ipsec status lists IPCOMP CPIs
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 *
19 * $Id$
20 */
21
22 #include <sys/types.h>
23 #include <sys/socket.h>
24 #include <sys/time.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <netinet/in.h>
30 #include <pthread.h>
31 #include <unistd.h>
32 #include <fcntl.h>
33 #include <errno.h>
34 #include <string.h>
35 #include <net/if.h>
36 #include <sys/ioctl.h>
37
38 #include "kernel_interface.h"
39
40 #include <daemon.h>
41 #include <utils/linked_list.h>
42 #include <processing/jobs/delete_child_sa_job.h>
43 #include <processing/jobs/rekey_child_sa_job.h>
44 #include <processing/jobs/acquire_job.h>
45 #include <processing/jobs/callback_job.h>
46 #include <processing/jobs/roam_job.h>
47
48 /** required for Linux 2.6.26 kernel and later */
49 #ifndef XFRM_STATE_AF_UNSPEC
50 #define XFRM_STATE_AF_UNSPEC 32
51 #endif
52
53 /** routing table for routes installed by us */
54 #ifndef IPSEC_ROUTING_TABLE
55 #define IPSEC_ROUTING_TABLE 100
56 #endif
57 #ifndef IPSEC_ROUTING_TABLE_PRIO
58 #define IPSEC_ROUTING_TABLE_PRIO 100
59 #endif
60
61 /** default priority of installed policies */
62 #define PRIO_LOW 3000
63 #define PRIO_HIGH 2000
64
65 /** delay before firing roam jobs (ms) */
66 #define ROAM_DELAY 100
67
68 #define BUFFER_SIZE 1024
69
70 /**
71 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
72 * 'usual' netlink data x like 'struct xfrm_usersa_info'
73 */
74 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
75 /**
76 * returns a pointer to the next rtattr following rta.
77 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
78 */
79 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
80 /**
81 * returns the total size of attached rta data
82 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
83 */
84 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
85
86 typedef struct kernel_algorithm_t kernel_algorithm_t;
87
88 /**
89 * Mapping from the algorithms defined in IKEv2 to
90 * kernel level algorithm names and their key length
91 */
92 struct kernel_algorithm_t {
93 /**
94 * Identifier specified in IKEv2
95 */
96 int ikev2_id;
97
98 /**
99 * Name of the algorithm, as used as kernel identifier
100 */
101 char *name;
102
103 /**
104 * Key length in bits, if fixed size
105 */
106 u_int key_size;
107 };
108
109 ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
110 "in",
111 "out",
112 "fwd"
113 );
114
115 #define END_OF_LIST -1
116
117 /**
118 * Algorithms for encryption
119 */
120 static kernel_algorithm_t encryption_algs[] = {
121 /* {ENCR_DES_IV64, "***", 0}, */
122 {ENCR_DES, "des", 64},
123 {ENCR_3DES, "des3_ede", 192},
124 /* {ENCR_RC5, "***", 0}, */
125 /* {ENCR_IDEA, "***", 0}, */
126 {ENCR_CAST, "cast128", 0},
127 {ENCR_BLOWFISH, "blowfish", 0},
128 /* {ENCR_3IDEA, "***", 0}, */
129 /* {ENCR_DES_IV32, "***", 0}, */
130 {ENCR_NULL, "cipher_null", 0},
131 {ENCR_AES_CBC, "aes", 0},
132 /* {ENCR_AES_CTR, "***", 0}, */
133 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))", 64}, /* key_size = ICV size */
134 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))", 96}, /* key_size = ICV size */
135 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))", 128}, /* key_size = ICV size */
136 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))", 64}, /* key_size = ICV size */
137 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))", 96}, /* key_size = ICV size */
138 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))", 128}, /* key_size = ICV size */
139 {END_OF_LIST, NULL, 0},
140 };
141
142 /**
143 * Algorithms for integrity protection
144 */
145 static kernel_algorithm_t integrity_algs[] = {
146 {AUTH_HMAC_MD5_96, "md5", 128},
147 {AUTH_HMAC_SHA1_96, "sha1", 160},
148 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
149 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
150 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
151 /* {AUTH_DES_MAC, "***", 0}, */
152 /* {AUTH_KPDK_MD5, "***", 0}, */
153 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
154 {END_OF_LIST, NULL, 0},
155 };
156
157 /**
158 * Algorithms for IPComp
159 */
160 static kernel_algorithm_t compression_algs[] = {
161 /* {IPCOMP_OUI, "***", 0}, */
162 {IPCOMP_DEFLATE, "deflate", 0},
163 {IPCOMP_LZS, "lzs", 0},
164 {IPCOMP_LZJH, "lzjh", 0},
165 {END_OF_LIST, NULL, 0},
166 };
167
168 /**
169 * Look up a kernel algorithm name and its key size
170 */
171 static char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
172 u_int16_t ikev2_algo, u_int16_t *key_size)
173 {
174 while (kernel_algo->ikev2_id != END_OF_LIST)
175 {
176 if (ikev2_algo == kernel_algo->ikev2_id)
177 {
178 /* match, evaluate key length */
179 if (key_size && *key_size == 0)
180 { /* update key size if not set */
181 *key_size = kernel_algo->key_size;
182 }
183 return kernel_algo->name;
184 }
185 kernel_algo++;
186 }
187 return NULL;
188 }
189
190 typedef struct route_entry_t route_entry_t;
191
192 /**
193 * installed routing entry
194 */
195 struct route_entry_t {
196
197 /** Index of the interface the route is bound to */
198 int if_index;
199
200 /** Source ip of the route */
201 host_t *src_ip;
202
203 /** gateway for this route */
204 host_t *gateway;
205
206 /** Destination net */
207 chunk_t dst_net;
208
209 /** Destination net prefixlen */
210 u_int8_t prefixlen;
211 };
212
213 /**
214 * destroy an route_entry_t object
215 */
216 static void route_entry_destroy(route_entry_t *this)
217 {
218 this->src_ip->destroy(this->src_ip);
219 this->gateway->destroy(this->gateway);
220 chunk_free(&this->dst_net);
221 free(this);
222 }
223
224 typedef struct policy_entry_t policy_entry_t;
225
226 /**
227 * installed kernel policy.
228 */
229 struct policy_entry_t {
230
231 /** direction of this policy: in, out, forward */
232 u_int8_t direction;
233
234 /** reqid of the policy */
235 u_int32_t reqid;
236
237 /** parameters of installed policy */
238 struct xfrm_selector sel;
239
240 /** associated route installed for this policy */
241 route_entry_t *route;
242
243 /** by how many CHILD_SA's this policy is used */
244 u_int refcount;
245 };
246
247 typedef struct addr_entry_t addr_entry_t;
248
249 /**
250 * IP address in an inface_entry_t
251 */
252 struct addr_entry_t {
253
254 /** The ip address */
255 host_t *ip;
256
257 /** virtual IP managed by us */
258 bool virtual;
259
260 /** scope of the address */
261 u_char scope;
262
263 /** Number of times this IP is used, if virtual */
264 u_int refcount;
265 };
266
267 /**
268 * destroy a addr_entry_t object
269 */
270 static void addr_entry_destroy(addr_entry_t *this)
271 {
272 this->ip->destroy(this->ip);
273 free(this);
274 }
275
276 typedef struct iface_entry_t iface_entry_t;
277
278 /**
279 * A network interface on this system, containing addr_entry_t's
280 */
281 struct iface_entry_t {
282
283 /** interface index */
284 int ifindex;
285
286 /** name of the interface */
287 char ifname[IFNAMSIZ];
288
289 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
290 u_int flags;
291
292 /** list of addresses as host_t */
293 linked_list_t *addrs;
294 };
295
296 /**
297 * destroy an interface entry
298 */
299 static void iface_entry_destroy(iface_entry_t *this)
300 {
301 this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
302 free(this);
303 }
304
305 typedef struct private_kernel_interface_t private_kernel_interface_t;
306
307 /**
308 * Private variables and functions of kernel_interface class.
309 */
310 struct private_kernel_interface_t {
311 /**
312 * Public part of the kernel_interface_t object.
313 */
314 kernel_interface_t public;
315
316 /**
317 * mutex to lock access to netlink socket
318 */
319 pthread_mutex_t nl_mutex;
320
321 /**
322 * mutex to lock access to various lists
323 */
324 pthread_mutex_t mutex;
325
326 /**
327 * condition variable to signal virtual IP add/removal
328 */
329 pthread_cond_t cond;
330
331 /**
332 * List of installed policies (policy_entry_t)
333 */
334 linked_list_t *policies;
335
336 /**
337 * Cached list of interfaces and its adresses (iface_entry_t)
338 */
339 linked_list_t *ifaces;
340
341 /**
342 * iterator used in hook()
343 */
344 iterator_t *hiter;
345
346 /**
347 * job receiving netlink events
348 */
349 callback_job_t *job;
350
351 /**
352 * current sequence number for netlink request
353 */
354 int seq;
355
356 /**
357 * Netlink xfrm socket (IPsec)
358 */
359 int socket_xfrm;
360
361 /**
362 * netlink xfrm socket to receive acquire and expire events
363 */
364 int socket_xfrm_events;
365
366 /**
367 * Netlink rt socket (routing)
368 */
369 int socket_rt;
370
371 /**
372 * Netlink rt socket to receive address change events
373 */
374 int socket_rt_events;
375
376 /**
377 * time of the last roam_job
378 */
379 struct timeval last_roam;
380
381 /**
382 * whether to install routes along policies
383 */
384 bool install_routes;
385
386 /**
387 * routing table to install routes
388 */
389 int routing_table;
390
391 /**
392 * priority of used routing table
393 */
394 int routing_table_prio;
395 };
396
397 /**
398 * convert a IKEv2 specific protocol identifier to the kernel one
399 */
400 static u_int8_t proto_ike2kernel(protocol_id_t proto)
401 {
402 switch (proto)
403 {
404 case PROTO_ESP:
405 return IPPROTO_ESP;
406 case PROTO_AH:
407 return IPPROTO_AH;
408 default:
409 return proto;
410 }
411 }
412
413 /**
414 * reverse of ike2kernel
415 */
416 static protocol_id_t proto_kernel2ike(u_int8_t proto)
417 {
418 switch (proto)
419 {
420 case IPPROTO_ESP:
421 return PROTO_ESP;
422 case IPPROTO_AH:
423 return PROTO_AH;
424 default:
425 return proto;
426 }
427 }
428
429 /**
430 * convert a host_t to a struct xfrm_address
431 */
432 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
433 {
434 chunk_t chunk = host->get_address(host);
435 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
436 }
437
438 /**
439 * convert a traffic selector address range to subnet and its mask.
440 */
441 static void ts2subnet(traffic_selector_t* ts,
442 xfrm_address_t *net, u_int8_t *mask)
443 {
444 /* there is no way to do this cleanly, as the address range may
445 * be anything else but a subnet. We use from_addr as subnet
446 * and try to calculate a usable subnet mask.
