]> git.ipfire.org Git - thirdparty/strongswan.git/blame - src/pluto/kernel.c
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- applied patch from andreas
[thirdparty/strongswan.git] / src / pluto / kernel.c
CommitLineData
997358a6
MW		 1/* routines that interface with the kernel's IPsec mechanism
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
9820c0e2 15 * RCSID $Id: kernel.c,v 1.26 2006/04/29 18:16:02 as Exp $
997358a6
MW		 16 */
17
18#include <stddef.h>
19#include <string.h>
20#include <stdio.h>
21#include <stdlib.h>
22#include <errno.h>
23#include <wait.h>
24#include <unistd.h>
25#include <fcntl.h>
26#include <sys/queue.h>
27
28#include <sys/stat.h>
29#include <sys/socket.h>
30#include <netinet/in.h>
31#include <arpa/inet.h>
32
33#include <freeswan.h>
34#include <freeswan/ipsec_policy.h>
35
36#ifdef KLIPS
37#include <signal.h>
38#include <sys/time.h> /* for select(2) */
39#include <sys/types.h> /* for select(2) */
40#include <pfkeyv2.h>
41#include <pfkey.h>
42#include "kameipsec.h"
43#endif /* KLIPS */
44
45#include "constants.h"
46#include "defs.h"
47#include "rnd.h"
48#include "id.h"
49#include "connections.h"
50#include "state.h"
51#include "timer.h"
52#include "kernel.h"
53#include "kernel_netlink.h"
54#include "kernel_pfkey.h"
55#include "kernel_noklips.h"
56#include "log.h"
57#include "ca.h"
58#include "server.h"
59#include "whack.h" /* for RC_LOG_SERIOUS */
60#include "keys.h"
61
62#ifdef NAT_TRAVERSAL
63#include "packet.h" /* for pb_stream in nat_traversal.h */
64#include "nat_traversal.h"
65#endif
66
67#include "alg_info.h"
68#include "kernel_alg.h"
69
70
71bool can_do_IPcomp = TRUE; /* can system actually perform IPCOMP? */
72
73/* How far can IPsec messages arrive out of order before the anti-replay
74 * logic loses track and swats them? 64 is the best KLIPS can do.
75 * And 32 is the best XFRM can do...
76 */
77#define REPLAY_WINDOW 64
78#define REPLAY_WINDOW_XFRM 32
79
80/* test if the routes required for two different connections agree
81 * It is assumed that the destination subnets agree; we are only
82 * testing that the interfaces and nexthops match.
83 */
84#define routes_agree(c, d) ((c)->interface == (d)->interface \
85 && sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop))
86
87#ifndef KLIPS
88
89bool no_klips = TRUE; /* don't actually use KLIPS */
90
91#else /* !KLIPS */
92
93/* bare (connectionless) shunt (eroute) table
94 *
95 * Bare shunts are those that don't "belong" to a connection.
96 * This happens because some %trapped traffic hasn't yet or cannot be
97 * assigned to a connection. The usual reason is that we cannot discover
98 * the peer SG. Another is that even when the peer has been discovered,
99 * it may be that no connection matches all the particulars.
100 * We record them so that, with scanning, we can discover
101 * which %holds are news and which others should expire.
102 */
103
104#define SHUNT_SCAN_INTERVAL (60 * 2) /* time between scans of eroutes */
105
106/* SHUNT_PATIENCE only has resolution down to a multiple of the sample rate,
107 * SHUNT_SCAN_INTERVAL.
108 * By making SHUNT_PATIENCE an odd multiple of half of SHUNT_SCAN_INTERVAL,
109 * we minimize the effects of jitter.
110 */
111#define SHUNT_PATIENCE (SHUNT_SCAN_INTERVAL * 15 / 2) /* inactivity timeout */
112
113struct bare_shunt {
114 policy_prio_t policy_prio;
115 ip_subnet ours;
116 ip_subnet his;
117 ip_said said;
118 int transport_proto;
119 unsigned long count;
120 time_t last_activity;
121 char *why;
122 struct bare_shunt *next;
123};
124
125static struct bare_shunt *bare_shunts = NULL;
126
127#ifdef DEBUG
128static void
129DBG_bare_shunt(const char *op, const struct bare_shunt *bs)
130{
131 DBG(DBG_KLIPS,
132 {
133 int ourport = ntohs(portof(&(bs)->ours.addr));
134 int hisport = ntohs(portof(&(bs)->his.addr));
135 char ourst[SUBNETTOT_BUF];
136 char hist[SUBNETTOT_BUF];
137 char sat[SATOT_BUF];
138 char prio[POLICY_PRIO_BUF];
139
140 subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
141 subnettot(&(bs)->his, 0, hist, sizeof(hist));
142 satot(&(bs)->said, 0, sat, sizeof(sat));
143 fmt_policy_prio(bs->policy_prio, prio);
144 DBG_log("%s bare shunt %p %s:%d -> %s:%d => %s:%d %s %s"
145 , op, (const void *)(bs), ourst, ourport, hist, hisport
146 , sat, (bs)->transport_proto, prio, (bs)->why);
147 });
148}
149#else /* !DEBUG */
150#define DBG_bare_shunt(op, bs) {}
151#endif /* !DEBUG */
152
153/* The orphaned_holds table records %holds for which we
154 * scan_proc_shunts found no representation of in any connection.
155 * The corresponding ACQUIRE message might have been lost.
156 */
157struct eroute_info *orphaned_holds = NULL;
158
159/* forward declaration */
160static bool shunt_eroute(struct connection *c
161 , struct spd_route *sr
162 , enum routing_t rt_kind
163 , unsigned int op, const char *opname);
164static void set_text_said(char *text_said
165 , const ip_address *dst
166 , ipsec_spi_t spi
167 , int proto);
168
169bool no_klips = FALSE; /* don't actually use KLIPS */
170
171static const struct pfkey_proto_info null_proto_info[2] = {
172 {
173 proto: IPPROTO_ESP,
174 encapsulation: ENCAPSULATION_MODE_TRANSPORT,
175 reqid: 0
176 },
177 {
178 proto: 0,
179 encapsulation: 0,
180 reqid: 0
181 }
182};
183
184void
185record_and_initiate_opportunistic(const ip_subnet *ours
186 , const ip_subnet *his
187 , int transport_proto
188 , const char *why)
189{
190 passert(samesubnettype(ours, his));
191
192 /* Add to bare shunt list.
193 * We need to do this because the shunt was installed by KLIPS
194 * which can't do this itself.
195 */
196 {
197 struct bare_shunt *bs = alloc_thing(struct bare_shunt, "bare shunt");
198
199 bs->why = clone_str(why, "story for bare shunt");
200 bs->ours = *ours;
201 bs->his = *his;
202 bs->transport_proto = transport_proto;
203 bs->policy_prio = BOTTOM_PRIO;
204
205 bs->said.proto = SA_INT;
206 bs->said.spi = htonl(SPI_HOLD);
207 bs->said.dst = *aftoinfo(subnettypeof(ours))->any;
208
209 bs->count = 0;
210 bs->last_activity = now();
211
212 bs->next = bare_shunts;
213 bare_shunts = bs;
214 DBG_bare_shunt("add", bs);
215 }
216
217 /* actually initiate opportunism */
218 {
219 ip_address src, dst;
220
221 networkof(ours, &src);
222 networkof(his, &dst);
223 initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD);
224 }
225
226 /* if present, remove from orphaned_holds list.
227 * NOTE: we do this last in case ours or his is a pointer into a member.
228 */
229 {
230 struct eroute_info **pp, *p;
231
232 for (pp = &orphaned_holds; (p = *pp) != NULL; pp = &p->next)
233 {
234 if (samesubnet(ours, &p->ours)
235 && samesubnet(his, &p->his)
236 && transport_proto == p->transport_proto
237 && portof(&ours->addr) == portof(&p->ours.addr)
238 && portof(&his->addr) == portof(&p->his.addr))
239 {
240 *pp = p->next;
241 pfree(p);
242 break;
243 }
244 }
245 }
246}
247
248#endif /* KLIPS */
249
250static unsigned get_proto_reqid(unsigned base, int proto)
251{
252 switch (proto)
253 {
254 default:
255 case IPPROTO_COMP:
256 base++;
257 /* fall through */
258 case IPPROTO_ESP:
259 base++;
260 /* fall through */
261 case IPPROTO_AH:
262 break;
263 }
264
265 return base;
266}
267
268/* Generate Unique SPI numbers.
269 *
270 * The specs say that the number must not be less than IPSEC_DOI_SPI_MIN.
271 * Pluto generates numbers not less than IPSEC_DOI_SPI_OUR_MIN,
272 * reserving numbers in between for manual keying (but we cannot so
273 * restrict numbers generated by our peer).
274 * XXX This should be replaced by a call to the kernel when
275 * XXX we get an API.
276 * The returned SPI is in network byte order.
277 * We use a random number as the initial SPI so that there is
278 * a good chance that different Pluto instances will choose
279 * different SPIs. This is good for two reasons.
280 * - the keying material for the initiator and responder only
281 * differs if the SPIs differ.
282 * - if Pluto is restarted, it would otherwise recycle the SPI
283 * numbers and confuse everything. When the kernel generates
284 * SPIs, this will no longer matter.
285 * We then allocate numbers sequentially. Thus we don't have to
286 * check if the number was previously used (assuming that no
287 * SPI lives longer than 4G of its successors).
288 */
289ipsec_spi_t
290get_ipsec_spi(ipsec_spi_t avoid, int proto, struct spd_route *sr, bool tunnel)
291{
292 static ipsec_spi_t spi = 0; /* host order, so not returned directly! */
293 char text_said[SATOT_BUF];
294
295 set_text_said(text_said, &sr->this.host_addr, 0, proto);
296
297 if (kernel_ops->get_spi)
298 return kernel_ops->get_spi(&sr->that.host_addr
299 , &sr->this.host_addr, proto, tunnel
300 , get_proto_reqid(sr->reqid, proto)
301 , IPSEC_DOI_SPI_OUR_MIN, 0xffffffff
302 , text_said);
303
304 spi++;
305 while (spi < IPSEC_DOI_SPI_OUR_MIN || spi == ntohl(avoid))
306 get_rnd_bytes((u_char *)&spi, sizeof(spi));
307
308 DBG(DBG_CONTROL,
309 {
310 ipsec_spi_t spi_net = htonl(spi);
311
312 DBG_dump("generate SPI:", (u_char *)&spi_net, sizeof(spi_net));
313 });
314
315 return htonl(spi);
316}
317
318/* Generate Unique CPI numbers.
319 * The result is returned as an SPI (4 bytes) in network order!
320 * The real bits are in the nework-low-order 2 bytes.
321 * Modelled on get_ipsec_spi, but range is more limited:
322 * 256-61439.
323 * If we can't find one easily, return 0 (a bad SPI,
324 * no matter what order) indicating failure.
325 */
326ipsec_spi_t
327get_my_cpi(struct spd_route *sr, bool tunnel)
328{
329 static cpi_t
330 first_busy_cpi = 0,
331 latest_cpi;
332 char text_said[SATOT_BUF];
333
334 set_text_said(text_said, &sr->this.host_addr, 0, IPPROTO_COMP);
335
336 if (kernel_ops->get_spi)
337 return kernel_ops->get_spi(&sr->that.host_addr
338 , &sr->this.host_addr, IPPROTO_COMP, tunnel
339 , get_proto_reqid(sr->reqid, IPPROTO_COMP)
340 , IPCOMP_FIRST_NEGOTIATED, IPCOMP_LAST_NEGOTIATED
341 , text_said);
342
343 while (!(IPCOMP_FIRST_NEGOTIATED <= first_busy_cpi && first_busy_cpi < IPCOMP_LAST_NEGOTIATED))
344 {
345 get_rnd_bytes((u_char *)&first_busy_cpi, sizeof(first_busy_cpi));
346 latest_cpi = first_busy_cpi;
347 }
348
349 latest_cpi++;
350
351 if (latest_cpi == first_busy_cpi)
352 find_my_cpi_gap(&latest_cpi, &first_busy_cpi);
353
354 if (latest_cpi > IPCOMP_LAST_NEGOTIATED)
355 latest_cpi = IPCOMP_FIRST_NEGOTIATED;
356
357 return htonl((ipsec_spi_t)latest_cpi);
358}
359
360/* invoke the updown script to do the routing and firewall commands required
361 *
362 * The user-specified updown script is run. Parameters are fed to it in
363 * the form of environment variables. All such environment variables
364 * have names starting with "PLUTO_".
365 *
366 * The operation to be performed is specified by PLUTO_VERB. This
367 * verb has a suffix "-host" if the client on this end is just the
368 * host; otherwise the suffix is "-client". If the address family
369 * of the host is IPv6, an extra suffix of "-v6" is added.
