ca3bec246d75da40d7a9b33ea70070993d4a833f
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 *
19 * $Id$
20 */
21
22 #include <sys/types.h>
23 #include <sys/socket.h>
24 #include <sys/time.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <netinet/in.h>
30 #include <pthread.h>
31 #include <unistd.h>
32 #include <fcntl.h>
33 #include <errno.h>
34 #include <string.h>
35 #include <net/if.h>
36 #include <sys/ioctl.h>
37
38 #include "kernel_interface.h"
39
40 #include <daemon.h>
41 #include <utils/linked_list.h>
42 #include <processing/jobs/delete_child_sa_job.h>
43 #include <processing/jobs/rekey_child_sa_job.h>
44 #include <processing/jobs/acquire_job.h>
45 #include <processing/jobs/callback_job.h>
46 #include <processing/jobs/roam_job.h>
47
48 /** required for Linux 2.6.26 kernel and later */
49 #ifndef XFRM_STATE_AF_UNSPEC
50 #define XFRM_STATE_AF_UNSPEC 32
51 #endif
52
53 /** routing table for routes installed by us */
54 #ifndef IPSEC_ROUTING_TABLE
55 #define IPSEC_ROUTING_TABLE 100
56 #endif
57 #ifndef IPSEC_ROUTING_TABLE_PRIO
58 #define IPSEC_ROUTING_TABLE_PRIO 100
59 #endif
60
61 /** default priority of installed policies */
62 #define PRIO_LOW 3000
63 #define PRIO_HIGH 2000
64
65 /** delay before firing roam jobs (ms) */
66 #define ROAM_DELAY 100
67
68 #define BUFFER_SIZE 1024
69
70 /**
71 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
72 * 'usual' netlink data x like 'struct xfrm_usersa_info'
73 */
74 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
75 /**
76 * returns a pointer to the next rtattr following rta.
77 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
78 */
79 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
80 /**
81 * returns the total size of attached rta data
82 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
83 */
84 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
85
86 typedef struct kernel_algorithm_t kernel_algorithm_t;
87
88 /**
89 * Mapping from the algorithms defined in IKEv2 to
90 * kernel level algorithm names and their key length
91 */
92 struct kernel_algorithm_t {
93 /**
94 * Identifier specified in IKEv2
95 */
96 int ikev2_id;
97
98 /**
99 * Name of the algorithm, as used as kernel identifier
100 */
101 char *name;
102
103 /**
104 * Key length in bits, if fixed size
105 */
106 u_int key_size;
107 };
108
109 ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
110 "in",
111 "out",
112 "fwd"
113 );
114
115 #define END_OF_LIST -1
116
117 /**
118 * Algorithms for encryption
119 */
120 static kernel_algorithm_t encryption_algs[] = {
121 /* {ENCR_DES_IV64, "***", 0}, */
122 {ENCR_DES, "des", 64},
123 {ENCR_3DES, "des3_ede", 192},
124 /* {ENCR_RC5, "***", 0}, */
125 /* {ENCR_IDEA, "***", 0}, */
126 {ENCR_CAST, "cast128", 0},
127 {ENCR_BLOWFISH, "blowfish", 0},
128 /* {ENCR_3IDEA, "***", 0}, */
129 /* {ENCR_DES_IV32, "***", 0}, */
130 {ENCR_NULL, "cipher_null", 0},
131 {ENCR_AES_CBC, "aes", 0},
132 /* {ENCR_AES_CTR, "***", 0}, */
133 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))", 64}, /* key_size = ICV size */
134 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))", 96}, /* key_size = ICV size */
135 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))", 128}, /* key_size = ICV size */
136 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))", 64}, /* key_size = ICV size */
137 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))", 96}, /* key_size = ICV size */
138 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))", 128}, /* key_size = ICV size */
139 {END_OF_LIST, NULL, 0},
140 };
141
142 /**
143 * Algorithms for integrity protection
144 */
145 static kernel_algorithm_t integrity_algs[] = {
146 {AUTH_HMAC_MD5_96, "md5", 128},
147 {AUTH_HMAC_SHA1_96, "sha1", 160},
148 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