447 */
448 int byte, bit;
449 bool found = FALSE;
450 chunk_t from, to;
451 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
452
453 from = ts->get_from_address(ts);
454 to = ts->get_to_address(ts);
455
456 *mask = (size * 8);
457 /* go trough all bits of the addresses, beginning in the front.
458 * as long as they are equal, the subnet gets larger
459 */
460 for (byte = 0; byte < size; byte++)
461 {
462 for (bit = 7; bit >= 0; bit--)
463 {
464 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
465 {
466 *mask = ((7 - bit) + (byte * 8));
467 found = TRUE;
468 break;
469 }
470 }
471 if (found)
472 {
473 break;
474 }
475 }
476 memcpy(net, from.ptr, from.len);
477 chunk_free(&from);
478 chunk_free(&to);
479 }
480
481 /**
482 * convert a traffic selector port range to port/portmask
483 */
484 static void ts2ports(traffic_selector_t* ts,
485 u_int16_t *port, u_int16_t *mask)
486 {
487 /* linux does not seem to accept complex portmasks. Only
488 * any or a specific port is allowed. We set to any, if we have
489 * a port range, or to a specific, if we have one port only.
490 */
491 u_int16_t from, to;
492
493 from = ts->get_from_port(ts);
494 to = ts->get_to_port(ts);
495
496 if (from == to)
497 {
498 *port = htons(from);
499 *mask = ~0;
500 }
501 else
502 {
503 *port = 0;
504 *mask = 0;
505 }
506 }
507
508 /**
509 * convert a pair of traffic_selectors to a xfrm_selector
510 */
511 static struct xfrm_selector ts2selector(traffic_selector_t *src,
512 traffic_selector_t *dst)
513 {
514 struct xfrm_selector sel;
515
516 memset(&sel, 0, sizeof(sel));
517 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
518 /* src or dest proto may be "any" (0), use more restrictive one */
519 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
520 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
521 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
522 ts2ports(dst, &sel.dport, &sel.dport_mask);
523 ts2ports(src, &sel.sport, &sel.sport_mask);
524 sel.ifindex = 0;
525 sel.user = 0;
526
527 return sel;
528 }
529
530 /**
531 * Creates an rtattr and adds it to the netlink message
532 */
533 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
534 size_t buflen)
535 {
536 struct rtattr *rta;
537
538 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
539 {
540 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
541 return;
542 }
543
544 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
545 rta->rta_type = rta_type;
546 rta->rta_len = RTA_LENGTH(data.len);
547 memcpy(RTA_DATA(rta), data.ptr, data.len);
548 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
549 }
550
551 /**
552 * process a XFRM_MSG_ACQUIRE from kernel
553 */
554 static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
555 {
556 u_int32_t reqid = 0;
557 int proto = 0;
558 job_t *job;
559 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
560 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
561
562 if (RTA_OK(rtattr, rtsize))
563 {
564 if (rtattr->rta_type == XFRMA_TMPL)
565 {
566 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
567 reqid = tmpl->reqid;
568 proto = tmpl->id.proto;
569 }
570 }
571 switch (proto)
572 {
573 case 0:
574 case IPPROTO_ESP:
575 case IPPROTO_AH:
576 break;
577 default:
578 /* acquire for AH/ESP only, not for IPCOMP */
579 return;
580 }
581 if (reqid == 0)
582 {
583 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
584 return;
585 }
586 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
587 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
588 job = (job_t*)acquire_job_create(reqid);
589 charon->processor->queue_job(charon->processor, job);
590 }
591
592 /**
593 * process a XFRM_MSG_EXPIRE from kernel
594 */
595 static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
596 {
597 job_t *job;
598 protocol_id_t protocol;
599 u_int32_t spi, reqid;
600 struct xfrm_user_expire *expire;
601
602 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
603 protocol = proto_kernel2ike(expire->state.id.proto);
604 spi = expire->state.id.spi;
605 reqid = expire->state.reqid;
606
607 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
608
609 if (protocol != PROTO_ESP && protocol != PROTO_AH)
610 {
611 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%d} "
612 "which is not a CHILD_SA", ntohl(spi), reqid);
613 return;
614 }
615
616 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
617 expire->hard ? "delete" : "rekey", protocol_id_names,
618 protocol, ntohl(spi), reqid);
619 if (expire->hard)
620 {
621 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
622 }
623 else
624 {
625 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
626 }
627 charon->processor->queue_job(charon->processor, job);
628 }
629
630 /**
631 * start a roaming job. We delay it for a second and fire only one job
632 * for multiple events. Otherwise we would create two many jobs.
633 */
634 static void fire_roam_job(private_kernel_interface_t *this, bool address)
635 {
636 struct timeval now;
637
638 if (gettimeofday(&now, NULL) == 0)
639 {
640 if (timercmp(&now, &this->last_roam, >))
641 {
642 now.tv_usec += ROAM_DELAY * 1000;
643 while (now.tv_usec > 1000000)
644 {
645 now.tv_sec++;
646 now.tv_usec -= 1000000;
647 }
648 this->last_roam = now;
649 charon->scheduler->schedule_job(charon->scheduler,
650 (job_t*)roam_job_create(address), ROAM_DELAY);
651 }
652 }
653 }
654
655 /**
656 * process RTM_NEWLINK/RTM_DELLINK from kernel
657 */
658 static void process_link(private_kernel_interface_t *this,
659 struct nlmsghdr *hdr, bool event)
660 {
661 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
662 struct rtattr *rta = IFLA_RTA(msg);
663 size_t rtasize = IFLA_PAYLOAD (hdr);
664 iterator_t *iterator;
665 iface_entry_t *current, *entry = NULL;
666 char *name = NULL;
667 bool update = FALSE;
668
669 while(RTA_OK(rta, rtasize))
670 {
671 switch (rta->rta_type)
672 {
673 case IFLA_IFNAME:
674 name = RTA_DATA(rta);
675 break;
676 }
677 rta = RTA_NEXT(rta, rtasize);
678 }
679 if (!name)
680 {
681 name = "(unknown)";
682 }
683
684 switch (hdr->nlmsg_type)
685 {
686 case RTM_NEWLINK:
687 {
688 if (msg->ifi_flags & IFF_LOOPBACK)
689 { /* ignore loopback interfaces */
690 break;
691 }
692 iterator = this->ifaces->create_iterator_locked(this->ifaces,
693 &this->mutex);
694 while (iterator->iterate(iterator, (void**)&current))
695 {
696 if (current->ifindex == msg->ifi_index)
697 {
698 entry = current;
699 break;
700 }
701 }
702 if (!entry)
703 {
704 entry = malloc_thing(iface_entry_t);
705 entry->ifindex = msg->ifi_index;
706 entry->flags = 0;
707 entry->addrs = linked_list_create();
708 this->ifaces->insert_last(this->ifaces, entry);
709 }
710 memcpy(entry->ifname, name, IFNAMSIZ);
711 entry->ifname[IFNAMSIZ-1] = '\0';
712 if (event)
713 {
714 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
715 {
716 update = TRUE;
717 DBG1(DBG_KNL, "interface %s activated", name);
718 }
719 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
720 {
721 update = TRUE;
722 DBG1(DBG_KNL, "interface %s deactivated", name);
723 }
724 }
725 entry->flags = msg->ifi_flags;
726 iterator->destroy(iterator);
727 break;
728 }
729 case RTM_DELLINK:
730 {
731 iterator = this->ifaces->create_iterator_locked(this->ifaces,
732 &this->mutex);
733 while (iterator->iterate(iterator, (void**)&current))
734 {
735 if (current->ifindex == msg->ifi_index)
736 {
737 /* we do not remove it, as an address may be added to a
738 * "down" interface and we wan't to know that. */
739 current->flags = msg->ifi_flags;
740 break;
741 }
742 }
743 iterator->destroy(iterator);
744 break;
745 }
746 }
747
748 /* send an update to all IKE_SAs */
749 if (update && event)
750 {
751 fire_roam_job(this, TRUE);
752 }
753 }
754
755 /**
756 * process RTM_NEWADDR/RTM_DELADDR from kernel
757 */
758 static void process_addr(private_kernel_interface_t *this,
759 struct nlmsghdr *hdr, bool event)
760 {
761 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
762 struct rtattr *rta = IFA_RTA(msg);
763 size_t rtasize = IFA_PAYLOAD (hdr);
764 host_t *host = NULL;
765 iterator_t *ifaces, *addrs;
766 iface_entry_t *iface;
767 addr_entry_t *addr;
768 chunk_t local = chunk_empty, address = chunk_empty;
769 bool update = FALSE, found = FALSE, changed = FALSE;
770
771 while(RTA_OK(rta, rtasize))
772 {
773 switch (rta->rta_type)
774 {
775 case IFA_LOCAL:
776 local.ptr = RTA_DATA(rta);
777 local.len = RTA_PAYLOAD(rta);
778 break;
779 case IFA_ADDRESS:
780 address.ptr = RTA_DATA(rta);
781 address.len = RTA_PAYLOAD(rta);
782 break;
783 }
784 rta = RTA_NEXT(rta, rtasize);
785 }
786
787 /* For PPP interfaces, we need the IFA_LOCAL address,
788 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
789 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
790 if (local.ptr)
791 {
792 host = host_create_from_chunk(msg->ifa_family, local, 0);
793 }
794 else if (address.ptr)
795 {
796 host = host_create_from_chunk(msg->ifa_family, address, 0);
797 }
798
799 if (host == NULL)
800 { /* bad family? */
801 return;
802 }
803
804 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
805 while (ifaces->iterate(ifaces, (void**)&iface))
806 {
807 if (iface->ifindex == msg->ifa_index)
808 {
809 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
810 while (addrs->iterate(addrs, (void**)&addr))
811 {
812 if (host->ip_equals(host, addr->ip))
813 {
814 found = TRUE;
815 if (hdr->nlmsg_type == RTM_DELADDR)
816 {
817 changed = TRUE;
818 addrs->remove(addrs);
819 if (!addr->virtual)
820 {
821 DBG1(DBG_KNL, "%H disappeared from %s",
822 host, iface->ifname);
823 }
824 addr_entry_destroy(addr);
825 }
826 else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
827 {
828 addr->refcount = 1;
829 }
830 }
831 }
832 addrs->destroy(addrs);
833
834 if (hdr->nlmsg_type == RTM_NEWADDR)
835 {
836 if (!found)
837 {
838 found = TRUE;
839 changed = TRUE;
840 addr = malloc_thing(addr_entry_t);
841 addr->ip = host->clone(host);
842 addr->virtual = FALSE;
843 addr->refcount = 1;
844 addr->scope = msg->ifa_scope;
845
846 iface->addrs->insert_last(iface->addrs, addr);
847 if (event)
