); | |
486 | networkof(&sr->that.client, &ta); | |
487 | addrtot(&ta, 0, peerclientnet_str, sizeof(peerclientnet_str)); | |
488 | maskof(&sr->that.client, &ta); | |
489 | addrtot(&ta, 0, peerclientmask_str, sizeof(peerclientmask_str)); | |
490 | ||
491 | for (p = pubkeys; p != NULL; p = p->next) | |
492 | { | |
493 | pubkey_t *key = p->key; | |
494 | int pathlen; | |
495 | ||
496 | if (key->alg == PUBKEY_ALG_RSA && same_id(&sr->that.id, &key->id) | |
497 | && trusted_ca(key->issuer, sr->that.ca, &pathlen)) | |
498 | { | |
499 | dntoa_or_null(peerca_str, BUF_LEN, key->issuer, ""); | |
500 | escape_metachar(peerca_str, secure_peerca_str, sizeof(secure_peerca_str)); | |
501 | break; | |
502 | } | |
503 | } | |
504 | ||
505 | if (-1 == snprintf(cmd, sizeof(cmd) | |
506 | , "2>&1 " /* capture stderr along with stdout */ | |
507 | "PLUTO_VERSION='1.1' " /* change VERSION when interface spec changes */ | |
508 | "PLUTO_VERB='%s%s' " | |
509 | "PLUTO_CONNECTION='%s' " | |
510 | "%s" /* optional PLUTO_NEXT_HOP */ | |
511 | "PLUTO_INTERFACE='%s' " | |
512 | "%s" /* optional PLUTO_HOST_ACCESS */ | |
513 | "PLUTO_REQID='%u' " | |
514 | "PLUTO_ME='%s' " | |
515 | "PLUTO_MY_ID='%s' " | |
516 | "PLUTO_MY_CLIENT='%s' " | |
517 | "PLUTO_MY_CLIENT_NET='%s' " | |
518 | "PLUTO_MY_CLIENT_MASK='%s' " | |
519 | "PLUTO_MY_PORT='%u' " | |
520 | "PLUTO_MY_PROTOCOL='%u' " | |
521 | "PLUTO_PEER='%s' " | |
522 | "PLUTO_PEER_ID='%s' " | |
523 | "PLUTO_PEER_CLIENT='%s' " | |
524 | "PLUTO_PEER_CLIENT_NET='%s' " | |
525 | "PLUTO_PEER_CLIENT_MASK='%s' " | |
526 | "PLUTO_PEER_PORT='%u' " | |
527 | "PLUTO_PEER_PROTOCOL='%u' " | |
528 | "PLUTO_PEER_CA='%s' " | |
529 | "%s" /* optional PLUTO_MY_SRCIP */ | |
530 | "%s" /* actual script */ | |
531 | , verb, verb_suffix | |
532 | , c->name | |
533 | , nexthop_str | |
534 | , c->interface->vname | |
535 | , sr->this.hostaccess? "PLUTO_HOST_ACCESS='1' " : "" | |
536 | , sr->reqid + 1 /* ESP requid */ | |
537 | , me_str | |
538 | , secure_myid_str | |
539 | , myclient_str | |
540 | , myclientnet_str | |
541 | , myclientmask_str | |
542 | , sr->this.port | |
543 | , sr->this.protocol | |
544 | , peer_str | |
545 | , secure_peerid_str | |
546 | , peerclient_str | |
547 | , peerclientnet_str | |
548 | , peerclientmask_str | |
549 | , sr->that.port | |
550 | , sr->that.protocol | |
551 | , secure_peerca_str | |
552 | , srcip_str | |
553 | , sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown)) | |
554 | { | |
555 | loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix); | |
556 | return FALSE; | |
557 | } | |
558 | } | |
559 | ||
560 | DBG(DBG_CONTROL, DBG_log("executing %s%s: %s" | |
561 | , verb, verb_suffix, cmd)); | |
562 | ||
563 | #ifdef KLIPS | |
564 | if (!no_klips) | |
565 | { | |
566 | /* invoke the script, catching stderr and stdout | |
567 | * It may be of concern that some file descriptors will | |
568 | * be inherited. For the ones under our control, we | |
569 | * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this. | |
570 | * Any used by library routines (perhaps the resolver or syslog) | |
571 | * will remain. | |
572 | */ | |
573 | FILE *f = popen(cmd, "r"); | |
574 | ||
575 | if (f == NULL) | |
576 | { | |
577 | loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix); | |
578 | return FALSE; | |
579 | } | |
580 | ||
581 | /* log any output */ | |
582 | for (;;) | |
583 | { | |
584 | /* if response doesn't fit in this buffer, it will be folded */ | |
585 | char resp[256]; | |
586 | ||
587 | if (fgets(resp, sizeof(resp), f) == NULL) | |
588 | { | |
589 | if (ferror(f)) | |
590 | { | |
591 | log_errno((e, "fgets failed on output of %s%s command" | |
592 | , verb, verb_suffix)); | |
593 | return FALSE; | |
594 | } | |
595 | else | |
596 | { | |
597 | passert(feof(f)); | |
598 | break; | |
599 | } | |
600 | } | |
601 | else | |
602 | { | |
603 | char *e = resp + strlen(resp); | |
604 | ||
605 | if (e > resp && e[-1] == '\n') | |
606 | e[-1] = '\0'; /* trim trailing '\n' */ | |
607 | plog("%s%s output: %s", verb, verb_suffix, resp); | |
608 | } | |
609 | } | |
610 | ||
611 | /* report on and react to return code */ | |
612 | { | |
613 | int r = pclose(f); | |
614 | ||
615 | if (r == -1) | |
616 | { | |
617 | log_errno((e, "pclose failed for %s%s command" | |
618 | , verb, verb_suffix)); | |
619 | return FALSE; | |
620 | } | |
621 | else if (WIFEXITED(r)) | |
622 | { | |
623 | if (WEXITSTATUS(r) != 0) | |
624 | { | |
625 | loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d" | |
626 | , verb, verb_suffix, WEXITSTATUS(r)); | |
627 | return FALSE; | |
628 | } | |
629 | } | |
630 | else if (WIFSIGNALED(r)) | |
631 | { | |
632 | loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d" | |
633 | , verb, verb_suffix, WTERMSIG(r)); | |
634 | return FALSE; | |
635 | } | |
636 | else | |
637 | { | |
638 | loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d" | |
639 | , verb, verb_suffix, r); | |
640 | return FALSE; | |
641 | } | |
642 | } | |
643 | } | |
644 | #endif /* KLIPS */ | |
645 | return TRUE; | |
646 | } | |
647 | ||
648 | /* Check that we can route (and eroute). Diagnose if we cannot. */ | |
649 | ||
650 | enum routability { | |
651 | route_impossible = 0, | |
652 | route_easy = 1, | |
653 | route_nearconflict = 2, | |
654 | route_farconflict = 3 | |
655 | }; | |
656 | ||
657 | static enum routability | |
658 | could_route(struct connection *c) | |
659 | { | |
660 | struct spd_route *esr, *rosr; | |
661 | struct connection *ero /* who, if anyone, owns our eroute? */ | |
662 | , *ro = route_owner(c, &rosr, &ero, &esr); /* who owns our route? */ | |
663 | ||
664 | /* it makes no sense to route a connection that is ISAKMP-only */ | |
665 | if (!NEVER_NEGOTIATE(c->policy) && !HAS_IPSEC_POLICY(c->policy)) | |
666 | { | |
667 | loglog(RC_ROUTE, "cannot route an ISAKMP-only connection"); | |
668 | return route_impossible; | |
669 | } | |
670 | ||
671 | /* if this is a Road Warrior template, we cannot route. | |
672 | * Opportunistic template is OK. | |
673 | */ | |
674 | if (c->kind == CK_TEMPLATE && !(c->policy & POLICY_OPPO)) | |
675 | { | |
676 | loglog(RC_ROUTE, "cannot route Road Warrior template"); | |
677 | return route_impossible; | |
678 | } | |
679 | ||
680 | /* if we don't know nexthop, we cannot route */ | |
681 | if (isanyaddr(&c->spd.this.host_nexthop)) | |
682 | { | |
683 | loglog(RC_ROUTE, "cannot route connection without knowing our nexthop"); | |
684 | return route_impossible; | |
685 | } | |
686 | ||
687 | /* if routing would affect IKE messages, reject */ | |
688 | if (!no_klips | |
689 | #ifdef NAT_TRAVERSAL | |
690 | && c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT | |
691 | #endif | |
692 | && c->spd.this.host_port != IKE_UDP_PORT | |
693 | && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client)) | |
694 | { | |
695 | loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client"); | |
696 | return route_impossible; | |
697 | } | |
698 | ||
699 | /* If there is already a route for peer's client subnet | |
700 | * and it disagrees about interface or nexthop, we cannot steal it. | |
701 | * Note: if this connection is already routed (perhaps for another | |
702 | * state object), the route will agree. | |
703 | * This is as it should be -- it will arise during rekeying. | |
704 | */ | |
705 | if (ro != NULL && !routes_agree(ro, c)) | |
706 | { | |
707 | loglog(RC_LOG_SERIOUS, "cannot route -- route already in use for \"%s\"" | |
708 | , ro->name); | |
709 | return route_impossible; /* another connection already | |
710 | using the eroute */ | |
711 | } | |
712 | ||
713 | #ifdef KLIPS | |
714 | /* if there is an eroute for another connection, there is a problem */ | |
715 | if (ero != NULL && ero != c) | |
716 | { | |
717 | struct connection *ero2, *ero_top; | |
718 | struct connection *inside, *outside; | |
719 | ||
720 | /* | |
721 | * note, wavesec (PERMANENT) goes *outside* and | |
722 | * OE goes *inside* (TEMPLATE) | |
723 | */ | |
724 | inside = NULL; | |
725 | outside= NULL; | |
726 | if (ero->kind == CK_PERMANENT | |
727 | && c->kind == CK_TEMPLATE) | |
728 | { | |
729 | outside = ero; | |
730 | inside = c; | |
731 | } | |
732 | else if (c->kind == CK_PERMANENT | |
733 | && ero->kind == CK_TEMPLATE) | |
734 | { | |
735 | outside = c; | |
736 | inside = ero; | |
737 | } | |
738 | ||
739 | /* okay, check again, with correct order */ | |
740 | if (outside && outside->kind == CK_PERMANENT | |
741 | && inside && inside->kind == CK_TEMPLATE) | |
742 | { | |
743 | char inst[CONN_INST_BUF]; | |
744 | ||
745 | /* this is a co-terminal attempt of the "near" kind. */ | |
746 | /* when chaining, we chain from inside to outside */ | |
747 | ||
748 | /* XXX permit multiple deep connections? */ | |
749 | passert(inside->policy_next == NULL); | |
750 | ||
751 | inside->policy_next = outside; | |
752 | ||
753 | /* since we are going to steal the eroute from the secondary | |
754 | * policy, we need to make sure that it no longer thinks that | |
755 | * it owns the eroute. | |
756 | */ | |
757 | outside->spd.eroute_owner = SOS_NOBODY; | |
758 | outside->spd.routing = RT_UNROUTED_KEYED; | |
759 | ||
760 | /* set the priority of the new eroute owner to be higher | |
761 | * than that of the current eroute owner | |
762 | */ | |
763 | inside->prio = outside->prio + 1; | |
764 | ||
765 | fmt_conn_instance(inside, inst); | |
766 | ||
767 | loglog(RC_LOG_SERIOUS | |
768 | , "conflict on eroute (%s), switching eroute to %s and linking %s" | |
769 | , inst, inside->name, outside->name); | |
770 | ||
771 | return route_nearconflict; | |
772 | } | |
773 | ||
774 | /* look along the chain of policies for one with the same name */ | |
775 | ero_top = ero; | |
776 | ||
777 | for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next) | |
778 | { | |
779 | if (ero2->kind == CK_TEMPLATE | |
780 | && streq(ero2->name, c->name)) | |
781 | break; | |
782 | } | |
783 | ||
784 | /* If we fell of the end of the list, then we found no TEMPLATE | |
785 | * so there must be a conflict that we can't resolve. | |
786 | * As the names are not equal, then we aren't replacing/rekeying. | |
787 | */ | |
788 | if (ero2 == NULL) | |
789 | { | |
790 | char inst[CONN_INST_BUF]; | |
791 | ||
792 | fmt_conn_instance(ero, inst); | |
793 | ||
794 | loglog(RC_LOG_SERIOUS | |
795 | , "cannot install eroute -- it is in use for \"%s\"%s #%lu" | |
796 | , ero->name, inst, esr->eroute_owner); | |
797 | return FALSE; /* another connection already using the eroute */ | |
798 | } | |
799 | } | |
800 | #endif /* KLIPS */ | |
801 | return route_easy; | |
802 | } | |
803 | ||
804 | bool | |
805 | trap_connection(struct connection *c) | |
806 | { | |
