projects / strongswan.git / blob
? search:


4aabded6f334a789c4e2ca5aef1f296550571c3b
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /**
2 * @file kernel_interface.c
3 *
4 * @brief Implementation of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
12 * Copyright (C) 2006 Daniel Roethlisberger
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
16 *
17 * Based on xfrm code from pluto.
18 *
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
23 *
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 * for more details.
28 */
29
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <linux/netlink.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/xfrm.h>
35 #include <linux/udp.h>
36 #include <pthread.h>
37 #include <unistd.h>
38 #include <fcntl.h>
39 #include <errno.h>
40 #include <string.h>
41 #include <net/if.h>
42 #include <sys/ioctl.h>
43
44 #include "kernel_interface.h"
45
46 #include <daemon.h>
47 #include <utils/linked_list.h>
48 #include <processing/jobs/delete_child_sa_job.h>
49 #include <processing/jobs/rekey_child_sa_job.h>
50 #include <processing/jobs/acquire_job.h>
51
52 /** kernel level protocol identifiers */
53 #define KERNEL_ESP 50
54 #define KERNEL_AH 51
55
56 /** default priority of installed policies */
57 #define PRIO_LOW 3000
58 #define PRIO_HIGH 2000
59
60 #define BUFFER_SIZE 1024
61
62 /**
63 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
64 * 'usual' netlink data x like 'struct xfrm_usersa_info'
65 */
66 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
67 /**
68 * returns a pointer to the next rtattr following rta.
69 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
70 */
71 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
72 /**
73 * returns the total size of attached rta data
74 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
75 */
76 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
77
78 typedef struct kernel_algorithm_t kernel_algorithm_t;
79
80 /**
81 * Mapping from the algorithms defined in IKEv2 to
82 * kernel level algorithm names and their key length
83 */
84 struct kernel_algorithm_t {
85 /**
86 * Identifier specified in IKEv2
87 */
88 int ikev2_id;
89
90 /**
91 * Name of the algorithm, as used as kernel identifier
92 */
93 char *name;
94
95 /**
96 * Key length in bits, if fixed size
97 */
98 u_int key_size;
99 };
100 #define END_OF_LIST -1
101
102 /**
103 * Algorithms for encryption
104 */
105 kernel_algorithm_t encryption_algs[] = {
106 /* {ENCR_DES_IV64, "***", 0}, */
107 {ENCR_DES, "des", 64},
108 {ENCR_3DES, "des3_ede", 192},
109 /* {ENCR_RC5, "***", 0}, */
110 /* {ENCR_IDEA, "***", 0}, */
111 {ENCR_CAST, "cast128", 0},
112 {ENCR_BLOWFISH, "blowfish", 0},
113 /* {ENCR_3IDEA, "***", 0}, */
114 /* {ENCR_DES_IV32, "***", 0}, */
115 {ENCR_NULL, "cipher_null", 0},
116 {ENCR_AES_CBC, "aes", 0},
117 /* {ENCR_AES_CTR, "***", 0}, */
118 {END_OF_LIST, NULL, 0},
119 };
120
121 /**
122 * Algorithms for integrity protection
123 */
124 kernel_algorithm_t integrity_algs[] = {
125 {AUTH_HMAC_MD5_96, "md5", 128},
126 {AUTH_HMAC_SHA1_96, "sha1", 160},
127 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
128 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
129 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
130 /* {AUTH_DES_MAC, "***", 0}, */
131 /* {AUTH_KPDK_MD5, "***", 0}, */
132 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
133 {END_OF_LIST, NULL, 0},
134 };
135
136 /**
137 * Look up a kernel algorithm name and its key size
138 */
139 char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
140 algorithm_t *ikev2_algo, u_int *key_size)
141 {
142 while (kernel_algo->ikev2_id != END_OF_LIST)
143 {
144 if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
145 {
146 /* match, evaluate key length */
147 if (ikev2_algo->key_size)
148 { /* variable length */
149 *key_size = ikev2_algo->key_size;
150 }
151 else
152 { /* fixed length */
153 *key_size = kernel_algo->key_size;
154 }
155 return kernel_algo->name;
156 }
157 kernel_algo++;
158 }
159 return NULL;
160 }
161
162 typedef struct route_entry_t route_entry_t;
163
164 /**
165 * installed routing entry
166 */
167 struct route_entry_t {
168
169 /** Index of the interface the route is bound to */
170 int if_index;
171
172 /** Source ip of the route */
173 host_t *src_ip;
174
175 /** gateway for this route */
176 host_t *gateway;
177
178 /** Destination net */
179 chunk_t dst_net;
180
181 /** Destination net prefixlen */
182 u_int8_t prefixlen;
183 };
184
185 /**
186 * destroy an route_entry_t object
187 */
188 static void route_entry_destroy(route_entry_t *this)
189 {
190 this->src_ip->destroy(this->src_ip);
191 this->gateway->destroy(this->gateway);
192 chunk_free(&this->dst_net);
193 free(this);
194 }
195
196 typedef struct policy_entry_t policy_entry_t;
197
198 /**
199 * installed kernel policy.
200 */
201 struct policy_entry_t {
202
203 /** direction of this policy: in, out, forward */
204 u_int8_t direction;
205
206 /** reqid of the policy */
207 u_int32_t reqid;
208
209 /** parameters of installed policy */
210 struct xfrm_selector sel;
211
212 /** associated route installed for this policy */
213 route_entry_t *route;
214
215 /** by how many CHILD_SA's this policy is used */
216 u_int refcount;
217 };
218
219 typedef struct vip_entry_t vip_entry_t;
220
221 /**
222 * Installed virtual ip
223 */
224 struct vip_entry_t {
225 /** Index of the interface the ip is bound to */
226 u_int8_t if_index;
227
228 /** The ip address */
229 host_t *ip;
230
231 /** Number of times this IP is used */
232 u_int refcount;
233 };
234
235 /**
236 * destroy a vip_entry_t object
237 */
238 static void vip_entry_destroy(vip_entry_t *this)
239 {
240 this->ip->destroy(this->ip);
241 free(this);
242 }
243
244 typedef struct address_entry_t address_entry_t;
245
246 /**
247 * an address found on the system, containg address and interface info
248 */
249 struct address_entry_t {
250
251 /** address of this entry */
252 host_t *host;
253
254 /** interface index */
255 int ifindex;
256
257 /** name of the index */
258 char ifname[IFNAMSIZ];
259 };
260
261 /**
262 * destroy an address entry
263 */
264 static void address_entry_destroy(address_entry_t *this)
265 {
266 this->host->destroy(this->host);
267 free(this);
268 }
269
270 typedef struct private_kernel_interface_t private_kernel_interface_t;
271
272 /**
273 * Private variables and functions of kernel_interface class.
274 */
275 struct private_kernel_interface_t {
276 /**
277 * Public part of the kernel_interface_t object.