848 {
849 DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
850 }
851 }
852 }
853 if (found && (iface->flags & IFF_UP))
854 {
855 update = TRUE;
856 }
857 break;
858 }
859 }
860 ifaces->destroy(ifaces);
861 host->destroy(host);
862
863 /* send an update to all IKE_SAs */
864 if (update && event && changed)
865 {
866 fire_roam_job(this, TRUE);
867 }
868 }
869
870 /**
871 * Receives events from kernel
872 */
873 static job_requeue_t receive_events(private_kernel_interface_t *this)
874 {
875 char response[1024];
876 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
877 struct sockaddr_nl addr;
878 socklen_t addr_len = sizeof(addr);
879 int len, oldstate, maxfd, selected;
880 fd_set rfds;
881
882 FD_ZERO(&rfds);
883 FD_SET(this->socket_xfrm_events, &rfds);
884 FD_SET(this->socket_rt_events, &rfds);
885 maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
886
887 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
888 selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
889 pthread_setcancelstate(oldstate, NULL);
890 if (selected <= 0)
891 {
892 DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
893 return JOB_REQUEUE_FAIR;
894 }
895 if (FD_ISSET(this->socket_xfrm_events, &rfds))
896 {
897 selected = this->socket_xfrm_events;
898 }
899 else if (FD_ISSET(this->socket_rt_events, &rfds))
900 {
901 selected = this->socket_rt_events;
902 }
903 else
904 {
905 return JOB_REQUEUE_DIRECT;
906 }
907
908 len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
909 (struct sockaddr*)&addr, &addr_len);
910 if (len < 0)
911 {
912 switch (errno)
913 {
914 case EINTR:
915 /* interrupted, try again */
916 return JOB_REQUEUE_DIRECT;
917 case EAGAIN:
918 /* no data ready, select again */
919 return JOB_REQUEUE_DIRECT;
920 default:
921 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
922 sleep(1);
923 return JOB_REQUEUE_FAIR;
924 }
925 }
926 if (addr.nl_pid != 0)
927 { /* not from kernel. not interested, try another one */
928 return JOB_REQUEUE_DIRECT;
929 }
930
931 while (NLMSG_OK(hdr, len))
932 {
933 /* looks good so far, dispatch netlink message */
934 if (selected == this->socket_xfrm_events)
935 {
936 switch (hdr->nlmsg_type)
937 {
938 case XFRM_MSG_ACQUIRE:
939 process_acquire(this, hdr);
940 break;
941 case XFRM_MSG_EXPIRE:
942 process_expire(this, hdr);
943 break;
944 default:
945 break;
946 }
947 }
948 else if (selected == this->socket_rt_events)
949 {
950 switch (hdr->nlmsg_type)
951 {
952 case RTM_NEWADDR:
953 case RTM_DELADDR:
954 process_addr(this, hdr, TRUE);
955 pthread_cond_signal(&this->cond);
956 break;
957 case RTM_NEWLINK:
958 case RTM_DELLINK:
959 process_link(this, hdr, TRUE);
960 pthread_cond_signal(&this->cond);
961 break;
962 case RTM_NEWROUTE:
963 case RTM_DELROUTE:
964 fire_roam_job(this, FALSE);
965 break;
966 default:
967 break;
968 }
969 }
970 hdr = NLMSG_NEXT(hdr, len);
971 }
972 return JOB_REQUEUE_DIRECT;
973 }
974
975 /**
976 * send a netlink message and wait for a reply
977 */
978 static status_t netlink_send(private_kernel_interface_t *this,
979 int socket, struct nlmsghdr *in,
980 struct nlmsghdr **out, size_t *out_len)
981 {
982 int len, addr_len;
983 struct sockaddr_nl addr;
984 chunk_t result = chunk_empty, tmp;
985 struct nlmsghdr *msg, peek;
986
987 pthread_mutex_lock(&this->nl_mutex);
988
989 in->nlmsg_seq = ++this->seq;
990 in->nlmsg_pid = getpid();
991
992 memset(&addr, 0, sizeof(addr));
993 addr.nl_family = AF_NETLINK;
994 addr.nl_pid = 0;
995 addr.nl_groups = 0;
996
997 while (TRUE)
998 {
999 len = sendto(socket, in, in->nlmsg_len, 0,
1000 (struct sockaddr*)&addr, sizeof(addr));
1001
1002 if (len != in->nlmsg_len)
1003 {
1004 if (errno == EINTR)
1005 {
1006 /* interrupted, try again */
1007 continue;
1008 }
1009 pthread_mutex_unlock(&this->nl_mutex);
1010 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
1011 return FAILED;
1012 }
1013 break;
1014 }
1015
1016 while (TRUE)
1017 {
1018 char buf[4096];
1019 tmp.len = sizeof(buf);
1020 tmp.ptr = buf;
1021 msg = (struct nlmsghdr*)tmp.ptr;
1022
1023 memset(&addr, 0, sizeof(addr));
1024 addr.nl_family = AF_NETLINK;
1025 addr.nl_pid = getpid();
1026 addr.nl_groups = 0;
1027 addr_len = sizeof(addr);
1028
1029 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
1030 (struct sockaddr*)&addr, &addr_len);
1031
1032 if (len < 0)
1033 {
1034 if (errno == EINTR)
1035 {
1036 DBG1(DBG_KNL, "got interrupted");
1037 /* interrupted, try again */
1038 continue;
1039 }
1040 DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
1041 pthread_mutex_unlock(&this->nl_mutex);
1042 return FAILED;
1043 }
1044 if (!NLMSG_OK(msg, len))
1045 {
1046 DBG1(DBG_KNL, "received corrupted netlink message");
1047 pthread_mutex_unlock(&this->nl_mutex);
1048 return FAILED;
1049 }
1050 if (msg->nlmsg_seq != this->seq)
1051 {
1052 DBG1(DBG_KNL, "received invalid netlink sequence number");
1053 if (msg->nlmsg_seq < this->seq)
1054 {
1055 continue;
1056 }
1057 pthread_mutex_unlock(&this->nl_mutex);
1058 return FAILED;
1059 }
1060
1061 tmp.len = len;
1062 result = chunk_cata("cc", result, tmp);
1063
1064 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
1065 * numbers to detect multi header messages */
1066 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
1067 (struct sockaddr*)&addr, &addr_len);
1068
1069 if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
1070 {
1071 /* seems to be multipart */
1072 continue;
1073 }
1074 break;
1075 }
1076
1077 *out_len = result.len;
1078 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
1079
1080 pthread_mutex_unlock(&this->nl_mutex);
1081
1082 return SUCCESS;
1083 }
1084
1085 /**
1086 * send a netlink message and wait for its acknowlegde
1087 */
1088 static status_t netlink_send_ack(private_kernel_interface_t *this,
1089 int socket, struct nlmsghdr *in)
1090 {
1091 struct nlmsghdr *out, *hdr;
1092 size_t len;
1093
1094 if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
1095 {
1096 return FAILED;
1097 }
1098 hdr = out;
1099 while (NLMSG_OK(hdr, len))
1100 {
1101 switch (hdr->nlmsg_type)
1102 {
1103 case NLMSG_ERROR:
1104 {
1105 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
1106
1107 if (err->error)
1108 {
1109 if (-err->error == EEXIST)
1110 { /* do not report existing routes */
1111 free(out);
1112 return ALREADY_DONE;
1113 }
1114 DBG1(DBG_KNL, "received netlink error: %s (%d)",
1115 strerror(-err->error), -err->error);
1116 free(out);
1117 return FAILED;
1118 }
1119 free(out);
1120 return SUCCESS;
1121 }
1122 default:
1123 hdr = NLMSG_NEXT(hdr, len);
1124 continue;
1125 case NLMSG_DONE:
1126 break;
1127 }
1128 break;
1129 }
1130 DBG1(DBG_KNL, "netlink request not acknowlegded");
1131 free(out);
1132 return FAILED;
1133 }
1134
1135 /**
1136 * Initialize a list of local addresses.
1137 */
1138 static status_t init_address_list(private_kernel_interface_t *this)
1139 {
1140 char request[BUFFER_SIZE];
1141 struct nlmsghdr *out, *current, *in;
1142 struct rtgenmsg *msg;
1143 size_t len;
1144 iterator_t *ifaces, *addrs;
1145 iface_entry_t *iface;
1146 addr_entry_t *addr;
1147
1148 DBG1(DBG_KNL, "listening on interfaces:");
1149
1150 memset(&request, 0, sizeof(request));
1151
1152 in = (struct nlmsghdr*)&request;
1153 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
1154 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
1155 msg = (struct rtgenmsg*)NLMSG_DATA(in);
1156 msg->rtgen_family = AF_UNSPEC;
1157
1158 /* get all links */
1159 in->nlmsg_type = RTM_GETLINK;
1160 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1161 {
1162 return FAILED;
1163 }
1164 current = out;
1165 while (NLMSG_OK(current, len))
1166 {
1167 switch (current->nlmsg_type)
1168 {
1169 case NLMSG_DONE:
1170 break;
1171 case RTM_NEWLINK:
1172 process_link(this, current, FALSE);
1173 /* fall through */
1174 default:
1175 current = NLMSG_NEXT(current, len);
1176 continue;
1177 }
1178 break;
1179 }
1180 free(out);
1181
1182 /* get all interface addresses */
1183 in->nlmsg_type = RTM_GETADDR;
1184 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1185 {
1186 return FAILED;
1187 }
1188 current = out;
1189 while (NLMSG_OK(current, len))
1190 {
1191 switch (current->nlmsg_type)
1192 {
1193 case NLMSG_DONE:
1194 break;
1195 case RTM_NEWADDR:
1196 process_addr(this, current, FALSE);
1197 /* fall through */
1198 default:
1199 current = NLMSG_NEXT(current, len);
1200 continue;
1201 }
1202 break;
1203 }
1204 free(out);
1205
1206 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1207 while (ifaces->iterate(ifaces, (void**)&iface))
1208 {
1209 if (iface->flags & IFF_UP)
1210 {
1211 DBG1(DBG_KNL, " %s", iface->ifname);
1212 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1213 while (addrs->iterate(addrs, (void**)&addr))
1214 {
1215 DBG1(DBG_KNL, " %H", addr->ip);
1216 }
1217 addrs->destroy(addrs);
1218 }
1219 }
1220 ifaces->destroy(ifaces);
1221 return SUCCESS;
1222 }
1223
1224 /**
1225 * iterator hook to iterate over addrs
1226 */
1227 static hook_result_t addr_hook(private_kernel_interface_t *this,
1228 addr_entry_t *in, host_t **out)
1229 {
1230 if (in->virtual)
1231 { /* skip virtual interfaces added by us */
1232 return HOOK_SKIP;
1233 }
1234 if (in->scope >= RT_SCOPE_LINK)
1235 { /* skip addresses with a unusable scope */
1236 return HOOK_SKIP;
1237 }
1238 *out = in->ip;
1239 return HOOK_NEXT;
1240 }
1241
1242 /**
1243 * iterator hook to iterate over ifaces
1244 */
1245 static hook_result_t iface_hook(private_kernel_interface_t *this,
1246 iface_entry_t *in, host_t **out)
1247 {
1248 if (!(in->flags & IFF_UP))
1249 { /* skip interfaces not up */
1250 return HOOK_SKIP;
1251 }
1252
1253 if (this->hiter == NULL)
1254 {
1255 this->hiter = in->addrs->create_iterator(in->addrs, TRUE);
1256 this->hiter->set_iterator_hook(this->hiter,
1257 (iterator_hook_t*)addr_hook, this);
1258 }
1259 while (this->hiter->iterate(this->hiter, (void**)out))
1260 {
1261 return HOOK_AGAIN;
1262 }
1263 this->hiter->destroy(this->hiter);
1264 this->hiter = NULL;
1265 return HOOK_SKIP;
1266 }
1267
1268 /**
1269 * Implements kernel_interface_t.create_address_iterator.