370 *
371 * "prepare-host" and "prepare-client" are used to delete a route
372 * that may exist (due to forces outside of Pluto). It is used to
373 * prepare for pluto creating a route.
374 *
375 * "route-host" and "route-client" are used to install a route.
376 * Since routing is based only on destination, the PLUTO_MY_CLIENT_*
377 * values are probably of no use (using them may signify a bug).
378 *
379 * "unroute-host" and "unroute-client" are used to delete a route.
380 * Since routing is based only on destination, the PLUTO_MY_CLIENT_*
381 * values are probably of no use (using them may signify a bug).
382 *
383 * "up-host" and "up-client" are run when an eroute is added (not replaced).
384 * They are useful for adjusting a firewall: usually for adding a rule
385 * to let processed packets flow between clients. Note that only
386 * one eroute may exist for a pair of client subnets but inbound
387 * IPsec SAs may persist without an eroute.
388 *
389 * "down-host" and "down-client" are run when an eroute is deleted.
390 * They are useful for adjusting a firewall.
391 */
392
393#ifndef DEFAULT_UPDOWN
394# define DEFAULT_UPDOWN "ipsec _updown"
395#endif
396
397static bool
398do_command(struct connection *c, struct spd_route *sr, const char *verb)
399{
400 char cmd[1536]; /* arbitrary limit on shell command length */
401 const char *verb_suffix;
402
403 /* figure out which verb suffix applies */
404 {
405 const char *hs, *cs;
406
407 switch (addrtypeof(&sr->this.host_addr))
408 {
409 case AF_INET:
410 hs = "-host";
411 cs = "-client";
412 break;
413 case AF_INET6:
414 hs = "-host-v6";
415 cs = "-client-v6";
416 break;
417 default:
418 loglog(RC_LOG_SERIOUS, "unknown address family");
419 return FALSE;
420 }
421 verb_suffix = subnetisaddr(&sr->this.client, &sr->this.host_addr)
422 ? hs : cs;
423 }
424
425 /* form the command string */
426 {
427 char
428 nexthop_str[sizeof("PLUTO_NEXT_HOP='' ") +ADDRTOT_BUF] = "",
429 srcip_str[sizeof("PLUTO_MY_SOURCEIP='' ")+ADDRTOT_BUF] = "",
430 me_str[ADDRTOT_BUF],
431 myid_str[BUF_LEN],
432 myclient_str[SUBNETTOT_BUF],
433 myclientnet_str[ADDRTOT_BUF],
434 myclientmask_str[ADDRTOT_BUF],
435 peer_str[ADDRTOT_BUF],
436 peerid_str[BUF_LEN],
437 peerclient_str[SUBNETTOT_BUF],
438 peerclientnet_str[ADDRTOT_BUF],
439 peerclientmask_str[ADDRTOT_BUF],
440 peerca_str[BUF_LEN],
441 secure_myid_str[BUF_LEN] = "",
442 secure_peerid_str[BUF_LEN] = "",
443 secure_peerca_str[BUF_LEN] = "";
444 ip_address ta;
445 pubkey_list_t *p;
446
447 if (addrbytesptr(&sr->this.host_nexthop, NULL)
448 && !isanyaddr(&sr->this.host_nexthop))
449 {
450 char *n;
451
452 strcpy(nexthop_str, "PLUTO_NEXT_HOP='");
453 n = nexthop_str + strlen(nexthop_str);
454
455 addrtot(&sr->this.host_nexthop, 0
456 ,n , sizeof(nexthop_str)-strlen(nexthop_str));
457 strncat(nexthop_str, "' ", sizeof(nexthop_str));
458 }
459
460 if (addrbytesptr(&sr->this.host_srcip, NULL)
461 && !isanyaddr(&sr->this.host_srcip))
462 {
463 char *n;
464
465 strcpy(srcip_str, "PLUTO_MY_SOURCEIP='");
466 n = srcip_str + strlen(srcip_str);
467
468 addrtot(&sr->this.host_srcip, 0
469 ,n , sizeof(srcip_str)-strlen(srcip_str));
470 strncat(srcip_str, "' ", sizeof(srcip_str));
471 }
472
473 addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
474 idtoa(&sr->this.id, myid_str, sizeof(myid_str));
475 escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
476 subnettot(&sr->this.client, 0, myclient_str, sizeof(myclientnet_str));
477 networkof(&sr->this.client, &ta);
478 addrtot(&ta, 0, myclientnet_str, sizeof(myclientnet_str));
479 maskof(&sr->this.client, &ta);
480 addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str));
481
482 addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str));
483 idtoa(&sr->that.id, peerid_str, sizeof(peerid_str));
484 escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str));
485 subnettot(&sr->that.client, 0, peerclient_str, sizeof(peerclientnet_str));
486 networkof(&sr->that.client, &ta);
487 addrtot(&ta, 0, peerclientnet_str, sizeof(peerclientnet_str));
488 maskof(&sr->that.client, &ta);
489 addrtot(&ta, 0, peerclientmask_str, sizeof(peerclientmask_str));
490
491 for (p = pubkeys; p != NULL; p = p->next)
492 {
493 pubkey_t *key = p->key;
494 int pathlen;
495
496 if (key->alg == PUBKEY_ALG_RSA && same_id(&sr->that.id, &key->id)
497 && trusted_ca(key->issuer, sr->that.ca, &pathlen))
498 {
499 dntoa_or_null(peerca_str, BUF_LEN, key->issuer, "");
500 escape_metachar(peerca_str, secure_peerca_str, sizeof(secure_peerca_str));
501 break;
502 }
503 }
504
505 if (-1 == snprintf(cmd, sizeof(cmd)
506 , "2>&1 " /* capture stderr along with stdout */
507 "PLUTO_VERSION='1.1' " /* change VERSION when interface spec changes */
508 "PLUTO_VERB='%s%s' "
509 "PLUTO_CONNECTION='%s' "
510 "%s" /* optional PLUTO_NEXT_HOP */
511 "PLUTO_INTERFACE='%s' "
512 "%s" /* optional PLUTO_HOST_ACCESS */
513 "PLUTO_REQID='%u' "
514 "PLUTO_ME='%s' "
515 "PLUTO_MY_ID='%s' "
516 "PLUTO_MY_CLIENT='%s' "
517 "PLUTO_MY_CLIENT_NET='%s' "
518 "PLUTO_MY_CLIENT_MASK='%s' "
519 "PLUTO_MY_PORT='%u' "
520 "PLUTO_MY_PROTOCOL='%u' "
521 "PLUTO_PEER='%s' "
522 "PLUTO_PEER_ID='%s' "
523 "PLUTO_PEER_CLIENT='%s' "
524 "PLUTO_PEER_CLIENT_NET='%s' "
525 "PLUTO_PEER_CLIENT_MASK='%s' "
526 "PLUTO_PEER_PORT='%u' "
527 "PLUTO_PEER_PROTOCOL='%u' "
528 "PLUTO_PEER_CA='%s' "
529 "%s" /* optional PLUTO_MY_SRCIP */
530 "%s" /* actual script */
531 , verb, verb_suffix
532 , c->name
533 , nexthop_str
534 , c->interface->vname
535 , sr->this.hostaccess? "PLUTO_HOST_ACCESS='1' " : ""
536 , sr->reqid + 1 /* ESP requid */
537 , me_str
538 , secure_myid_str
539 , myclient_str
540 , myclientnet_str
541 , myclientmask_str
542 , sr->this.port
543 , sr->this.protocol
544 , peer_str
545 , secure_peerid_str
546 , peerclient_str
547 , peerclientnet_str
548 , peerclientmask_str
549 , sr->that.port
550 , sr->that.protocol
551 , secure_peerca_str
552 , srcip_str
553 , sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
554 {
555 loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
556 return FALSE;
557 }
558 }
559
560 DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
561 , verb, verb_suffix, cmd));
562
563#ifdef KLIPS
564 if (!no_klips)
565 {
566 /* invoke the script, catching stderr and stdout
567 * It may be of concern that some file descriptors will
568 * be inherited. For the ones under our control, we
569 * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
570 * Any used by library routines (perhaps the resolver or syslog)
571 * will remain.
572 */
573 FILE *f = popen(cmd, "r");
574
575 if (f == NULL)
576 {
577 loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
578 return FALSE;
579 }
580
581 /* log any output */
582 for (;;)
583 {
584 /* if response doesn't fit in this buffer, it will be folded */
585 char resp[256];
586
587 if (fgets(resp, sizeof(resp), f) == NULL)
588 {
589 if (ferror(f))
590 {
591 log_errno((e, "fgets failed on output of %s%s command"
592 , verb, verb_suffix));
593 return FALSE;
594 }
595 else
596 {
597 passert(feof(f));
598 break;
599 }
600 }
601 else
602 {
603 char *e = resp + strlen(resp);
604
605 if (e > resp && e[-1] == '\n')
606 e[-1] = '\0'; /* trim trailing '\n' */
607 plog("%s%s output: %s", verb, verb_suffix, resp);
608 }
609 }
610
611 /* report on and react to return code */
612 {
613 int r = pclose(f);
614
615 if (r == -1)
616 {
617 log_errno((e, "pclose failed for %s%s command"
618 , verb, verb_suffix));
619 return FALSE;
620 }
621 else if (WIFEXITED(r))
622 {
623 if (WEXITSTATUS(r) != 0)
624 {
625 loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
626 , verb, verb_suffix, WEXITSTATUS(r));
627 return FALSE;
628 }
629 }
630 else if (WIFSIGNALED(r))
631 {
632 loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
633 , verb, verb_suffix, WTERMSIG(r));
634 return FALSE;
635 }
636 else
637 {
638 loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
639 , verb, verb_suffix, r);
640 return FALSE;
641 }
642 }
643 }
644#endif /* KLIPS */
645 return TRUE;
646}
647
648/* Check that we can route (and eroute). Diagnose if we cannot. */
649
650enum routability {
651 route_impossible = 0,
652 route_easy = 1,
653 route_nearconflict = 2,
654 route_farconflict = 3
655};
656
657static enum routability
658could_route(struct connection *c)
659{
660 struct spd_route *esr, *rosr;
661 struct connection *ero /* who, if anyone, owns our eroute? */
662 , *ro = route_owner(c, &rosr, &ero, &esr); /* who owns our route? */
663
664 /* it makes no sense to route a connection that is ISAKMP-only */
665 if (!NEVER_NEGOTIATE(c->policy) && !HAS_IPSEC_POLICY(c->policy))
666 {
667 loglog(RC_ROUTE, "cannot route an ISAKMP-only connection");
668 return route_impossible;
669 }
670
671 /* if this is a Road Warrior template, we cannot route.
672 * Opportunistic template is OK.
673 */
674 if (c->kind == CK_TEMPLATE && !(c->policy & POLICY_OPPO))
675 {
676 loglog(RC_ROUTE, "cannot route Road Warrior template");
677 return route_impossible;
678 }
679
680 /* if we don't know nexthop, we cannot route */
681 if (isanyaddr(&c->spd.this.host_nexthop))
682 {
683 loglog(RC_ROUTE, "cannot route connection without knowing our nexthop");
684 return route_impossible;
685 }
686
687 /* if routing would affect IKE messages, reject */
688 if (!no_klips
689#ifdef NAT_TRAVERSAL
690 && c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
691#endif
692 && c->spd.this.host_port != IKE_UDP_PORT
693 && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
694 {
695 loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client");
696 return route_impossible;
697 }
698
699 /* If there is already a route for peer's client subnet
700 * and it disagrees about interface or nexthop, we cannot steal it.
701 * Note: if this connection is already routed (perhaps for another
702 * state object), the route will agree.
703 * This is as it should be -- it will arise during rekeying.
704 */
705 if (ro != NULL && !routes_agree(ro, c))
706 {
707 loglog(RC_LOG_SERIOUS, "cannot route -- route already in use for \"%s\""
708 , ro->name);
709 return route_impossible; /* another connection already
710 using the eroute */
711 }
712
713#ifdef KLIPS
714 /* if there is an eroute for another connection, there is a problem */
715 if (ero != NULL && ero != c)
716 {
717 struct connection *ero2, *ero_top;
718 struct connection *inside, *outside;
719
720 /*
721 * note, wavesec (PERMANENT) goes *outside* and
722 * OE goes *inside* (TEMPLATE)
723 */
724 inside = NULL;
725 outside= NULL;
726 if (ero->kind == CK_PERMANENT
727 && c->kind == CK_TEMPLATE)
728 {
729 outside = ero;
730 inside = c;
731 }
732 else if (c->kind == CK_PERMANENT
733 && ero->kind == CK_TEMPLATE)
734 {
735 outside = c;
736 inside = ero;
737 }
738
739 /* okay, check again, with correct order */
740 if (outside && outside->kind == CK_PERMANENT
741 && inside && inside->kind == CK_TEMPLATE)
742 {
743 char inst[CONN_INST_BUF];
744
745 /* this is a co-terminal attempt of the "near" kind. */
746 /* when chaining, we chain from inside to outside */
747
748 /* XXX permit multiple deep connections? */
749 passert(inside->policy_next == NULL);
750
751 inside->policy_next = outside;
752
753 /* since we are going to steal the eroute from the secondary
754 * policy, we need to make sure that it no longer thinks that
755 * it owns the eroute.