278 */
279 kernel_interface_t public;
280
281 /**
282 * List of installed policies (kernel_entry_t)
283 */
284 linked_list_t *policies;
285
286 /**
287 * Mutex locks access to policies
288 */
289 pthread_mutex_t policies_mutex;
290
291 /**
292 * List of installed virtual IPs. (vip_entry_t)
293 */
294 linked_list_t *vips;
295
296 /**
297 * Mutex to lock access to vips.
298 */
299 pthread_mutex_t vips_mutex;
300
301 /**
302 * netlink xfrm socket to receive acquire and expire events
303 */
304 int socket_xfrm_events;
305
306 /**
307 * Netlink xfrm socket (IPsec)
308 */
309 int socket_xfrm;
310
311 /**
312 * Netlink rt socket (routing)
313 */
314 int socket_rt;
315
316 /**
317 * Thread receiving events from kernel
318 */
319 pthread_t event_thread;
320 };
321
322 /**
323 * convert a host_t to a struct xfrm_address
324 */
325 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
326 {
327 chunk_t chunk = host->get_address(host);
328 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
329 }
330
331 /**
332 * convert a traffic selector address range to subnet and its mask.
333 */
334 static void ts2subnet(traffic_selector_t* ts,
335 xfrm_address_t *net, u_int8_t *mask)
336 {
337 /* there is no way to do this cleanly, as the address range may
338 * be anything else but a subnet. We use from_addr as subnet
339 * and try to calculate a usable subnet mask.
340 */
341 int byte, bit;
342 bool found = FALSE;
343 chunk_t from, to;
344 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
345
346 from = ts->get_from_address(ts);
347 to = ts->get_to_address(ts);
348
349 *mask = (size * 8);
350 /* go trough all bits of the addresses, beginning in the front.
351 * as long as they are equal, the subnet gets larger
352 */
353 for (byte = 0; byte < size; byte++)
354 {
355 for (bit = 7; bit >= 0; bit--)
356 {
357 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
358 {
359 *mask = ((7 - bit) + (byte * 8));
360 found = TRUE;
361 break;
362 }
363 }
364 if (found)
365 {
366 break;
367 }
368 }
369 memcpy(net, from.ptr, from.len);
370 chunk_free(&from);
371 chunk_free(&to);
372 }
373
374 /**
375 * convert a traffic selector port range to port/portmask
376 */
377 static void ts2ports(traffic_selector_t* ts,
378 u_int16_t *port, u_int16_t *mask)
379 {
380 /* linux does not seem to accept complex portmasks. Only
381 * any or a specific port is allowed. We set to any, if we have
382 * a port range, or to a specific, if we have one port only.
383 */
384 u_int16_t from, to;
385
386 from = ts->get_from_port(ts);
387 to = ts->get_to_port(ts);
388
389 if (from == to)
390 {
391 *port = htons(from);
392 *mask = ~0;
393 }
394 else
395 {
396 *port = 0;
397 *mask = 0;
398 }
399 }
400
401 /**
402 * convert a pair of traffic_selectors to a xfrm_selector
403 */
404 static struct xfrm_selector ts2selector(traffic_selector_t *src,
405 traffic_selector_t *dst)
406 {
407 struct xfrm_selector sel;
408
409 memset(&sel, 0, sizeof(sel));
410 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
411 /* src or dest proto may be "any" (0), use more restrictive one */
412 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
413 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
414 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
415 ts2ports(dst, &sel.dport, &sel.dport_mask);
416 ts2ports(src, &sel.sport, &sel.sport_mask);
417 sel.ifindex = 0;
418 sel.user = 0;
419
420 return sel;
421 }
422
423 /**
424 * Creates an rtattr and adds it to the netlink message
425 */
426 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
427 size_t buflen)
428 {
429 struct rtattr *rta;
430
431 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
432 {
433 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
434 return;
435 }
436
437 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
438 rta->rta_type = rta_type;
439 rta->rta_len = RTA_LENGTH(data.len);
440 memcpy(RTA_DATA(rta), data.ptr, data.len);
441 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
442 }
443
444 /**
445 * Receives events from kernel
446 */
447 static void receive_events(private_kernel_interface_t *this)
448 {
449 charon->drop_capabilities(charon, TRUE);
450
451 while(TRUE)
452 {
453 unsigned char response[512];
454 struct nlmsghdr *hdr;
455 struct sockaddr_nl addr;
456 socklen_t addr_len = sizeof(addr);
457 int len;
458
459 hdr = (struct nlmsghdr*)response;
460 len = recvfrom(this->socket_xfrm_events, response, sizeof(response),
461 0, (struct sockaddr*)&addr, &addr_len);
462 if (len < 0)
463 {
464 if (errno == EINTR)
465 {
466 /* interrupted, try again */
467 continue;
468 }
469 charon->kill(charon, "unable to receive netlink events");
470 }
471
472 if (!NLMSG_OK(hdr, len))
473 {
474 /* bad netlink message */
475 continue;
476 }
477
478 if (addr.nl_pid != 0)
479 {
480 /* not from kernel. not interested, try another one */
481 continue;
482 }
483
484 /* we handle ACQUIRE and EXPIRE messages directly */
485 if (hdr->nlmsg_type == XFRM_MSG_ACQUIRE)
486 {
487 u_int32_t reqid = 0;
488 job_t *job;
489 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
490 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
491 if (RTA_OK(rtattr, rtsize))
492 {
493 if (rtattr->rta_type == XFRMA_TMPL)
494 {
495 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
496 reqid = tmpl->reqid;
497 }
498 }
499 if (reqid == 0)
500 {
501 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
502 }
503 else
504 {
505 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
506 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d",
507 reqid);
508 job = (job_t*)acquire_job_create(reqid);
509 charon->job_queue->add(charon->job_queue, job);
510 }
511 }
512 else if (hdr->nlmsg_type == XFRM_MSG_EXPIRE)
513 {
514 job_t *job;
515 protocol_id_t protocol;
516 u_int32_t spi, reqid;
517 struct xfrm_user_expire *expire;
518
519 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
520 protocol = expire->state.id.proto == KERNEL_ESP ?