1270 */
1271 static iterator_t *create_address_iterator(private_kernel_interface_t *this)
1272 {
1273 iterator_t *iterator;
1274
1275 /* This iterator is not only hooked, is is double-hooked. As we have stored
1276 * our addresses in iface_entry->addr_entry->ip, we need to iterate the
1277 * entries in each interface we iterate. This does the iface_hook. The
1278 * addr_hook returns the ip instead of the addr_entry. */
1279
1280 iterator = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1281 iterator->set_iterator_hook(iterator, (iterator_hook_t*)iface_hook, this);
1282 return iterator;
1283 }
1284
1285 /**
1286 * implementation of kernel_interface_t.get_interface_name
1287 */
1288 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
1289 {
1290 iterator_t *ifaces, *addrs;
1291 iface_entry_t *iface;
1292 addr_entry_t *addr;
1293 char *name = NULL;
1294
1295 DBG2(DBG_KNL, "getting interface name for %H", ip);
1296
1297 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1298 while (ifaces->iterate(ifaces, (void**)&iface))
1299 {
1300 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1301 while (addrs->iterate(addrs, (void**)&addr))
1302 {
1303 if (ip->ip_equals(ip, addr->ip))
1304 {
1305 name = strdup(iface->ifname);
1306 break;
1307 }
1308 }
1309 addrs->destroy(addrs);
1310 if (name)
1311 {
1312 break;
1313 }
1314 }
1315 ifaces->destroy(ifaces);
1316
1317 if (name)
1318 {
1319 DBG2(DBG_KNL, "%H is on interface %s", ip, name);
1320 }
1321 else
1322 {
1323 DBG2(DBG_KNL, "%H is not a local address", ip);
1324 }
1325 return name;
1326 }
1327
1328 /**
1329 * Tries to find an ip address of a local interface that is included in the
1330 * supplied traffic selector.
1331 */
1332 static status_t get_address_by_ts(private_kernel_interface_t *this,
1333 traffic_selector_t *ts, host_t **ip)
1334 {
1335 iterator_t *ifaces, *addrs;
1336 iface_entry_t *iface;
1337 addr_entry_t *addr;
1338 host_t *host;
1339 int family;
1340 bool found = FALSE;
1341
1342 DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
1343
1344 /* if we have a family which includes localhost, we do not
1345 * search for an IP, we use the default */
1346 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1347
1348 if (family == AF_INET)
1349 {
1350 host = host_create_from_string("127.0.0.1", 0);
1351 }
1352 else
1353 {
1354 host = host_create_from_string("::1", 0);
1355 }
1356
1357 if (ts->includes(ts, host))
1358 {
1359 *ip = host_create_any(family);
1360 host->destroy(host);
1361 DBG2(DBG_KNL, "using host %H", *ip);
1362 return SUCCESS;
1363 }
1364 host->destroy(host);
1365
1366 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1367 while (ifaces->iterate(ifaces, (void**)&iface))
1368 {
1369 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1370 while (addrs->iterate(addrs, (void**)&addr))
1371 {
1372 if (ts->includes(ts, addr->ip))
1373 {
1374 found = TRUE;
1375 *ip = addr->ip->clone(addr->ip);
1376 break;
1377 }
1378 }
1379 addrs->destroy(addrs);
1380 if (found)
1381 {
1382 break;
1383 }
1384 }
1385 ifaces->destroy(ifaces);
1386
1387 if (!found)
1388 {
1389 DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
1390 return FAILED;
1391 }
1392 DBG2(DBG_KNL, "using host %H", *ip);
1393 return SUCCESS;
1394 }
1395
1396 /**
1397 * get the interface of a local address
1398 */
1399 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
1400 {
1401 iterator_t *ifaces, *addrs;
1402 iface_entry_t *iface;
1403 addr_entry_t *addr;
1404 int ifindex = 0;
1405
1406 DBG2(DBG_KNL, "getting iface for %H", ip);
1407
1408 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1409 while (ifaces->iterate(ifaces, (void**)&iface))
1410 {
1411 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1412 while (addrs->iterate(addrs, (void**)&addr))
1413 {
1414 if (ip->ip_equals(ip, addr->ip))
1415 {
1416 ifindex = iface->ifindex;
1417 break;
1418 }
1419 }
1420 addrs->destroy(addrs);
1421 if (ifindex)
1422 {
1423 break;
1424 }
1425 }
1426 ifaces->destroy(ifaces);
1427
1428 if (ifindex == 0)
1429 {
1430 DBG1(DBG_KNL, "unable to get interface for %H", ip);
1431 }
1432 return ifindex;
1433 }
1434
1435 /**
1436 * get the refcount of a virtual ip
1437 */
1438 static int get_vip_refcount(private_kernel_interface_t *this, host_t* ip)
1439 {
1440 iterator_t *ifaces, *addrs;
1441 iface_entry_t *iface;
1442 addr_entry_t *addr;
1443 int refcount = 0;
1444
1445 ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
1446 while (ifaces->iterate(ifaces, (void**)&iface))
1447 {
1448 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1449 while (addrs->iterate(addrs, (void**)&addr))
1450 {
1451 if (addr->virtual && (iface->flags & IFF_UP) &&
1452 ip->ip_equals(ip, addr->ip))
1453 {
1454 refcount = addr->refcount;
1455 break;
1456 }
1457 }
1458 addrs->destroy(addrs);
1459 if (refcount)
1460 {
1461 break;
1462 }
1463 }
1464 ifaces->destroy(ifaces);
1465
1466 return refcount;
1467 }
1468
1469 /**
1470 * Manages the creation and deletion of ip addresses on an interface.
1471 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1472 */
1473 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1474 int flags, int if_index, host_t *ip)
1475 {
1476 unsigned char request[BUFFER_SIZE];
1477 struct nlmsghdr *hdr;
1478 struct ifaddrmsg *msg;
1479 chunk_t chunk;
1480
1481 memset(&request, 0, sizeof(request));
1482
1483 chunk = ip->get_address(ip);
1484
1485 hdr = (struct nlmsghdr*)request;
1486 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1487 hdr->nlmsg_type = nlmsg_type;
1488 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1489
1490 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1491 msg->ifa_family = ip->get_family(ip);
1492 msg->ifa_flags = 0;
1493 msg->ifa_prefixlen = 8 * chunk.len;
1494 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1495 msg->ifa_index = if_index;
1496
1497 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1498
1499 return netlink_send_ack(this, this->socket_rt, hdr);
1500 }
1501
1502 /**
1503 * Manages source routes in the routing table.
1504 * By setting the appropriate nlmsg_type, the route added or r.
1505 */
1506 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
1507 int flags, route_entry_t *route)
1508 {
1509 unsigned char request[BUFFER_SIZE];
1510 struct nlmsghdr *hdr;
1511 struct rtmsg *msg;
1512 chunk_t chunk;
1513
1514 /* if route is 0.0.0.0/0, we can't install it, as it would
1515 * overwrite the default route. Instead, we add two routes:
1516 * 0.0.0.0/1 and 128.0.0.0/1 */
1517 if (this->routing_table == 0 && route->prefixlen == 0)
1518 {
1519 route_entry_t half;
1520 status_t status;
1521
1522 half.dst_net = chunk_alloca(route->dst_net.len);
1523 memset(half.dst_net.ptr, 0, half.dst_net.len);
1524 half.src_ip = route->src_ip;
1525 half.gateway = route->gateway;
1526 half.if_index = route->if_index;
1527 half.prefixlen = 1;
1528
1529 status = manage_srcroute(this, nlmsg_type, flags, &half);
1530 half.dst_net.ptr[0] |= 0x80;
1531 status = manage_srcroute(this, nlmsg_type, flags, &half);
1532 return status;
1533 }
1534
1535 memset(&request, 0, sizeof(request));
1536
1537 hdr = (struct nlmsghdr*)request;
1538 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1539 hdr->nlmsg_type = nlmsg_type;
1540 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1541
1542 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1543 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1544 msg->rtm_dst_len = route->prefixlen;
1545 msg->rtm_table = this->routing_table;
1546 msg->rtm_protocol = RTPROT_STATIC;
1547 msg->rtm_type = RTN_UNICAST;
1548 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1549
1550 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1551 chunk = route->src_ip->get_address(route->src_ip);
1552 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1553 chunk = route->gateway->get_address(route->gateway);
1554 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1555 chunk.ptr = (char*)&route->if_index;
1556 chunk.len = sizeof(route->if_index);
1557 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1558
1559 return netlink_send_ack(this, this->socket_rt, hdr);
1560 }
1561
1562 /**
1563 * create or delete an rule to use our routing table
1564 */
1565 static status_t manage_rule(private_kernel_interface_t *this, int nlmsg_type,
1566 u_int32_t table, u_int32_t prio)
1567 {
1568 unsigned char request[BUFFER_SIZE];
1569 struct nlmsghdr *hdr;
1570 struct rtmsg *msg;
1571 chunk_t chunk;
1572
1573 memset(&request, 0, sizeof(request));
1574 hdr = (struct nlmsghdr*)request;
1575 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1576 hdr->nlmsg_type = nlmsg_type;
1577 if (nlmsg_type == RTM_NEWRULE)
1578 {
1579 hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
1580 }
1581 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1582
1583 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1584 msg->rtm_table = table;
1585 msg->rtm_family = AF_INET;
1586 msg->rtm_protocol = RTPROT_BOOT;
1587 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1588 msg->rtm_type = RTN_UNICAST;
1589
1590 chunk = chunk_from_thing(prio);
1591 add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
1592
1593 return netlink_send_ack(this, this->socket_rt, hdr);
1594 }
1595
1596 /**
1597 * check if an address (chunk) addr is in subnet (net with net_len net bits)
1598 */
1599 static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
1600 {
1601 int bit, byte;
1602
1603 if (addr.len != net.len)
1604 {
1605 return FALSE;
1606 }
1607 /* scan through all bits, beginning in the front */
1608 for (byte = 0; byte < addr.len; byte++)
1609 {
1610 for (bit = 7; bit >= 0; bit--)
1611 {
1612 /* check if bits are equal (or we reached the end of the net) */
1613 if (bit + byte * 8 > net_len)
1614 {
1615 return TRUE;