756 */
757 outside->spd.eroute_owner = SOS_NOBODY;
758 outside->spd.routing = RT_UNROUTED_KEYED;
759
760 /* set the priority of the new eroute owner to be higher
761 * than that of the current eroute owner
762 */
763 inside->prio = outside->prio + 1;
764
765 fmt_conn_instance(inside, inst);
766
767 loglog(RC_LOG_SERIOUS
768 , "conflict on eroute (%s), switching eroute to %s and linking %s"
769 , inst, inside->name, outside->name);
770
771 return route_nearconflict;
772 }
773
774 /* look along the chain of policies for one with the same name */
775 ero_top = ero;
776
777 for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next)
778 {
779 if (ero2->kind == CK_TEMPLATE
780 && streq(ero2->name, c->name))
781 break;
782 }
783
784 /* If we fell of the end of the list, then we found no TEMPLATE
785 * so there must be a conflict that we can't resolve.
786 * As the names are not equal, then we aren't replacing/rekeying.
787 */
788 if (ero2 == NULL)
789 {
790 char inst[CONN_INST_BUF];
791
792 fmt_conn_instance(ero, inst);
793
794 loglog(RC_LOG_SERIOUS
795 , "cannot install eroute -- it is in use for \"%s\"%s #%lu"
796 , ero->name, inst, esr->eroute_owner);
797 return FALSE; /* another connection already using the eroute */
798 }
799 }
800#endif /* KLIPS */
801 return route_easy;
802}
803
804bool
805trap_connection(struct connection *c)
806{
807 switch (could_route(c))
808 {
809 case route_impossible:
810 return FALSE;
811
812 case route_nearconflict:
813 case route_easy:
814 /* RT_ROUTED_TUNNEL is treated specially: we don't override
815 * because we don't want to lose track of the IPSEC_SAs etc.
816 */
817 if (c->spd.routing < RT_ROUTED_TUNNEL)
818 {
819 return route_and_eroute(c, &c->spd, NULL);
820 }
821 return TRUE;
822
823 case route_farconflict:
824 return FALSE;
825 }
826
827 return FALSE;
828}
829
830/* delete any eroute for a connection and unroute it if route isn't shared */
831void
832unroute_connection(struct connection *c)
833{
834 struct spd_route *sr;
835 enum routing_t cr;
836
837 for (sr = &c->spd; sr; sr = sr->next)
838 {
839 cr = sr->routing;
840
841 if (erouted(cr))
842 {
843 /* cannot handle a live one */
844 passert(sr->routing != RT_ROUTED_TUNNEL);
845#ifdef KLIPS
846 shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete");
847#endif
848 }
849
850 sr->routing = RT_UNROUTED; /* do now so route_owner won't find us */
851
852 /* only unroute if no other connection shares it */
853 if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL)
854 (void) do_command(c, sr, "unroute");
855 }
856}
857
858
859#ifdef KLIPS
860
861static void
862set_text_said(char *text_said, const ip_address *dst, ipsec_spi_t spi, int proto)
863{
864 ip_said said;
865
866 initsaid(dst, spi, proto, &said);
867 satot(&said, 0, text_said, SATOT_BUF);
868}
869
870/* find an entry in the bare_shunt table.
871 * Trick: return a pointer to the pointer to the entry;
872 * this allows the entry to be deleted.
873 */
874static struct bare_shunt **
875bare_shunt_ptr(const ip_subnet *ours, const ip_subnet *his, int transport_proto)
876{
877 struct bare_shunt *p, **pp;
878
879 for (pp = &bare_shunts; (p = *pp) != NULL; pp = &p->next)
880 {
881 if (samesubnet(ours, &p->ours)
882 && samesubnet(his, &p->his)
883 && transport_proto == p->transport_proto
884 && portof(&ours->addr) == portof(&p->ours.addr)
885 && portof(&his->addr) == portof(&p->his.addr))
886 return pp;
887 }
888 return NULL;
889}
890
891/* free a bare_shunt entry, given a pointer to the pointer */
892static void
893free_bare_shunt(struct bare_shunt **pp)
894{
895 if (pp == NULL)
896 {
897 DBG(DBG_CONTROL,
898 DBG_log("delete bare shunt: null pointer")
899 )
900 }
901 else
902 {
903 struct bare_shunt *p = *pp;
904
905 *pp = p->next;
906 DBG_bare_shunt("delete", p);
907 pfree(p->why);
908 pfree(p);
909 }
910}
911
912void
913show_shunt_status(void)
914{
915 struct bare_shunt *bs;
916
917 for (bs = bare_shunts; bs != NULL; bs = bs->next)
918 {
919 /* Print interesting fields. Ignore count and last_active. */
920
921 int ourport = ntohs(portof(&bs->ours.addr));
922 int hisport = ntohs(portof(&bs->his.addr));
923 char ourst[SUBNETTOT_BUF];
924 char hist[SUBNETTOT_BUF];
925 char sat[SATOT_BUF];
926 char prio[POLICY_PRIO_BUF];
927
928 subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
929 subnettot(&(bs)->his, 0, hist, sizeof(hist));
930 satot(&(bs)->said, 0, sat, sizeof(sat));
931 fmt_policy_prio(bs->policy_prio, prio);
932
933 whack_log(RC_COMMENT, "%s:%d -> %s:%d => %s:%d %s %s"
934 , ourst, ourport, hist, hisport, sat, bs->transport_proto
935 , prio, bs->why);
936 }
9820c0e2
MW		 937 if (bare_shunts != NULL)
938 whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */
997358a6
MW		 939}
940
941/* Setup an IPsec route entry.
942 * op is one of the ERO_* operators.
943 */
944
945static bool
946raw_eroute(const ip_address *this_host
947 , const ip_subnet *this_client
948 , const ip_address *that_host
949 , const ip_subnet *that_client
950 , ipsec_spi_t spi
951 , unsigned int proto
952 , unsigned int satype
953 , unsigned int transport_proto
954 , const struct pfkey_proto_info *proto_info
955 , time_t use_lifetime
956 , unsigned int op
957 , const char *opname USED_BY_DEBUG)
958{
959 char text_said[SATOT_BUF];
960
961 set_text_said(text_said, that_host, spi, proto);
962
963 DBG(DBG_CONTROL | DBG_KLIPS,
964 {
965 int sport = ntohs(portof(&this_client->addr));
966 int dport = ntohs(portof(&that_client->addr));
967 char mybuf[SUBNETTOT_BUF];
968 char peerbuf[SUBNETTOT_BUF];
969
970 subnettot(this_client, 0, mybuf, sizeof(mybuf));
971 subnettot(that_client, 0, peerbuf, sizeof(peerbuf));
972 DBG_log("%s eroute %s:%d -> %s:%d => %s:%d"
973 , opname, mybuf, sport, peerbuf, dport
974 , text_said, transport_proto);
975 });
976
977 return kernel_ops->raw_eroute(this_host, this_client
978 , that_host, that_client, spi, satype, transport_proto, proto_info
979 , use_lifetime, op, text_said);
980}
981
982/* test to see if %hold remains */
983bool
984has_bare_hold(const ip_address *src, const ip_address *dst, int transport_proto)
985{
986 ip_subnet this_client, that_client;
987 struct bare_shunt **bspp;
988
989 passert(addrtypeof(src) == addrtypeof(dst));
990 happy(addrtosubnet(src, &this_client));
991 happy(addrtosubnet(dst, &that_client));
992 bspp = bare_shunt_ptr(&this_client, &that_client, transport_proto);
993 return bspp != NULL
994 && (*bspp)->said.proto == SA_INT && (*bspp)->said.spi == htonl(SPI_HOLD);
995}
996
997
998/* Replace (or delete) a shunt that is in the bare_shunts table.
999 * Issues the PF_KEY commands and updates the bare_shunts table.
1000 */
1001bool
1002replace_bare_shunt(const ip_address *src, const ip_address *dst
1003 , policy_prio_t policy_prio
1004 , ipsec_spi_t shunt_spi /* in host order! */
1005 , bool repl /* if TRUE, replace; if FALSE, delete */
1006 , unsigned int transport_proto
1007 , const char *why)
1008{
1009 ip_subnet this_client, that_client;
1010 ip_subnet this_broad_client, that_broad_client;
1011 const ip_address *null_host = aftoinfo(addrtypeof(src))->any;
1012
1013 passert(addrtypeof(src) == addrtypeof(dst));
1014 happy(addrtosubnet(src, &this_client));
1015 happy(addrtosubnet(dst, &that_client));
1016 this_broad_client = this_client;
1017 that_broad_client = that_client;
1018 setportof(0, &this_broad_client.addr);
1019 setportof(0, &that_broad_client.addr);
1020
1021 if (repl)
1022 {
1023 struct bare_shunt **bs_pp = bare_shunt_ptr(&this_broad_client
1024 , &that_broad_client, 0);
1025
1026 /* is there already a broad host-to-host bare shunt? */
1027 if (bs_pp == NULL)
1028 {
1029 if (raw_eroute(null_host, &this_broad_client, null_host, &that_broad_client
1030 , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
1031 , 0, null_proto_info
1032 , SHUNT_PATIENCE, ERO_ADD, why))
1033 {
1034 struct bare_shunt *bs = alloc_thing(struct bare_shunt, "bare shunt");
1035
1036 bs->ours = this_broad_client;
1037 bs->his = that_broad_client;
1038 bs->transport_proto = 0;
1039 bs->said.proto = SA_INT;
1040 bs->why = clone_str(why, "bare shunt story");
1041 bs->policy_prio = policy_prio;
1042 bs->said.spi = htonl(shunt_spi);
1043 bs->said.dst = *null_host;
1044 bs->count = 0;
1045 bs->last_activity = now();
1046 bs->next = bare_shunts;
1047 bare_shunts = bs;
1048 DBG_bare_shunt("add", bs);
1049 }
1050 }
1051 shunt_spi = SPI_HOLD;
1052 }
1053
1054 if (raw_eroute(null_host, &this_client, null_host, &that_client
1055 , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
1056 , transport_proto, null_proto_info
1057 , SHUNT_PATIENCE, ERO_DELETE, why))
1058 {
1059 struct bare_shunt **bs_pp = bare_shunt_ptr(&this_client, &that_client
1060 , transport_proto);
1061
1062 /* delete bare eroute */
1063 free_bare_shunt(bs_pp);
1064 return TRUE;
1065 }
1066 else
1067 {
1068 return FALSE;
1069 }
1070}
1071
1072static bool
1073eroute_connection(struct spd_route *sr
1074, ipsec_spi_t spi, unsigned int proto, unsigned int satype
1075, const struct pfkey_proto_info *proto_info
1076, unsigned int op, const char *opname)
1077{
1078 const ip_address *peer = &sr->that.host_addr;
1079 char buf2[256];
1080
1081 snprintf(buf2, sizeof(buf2)
1082 , "eroute_connection %s", opname);
1083
1084 if (proto == SA_INT)
1085 peer = aftoinfo(addrtypeof(peer))->any;
1086
1087 return raw_eroute(&sr->this.host_addr, &sr->this.client
1088 , peer
1089 , &sr->that.client
1090 , spi, proto, satype
1091 , sr->this.protocol, proto_info, 0, op, buf2);
1092}
1093
1094/* assign a bare hold to a connection */
1095
1096bool
1097assign_hold(struct connection *c USED_BY_DEBUG
1098 , struct spd_route *sr
1099 , int transport_proto
1100 , const ip_address *src, const ip_address *dst)
1101{
1102 /* either the automatically installed %hold eroute is broad enough
1103 * or we try to add a broader one and delete the automatic one.
1104 * Beware: this %hold might be already handled, but still squeak
1105 * through because of a race.
1106 */
1107 enum routing_t ro = sr->routing /* routing, old */
1108 , rn = ro; /* routing, new */
1109
1110 passert(LHAS(LELEM(CK_PERMANENT) | LELEM(CK_INSTANCE), c->kind));
1111 /* figure out what routing should become */
1112 switch (ro)
1113 {
1114 case RT_UNROUTED:
1115 rn = RT_UNROUTED_HOLD;
1116 break;
1117 case RT_ROUTED_PROSPECTIVE:
1118 rn = RT_ROUTED_HOLD;
1119 break;
1120 default:
1121 /* no change: this %hold is old news and should just be deleted */
1122 break;
1123 }
1124
1125 /* we need a broad %hold, not the narrow one.