807 | switch (could_route(c)) | |
808 | { | |
809 | case route_impossible: | |
810 | return FALSE; | |
811 | ||
812 | case route_nearconflict: | |
813 | case route_easy: | |
814 | /* RT_ROUTED_TUNNEL is treated specially: we don't override | |
815 | * because we don't want to lose track of the IPSEC_SAs etc. | |
816 | */ | |
817 | if (c->spd.routing < RT_ROUTED_TUNNEL) | |
818 | { | |
819 | return route_and_eroute(c, &c->spd, NULL); | |
820 | } | |
821 | return TRUE; | |
822 | ||
823 | case route_farconflict: | |
824 | return FALSE; | |
825 | } | |
826 | ||
827 | return FALSE; | |
828 | } | |
829 | ||
830 | /* delete any eroute for a connection and unroute it if route isn't shared */ | |
831 | void | |
832 | unroute_connection(struct connection *c) | |
833 | { | |
834 | struct spd_route *sr; | |
835 | enum routing_t cr; | |
836 | ||
837 | for (sr = &c->spd; sr; sr = sr->next) | |
838 | { | |
839 | cr = sr->routing; | |
840 | ||
841 | if (erouted(cr)) | |
842 | { | |
843 | /* cannot handle a live one */ | |
844 | passert(sr->routing != RT_ROUTED_TUNNEL); | |
845 | #ifdef KLIPS | |
846 | shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete"); | |
847 | #endif | |
848 | } | |
849 | ||
850 | sr->routing = RT_UNROUTED; /* do now so route_owner won't find us */ | |
851 | ||
852 | /* only unroute if no other connection shares it */ | |
853 | if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL) | |
854 | (void) do_command(c, sr, "unroute"); | |
855 | } | |
856 | } | |
857 | ||
858 | ||
859 | #ifdef KLIPS | |
860 | ||
861 | static void | |
862 | set_text_said(char *text_said, const ip_address *dst, ipsec_spi_t spi, int proto) | |
863 | { | |
864 | ip_said said; | |
865 | ||
866 | initsaid(dst, spi, proto, &said); | |
867 | satot(&said, 0, text_said, SATOT_BUF); | |
868 | } | |
869 | ||
870 | /* find an entry in the bare_shunt table. | |
871 | * Trick: return a pointer to the pointer to the entry; | |
872 | * this allows the entry to be deleted. | |
873 | */ | |
874 | static struct bare_shunt ** | |
875 | bare_shunt_ptr(const ip_subnet *ours, const ip_subnet *his, int transport_proto) | |
876 | { | |
877 | struct bare_shunt *p, **pp; | |
878 | ||
879 | for (pp = &bare_shunts; (p = *pp) != NULL; pp = &p->next) | |
880 | { | |
881 | if (samesubnet(ours, &p->ours) | |
882 | && samesubnet(his, &p->his) | |
883 | && transport_proto == p->transport_proto | |
884 | && portof(&ours->addr) == portof(&p->ours.addr) | |
885 | && portof(&his->addr) == portof(&p->his.addr)) | |
886 | return pp; | |
887 | } | |
888 | return NULL; | |
889 | } | |
890 | ||
891 | /* free a bare_shunt entry, given a pointer to the pointer */ | |
892 | static void | |
893 | free_bare_shunt(struct bare_shunt **pp) | |
894 | { | |
895 | if (pp == NULL) | |
896 | { | |
897 | DBG(DBG_CONTROL, | |
898 | DBG_log("delete bare shunt: null pointer") | |
899 | ) | |
900 | } | |
901 | else | |
902 | { | |
903 | struct bare_shunt *p = *pp; | |
904 | ||
905 | *pp = p->next; | |
906 | DBG_bare_shunt("delete", p); | |
907 | pfree(p->why); | |
908 | pfree(p); | |
909 | } | |
910 | } | |
911 | ||
912 | void | |
913 | show_shunt_status(void) | |
914 | { | |
915 | struct bare_shunt *bs; | |
916 | ||
917 | for (bs = bare_shunts; bs != NULL; bs = bs->next) | |
918 | { | |
919 | /* Print interesting fields. Ignore count and last_active. */ | |
920 | ||
921 | int ourport = ntohs(portof(&bs->ours.addr)); | |
922 | int hisport = ntohs(portof(&bs->his.addr)); | |
923 | char ourst[SUBNETTOT_BUF]; | |
924 | char hist[SUBNETTOT_BUF]; | |
925 | char sat[SATOT_BUF]; | |
926 | char prio[POLICY_PRIO_BUF]; | |
927 | ||
928 | subnettot(&(bs)->ours, 0, ourst, sizeof(ourst)); | |
929 | subnettot(&(bs)->his, 0, hist, sizeof(hist)); | |
930 | satot(&(bs)->said, 0, sat, sizeof(sat)); | |
931 | fmt_policy_prio(bs->policy_prio, prio); | |
932 | ||
933 | whack_log(RC_COMMENT, "%s:%d -> %s:%d => %s:%d %s %s" | |
934 | , ourst, ourport, hist, hisport, sat, bs->transport_proto | |
935 | , prio, bs->why); | |
936 | } | |
9820c0e2 MW |
937 | if (bare_shunts != NULL) |
938 | whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */ | |
997358a6 MW |
939 | } |
940 | ||
941 | /* Setup an IPsec route entry. | |
942 | * op is one of the ERO_* operators. | |
943 | */ | |
944 | ||
945 | static bool | |
946 | raw_eroute(const ip_address *this_host | |
947 | , const ip_subnet *this_client | |
948 | , const ip_address *that_host | |
949 | , const ip_subnet *that_client | |
950 | , ipsec_spi_t spi | |
951 | , unsigned int proto | |
952 | , unsigned int satype | |
953 | , unsigned int transport_proto | |
954 | , const struct pfkey_proto_info *proto_info | |
955 | , time_t use_lifetime | |
956 | , unsigned int op | |
957 | , const char *opname USED_BY_DEBUG) | |
958 | { | |
959 | char text_said[SATOT_BUF]; | |
960 | ||
961 | set_text_said(text_said, that_host, spi, proto); | |
962 | ||
963 | DBG(DBG_CONTROL | DBG_KLIPS, | |
964 | { | |
965 | int sport = ntohs(portof(&this_client->addr)); | |
966 | int dport = ntohs(portof(&that_client->addr)); | |
967 | char mybuf[SUBNETTOT_BUF]; | |
968 | char peerbuf[SUBNETTOT_BUF]; | |
969 | ||
970 | subnettot(this_client, 0, mybuf, sizeof(mybuf)); | |
971 | subnettot(that_client, 0, peerbuf, sizeof(peerbuf)); | |
972 | DBG_log("%s eroute %s:%d -> %s:%d => %s:%d" | |
973 | , opname, mybuf, sport, peerbuf, dport | |
974 | , text_said, transport_proto); | |
975 | }); | |
976 | ||
977 | return kernel_ops->raw_eroute(this_host, this_client | |
978 | , that_host, that_client, spi, satype, transport_proto, proto_info | |
979 | , use_lifetime, op, text_said); | |
980 | } | |
981 | ||
982 | /* test to see if %hold remains */ | |
983 | bool | |
984 | has_bare_hold(const ip_address *src, const ip_address *dst, int transport_proto) | |
985 | { | |
986 | ip_subnet this_client, that_client; | |
987 | struct bare_shunt **bspp; | |
988 | ||
989 | passert(addrtypeof(src) == addrtypeof(dst)); | |
990 | happy(addrtosubnet(src, &this_client)); | |
991 | happy(addrtosubnet(dst, &that_client)); | |
992 | bspp = bare_shunt_ptr(&this_client, &that_client, transport_proto); | |
993 | return bspp != NULL | |
994 | && (*bspp)->said.proto == SA_INT && (*bspp)->said.spi == htonl(SPI_HOLD); | |
995 | } | |
996 | ||
997 | ||
998 | /* Replace (or delete) a shunt that is in the bare_shunts table. | |
999 | * Issues the PF_KEY commands and updates the bare_shunts table. | |
1000 | */ | |
1001 | bool | |
1002 | replace_bare_shunt(const ip_address *src, const ip_address *dst | |
1003 | , policy_prio_t policy_prio | |
1004 | , ipsec_spi_t shunt_spi /* in host order! */ | |
1005 | , bool repl /* if TRUE, replace; if FALSE, delete */ | |
1006 | , unsigned int transport_proto | |
1007 | , const char *why) | |
1008 | { | |
1009 | ip_subnet this_client, that_client; | |
1010 | ip_subnet this_broad_client, that_broad_client; | |
1011 | const ip_address *null_host = aftoinfo(addrtypeof(src))->any; | |
1012 | ||
1013 | passert(addrtypeof(src) == addrtypeof(dst)); | |
1014 | happy(addrtosubnet(src, &this_client)); | |
1015 | happy(addrtosubnet(dst, &that_client)); | |
1016 | this_broad_client = this_client; | |
1017 | that_broad_client = that_client; | |
1018 | setportof(0, &this_broad_client.addr); | |
1019 | setportof(0, &that_broad_client.addr); | |
1020 | ||
1021 | if (repl) | |
1022 | { | |
1023 | struct bare_shunt **bs_pp = bare_shunt_ptr(&this_broad_client | |
1024 | , &that_broad_client, 0); | |
1025 | ||
1026 | /* is there already a broad host-to-host bare shunt? */ | |
1027 | if (bs_pp == NULL) | |
1028 | { | |
1029 | if (raw_eroute(null_host, &this_broad_client, null_host, &that_broad_client | |
1030 | , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT | |
1031 | , 0, null_proto_info | |
1032 | , SHUNT_PATIENCE, ERO_ADD, why)) | |
1033 | { | |
1034 | struct bare_shunt *bs = alloc_thing(struct bare_shunt, "bare shunt"); | |
1035 | ||
1036 | bs->ours = this_broad_client; | |
1037 | bs->his = that_broad_client; | |
1038 | bs->transport_proto = 0; | |
1039 | bs->said.proto = SA_INT; | |
1040 | bs->why = clone_str(why, "bare shunt story"); | |
1041 | bs->policy_prio = policy_prio; | |
1042 | bs->said.spi = htonl(shunt_spi); | |
1043 | bs->said.dst = *null_host; | |
1044 | bs->count = 0; | |
1045 | bs->last_activity = now(); | |
1046 | bs->next = bare_shunts; | |
1047 | bare_shunts = bs; | |
1048 | DBG_bare_shunt("add", bs); | |
1049 | } | |
1050 | } | |
1051 | shunt_spi = SPI_HOLD; | |
1052 | } | |
1053 | ||
1054 | if (raw_eroute(null_host, &this_client, null_host, &that_client | |
1055 | , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT | |
1056 | , transport_proto, null_proto_info | |
1057 | , SHUNT_PATIENCE, ERO_DELETE, why)) | |
1058 | { | |
1059 | struct bare_shunt **bs_pp = bare_shunt_ptr(&this_client, &that_client | |
1060 | , transport_proto); | |
1061 | ||
1062 | /* delete bare eroute */ | |
1063 | free_bare_shunt(bs_pp); | |
1064 | return TRUE; | |
1065 | } | |
1066 | else | |
1067 | { | |
1068 | return FALSE; | |
1069 | } | |
1070 | } | |
1071 | ||
1072 | static bool | |
1073 | eroute_connection(struct spd_route *sr | |
1074 | , ipsec_spi_t spi, unsigned int proto, unsigned int satype | |
1075 | , const struct pfkey_proto_info *proto_info | |
1076 | , unsigned int op, const char *opname) | |
1077 | { | |
1078 | const ip_address *peer = &sr->that.host_addr; | |
1079 | char buf2[256]; | |
1080 | ||
1081 | snprintf(buf2, sizeof(buf2) | |
1082 | , "eroute_connection %s", opname); | |
1083 | ||
1084 | if (proto == SA_INT) | |
1085 | peer = aftoinfo(addrtypeof(peer))->any; | |
1086 | ||
1087 | return raw_eroute(&sr->this.host_addr, &sr->this.client | |
1088 | , peer | |
1089 | , &sr->that.client | |
1090 | , spi, proto, satype | |
1091 | , sr->this.protocol, proto_info, 0, op, buf2); | |
1092 | } | |
1093 | ||
1094 | /* assign a bare hold to a connection */ | |
1095 | ||
1096 | bool | |
1097 | assign_hold(struct connection *c USED_BY_DEBUG | |
1098 | , struct spd_route *sr | |
1099 | , int transport_proto | |
1100 | , const ip_address *src, const ip_address *dst) | |
1101 | { | |
1102 | /* either the automatically installed %hold eroute is broad enough | |
1103 | * or we try to add a broader one and delete the automatic one. | |
1104 | * Beware: this %hold might be already handled, but still squeak | |
1105 | * through because of a race. | |
1106 | */ | |
1107 | enum routing_t ro = sr->routing /* routing, old */ | |
1108 | , rn = ro; /* routing, new */ | |
1109 | ||
1110 | passert(LHAS(LELEM(CK_PERMANENT) | LELEM(CK_INSTANCE), c->kind)); | |
1111 | /* figure out what routing should become */ | |
1112 | switch (ro) | |
1113 | { | |
1114 | case RT_UNROUTED: | |