1616 }
1617 if (((1<<bit) & addr.ptr[byte]) != ((1<<bit) & net.ptr[byte]))
1618 {
1619 return FALSE;
1620 }
1621 }
1622 }
1623 return TRUE;
1624 }
1625
1626 /**
1627 * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
1628 */
1629 static host_t *get_route(private_kernel_interface_t *this, host_t *dest,
1630 bool nexthop)
1631 {
1632 unsigned char request[BUFFER_SIZE];
1633 struct nlmsghdr *hdr, *out, *current;
1634 struct rtmsg *msg;
1635 chunk_t chunk;
1636 size_t len;
1637 int best = -1;
1638 host_t *src = NULL, *gtw = NULL;
1639
1640 DBG2(DBG_KNL, "getting address to reach %H", dest);
1641
1642 memset(&request, 0, sizeof(request));
1643
1644 hdr = (struct nlmsghdr*)request;
1645 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP | NLM_F_ROOT;
1646 hdr->nlmsg_type = RTM_GETROUTE;
1647 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1648
1649 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1650 msg->rtm_family = dest->get_family(dest);
1651
1652 chunk = dest->get_address(dest);
1653 add_attribute(hdr, RTA_DST, chunk, sizeof(request));
1654
1655 if (netlink_send(this, this->socket_rt, hdr, &out, &len) != SUCCESS)
1656 {
1657 DBG1(DBG_KNL, "getting address to %H failed", dest);
1658 return NULL;
1659 }
1660 current = out;
1661 while (NLMSG_OK(current, len))
1662 {
1663 switch (current->nlmsg_type)
1664 {
1665 case NLMSG_DONE:
1666 break;
1667 case RTM_NEWROUTE:
1668 {
1669 struct rtattr *rta;
1670 size_t rtasize;
1671 chunk_t rta_gtw, rta_src, rta_dst;
1672 u_int32_t rta_oif = 0;
1673
1674 rta_gtw = rta_src = rta_dst = chunk_empty;
1675 msg = (struct rtmsg*)(NLMSG_DATA(current));
1676 rta = RTM_RTA(msg);
1677 rtasize = RTM_PAYLOAD(current);
1678 while (RTA_OK(rta, rtasize))
1679 {
1680 switch (rta->rta_type)
1681 {
1682 case RTA_PREFSRC:
1683 rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1684 break;
1685 case RTA_GATEWAY:
1686 rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1687 break;
1688 case RTA_DST:
1689 rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1690 break;
1691 case RTA_OIF:
1692 if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
1693 {
1694 rta_oif = *(u_int32_t*)RTA_DATA(rta);
1695 }
1696 break;
1697 }
1698 rta = RTA_NEXT(rta, rtasize);
1699 }
1700
1701 /* apply the route if:
1702 * - it is not from our own ipsec routing table
1703 * - is better than a previous one
1704 * - is the default route or
1705 * - its destination net contains our destination
1706 */
1707 if ((this->routing_table == 0 ||msg->rtm_table != this->routing_table)
1708 && msg->rtm_dst_len > best
1709 && (msg->rtm_dst_len == 0 || /* default route */
1710 (rta_dst.ptr && addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))))
1711 {
1712 iterator_t *ifaces, *addrs;
1713 iface_entry_t *iface;
1714 addr_entry_t *addr;
1715
1716 best = msg->rtm_dst_len;
1717 if (nexthop)
1718 {
1719 DESTROY_IF(gtw);
1720 gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
1721 }
1722 else if (rta_src.ptr)
1723 {
1724 DESTROY_IF(src);
1725 src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
1726 if (get_vip_refcount(this, src))
1727 { /* skip source address if it is installed by us */
1728 DESTROY_IF(src);
1729 src = NULL;
1730 current = NLMSG_NEXT(current, len);
1731 continue;
1732 }
1733 }
1734 else
1735 {
1736 /* no source addr, get one from the interfaces */
1737 ifaces = this->ifaces->create_iterator_locked(
1738 this->ifaces, &this->mutex);
1739 while (ifaces->iterate(ifaces, (void**)&iface))
1740 {
1741 if (iface->ifindex == rta_oif)
1742 {
1743 addrs = iface->addrs->create_iterator(
1744 iface->addrs, TRUE);
1745 while (addrs->iterate(addrs, (void**)&addr))
1746 {
1747 chunk_t ip = addr->ip->get_address(addr->ip);
1748 if (msg->rtm_dst_len == 0
1749 || addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
1750 {
1751 DESTROY_IF(src);
1752 src = addr->ip->clone(addr->ip);
1753 break;
1754 }
1755 }
1756 addrs->destroy(addrs);
1757 }
1758 }
1759 ifaces->destroy(ifaces);
1760 }
1761 }
1762 /* FALL through */
1763 }
1764 default:
1765 current = NLMSG_NEXT(current, len);
1766 continue;
1767 }
1768 break;
1769 }
1770 free(out);
1771
1772 if (nexthop)
1773 {
1774 if (gtw)
1775 {
1776 return gtw;
1777 }
1778 return dest->clone(dest);
1779 }
1780 return src;
1781 }
1782
1783 /**
1784 * Implementation of kernel_interface_t.get_source_addr.
1785 */
1786 static host_t* get_source_addr(private_kernel_interface_t *this, host_t *dest)
1787 {
1788 return get_route(this, dest, FALSE);
1789 }
1790
1791 /**
1792 * Implementation of kernel_interface_t.add_ip.
1793 */
1794 static status_t add_ip(private_kernel_interface_t *this,
1795 host_t *virtual_ip, host_t *iface_ip)
1796 {
1797 iface_entry_t *iface;
1798 addr_entry_t *addr;
1799 iterator_t *addrs, *ifaces;
1800 int ifindex;
1801
1802 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1803
1804 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1805 while (ifaces->iterate(ifaces, (void**)&iface))
1806 {
1807 bool iface_found = FALSE;
1808
1809 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1810 while (addrs->iterate(addrs, (void**)&addr))
1811 {
1812 if (iface_ip->ip_equals(iface_ip, addr->ip))
1813 {
1814 iface_found = TRUE;
1815 }
1816 else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1817 {
1818 addr->refcount++;
1819 DBG2(DBG_KNL, "virtual IP %H already installed on %s",
1820 virtual_ip, iface->ifname);
1821 addrs->destroy(addrs);
1822 ifaces->destroy(ifaces);
1823 return SUCCESS;
1824 }
1825 }
1826 addrs->destroy(addrs);
1827
1828 if (iface_found)
1829 {
1830 ifindex = iface->ifindex;
1831 addr = malloc_thing(addr_entry_t);
1832 addr->ip = virtual_ip->clone(virtual_ip);
1833 addr->refcount = 0;
1834 addr->virtual = TRUE;
1835 addr->scope = RT_SCOPE_UNIVERSE;
1836 iface->addrs->insert_last(iface->addrs, addr);
1837
1838 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1839 ifindex, virtual_ip) == SUCCESS)
1840 {
1841 while (get_vip_refcount(this, virtual_ip) == 0)
1842 { /* wait until address appears */
1843 pthread_cond_wait(&this->cond, &this->mutex);
1844 }
1845 ifaces->destroy(ifaces);
1846 return SUCCESS;
1847 }
1848 ifaces->destroy(ifaces);
1849 DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
1850 return FAILED;
1851 }
1852 }
1853 ifaces->destroy(ifaces);
1854
1855 DBG1(DBG_KNL, "interface address %H not found, unable to install"
1856 "virtual IP %H", iface_ip, virtual_ip);
1857 return FAILED;
1858 }
1859
1860 /**
1861 * Implementation of kernel_interface_t.del_ip.
1862 */
1863 static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
1864 {
1865 iface_entry_t *iface;
1866 addr_entry_t *addr;
1867 iterator_t *addrs, *ifaces;
1868 status_t status;
1869 int ifindex;
1870
1871 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1872
1873 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1874 while (ifaces->iterate(ifaces, (void**)&iface))
1875 {
1876 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1877 while (addrs->iterate(addrs, (void**)&addr))
1878 {
1879 if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1880 {
1881 ifindex = iface->ifindex;
1882 if (addr->refcount == 1)
1883 {
1884 status = manage_ipaddr(this, RTM_DELADDR, 0,
1885 ifindex, virtual_ip);
1886 if (status == SUCCESS)
1887 { /* wait until the address is really gone */
1888 while (get_vip_refcount(this, virtual_ip) > 0)
1889 {
1890 pthread_cond_wait(&this->cond, &this->mutex);
1891 }
1892 }
1893 addrs->destroy(addrs);
1894 ifaces->destroy(ifaces);
1895 return status;
1896 }
1897 else
1898 {
1899 addr->refcount--;
1900 }
1901 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1902 virtual_ip);
1903 addrs->destroy(addrs);
1904 ifaces->destroy(ifaces);
1905 return SUCCESS;
1906 }
1907 }
1908 addrs->destroy(addrs);
1909 }
1910 ifaces->destroy(ifaces);
1911
1912 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1913 return FAILED;
1914 }
1915
1916 /**
1917 * Get an SPI for a specific protocol from the kernel.
1918 */
1919 static status_t get_spi_internal(private_kernel_interface_t *this,
1920 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
1921 u_int32_t reqid, u_int32_t *spi)
1922 {
1923 unsigned char request[BUFFER_SIZE];
1924 struct nlmsghdr *hdr, *out;
1925 struct xfrm_userspi_info *userspi;
1926 u_int32_t received_spi = 0;
1927 size_t len;
1928
1929 memset(&request, 0, sizeof(request));
1930
1931 hdr = (struct nlmsghdr*)request;
1932 hdr->nlmsg_flags = NLM_F_REQUEST;
1933 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1934 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1935
1936 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1937 host2xfrm(src, &userspi->info.saddr);
1938 host2xfrm(dst, &userspi->info.id.daddr);
1939 userspi->info.id.proto = proto;
1940 userspi->info.mode = TRUE; /* tunnel mode */
1941 userspi->info.reqid = reqid;
1942 userspi->info.family = src->get_family(src);
1943 userspi->min = min;
1944 userspi->max = max;
1945
1946 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1947 {
1948 hdr = out;
1949 while (NLMSG_OK(hdr, len))
1950 {
1951 switch (hdr->nlmsg_type)
1952 {
1953 case XFRM_MSG_NEWSA:
1954 {
1955 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1956 received_spi = usersa->id.spi;
1957 break;
1958 }
1959 case NLMSG_ERROR:
1960 {
1961 struct nlmsgerr *err = NLMSG_DATA(hdr);
1962
1963 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1964 strerror(-err->error), -err->error);
1965 break;
1966 }
1967 default:
1968 hdr = NLMSG_NEXT(hdr, len);
1969 continue;
1970 case NLMSG_DONE:
1971 break;
1972 }
1973 break;
1974 }
1975 free(out);
1976 }
1977
1978 if (received_spi == 0)
1979 {
1980 return FAILED;
1981 }
1982
1983 *spi = received_spi;
1984 return SUCCESS;
1985 }
1986
1987 /**
1988 * Implementation of kernel_interface_t.get_spi.