1126 * First we ensure that there is a broad %hold.
1127 * There may already be one (race condition): no need to create one.
1128 * There may already be a %trap: replace it.
1129 * There may not be any broad eroute: add %hold.
1130 * Once the broad %hold is in place, delete the narrow one.
1131 */
1132 if (rn != ro)
1133 {
1134 if (erouted(ro)
1135 ? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
1136 , null_proto_info
1137 , ERO_REPLACE, "replace %trap with broad %hold")
1138 : !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
1139 , null_proto_info
1140 , ERO_ADD, "add broad %hold"))
1141 {
1142 return FALSE;
1143 }
1144 }
1145 if (!replace_bare_shunt(src, dst, BOTTOM_PRIO, SPI_HOLD, FALSE
1146 , transport_proto, "delete narrow %hold"))
1147 {
1148 return FALSE;
1149 }
1150 sr->routing = rn;
1151 return TRUE;
1152}
1153
1154/* install or remove eroute for SA Group */
1155static bool
1156sag_eroute(struct state *st, struct spd_route *sr
1157 , unsigned op, const char *opname)
1158{
1159 u_int inner_proto = 0;
1160 u_int inner_satype = 0;
1161 ipsec_spi_t inner_spi = 0;
1162 struct pfkey_proto_info proto_info[4];
1163 int i;
1164 bool tunnel;
1165
1166 /* figure out the SPI and protocol (in two forms)
1167 * for the innermost transformation.
1168 */
1169
1170 i = sizeof(proto_info) / sizeof(proto_info[0]) - 1;
1171 proto_info[i].proto = 0;
1172 tunnel = FALSE;
1173
1174 if (st->st_ah.present)
1175 {
1176 inner_spi = st->st_ah.attrs.spi;
1177 inner_proto = SA_AH;
1178 inner_satype = SADB_SATYPE_AH;
1179
1180 i--;
1181 proto_info[i].proto = IPPROTO_AH;
1182 proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
1183 tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
1184 proto_info[i].reqid = sr->reqid;
1185 }
1186
1187 if (st->st_esp.present)
1188 {
1189 inner_spi = st->st_esp.attrs.spi;
1190 inner_proto = SA_ESP;
1191 inner_satype = SADB_SATYPE_ESP;
1192
1193 i--;
1194 proto_info[i].proto = IPPROTO_ESP;
1195 proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
1196 tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
1197 proto_info[i].reqid = sr->reqid + 1;
1198 }
1199
1200 if (st->st_ipcomp.present)
1201 {
1202 inner_spi = st->st_ipcomp.attrs.spi;
1203 inner_proto = SA_COMP;
1204 inner_satype = SADB_X_SATYPE_COMP;
1205
1206 i--;
1207 proto_info[i].proto = IPPROTO_COMP;
1208 proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
1209 tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
1210 proto_info[i].reqid = sr->reqid + 2;
1211 }
1212
1213 if (i == sizeof(proto_info) / sizeof(proto_info[0]) - 1)
1214 {
1215 impossible(); /* no transform at all! */
1216 }
1217
1218 if (tunnel)
1219 {
1220 int j;
1221
1222 inner_spi = st->st_tunnel_out_spi;
1223 inner_proto = SA_IPIP;
1224 inner_satype = SADB_X_SATYPE_IPIP;
1225
1226 proto_info[i].encapsulation = ENCAPSULATION_MODE_TUNNEL;
1227 for (j = i + 1; proto_info[j].proto; j++)
1228 {
1229 proto_info[j].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
1230 }
1231 }
1232
1233 return eroute_connection(sr
1234 , inner_spi, inner_proto, inner_satype, proto_info + i
1235 , op, opname);
1236}
1237
1238/* compute a (host-order!) SPI to implement the policy in connection c */
1239ipsec_spi_t
1240shunt_policy_spi(struct connection *c, bool prospective)
1241{
1242 /* note: these are in host order :-( */
1243 static const ipsec_spi_t shunt_spi[] =
1244 {
1245 SPI_TRAP, /* --initiateontraffic */
1246 SPI_PASS, /* --pass */
1247 SPI_DROP, /* --drop */
1248 SPI_REJECT, /* --reject */
1249 };
1250
1251 static const ipsec_spi_t fail_spi[] =
1252 {
1253 0, /* --none*/
1254 SPI_PASS, /* --failpass */
1255 SPI_DROP, /* --faildrop */
1256 SPI_REJECT, /* --failreject */
1257 };
1258
1259 return prospective
1260 ? shunt_spi[(c->policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT]
1261 : fail_spi[(c->policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT];
1262}
1263
1264/* Add/replace/delete a shunt eroute.
1265 * Such an eroute determines the fate of packets without the use
1266 * of any SAs. These are defaults, in effect.
1267 * If a negotiation has not been attempted, use %trap.
1268 * If negotiation has failed, the choice between %trap/%pass/%drop/%reject
1269 * is specified in the policy of connection c.
1270 */
1271static bool
1272shunt_eroute(struct connection *c
1273, struct spd_route *sr
1274, enum routing_t rt_kind
1275, unsigned int op, const char *opname)
1276{
1277 /* We are constructing a special SAID for the eroute.
1278 * The destination doesn't seem to matter, but the family does.
1279 * The protocol is SA_INT -- mark this as shunt.
1280 * The satype has no meaning, but is required for PF_KEY header!
1281 * The SPI signifies the kind of shunt.
1282 */
1283 ipsec_spi_t spi = shunt_policy_spi(c, rt_kind == RT_ROUTED_PROSPECTIVE);
1284 bool ok;
1285
1286 if (spi == 0)
1287 {
1288 /* we're supposed to end up with no eroute: rejig op and opname */
1289 switch (op)
1290 {
1291 case ERO_REPLACE:
1292 /* replace with nothing == delete */
1293 op = ERO_DELETE;
1294 opname = "delete";
1295 break;
1296 case ERO_ADD:
1297 /* add nothing == do nothing */
1298 return TRUE;
1299 case ERO_DELETE:
1300 /* delete remains delete */
1301 break;
1302 default:
1303 bad_case(op);
1304 }
1305 }
1306 if (sr->routing == RT_ROUTED_ECLIPSED && c->kind == CK_TEMPLATE)
1307 {
1308 /* We think that we have an eroute, but we don't.
1309 * Adjust the request and account for eclipses.
1310 */
1311 passert(eclipsable(sr));
1312 switch (op)
1313 {
1314 case ERO_REPLACE:
1315 /* really an add */
1316 op = ERO_ADD;
1317 opname = "replace eclipsed";
1318 eclipse_count--;
1319 break;
1320 case ERO_DELETE:
1321 /* delete unnecessary: we don't actually have an eroute */
1322 eclipse_count--;
1323 return TRUE;
1324 case ERO_ADD:
1325 default:
1326 bad_case(op);
1327 }
1328 }
1329 else if (eclipse_count > 0 && op == ERO_DELETE && eclipsable(sr))
1330 {
1331 /* maybe we are uneclipsing something */
1332 struct spd_route *esr;
1333 struct connection *ue = eclipsed(c, &esr);
1334
1335 if (ue != NULL)
1336 {
1337 esr->routing = RT_ROUTED_PROSPECTIVE;
1338 return shunt_eroute(ue, esr
1339 , RT_ROUTED_PROSPECTIVE, ERO_REPLACE, "restoring eclipsed");
1340 }
1341 }
1342
1343 ok = TRUE;
1344 if (kernel_ops->inbound_eroute)
1345 {
1346 ok = raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
1347 , &c->spd.this.host_addr, &c->spd.this.client
1348 , htonl(spi), SA_INT, SADB_X_SATYPE_INT
1349 , 0, null_proto_info, 0
1350 , op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), opname);
1351 }
1352 return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT
1353 , null_proto_info, op, opname) && ok;
1354}
1355
1356
1357/*
1358 * This is only called when s is a likely SAID with trailing protocol i.e.
1359 * it has the form :-
1360 *
1361 * %<keyword>:p
1362 * <ip-proto><spi>@a.b.c.d:p
1363 *
1364 * The task here is to remove the ":p" part so that the rest can be read
1365 * by another routine.
1366 */
1367static const char *
1368read_proto(const char * s, size_t * len, int * transport_proto)
1369{
1370 const char * p;
1371 const char * ugh;
1372 unsigned long proto;
1373 size_t l;
1374
1375 l = *len;
1376 p = memchr(s, ':', l);
1377 if (p == 0) {
1378 *transport_proto = 0;
1379 return 0;
1380 }
1381 ugh = ttoul(p+1, l-((p-s)+1), 10, &proto);
1382 if (ugh != 0)
1383 return ugh;
1384 if (proto > 65535)
1385 return "protocol number is too large, legal range is 0-65535";
1386 *len = p-s;
1387 *transport_proto = proto;
1388 return 0;
1389}
1390
1391
1392/* scan /proc/net/ipsec_eroute every once in a while, looking for:
1393 *
1394 * - %hold shunts of which Pluto isn't aware. This situation could
1395 * be caused by lost ACQUIRE messages. When found, they will
1396 * added to orphan_holds. This in turn will lead to Opportunistic
1397 * initiation.
1398 *
1399 * - other kinds of shunts that haven't been used recently. These will be
1400 * deleted. They represent OE failures.
1401 *
1402 * - recording recent uses of tunnel eroutes so that rekeying decisions
1403 * can be made for OE connections.
1404 *
1405 * Here are some sample lines:
1406 * 10 10.3.2.1.0/24 -> 0.0.0.0/0 => %trap
1407 * 259 10.3.2.1.115/32 -> 10.19.75.161/32 => tun0x1002@10.19.75.145
1408 * 71 10.44.73.97/32 -> 0.0.0.0/0 => %trap
1409 * 4119 10.44.73.97/32 -> 10.114.121.41/32 => %pass
1410 * Newer versions of KLIPS start each line with a 32-bit packet count.
1411 * If available, the count is used to detect whether a %pass shunt is in use.
1412 *
1413 * NOTE: execution time is quadratic in the number of eroutes since the
1414 * searching for each is sequential. If this becomes a problem, faster
1415 * searches could be implemented (hash or radix tree, for example).
1416 */
1417void
1418scan_proc_shunts(void)
1419{
1420 static const char procname[] = "/proc/net/ipsec_eroute";
1421 FILE *f;
1422 time_t nw = now();
1423 int lino;
1424 struct eroute_info *expired = NULL;
1425
1426 event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
1427
1428 DBG(DBG_CONTROL,
1429 DBG_log("scanning for shunt eroutes")
1430 )
1431
1432 /* free any leftover entries: they will be refreshed if still current */
1433 while (orphaned_holds != NULL)
1434 {
1435 struct eroute_info *p = orphaned_holds;
1436
1437 orphaned_holds = p->next;
1438 pfree(orphaned_holds);
1439 }
1440
1441 /* decode the /proc file. Don't do anything strenuous to it
1442 * (certainly no PF_KEY stuff) to minimize the chance that it
1443 * might change underfoot.
1444 */
1445
1446 f = fopen(procname, "r");
1447 if (f == NULL)
1448 return;
1449
1450 /* for each line... */
1451 for (lino = 1; ; lino++)
1452 {
1453 unsigned char buf[1024]; /* should be big enough */
1454 chunk_t field[10]; /* 10 is loose upper bound */
1455 chunk_t *ff = NULL; /* fixed fields (excluding optional count) */
1456 int fi;
1457 struct eroute_info eri;
1458 char *cp;
1459 err_t context = ""
1460 , ugh = NULL;
1461
1462 cp = fgets(buf, sizeof(buf), f);
1463 if (cp == NULL)
1464 break;
1465
1466 /* break out each field
1467 * Note: if there are too many fields, just stop;
1468 * it will be diagnosed a little later.
1469 */
1470 for (fi = 0; fi < (int)elemsof(field); fi++)
1471 {
1472 static const char sep[] = " \t\n"; /* field-separating whitespace */
1473 size_t w;
1474
1475 cp += strspn(cp, sep); /* find start of field */
1476 w = strcspn(cp, sep); /* find width of field */
1477 setchunk(field[fi], cp, w);
1478 cp += w;
1479 if (w == 0)
1480 break;
1481 }
1482
1483 /* This odd do-hickey is to share error reporting code.
1484 * A break will get to that common code. The setting
1485 * of "ugh" and "context" parameterize it.
1486 */
1487 do {
1488 /* Old entries have no packet count; new ones do.
1489 * check if things are as they should be.