1115 | rn = RT_UNROUTED_HOLD; | |
1116 | break; | |
1117 | case RT_ROUTED_PROSPECTIVE: | |
1118 | rn = RT_ROUTED_HOLD; | |
1119 | break; | |
1120 | default: | |
1121 | /* no change: this %hold is old news and should just be deleted */ | |
1122 | break; | |
1123 | } | |
1124 | ||
1125 | /* we need a broad %hold, not the narrow one. | |
1126 | * First we ensure that there is a broad %hold. | |
1127 | * There may already be one (race condition): no need to create one. | |
1128 | * There may already be a %trap: replace it. | |
1129 | * There may not be any broad eroute: add %hold. | |
1130 | * Once the broad %hold is in place, delete the narrow one. | |
1131 | */ | |
1132 | if (rn != ro) | |
1133 | { | |
1134 | if (erouted(ro) | |
1135 | ? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT | |
1136 | , null_proto_info | |
1137 | , ERO_REPLACE, "replace %trap with broad %hold") | |
1138 | : !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT | |
1139 | , null_proto_info | |
1140 | , ERO_ADD, "add broad %hold")) | |
1141 | { | |
1142 | return FALSE; | |
1143 | } | |
1144 | } | |
1145 | if (!replace_bare_shunt(src, dst, BOTTOM_PRIO, SPI_HOLD, FALSE | |
1146 | , transport_proto, "delete narrow %hold")) | |
1147 | { | |
1148 | return FALSE; | |
1149 | } | |
1150 | sr->routing = rn; | |
1151 | return TRUE; | |
1152 | } | |
1153 | ||
1154 | /* install or remove eroute for SA Group */ | |
1155 | static bool | |
1156 | sag_eroute(struct state *st, struct spd_route *sr | |
1157 | , unsigned op, const char *opname) | |
1158 | { | |
1159 | u_int inner_proto = 0; | |
1160 | u_int inner_satype = 0; | |
1161 | ipsec_spi_t inner_spi = 0; | |
1162 | struct pfkey_proto_info proto_info[4]; | |
1163 | int i; | |
1164 | bool tunnel; | |
1165 | ||
1166 | /* figure out the SPI and protocol (in two forms) | |
1167 | * for the innermost transformation. | |
1168 | */ | |
1169 | ||
1170 | i = sizeof(proto_info) / sizeof(proto_info[0]) - 1; | |
1171 | proto_info[i].proto = 0; | |
1172 | tunnel = FALSE; | |
1173 | ||
1174 | if (st->st_ah.present) | |
1175 | { | |
1176 | inner_spi = st->st_ah.attrs.spi; | |
1177 | inner_proto = SA_AH; | |
1178 | inner_satype = SADB_SATYPE_AH; | |
1179 | ||
1180 | i--; | |
1181 | proto_info[i].proto = IPPROTO_AH; | |
1182 | proto_info[i].encapsulation = st->st_ah.attrs.encapsulation; | |
1183 | tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL; | |
1184 | proto_info[i].reqid = sr->reqid; | |
1185 | } | |
1186 | ||
1187 | if (st->st_esp.present) | |
1188 | { | |
1189 | inner_spi = st->st_esp.attrs.spi; | |
1190 | inner_proto = SA_ESP; | |
1191 | inner_satype = SADB_SATYPE_ESP; | |
1192 | ||
1193 | i--; | |
1194 | proto_info[i].proto = IPPROTO_ESP; | |
1195 | proto_info[i].encapsulation = st->st_esp.attrs.encapsulation; | |
1196 | tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL; | |
1197 | proto_info[i].reqid = sr->reqid + 1; | |
1198 | } | |
1199 | ||
1200 | if (st->st_ipcomp.present) | |
1201 | { | |
1202 | inner_spi = st->st_ipcomp.attrs.spi; | |
1203 | inner_proto = SA_COMP; | |
1204 | inner_satype = SADB_X_SATYPE_COMP; | |
1205 | ||
1206 | i--; | |
1207 | proto_info[i].proto = IPPROTO_COMP; | |
1208 | proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation; | |
1209 | tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL; | |
1210 | proto_info[i].reqid = sr->reqid + 2; | |
1211 | } | |
1212 | ||
1213 | if (i == sizeof(proto_info) / sizeof(proto_info[0]) - 1) | |
1214 | { | |
1215 | impossible(); /* no transform at all! */ | |
1216 | } | |
1217 | ||
1218 | if (tunnel) | |
1219 | { | |
1220 | int j; | |
1221 | ||
1222 | inner_spi = st->st_tunnel_out_spi; | |
1223 | inner_proto = SA_IPIP; | |
1224 | inner_satype = SADB_X_SATYPE_IPIP; | |
1225 | ||
1226 | proto_info[i].encapsulation = ENCAPSULATION_MODE_TUNNEL; | |
1227 | for (j = i + 1; proto_info[j].proto; j++) | |
1228 | { | |
1229 | proto_info[j].encapsulation = ENCAPSULATION_MODE_TRANSPORT; | |
1230 | } | |
1231 | } | |
1232 | ||
1233 | return eroute_connection(sr | |
1234 | , inner_spi, inner_proto, inner_satype, proto_info + i | |
1235 | , op, opname); | |
1236 | } | |
1237 | ||
1238 | /* compute a (host-order!) SPI to implement the policy in connection c */ | |
1239 | ipsec_spi_t | |
1240 | shunt_policy_spi(struct connection *c, bool prospective) | |
1241 | { | |
1242 | /* note: these are in host order :-( */ | |
1243 | static const ipsec_spi_t shunt_spi[] = | |
1244 | { | |
1245 | SPI_TRAP, /* --initiateontraffic */ | |
1246 | SPI_PASS, /* --pass */ | |
1247 | SPI_DROP, /* --drop */ | |
1248 | SPI_REJECT, /* --reject */ | |
1249 | }; | |
1250 | ||
1251 | static const ipsec_spi_t fail_spi[] = | |
1252 | { | |
1253 | 0, /* --none*/ | |
1254 | SPI_PASS, /* --failpass */ | |
1255 | SPI_DROP, /* --faildrop */ | |
1256 | SPI_REJECT, /* --failreject */ | |
1257 | }; | |
1258 | ||
1259 | return prospective | |
1260 | ? shunt_spi[(c->policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT] | |
1261 | : fail_spi[(c->policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT]; | |
1262 | } | |
1263 | ||
1264 | /* Add/replace/delete a shunt eroute. | |
1265 | * Such an eroute determines the fate of packets without the use | |
1266 | * of any SAs. These are defaults, in effect. | |
1267 | * If a negotiation has not been attempted, use %trap. | |
1268 | * If negotiation has failed, the choice between %trap/%pass/%drop/%reject | |
1269 | * is specified in the policy of connection c. | |
1270 | */ | |
1271 | static bool | |
1272 | shunt_eroute(struct connection *c | |
1273 | , struct spd_route *sr | |
1274 | , enum routing_t rt_kind | |
1275 | , unsigned int op, const char *opname) | |
1276 | { | |
1277 | /* We are constructing a special SAID for the eroute. | |
1278 | * The destination doesn't seem to matter, but the family does. | |
1279 | * The protocol is SA_INT -- mark this as shunt. | |
1280 | * The satype has no meaning, but is required for PF_KEY header! | |
1281 | * The SPI signifies the kind of shunt. | |
1282 | */ | |
1283 | ipsec_spi_t spi = shunt_policy_spi(c, rt_kind == RT_ROUTED_PROSPECTIVE); | |
1284 | bool ok; | |
1285 | ||
1286 | if (spi == 0) | |
1287 | { | |
1288 | /* we're supposed to end up with no eroute: rejig op and opname */ | |
1289 | switch (op) | |
1290 | { | |
1291 | case ERO_REPLACE: | |
1292 | /* replace with nothing == delete */ | |
1293 | op = ERO_DELETE; | |
1294 | opname = "delete"; | |
1295 | break; | |
1296 | case ERO_ADD: | |
1297 | /* add nothing == do nothing */ | |
1298 | return TRUE; | |
1299 | case ERO_DELETE: | |
1300 | /* delete remains delete */ | |
1301 | break; | |
1302 | default: | |
1303 | bad_case(op); | |
1304 | } | |
1305 | } | |
1306 | if (sr->routing == RT_ROUTED_ECLIPSED && c->kind == CK_TEMPLATE) | |
1307 | { | |
1308 | /* We think that we have an eroute, but we don't. | |
1309 | * Adjust the request and account for eclipses. | |
1310 | */ | |
1311 | passert(eclipsable(sr)); | |
1312 | switch (op) | |
1313 | { | |
1314 | case ERO_REPLACE: | |
1315 | /* really an add */ | |
1316 | op = ERO_ADD; | |
1317 | opname = "replace eclipsed"; | |
1318 | eclipse_count--; | |
1319 | break; | |
1320 | case ERO_DELETE: | |
1321 | /* delete unnecessary: we don't actually have an eroute */ | |
1322 | eclipse_count--; | |
1323 | return TRUE; | |
1324 | case ERO_ADD: | |
1325 | default: | |
1326 | bad_case(op); | |
1327 | } | |
1328 | } | |
1329 | else if (eclipse_count > 0 && op == ERO_DELETE && eclipsable(sr)) | |
1330 | { | |
1331 | /* maybe we are uneclipsing something */ | |
1332 | struct spd_route *esr; | |
1333 | struct connection *ue = eclipsed(c, &esr); | |
1334 | ||
1335 | if (ue != NULL) | |
1336 | { | |
1337 | esr->routing = RT_ROUTED_PROSPECTIVE; | |
1338 | return shunt_eroute(ue, esr | |
1339 | , RT_ROUTED_PROSPECTIVE, ERO_REPLACE, "restoring eclipsed"); | |
1340 | } | |
1341 | } | |
1342 | ||
1343 | ok = TRUE; | |
1344 | if (kernel_ops->inbound_eroute) | |
1345 | { | |
1346 | ok = raw_eroute(&c->spd.that.host_addr, &c->spd.that.client | |
1347 | , &c->spd.this.host_addr, &c->spd.this.client | |
1348 | , htonl(spi), SA_INT, SADB_X_SATYPE_INT | |
1349 | , 0, null_proto_info, 0 | |
1350 | , op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), opname); | |
1351 | } | |
1352 | return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT | |
1353 | , null_proto_info, op, opname) && ok; | |
1354 | } | |
1355 | ||
1356 | ||
1357 | /* | |
1358 | * This is only called when s is a likely SAID with trailing protocol i.e. | |
1359 | * it has the form :- | |
1360 | * | |
1361 | * %<keyword>:p | |
1362 | * <ip-proto><spi>@a.b.c.d:p | |
1363 | * | |
1364 | * The task here is to remove the ":p" part so that the rest can be read | |
1365 | * by another routine. | |
1366 | */ | |
1367 | static const char * | |
1368 | read_proto(const char * s, size_t * len, int * transport_proto) | |
1369 | { | |
1370 | const char * p; | |
1371 | const char * ugh; | |
1372 | unsigned long proto; | |
1373 | size_t l; | |
1374 | ||
1375 | l = *len; | |
1376 | p = memchr(s, ':', l); | |
1377 | if (p == 0) { | |
1378 | *transport_proto = 0; | |
1379 | return 0; | |
1380 | } | |
1381 | ugh = ttoul(p+1, l-((p-s)+1), 10, &proto); | |
1382 | if (ugh != 0) | |
1383 | return ugh; | |
1384 | if (proto > 65535) | |
1385 | return "protocol number is too large, legal range is 0-65535"; | |
1386 | *len = p-s; | |
1387 | *transport_proto = proto; | |
1388 | return 0; | |
1389 | } | |
1390 | ||
1391 | ||
1392 | /* scan /proc/net/ipsec_eroute every once in a while, looking for: | |
1393 | * | |
1394 | * - %hold shunts of which Pluto isn't aware. This situation could | |
1395 | * be caused by lost ACQUIRE messages. When found, they will | |
1396 | * added to orphan_holds. This in turn will lead to Opportunistic | |
1397 | * initiation. | |
1398 | * | |
1399 | * - other kinds of shunts that haven't been used recently. These will be | |
1400 | * deleted. They represent OE failures. | |
1401 | * | |
1402 | * - recording recent uses of tunnel eroutes so that rekeying decisions | |
1403 | * can be made for OE connections. | |
1404 | * | |
1405 | * Here are some sample lines: | |
1406 | * 10 10.3.2.1.0/24 -> 0.0.0.0/0 => %trap | |
1407 | * 259 10.3.2.1.115/32 -> 10.19.75.161/32 => tun0x1002@10.19.75.145 | |
1408 | * 71 10.44.73.97/32 -> 0.0.0.0/0 => %trap | |
1409 | * 4119 10.44.73.97/32 -> 10.114.121.41/32 => %pass | |
1410 | * Newer versions of KLIPS start each line with a 32-bit packet count. | |
1411 | * If available, the count is used to detect whether a %pass shunt is in use. | |
1412 | * | |
1413 | * NOTE: execution time is quadratic in the number of eroutes since the | |