1989 */
1990 static status_t get_spi(private_kernel_interface_t *this,
1991 host_t *src, host_t *dst,
1992 protocol_id_t protocol, u_int32_t reqid,
1993 u_int32_t *spi)
1994 {
1995 DBG2(DBG_KNL, "getting SPI for reqid {%d}", reqid);
1996
1997 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
1998 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
1999 {
2000 DBG1(DBG_KNL, "unable to get SPI for reqid {%d}", reqid);
2001 return FAILED;
2002 }
2003
2004 DBG2(DBG_KNL, "got SPI %.8x for reqid {%d}", ntohl(*spi), reqid);
2005
2006 return SUCCESS;
2007 }
2008
2009 /**
2010 * Implementation of kernel_interface_t.get_cpi.
2011 */
2012 static status_t get_cpi(private_kernel_interface_t *this,
2013 host_t *src, host_t *dst,
2014 u_int32_t reqid, u_int16_t *cpi)
2015 {
2016 u_int32_t received_spi = 0;
2017
2018 DBG2(DBG_KNL, "getting CPI for reqid {%d}", reqid);
2019
2020 if (get_spi_internal(this, src, dst,
2021 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
2022 {
2023 DBG1(DBG_KNL, "unable to get CPI for reqid {%d}", reqid);
2024 return FAILED;
2025 }
2026
2027 *cpi = htons((u_int16_t)ntohl(received_spi));
2028
2029 DBG2(DBG_KNL, "got CPI %.4x for reqid {%d}", ntohs(*cpi), reqid);
2030
2031 return SUCCESS;
2032 }
2033
2034 /**
2035 * Implementation of kernel_interface_t.add_sa.
2036 */
2037 static status_t add_sa(private_kernel_interface_t *this,
2038 host_t *src, host_t *dst, u_int32_t spi,
2039 protocol_id_t protocol, u_int32_t reqid,
2040 u_int64_t expire_soft, u_int64_t expire_hard,
2041 u_int16_t enc_alg, u_int16_t enc_size,
2042 u_int16_t int_alg, u_int16_t int_size,
2043 prf_plus_t *prf_plus, mode_t mode,
2044 u_int16_t ipcomp, bool encap,
2045 bool replace)
2046 {
2047 unsigned char request[BUFFER_SIZE];
2048 char *alg_name;
2049 /* additional 4 octets KEYMAT required for AES-GCM as of RFC4106 8.1. */
2050 u_int16_t add_keymat = 32;
2051 struct nlmsghdr *hdr;
2052 struct xfrm_usersa_info *sa;
2053
2054 memset(&request, 0, sizeof(request));
2055
2056 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
2057
2058 hdr = (struct nlmsghdr*)request;
2059 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2060 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
2061 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2062
2063 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
2064 host2xfrm(src, &sa->saddr);
2065 host2xfrm(dst, &sa->id.daddr);
2066 sa->id.spi = spi;
2067 sa->id.proto = proto_ike2kernel(protocol);
2068 sa->family = src->get_family(src);
2069 sa->mode = mode;
2070 if (mode == MODE_TUNNEL)
2071 {
2072 sa->flags |= XFRM_STATE_AF_UNSPEC;
2073 }
2074 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
2075 sa->reqid = reqid;
2076 /* we currently do not expire SAs by volume/packet count */
2077 sa->lft.soft_byte_limit = XFRM_INF;
2078 sa->lft.hard_byte_limit = XFRM_INF;
2079 sa->lft.soft_packet_limit = XFRM_INF;
2080 sa->lft.hard_packet_limit = XFRM_INF;
2081 /* we use lifetimes since added, not since used */
2082 sa->lft.soft_add_expires_seconds = expire_soft;
2083 sa->lft.hard_add_expires_seconds = expire_hard;
2084 sa->lft.soft_use_expires_seconds = 0;
2085 sa->lft.hard_use_expires_seconds = 0;
2086
2087 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
2088
2089 switch (enc_alg)
2090 {
2091 case ENCR_UNDEFINED:
2092 /* no encryption */
2093 break;
2094 case ENCR_AES_CCM_ICV8:
2095 case ENCR_AES_CCM_ICV12:
2096 case ENCR_AES_CCM_ICV16:
2097 /* AES-CCM needs only 3 additional octets KEYMAT as of RFC 4309 7.1. */
2098 add_keymat = 24;
2099 /* fall-through */
2100 case ENCR_AES_GCM_ICV8:
2101 case ENCR_AES_GCM_ICV12:
2102 case ENCR_AES_GCM_ICV16:
2103 {
2104 u_int16_t icv_size = 0;
2105 rthdr->rta_type = XFRMA_ALG_AEAD;
2106 alg_name = lookup_algorithm(encryption_algs, enc_alg, &icv_size);
2107 if (alg_name == NULL)
2108 {
2109 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2110 encryption_algorithm_names, enc_alg);
2111 return FAILED;
2112 }
2113 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
2114 encryption_algorithm_names, enc_alg, enc_size);
2115
2116 /* additional KEYMAT required */
2117 enc_size += add_keymat;
2118
2119 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_size / 8);
2120 hdr->nlmsg_len += rthdr->rta_len;
2121 if (hdr->nlmsg_len > sizeof(request))
2122 {
2123 return FAILED;
2124 }
2125
2126 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
2127 algo->alg_key_len = enc_size;
2128 algo->alg_icv_len = icv_size;
2129 strcpy(algo->alg_name, alg_name);
2130 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
2131
2132 rthdr = XFRM_RTA_NEXT(rthdr);
2133 break;
2134 }
2135 default:
2136 {
2137 rthdr->rta_type = XFRMA_ALG_CRYPT;
2138 alg_name = lookup_algorithm(encryption_algs, enc_alg, &enc_size);
2139 if (alg_name == NULL)
2140 {
2141 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2142 encryption_algorithm_names, enc_alg);
2143 return FAILED;
2144 }
2145 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
2146 encryption_algorithm_names, enc_alg, enc_size);
2147
2148 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_size / 8);
2149 hdr->nlmsg_len += rthdr->rta_len;
2150 if (hdr->nlmsg_len > sizeof(request))
2151 {
2152 return FAILED;
2153 }
2154
2155 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2156 algo->alg_key_len = enc_size;
2157 strcpy(algo->alg_name, alg_name);
2158 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
2159
2160 rthdr = XFRM_RTA_NEXT(rthdr);
2161 break;
2162 }
2163 }
2164
2165 if (int_alg != AUTH_UNDEFINED)
2166 {
2167 rthdr->rta_type = XFRMA_ALG_AUTH;
2168 alg_name = lookup_algorithm(integrity_algs, int_alg, &int_size);
2169 if (alg_name == NULL)
2170 {
2171 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2172 integrity_algorithm_names, int_alg);
2173 return FAILED;
2174 }
2175 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
2176 integrity_algorithm_names, int_alg, int_size);
2177
2178 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_size / 8);
2179 hdr->nlmsg_len += rthdr->rta_len;
2180 if (hdr->nlmsg_len > sizeof(request))
2181 {
2182 return FAILED;
2183 }
2184
2185 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2186 algo->alg_key_len = int_size;
2187 strcpy(algo->alg_name, alg_name);
2188 prf_plus->get_bytes(prf_plus, int_size / 8, algo->alg_key);
2189
2190 rthdr = XFRM_RTA_NEXT(rthdr);
2191 }
2192
2193 if (ipcomp != IPCOMP_NONE)
2194 {
2195 rthdr->rta_type = XFRMA_ALG_COMP;
2196 alg_name = lookup_algorithm(compression_algs, ipcomp, NULL);
2197 if (alg_name == NULL)
2198 {
2199 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2200 ipcomp_transform_names, ipcomp);
2201 return FAILED;
2202 }
2203 DBG2(DBG_KNL, " using compression algorithm %N",
2204 ipcomp_transform_names, ipcomp);
2205
2206 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
2207 hdr->nlmsg_len += rthdr->rta_len;
2208 if (hdr->nlmsg_len > sizeof(request))
2209 {
2210 return FAILED;
2211 }
2212
2213 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2214 algo->alg_key_len = 0;
2215 strcpy(algo->alg_name, alg_name);
2216
2217 rthdr = XFRM_RTA_NEXT(rthdr);
2218 }
2219
2220 if (encap)
2221 {
2222 rthdr->rta_type = XFRMA_ENCAP;
2223 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2224
2225 hdr->nlmsg_len += rthdr->rta_len;
2226 if (hdr->nlmsg_len > sizeof(request))
2227 {
2228 return FAILED;
2229 }
2230
2231 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
2232 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2233 tmpl->encap_sport = htons(src->get_port(src));
2234 tmpl->encap_dport = htons(dst->get_port(dst));
2235 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2236 /* encap_oa could probably be derived from the
2237 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
2238 * pluto does the same as we do here but it uses encap_oa in the
2239 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
2240 * the kernel ignores it anyway
2241 * -> does that mean that NAT-T encap doesn't work in transport mode?
2242 * No. The reason the kernel ignores NAT-OA is that it recomputes
2243 * (or, rather, just ignores) the checksum. If packets pass
2244 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
2245 rthdr = XFRM_RTA_NEXT(rthdr);
2246 }
2247
2248 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2249 {
2250 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
2251 return FAILED;
2252 }
2253 return SUCCESS;
2254 }
2255
2256 /**
2257 * Get the replay state (i.e. sequence numbers) of an SA.