1490 */
1491 if (fi == 5)
1492 ff = &field[0]; /* old form, with no count */
1493 else if (fi == 6)
1494 ff = &field[1]; /* new form, with count */
1495 else
1496 {
1497 ugh = "has wrong number of fields";
1498 break;
1499 }
1500
1501 if (ff[1].len != 2
1502 || strncmp(ff[1].ptr, "->", 2) != 0
1503 || ff[3].len != 2
1504 || strncmp(ff[3].ptr, "=>", 2) != 0)
1505 {
1506 ugh = "is missing -> or =>";
1507 break;
1508 }
1509
1510 /* actually digest fields of interest */
1511
1512 /* packet count */
1513
1514 eri.count = 0;
1515 if (ff != field)
1516 {
1517 context = "count field is malformed: ";
1518 ugh = ttoul(field[0].ptr, field[0].len, 10, &eri.count);
1519 if (ugh != NULL)
1520 break;
1521 }
1522
1523 /* our client */
1524
1525 context = "source subnet field malformed: ";
1526 ugh = ttosubnet(ff[0].ptr, ff[0].len, AF_INET, &eri.ours);
1527 if (ugh != NULL)
1528 break;
1529
1530 /* his client */
1531
1532 context = "destination subnet field malformed: ";
1533 ugh = ttosubnet(ff[2].ptr, ff[2].len, AF_INET, &eri.his);
1534 if (ugh != NULL)
1535 break;
1536
1537 /* SAID */
1538
1539 context = "SA ID field malformed: ";
1540 ugh = read_proto(ff[4].ptr, &ff[4].len, &eri.transport_proto);
1541 if (ugh != NULL)
1542 break;
1543 ugh = ttosa(ff[4].ptr, ff[4].len, &eri.said);
1544 } while (FALSE);
1545
1546 if (ugh != NULL)
1547 {
1548 plog("INTERNAL ERROR: %s line %d %s%s"
1549 , procname, lino, context, ugh);
1550 continue; /* ignore rest of line */
1551 }
1552
1553 /* Now we have decoded eroute, let's consider it.
1554 * For shunt eroutes:
1555 *
1556 * %hold: if not known, add to orphaned_holds list for initiation
1557 * because ACQUIRE might have been lost.
1558 *
1559 * %pass, %drop, %reject: determine if idle; if so, blast it away.
1560 * Can occur bare (if DNS provided insufficient information)
1561 * or with a connection (failure context).
1562 * Could even be installed by ipsec manual.
1563 *
1564 * %trap: always welcome.
1565 *
1566 * For other eroutes: find state and record count change
1567 */
1568 if (eri.said.proto == SA_INT)
1569 {
1570 /* shunt eroute */
1571 switch (ntohl(eri.said.spi))
1572 {
1573 case SPI_HOLD:
1574 if (bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto) == NULL
1575 && shunt_owner(&eri.ours, &eri.his) == NULL)
1576 {
1577 int ourport = ntohs(portof(&eri.ours.addr));
1578 int hisport = ntohs(portof(&eri.his.addr));
1579 char ourst[SUBNETTOT_BUF];
1580 char hist[SUBNETTOT_BUF];
1581 char sat[SATOT_BUF];
1582
1583 subnettot(&eri.ours, 0, ourst, sizeof(ourst));
1584 subnettot(&eri.his, 0, hist, sizeof(hist));
1585 satot(&eri.said, 0, sat, sizeof(sat));
1586
1587 DBG(DBG_CONTROL,
1588 DBG_log("add orphaned shunt %s:%d -> %s:%d => %s:%d"
1589 , ourst, ourport, hist, hisport, sat, eri.transport_proto)
1590 )
1591 eri.next = orphaned_holds;
1592 orphaned_holds = clone_thing(eri, "orphaned %hold");
1593 }
1594 break;
1595
1596 case SPI_PASS:
1597 case SPI_DROP:
1598 case SPI_REJECT:
1599 /* nothing sensible to do if we don't have counts */
1600 if (ff != field)
1601 {
1602 struct bare_shunt **bs_pp
1603 = bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto);
1604
1605 if (bs_pp != NULL)
1606 {
1607 struct bare_shunt *bs = *bs_pp;
1608
1609 if (eri.count != bs->count)
1610 {
1611 bs->count = eri.count;
1612 bs->last_activity = nw;
1613 }
1614 else if (nw - bs->last_activity > SHUNT_PATIENCE)
1615 {
1616 eri.next = expired;
1617 expired = clone_thing(eri, "expired %pass");
1618 }
1619 }
1620 }
1621 break;
1622
1623 case SPI_TRAP:
1624 break;
1625
1626 default:
1627 bad_case(ntohl(eri.said.spi));
1628 }
1629 }
1630 else
1631 {
1632 /* regular (non-shunt) eroute */
1633 state_eroute_usage(&eri.ours, &eri.his, eri.count, nw);
1634 }
1635 } /* for each line */
1636 fclose(f);
1637
1638 /* Now that we've finished processing the /proc file,
1639 * it is safe to delete the expired %pass shunts.
1640 */
1641 while (expired != NULL)
1642 {
1643 struct eroute_info *p = expired;
1644 ip_address src, dst;
1645
1646 networkof(&p->ours, &src);
1647 networkof(&p->his, &dst);
1648 (void) replace_bare_shunt(&src, &dst
1649 , BOTTOM_PRIO /* not used because we are deleting. This value is a filler */
1650 , SPI_PASS /* not used because we are deleting. This value is a filler */
1651 , FALSE, p->transport_proto, "delete expired bare shunts");
1652 expired = p->next;
1653 pfree(p);
1654 }
1655}
1656
1657static bool
1658del_spi(ipsec_spi_t spi, int proto
1659, const ip_address *src, const ip_address *dest)
1660{
1661 char text_said[SATOT_BUF];
1662 struct kernel_sa sa;
1663
1664 set_text_said(text_said, dest, spi, proto);
1665
1666 DBG(DBG_KLIPS, DBG_log("delete %s", text_said));
1667
1668 memset(&sa, 0, sizeof(sa));
1669 sa.spi = spi;
1670 sa.proto = proto;
1671 sa.src = src;
1672 sa.dst = dest;
1673 sa.text_said = text_said;
1674
1675 return kernel_ops->del_sa(&sa);
1676}
1677
1678/* Setup a pair of SAs. Code taken from setsa.c and spigrp.c, in
1679 * ipsec-0.5.
1680 */
1681
1682static bool
1683setup_half_ipsec_sa(struct state *st, bool inbound)
1684{
1685 /* Build an inbound or outbound SA */
1686
1687 struct connection *c = st->st_connection;
1688 ip_subnet src, dst;
1689 ip_subnet src_client, dst_client;
1690 ipsec_spi_t inner_spi = 0;
1691 u_int proto = 0;
1692 u_int satype = SADB_SATYPE_UNSPEC;
1693 bool replace;
1694
1695 /* SPIs, saved for spigrouping or undoing, if necessary */
1696 struct kernel_sa
1697 said[EM_MAXRELSPIS],
1698 *said_next = said;
1699
1700 char text_said[SATOT_BUF];
1701 int encapsulation;
1702
1703 replace = inbound && (kernel_ops->get_spi != NULL);
1704
1705 src.maskbits = 0;
1706 dst.maskbits = 0;
1707
1708 if (inbound)
1709 {
1710 src.addr = c->spd.that.host_addr;
1711 dst.addr = c->spd.this.host_addr;
1712 src_client = c->spd.that.client;
1713 dst_client = c->spd.this.client;
1714 }
1715 else
1716 {
1717 src.addr = c->spd.this.host_addr,
1718 dst.addr = c->spd.that.host_addr;
1719 src_client = c->spd.this.client;
1720 dst_client = c->spd.that.client;
1721 }
1722
1723 encapsulation = ENCAPSULATION_MODE_TRANSPORT;
1724 if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
1725 || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
1726 || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
1727 {
1728 encapsulation = ENCAPSULATION_MODE_TUNNEL;
1729 }
1730
1731 memset(said, 0, sizeof(said));
1732
1733 /* If we are tunnelling, set up IP in IP pseudo SA */
1734
1735 if (kernel_ops->inbound_eroute)
1736 {
1737 inner_spi = 256;
1738 proto = SA_IPIP;
1739 satype = SADB_SATYPE_UNSPEC;
1740 }
1741 else if (encapsulation == ENCAPSULATION_MODE_TUNNEL)
1742 {
1743 /* XXX hack alert -- we SHOULD NOT HAVE TO HAVE A DIFFERENT SPI
1744 * XXX FOR IP-in-IP ENCAPSULATION!
1745 */
1746
1747 ipsec_spi_t ipip_spi;
1748
1749 /* Allocate an SPI for the tunnel.
1750 * Since our peer will never see this,
1751 * and it comes from its own number space,
1752 * it is purely a local implementation wart.
1753 */
1754 {
1755 static ipsec_spi_t last_tunnel_spi = IPSEC_DOI_SPI_OUR_MIN;
1756
1757 ipip_spi = htonl(++last_tunnel_spi);
1758 if (inbound)
1759 st->st_tunnel_in_spi = ipip_spi;
1760 else
1761 st->st_tunnel_out_spi = ipip_spi;
1762 }
1763
1764 set_text_said(text_said
1765 , &c->spd.that.host_addr, ipip_spi, SA_IPIP);
1766
1767 said_next->src = &src.addr;
1768 said_next->dst = &dst.addr;
1769 said_next->src_client = &src_client;
1770 said_next->dst_client = &dst_client;
1771 said_next->spi = ipip_spi;
1772 said_next->satype = SADB_X_SATYPE_IPIP;
1773 said_next->text_said = text_said;
1774
1775 if (!kernel_ops->add_sa(said_next, replace))
1776 goto fail;
1777
1778 said_next++;
1779
1780 inner_spi = ipip_spi;
1781 proto = SA_IPIP;
1782 satype = SADB_X_SATYPE_IPIP;
1783 }
1784
1785 /* set up IPCOMP SA, if any */
1786
1787 if (st->st_ipcomp.present)
1788 {
1789 ipsec_spi_t ipcomp_spi = inbound? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi;
1790 unsigned compalg;
1791
1792 switch (st->st_ipcomp.attrs.transid)
1793 {
1794 case IPCOMP_DEFLATE:
1795 compalg = SADB_X_CALG_DEFLATE;
1796 break;
1797
1798 default:
1799 loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented"
1800 , enum_name(&ipcomp_transformid_names, st->st_ipcomp.attrs.transid));
1801 goto fail;
1802 }
1803
1804 set_text_said(text_said, &dst.addr, ipcomp_spi, SA_COMP);
1805
1806 said_next->src = &src.addr;
1807 said_next->dst = &dst.addr;
1808 said_next->src_client = &src_client;
1809 said_next->dst_client = &dst_client;
1810 said_next->spi = ipcomp_spi;
1811 said_next->satype = SADB_X_SATYPE_COMP;
1812 said_next->compalg = compalg;
1813 said_next->encapsulation = encapsulation;
1814 said_next->reqid = c->spd.reqid + 2;
1815 said_next->text_said = text_said;
1816
1817 if (!kernel_ops->add_sa(said_next, replace))
1818 goto fail;
1819
1820 said_next++;
1821
1822 encapsulation = ENCAPSULATION_MODE_TRANSPORT;
1823 }
1824
1825 /* set up ESP SA, if any */
1826
1827 if (st->st_esp.present)
1828 {
1829 ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
1830 u_char *esp_dst_keymat = inbound? st->st_esp.our_keymat : st->st_esp.peer_keymat;
1831 const struct esp_info *ei;
1832 u_int16_t key_len;
1833
1834 static const struct esp_info esp_info[] = {
1835 { ESP_NULL, AUTH_ALGORITHM_HMAC_MD5,
1836 0, HMAC_MD5_KEY_LEN,
1837 SADB_EALG_NULL, SADB_AALG_MD5_HMAC },
1838 { ESP_NULL, AUTH_ALGORITHM_HMAC_SHA1,
1839 0, HMAC_SHA1_KEY_LEN,
1840 SADB_EALG_NULL, SADB_AALG_SHA1_HMAC },
1841
1842 { ESP_DES, AUTH_ALGORITHM_NONE,
1843 DES_CBC_BLOCK_SIZE, 0,
1844 SADB_EALG_DES_CBC, SADB_AALG_NONE },
1845 { ESP_DES, AUTH_ALGORITHM_HMAC_MD5,
1846 DES_CBC_BLOCK_SIZE, HMAC_MD5_KEY_LEN,
1847 SADB_EALG_DES_CBC, SADB_AALG_MD5_HMAC },
1848 { ESP_DES, AUTH_ALGORITHM_HMAC_SHA1,
1849 DES_CBC_BLOCK_SIZE,
1850 HMAC_SHA1_KEY_LEN, SADB_EALG_DES_CBC, SADB_AALG_SHA1_HMAC },
1851
1852 { ESP_3DES, AUTH_ALGORITHM_NONE,
1853 DES_CBC_BLOCK_SIZE * 3, 0,
1854 SADB_EALG_3DES_CBC, SADB_AALG_NONE },
1855 { ESP_3DES, AUTH_ALGORITHM_HMAC_MD5,
1856 DES_CBC_BLOCK_SIZE * 3, HMAC_MD5_KEY_LEN,
1857 SADB_EALG_3DES_CBC, SADB_AALG_MD5_HMAC },
1858 { ESP_3DES, AUTH_ALGORITHM_HMAC_SHA1,
1859 DES_CBC_BLOCK_SIZE * 3, HMAC_SHA1_KEY_LEN,
1860 SADB_EALG_3DES_CBC, SADB_AALG_SHA1_HMAC },
1861 };
1862
1863#ifdef NAT_TRAVERSAL
1864 u_int8_t natt_type = 0;
1865 u_int16_t natt_sport = 0, natt_dport = 0;
1866 ip_address natt_oa;
1867
1868 if (st->nat_traversal & NAT_T_DETECTED) {
1869 natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ?