521 PROTO_ESP : PROTO_AH;
522 spi = expire->state.id.spi;
523 reqid = expire->state.reqid;
524
525 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
526 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
527 expire->hard ? "delete" : "rekey", protocol_id_names,
528 protocol, ntohl(spi), reqid);
529 if (expire->hard)
530 {
531 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
532 }
533 else
534 {
535 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
536 }
537 charon->job_queue->add(charon->job_queue, job);
538 }
539 }
540 }
541
542 /**
543 * send a netlink message and wait for a reply
544 */
545 static status_t netlink_send(int socket, struct nlmsghdr *in,
546 struct nlmsghdr **out, size_t *out_len)
547 {
548 int len, addr_len;
549 struct sockaddr_nl addr;
550 chunk_t result = chunk_empty, tmp;
551 struct nlmsghdr *msg, peek;
552
553 static int seq = 200;
554 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
555
556
557 pthread_mutex_lock(&mutex);
558
559 in->nlmsg_seq = ++seq;
560 in->nlmsg_pid = getpid();
561
562 memset(&addr, 0, sizeof(addr));
563 addr.nl_family = AF_NETLINK;
564 addr.nl_pid = 0;
565 addr.nl_groups = 0;
566
567 while (TRUE)
568 {
569 len = sendto(socket, in, in->nlmsg_len, 0,
570 (struct sockaddr*)&addr, sizeof(addr));
571
572 if (len != in->nlmsg_len)
573 {
574 if (errno == EINTR)
575 {
576 /* interrupted, try again */
577 continue;
578 }
579 pthread_mutex_unlock(&mutex);
580 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
581 return FAILED;
582 }
583 break;
584 }
585
586 while (TRUE)
587 {
588 char buf[1024];
589 tmp.len = sizeof(buf);
590 tmp.ptr = buf;
591 msg = (struct nlmsghdr*)tmp.ptr;
592
593 memset(&addr, 0, sizeof(addr));
594 addr.nl_family = AF_NETLINK;
595 addr.nl_pid = getpid();
596 addr.nl_groups = 0;
597 addr_len = sizeof(addr);
598
599 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
600 (struct sockaddr*)&addr, &addr_len);
601
602 if (len < 0)
603 {
604 if (errno == EINTR)
605 {
606 DBG1(DBG_IKE, "got interrupted");
607 /* interrupted, try again */
608 continue;
609 }
610 DBG1(DBG_IKE, "error reading from netlink socket: %s", strerror(errno));
611 pthread_mutex_unlock(&mutex);
612 return FAILED;
613 }
614 if (!NLMSG_OK(msg, len))
615 {
616 DBG1(DBG_IKE, "received corrupted netlink message");
617 pthread_mutex_unlock(&mutex);
618 return FAILED;
619 }
620 if (msg->nlmsg_seq != seq)
621 {
622 DBG1(DBG_IKE, "received invalid netlink sequence number");
623 if (msg->nlmsg_seq < seq)
624 {
625 continue;
626 }
627 pthread_mutex_unlock(&mutex);
628 return FAILED;
629 }
630
631 tmp.len = len;
632 result = chunk_cata("cc", result, tmp);
633
634 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
635 * numbers to detect multi header messages */
636 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
637 (struct sockaddr*)&addr, &addr_len);
638
639 if (len == sizeof(peek) && peek.nlmsg_seq == seq)
640 {
641 /* seems to be multipart */
642 continue;
643 }
644 break;
645 }
646
647 *out_len = result.len;
648 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
649
650 pthread_mutex_unlock(&mutex);
651
652 return SUCCESS;
653 }
654
655 /**
656 * send a netlink message and wait for its acknowlegde
657 */
658 static status_t netlink_send_ack(int socket, struct nlmsghdr *in)
659 {
660 struct nlmsghdr *out, *hdr;
661 size_t len;
662
663 if (netlink_send(socket, in, &out, &len) != SUCCESS)
664 {
665 return FAILED;
666 }
667 hdr = out;
668 while (NLMSG_OK(hdr, len))
669 {
670 switch (hdr->nlmsg_type)
671 {
672 case NLMSG_ERROR:
673 {
674 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
675
676 if (err->error)
677 {
678 DBG1(DBG_KNL, "received netlink error: %s (%d)",
679 strerror(-err->error), -err->error);
680 free(out);
681 return FAILED;
682 }
683 free(out);
684 return SUCCESS;
685 }
686 default:
687 hdr = NLMSG_NEXT(hdr, len);
688 continue;
689 case NLMSG_DONE:
690 break;
691 }
692 break;
693 }
694 DBG1(DBG_KNL, "netlink request not acknowlegded");
695 free(out);
696 return FAILED;
697 }
698
699 /**
700 * Create a list of local addresses.
701 */
702 static linked_list_t *create_address_list(private_kernel_interface_t *this)
703 {
704 char request[BUFFER_SIZE];
705 struct nlmsghdr *out, *hdr;
706 struct rtgenmsg *msg;
707 size_t len;
708 linked_list_t *list;
709
710 DBG2(DBG_IKE, "getting local address list");
711
712 list = linked_list_create();
713
714 memset(&request, 0, sizeof(request));
715
716 hdr = (struct nlmsghdr*)&request;
717 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
718 hdr->nlmsg_type = RTM_GETADDR;
719 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
720 msg = (struct rtgenmsg*)NLMSG_DATA(hdr);
721 msg->rtgen_family = AF_UNSPEC;
722
723 if (netlink_send(this->socket_rt, hdr, &out, &len) == SUCCESS)
724 {
725 hdr = out;
726 while (NLMSG_OK(hdr, len))
727 {
728 switch (hdr->nlmsg_type)
729 {
730 case RTM_NEWADDR:
731 {
732 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
733 struct rtattr *rta = IFA_RTA(msg);
734 size_t rtasize = IFA_PAYLOAD (hdr);
735 host_t *host = NULL;
736 char *name = NULL;
737 chunk_t local = chunk_empty, address = chunk_empty;
738
739 while(RTA_OK(rta, rtasize))
740 {
741 switch (rta->rta_type)
742 {
743 case IFA_LOCAL:
744 local.ptr = RTA_DATA(rta);
745 local.len = RTA_PAYLOAD(rta);
746 break;
747 case IFA_ADDRESS:
748 address.ptr = RTA_DATA(rta);
749 address.len = RTA_PAYLOAD(rta);
750 break;
751 case IFA_LABEL:
752 name = RTA_DATA(rta);
753 break;
754 }
755 rta = RTA_NEXT(rta, rtasize);
756 }
757
758 /* For PPP interfaces, we need the IFA_LOCAL address,
759 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
760 * not included in all cases, so fallback to IFA_ADDRESS. */
761 if (local.ptr)
762 {
763 host = host_create_from_chunk(msg->ifa_family, local, 0);
764 }
765 else if (address.ptr)
766 {
767 host = host_create_from_chunk(msg->ifa_family, address, 0);
768 }
769
770 if (host)
771 {
772 address_entry_t *entry;
773
774 entry = malloc_thing(address_entry_t);
775 entry->host = host;
776 entry->ifindex = msg->ifa_index;
777 if (name)
778 {
779 memcpy(entry->ifname, name, IFNAMSIZ);
780 }
781 else
782 {
783 strcpy(entry->ifname, "(unknown)");
784 }
785 list->insert_last(list, entry);
786 }
787 hdr = NLMSG_NEXT(hdr, len);
788 continue;
789 }
790 default:
791 hdr = NLMSG_NEXT(hdr, len);
792 continue;
793 case NLMSG_DONE:
794 break;
795 }
796 break;
797 }
798 free(out);
799 }
800 else
801 {
802 DBG1(DBG_IKE, "unable to get local address list");
803 }
804
805 return list;
806 }
807
808 /**
809 * Implements kernel_interface_t.create_address_list.