2258 */
2259 static status_t get_replay_state(private_kernel_interface_t *this,
2260 u_int32_t spi, protocol_id_t protocol, host_t *dst,
2261 struct xfrm_replay_state *replay)
2262 {
2263 unsigned char request[BUFFER_SIZE];
2264 struct nlmsghdr *hdr, *out = NULL;
2265 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
2266 size_t len;
2267 struct rtattr *rta;
2268 size_t rtasize;
2269
2270 memset(&request, 0, sizeof(request));
2271
2272 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
2273
2274 hdr = (struct nlmsghdr*)request;
2275 hdr->nlmsg_flags = NLM_F_REQUEST;
2276 hdr->nlmsg_type = XFRM_MSG_GETAE;
2277 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
2278
2279 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
2280 aevent_id->flags = XFRM_AE_RVAL;
2281
2282 host2xfrm(dst, &aevent_id->sa_id.daddr);
2283 aevent_id->sa_id.spi = spi;
2284 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
2285 aevent_id->sa_id.family = dst->get_family(dst);
2286
2287 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2288 {
2289 hdr = out;
2290 while (NLMSG_OK(hdr, len))
2291 {
2292 switch (hdr->nlmsg_type)
2293 {
2294 case XFRM_MSG_NEWAE:
2295 {
2296 out_aevent = NLMSG_DATA(hdr);
2297 break;
2298 }
2299 case NLMSG_ERROR:
2300 {
2301 struct nlmsgerr *err = NLMSG_DATA(hdr);
2302 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
2303 strerror(-err->error), -err->error);
2304 break;
2305 }
2306 default:
2307 hdr = NLMSG_NEXT(hdr, len);
2308 continue;
2309 case NLMSG_DONE:
2310 break;
2311 }
2312 break;
2313 }
2314 }
2315
2316 if (out_aevent == NULL)
2317 {
2318 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
2319 ntohl(spi));
2320 free(out);
2321 return FAILED;
2322 }
2323
2324 rta = XFRM_RTA(out, struct xfrm_aevent_id);
2325 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
2326 while(RTA_OK(rta, rtasize))
2327 {
2328 if (rta->rta_type == XFRMA_REPLAY_VAL)
2329 {
2330 memcpy(replay, RTA_DATA(rta), rta->rta_len);
2331 free(out);
2332 return SUCCESS;
2333 }
2334 rta = RTA_NEXT(rta, rtasize);
2335 }
2336
2337 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
2338 ntohl(spi));
2339 free(out);
2340 return FAILED;
2341 }
2342
2343 /**
2344 * Implementation of kernel_interface_t.update_sa.
2345 */
2346 static status_t update_sa(private_kernel_interface_t *this,
2347 u_int32_t spi, protocol_id_t protocol,
2348 host_t *src, host_t *dst,
2349 host_t *new_src, host_t *new_dst, bool encap)
2350 {
2351 unsigned char request[BUFFER_SIZE], *pos;
2352 struct nlmsghdr *hdr, *out = NULL;
2353 struct xfrm_usersa_id *sa_id;
2354 struct xfrm_usersa_info *out_sa = NULL, *sa;
2355 size_t len;
2356 struct rtattr *rta;
2357 size_t rtasize;
2358 struct xfrm_encap_tmpl* tmpl = NULL;
2359 bool got_replay_state;
2360 struct xfrm_replay_state replay;
2361
2362 memset(&request, 0, sizeof(request));
2363
2364 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
2365
2366 /* query the exisiting SA first */
2367 hdr = (struct nlmsghdr*)request;
2368 hdr->nlmsg_flags = NLM_F_REQUEST;
2369 hdr->nlmsg_type = XFRM_MSG_GETSA;
2370 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2371
2372 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2373 host2xfrm(dst, &sa_id->daddr);
2374 sa_id->spi = spi;
2375 sa_id->proto = proto_ike2kernel(protocol);
2376 sa_id->family = dst->get_family(dst);
2377
2378 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2379 {
2380 hdr = out;
2381 while (NLMSG_OK(hdr, len))
2382 {
2383 switch (hdr->nlmsg_type)
2384 {
2385 case XFRM_MSG_NEWSA:
2386 {
2387 out_sa = NLMSG_DATA(hdr);
2388 break;
2389 }
2390 case NLMSG_ERROR:
2391 {
2392 struct nlmsgerr *err = NLMSG_DATA(hdr);
2393 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2394 strerror(-err->error), -err->error);
2395 break;
2396 }
2397 default:
2398 hdr = NLMSG_NEXT(hdr, len);
2399 continue;
2400 case NLMSG_DONE:
2401 break;
2402 }
2403 break;
2404 }
2405 }
2406 if (out_sa == NULL)
2407 {
2408 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
2409 free(out);
2410 return FAILED;
2411 }
2412
2413 /* try to get the replay state */
2414 got_replay_state = (get_replay_state(
2415 this, spi, protocol, dst, &replay) == SUCCESS);
2416
2417 /* delete the old SA */
2418 if (this->public.del_sa(&this->public, dst, spi, protocol) != SUCCESS)
2419 {
2420 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
2421 free(out);
2422 return FAILED;
2423 }
2424
2425 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
2426 ntohl(spi), src, dst, new_src, new_dst);
2427
2428 /* copy over the SA from out to request */
2429 hdr = (struct nlmsghdr*)request;
2430 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
2431 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2432 hdr->nlmsg_type = XFRM_MSG_NEWSA;
2433 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2434 sa = NLMSG_DATA(hdr);
2435 sa->family = new_dst->get_family(new_dst);
2436
2437 if (!src->ip_equals(src, new_src))
2438 {
2439 host2xfrm(new_src, &sa->saddr);
2440 }
2441 if (!dst->ip_equals(dst, new_dst))
2442 {
2443 host2xfrm(new_dst, &sa->id.daddr);
2444 }
2445
2446 rta = XFRM_RTA(out, struct xfrm_usersa_info);
2447 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
2448 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
2449 while(RTA_OK(rta, rtasize))
2450 {
2451 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
2452 if (rta->rta_type != XFRMA_ENCAP || encap)
2453 {
2454 if (rta->rta_type == XFRMA_ENCAP)
2455 { /* update encap tmpl */
2456 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2457 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2458 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2459 }
2460 memcpy(pos, rta, rta->rta_len);
2461 pos += RTA_ALIGN(rta->rta_len);
2462 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
2463 }
2464 rta = RTA_NEXT(rta, rtasize);
2465 }
2466
2467 rta = (struct rtattr*)pos;
2468 if (tmpl == NULL && encap)
2469 { /* add tmpl if we are enabling it */
2470 rta->rta_type = XFRMA_ENCAP;
2471 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2472
2473 hdr->nlmsg_len += rta->rta_len;
2474 if (hdr->nlmsg_len > sizeof(request))
2475 {
2476 return FAILED;
2477 }
2478
2479 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2480 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2481 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2482 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2483 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2484
2485 rta = XFRM_RTA_NEXT(rta);
2486 }
2487
2488 if (got_replay_state)
2489 { /* copy the replay data if available */
2490 rta->rta_type = XFRMA_REPLAY_VAL;
2491 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
2492
2493 hdr->nlmsg_len += rta->rta_len;
2494 if (hdr->nlmsg_len > sizeof(request))
2495 {
2496 return FAILED;
2497 }
2498 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
2499
2500 rta = XFRM_RTA_NEXT(rta);
2501 }
2502
2503 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2504 {
2505 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
2506 free(out);
2507 return FAILED;
2508 }
2509 free(out);
2510
2511 return SUCCESS;
2512 }
2513
2514 /**
2515 * Implementation of kernel_interface_t.query_sa.
2516 */
2517 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
2518 u_int32_t spi, protocol_id_t protocol,
2519 u_int32_t *use_time)
2520 {
2521 unsigned char request[BUFFER_SIZE];
2522 struct nlmsghdr *out = NULL, *hdr;
2523 struct xfrm_usersa_id *sa_id;
2524 struct xfrm_usersa_info *sa = NULL;
2525 size_t len;
2526
2527 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
2528 memset(&request, 0, sizeof(request));
2529
2530 hdr = (struct nlmsghdr*)request;
2531 hdr->nlmsg_flags = NLM_F_REQUEST;
2532 hdr->nlmsg_type = XFRM_MSG_GETSA;
2533 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2534
2535 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2536 host2xfrm(dst, &sa_id->daddr);
2537 sa_id->spi = spi;
2538 sa_id->proto = proto_ike2kernel(protocol);
2539 sa_id->family = dst->get_family(dst);
2540
2541 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2542 {
2543 hdr = out;
2544 while (NLMSG_OK(hdr, len))
2545 {
2546 switch (hdr->nlmsg_type)
2547 {
2548 case XFRM_MSG_NEWSA:
2549 {
2550 sa = NLMSG_DATA(hdr);
2551 break;
2552 }
2553 case NLMSG_ERROR:
2554 {
2555 struct nlmsgerr *err = NLMSG_DATA(hdr);
2556 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2557 strerror(-err->error), -err->error);
2558 break;
2559 }
2560 default:
2561 hdr = NLMSG_NEXT(hdr, len);
2562 continue;
2563 case NLMSG_DONE:
2564 break;
2565 }
2566 break;
2567 }
2568 }
2569
2570 if (sa == NULL)
2571 {
2572 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
2573 free(out);
2574 return FAILED;
2575 }
2576
2577 *use_time = sa->curlft.use_time;
2578 free (out);
2579 return SUCCESS;
2580 }
2581
2582 /**
2583 * Implementation of kernel_interface_t.del_sa.
2584 */
2585 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
2586 u_int32_t spi, protocol_id_t protocol)
2587 {
2588 unsigned char request[BUFFER_SIZE];
2589 struct nlmsghdr *hdr;
2590 struct xfrm_usersa_id *sa_id;
2591
2592 memset(&request, 0, sizeof(request));
2593
2594 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
2595
2596 hdr = (struct nlmsghdr*)request;
2597 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2598 hdr->nlmsg_type = XFRM_MSG_DELSA;
2599 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2600
2601 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2602 host2xfrm(dst, &sa_id->daddr);
2603 sa_id->spi = spi;
2604 sa_id->proto = proto_ike2kernel(protocol);
2605 sa_id->family = dst->get_family(dst);
2606
2607 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2608 {
2609 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
2610 return FAILED;
2611 }
2612 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
2613 return SUCCESS;
2614 }
2615
2616 /**
2617 * Implementation of kernel_interface_t.add_policy.