149 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
150 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
151 /* {AUTH_DES_MAC, "***", 0}, */
152 /* {AUTH_KPDK_MD5, "***", 0}, */
153 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
154 {END_OF_LIST, NULL, 0},
155 };
156
157 /**
158 * Algorithms for IPComp
159 */
160 static kernel_algorithm_t compression_algs[] = {
161 /* {IPCOMP_OUI, "***", 0}, */
162 {IPCOMP_DEFLATE, "deflate", 0},
163 {IPCOMP_LZS, "lzs", 0},
164 {IPCOMP_LZJH, "lzjh", 0},
165 {END_OF_LIST, NULL, 0},
166 };
167
168 /**
169 * Look up a kernel algorithm name and its key size
170 */
171 static char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
172 u_int16_t ikev2_algo, u_int16_t *key_size)
173 {
174 while (kernel_algo->ikev2_id != END_OF_LIST)
175 {
176 if (ikev2_algo == kernel_algo->ikev2_id)
177 {
178 /* match, evaluate key length */
179 if (key_size && *key_size == 0)
180 { /* update key size if not set */
181 *key_size = kernel_algo->key_size;
182 }
183 return kernel_algo->name;
184 }
185 kernel_algo++;
186 }
187 return NULL;
188 }
189
190 typedef struct route_entry_t route_entry_t;
191
192 /**
193 * installed routing entry
194 */
195 struct route_entry_t {
196
197 /** Index of the interface the route is bound to */
198 int if_index;
199
200 /** Source ip of the route */
201 host_t *src_ip;
202
203 /** gateway for this route */
204 host_t *gateway;
205
206 /** Destination net */
207 chunk_t dst_net;
208
209 /** Destination net prefixlen */
210 u_int8_t prefixlen;
211 };
212
213 /**
214 * destroy an route_entry_t object
215 */
216 static void route_entry_destroy(route_entry_t *this)
217 {
218 this->src_ip->destroy(this->src_ip);
219 this->gateway->destroy(this->gateway);
220 chunk_free(&this->dst_net);
221 free(this);
222 }
223
224 typedef struct policy_entry_t policy_entry_t;
225
226 /**
227 * installed kernel policy.
228 */
229 struct policy_entry_t {
230
231 /** direction of this policy: in, out, forward */
232 u_int8_t direction;
233
234 /** reqid of the policy */
235 u_int32_t reqid;
236
237 /** parameters of installed policy */
238 struct xfrm_selector sel;
239
240 /** associated route installed for this policy */
241 route_entry_t *route;
242
243 /** by how many CHILD_SA's this policy is used */
244 u_int refcount;
245 };
246
247 typedef struct addr_entry_t addr_entry_t;
248
249 /**
250 * IP address in an inface_entry_t
251 */
252 struct addr_entry_t {
253
254 /** The ip address */
255 host_t *ip;
256
257 /** virtual IP managed by us */
258 bool virtual;
259
260 /** scope of the address */
261 u_char scope;
262
263 /** Number of times this IP is used, if virtual */
264 u_int refcount;
265 };
266
267 /**
268 * destroy a addr_entry_t object
269 */
270 static void addr_entry_destroy(addr_entry_t *this)
271 {
272 this->ip->destroy(this->ip);
273 free(this);
274 }
275
276 typedef struct iface_entry_t iface_entry_t;
277
278 /**
279 * A network interface on this system, containing addr_entry_t's
280 */
281 struct iface_entry_t {
282
283 /** interface index */
284 int ifindex;
285
286 /** name of the interface */
287 char ifname[IFNAMSIZ];
288
289 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
290 u_int flags;
291
292 /** list of addresses as host_t */
293 linked_list_t *addrs;
294 };
295
296 /**
297 * destroy an interface entry
298 */
299 static void iface_entry_destroy(iface_entry_t *this)
300 {
301 this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
302 free(this);
303 }
304
305 typedef struct private_kernel_interface_t private_kernel_interface_t;
306
307 /**
308 * Private variables and functions of kernel_interface class.
309 */
310 struct private_kernel_interface_t {
311 /**
312 * Public part of the kernel_interface_t object.