810 */
811 static linked_list_t *create_address_list_public(private_kernel_interface_t *this)
812 {
813 linked_list_t *result, *list;
814 address_entry_t *entry;
815
816 result = linked_list_create();
817 list = create_address_list(this);
818 while (list->remove_last(list, (void**)&entry) == SUCCESS)
819 {
820 result->insert_last(result, entry->host);
821 free(entry);
822 }
823 list->destroy(list);
824
825 return result;
826 }
827
828 /**
829 * implementation of kernel_interface_t.get_interface_name
830 */
831 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
832 {
833 linked_list_t *list;
834 address_entry_t *entry;
835 char *name = NULL;
836
837 DBG2(DBG_IKE, "getting interface name for %H", ip);
838
839 list = create_address_list(this);
840 while (!name && list->remove_last(list, (void**)&entry) == SUCCESS)
841 {
842 if (ip->ip_equals(ip, entry->host))
843 {
844 name = strdup(entry->ifname);
845 }
846 address_entry_destroy(entry);
847 }
848 list->destroy_function(list, (void*)address_entry_destroy);
849
850 if (name)
851 {
852 DBG2(DBG_IKE, "%H is on interface %s", ip, name);
853 }
854 else
855 {
856 DBG2(DBG_IKE, "%H is not a local address", ip);
857 }
858 return name;
859 }
860
861 /**
862 * Tries to find an ip address of a local interface that is included in the
863 * supplied traffic selector.
864 */
865 static status_t get_address_by_ts(private_kernel_interface_t *this,
866 traffic_selector_t *ts, host_t **ip)
867 {
868 address_entry_t *entry;
869 host_t *host;
870 int family;
871 linked_list_t *list;
872 bool found = FALSE;
873
874 DBG2(DBG_IKE, "getting a local address in traffic selector %R", ts);
875
876 /* if we have a family which includes localhost, we do not
877 * search for an IP, we use the default */
878 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
879
880 if (family == AF_INET)
881 {
882 host = host_create_from_string("127.0.0.1", 0);
883 }
884 else
885 {
886 host = host_create_from_string("::1", 0);
887 }
888
889 if (ts->includes(ts, host))
890 {
891 *ip = host_create_any(family);
892 host->destroy(host);
893 DBG2(DBG_IKE, "using host %H", *ip);
894 return SUCCESS;
895 }
896 host->destroy(host);
897
898 list = create_address_list(this);
899 while (!found && list->remove_last(list, (void**)&entry) == SUCCESS)
900 {
901 if (ts->includes(ts, entry->host))
902 {
903 found = TRUE;
904 *ip = entry->host->clone(entry->host);
905 }
906 address_entry_destroy(entry);
907 }
908 list->destroy_function(list, (void*)address_entry_destroy);
909
910 if (!found)
911 {
912 DBG1(DBG_IKE, "no local address found in traffic selector %R", ts);
913 return FAILED;
914 }
915 DBG2(DBG_IKE, "using host %H", *ip);
916 return SUCCESS;
917 }
918
919 /**
920 * get the interface of a local address
921 */
922 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
923 {
924 linked_list_t *list;
925 address_entry_t *entry;
926 int ifindex = 0;
927
928 DBG2(DBG_IKE, "getting iface for %H", ip);
929
930 list = create_address_list(this);
931 while (!ifindex && list->remove_last(list, (void**)&entry) == SUCCESS)
932 {
933 if (ip->ip_equals(ip, entry->host))
934 {
935 ifindex = entry->ifindex;
936 }
937 address_entry_destroy(entry);
938 }
939 list->destroy_function(list, (void*)address_entry_destroy);
940
941 if (ifindex == 0)
942 {
943 DBG1(DBG_IKE, "unable to get interface for %H", ip);
944 }
945 return ifindex;
946 }
947
948 /**
949 * Manages the creation and deletion of ip addresses on an interface.
950 * By setting the appropriate nlmsg_type, the ip will be set or unset.
951 */
952 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
953 int flags, int if_index, host_t *ip)
954 {
955 unsigned char request[BUFFER_SIZE];
956 struct nlmsghdr *hdr;
957 struct ifaddrmsg *msg;
958 chunk_t chunk;
959
960 memset(&request, 0, sizeof(request));
961
962 chunk = ip->get_address(ip);
963
964 hdr = (struct nlmsghdr*)request;
965 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
966 hdr->nlmsg_type = nlmsg_type;
967 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
968
969 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
970 msg->ifa_family = ip->get_family(ip);
971 msg->ifa_flags = 0;
972 msg->ifa_prefixlen = 8 * chunk.len;
973 msg->ifa_scope = RT_SCOPE_UNIVERSE;
974 msg->ifa_index = if_index;
975
976 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
977
978 return netlink_send_ack(this->socket_rt, hdr);
979 }
980
981 /**
982 * Manages source routes in the routing table.
983 * By setting the appropriate nlmsg_type, the route added or r.
984 */
985 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
986 int flags, route_entry_t *route)
987 {
988 unsigned char request[BUFFER_SIZE];
989 struct nlmsghdr *hdr;
990 struct rtmsg *msg;
991 chunk_t chunk;
992
993 /* if route is 0.0.0.0/0, we can't install it, as it would
994 * overwrite the default route. Instead, we add two routes:
995 * 0.0.0.0/1 and 128.0.0.0/1
996 * TODO: use metrics instead */
997 if (route->prefixlen == 0)
998 {
999 route_entry_t half;
1000 status_t status;
1001
1002 half.dst_net = chunk_alloca(route->dst_net.len);
1003 memset(half.dst_net.ptr, 0, half.dst_net.len);
1004 half.src_ip = route->src_ip;
1005 half.if_index = route->if_index;
1006 half.prefixlen = 1;
1007
1008 status = manage_srcroute(this, nlmsg_type, flags, &half);
1009 half.dst_net.ptr[0] |= 0x80;
1010 status = manage_srcroute(this, nlmsg_type, flags, &half);
1011 return status;
1012 }
1013
1014 memset(&request, 0, sizeof(request));
1015
1016 hdr = (struct nlmsghdr*)request;
1017 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1018 hdr->nlmsg_type = nlmsg_type;
1019 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1020
1021 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1022 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1023 msg->rtm_dst_len = route->prefixlen;
1024 msg->rtm_table = RT_TABLE_MAIN;
1025 msg->rtm_protocol = RTPROT_STATIC;
1026 msg->rtm_type = RTN_UNICAST;
1027 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1028
1029 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1030 chunk = route->src_ip->get_address(route->src_ip);
1031 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1032 chunk = route->gateway->get_address(route->gateway);
1033 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1034 chunk.ptr = (char*)&route->if_index;
1035 chunk.len = sizeof(route->if_index);
1036 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1037
1038 return netlink_send_ack(this->socket_rt, hdr);
1039 }
1040
1041
1042 /**
1043 * Implementation of kernel_interface_t.add_ip.