2618 */
2619 static status_t add_policy(private_kernel_interface_t *this,
2620 host_t *src, host_t *dst,
2621 traffic_selector_t *src_ts,
2622 traffic_selector_t *dst_ts,
2623 policy_dir_t direction, protocol_id_t protocol,
2624 u_int32_t reqid, bool high_prio, mode_t mode,
2625 u_int16_t ipcomp)
2626 {
2627 iterator_t *iterator;
2628 policy_entry_t *current, *policy;
2629 bool found = FALSE;
2630 unsigned char request[BUFFER_SIZE];
2631 struct xfrm_userpolicy_info *policy_info;
2632 struct nlmsghdr *hdr;
2633
2634 /* create a policy */
2635 policy = malloc_thing(policy_entry_t);
2636 memset(policy, 0, sizeof(policy_entry_t));
2637 policy->sel = ts2selector(src_ts, dst_ts);
2638 policy->direction = direction;
2639
2640 /* find the policy, which matches EXACTLY */
2641 pthread_mutex_lock(&this->mutex);
2642 iterator = this->policies->create_iterator(this->policies, TRUE);
2643 while (iterator->iterate(iterator, (void**)&current))
2644 {
2645 if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
2646 policy->direction == current->direction)
2647 {
2648 /* use existing policy */
2649 current->refcount++;
2650 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
2651 "refcount", src_ts, dst_ts,
2652 policy_dir_names, direction);
2653 free(policy);
2654 policy = current;
2655 found = TRUE;
2656 break;
2657 }
2658 }
2659 iterator->destroy(iterator);
2660 if (!found)
2661 { /* apply the new one, if we have no such policy */
2662 this->policies->insert_last(this->policies, policy);
2663 policy->refcount = 1;
2664 }
2665
2666 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
2667 policy_dir_names, direction);
2668
2669 memset(&request, 0, sizeof(request));
2670 hdr = (struct nlmsghdr*)request;
2671 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2672 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
2673 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2674
2675 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2676 policy_info->sel = policy->sel;
2677 policy_info->dir = policy->direction;
2678 /* calculate priority based on source selector size, small size = high prio */
2679 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
2680 policy_info->priority -= policy->sel.prefixlen_s * 10;
2681 policy_info->priority -= policy->sel.proto ? 2 : 0;
2682 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
2683 policy_info->action = XFRM_POLICY_ALLOW;
2684 policy_info->share = XFRM_SHARE_ANY;
2685 pthread_mutex_unlock(&this->mutex);
2686
2687 /* policies don't expire */
2688 policy_info->lft.soft_byte_limit = XFRM_INF;
2689 policy_info->lft.soft_packet_limit = XFRM_INF;
2690 policy_info->lft.hard_byte_limit = XFRM_INF;
2691 policy_info->lft.hard_packet_limit = XFRM_INF;
2692 policy_info->lft.soft_add_expires_seconds = 0;
2693 policy_info->lft.hard_add_expires_seconds = 0;
2694 policy_info->lft.soft_use_expires_seconds = 0;
2695 policy_info->lft.hard_use_expires_seconds = 0;
2696
2697 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
2698 rthdr->rta_type = XFRMA_TMPL;
2699 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2700
2701 hdr->nlmsg_len += rthdr->rta_len;
2702 if (hdr->nlmsg_len > sizeof(request))
2703 {
2704 return FAILED;
2705 }
2706
2707 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
2708
2709 if (ipcomp != IPCOMP_NONE)
2710 {
2711 tmpl->reqid = reqid;
2712 tmpl->id.proto = IPPROTO_COMP;
2713 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2714 tmpl->mode = mode;
2715 tmpl->optional = direction != POLICY_OUT;
2716 tmpl->family = src->get_family(src);
2717
2718 host2xfrm(src, &tmpl->saddr);
2719 host2xfrm(dst, &tmpl->id.daddr);
2720
2721 /* add an additional xfrm_user_tmpl */
2722 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2723 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2724 if (hdr->nlmsg_len > sizeof(request))
2725 {
2726 return FAILED;
2727 }
2728
2729 tmpl++;
2730 }
2731
2732 tmpl->reqid = reqid;
2733 tmpl->id.proto = proto_ike2kernel(protocol);
2734 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2735 tmpl->mode = mode;
2736 tmpl->family = src->get_family(src);
2737
2738 host2xfrm(src, &tmpl->saddr);
2739 host2xfrm(dst, &tmpl->id.daddr);
2740
2741 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2742 {
2743 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
2744 policy_dir_names, direction);
2745 return FAILED;
2746 }
2747
2748 /* install a route, if:
2749 * - we are NOT updating a policy
2750 * - this is a forward policy (to just get one for each child)
2751 * - we are in tunnel mode
2752 * - we are not using IPv6 (does not work correctly yet!)
2753 * - routing is not disabled via strongswan.conf
2754 */
2755 if (policy->route == NULL && direction == POLICY_FWD &&
2756 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
2757 this->install_routes)
2758 {
2759 policy->route = malloc_thing(route_entry_t);
2760 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
2761 {
2762 /* get the nexthop to src (src as we are in POLICY_FWD).*/
2763 policy->route->gateway = get_route(this, src, TRUE);
2764 policy->route->if_index = get_interface_index(this, dst);
2765 policy->route->dst_net = chunk_alloc(
2766 policy->sel.family == AF_INET ? 4 : 16);
2767 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr,
2768 policy->route->dst_net.len);
2769 policy->route->prefixlen = policy->sel.prefixlen_s;
2770
2771 switch (manage_srcroute(this, RTM_NEWROUTE,
2772 NLM_F_CREATE | NLM_F_EXCL, policy->route))
2773 {
2774 default:
2775 DBG1(DBG_KNL, "unable to install source route for %H",
2776 policy->route->src_ip);
2777 /* FALL */
2778 case ALREADY_DONE:
2779 /* route exists, do not uninstall */
2780 route_entry_destroy(policy->route);
2781 policy->route = NULL;
2782 break;
2783 case SUCCESS:
2784 break;
2785 }
2786 }
2787 else
2788 {
2789 free(policy->route);
2790 policy->route = NULL;
2791 }
2792 }
2793
2794 return SUCCESS;
2795 }
2796
2797 /**
2798 * Implementation of kernel_interface_t.query_policy.
2799 */
2800 static status_t query_policy(private_kernel_interface_t *this,
2801 traffic_selector_t *src_ts,
2802 traffic_selector_t *dst_ts,
2803 policy_dir_t direction, u_int32_t *use_time)
2804 {
2805 unsigned char request[BUFFER_SIZE];
2806 struct nlmsghdr *out = NULL, *hdr;
2807 struct xfrm_userpolicy_id *policy_id;
2808 struct xfrm_userpolicy_info *policy = NULL;
2809 size_t len;
2810
2811 memset(&request, 0, sizeof(request));
2812
2813 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
2814 policy_dir_names, direction);
2815
2816 hdr = (struct nlmsghdr*)request;
2817 hdr->nlmsg_flags = NLM_F_REQUEST;
2818 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2819 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2820
2821 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2822 policy_id->sel = ts2selector(src_ts, dst_ts);
2823 policy_id->dir = direction;
2824
2825 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2826 {
2827 hdr = out;
2828 while (NLMSG_OK(hdr, len))
2829 {
2830 switch (hdr->nlmsg_type)
2831 {
2832 case XFRM_MSG_NEWPOLICY:
2833 {
2834 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2835 break;
2836 }
2837 case NLMSG_ERROR:
2838 {
2839 struct nlmsgerr *err = NLMSG_DATA(hdr);
2840 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2841 strerror(-err->error), -err->error);
2842 break;
2843 }
2844 default:
2845 hdr = NLMSG_NEXT(hdr, len);
2846 continue;
2847 case NLMSG_DONE:
2848 break;
2849 }
2850 break;
2851 }
2852 }
2853
2854 if (policy == NULL)
2855 {
2856 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
2857 policy_dir_names, direction);
2858 free(out);
2859 return FAILED;
2860 }
2861 *use_time = (time_t)policy->curlft.use_time;
2862
2863 free(out);
2864 return SUCCESS;
2865 }
2866
2867 /**
2868 * Implementation of kernel_interface_t.del_policy.
2869 */
2870 static status_t del_policy(private_kernel_interface_t *this,
2871 traffic_selector_t *src_ts,
2872 traffic_selector_t *dst_ts,
2873 policy_dir_t direction)
2874 {
2875 policy_entry_t *current, policy, *to_delete = NULL;
2876 route_entry_t *route;
2877 unsigned char request[BUFFER_SIZE];
2878 struct nlmsghdr *hdr;
2879 struct xfrm_userpolicy_id *policy_id;
2880 iterator_t *iterator;
2881
2882 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
2883 policy_dir_names, direction);
2884
2885 /* create a policy */
2886 memset(&policy, 0, sizeof(policy_entry_t));
2887 policy.sel = ts2selector(src_ts, dst_ts);
2888 policy.direction = direction;
2889
2890 /* find the policy */
2891 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
2892 while (iterator->iterate(iterator, (void**)&current))
2893 {
2894 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
2895 policy.direction == current->direction)
2896 {
2897 to_delete = current;
2898 if (--to_delete->refcount > 0)
2899 {
2900 /* is used by more SAs, keep in kernel */
2901 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2902 iterator->destroy(iterator);
2903 return SUCCESS;
2904 }
2905 /* remove if last reference */
2906 iterator->remove(iterator);
2907 break;
2908 }
2909 }
2910 iterator->destroy(iterator);
2911 if (!to_delete)
2912 {
2913 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
2914 dst_ts, policy_dir_names, direction);
2915 return NOT_FOUND;
2916 }
2917
2918 memset(&request, 0, sizeof(request));
2919
2920 hdr = (struct nlmsghdr*)request;
2921 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2922 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2923 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2924
2925 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2926 policy_id->sel = to_delete->sel;
2927 policy_id->dir = direction;
2928
2929 route = to_delete->route;
2930 free(to_delete);
2931
2932 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2933 {
2934 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2935 policy_dir_names, direction);
2936 return FAILED;
2937 }
2938
2939 if (route)
2940 {
2941 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
2942 {
2943 DBG1(DBG_KNL, "error uninstalling route installed with "
2944 "policy %R === %R %N", src_ts, dst_ts,
2945 policy_dir_names, direction);
2946 }
2947 route_entry_destroy(route);
2948 }
2949 return SUCCESS;
2950 }
2951
2952 /**
2953 * Implementation of kernel_interface_t.destroy.
2954 */
2955 static void destroy(private_kernel_interface_t *this)
2956 {
2957 if (this->routing_table)
2958 {
2959 manage_rule(this, RTM_DELRULE, this->routing_table,
2960 this->routing_table_prio);
2961 }
2962
2963 this->job->cancel(this->job);
2964 close(this->socket_xfrm_events);
2965 close(this->socket_xfrm);
2966 close(this->socket_rt_events);
2967 close(this->socket_rt);
2968 this->policies->destroy(this->policies);
2969 this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
2970 free(this);
2971 }
2972
2973 /*
2974 * Described in header.
2975 */
2976 kernel_interface_t *kernel_interface_create()
2977 {
2978 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
2979 struct sockaddr_nl addr;
2980
2981 /* public functions */
2982 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2983 this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
2984 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,mode_t,u_int16_t,bool,bool))add_sa;
2985 this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
2986 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
2987 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
2988 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,u_int16_t))add_policy;
2989 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2990 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
2991 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
2992 this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
2993 this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest))get_source_addr;
2994 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
2995 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
2996 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
2997
2998 /* private members */
2999 this->policies = linked_list_create();
3000 this->ifaces = linked_list_create();
3001 this->hiter = NULL;
3002 this->seq = 200;
3003 pthread_mutex_init(&this->mutex, NULL);
3004 pthread_mutex_init(&this->nl_mutex, NULL);
3005 pthread_cond_init(&this->cond, NULL);
3006 timerclear(&this->last_roam);
3007 this->install_routes = lib->settings->get_bool(lib->settings,
3008 "charon.install_routes", TRUE);
3009 this->routing_table = lib->settings->get_int(lib->settings,