313 */
314 kernel_interface_t public;
315
316 /**
317 * mutex to lock access to netlink socket
318 */
319 pthread_mutex_t nl_mutex;
320
321 /**
322 * mutex to lock access to various lists
323 */
324 pthread_mutex_t mutex;
325
326 /**
327 * condition variable to signal virtual IP add/removal
328 */
329 pthread_cond_t cond;
330
331 /**
332 * List of installed policies (policy_entry_t)
333 */
334 linked_list_t *policies;
335
336 /**
337 * Cached list of interfaces and its adresses (iface_entry_t)
338 */
339 linked_list_t *ifaces;
340
341 /**
342 * iterator used in hook()
343 */
344 iterator_t *hiter;
345
346 /**
347 * job receiving netlink events
348 */
349 callback_job_t *job;
350
351 /**
352 * current sequence number for netlink request
353 */
354 int seq;
355
356 /**
357 * Netlink xfrm socket (IPsec)
358 */
359 int socket_xfrm;
360
361 /**
362 * netlink xfrm socket to receive acquire and expire events
363 */
364 int socket_xfrm_events;
365
366 /**
367 * Netlink rt socket (routing)
368 */
369 int socket_rt;
370
371 /**
372 * Netlink rt socket to receive address change events
373 */
374 int socket_rt_events;
375
376 /**
377 * time of the last roam_job
378 */
379 struct timeval last_roam;
380
381 /**
382 * whether to install routes along policies
383 */
384 bool install_routes;
385
386 /**
387 * routing table to install routes
388 */
389 int routing_table;
390
391 /**
392 * priority of used routing table
393 */
394 int routing_table_prio;
395
396 /**
397 * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
398 */
399 bool process_route;
400
401 };
402
403 /**
404 * convert a IKEv2 specific protocol identifier to the kernel one
405 */
406 static u_int8_t proto_ike2kernel(protocol_id_t proto)
407 {
408 switch (proto)
409 {
410 case PROTO_ESP:
411 return IPPROTO_ESP;
412 case PROTO_AH:
413 return IPPROTO_AH;
414 default:
415 return proto;
416 }
417 }
418
419 /**
420 * reverse of ike2kernel
421 */
422 static protocol_id_t proto_kernel2ike(u_int8_t proto)
423 {
424 switch (proto)
425 {
426 case IPPROTO_ESP:
427 return PROTO_ESP;
428 case IPPROTO_AH:
429 return PROTO_AH;
430 default:
431 return proto;
432 }
433 }
434
435 /**
436 * convert a host_t to a struct xfrm_address
437 */
438 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
439 {
440 chunk_t chunk = host->get_address(host);
441 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
442 }
443
444 /**
445 * convert a traffic selector address range to subnet and its mask.
446 */
447 static void ts2subnet(traffic_selector_t* ts,
448 xfrm_address_t *net, u_int8_t *mask)
449 {
450 /* there is no way to do this cleanly, as the address range may
451 * be anything else but a subnet. We use from_addr as subnet
452 * and try to calculate a usable subnet mask.
453 */
454 int byte, bit;
455 bool found = FALSE;
456 chunk_t from, to;
457 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
458
459 from = ts->get_from_address(ts);
460 to = ts->get_to_address(ts);
461
462 *mask = (size * 8);
463 /* go trough all bits of the addresses, beginning in the front.
464 * as long as they are equal, the subnet gets larger
465 */
466 for (byte = 0; byte < size; byte++)
467 {
468 for (bit = 7; bit >= 0; bit--)
469 {
470 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
471 {
472 *mask = ((7 - bit) + (byte * 8));
473 found = TRUE;
474 break;
475 }
476 }
477 if (found)
478 {
479 break;
480 }
481 }
482 memcpy(net, from.ptr, from.len);
483 chunk_free(&from);
484 chunk_free(&to);
485 }
486
487 /**
488 * convert a traffic selector port range to port/portmask
489 */
490 static void ts2ports(traffic_selector_t* ts,
491 u_int16_t *port, u_int16_t *mask)
492 {
493 /* linux does not seem to accept complex portmasks. Only
494 * any or a specific port is allowed. We set to any, if we have
495 * a port range, or to a specific, if we have one port only.