1044 */
1045 static status_t add_ip(private_kernel_interface_t *this,
1046 host_t *virtual_ip, host_t *iface_ip)
1047 {
1048 int targetif;
1049 vip_entry_t *listed;
1050 iterator_t *iterator;
1051
1052 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1053
1054 targetif = get_interface_index(this, iface_ip);
1055 if (targetif == 0)
1056 {
1057 DBG1(DBG_KNL, "unable to add virtual IP %H, no iface found for %H",
1058 virtual_ip, iface_ip);
1059 return FAILED;
1060 }
1061
1062 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1063 iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex));
1064 while (iterator->iterate(iterator, (void**)&listed))
1065 {
1066 if (listed->if_index == targetif &&
1067 virtual_ip->ip_equals(virtual_ip, listed->ip))
1068 {
1069 listed->refcount++;
1070 iterator->destroy(iterator);
1071 DBG2(DBG_KNL, "virtual IP %H already added to iface %d reusing it",
1072 virtual_ip, targetif);
1073 return SUCCESS;
1074 }
1075 }
1076 iterator->destroy(iterator);
1077
1078 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1079 targetif, virtual_ip) == SUCCESS)
1080 {
1081 listed = malloc_thing(vip_entry_t);
1082 listed->ip = virtual_ip->clone(virtual_ip);
1083 listed->if_index = targetif;
1084 listed->refcount = 1;
1085 this->vips->insert_last(this->vips, listed);
1086 DBG2(DBG_KNL, "virtual IP %H added to iface %d",
1087 virtual_ip, targetif);
1088 return SUCCESS;
1089 }
1090
1091 DBG2(DBG_KNL, "unable to add virtual IP %H to iface %d",
1092 virtual_ip, targetif);
1093 return FAILED;
1094 }
1095
1096 /**
1097 * Implementation of kernel_interface_t.del_ip.
1098 */
1099 static status_t del_ip(private_kernel_interface_t *this,
1100 host_t *virtual_ip, host_t *iface_ip)
1101 {
1102 int targetif;
1103 vip_entry_t *listed;
1104 iterator_t *iterator;
1105
1106 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1107
1108 targetif = get_interface_index(this, iface_ip);
1109 if (targetif == 0)
1110 {
1111 DBG1(DBG_KNL, "unable to delete virtual IP %H, no iface found for %H",
1112 virtual_ip, iface_ip);
1113 return FAILED;
1114 }
1115
1116 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1117 iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex));
1118 while (iterator->iterate(iterator, (void**)&listed))
1119 {
1120 if (listed->if_index == targetif &&
1121 virtual_ip->ip_equals(virtual_ip, listed->ip))
1122 {
1123 listed->refcount--;
1124 if (listed->refcount == 0)
1125 {
1126 iterator->remove(iterator);
1127 vip_entry_destroy(listed);
1128 iterator->destroy(iterator);
1129 return manage_ipaddr(this, RTM_DELADDR, 0, targetif, virtual_ip);
1130 }
1131 iterator->destroy(iterator);
1132 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1133 virtual_ip);
1134 return SUCCESS;
1135 }
1136 }
1137 iterator->destroy(iterator);
1138
1139 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1140 return FAILED;
1141 }
1142
1143 /**
1144 * Implementation of kernel_interface_t.get_spi.
1145 */
1146 static status_t get_spi(private_kernel_interface_t *this,
1147 host_t *src, host_t *dst,
1148 protocol_id_t protocol, u_int32_t reqid,
1149 u_int32_t *spi)
1150 {
1151 unsigned char request[BUFFER_SIZE];
1152 struct nlmsghdr *hdr, *out;
1153 struct xfrm_userspi_info *userspi;
1154 u_int32_t received_spi = 0;
1155 size_t len;
1156
1157 memset(&request, 0, sizeof(request));
1158
1159 DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
1160
1161 hdr = (struct nlmsghdr*)request;
1162 hdr->nlmsg_flags = NLM_F_REQUEST;
1163 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1164 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1165
1166 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1167 host2xfrm(src, &userspi->info.saddr);
1168 host2xfrm(dst, &userspi->info.id.daddr);
1169 userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1170 userspi->info.mode = TRUE; /* tunnel mode */
1171 userspi->info.reqid = reqid;
1172 userspi->info.family = src->get_family(src);
1173 userspi->min = 0xc0000000;
1174 userspi->max = 0xcFFFFFFF;
1175
1176 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1177 {
1178 hdr = out;
1179 while (NLMSG_OK(hdr, len))
1180 {
1181 switch (hdr->nlmsg_type)
1182 {
1183 case XFRM_MSG_NEWSA:
1184 {
1185 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1186 received_spi = usersa->id.spi;
1187 break;
1188 }
1189 case NLMSG_ERROR:
1190 {
1191 struct nlmsgerr *err = NLMSG_DATA(hdr);
1192
1193 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1194 strerror(-err->error), -err->error);
1195 break;
1196 }
1197 default:
1198 hdr = NLMSG_NEXT(hdr, len);
1199 continue;
1200 case NLMSG_DONE:
1201 break;
1202 }
1203 break;
1204 }
1205 free(out);
1206 }
1207
1208 if (received_spi == 0)
1209 {
1210 DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
1211 return FAILED;
1212 }
1213
1214 DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", received_spi, reqid);
1215
1216 *spi = received_spi;
1217 return SUCCESS;
1218 }
1219
1220 /**
1221 * Implementation of kernel_interface_t.add_sa.