1414 | * searching for each is sequential. If this becomes a problem, faster | |
1415 | * searches could be implemented (hash or radix tree, for example). | |
1416 | */ | |
1417 | void | |
1418 | scan_proc_shunts(void) | |
1419 | { | |
1420 | static const char procname[] = "/proc/net/ipsec_eroute"; | |
1421 | FILE *f; | |
1422 | time_t nw = now(); | |
1423 | int lino; | |
1424 | struct eroute_info *expired = NULL; | |
1425 | ||
1426 | event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL); | |
1427 | ||
1428 | DBG(DBG_CONTROL, | |
1429 | DBG_log("scanning for shunt eroutes") | |
1430 | ) | |
1431 | ||
1432 | /* free any leftover entries: they will be refreshed if still current */ | |
1433 | while (orphaned_holds != NULL) | |
1434 | { | |
1435 | struct eroute_info *p = orphaned_holds; | |
1436 | ||
1437 | orphaned_holds = p->next; | |
1438 | pfree(orphaned_holds); | |
1439 | } | |
1440 | ||
1441 | /* decode the /proc file. Don't do anything strenuous to it | |
1442 | * (certainly no PF_KEY stuff) to minimize the chance that it | |
1443 | * might change underfoot. | |
1444 | */ | |
1445 | ||
1446 | f = fopen(procname, "r"); | |
1447 | if (f == NULL) | |
1448 | return; | |
1449 | ||
1450 | /* for each line... */ | |
1451 | for (lino = 1; ; lino++) | |
1452 | { | |
1453 | unsigned char buf[1024]; /* should be big enough */ | |
1454 | chunk_t field[10]; /* 10 is loose upper bound */ | |
1455 | chunk_t *ff = NULL; /* fixed fields (excluding optional count) */ | |
1456 | int fi; | |
1457 | struct eroute_info eri; | |
1458 | char *cp; | |
1459 | err_t context = "" | |
1460 | , ugh = NULL; | |
1461 | ||
1462 | cp = fgets(buf, sizeof(buf), f); | |
1463 | if (cp == NULL) | |
1464 | break; | |
1465 | ||
1466 | /* break out each field | |
1467 | * Note: if there are too many fields, just stop; | |
1468 | * it will be diagnosed a little later. | |
1469 | */ | |
1470 | for (fi = 0; fi < (int)elemsof(field); fi++) | |
1471 | { | |
1472 | static const char sep[] = " \t\n"; /* field-separating whitespace */ | |
1473 | size_t w; | |
1474 | ||
1475 | cp += strspn(cp, sep); /* find start of field */ | |
1476 | w = strcspn(cp, sep); /* find width of field */ | |
1477 | setchunk(field[fi], cp, w); | |
1478 | cp += w; | |
1479 | if (w == 0) | |
1480 | break; | |
1481 | } | |
1482 | ||
1483 | /* This odd do-hickey is to share error reporting code. | |
1484 | * A break will get to that common code. The setting | |
1485 | * of "ugh" and "context" parameterize it. | |
1486 | */ | |
1487 | do { | |
1488 | /* Old entries have no packet count; new ones do. | |
1489 | * check if things are as they should be. | |
1490 | */ | |
1491 | if (fi == 5) | |
1492 | ff = &field[0]; /* old form, with no count */ | |
1493 | else if (fi == 6) | |
1494 | ff = &field[1]; /* new form, with count */ | |
1495 | else | |
1496 | { | |
1497 | ugh = "has wrong number of fields"; | |
1498 | break; | |
1499 | } | |
1500 | ||
1501 | if (ff[1].len != 2 | |
1502 | || strncmp(ff[1].ptr, "->", 2) != 0 | |
1503 | || ff[3].len != 2 | |
1504 | || strncmp(ff[3].ptr, "=>", 2) != 0) | |
1505 | { | |
1506 | ugh = "is missing -> or =>"; | |
1507 | break; | |
1508 | } | |
1509 | ||
1510 | /* actually digest fields of interest */ | |
1511 | ||
1512 | /* packet count */ | |
1513 | ||
1514 | eri.count = 0; | |
1515 | if (ff != field) | |
1516 | { | |
1517 | context = "count field is malformed: "; | |
1518 | ugh = ttoul(field[0].ptr, field[0].len, 10, &eri.count); | |
1519 | if (ugh != NULL) | |
1520 | break; | |
1521 | } | |
1522 | ||
1523 | /* our client */ | |
1524 | ||
1525 | context = "source subnet field malformed: "; | |
1526 | ugh = ttosubnet(ff[0].ptr, ff[0].len, AF_INET, &eri.ours); | |
1527 | if (ugh != NULL) | |
1528 | break; | |
1529 | ||
1530 | /* his client */ | |
1531 | ||
1532 | context = "destination subnet field malformed: "; | |
1533 | ugh = ttosubnet(ff[2].ptr, ff[2].len, AF_INET, &eri.his); | |
1534 | if (ugh != NULL) | |
1535 | break; | |
1536 | ||
1537 | /* SAID */ | |
1538 | ||
1539 | context = "SA ID field malformed: "; | |
1540 | ugh = read_proto(ff[4].ptr, &ff[4].len, &eri.transport_proto); | |
1541 | if (ugh != NULL) | |
1542 | break; | |
1543 | ugh = ttosa(ff[4].ptr, ff[4].len, &eri.said); | |
1544 | } while (FALSE); | |
1545 | ||
1546 | if (ugh != NULL) | |
1547 | { | |
1548 | plog("INTERNAL ERROR: %s line %d %s%s" | |
1549 | , procname, lino, context, ugh); | |
1550 | continue; /* ignore rest of line */ | |
1551 | } | |
1552 | ||
1553 | /* Now we have decoded eroute, let's consider it. | |
1554 | * For shunt eroutes: | |
1555 | * | |
1556 | * %hold: if not known, add to orphaned_holds list for initiation | |
1557 | * because ACQUIRE might have been lost. | |
1558 | * | |
1559 | * %pass, %drop, %reject: determine if idle; if so, blast it away. | |
1560 | * Can occur bare (if DNS provided insufficient information) | |
1561 | * or with a connection (failure context). | |
1562 | * Could even be installed by ipsec manual. | |
1563 | * | |
1564 | * %trap: always welcome. | |
1565 | * | |
1566 | * For other eroutes: find state and record count change | |
1567 | */ | |
1568 | if (eri.said.proto == SA_INT) | |
1569 | { | |
1570 | /* shunt eroute */ | |
1571 | switch (ntohl(eri.said.spi)) | |
1572 | { | |
1573 | case SPI_HOLD: | |
1574 | if (bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto) == NULL | |
1575 | && shunt_owner(&eri.ours, &eri.his) == NULL) | |
1576 | { | |
1577 | int ourport = ntohs(portof(&eri.ours.addr)); | |
1578 | int hisport = ntohs(portof(&eri.his.addr)); | |
1579 | char ourst[SUBNETTOT_BUF]; | |
1580 | char hist[SUBNETTOT_BUF]; | |
1581 | char sat[SATOT_BUF]; | |
1582 | ||
1583 | subnettot(&eri.ours, 0, ourst, sizeof(ourst)); | |
1584 | subnettot(&eri.his, 0, hist, sizeof(hist)); | |
1585 | satot(&eri.said, 0, sat, sizeof(sat)); | |
1586 | ||
1587 | DBG(DBG_CONTROL, | |
1588 | DBG_log("add orphaned shunt %s:%d -> %s:%d => %s:%d" | |
1589 | , ourst, ourport, hist, hisport, sat, eri.transport_proto) | |
1590 | ) | |
1591 | eri.next = orphaned_holds; | |
1592 | orphaned_holds = clone_thing(eri, "orphaned %hold"); | |
1593 | } | |
1594 | break; | |
1595 | ||
1596 | case SPI_PASS: | |
1597 | case SPI_DROP: | |
1598 | case SPI_REJECT: | |
1599 | /* nothing sensible to do if we don't have counts */ | |
1600 | if (ff != field) | |
1601 | { | |
1602 | struct bare_shunt **bs_pp | |
1603 | = bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto); | |
1604 | ||
1605 | if (bs_pp != NULL) | |
1606 | { | |
1607 | struct bare_shunt *bs = *bs_pp; | |
1608 | ||
1609 | if (eri.count != bs->count) | |
1610 | { | |
1611 | bs->count = eri.count; | |
1612 | bs->last_activity = nw; | |
1613 | } | |
1614 | else if (nw - bs->last_activity > SHUNT_PATIENCE) | |
1615 | { | |
1616 | eri.next = expired; | |
1617 | expired = clone_thing(eri, "expired %pass"); | |
1618 | } | |
1619 | } | |
1620 | } | |
1621 | break; | |
1622 | ||
1623 | case SPI_TRAP: | |
1624 | break; | |
1625 | ||
1626 | default: | |
1627 | bad_case(ntohl(eri.said.spi)); | |
1628 | } | |
1629 | } | |
1630 | else | |
1631 | { | |
1632 | /* regular (non-shunt) eroute */ | |
1633 | state_eroute_usage(&eri.ours, &eri.his, eri.count, nw); | |
1634 | } | |
1635 | } /* for each line */ | |
1636 | fclose(f); | |
1637 | ||
1638 | /* Now that we've finished processing the /proc file, | |
1639 | * it is safe to delete the expired %pass shunts. | |
1640 | */ | |
1641 | while (expired != NULL) | |
1642 | { | |
1643 | struct eroute_info *p = expired; | |
1644 | ip_address src, dst; | |
1645 | ||
1646 | networkof(&p->ours, &src); | |
1647 | networkof(&p->his, &dst); | |
1648 | (void) replace_bare_shunt(&src, &dst | |
1649 | , BOTTOM_PRIO /* not used because we are deleting. This value is a filler */ | |
1650 | , SPI_PASS /* not used because we are deleting. This value is a filler */ | |
1651 | , FALSE, p->transport_proto, "delete expired bare shunts"); | |
1652 | expired = p->next; | |
1653 | pfree(p); | |
1654 | } | |
1655 | } | |
1656 | ||
1657 | static bool | |
1658 | del_spi(ipsec_spi_t spi, int proto | |
1659 | , const ip_address *src, const ip_address *dest) | |
1660 | { | |
1661 | char text_said[SATOT_BUF]; | |
1662 | struct kernel_sa sa; | |
1663 | ||
1664 | set_text_said(text_said, dest, spi, proto); | |
1665 | ||
1666 | DBG(DBG_KLIPS, DBG_log("delete %s", text_said)); | |
1667 | ||
1668 | memset(&sa, 0, sizeof(sa)); | |
1669 | sa.spi = spi; | |
1670 | sa.proto = proto; | |
1671 | sa.src = src; | |
1672 | sa.dst = dest; | |
1673 | sa.text_said = text_said; | |
1674 | ||
1675 | return kernel_ops->del_sa(&sa); | |
1676 | } | |
1677 | ||
1678 | /* Setup a pair of SAs. Code taken from setsa.c and spigrp.c, in | |
1679 | * ipsec-0.5. | |
1680 | */ | |
1681 | ||
1682 | static bool | |
1683 | setup_half_ipsec_sa(struct state *st, bool inbound) | |
1684 | { | |
1685 | /* Build an inbound or outbound SA */ | |
1686 | ||
1687 | struct connection *c = st->st_connection; | |
1688 | ip_subnet src, dst; | |
1689 | ip_subnet src_client, dst_client; | |
1690 | ipsec_spi_t inner_spi = 0; | |
1691 | u_int proto = 0; | |
1692 | u_int satype = SADB_SATYPE_UNSPEC; | |
1693 | bool replace; | |
1694 | ||
1695 | /* SPIs, saved for spigrouping or undoing, if necessary */ | |
1696 | struct kernel_sa | |
1697 | said[EM_MAXRELSPIS], | |
1698 | *said_next = said; | |
1699 | ||
1700 | char text_said[SATOT_BUF]; | |
1701 | int encapsulation; | |
1702 | ||
1703 | replace = inbound && (kernel_ops->get_spi != NULL); | |
1704 | ||
1705 | src.maskbits = 0; | |
1706 | dst.maskbits = 0; | |
1707 | ||
1708 | if (inbound) | |
1709 | { | |
1710 | src.addr = c->spd.that.host_addr; | |
1711 | dst.addr = c->spd.this.host_addr; | |
1712 | src_client = c->spd.that.client; | |
1713 | dst_client = c->spd.this.client; | |
1714 | } | |
1715 | else | |
1716 | { | |
1717 | src.addr = c->spd.this.host_addr, | |
1718 | dst.addr = c->spd.that.host_addr; | |
1719 | src_client = c->spd.this.client; | |
1720 | dst_client = c->spd.that.client; | |
1721 | } | |
1722 | ||
1723 | encapsulation = ENCAPSULATION_MODE_TRANSPORT; | |
1724 | if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL | |
1725 | || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL | |
1726 | || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL) | |
1727 | { | |
1728 | encapsulation = ENCAPSULATION_MODE_TUNNEL; | |
1729 | } | |
1730 | ||
1731 | memset(said, 0, sizeof(said)); | |
1732 | ||
1733 | /* If we are tunnelling, set up IP in IP pseudo SA */ | |
1734 | ||
1735 | if (kernel_ops->inbound_eroute) | |
1736 | { | |
1737 | inner_spi = 256; | |
1738 | proto = SA_IPIP; | |
1739 | satype = SADB_SATYPE_UNSPEC; | |
1740 | } | |
1741 | else if (encapsulation == ENCAPSULATION_MODE_TUNNEL) | |