1870 ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
1871 natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port;
1872 natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
1873 natt_oa = st->nat_oa;
1874 }
1875#endif
1876
1877 for (ei = esp_info; ; ei++)
1878 {
1879 if (ei == &esp_info[elemsof(esp_info)])
1880 {
1881 /* Check for additional kernel alg */
1882#ifndef NO_KERNEL_ALG
1883 if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid,
1884 st->st_esp.attrs.auth))!=NULL) {
1885 break;
1886 }
1887#endif
1888
1889 /* note: enum_show may use a static buffer, so two
1890 * calls in one printf would be a mistake.
1891 * enum_name does the same job, without a static buffer,
1892 * assuming the name will be found.
1893 */
1894 loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s not implemented yet"
1895 , enum_name(&esp_transformid_names, st->st_esp.attrs.transid)
1896 , enum_name(&auth_alg_names, st->st_esp.attrs.auth));
1897 goto fail;
1898 }
1899
1900 if (st->st_esp.attrs.transid == ei->transid
1901 && st->st_esp.attrs.auth == ei->auth)
1902 break;
1903 }
1904
1905 key_len = st->st_esp.attrs.key_len/8;
1906 if (key_len) {
1907 /* XXX: must change to check valid _range_ key_len */
1908 if (key_len > ei->enckeylen) {
1909 loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
1910 enum_name(&esp_transformid_names, st->st_esp.attrs.transid),
1911 (int)key_len, (int)ei->enckeylen);
1912 goto fail;
1913 }
1914 } else {
1915 key_len = ei->enckeylen;
1916 }
1917 /* Grrrrr.... f*cking 7 bits jurassic algos */
1918
1919 /* 168 bits in kernel, need 192 bits for keymat_len */
1920 if (ei->transid == ESP_3DES && key_len == 21)
1921 key_len = 24;
1922
1923 /* 56 bits in kernel, need 64 bits for keymat_len */
1924 if (ei->transid == ESP_DES && key_len == 7)
1925 key_len = 8;
1926
1927 /* divide up keying material */
1928 /* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */
1929 DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING,
1930 if(st->st_esp.keymat_len != key_len + ei->authkeylen)
1931 DBG_log("keymat_len=%d key_len=%d authkeylen=%d",
1932 st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen);
1933 );
1934 passert(st->st_esp.keymat_len == key_len + ei->authkeylen);
1935
1936 set_text_said(text_said, &dst.addr, esp_spi, SA_ESP);
1937
1938 said_next->src = &src.addr;
1939 said_next->dst = &dst.addr;
1940 said_next->src_client = &src_client;
1941 said_next->dst_client = &dst_client;
1942 said_next->spi = esp_spi;
1943 said_next->satype = SADB_SATYPE_ESP;
1944 said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
1945 said_next->authalg = ei->authalg;
1946 said_next->authkeylen = ei->authkeylen;
1947 /* said_next->authkey = esp_dst_keymat + ei->enckeylen; */
1948 said_next->authkey = esp_dst_keymat + key_len;
1949 said_next->encalg = ei->encryptalg;
1950 /* said_next->enckeylen = ei->enckeylen; */
1951 said_next->enckeylen = key_len;
1952 said_next->enckey = esp_dst_keymat;
1953 said_next->encapsulation = encapsulation;
1954 said_next->reqid = c->spd.reqid + 1;
1955#ifdef NAT_TRAVERSAL
1956 said_next->natt_sport = natt_sport;
1957 said_next->natt_dport = natt_dport;
1958 said_next->transid = st->st_esp.attrs.transid;
1959 said_next->natt_type = natt_type;
1960 said_next->natt_oa = &natt_oa;
1961#endif
1962 said_next->text_said = text_said;
1963
1964 if (!kernel_ops->add_sa(said_next, replace))
1965 goto fail;
1966
1967 said_next++;
1968
1969 encapsulation = ENCAPSULATION_MODE_TRANSPORT;
1970 }
1971
1972 /* set up AH SA, if any */
1973
1974 if (st->st_ah.present)
1975 {
1976 ipsec_spi_t ah_spi = inbound? st->st_ah.our_spi : st->st_ah.attrs.spi;
1977 u_char *ah_dst_keymat = inbound? st->st_ah.our_keymat : st->st_ah.peer_keymat;
1978
1979 unsigned char authalg;
1980
1981 switch (st->st_ah.attrs.auth)
1982 {
1983 case AUTH_ALGORITHM_HMAC_MD5:
1984 authalg = SADB_AALG_MD5_HMAC;
1985 break;
1986
1987 case AUTH_ALGORITHM_HMAC_SHA1:
1988 authalg = SADB_AALG_SHA1_HMAC;
1989 break;
1990
1991 default:
1992 loglog(RC_LOG_SERIOUS, "%s not implemented yet"
1993 , enum_show(&auth_alg_names, st->st_ah.attrs.auth));
1994 goto fail;
1995 }
1996
1997 set_text_said(text_said, &dst.addr, ah_spi, SA_AH);
1998
1999 said_next->src = &src.addr;
2000 said_next->dst = &dst.addr;
2001 said_next->src_client = &src_client;
2002 said_next->dst_client = &dst_client;
2003 said_next->spi = ah_spi;
2004 said_next->satype = SADB_SATYPE_AH;
2005 said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
2006 said_next->authalg = authalg;
2007 said_next->authkeylen = st->st_ah.keymat_len;
2008 said_next->authkey = ah_dst_keymat;
2009 said_next->encapsulation = encapsulation;
2010 said_next->reqid = c->spd.reqid;
2011 said_next->text_said = text_said;
2012
2013 if (!kernel_ops->add_sa(said_next, replace))
2014 goto fail;
2015
2016 said_next++;
2017
2018 encapsulation = ENCAPSULATION_MODE_TRANSPORT;
2019 }
2020
2021 if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
2022 || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
2023 || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
2024 {
2025 encapsulation = ENCAPSULATION_MODE_TUNNEL;
2026 }
2027
2028 if (kernel_ops->inbound_eroute ? c->spd.eroute_owner == SOS_NOBODY
2029 : encapsulation == ENCAPSULATION_MODE_TUNNEL)
2030 {
2031 /* If inbound, and policy does not specifie DISABLEARRIVALCHECK,
2032 * tell KLIPS to enforce the IP addresses appropriate for this tunnel.
2033 * Note reversed ends.
2034 * Not much to be done on failure.
2035 */
2036 if (inbound && (c->policy & POLICY_DISABLEARRIVALCHECK) == 0)
2037 {
2038 struct pfkey_proto_info proto_info[4];
2039 int i = 0;
2040
2041 if (st->st_ipcomp.present)
2042 {
2043 proto_info[i].proto = IPPROTO_COMP;
2044 proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
2045 proto_info[i].reqid = c->spd.reqid + 2;
2046 i++;
2047 }
2048
2049 if (st->st_esp.present)
2050 {
2051 proto_info[i].proto = IPPROTO_ESP;
2052 proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
2053 proto_info[i].reqid = c->spd.reqid + 1;
2054 i++;
2055 }
2056
2057 if (st->st_ah.present)
2058 {
2059 proto_info[i].proto = IPPROTO_AH;
2060 proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
2061 proto_info[i].reqid = c->spd.reqid;
2062 i++;
2063 }
2064
2065 proto_info[i].proto = 0;
2066
2067 if (kernel_ops->inbound_eroute
2068 && encapsulation == ENCAPSULATION_MODE_TUNNEL)
2069 {
2070 proto_info[0].encapsulation = ENCAPSULATION_MODE_TUNNEL;
2071 for (i = 1; proto_info[i].proto; i++)
2072 {
2073 proto_info[i].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
2074 }
2075 }
2076
2077 /* MCR - should be passed a spd_eroute structure here */
2078 (void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
2079 , &c->spd.this.host_addr, &c->spd.this.client
2080 , inner_spi, proto, satype, c->spd.this.protocol
2081 , proto_info, 0
2082 , ERO_ADD_INBOUND, "add inbound");
2083 }
2084 }
2085
2086 /* If there are multiple SPIs, group them. */
2087
2088 if (kernel_ops->grp_sa && said_next > &said[1])
2089 {
2090 struct kernel_sa *s;
2091
2092 /* group SAs, two at a time, inner to outer (backwards in said[])
2093 * The grouping is by pairs. So if said[] contains ah esp ipip,
2094 * the grouping would be ipip:esp, esp:ah.
2095 */
2096 for (s = said; s < said_next-1; s++)
2097 {
2098 char
2099 text_said0[SATOT_BUF],
2100 text_said1[SATOT_BUF];
2101
2102 /* group s[1] and s[0], in that order */
2103
2104 set_text_said(text_said0, s[0].dst, s[0].spi, s[0].proto);
2105 set_text_said(text_said1, s[1].dst, s[1].spi, s[1].proto);
2106
2107 DBG(DBG_KLIPS, DBG_log("grouping %s and %s", text_said1, text_said0));
2108
2109 s[0].text_said = text_said0;
2110 s[1].text_said = text_said1;
2111
2112 if (!kernel_ops->grp_sa(s + 1, s))
2113 goto fail;
2114 }
2115 /* could update said, but it will not be used */
2116 }
2117
2118 return TRUE;
2119
2120fail:
2121 {
2122 /* undo the done SPIs */
2123 while (said_next-- != said)
2124 (void) del_spi(said_next->spi, said_next->proto
2125 , &src.addr, said_next->dst);
2126 return FALSE;
2127 }
2128}
2129
2130/* teardown_ipsec_sa is a canibalized version of setup_ipsec_sa */
2131
2132static bool
2133teardown_half_ipsec_sa(struct state *st, bool inbound)
2134{
2135 /* We need to delete AH, ESP, and IP in IP SPIs.
2136 * But if there is more than one, they have been grouped
2137 * so deleting any one will do. So we just delete the
2138 * first one found. It may or may not be the only one.