1222 */
1223 static status_t add_sa(private_kernel_interface_t *this,
1224 host_t *src, host_t *dst, u_int32_t spi,
1225 protocol_id_t protocol, u_int32_t reqid,
1226 u_int64_t expire_soft, u_int64_t expire_hard,
1227 algorithm_t *enc_alg, algorithm_t *int_alg,
1228 prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode,
1229 bool replace)
1230 {
1231 unsigned char request[BUFFER_SIZE];
1232 char *alg_name;
1233 u_int key_size;
1234 struct nlmsghdr *hdr;
1235 struct xfrm_usersa_info *sa;
1236
1237 memset(&request, 0, sizeof(request));
1238
1239 DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x", spi);
1240
1241 hdr = (struct nlmsghdr*)request;
1242 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1243 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1244 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1245
1246 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1247 host2xfrm(src, &sa->saddr);
1248 host2xfrm(dst, &sa->id.daddr);
1249 sa->id.spi = spi;
1250 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1251 sa->family = src->get_family(src);
1252 sa->mode = mode;
1253 sa->replay_window = 32;
1254 sa->reqid = reqid;
1255 /* we currently do not expire SAs by volume/packet count */
1256 sa->lft.soft_byte_limit = XFRM_INF;
1257 sa->lft.hard_byte_limit = XFRM_INF;
1258 sa->lft.soft_packet_limit = XFRM_INF;
1259 sa->lft.hard_packet_limit = XFRM_INF;
1260 /* we use lifetimes since added, not since used */
1261 sa->lft.soft_add_expires_seconds = expire_soft;
1262 sa->lft.hard_add_expires_seconds = expire_hard;
1263 sa->lft.soft_use_expires_seconds = 0;
1264 sa->lft.hard_use_expires_seconds = 0;
1265
1266 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1267
1268 if (enc_alg->algorithm != ENCR_UNDEFINED)
1269 {
1270 rthdr->rta_type = XFRMA_ALG_CRYPT;
1271 alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
1272 if (alg_name == NULL)
1273 {
1274 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1275 encryption_algorithm_names, enc_alg->algorithm);
1276 return FAILED;
1277 }
1278 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1279 encryption_algorithm_names, enc_alg->algorithm, key_size);
1280
1281 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1282 hdr->nlmsg_len += rthdr->rta_len;
1283 if (hdr->nlmsg_len > sizeof(request))
1284 {
1285 return FAILED;
1286 }
1287
1288 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1289 algo->alg_key_len = key_size;
1290 strcpy(algo->alg_name, alg_name);
1291 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1292
1293 rthdr = XFRM_RTA_NEXT(rthdr);
1294 }
1295
1296 if (int_alg->algorithm != AUTH_UNDEFINED)
1297 {
1298 rthdr->rta_type = XFRMA_ALG_AUTH;
1299 alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
1300 if (alg_name == NULL)
1301 {
1302 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1303 integrity_algorithm_names, int_alg->algorithm);
1304 return FAILED;
1305 }
1306 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1307 integrity_algorithm_names, int_alg->algorithm, key_size);
1308
1309 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1310 hdr->nlmsg_len += rthdr->rta_len;
1311 if (hdr->nlmsg_len > sizeof(request))
1312 {
1313 return FAILED;
1314 }
1315
1316 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1317 algo->alg_key_len = key_size;
1318 strcpy(algo->alg_name, alg_name);
1319 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1320
1321 rthdr = XFRM_RTA_NEXT(rthdr);
1322 }
1323
1324 /* TODO: add IPComp here */
1325
1326 if (natt)
1327 {
1328 rthdr->rta_type = XFRMA_ENCAP;
1329 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1330
1331 hdr->nlmsg_len += rthdr->rta_len;
1332 if (hdr->nlmsg_len > sizeof(request))
1333 {
1334 return FAILED;
1335 }
1336
1337 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1338 encap->encap_type = UDP_ENCAP_ESPINUDP;
1339 encap->encap_sport = htons(natt->sport);
1340 encap->encap_dport = htons(natt->dport);
1341 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
1342 /* encap_oa could probably be derived from the
1343 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1344 * pluto does the same as we do here but it uses encap_oa in the
1345 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1346 * the kernel ignores it anyway
1347 * -> does that mean that NAT-T encap doesn't work in transport mode?
1348 * No. The reason the kernel ignores NAT-OA is that it recomputes
1349 * (or, rather, just ignores) the checksum. If packets pass
1350 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1351 rthdr = XFRM_RTA_NEXT(rthdr);
1352 }
1353
1354 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1355 {
1356 DBG1(DBG_KNL, "unalbe to add SAD entry with SPI 0x%x", spi);
1357 return FAILED;
1358 }
1359 return SUCCESS;
1360 }
1361
1362 /**
1363 * Implementation of kernel_interface_t.update_sa.
1364 */
1365 static status_t update_sa(private_kernel_interface_t *this,
1366 host_t *src, host_t *dst,
1367 host_t *new_src, host_t *new_dst,
1368 host_diff_t src_changes, host_diff_t dst_changes,
1369 u_int32_t spi, protocol_id_t protocol)
1370 {
1371 unsigned char request[BUFFER_SIZE];
1372 struct nlmsghdr *hdr, *out = NULL;
1373 struct xfrm_usersa_id *sa_id;
1374 struct xfrm_usersa_info *sa = NULL;
1375 size_t len;
1376
1377 memset(&request, 0, sizeof(request));
1378
1379 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1380
1381 hdr = (struct nlmsghdr*)request;
1382 hdr->nlmsg_flags = NLM_F_REQUEST;
1383 hdr->nlmsg_type = XFRM_MSG_GETSA;
1384 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1385
1386 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1387 host2xfrm(dst, &sa_id->daddr);
1388 sa_id->spi = spi;
1389 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1390 sa_id->family = dst->get_family(dst);
1391
1392 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1393 {
1394 hdr = out;
1395 while (NLMSG_OK(hdr, len))
1396 {
1397 switch (hdr->nlmsg_type)
1398 {
1399 case XFRM_MSG_NEWSA:
1400 {
1401 sa = NLMSG_DATA(hdr);
1402 break;
1403 }
1404 case NLMSG_ERROR:
1405 {
1406 struct nlmsgerr *err = NLMSG_DATA(hdr);
1407 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1408 strerror(-err->error), -err->error);
1409 break;
1410 }
1411 default:
1412 hdr = NLMSG_NEXT(hdr, len);
1413 continue;
1414 case NLMSG_DONE:
1415 break;
1416 }
1417 break;
1418 }
1419 }
1420 if (sa == NULL)
1421 {
1422 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
1423 free(out);
1424 return FAILED;
1425 }
1426
1427 DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x", spi);
1428
1429 hdr = out;
1430 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1431 hdr->nlmsg_type = XFRM_MSG_UPDSA;
1432
1433 if (src_changes & HOST_DIFF_ADDR)
1434 {
1435 host2xfrm(new_src, &sa->saddr);
1436 }
1437
1438 if (dst_changes & HOST_DIFF_ADDR)
1439 {
1440 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1441 host2xfrm(new_dst, &sa->id.daddr);
1442 }
1443
1444 if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
1445 {
1446 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1447 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info);
1448 while (RTA_OK(rtattr, rtsize))
1449 {
1450 if (rtattr->rta_type == XFRMA_ENCAP)
1451 {
1452 struct xfrm_encap_tmpl* encap;
1453 encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr);
1454 encap->encap_sport = ntohs(new_src->get_port(new_src));
1455 encap->encap_dport = ntohs(new_dst->get_port(new_dst));
1456 break;
1457 }
1458 rtattr = RTA_NEXT(rtattr, rtsize);
1459 }
1460 }
1461 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1462 {
1463 DBG1(DBG_KNL, "unalbe to update SAD entry with SPI 0x%x", spi);
1464 free(out);
1465 return FAILED;
1466 }
1467 free(out);
1468
1469 if (dst_changes & HOST_DIFF_ADDR)
1470 {
1471 return this->public.del_sa(&this->public, dst, spi, protocol);
1472 }
1473 return SUCCESS;
1474 }
1475
1476 /**
1477 * Implementation of kernel_interface_t.query_sa.