496 */
497 u_int16_t from, to;
498
499 from = ts->get_from_port(ts);
500 to = ts->get_to_port(ts);
501
502 if (from == to)
503 {
504 *port = htons(from);
505 *mask = ~0;
506 }
507 else
508 {
509 *port = 0;
510 *mask = 0;
511 }
512 }
513
514 /**
515 * convert a pair of traffic_selectors to a xfrm_selector
516 */
517 static struct xfrm_selector ts2selector(traffic_selector_t *src,
518 traffic_selector_t *dst)
519 {
520 struct xfrm_selector sel;
521
522 memset(&sel, 0, sizeof(sel));
523 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
524 /* src or dest proto may be "any" (0), use more restrictive one */
525 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
526 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
527 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
528 ts2ports(dst, &sel.dport, &sel.dport_mask);
529 ts2ports(src, &sel.sport, &sel.sport_mask);
530 sel.ifindex = 0;
531 sel.user = 0;
532
533 return sel;
534 }
535
536 /**
537 * Creates an rtattr and adds it to the netlink message
538 */
539 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
540 size_t buflen)
541 {
542 struct rtattr *rta;
543
544 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
545 {
546 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
547 return;
548 }
549
550 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
551 rta->rta_type = rta_type;
552 rta->rta_len = RTA_LENGTH(data.len);
553 memcpy(RTA_DATA(rta), data.ptr, data.len);
554 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
555 }
556
557 /**
558 * process a XFRM_MSG_ACQUIRE from kernel
559 */
560 static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
561 {
562 u_int32_t reqid = 0;
563 int proto = 0;
564 job_t *job;
565 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
566 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
567
568 if (RTA_OK(rtattr, rtsize))
569 {
570 if (rtattr->rta_type == XFRMA_TMPL)
571 {
572 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
573 reqid = tmpl->reqid;
574 proto = tmpl->id.proto;
575 }
576 }
577 switch (proto)
578 {
579 case 0:
580 case IPPROTO_ESP:
581 case IPPROTO_AH:
582 break;
583 default:
584 /* acquire for AH/ESP only, not for IPCOMP */
585 return;
586 }
587 if (reqid == 0)
588 {
589 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
590 return;
591 }
592 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
593 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
594 job = (job_t*)acquire_job_create(reqid);
595 charon->processor->queue_job(charon->processor, job);
596 }
597
598 /**
599 * process a XFRM_MSG_EXPIRE from kernel
600 */
601 static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
602 {
603 job_t *job;
604 protocol_id_t protocol;
605 u_int32_t spi, reqid;
606 struct xfrm_user_expire *expire;
607
608 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
609 protocol = proto_kernel2ike(expire->state.id.proto);
610 spi = expire->state.id.spi;
611 reqid = expire->state.reqid;
612
613 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
614
615 if (protocol != PROTO_ESP && protocol != PROTO_AH)
616 {
617 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%d} "
618 "which is not a CHILD_SA", ntohl(spi), reqid);
619 return;
620 }
621
622 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
623 expire->hard ? "delete" : "rekey", protocol_id_names,
624 protocol, ntohl(spi), reqid);
625 if (expire->hard)
626 {
627 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
628 }
629 else
630 {
631 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
632 }
633 charon->processor->queue_job(charon->processor, job);
634 }
635
636 /**
637 * start a roaming job. We delay it for a second and fire only one job
638 * for multiple events. Otherwise we would create two many jobs.