2139 */
2140 struct connection *c = st->st_connection;
2141 struct {
2142 unsigned proto;
2143 struct ipsec_proto_info *info;
2144 } protos[4];
2145 int i;
2146 bool result;
2147
2148 i = 0;
2149 if (kernel_ops->inbound_eroute && inbound
2150 && c->spd.eroute_owner == SOS_NOBODY)
2151 {
2152 (void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
2153 , &c->spd.this.host_addr, &c->spd.this.client
2154 , 256, IPSEC_PROTO_ANY, SADB_SATYPE_UNSPEC, c->spd.this.protocol
2155 , null_proto_info, 0
2156 , ERO_DEL_INBOUND, "delete inbound");
2157 }
2158
2159 if (!kernel_ops->grp_sa)
2160 {
2161 if (st->st_ah.present)
2162 {
2163 protos[i].info = &st->st_ah;
2164 protos[i].proto = SA_AH;
2165 i++;
2166 }
2167
2168 if (st->st_esp.present)
2169 {
2170 protos[i].info = &st->st_esp;
2171 protos[i].proto = SA_ESP;
2172 i++;
2173 }
2174
2175 if (st->st_ipcomp.present)
2176 {
2177 protos[i].info = &st->st_ipcomp;
2178 protos[i].proto = SA_COMP;
2179 i++;
2180 }
2181 }
2182 else if (st->st_ah.present)
2183 {
2184 protos[i].info = &st->st_ah;
2185 protos[i].proto = SA_AH;
2186 i++;
2187 }
2188 else if (st->st_esp.present)
2189 {
2190 protos[i].info = &st->st_esp;
2191 protos[i].proto = SA_ESP;
2192 i++;
2193 }
2194 else
2195 {
2196 impossible(); /* neither AH nor ESP in outbound SA bundle! */
2197 }
2198 protos[i].proto = 0;
2199
2200 result = TRUE;
2201 for (i = 0; protos[i].proto; i++)
2202 {
2203 unsigned proto = protos[i].proto;
2204 ipsec_spi_t spi;
2205 const ip_address *src, *dst;
2206
2207 if (inbound)
2208 {
2209 spi = protos[i].info->our_spi;
2210 src = &c->spd.that.host_addr;
2211 dst = &c->spd.this.host_addr;
2212 }
2213 else
2214 {
2215 spi = protos[i].info->attrs.spi;
2216 src = &c->spd.this.host_addr;
2217 dst = &c->spd.that.host_addr;
2218 }
2219
2220 result &= del_spi(spi, proto, src, dst);
2221 }
2222 return result;
2223}
2224
2225/*
2226 * get information about a given sa
2227 */
2228bool
2229get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
2230{
2231 char text_said[SATOT_BUF];
2232 struct kernel_sa sa;
2233 struct connection *c = st->st_connection;
2234
2235 *use_time = UNDEFINED_TIME;
2236
2237 if (kernel_ops->get_sa == NULL || !st->st_esp.present)
2238 return FALSE;
2239
2240 memset(&sa, 0, sizeof(sa));
2241 sa.proto = SA_ESP;
2242
2243 if (inbound)
2244 {
2245 sa.src = &c->spd.that.host_addr;
2246 sa.dst = &c->spd.this.host_addr;
2247 sa.spi = st->st_esp.our_spi;
2248 }
2249 else
2250 {
2251 sa.src = &c->spd.this.host_addr;
2252 sa.dst = &c->spd.that.host_addr;
2253 sa.spi = st->st_esp.attrs.spi;
2254 }
2255 set_text_said(text_said, sa.dst, sa.spi, sa.proto);
2256
2257 sa.text_said = text_said;
2258
2259 DBG(DBG_KLIPS,
2260 DBG_log("get %s", text_said)
2261 )
2262 if (!kernel_ops->get_sa(&sa, bytes))
2263 return FALSE;
2264 DBG(DBG_KLIPS,
2265 DBG_log(" current: %d bytes", *bytes)
2266 )
2267
2268 if (st->st_serialno == c->spd.eroute_owner)
2269 {
2270 DBG(DBG_KLIPS,
2271 DBG_log("get %sbound policy with reqid %u"
2272 , inbound? "in":"out", (u_int)c->spd.reqid + 1)
2273 )
2274 sa.transport_proto = c->spd.this.protocol;
2275 sa.encapsulation = st->st_esp.attrs.encapsulation;
2276
2277 if (inbound)
2278 {
2279 sa.src_client = &c->spd.that.client;
2280 sa.dst_client = &c->spd.this.client;
2281 }
2282 else
2283 {
2284 sa.src_client = &c->spd.this.client;
2285 sa.dst_client = &c->spd.that.client;
2286 }
2287 if (!kernel_ops->get_policy(&sa, inbound, use_time))
2288 return FALSE;
2289 DBG(DBG_KLIPS,
2290 DBG_log(" use_time: %s", timetoa(use_time, FALSE))
2291 )
2292 }
2293 return TRUE;
2294}
2295
2296const struct kernel_ops *kernel_ops;
2297
2298#endif /* KLIPS */
2299
2300void
2301init_kernel(void)
2302{
2303#ifdef KLIPS
2304
2305 if (no_klips)
2306 {
2307 kernel_ops = &noklips_kernel_ops;
2308 return;
2309 }
2310
2311 init_pfkey();
2312
2313 kernel_ops = &klips_kernel_ops;
2314
2315#if defined(linux) && defined(KERNEL26_SUPPORT)
2316 {
2317 bool linux_ipsec = 0;
2318 struct stat buf;
2319
2320 linux_ipsec = (stat("/proc/net/pfkey", &buf) == 0);
2321 if (linux_ipsec)
2322 {
2323 plog("Using Linux 2.6 IPsec interface code");
2324 kernel_ops = &linux_kernel_ops;
2325 }
2326 else
2327 {
2328 plog("Using KLIPS IPsec interface code");
2329 }
2330 }
2331#endif
2332
2333 if (kernel_ops->init)
2334 {
2335 kernel_ops->init();
2336 }
2337
2338 /* register SA types that we can negotiate */
2339 can_do_IPcomp = FALSE; /* until we get a response from KLIPS */
2340 kernel_ops->pfkey_register();
2341
2342 if (!kernel_ops->policy_lifetime)
2343 {
2344 event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
2345 }
2346#endif
2347}
2348
2349/* Note: install_inbound_ipsec_sa is only used by the Responder.
2350 * The Responder will subsequently use install_ipsec_sa for the outbound.
2351 * The Initiator uses install_ipsec_sa to install both at once.
2352 */
2353bool
2354install_inbound_ipsec_sa(struct state *st)
2355{
2356 struct connection *const c = st->st_connection;
2357
2358 /* If our peer has a fixed-address client, check if we already
2359 * have a route for that client that conflicts. We will take this
2360 * as proof that that route and the connections using it are
2361 * obsolete and should be eliminated. Interestingly, this is
2362 * the only case in which we can tell that a connection is obsolete.
2363 */
2364 passert(c->kind == CK_PERMANENT || c->kind == CK_INSTANCE);
2365 if (c->spd.that.has_client)
2366 {
2367 for (;;)
2368 {
2369 struct spd_route *esr;
2370 struct connection *o = route_owner(c, &esr, NULL, NULL);
2371
2372 if (o == NULL)
2373 break; /* nobody has a route */
2374
2375 /* note: we ignore the client addresses at this end */
2376 if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr)
2377 && o->interface == c->interface)
2378 break; /* existing route is compatible */
2379
2380 if (o->kind == CK_TEMPLATE && streq(o->name, c->name))
2381 break; /* ??? is this good enough?? */
2382
2383 loglog(RC_LOG_SERIOUS, "route to peer's client conflicts with \"%s\" %s; releasing old connection to free the route"
2384 , o->name, ip_str(&o->spd.that.host_addr));
2385 release_connection(o, FALSE);
2386 }
2387 }
2388
2389 DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa() checking if we can route"));
2390 /* check that we will be able to route and eroute */
2391 switch (could_route(c))
2392 {
2393 case route_easy:
2394 case route_nearconflict:
2395 break;
2396
2397 default:
2398 return FALSE;
2399 }
2400
2401#ifdef KLIPS
2402 /* (attempt to) actually set up the SAs */
2403 return setup_half_ipsec_sa(st, TRUE);
2404#else /* !KLIPS */
2405 DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa()"));
2406 return TRUE;
2407#endif /* !KLIPS */
2408}
2409
2410/* Install a route and then a prospective shunt eroute or an SA group eroute.
2411 * Assumption: could_route gave a go-ahead.
2412 * Any SA Group must have already been created.
2413 * On failure, steps will be unwound.
2414 */
2415bool
2416route_and_eroute(struct connection *c USED_BY_KLIPS
2417 , struct spd_route *sr USED_BY_KLIPS
2418 , struct state *st USED_BY_KLIPS)
2419{
2420#ifdef KLIPS
2421 struct spd_route *esr;
2422 struct spd_route *rosr;
2423 struct connection *ero /* who, if anyone, owns our eroute? */
2424 , *ro = route_owner(c, &rosr, &ero, &esr);
2425 bool eroute_installed = FALSE
2426 , firewall_notified = FALSE
2427 , route_installed = FALSE;
2428
2429 struct connection *ero_top;
2430 struct bare_shunt **bspp;
2431
2432 DBG(DBG_CONTROLMORE,
2433 DBG_log("route_and_eroute with c: %s (next: %s) ero:%s esr:{%p} ro:%s rosr:{%p} and state: %lu"
2434 , c->name
2435 , (c->policy_next ? c->policy_next->name : "none")
2436 , ero ? ero->name : "null"
2437 , esr
2438 , ro ? ro->name : "null"
2439 , rosr
2440 , st ? st->st_serialno : 0));
2441
2442 /* look along the chain of policies for one with the same name */
2443 ero_top = ero;
2444
2445#if 0
2446 /* XXX - mcr this made sense before, and likely will make sense
2447 * again, so I'l leaving this to remind me what is up */
2448 if (ero!= NULL && ero->routing == RT_UNROUTED_KEYED)
2449 ero = NULL;
2450
2451 for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next)
2452 if ((ero2->kind == CK_TEMPLATE || ero2->kind==CK_SECONDARY)
2453 && streq(ero2->name, c->name))
2454 break;
2455#endif
2456
2457 bspp = (ero == NULL)
2458 ? bare_shunt_ptr(&sr->this.client, &sr->that.client, sr->this.protocol)
2459 : NULL;
2460
2461 /* install the eroute */
2462
2463 passert(bspp == NULL || ero == NULL); /* only one non-NULL */
2464
2465 if (bspp != NULL || ero != NULL)
2466 {
2467 /* We're replacing an eroute */
2468
2469 /* if no state provided, then install a shunt for later */
2470 if (st == NULL)
2471 eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
2472 , ERO_REPLACE, "replace");
2473 else
2474 eroute_installed = sag_eroute(st, sr, ERO_REPLACE, "replace");
2475
2476#if 0
2477 /* XXX - MCR. I previously felt that this was a bogus check */
2478 if (ero != NULL && ero != c && esr != sr)
2479 {
2480 /* By elimination, we must be eclipsing ero. Check. */
2481 passert(ero->kind == CK_TEMPLATE && streq(ero->name, c->name));
2482 passert(LHAS(LELEM(RT_ROUTED_PROSPECTIVE) | LELEM(RT_ROUTED_ECLIPSED)
2483 , esr->routing));
2484 passert(samesubnet(&esr->this.client, &sr->this.client)
2485 && samesubnet(&esr->that.client, &sr->that.client));
2486 }
2487#endif
2488 /* remember to free bspp iff we make it out of here alive */
2489 }
2490 else
2491 {
2492 /* we're adding an eroute */
2493
2494 /* if no state provided, then install a shunt for later */
2495 if (st == NULL)
2496 eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
2497 , ERO_ADD, "add");
2498 else
2499 eroute_installed = sag_eroute(st, sr, ERO_ADD, "add");
2500 }
2501
2502 /* notify the firewall of a new tunnel */
2503
2504 if (eroute_installed)
2505 {
2506 /* do we have to notify the firewall? Yes, if we are installing
2507 * a tunnel eroute and the firewall wasn't notified
2508 * for a previous tunnel with the same clients. Any Previous
2509 * tunnel would have to be for our connection, so the actual
2510 * test is simple.
2511 */
2512 firewall_notified = st == NULL /* not a tunnel eroute */
2513 || sr->eroute_owner != SOS_NOBODY /* already notified */
2514 || do_command(c, sr, "up"); /* go ahead and notify */
2515 }
2516
2517 /* install the route */
2518
2519 DBG(DBG_CONTROL,
2520 DBG_log("route_and_eroute: firewall_notified: %s"
2521 , firewall_notified ? "true" : "false"));
2522 if (!firewall_notified)
2523 {
2524 /* we're in trouble -- don't do routing */
2525 }
2526 else if (ro == NULL)
2527 {
2528 /* a new route: no deletion required, but preparation is */
2529 (void) do_command(c, sr, "prepare"); /* just in case; ignore failure */
2530 route_installed = do_command(c, sr, "route");
2531 }
2532 else if (routed(sr->routing)
2533 || routes_agree(ro, c))
2534 {
2535 route_installed = TRUE; /* nothing to be done */
2536 }
2537 else
2538 {
2539 /* Some other connection must own the route
2540 * and the route must disagree. But since could_route
2541 * must have allowed our stealing it, we'll do so.
2542 *
2543 * A feature of LINUX allows us to install the new route
2544 * before deleting the old if the nexthops differ.
2545 * This reduces the "window of vulnerability" when packets
2546 * might flow in the clear.