1478 */
1479 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
1480 u_int32_t spi, protocol_id_t protocol,
1481 u_int32_t *use_time)
1482 {
1483 unsigned char request[BUFFER_SIZE];
1484 struct nlmsghdr *out = NULL, *hdr;
1485 struct xfrm_usersa_id *sa_id;
1486 struct xfrm_usersa_info *sa = NULL;
1487 size_t len;
1488
1489 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1490 memset(&request, 0, sizeof(request));
1491
1492 hdr = (struct nlmsghdr*)request;
1493 hdr->nlmsg_flags = NLM_F_REQUEST;
1494 hdr->nlmsg_type = XFRM_MSG_GETSA;
1495 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1496
1497 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1498 host2xfrm(dst, &sa_id->daddr);
1499 sa_id->spi = spi;
1500 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1501 sa_id->family = dst->get_family(dst);
1502
1503 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1504 {
1505 hdr = out;
1506 while (NLMSG_OK(hdr, len))
1507 {
1508 switch (hdr->nlmsg_type)
1509 {
1510 case XFRM_MSG_NEWSA:
1511 {
1512 sa = NLMSG_DATA(hdr);
1513 break;
1514 }
1515 case NLMSG_ERROR:
1516 {
1517 struct nlmsgerr *err = NLMSG_DATA(hdr);
1518 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1519 strerror(-err->error), -err->error);
1520 break;
1521 }
1522 default:
1523 hdr = NLMSG_NEXT(hdr, len);
1524 continue;
1525 case NLMSG_DONE:
1526 break;
1527 }
1528 break;
1529 }
1530 }
1531
1532 if (sa == NULL)
1533 {
1534 DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
1535 free(out);
1536 return FAILED;
1537 }
1538
1539 *use_time = sa->curlft.use_time;
1540 free (out);
1541 return SUCCESS;
1542 }
1543
1544 /**
1545 * Implementation of kernel_interface_t.del_sa.
1546 */
1547 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
1548 u_int32_t spi, protocol_id_t protocol)
1549 {
1550 unsigned char request[BUFFER_SIZE];
1551 struct nlmsghdr *hdr;
1552 struct xfrm_usersa_id *sa_id;
1553
1554 memset(&request, 0, sizeof(request));
1555
1556 DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
1557
1558 hdr = (struct nlmsghdr*)request;
1559 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1560 hdr->nlmsg_type = XFRM_MSG_DELSA;
1561 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1562
1563 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1564 host2xfrm(dst, &sa_id->daddr);
1565 sa_id->spi = spi;
1566 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1567 sa_id->family = dst->get_family(dst);
1568
1569 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1570 {
1571 DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI 0x%x", spi);
1572 return FAILED;
1573 }
1574 DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
1575 return SUCCESS;
1576 }
1577
1578 /**
1579 * Implementation of kernel_interface_t.add_policy.
1580 */
1581 static status_t add_policy(private_kernel_interface_t *this,
1582 host_t *src, host_t *dst,
1583 traffic_selector_t *src_ts,
1584 traffic_selector_t *dst_ts,
1585 policy_dir_t direction, protocol_id_t protocol,
1586 u_int32_t reqid, bool high_prio, mode_t mode,
1587 bool update)
1588 {
1589 iterator_t *iterator;
1590 policy_entry_t *current, *policy;
1591 bool found = FALSE;
1592 unsigned char request[BUFFER_SIZE];
1593 struct xfrm_userpolicy_info *policy_info;
1594 struct nlmsghdr *hdr;
1595
1596 /* create a policy */
1597 policy = malloc_thing(policy_entry_t);
1598 memset(policy, 0, sizeof(policy_entry_t));
1599 policy->sel = ts2selector(src_ts, dst_ts);
1600 policy->direction = direction;
1601
1602 /* find the policy, which matches EXACTLY */
1603 pthread_mutex_lock(&this->policies_mutex);
1604 iterator = this->policies->create_iterator(this->policies, TRUE);
1605 while (iterator->iterate(iterator, (void**)&current))
1606 {
1607 if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
1608 policy->direction == current->direction)
1609 {
1610 /* use existing policy */
1611 if (!update)
1612 {
1613 current->refcount++;
1614 DBG2(DBG_KNL, "policy %R===%R already exists, increasing ",
1615 "refcount", src_ts, dst_ts);
1616 }
1617 free(policy);
1618 policy = current;
1619 found = TRUE;
1620 break;
1621 }
1622 }
1623 iterator->destroy(iterator);
1624 if (!found)
1625 { /* apply the new one, if we have no such policy */
1626 this->policies->insert_last(this->policies, policy);
1627 policy->refcount = 1;
1628 }
1629
1630 DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
1631
1632 memset(&request, 0, sizeof(request));
1633 hdr = (struct nlmsghdr*)request;
1634 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1635 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
1636 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1637
1638 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1639 policy_info->sel = policy->sel;
1640 policy_info->dir = policy->direction;
1641 /* calculate priority based on source selector size, small size = high prio */
1642 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1643 policy_info->priority -= policy->sel.prefixlen_s * 10;
1644 policy_info->priority -= policy->sel.proto ? 2 : 0;
1645 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1646 policy_info->action = XFRM_POLICY_ALLOW;
1647 policy_info->share = XFRM_SHARE_ANY;
1648 pthread_mutex_unlock(&this->policies_mutex);
1649
1650 /* policies don't expire */
1651 policy_info->lft.soft_byte_limit = XFRM_INF;
1652 policy_info->lft.soft_packet_limit = XFRM_INF;
1653 policy_info->lft.hard_byte_limit = XFRM_INF;
1654 policy_info->lft.hard_packet_limit = XFRM_INF;
1655 policy_info->lft.soft_add_expires_seconds = 0;
1656 policy_info->lft.hard_add_expires_seconds = 0;
1657 policy_info->lft.soft_use_expires_seconds = 0;
1658 policy_info->lft.hard_use_expires_seconds = 0;
1659
1660 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1661 rthdr->rta_type = XFRMA_TMPL;
1662
1663 rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
1664 rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
1665
1666 hdr->nlmsg_len += rthdr->rta_len;
1667 if (hdr->nlmsg_len > sizeof(request))
1668 {
1669 return FAILED;
1670 }
1671
1672 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1673 tmpl->reqid = reqid;
1674 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
1675 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1676 tmpl->mode = mode;
1677 tmpl->family = src->get_family(src);
1678
1679 host2xfrm(src, &tmpl->saddr);
1680 host2xfrm(dst, &tmpl->id.daddr);
1681
1682 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1683 {
1684 DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
1685 return FAILED;
1686 }
1687
1688 /* install a route, if:
1689 * - we are NOT updating a policy
1690 * - this is a forward policy (to just get one for each child)
1691 * - we are in tunnel mode
1692 * - we are not using IPv6 (does not work correctly yet!)
1693 */
1694 if (policy->route == NULL && direction == POLICY_FWD &&
1695 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6)
1696 {
1697 policy->route = malloc_thing(route_entry_t);
1698 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
1699 {
1700 policy->route->gateway = (direction == POLICY_IN) ?
1701 dst->clone(dst) : src->clone(src);
1702 policy->route->if_index = get_interface_index(this, dst);
1703 policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1704 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
1705 policy->route->prefixlen = policy->sel.prefixlen_s;
1706
1707 if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
1708 policy->route) != SUCCESS)
1709 {
1710 DBG1(DBG_KNL, "unable to install source route for %H",
1711 policy->route->src_ip);
1712 route_entry_destroy(policy->route);
1713 policy->route = NULL;
1714 }
1715 }
1716 else
1717 {
1718 free(policy->route);
1719 policy->route = NULL;
1720 }
1721 }
1722
1723 return SUCCESS;
1724 }
1725
1726 /**
1727 * Implementation of kernel_interface_t.query_policy.