639 */
640 static void fire_roam_job(private_kernel_interface_t *this, bool address)
641 {
642 struct timeval now;
643
644 if (gettimeofday(&now, NULL) == 0)
645 {
646 if (timercmp(&now, &this->last_roam, >))
647 {
648 now.tv_usec += ROAM_DELAY * 1000;
649 while (now.tv_usec > 1000000)
650 {
651 now.tv_sec++;
652 now.tv_usec -= 1000000;
653 }
654 this->last_roam = now;
655 charon->scheduler->schedule_job(charon->scheduler,
656 (job_t*)roam_job_create(address), ROAM_DELAY);
657 }
658 }
659 }
660
661 /**
662 * get the refcount of a virtual ip
663 */
664 static int get_vip_refcount(private_kernel_interface_t *this, host_t* ip)
665 {
666 iterator_t *ifaces, *addrs;
667 iface_entry_t *iface;
668 addr_entry_t *addr;
669 int refcount = 0;
670
671 ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
672 while (ifaces->iterate(ifaces, (void**)&iface))
673 {
674 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
675 while (addrs->iterate(addrs, (void**)&addr))
676 {
677 if (addr->virtual && (iface->flags & IFF_UP) &&
678 ip->ip_equals(ip, addr->ip))
679 {
680 refcount = addr->refcount;
681 break;
682 }
683 }
684 addrs->destroy(addrs);
685 if (refcount)
686 {
687 break;
688 }
689 }
690 ifaces->destroy(ifaces);
691
692 return refcount;
693 }
694
695 /**
696 * process RTM_NEWLINK/RTM_DELLINK from kernel
697 */
698 static void process_link(private_kernel_interface_t *this,
699 struct nlmsghdr *hdr, bool event)
700 {
701 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
702 struct rtattr *rta = IFLA_RTA(msg);
703 size_t rtasize = IFLA_PAYLOAD (hdr);
704 iterator_t *iterator;
705 iface_entry_t *current, *entry = NULL;
706 char *name = NULL;
707 bool update = FALSE;
708
709 while(RTA_OK(rta, rtasize))
710 {
711 switch (rta->rta_type)
712 {
713 case IFLA_IFNAME:
714 name = RTA_DATA(rta);
715 break;
716 }
717 rta = RTA_NEXT(rta, rtasize);
718 }
719 if (!name)
720 {
721 name = "(unknown)";
722 }
723
724 switch (hdr->nlmsg_type)
725 {
726 case RTM_NEWLINK:
727 {
728 if (msg->ifi_flags & IFF_LOOPBACK)
729 { /* ignore loopback interfaces */
730 break;
731 }
732 iterator = this->ifaces->create_iterator_locked(this->ifaces,
733 &this->mutex);
734 while (iterator->iterate(iterator, (void**)&current))
735 {
736 if (current->ifindex == msg->ifi_index)
737 {
738 entry = current;
739 break;
740 }
741 }
742 if (!entry)
743 {
744 entry = malloc_thing(iface_entry_t);
745 entry->ifindex = msg->ifi_index;
746 entry->flags = 0;
747 entry->addrs = linked_list_create();
748 this->ifaces->insert_last(this->ifaces, entry);
749 }
750 memcpy(entry->ifname, name, IFNAMSIZ);
751 entry->ifname[IFNAMSIZ-1] = '\0';
752 if (event)
753 {
754 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
755 {
756 update = TRUE;
757 DBG1(DBG_KNL, "interface %s activated", name);
758 }
759 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
760 {
761 update = TRUE;
762 DBG1(DBG_KNL, "interface %s deactivated", name);
763 }
764 }
765 entry->flags = msg->ifi_flags;
766 iterator->destroy(iterator);
767 break;
768 }
769 case RTM_DELLINK:
770 {
771 iterator = this->ifaces->create_iterator_locked(this->ifaces,
772 &this->mutex);
773 while (iterator->iterate(iterator, (void**)&current))
774 {
775 if (current->ifindex == msg->ifi_index)
776 {
777 /* we do not remove it, as an address may be added to a
778 * "down" interface and we wan't to know that. */
779 current->flags = msg->ifi_flags;
780 break;
781 }
782 }
783 iterator->destroy(iterator);
784 break;
785 }
786 }
787
788 /* send an update to all IKE_SAs */
789 if (update && event)
790 {
791 fire_roam_job(this, TRUE);
792 }
793 }
794
795 /**
796 * process RTM_NEWADDR/RTM_DELADDR from kernel
797 */
798 static void process_addr(private_kernel_interface_t *this,