2547 */
2548 if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop))
2549 {
2550 (void) do_command(ro, sr, "unroute");
2551 route_installed = do_command(c, sr, "route");
2552 }
2553 else
2554 {
2555 route_installed = do_command(c, sr, "route");
2556 (void) do_command(ro, sr, "unroute");
2557 }
2558
2559 /* record unrouting */
2560 if (route_installed)
2561 {
2562 do {
2563 passert(!erouted(rosr->routing));
2564 rosr->routing = RT_UNROUTED;
2565
2566 /* no need to keep old value */
2567 ro = route_owner(c, &rosr, NULL, NULL);
2568 } while (ro != NULL);
2569 }
2570 }
2571
2572 /* all done -- clean up */
2573 if (route_installed)
2574 {
2575 /* Success! */
2576
2577 if (bspp != NULL)
2578 {
2579 free_bare_shunt(bspp);
2580 }
2581 else if (ero != NULL && ero != c)
2582 {
2583 /* check if ero is an ancestor of c. */
2584 struct connection *ero2;
2585
2586 for (ero2 = c; ero2 != NULL && ero2 != c; ero2 = ero2->policy_next)
2587 ;
2588
2589 if (ero2 == NULL)
2590 {
2591 /* By elimination, we must be eclipsing ero. Checked above. */
2592 if (ero->spd.routing != RT_ROUTED_ECLIPSED)
2593 {
2594 ero->spd.routing = RT_ROUTED_ECLIPSED;
2595 eclipse_count++;
2596 }
2597 }
2598 }
2599
2600 if (st == NULL)
2601 {
2602 passert(sr->eroute_owner == SOS_NOBODY);
2603 sr->routing = RT_ROUTED_PROSPECTIVE;
2604 }
2605 else
2606 {
2607 char cib[CONN_INST_BUF];
2608 sr->routing = RT_ROUTED_TUNNEL;
2609
2610 DBG(DBG_CONTROL,
2611 DBG_log("route_and_eroute: instance \"%s\"%s, setting eroute_owner {spd=%p,sr=%p} to #%ld (was #%ld) (newest_ipsec_sa=#%ld)"
2612 , st->st_connection->name
2613 , (fmt_conn_instance(st->st_connection, cib), cib)
2614 , &st->st_connection->spd, sr
2615 , st->st_serialno
2616 , sr->eroute_owner
2617 , st->st_connection->newest_ipsec_sa));
2618 sr->eroute_owner = st->st_serialno;
2619 }
2620
2621 return TRUE;
2622 }
2623 else
2624 {
2625 /* Failure! Unwind our work. */
2626 if (firewall_notified && sr->eroute_owner == SOS_NOBODY)
2627 (void) do_command(c, sr, "down");
2628
2629 if (eroute_installed)
2630 {
2631 /* Restore original eroute, if we can.
2632 * Since there is nothing much to be done if the restoration
2633 * fails, ignore success or failure.
2634 */
2635 if (bspp != NULL)
2636 {
2637 /* Restore old bare_shunt.
2638 * I don't think that this case is very likely.
2639 * Normally a bare shunt would have been assigned
2640 * to a connection before we've gotten this far.
2641 */
2642 struct bare_shunt *bs = *bspp;
2643
2644 (void) raw_eroute(&bs->said.dst /* should be useless */
2645 , &bs->ours
2646 , &bs->said.dst /* should be useless */
2647 , &bs->his
2648 , bs->said.spi /* network order */
2649 , SA_INT
2650 , SADB_X_SATYPE_INT
2651 , 0
2652 , null_proto_info
2653 , SHUNT_PATIENCE
2654 , ERO_REPLACE, "restore");
2655 }
2656 else if (ero != NULL)
2657 {
2658 /* restore ero's former glory */
2659 if (esr->eroute_owner == SOS_NOBODY)
2660 {
2661 /* note: normal or eclipse case */
2662 (void) shunt_eroute(ero, esr
2663 , esr->routing, ERO_REPLACE, "restore");
2664 }
2665 else
2666 {
2667 /* Try to find state that owned eroute.
2668 * Don't do anything if it cannot be found.
2669 * This case isn't likely since we don't run
2670 * the updown script when replacing a SA group
2671 * with its successor (for the same conn).
2672 */
2673 struct state *ost = state_with_serialno(esr->eroute_owner);
2674
2675 if (ost != NULL)
2676 (void) sag_eroute(ost, esr, ERO_REPLACE, "restore");
2677 }
2678 }
2679 else
2680 {
2681 /* there was no previous eroute: delete whatever we installed */
2682 if (st == NULL)
2683 (void) shunt_eroute(c, sr
2684 , sr->routing, ERO_DELETE, "delete");
2685 else
2686 (void) sag_eroute(st, sr
2687 , ERO_DELETE, "delete");
2688 }
2689 }
2690
2691 return FALSE;
2692 }
2693#else /* !KLIPS */
2694 return TRUE;
2695#endif /* !KLIPS */
2696}
2697
2698bool
2699install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
2700{
2701#ifdef KLIPS
2702 struct spd_route *sr;
2703
2704 DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s"
2705 , st->st_serialno
2706 , inbound_also?
2707 "inbound and outbound" : "outbound only"));
2708
2709 switch (could_route(st->st_connection))
2710 {
2711 case route_easy:
2712 case route_nearconflict:
2713 break;
2714
2715 default:
2716 return FALSE;
2717 }
2718
2719 /* (attempt to) actually set up the SA group */
2720 if ((inbound_also && !setup_half_ipsec_sa(st, TRUE))
2721 || !setup_half_ipsec_sa(st, FALSE))
2722 return FALSE;
2723
2724 for (sr = &st->st_connection->spd; sr != NULL; sr = sr->next)
2725 {
2726 DBG(DBG_CONTROL, DBG_log("sr for #%ld: %s"
2727 , st->st_serialno
2728 , enum_name(&routing_story, sr->routing)));
2729
2730 /*
2731 * if the eroute owner is not us, then make it us.
2732 * See test co-terminal-02, pluto-rekey-01, pluto-unit-02/oppo-twice
2733 */
2734 pexpect(sr->eroute_owner == SOS_NOBODY
2735 || sr->routing >= RT_ROUTED_TUNNEL);
2736
2737 if (sr->eroute_owner != st->st_serialno
2738 && sr->routing != RT_UNROUTED_KEYED)
2739 {
2740 if (!route_and_eroute(st->st_connection, sr, st))
2741 {
2742 delete_ipsec_sa(st, FALSE);
2743 /* XXX go and unroute any SRs that were successfully
2744 * routed already.
2745 */
2746 return FALSE;
2747 }
2748 }
2749 }
2750#else /* !KLIPS */
2751 DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() %s"
2752 , inbound_also? "inbound and oubound" : "outbound only"));
2753
2754 switch (could_route(st->st_connection))
2755 {
2756 case route_easy:
2757 case route_nearconflict:
2758 break;
2759
2760 default:
2761 return FALSE;
2762 }
2763
2764
2765#endif /* !KLIPS */
2766
2767 return TRUE;
2768}
2769
2770/* delete an IPSEC SA.
2771 * we may not succeed, but we bull ahead anyway because
2772 * we cannot do anything better by recognizing failure
2773 */
2774void
2775delete_ipsec_sa(struct state *st USED_BY_KLIPS, bool inbound_only USED_BY_KLIPS)
2776{
2777#ifdef KLIPS
2778 if (!inbound_only)
2779 {
2780 /* If the state is the eroute owner, we must adjust
2781 * the routing for the connection.
2782 */
2783 struct connection *c = st->st_connection;
2784 struct spd_route *sr;
2785
2786 passert(st->st_connection);
2787
2788 for (sr = &c->spd; sr; sr = sr->next)
2789 {
2790 if (sr->eroute_owner == st->st_serialno
2791 && sr->routing == RT_ROUTED_TUNNEL)
2792 {
2793 sr->eroute_owner = SOS_NOBODY;
2794
2795 /* Routing should become RT_ROUTED_FAILURE,
2796 * but if POLICY_FAIL_NONE, then we just go
2797 * right back to RT_ROUTED_PROSPECTIVE as if no
2798 * failure happened.
2799 */
2800 sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE
2801 ? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
2802
2803 (void) do_command(c, sr, "down");
2804 if ((c->policy & POLICY_DONT_REKEY)
2805 && c->kind == CK_INSTANCE)
2806 {
2807 /* in this special case, even if the connection
2808 * is still alive (due to an ISAKMP SA),
2809 * we get rid of routing.
2810 * Even though there is still an eroute, the c->routing
2811 * setting will convince unroute_connection to delete it.
2812 * unroute_connection would be upset if c->routing == RT_ROUTED_TUNNEL
2813 */
2814 unroute_connection(c);
2815 }
2816 else
2817 {
2818 (void) shunt_eroute(c, sr, sr->routing, ERO_REPLACE, "replace with shunt");
2819 }
2820 }
2821 }
2822 (void) teardown_half_ipsec_sa(st, FALSE);
2823 }
2824 (void) teardown_half_ipsec_sa(st, TRUE);
2825#else /* !KLIPS */
2826 DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()"));
2827#endif /* !KLIPS */
2828}
2829#ifdef NAT_TRAVERSAL
2830#ifdef KLIPS
2831static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
2832{
2833 struct connection *c = st->st_connection;
2834 char text_said[SATOT_BUF];
2835 struct kernel_sa sa;
2836 ip_address
2837 src = inbound? c->spd.that.host_addr : c->spd.this.host_addr,
2838 dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr;
2839
2840
2841 ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
2842
2843 u_int16_t
2844 natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port,
2845 natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
2846
2847 set_text_said(text_said, &dst, esp_spi, SA_ESP);
2848
2849 memset(&sa, 0, sizeof(sa));
2850 sa.spi = esp_spi;
2851 sa.src = &src;
2852 sa.dst = &dst;
2853 sa.text_said = text_said;
2854 sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth);
2855 sa.natt_sport = natt_sport;
2856 sa.natt_dport = natt_dport;
2857 sa.transid = st->st_esp.attrs.transid;
2858
2859 return kernel_ops->add_sa(&sa, TRUE);
2860
2861}
2862#endif
2863
2864bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
2865{
2866#ifdef KLIPS
2867 if (IS_IPSEC_SA_ESTABLISHED(st->st_state)) {
2868 if ((st->st_esp.present) && (
2869 (!update_nat_t_ipsec_esp_sa (st, TRUE)) ||
2870 (!update_nat_t_ipsec_esp_sa (st, FALSE)))) {
2871 return FALSE;
2872 }
2873 }
2874 else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state)) {
2875 if ((st->st_esp.present) && (!update_nat_t_ipsec_esp_sa (st, FALSE))) {
2876 return FALSE;
2877 }
2878 }
2879 else {
2880 DBG_log("assert failed at %s:%d st_state=%d", __FILE__, __LINE__,
2881 st->st_state);
2882 return FALSE;
2883 }
2884 return TRUE;
2885#else /* !KLIPS */
2886 DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()"));
2887 return TRUE;
2888#endif /* !KLIPS */
2889}
2890#endif
2891
2892/* Check if there was traffic on given SA during the last idle_max
2893 * seconds. If TRUE, the SA was idle and DPD exchange should be performed.
2894 * If FALSE, DPD is not necessary. We also return TRUE for errors, as they
2895 * could mean that the SA is broken and needs to be replace anyway.
2896 */
2897bool
2898was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
2899{
2900 static const char procname[] = "/proc/net/ipsec_spi";
2901 FILE *f;
2902 char buf[1024];
2903 u_int bytes;
2904 int ret = TRUE;
2905
2906 passert(st != NULL);
2907
2908 f = fopen(procname, "r");
2909 if (f == NULL)
2910 {
2911 /* Can't open the file, perhaps were are on 26sec? */
2912 time_t use_time;
2913
2914 if (get_sa_info(st, TRUE, &bytes, &use_time)
2915 && use_time != UNDEFINED_TIME)
2916 {
2917 *idle_time = time(NULL) - use_time;
2918 ret = *idle_time >= idle_max;
2919 }
2920 }
2921 else
2922 {
2923 while (f != NULL)
2924 {
2925 char *line;
2926 char text_said[SATOT_BUF];
2927 u_int8_t proto = 0;
2928 ip_address dst;
2929 ip_said said;
2930 ipsec_spi_t spi = 0;
2931 static const char idle[] = "idle=";
2932
2933 dst = st->st_connection->spd.this.host_addr; /* inbound SA */
2934 if (st->st_ah.present)
2935 {
2936 proto = SA_AH;
2937 spi = st->st_ah.our_spi;
2938 }
2939 if (st->st_esp.present)
2940 {
2941 proto = SA_ESP;
2942 spi = st->st_esp.our_spi;
2943 }
2944
2945 if (proto == 0 && spi == 0)
2946 {
2947 ret = TRUE;
2948 break;
2949 }
2950
2951 initsaid(&dst, spi, proto, &said);
2952 satot(&said, 'x', text_said, SATOT_BUF);
2953
2954 line = fgets(buf, sizeof(buf), f);
2955 if (line == NULL)
2956 {
2957 /* Reached end of list */
2958 ret = TRUE;
2959 break;
2960 }
2961
2962 if (strncmp(line, text_said, strlen(text_said)) == 0)
2963 {
2964 /* we found a match, now try to find idle= */
2965 char *p = strstr(line, idle);
2966
2967 if (p == NULL)
2968 {
2969 /* SAs which haven't been used yet don't have it */
2970 ret = TRUE; /* it didn't have traffic */
2971 break;
2972 }
2973 p += sizeof(idle)-1;
2974 if (*p == '\0')
2975 {
2976 ret = TRUE; /* be paranoid */
2977 break;
2978 }
2979 if (sscanf(p, "%d", (int *) idle_time) <= 0)
2980 {
2981 ret = TRUE;
2982 break;
2983 }
2984 if (*idle_time >= idle_max)
2985 {
2986 ret = TRUE;
2987 break;
2988 }
2989 else
2990 {
2991 ret = FALSE;
2992 break;
2993 }
2994 }
2995 }
2996 fclose(f);
2997 }
2998 return ret;
2999}
Unnamed repository; edit this file 'description' to name the repository.