1728 */
1729 static status_t query_policy(private_kernel_interface_t *this,
1730 traffic_selector_t *src_ts,
1731 traffic_selector_t *dst_ts,
1732 policy_dir_t direction, u_int32_t *use_time)
1733 {
1734 unsigned char request[BUFFER_SIZE];
1735 struct nlmsghdr *out = NULL, *hdr;
1736 struct xfrm_userpolicy_id *policy_id;
1737 struct xfrm_userpolicy_info *policy = NULL;
1738 size_t len;
1739
1740 memset(&request, 0, sizeof(request));
1741
1742 DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
1743
1744 hdr = (struct nlmsghdr*)request;
1745 hdr->nlmsg_flags = NLM_F_REQUEST;
1746 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1747 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1748
1749 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1750 policy_id->sel = ts2selector(src_ts, dst_ts);
1751 policy_id->dir = direction;
1752
1753 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1754 {
1755 hdr = out;
1756 while (NLMSG_OK(hdr, len))
1757 {
1758 switch (hdr->nlmsg_type)
1759 {
1760 case XFRM_MSG_NEWPOLICY:
1761 {
1762 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1763 break;
1764 }
1765 case NLMSG_ERROR:
1766 {
1767 struct nlmsgerr *err = NLMSG_DATA(hdr);
1768 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1769 strerror(-err->error), -err->error);
1770 break;
1771 }
1772 default:
1773 hdr = NLMSG_NEXT(hdr, len);
1774 continue;
1775 case NLMSG_DONE:
1776 break;
1777 }
1778 break;
1779 }
1780 }
1781
1782 if (policy == NULL)
1783 {
1784 DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
1785 free(out);
1786 return FAILED;
1787 }
1788 *use_time = (time_t)policy->curlft.use_time;
1789
1790 free(out);
1791 return SUCCESS;
1792 }
1793
1794 /**
1795 * Implementation of kernel_interface_t.del_policy.
1796 */
1797 static status_t del_policy(private_kernel_interface_t *this,
1798 traffic_selector_t *src_ts,
1799 traffic_selector_t *dst_ts,
1800 policy_dir_t direction)
1801 {
1802 policy_entry_t *current, policy, *to_delete = NULL;
1803 route_entry_t *route;
1804 unsigned char request[BUFFER_SIZE];
1805 struct nlmsghdr *hdr;
1806 struct xfrm_userpolicy_id *policy_id;
1807 iterator_t *iterator;
1808
1809 DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
1810
1811 /* create a policy */
1812 memset(&policy, 0, sizeof(policy_entry_t));
1813 policy.sel = ts2selector(src_ts, dst_ts);
1814 policy.direction = direction;
1815
1816 /* find the policy */
1817 pthread_mutex_lock(&this->policies_mutex);
1818 iterator = this->policies->create_iterator(this->policies, TRUE);
1819 while (iterator->iterate(iterator, (void**)&current))
1820 {
1821 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
1822 policy.direction == current->direction)
1823 {
1824 to_delete = current;
1825 if (--to_delete->refcount > 0)
1826 {
1827 /* is used by more SAs, keep in kernel */
1828 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1829 iterator->destroy(iterator);
1830 pthread_mutex_unlock(&this->policies_mutex);
1831 return SUCCESS;
1832 }
1833 /* remove if last reference */
1834 iterator->remove(iterator);
1835 break;
1836 }
1837 }
1838 iterator->destroy(iterator);
1839 pthread_mutex_unlock(&this->policies_mutex);
1840 if (!to_delete)
1841 {
1842 DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
1843 return NOT_FOUND;
1844 }
1845
1846 memset(&request, 0, sizeof(request));
1847
1848 hdr = (struct nlmsghdr*)request;
1849 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1850 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1851 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1852
1853 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1854 policy_id->sel = to_delete->sel;
1855 policy_id->dir = direction;
1856
1857 route = to_delete->route;
1858 free(to_delete);
1859
1860 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1861 {
1862 DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
1863 return FAILED;
1864 }
1865
1866 if (route)
1867 {
1868 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
1869 {
1870 DBG1(DBG_KNL, "error uninstalling route installed with "
1871 "policy %R===%R", src_ts, dst_ts);
1872 }
1873 route_entry_destroy(route);
1874 }
1875 return SUCCESS;
1876 }
1877
1878 /**
1879 * Implementation of kernel_interface_t.destroy.
1880 */
1881 static void destroy(private_kernel_interface_t *this)
1882 {
1883 pthread_cancel(this->event_thread);
1884 pthread_join(this->event_thread, NULL);
1885 close(this->socket_xfrm_events);
1886 close(this->socket_xfrm);
1887 close(this->socket_rt);
1888 this->vips->destroy(this->vips);
1889 this->policies->destroy(this->policies);
1890 free(this);
1891 }
1892
1893 /*
1894 * Described in header.
1895 */
1896 kernel_interface_t *kernel_interface_create()
1897 {
1898 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
1899 struct sockaddr_nl addr;
1900
1901 /* public functions */
1902 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1903 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa;
1904 this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
1905 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
1906 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1907 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
1908 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1909 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1910
1911 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
1912 this->public.create_address_list = (linked_list_t*(*)(kernel_interface_t*))create_address_list_public;
1913 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
1914 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) del_ip;
1915 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
1916
1917 /* private members */
1918 this->vips = linked_list_create();
1919 this->policies = linked_list_create();
1920 pthread_mutex_init(&this->policies_mutex,NULL);
1921 pthread_mutex_init(&this->vips_mutex,NULL);
1922
1923 addr.nl_family = AF_NETLINK;
1924 addr.nl_pid = 0;
1925 addr.nl_groups = 0;
1926
1927 /* create and bind XFRM socket */
1928 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1929 if (this->socket_xfrm <= 0)
1930 {
1931 charon->kill(charon, "unable to create XFRM netlink socket");
1932 }
1933
1934 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
1935 {
1936 charon->kill(charon, "unable to bind XFRM netlink socket");
1937 }
1938
1939 /* create and bind RT socket */
1940 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
1941 if (this->socket_rt <= 0)
1942 {
1943 charon->kill(charon, "unable to create RT netlink socket");
1944 }
1945
1946 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
1947 {
1948 charon->kill(charon, "unable to bind RT netlink socket");
1949 }
1950
1951 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
1952 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
1953 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1954 if (this->socket_xfrm_events <= 0)
1955 {
1956 charon->kill(charon, "unable to create XFRM event socket");
1957 }
1958
1959 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
1960 {
1961 charon->kill(charon, "unable to bind XFRM event socket");
1962 }
1963
1964 /* create a thread receiving ACQUIRE & EXPIRE events */
1965 if (pthread_create(&this->event_thread, NULL,
1966 (void*(*)(void*))receive_events, this))
1967 {
1968 charon->kill(charon, "unable to create xfrm event dispatcher thread");
1969 }
1970
1971 return &this->public;
1972 }
1973
1974 /* vim: set ts=4 sw=4 noet: */
strongSwan - IPsec VPN