1742 | { | |
1743 | /* XXX hack alert -- we SHOULD NOT HAVE TO HAVE A DIFFERENT SPI | |
1744 | * XXX FOR IP-in-IP ENCAPSULATION! | |
1745 | */ | |
1746 | ||
1747 | ipsec_spi_t ipip_spi; | |
1748 | ||
1749 | /* Allocate an SPI for the tunnel. | |
1750 | * Since our peer will never see this, | |
1751 | * and it comes from its own number space, | |
1752 | * it is purely a local implementation wart. | |
1753 | */ | |
1754 | { | |
1755 | static ipsec_spi_t last_tunnel_spi = IPSEC_DOI_SPI_OUR_MIN; | |
1756 | ||
1757 | ipip_spi = htonl(++last_tunnel_spi); | |
1758 | if (inbound) | |
1759 | st->st_tunnel_in_spi = ipip_spi; | |
1760 | else | |
1761 | st->st_tunnel_out_spi = ipip_spi; | |
1762 | } | |
1763 | ||
1764 | set_text_said(text_said | |
1765 | , &c->spd.that.host_addr, ipip_spi, SA_IPIP); | |
1766 | ||
1767 | said_next->src = &src.addr; | |
1768 | said_next->dst = &dst.addr; | |
1769 | said_next->src_client = &src_client; | |
1770 | said_next->dst_client = &dst_client; | |
1771 | said_next->spi = ipip_spi; | |
1772 | said_next->satype = SADB_X_SATYPE_IPIP; | |
1773 | said_next->text_said = text_said; | |
1774 | ||
1775 | if (!kernel_ops->add_sa(said_next, replace)) | |
1776 | goto fail; | |
1777 | ||
1778 | said_next++; | |
1779 | ||
1780 | inner_spi = ipip_spi; | |
1781 | proto = SA_IPIP; | |
1782 | satype = SADB_X_SATYPE_IPIP; | |
1783 | } | |
1784 | ||
1785 | /* set up IPCOMP SA, if any */ | |
1786 | ||
1787 | if (st->st_ipcomp.present) | |
1788 | { | |
1789 | ipsec_spi_t ipcomp_spi = inbound? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi; | |
1790 | unsigned compalg; | |
1791 | ||
1792 | switch (st->st_ipcomp.attrs.transid) | |
1793 | { | |
1794 | case IPCOMP_DEFLATE: | |
1795 | compalg = SADB_X_CALG_DEFLATE; | |
1796 | break; | |
1797 | ||
1798 | default: | |
1799 | loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented" | |
1800 | , enum_name(&ipcomp_transformid_names, st->st_ipcomp.attrs.transid)); | |
1801 | goto fail; | |
1802 | } | |
1803 | ||
1804 | set_text_said(text_said, &dst.addr, ipcomp_spi, SA_COMP); | |
1805 | ||
1806 | said_next->src = &src.addr; | |
1807 | said_next->dst = &dst.addr; | |
1808 | said_next->src_client = &src_client; | |
1809 | said_next->dst_client = &dst_client; | |
1810 | said_next->spi = ipcomp_spi; | |
1811 | said_next->satype = SADB_X_SATYPE_COMP; | |
1812 | said_next->compalg = compalg; | |
1813 | said_next->encapsulation = encapsulation; | |
1814 | said_next->reqid = c->spd.reqid + 2; | |
1815 | said_next->text_said = text_said; | |
1816 | ||
1817 | if (!kernel_ops->add_sa(said_next, replace)) | |
1818 | goto fail; | |
1819 | ||
1820 | said_next++; | |
1821 | ||
1822 | encapsulation = ENCAPSULATION_MODE_TRANSPORT; | |
1823 | } | |
1824 | ||
1825 | /* set up ESP SA, if any */ | |
1826 | ||
1827 | if (st->st_esp.present) | |
1828 | { | |
1829 | ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi; | |
1830 | u_char *esp_dst_keymat = inbound? st->st_esp.our_keymat : st->st_esp.peer_keymat; | |
1831 | const struct esp_info *ei; | |
1832 | u_int16_t key_len; | |
1833 | ||
1834 | static const struct esp_info esp_info[] = { | |
1835 | { ESP_NULL, AUTH_ALGORITHM_HMAC_MD5, | |
1836 | 0, HMAC_MD5_KEY_LEN, | |
1837 | SADB_EALG_NULL, SADB_AALG_MD5_HMAC }, | |
1838 | { ESP_NULL, AUTH_ALGORITHM_HMAC_SHA1, | |
1839 | 0, HMAC_SHA1_KEY_LEN, | |
1840 | SADB_EALG_NULL, SADB_AALG_SHA1_HMAC }, | |
1841 | ||
1842 | { ESP_DES, AUTH_ALGORITHM_NONE, | |
1843 | DES_CBC_BLOCK_SIZE, 0, | |
1844 | SADB_EALG_DES_CBC, SADB_AALG_NONE }, | |
1845 | { ESP_DES, AUTH_ALGORITHM_HMAC_MD5, | |
1846 | DES_CBC_BLOCK_SIZE, HMAC_MD5_KEY_LEN, | |
1847 | SADB_EALG_DES_CBC, SADB_AALG_MD5_HMAC }, | |
1848 | { ESP_DES, AUTH_ALGORITHM_HMAC_SHA1, | |
1849 | DES_CBC_BLOCK_SIZE, | |
1850 | HMAC_SHA1_KEY_LEN, SADB_EALG_DES_CBC, SADB_AALG_SHA1_HMAC }, | |
1851 | ||
1852 | { ESP_3DES, AUTH_ALGORITHM_NONE, | |
1853 | DES_CBC_BLOCK_SIZE * 3, 0, | |
1854 | SADB_EALG_3DES_CBC, SADB_AALG_NONE }, | |
1855 | { ESP_3DES, AUTH_ALGORITHM_HMAC_MD5, | |
1856 | DES_CBC_BLOCK_SIZE * 3, HMAC_MD5_KEY_LEN, | |
1857 | SADB_EALG_3DES_CBC, SADB_AALG_MD5_HMAC }, | |
1858 | { ESP_3DES, AUTH_ALGORITHM_HMAC_SHA1, | |
1859 | DES_CBC_BLOCK_SIZE * 3, HMAC_SHA1_KEY_LEN, | |
1860 | SADB_EALG_3DES_CBC, SADB_AALG_SHA1_HMAC }, | |
1861 | }; | |
1862 | ||
1863 | #ifdef NAT_TRAVERSAL | |
1864 | u_int8_t natt_type = 0; | |
1865 | u_int16_t natt_sport = 0, natt_dport = 0; | |
1866 | ip_address natt_oa; | |
1867 | ||
1868 | if (st->nat_traversal & NAT_T_DETECTED) { | |
1869 | natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ? | |
1870 | ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE; | |
1871 | natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port; | |
1872 | natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port; | |
1873 | natt_oa = st->nat_oa; | |
1874 | } | |
1875 | #endif | |
1876 | ||
1877 | for (ei = esp_info; ; ei++) | |
1878 | { | |
1879 | if (ei == &esp_info[elemsof(esp_info)]) | |
1880 | { | |
1881 | /* Check for additional kernel alg */ | |
1882 | #ifndef NO_KERNEL_ALG | |
1883 | if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid, | |
1884 | st->st_esp.attrs.auth))!=NULL) { | |
1885 | break; | |
1886 | } | |
1887 | #endif | |
1888 | ||
1889 | /* note: enum_show may use a static buffer, so two | |
1890 | * calls in one printf would be a mistake. | |
1891 | * enum_name does the same job, without a static buffer, | |
1892 | * assuming the name will be found. | |
1893 | */ | |
1894 | loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s not implemented yet" | |
1895 | , enum_name(&esp_transformid_names, st->st_esp.attrs.transid) | |
1896 | , enum_name(&auth_alg_names, st->st_esp.attrs.auth)); | |
1897 | goto fail; | |
1898 | } | |
1899 | ||
1900 | if (st->st_esp.attrs.transid == ei->transid | |
1901 | && st->st_esp.attrs.auth == ei->auth) | |
1902 | break; | |
1903 | } | |
1904 | ||
1905 | key_len = st->st_esp.attrs.key_len/8; | |
1906 | if (key_len) { | |
1907 | /* XXX: must change to check valid _range_ key_len */ | |
1908 | if (key_len > ei->enckeylen) { | |
1909 | loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d", | |
1910 | enum_name(&esp_transformid_names, st->st_esp.attrs.transid), | |
1911 | (int)key_len, (int)ei->enckeylen); | |
1912 | goto fail; | |
1913 | } | |
1914 | } else { | |
1915 | key_len = ei->enckeylen; | |
1916 | } | |
1917 | /* Grrrrr.... f*cking 7 bits jurassic algos */ | |
1918 | ||
1919 | /* 168 bits in kernel, need 192 bits for keymat_len */ | |
1920 | if (ei->transid == ESP_3DES && key_len == 21) | |
1921 | key_len = 24; | |
1922 | ||
1923 | /* 56 bits in kernel, need 64 bits for keymat_len */ | |
1924 | if (ei->transid == ESP_DES && key_len == 7) | |
1925 | key_len = 8; | |
1926 | ||
1927 | /* divide up keying material */ | |
1928 | /* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */ | |
1929 | DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING, | |
1930 | if(st->st_esp.keymat_len != key_len + ei->authkeylen) | |
1931 | DBG_log("keymat_len=%d key_len=%d authkeylen=%d", | |
1932 | st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen); | |
1933 | ); | |
1934 | passert(st->st_esp.keymat_len == key_len + ei->authkeylen); | |
1935 | ||
1936 | set_text_said(text_said, &dst.addr, esp_spi, SA_ESP); | |
1937 | ||
1938 | said_next->src = &src.addr; | |
1939 | said_next->dst = &dst.addr; | |
1940 | said_next->src_client = &src_client; | |
1941 | said_next->dst_client = &dst_client; | |
1942 | said_next->spi = esp_spi; | |
1943 | said_next->satype = SADB_SATYPE_ESP; | |
1944 | said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM; | |
1945 | said_next->authalg = ei->authalg; | |
1946 | said_next->authkeylen = ei->authkeylen; | |
1947 | /* said_next->authkey = esp_dst_keymat + ei->enckeylen; */ | |
1948 | said_next->authkey = esp_dst_keymat + key_len; | |
1949 | said_next->encalg = ei->encryptalg; | |
1950 | /* said_next->enckeylen = ei->enckeylen; */ | |
1951 | said_next->enckeylen = key_len; | |
1952 | said_next->enckey = esp_dst_keymat; | |
1953 | said_next->encapsulation = encapsulation; | |
1954 | said_next->reqid = c->spd.reqid + 1; | |
1955 | #ifdef NAT_TRAVERSAL | |
1956 | said_next->natt_sport = natt_sport; | |
1957 | said_next->natt_dport = natt_dport; | |
1958 | said_next->transid = st->st_esp.attrs.transid; | |
1959 | said_next->natt_type = natt_type; | |
1960 | said_next->natt_oa = &natt_oa; | |
1961 | #endif | |
1962 | said_next->text_said = text_said; | |
1963 | ||
1964 | if (!kernel_ops->add_sa(said_next, replace)) | |
1965 | goto fail; | |
1966 | ||
1967 | said_next++; | |
1968 | ||
1969 | encapsulation = ENCAPSULATION_MODE_TRANSPORT; | |
1970 | } | |
1971 | ||
1972 | /* set up AH SA, if any */ | |
1973 | ||
1974 | if (st->st_ah.present) | |
1975 | { | |
1976 | ipsec_spi_t ah_spi = inbound? st->st_ah.our_spi : st->st_ah.attrs.spi; | |
1977 | u_char *ah_dst_keymat = inbound? st->st_ah.our_keymat : st->st_ah.peer_keymat; | |
1978 | ||
1979 | unsigned char authalg; | |
1980 | ||
1981 | switch (st->st_ah.attrs.auth) | |
1982 | { | |
1983 | case AUTH_ALGORITHM_HMAC_MD5: | |
1984 | authalg = SADB_AALG_MD5_HMAC; | |
1985 | break; | |
1986 | ||
1987 | case AUTH_ALGORITHM_HMAC_SHA1: | |
1988 | authalg = SADB_AALG_SHA1_HMAC; | |
1989 | break; | |
1990 | ||
1991 | default: | |
1992 | loglog(RC_LOG_SERIOUS, "%s not implemented yet" | |
1993 | , enum_show(&auth_alg_names, st->st_ah.attrs.auth)); | |
1994 | goto fail; | |
1995 | } | |
1996 | ||
1997 | set_text_said(text_said, &dst.addr, ah_spi, SA_AH); | |
1998 | ||
1999 | said_next->src = &src.addr; | |
2000 | said_next->dst = &dst.addr; | |
2001 | said_next->src_client = &src_client; | |
2002 | said_next->dst_client = &dst_client; | |
2003 | said_next->spi = ah_spi; | |
2004 | said_next->satype = SADB_SATYPE_AH; | |
2005 | said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM; | |
2006 | said_next->authalg = authalg; | |
2007 | said_next->authkeylen = st->st_ah.keymat_len; | |
2008 | said_next->authkey = ah_dst_keymat; | |
2009 | said_next->encapsulation = encapsulation; | |
2010 | said_next->reqid = c->spd.reqid; | |
2011 | said_next->text_said = text_said; | |
2012 | ||
2013 | if (!kernel_ops->add_sa(said_next, replace)) | |
2014 | goto fail; | |
2015 | ||
2016 | said_next++; | |
2017 | ||
2018 | encapsulation = ENCAPSULATION_MODE_TRANSPORT; | |
2019 | } | |
2020 | ||
2021 | if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL | |
2022 | || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL | |
2023 | || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL) | |
2024 | { | |
2025 | encapsulation = ENCAPSULATION_MODE_TUNNEL; | |
2026 | } | |
2027 | ||