799 struct nlmsghdr *hdr, bool event)
800 {
801 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
802 struct rtattr *rta = IFA_RTA(msg);
803 size_t rtasize = IFA_PAYLOAD (hdr);
804 host_t *host = NULL;
805 iterator_t *ifaces, *addrs;
806 iface_entry_t *iface;
807 addr_entry_t *addr;
808 chunk_t local = chunk_empty, address = chunk_empty;
809 bool update = FALSE, found = FALSE, changed = FALSE;
810
811 while(RTA_OK(rta, rtasize))
812 {
813 switch (rta->rta_type)
814 {
815 case IFA_LOCAL:
816 local.ptr = RTA_DATA(rta);
817 local.len = RTA_PAYLOAD(rta);
818 break;
819 case IFA_ADDRESS:
820 address.ptr = RTA_DATA(rta);
821 address.len = RTA_PAYLOAD(rta);
822 break;
823 }
824 rta = RTA_NEXT(rta, rtasize);
825 }
826
827 /* For PPP interfaces, we need the IFA_LOCAL address,
828 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
829 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
830 if (local.ptr)
831 {
832 host = host_create_from_chunk(msg->ifa_family, local, 0);
833 }
834 else if (address.ptr)
835 {
836 host = host_create_from_chunk(msg->ifa_family, address, 0);
837 }
838
839 if (host == NULL)
840 { /* bad family? */
841 return;
842 }
843
844 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
845 while (ifaces->iterate(ifaces, (void**)&iface))
846 {
847 if (iface->ifindex == msg->ifa_index)
848 {
849 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
850 while (addrs->iterate(addrs, (void**)&addr))
851 {
852 if (host->ip_equals(host, addr->ip))
853 {
854 found = TRUE;
855 if (hdr->nlmsg_type == RTM_DELADDR)
856 {
857 addrs->remove(addrs);
858 if (!addr->virtual)
859 {
860 changed = TRUE;
861 DBG1(DBG_KNL, "%H disappeared from %s",
862 host, iface->ifname);
863 }
864 addr_entry_destroy(addr);
865 }
866 else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
867 {
868 addr->refcount = 1;
869 }
870 }
871 }
872 addrs->destroy(addrs);
873
874 if (hdr->nlmsg_type == RTM_NEWADDR)
875 {
876 if (!found)
877 {
878 found = TRUE;
879 changed = TRUE;
880 addr = malloc_thing(addr_entry_t);
881 addr->ip = host->clone(host);
882 addr->virtual = FALSE;
883 addr->refcount = 1;
884 addr->scope = msg->ifa_scope;
885
886 iface->addrs->insert_last(iface->addrs, addr);
887 if (event)
888 {
889 DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
890 }
891 }
892 }
893 if (found && (iface->flags & IFF_UP))
894 {
895 update = TRUE;
896 }
897 break;
898 }
899 }
900 ifaces->destroy(ifaces);
901 host->destroy(host);
902
903 /* send an update to all IKE_SAs */
904 if (update && event && changed)
905 {
906 fire_roam_job(this, TRUE);
907 }
908 }
909
910 /**
911 * process RTM_NEWROUTE and RTM_DELROUTE from kernel
912 */
913 static void process_route(private_kernel_interface_t *this, struct nlmsghdr *hdr)
914 {
915 struct rtmsg* msg = (struct rtmsg*)(NLMSG_DATA(hdr));
916 struct rtattr *rta = RTM_RTA(msg);
917 size_t rtasize = RTM_PAYLOAD(hdr);
918 host_t *host = NULL;
919
920 while (RTA_OK(rta, rtasize))
921 {
922 switch (rta->rta_type)
923 {
924 case RTA_PREFSRC:
925 host = host_create_from_chunk(msg->rtm_family,
926 chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0);
927 break;
928 }
929 rta = RTA_NEXT(rta, rtasize);
930 }
931 if (host)
932 {
933 if (!get_vip_refcount(this, host))
934 { /* ignore routes added for virtual IPs */
935 fire_roam_job(this, FALSE);
936 }
937 host->destroy(host);
938 }
939 }
940
941 /**
942 * Receives events from kernel
943 */
944 static job_requeue_t receive_events(private_kernel_interface_t *this)
945 {
946 char response[1024];
947 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
948 struct sockaddr_nl addr;
949 socklen_t addr_len = sizeof(addr);
950 int len, oldstate, maxfd, selected;