2028 | if (kernel_ops->inbound_eroute ? c->spd.eroute_owner == SOS_NOBODY | |
2029 | : encapsulation == ENCAPSULATION_MODE_TUNNEL) | |
2030 | { | |
2031 | /* If inbound, and policy does not specifie DISABLEARRIVALCHECK, | |
2032 | * tell KLIPS to enforce the IP addresses appropriate for this tunnel. | |
2033 | * Note reversed ends. | |
2034 | * Not much to be done on failure. | |
2035 | */ | |
2036 | if (inbound && (c->policy & POLICY_DISABLEARRIVALCHECK) == 0) | |
2037 | { | |
2038 | struct pfkey_proto_info proto_info[4]; | |
2039 | int i = 0; | |
2040 | ||
2041 | if (st->st_ipcomp.present) | |
2042 | { | |
2043 | proto_info[i].proto = IPPROTO_COMP; | |
2044 | proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation; | |
2045 | proto_info[i].reqid = c->spd.reqid + 2; | |
2046 | i++; | |
2047 | } | |
2048 | ||
2049 | if (st->st_esp.present) | |
2050 | { | |
2051 | proto_info[i].proto = IPPROTO_ESP; | |
2052 | proto_info[i].encapsulation = st->st_esp.attrs.encapsulation; | |
2053 | proto_info[i].reqid = c->spd.reqid + 1; | |
2054 | i++; | |
2055 | } | |
2056 | ||
2057 | if (st->st_ah.present) | |
2058 | { | |
2059 | proto_info[i].proto = IPPROTO_AH; | |
2060 | proto_info[i].encapsulation = st->st_ah.attrs.encapsulation; | |
2061 | proto_info[i].reqid = c->spd.reqid; | |
2062 | i++; | |
2063 | } | |
2064 | ||
2065 | proto_info[i].proto = 0; | |
2066 | ||
2067 | if (kernel_ops->inbound_eroute | |
2068 | && encapsulation == ENCAPSULATION_MODE_TUNNEL) | |
2069 | { | |
2070 | proto_info[0].encapsulation = ENCAPSULATION_MODE_TUNNEL; | |
2071 | for (i = 1; proto_info[i].proto; i++) | |
2072 | { | |
2073 | proto_info[i].encapsulation = ENCAPSULATION_MODE_TRANSPORT; | |
2074 | } | |
2075 | } | |
2076 | ||
2077 | /* MCR - should be passed a spd_eroute structure here */ | |
2078 | (void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client | |
2079 | , &c->spd.this.host_addr, &c->spd.this.client | |
2080 | , inner_spi, proto, satype, c->spd.this.protocol | |
2081 | , proto_info, 0 | |
2082 | , ERO_ADD_INBOUND, "add inbound"); | |
2083 | } | |
2084 | } | |
2085 | ||
2086 | /* If there are multiple SPIs, group them. */ | |
2087 | ||
2088 | if (kernel_ops->grp_sa && said_next > &said[1]) | |
2089 | { | |
2090 | struct kernel_sa *s; | |
2091 | ||
2092 | /* group SAs, two at a time, inner to outer (backwards in said[]) | |
2093 | * The grouping is by pairs. So if said[] contains ah esp ipip, | |
2094 | * the grouping would be ipip:esp, esp:ah. | |
2095 | */ | |
2096 | for (s = said; s < said_next-1; s++) | |
2097 | { | |
2098 | char | |
2099 | text_said0[SATOT_BUF], | |
2100 | text_said1[SATOT_BUF]; | |
2101 | ||
2102 | /* group s[1] and s[0], in that order */ | |
2103 | ||
2104 | set_text_said(text_said0, s[0].dst, s[0].spi, s[0].proto); | |
2105 | set_text_said(text_said1, s[1].dst, s[1].spi, s[1].proto); | |
2106 | ||
2107 | DBG(DBG_KLIPS, DBG_log("grouping %s and %s", text_said1, text_said0)); | |
2108 | ||
2109 | s[0].text_said = text_said0; | |
2110 | s[1].text_said = text_said1; | |
2111 | ||
2112 | if (!kernel_ops->grp_sa(s + 1, s)) | |
2113 | goto fail; | |
2114 | } | |
2115 | /* could update said, but it will not be used */ | |
2116 | } | |
2117 | ||
2118 | return TRUE; | |
2119 | ||
2120 | fail: | |
2121 | { | |
2122 | /* undo the done SPIs */ | |
2123 | while (said_next-- != said) | |
2124 | (void) del_spi(said_next->spi, said_next->proto | |
2125 | , &src.addr, said_next->dst); | |
2126 | return FALSE; | |
2127 | } | |
2128 | } | |
2129 | ||
2130 | /* teardown_ipsec_sa is a canibalized version of setup_ipsec_sa */ | |
2131 | ||
2132 | static bool | |
2133 | teardown_half_ipsec_sa(struct state *st, bool inbound) | |
2134 | { | |
2135 | /* We need to delete AH, ESP, and IP in IP SPIs. | |
2136 | * But if there is more than one, they have been grouped | |
2137 | * so deleting any one will do. So we just delete the | |
2138 | * first one found. It may or may not be the only one. | |
2139 | */ | |
2140 | struct connection *c = st->st_connection; | |
2141 | struct { | |
2142 | unsigned proto; | |
2143 | struct ipsec_proto_info *info; | |
2144 | } protos[4]; | |
2145 | int i; | |
2146 | bool result; | |
2147 | ||
2148 | i = 0; | |
2149 | if (kernel_ops->inbound_eroute && inbound | |
2150 | && c->spd.eroute_owner == SOS_NOBODY) | |
2151 | { | |
2152 | (void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client | |
2153 | , &c->spd.this.host_addr, &c->spd.this.client | |
2154 | , 256, IPSEC_PROTO_ANY, SADB_SATYPE_UNSPEC, c->spd.this.protocol | |
2155 | , null_proto_info, 0 | |
2156 | , ERO_DEL_INBOUND, "delete inbound"); | |
2157 | } | |
2158 | ||
2159 | if (!kernel_ops->grp_sa) | |
2160 | { | |
2161 | if (st->st_ah.present) | |
2162 | { | |
2163 | protos[i].info = &st->st_ah; | |
2164 | protos[i].proto = SA_AH; | |
2165 | i++; | |
2166 | } | |
2167 | ||
2168 | if (st->st_esp.present) | |
2169 | { | |
2170 | protos[i].info = &st->st_esp; | |
2171 | protos[i].proto = SA_ESP; | |
2172 | i++; | |
2173 | } | |
2174 | ||
2175 | if (st->st_ipcomp.present) | |
2176 | { | |
2177 | protos[i].info = &st->st_ipcomp; | |
2178 | protos[i].proto = SA_COMP; | |
2179 | i++; | |
2180 | } | |
2181 | } | |
2182 | else if (st->st_ah.present) | |
2183 | { | |
2184 | protos[i].info = &st->st_ah; | |
2185 | protos[i].proto = SA_AH; | |
2186 | i++; | |
2187 | } | |
2188 | else if (st->st_esp.present) | |
2189 | { | |
2190 | protos[i].info = &st->st_esp; | |
2191 | protos[i].proto = SA_ESP; | |
2192 | i++; | |
2193 | } | |
2194 | else | |
2195 | { | |
2196 | impossible(); /* neither AH nor ESP in outbound SA bundle! */ | |
2197 | } | |
2198 | protos[i].proto = 0; | |
2199 | ||
2200 | result = TRUE; | |
2201 | for (i = 0; protos[i].proto; i++) | |
2202 | { | |
2203 | unsigned proto = protos[i].proto; | |
2204 | ipsec_spi_t spi; | |
2205 | const ip_address *src, *dst; | |
2206 | ||
2207 | if (inbound) | |
2208 | { | |
2209 | spi = protos[i].info->our_spi; | |
2210 | src = &c->spd.that.host_addr; | |
2211 | dst = &c->spd.this.host_addr; | |
2212 | } | |
2213 | else | |
2214 | { | |
2215 | spi = protos[i].info->attrs.spi; | |
2216 | src = &c->spd.this.host_addr; | |
2217 | dst = &c->spd.that.host_addr; | |
2218 | } | |
2219 | ||
2220 | result &= del_spi(spi, proto, src, dst); | |
2221 | } | |
2222 | return result; | |
2223 | } | |
2224 | ||
2225 | /* | |
2226 | * get information about a given sa | |
2227 | */ | |
2228 | bool | |
2229 | get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time) | |
2230 | { | |
2231 | char text_said[SATOT_BUF]; | |
2232 | struct kernel_sa sa; | |
2233 | struct connection *c = st->st_connection; | |
2234 | ||
2235 | *use_time = UNDEFINED_TIME; | |
2236 | ||
2237 | if (kernel_ops->get_sa == NULL || !st->st_esp.present) | |
2238 | return FALSE; | |
2239 | ||
2240 | memset(&sa, 0, sizeof(sa)); | |
2241 | sa.proto = SA_ESP; | |
2242 | ||
2243 | if (inbound) | |
2244 | { | |
2245 | sa.src = &c->spd.that.host_addr; | |
2246 | sa.dst = &c->spd.this.host_addr; | |
2247 | sa.spi = st->st_esp.our_spi; | |
2248 | } | |
2249 | else | |
2250 | { | |
2251 | sa.src = &c->spd.this.host_addr; | |
2252 | sa.dst = &c->spd.that.host_addr; | |
2253 | sa.spi = st->st_esp.attrs.spi; | |
2254 | } | |
2255 | set_text_said(text_said, sa.dst, sa.spi, sa.proto); | |
2256 | ||
2257 | sa.text_said = text_said; | |
2258 | ||
2259 | DBG(DBG_KLIPS, | |
2260 | DBG_log("get %s", text_said) | |
2261 | ) | |
2262 | if (!kernel_ops->get_sa(&sa, bytes)) | |
2263 | return FALSE; | |
2264 | DBG(DBG_KLIPS, | |
2265 | DBG_log(" current: %d bytes", *bytes) | |
2266 | ) | |
2267 | ||
2268 | if (st->st_serialno == c->spd.eroute_owner) | |
2269 | { | |
2270 | DBG(DBG_KLIPS, | |
2271 | DBG_log("get %sbound policy with reqid %u" | |
2272 | , inbound? "in":"out", (u_int)c->spd.reqid + 1) | |
2273 | ) | |
2274 | sa.transport_proto = c->spd.this.protocol; | |
2275 | sa.encapsulation = st->st_esp.attrs.encapsulation; | |
2276 | ||
2277 | if (inbound) | |
2278 | { | |
2279 | sa.src_client = &c->spd.that.client; | |
2280 | sa.dst_client = &c->spd.this.client; | |
2281 | } | |
2282 | else | |
2283 | { | |
2284 | sa.src_client = &c->spd.this.client; | |
2285 | sa.dst_client = &c->spd.that.client; | |
2286 | } | |
2287 | if (!kernel_ops->get_policy(&sa, inbound, use_time)) | |
2288 | return FALSE; | |
2289 | DBG(DBG_KLIPS, | |
2290 | DBG_log(" use_time: %s", timetoa(use_time, FALSE)) | |
2291 | ) | |
2292 | } | |
2293 | return TRUE; | |
2294 | } | |
2295 | ||
2296 | const struct kernel_ops *kernel_ops; | |
2297 | ||
2298 | #endif /* KLIPS */ | |
2299 | ||
2300 | void | |
2301 | init_kernel(void) | |
2302 | { | |
2303 | #ifdef KLIPS | |
2304 | ||
2305 | if (no_klips) | |
2306 | { | |
2307 | kernel_ops = &noklips_kernel_ops; | |
2308 | return; | |
2309 | } | |
2310 | ||
2311 | init_pfkey(); | |
2312 | ||
2313 | kernel_ops = &klips_kernel_ops; | |
2314 | ||
2315 | #if defined(linux) && defined(KERNEL26_SUPPORT) | |
2316 | { | |
2317 | bool linux_ipsec = 0; | |
2318 | struct stat buf; | |
2319 | ||
2320 | linux_ipsec = (stat("/proc/net/pfkey", &buf) == 0); | |
2321 | if (linux_ipsec) | |
2322 | { | |
2323 | plog("Using Linux 2.6 IPsec interface code"); | |
2324 | kernel_ops = &linux_kernel_ops; | |
2325 | } | |
2326 | else | |
2327 | { | |
2328 | plog("Using KLIPS IPsec interface code"); | |
2329 | } | |
2330 | } | |
2331 | #endif | |
2332 | ||
2333 | if (kernel_ops->init) | |
2334 | { | |
2335 | kernel_ops->init(); | |
2336 | } | |
2337 | ||
2338 | /* register SA types that we can negotiate */ | |
2339 | can_do_IPcomp = FALSE; /* until we get a response from KLIPS */ | |
2340 | kernel_ops->pfkey_register(); | |
2341 | ||
2342 | if (!kernel_ops->policy_lifetime) | |
2343 | { | |
2344 | event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL); | |
2345 | } | |
2346 | #endif | |
2347 | } | |
2348 | ||
2349 | /* Note: install_inbound_ipsec_sa is only used by the Responder. | |
2350 | * The Responder will subsequently use install_ipsec_sa for the outbound. | |
2351 | * The Initiator uses install_ipsec_sa to install both at once. | |
2352 | */ | |
2353 | bool | |
2354 | install_inbound_ipsec_sa(struct state *st) | |
2355 | { | |
2356 | struct connection *const c = st->st_connection; | |
2357 | ||
2358 | /* If our peer has a fixed-address client, check if we already | |
2359 | * have a route for that client that conflicts. We will take this | |
2360 | * as proof that that route and the connections using it are | |
2361 | * obsolete and should be eliminated. Interestingly, this is | |
2362 | * the only case in which we can tell that a connection is obsolete. | |
2363 | */ | |
2364 | passert(c->kind == CK_PERMANENT || c->kind == CK_INSTANCE); | |
2365 | if (c->spd.that.has_client) | |
2366 | { | |
2367 | for (;;) | |
2368 | { | |
2369 | struct spd_route *esr; | |
2370 | struct connection *o = route_owner(c, &esr, NULL, NULL); | |
2371 | ||
2372 | if (o == NULL) | |
2373 | break; /* nobody has a route */ | |
2374 | ||
2375 | /* note: we ignore the client addresses at this end */ | |
2376 | if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr) | |
2377 | && o->interface == c->interface) | |
2378 | break; /* existing route is compatible */ | |
2379 | ||
2380 | if (o->kind == CK_TEMPLATE && streq(o->name, c->name)) | |
2381 | break; /* ??? is this good enough?? */ | |
2382 | ||
2383 | loglog(RC_LOG_SERIOUS, "route to peer's client conflicts with \"%s\" %s; releasing old connection to free the route" | |
2384 | , o->name, ip_str(&o->spd.that.host_addr)); | |
2385 | release_connection(o, FALSE); | |
2386 | } | |
2387 | } | |
2388 | ||
2389 | DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa() checking if we can route")); | |
2390 | /* check that we will be able to route and eroute */ | |
2391 | switch (could_route(c)) | |
2392 | { | |
2393 | case route_easy: | |
2394 | case route_nearconflict: | |
2395 | break; | |
2396 | ||
2397 | default: | |
2398 | return FALSE; | |
2399 | } | |
2400 | ||
2401 | #ifdef KLIPS | |
2402 | /* (attempt to) actually set up the SAs */ | |
2403 | return setup_half_ipsec_sa(st, TRUE); | |
2404 | #else /* !KLIPS */ | |
2405 | DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa()")); | |
2406 | return TRUE; | |
2407 | #endif /* !KLIPS */ | |
2408 | } | |
2409 | ||
2410 | /* Install a route and then a prospective shunt eroute or an SA group eroute. | |
2411 | * Assumption: could_route gave a go-ahead. | |
2412 | * Any SA Group must have already been created. | |
2413 | * On failure, steps will be unwound. | |
2414 | */ | |
2415 | bool | |
2416 | route_and_eroute(struct connection *c USED_BY_KLIPS | |
2417 | , struct spd_route *sr USED_BY_KLIPS | |
2418 | , struct state *st USED_BY_KLIPS) | |
2419 | { | |
2420 | #ifdef KLIPS | |
2421 | struct spd_route *esr; | |
2422 | struct spd_route *rosr; | |
2423 | struct connection *ero /* who, if anyone, owns our eroute? */ | |
2424 | , *ro = route_owner(c, &rosr, &ero, &esr); | |
2425 | bool eroute_installed = FALSE | |
2426 | , firewall_notified = FALSE | |
2427 | , route_installed = FALSE; | |
2428 | ||
2429 | struct connection *ero_top; | |
2430 | struct bare_shunt **bspp; | |
2431 | ||
2432 | DBG(DBG_CONTROLMORE, | |
2433 | DBG_log("route_and_eroute with c: %s (next: %s) ero:%s esr:{%p} ro:%s rosr:{%p} and state: %lu" | |
2434 | , c->name | |
2435 | , (c->policy_next ? c->policy_next->name : "none") | |
2436 | , ero ? ero->name : "null" | |
2437 | , esr | |
2438 | , ro ? ro->name : "null" | |
2439 | , rosr | |
2440 | , st ? st->st_serialno : 0)); | |
2441 | ||
2442 | /* look along the chain of policies for one with the same name */ | |
2443 | ero_top = ero; | |
2444 | ||
2445 | #if 0 | |
2446 | /* XXX - mcr this made sense before, and likely will make sense | |
2447 | * again, so I'l leaving this to remind me what is up */ | |
2448 | if (ero!= NULL && ero->routing == RT_UNROUTED_KEYED) | |
2449 | ero = NULL; | |
2450 | ||
2451 | for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next) | |
2452 | if ((ero2->kind == CK_TEMPLATE || ero2->kind==CK_SECONDARY) | |
2453 | && streq(ero2->name, c->name)) | |
2454 | break; | |
2455 | #endif | |
2456 | ||
2457 | bspp = (ero == NULL) | |
2458 | ? bare_shunt_ptr(&sr->this.client, &sr->that.client, sr->this.protocol) | |
2459 | : NULL; | |
2460 | ||
2461 | /* install the eroute */ | |
2462 | ||
2463 | passert(bspp == NULL || ero == NULL); /* only one non-NULL */ | |
2464 | ||
2465 | if (bspp != NULL || ero != NULL) | |
2466 | { | |
2467 | /* We're replacing an eroute */ | |
2468 | ||
2469 | /* if no state provided, then install a shunt for later */ | |
2470 | if (st == NULL) | |
2471 | eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE | |
2472 | , ERO_REPLACE, "replace"); | |
2473 | else | |
2474 | eroute_installed = sag_eroute(st, sr, ERO_REPLACE, "replace"); | |
2475 | ||
2476 | #if 0 | |
2477 | /* XXX - MCR. I previously felt that this was a bogus check */ | |
2478 | if (ero != NULL && ero != c && esr != sr) | |
2479 | { | |
2480 | /* By elimination, we must be eclipsing ero. Check. */ | |
2481 | passert(ero->kind == CK_TEMPLATE && streq(ero->name, c->name)); | |
2482 | passert(LHAS(LELEM(RT_ROUTED_PROSPECTIVE) | LELEM(RT_ROUTED_ECLIPSED) | |
2483 | , esr->routing)); | |
2484 | passert(samesubnet(&esr->this.client, &sr->this.client) | |
2485 | && samesubnet(&esr->that.client, &sr->that.client)); | |
2486 | } | |
2487 | #endif | |
2488 | /* remember to free bspp iff we make it out of here alive */ | |
2489 | } | |
2490 | else | |
2491 | { | |
2492 | /* we're adding an eroute */ | |
2493 | ||
2494 | /* if no state provided, then install a shunt for later */ | |
2495 | if (st == NULL) | |
2496 | eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE | |
2497 | , ERO_ADD, "add"); | |
2498 | else | |
2499 | eroute_installed = sag_eroute(st, sr, ERO_ADD, "add"); | |
2500 | } | |
2501 | ||
2502 | /* notify the firewall of a new tunnel */ | |
2503 | ||
2504 | if (eroute_installed) | |
2505 | { | |
2506 | /* do we have to notify the firewall? Yes, if we are installing | |
2507 | * a tunnel eroute and the firewall wasn't notified | |
2508 | * for a previous tunnel with the same clients. Any Previous | |
2509 | * tunnel would have to be for our connection, so the actual | |
2510 | * test is simple. | |
2511 | */ | |
2512 | firewall_notified = st == NULL /* not a tunnel eroute */ | |
2513 | || sr->eroute_owner != SOS_NOBODY /* already notified */ | |
2514 | || do_command(c, sr, "up"); /* go ahead and notify */ | |
2515 | } | |
2516 | ||
2517 | /* install the route */ | |
2518 | ||
2519 | DBG(DBG_CONTROL, | |
2520 | DBG_log("route_and_eroute: firewall_notified: %s" | |
2521 | , firewall_notified ? "true" : "false")); | |
2522 | if (!firewall_notified) | |
2523 | { | |
2524 | /* we're in trouble -- don't do routing */ | |
2525 | } | |
2526 | else if (ro == NULL) | |
2527 | { | |
2528 | /* a new route: no deletion required, but preparation is */ | |
2529 | (void) do_command(c, sr, "prepare"); /* just in case; ignore failure */ | |
2530 | route_installed = do_command(c, sr, "route"); | |
2531 | } | |
2532 | else if (routed(sr->routing) | |
2533 | || routes_agree(ro, c)) | |
2534 | { | |
2535 | route_installed = TRUE; /* nothing to be done */ | |
2536 | } | |
2537 | else | |
2538 | { | |
2539 | /* Some other connection must own the route | |
2540 | * and the route must disagree. But since could_route | |
2541 | * must have allowed our stealing it, we'll do so. | |
2542 | * | |
2543 | * A feature of LINUX allows us to install the new route | |
2544 | * before deleting the old if the nexthops differ. | |
2545 | * This reduces the "window of vulnerability" when packets | |
2546 | * might flow in the clear. | |
2547 | */ | |
2548 | if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop)) | |
2549 | { | |
2550 | (void) do_command(ro, sr, "unroute"); | |
2551 | route_installed = do_command(c, sr, "route"); | |
2552 | } | |
2553 | else | |
2554 | { | |
2555 | route_installed = do_command(c, sr, "route"); | |
2556 | (void) do_command(ro, sr, "unroute"); | |
2557 | } | |
2558 | ||
2559 | /* record unrouting */ | |
2560 | if (route_installed) | |
2561 | { | |
2562 | do { | |
2563 | passert(!erouted(rosr->routing)); | |
2564 | rosr->routing = RT_UNROUTED; | |
2565 | ||
2566 | /* no need to keep old value */ | |
2567 | ro = route_owner(c, &rosr, NULL, NULL); | |
2568 | } while (ro != NULL); | |
2569 | } | |
2570 | } | |
2571 | ||
2572 | /* all done -- clean up */ | |
2573 | if (route_installed) | |
2574 | { | |
2575 | /* Success! */ | |
2576 | ||
2577 | if (bspp != NULL) | |
2578 | { | |
2579 | free_bare_shunt(bspp); | |
2580 | } | |
2581 | else if (ero != NULL && ero != c) | |
2582 | { | |
2583 | /* check if ero is an ancestor of c. */ | |
2584 | struct connection *ero2; | |
2585 | ||
2586 | for (ero2 = c; ero2 != NULL && ero2 != c; ero2 = ero2->policy_next) | |
2587 | ; | |
2588 | ||
2589 | if (ero2 == NULL) | |
2590 | { | |
2591 | /* By elimination, we must be eclipsing ero. Checked above. */ | |
2592 | if (ero->spd.routing != RT_ROUTED_ECLIPSED) | |
2593 | { | |
2594 | ero->spd.routing = RT_ROUTED_ECLIPSED; | |
2595 | eclipse_count++; | |
2596 | } | |
2597 | } | |
2598 | } | |
2599 | ||
2600 | if (st == NULL) | |
2601 | { | |
2602 | passert(sr->eroute_owner == SOS_NOBODY); | |
2603 | sr->routing = RT_ROUTED_PROSPECTIVE; | |
2604 | } | |
2605 | else | |
2606 | { | |
2607 | char cib[CONN_INST_BUF]; | |
2608 | sr->routing = RT_ROUTED_TUNNEL; | |
2609 | ||
2610 | DBG(DBG_CONTROL, | |
2611 | DBG_log("route_and_eroute: instance \"%s\"%s, setting eroute_owner {spd=%p,sr=%p} to #%ld (was #%ld) (newest_ipsec_sa=#%ld)" | |
2612 | , st->st_connection->name | |
2613 | , (fmt_conn_instance(st->st_connection, cib), cib) | |
2614 | , &st->st_connection->spd, sr | |
2615 | , st->st_serialno | |
2616 | , sr->eroute_owner | |
2617 | , st->st_connection->newest_ipsec_sa)); | |
2618 | sr->eroute_owner = st->st_serialno; | |
2619 | } | |
2620 | ||
2621 | return TRUE; | |
2622 | } | |
2623 | else | |
2624 | { | |
2625 | /* Failure! Unwind our work. */ | |
2626 | if (firewall_notified && sr->eroute_owner == SOS_NOBODY) | |
2627 | (void) do_command(c, sr, "down"); | |
2628 | ||
2629 | if (eroute_installed) | |
2630 | { | |
2631 | /* Restore original eroute, if we can. | |
2632 | * Since there is nothing much to be done if the restoration | |
2633 | * fails, ignore success or failure. | |
2634 | */ | |
2635 | if (bspp != NULL) | |
2636 | { | |
2637 | /* Restore old bare_shunt. | |
2638 | * I don't think that this case is very likely. | |
2639 | * Normally a bare shunt would have been assigned | |
2640 | * to a connection before we've gotten this far. | |
2641 | */ | |
2642 | struct bare_shunt *bs = *bspp; | |
2643 | ||
2644 | (void) raw_eroute(&bs->said.dst /* should be useless */ | |
2645 | , &bs->ours | |
2646 | , &bs->said.dst /* should be useless */ | |
2647 | , &bs->his | |
2648 | , bs->said.spi /* network order */ | |
2649 | , SA_INT | |
2650 | , SADB_X_SATYPE_INT | |
2651 | , 0 | |
2652 | , null_proto_info | |
2653 | , SHUNT_PATIENCE | |
2654 | , ERO_REPLACE, "restore"); | |
2655 | } | |
2656 | else if (ero != NULL) | |
2657 | { | |
2658 | /* restore ero's former glory */ | |
2659 | if (esr->eroute_owner == SOS_NOBODY) | |
2660 | { | |
2661 | /* note: normal or eclipse case */ | |
2662 | (void) shunt_eroute(ero, esr | |
2663 | , esr->routing, ERO_REPLACE, "restore"); | |
2664 | } | |
2665 | else | |
2666 | { | |
2667 | /* Try to find state that owned eroute. | |
2668 | * Don't do anything if it cannot be found. | |
2669 | * This case isn't likely since we don't run | |
2670 | * the updown script when replacing a SA group | |
2671 | * with its successor (for the same conn). | |
2672 | */ | |
2673 | struct state *ost = state_with_serialno(esr->eroute_owner); | |
2674 | ||
2675 | if (ost != NULL) | |
2676 | (void) sag_eroute(ost, esr, ERO_REPLACE, "restore"); | |
2677 | } | |
2678 | } | |
2679 | else | |
2680 | { | |
2681 | /* there was no previous eroute: delete whatever we installed */ | |
2682 | if (st == NULL) | |
2683 | (void) shunt_eroute(c, sr | |
2684 | , sr->routing, ERO_DELETE, "delete"); | |
2685 | else | |
2686 | (void) sag_eroute(st, sr | |
2687 | , ERO_DELETE, "delete"); | |
2688 | } | |
2689 | } | |
2690 | ||
2691 | return FALSE; | |
2692 | } | |
2693 | #else /* !KLIPS */ | |
2694 | return TRUE; | |
2695 | #endif /* !KLIPS */ | |
2696 | } | |
2697 | ||
2698 | bool | |
2699 | install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS) | |
2700 | { | |
2701 | #ifdef KLIPS | |
2702 | struct spd_route *sr; | |
2703 | ||
2704 | DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s" | |
2705 | , st->st_serialno | |
2706 | , inbound_also? | |
2707 | "inbound and outbound" : "outbound only")); | |
2708 | ||
2709 | switch (could_route(st->st_connection)) | |
2710 | { | |
2711 | case route_easy: | |
2712 | case route_nearconflict: | |
2713 | break; | |
2714 | ||
2715 | default: | |
2716 | return FALSE; | |
2717 | } | |
2718 | ||
2719 | /* (attempt to) actually set up the SA group */ | |
2720 | if ((inbound_also && !setup_half_ipsec_sa(st, TRUE)) | |
2721 | || !setup_half_ipsec_sa(st, FALSE)) | |
2722 | return FALSE; | |
2723 | ||
2724 | for (sr = &st->st_connection->spd; sr != NULL; sr = sr->next) | |
2725 | { | |
2726 | DBG(DBG_CONTROL, DBG_log("sr for #%ld: %s" | |
2727 | , st->st_serialno | |
2728 | , enum_name(&routing_story, sr->routing))); | |
2729 | ||
2730 | /* | |
2731 | * if the eroute owner is not us, then make it us. | |
2732 | * See test co-terminal-02, pluto-rekey-01, pluto-unit-02/oppo-twice | |
2733 | */ | |
2734 | pexpect(sr->eroute_owner == SOS_NOBODY | |
2735 | || sr->routing >= RT_ROUTED_TUNNEL); | |
2736 | ||
2737 | if (sr->eroute_owner != st->st_serialno | |
2738 | && sr->routing != RT_UNROUTED_KEYED) | |
2739 | { | |
2740 | if (!route_and_eroute(st->st_connection, sr, st)) | |
2741 | { | |
2742 | delete_ipsec_sa(st, FALSE); | |
2743 | /* XXX go and unroute any SRs that were successfully | |
2744 | * routed already. | |
2745 | */ | |
2746 | return FALSE; | |
2747 | } | |
2748 | } | |
2749 | } | |
2750 | #else /* !KLIPS */ | |
2751 | DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() %s" | |
2752 | , inbound_also? "inbound and oubound" : "outbound only")); | |
2753 | ||
2754 | switch (could_route(st->st_connection)) | |
2755 | { | |
2756 | case route_easy: | |
2757 | case route_nearconflict: | |
2758 | break; | |
2759 | ||
2760 | default: | |
2761 | return FALSE; | |
2762 | } | |
2763 | ||
2764 | ||
2765 | #endif /* !KLIPS */ | |
2766 | ||
2767 | return TRUE; | |
2768 | } | |
2769 | ||
2770 | /* delete an IPSEC SA. | |
2771 | * we may not succeed, but we bull ahead anyway because | |
2772 | * we cannot do anything better by recognizing failure | |
2773 | */ | |
2774 | void | |
2775 | delete_ipsec_sa(struct state *st USED_BY_KLIPS, bool inbound_only USED_BY_KLIPS) | |
2776 | { | |
2777 | #ifdef KLIPS | |
2778 | if (!inbound_only) | |
2779 | { | |
2780 | /* If the state is the eroute owner, we must adjust | |
2781 | * the routing for the connection. | |
2782 | */ | |
2783 | struct connection *c = st->st_connection; | |
2784 | struct spd_route *sr; | |
2785 | ||
2786 | passert(st->st_connection); | |
2787 | ||
2788 | for (sr = &c->spd; sr; sr = sr->next) | |
2789 | { | |
2790 | if (sr->eroute_owner == st->st_serialno | |
2791 | && sr->routing == RT_ROUTED_TUNNEL) | |
2792 | { | |
2793 | sr->eroute_owner = SOS_NOBODY; | |
2794 | ||
2795 | /* Routing should become RT_ROUTED_FAILURE, | |
2796 | * but if POLICY_FAIL_NONE, then we just go | |
2797 | * right back to RT_ROUTED_PROSPECTIVE as if no | |
2798 | * failure happened. | |
2799 | */ | |
2800 | sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE | |
2801 | ? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE; | |
2802 | ||
2803 | (void) do_command(c, sr, "down"); | |
2804 | if ((c->policy & POLICY_DONT_REKEY) | |
2805 | && c->kind == CK_INSTANCE) | |
2806 | { | |
2807 | /* in this special case, even if the connection | |
2808 | * is still alive (due to an ISAKMP SA), | |
2809 | * we get rid of routing. | |
2810 | * Even though there is still an eroute, the c->routing | |
2811 | * setting will convince unroute_connection to delete it. | |
2812 | * unroute_connection would be upset if c->routing == RT_ROUTED_TUNNEL | |
2813 | */ | |
2814 | unroute_connection(c); | |
2815 | } | |
2816 | else | |
2817 | { | |
2818 | (void) shunt_eroute(c, sr, sr->routing, ERO_REPLACE, "replace with shunt"); | |
2819 | } | |
2820 | } | |
2821 | } | |
2822 | (void) teardown_half_ipsec_sa(st, FALSE); | |
2823 | } | |
2824 | (void) teardown_half_ipsec_sa(st, TRUE); | |
2825 | #else /* !KLIPS */ | |
2826 | DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()")); | |
2827 | #endif /* !KLIPS */ | |
2828 | } | |
2829 | #ifdef NAT_TRAVERSAL | |
2830 | #ifdef KLIPS | |
2831 | static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound) | |
2832 | { | |
2833 | struct connection *c = st->st_connection; | |
2834 | char text_said[SATOT_BUF]; | |
2835 | struct kernel_sa sa; | |
2836 | ip_address | |
2837 | src = inbound? c->spd.that.host_addr : c->spd.this.host_addr, | |
2838 | dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr; | |
2839 | ||
2840 | ||
2841 | ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi; | |
2842 | ||
2843 | u_int16_t | |
2844 | natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port, | |
2845 | natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port; | |
2846 | ||
2847 | set_text_said(text_said, &dst, esp_spi, SA_ESP); | |
2848 | ||
2849 | memset(&sa, 0, sizeof(sa)); | |
2850 | sa.spi = esp_spi; | |
2851 | sa.src = &src; | |
2852 | sa.dst = &dst; | |
2853 | sa.text_said = text_said; | |
2854 | sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth); | |
2855 | sa.natt_sport = natt_sport; | |
2856 | sa.natt_dport = natt_dport; | |
2857 | sa.transid = st->st_esp.attrs.transid; | |
2858 | ||
2859 | return kernel_ops->add_sa(&sa, TRUE); | |
2860 | ||
2861 | } | |
2862 | #endif | |
2863 | ||
2864 | bool update_ipsec_sa (struct state *st USED_BY_KLIPS) | |
2865 | { | |
2866 | #ifdef KLIPS | |
2867 | if (IS_IPSEC_SA_ESTABLISHED(st->st_state)) { | |
2868 | if ((st->st_esp.present) && ( | |
2869 | (!update_nat_t_ipsec_esp_sa (st, TRUE)) || | |
2870 | (!update_nat_t_ipsec_esp_sa (st, FALSE)))) { | |
2871 | return FALSE; | |
2872 | } | |
2873 | } | |
2874 | else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state)) { | |
2875 | if ((st->st_esp.present) && (!update_nat_t_ipsec_esp_sa (st, FALSE))) { | |
2876 | return FALSE; | |
2877 | } | |
2878 | } | |
2879 | else { | |
2880 | DBG_log("assert failed at %s:%d st_state=%d", __FILE__, __LINE__, | |
2881 | st->st_state); | |
2882 | return FALSE; | |
2883 | } | |
2884 | return TRUE; | |
2885 | #else /* !KLIPS */ | |
2886 | DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()")); | |
2887 | return TRUE; | |
2888 | #endif /* !KLIPS */ | |
2889 | } | |
2890 | #endif | |
2891 | ||
2892 | /* Check if there was traffic on given SA during the last idle_max | |
2893 | * seconds. If TRUE, the SA was idle and DPD exchange should be performed. | |
2894 | * If FALSE, DPD is not necessary. We also return TRUE for errors, as they | |
2895 | * could mean that the SA is broken and needs to be replace anyway. | |
2896 | */ | |
2897 | bool | |
2898 | was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time) | |
2899 | { | |
2900 | static const char procname[] = "/proc/net/ipsec_spi"; | |
2901 | FILE *f; | |
2902 | char buf[1024]; | |
2903 | u_int bytes; | |
2904 | int ret = TRUE; | |
2905 | ||
2906 | passert(st != NULL); | |
2907 | ||
2908 | f = fopen(procname, "r"); | |
2909 | if (f == NULL) | |
2910 | { | |
2911 | /* Can't open the file, perhaps were are on 26sec? */ | |
2912 | time_t use_time; | |
2913 | ||
2914 | if (get_sa_info(st, TRUE, &bytes, &use_time) | |
2915 | && use_time != UNDEFINED_TIME) | |
2916 | { | |
2917 | *idle_time = time(NULL) - use_time; | |
2918 | ret = *idle_time >= idle_max; | |
2919 | } | |
2920 | } | |
2921 | else | |
2922 | { | |
2923 | while (f != NULL) | |
2924 | { | |
2925 | char *line; | |
2926 | char text_said[SATOT_BUF]; | |
2927 | u_int8_t proto = 0; | |
2928 | ip_address dst; | |
2929 | ip_said said; | |
2930 | ipsec_spi_t spi = 0; | |
2931 | static const char idle[] = "idle="; | |
2932 | ||
2933 | dst = st->st_connection->spd.this.host_addr; /* inbound SA */ | |
2934 | if (st->st_ah.present) | |
2935 | { | |
2936 | proto = SA_AH; | |
2937 | spi = st->st_ah.our_spi; | |
2938 | } | |
2939 | if (st->st_esp.present) | |
2940 | { | |
2941 | proto = SA_ESP; | |
2942 | spi = st->st_esp.our_spi; | |
2943 | } | |
2944 | ||
2945 | if (proto == 0 && spi == 0) | |
2946 | { | |
2947 | ret = TRUE; | |
2948 | break; | |
2949 | } | |
2950 | ||
2951 | initsaid(&dst, spi, proto, &said); | |
2952 | satot(&said, 'x', text_said, SATOT_BUF); | |
2953 | ||
2954 | line = fgets(buf, sizeof(buf), f); | |
2955 | if (line == NULL) | |
2956 | { | |
2957 | /* Reached end of list */ | |
2958 | ret = TRUE; | |
2959 | break; | |
2960 | } | |
2961 | ||
2962 | if (strncmp(line, text_said, strlen(text_said)) == 0) | |
2963 | { | |
2964 | /* we found a match, now try to find idle= */ | |
2965 | char *p = strstr(line, idle); | |
2966 | ||
2967 | if (p == NULL) | |
2968 | { | |
2969 | /* SAs which haven't been used yet don't have it */ | |
2970 | ret = TRUE; /* it didn't have traffic */ | |
2971 | break; | |
2972 | } | |
2973 | p += sizeof(idle)-1; | |
2974 | if (*p == '\0') | |
2975 | { | |
2976 | ret = TRUE; /* be paranoid */ | |
2977 | break; | |
2978 | } | |
2979 | if (sscanf(p, "%d", (int *) idle_time) <= 0) | |
2980 | { | |
2981 | ret = TRUE; | |
2982 | break; | |
2983 | } | |
2984 | if (*idle_time >= idle_max) | |
2985 | { | |
2986 | ret = TRUE; | |
2987 | break; | |
2988 | } | |
2989 | else | |
2990 | { | |
2991 | ret = FALSE; | |
2992 | break; | |
2993 | } | |
2994 | } | |
2995 | } | |
2996 | fclose(f); | |
2997 | } | |
2998 | return ret; | |
2999 | } |