951 fd_set rfds;
952
953 FD_ZERO(&rfds);
954 FD_SET(this->socket_xfrm_events, &rfds);
955 FD_SET(this->socket_rt_events, &rfds);
956 maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
957
958 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
959 selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
960 pthread_setcancelstate(oldstate, NULL);
961 if (selected <= 0)
962 {
963 DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
964 return JOB_REQUEUE_FAIR;
965 }
966 if (FD_ISSET(this->socket_xfrm_events, &rfds))
967 {
968 selected = this->socket_xfrm_events;
969 }
970 else if (FD_ISSET(this->socket_rt_events, &rfds))
971 {
972 selected = this->socket_rt_events;
973 }
974 else
975 {
976 return JOB_REQUEUE_DIRECT;
977 }
978
979 len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
980 (struct sockaddr*)&addr, &addr_len);
981 if (len < 0)
982 {
983 switch (errno)
984 {
985 case EINTR:
986 /* interrupted, try again */
987 return JOB_REQUEUE_DIRECT;
988 case EAGAIN:
989 /* no data ready, select again */
990 return JOB_REQUEUE_DIRECT;
991 default:
992 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
993 sleep(1);
994 return JOB_REQUEUE_FAIR;
995 }
996 }
997 if (addr.nl_pid != 0)
998 { /* not from kernel. not interested, try another one */
999 return JOB_REQUEUE_DIRECT;
1000 }
1001
1002 while (NLMSG_OK(hdr, len))
1003 {
1004 /* looks good so far, dispatch netlink message */
1005 if (selected == this->socket_xfrm_events)
1006 {
1007 switch (hdr->nlmsg_type)
1008 {
1009 case XFRM_MSG_ACQUIRE:
1010 process_acquire(this, hdr);
1011 break;
1012 case XFRM_MSG_EXPIRE:
1013 process_expire(this, hdr);
1014 break;
1015 default:
1016 break;
1017 }
1018 }
1019 else if (selected == this->socket_rt_events)
1020 {
1021 switch (hdr->nlmsg_type)
1022 {
1023 case RTM_NEWADDR:
1024 case RTM_DELADDR:
1025 process_addr(this, hdr, TRUE);
1026 pthread_cond_broadcast(&this->cond);
1027 break;
1028 case RTM_NEWLINK:
1029 case RTM_DELLINK:
1030 process_link(this, hdr, TRUE);
1031 pthread_cond_broadcast(&this->cond);
1032 break;
1033 case RTM_NEWROUTE:
1034 case RTM_DELROUTE:
1035 if (this->process_route)
1036 {
1037 process_route(this, hdr);
1038 }
1039 break;
1040 default:
1041 break;
1042 }
1043 }
1044 hdr = NLMSG_NEXT(hdr, len);
1045 }
1046 return JOB_REQUEUE_DIRECT;
1047 }
1048
1049 /**
1050 * send a netlink message and wait for a reply
1051 */
1052 static status_t netlink_send(private_kernel_interface_t *this,
1053 int socket, struct nlmsghdr *in,
1054 struct nlmsghdr **out, size_t *out_len)
1055 {
1056 int len, addr_len;
1057 struct sockaddr_nl addr;
1058 chunk_t result = chunk_empty, tmp;
1059 struct nlmsghdr *msg, peek;
1060
1061 pthread_mutex_lock(&this->nl_mutex);
1062
1063 in->nlmsg_seq = ++this->seq;
1064 in->nlmsg_pid = getpid();
1065
1066 memset(&addr, 0, sizeof(addr));
1067 addr.nl_family = AF_NETLINK;
1068 addr.nl_pid = 0;
1069 addr.nl_groups = 0;
1070
1071 while (TRUE)
1072 {
1073 len = sendto(socket, in, in->nlmsg_len, 0,
1074 (struct sockaddr*)&addr, sizeof(addr));
1075
1076 if (len != in->nlmsg_len)
1077 {
1078 if (errno == EINTR)
1079 {
1080 /* interrupted, try again */
1081 continue;
1082 }
1083 pthread_mutex_unlock(&this->nl_mutex);
1084 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
1085 return FAILED;
1086 }
1087 break;
1088 }
1089
1090 while (TRUE)
1091 {
1092 char buf[4096];
1093 tmp.len = sizeof(buf);
1094 tmp.ptr = buf;
1095 msg = (struct nlmsghdr*)tmp.ptr;
1096
1097 memset(&addr, 0, sizeof(addr));
1098 addr.nl_family = AF_NETLINK;
1099 addr.nl_pid = getpid();
1100 addr.nl_groups = 0;
1101 addr_len = sizeof(addr);
1102
1103 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
1104 (struct sockaddr*)&addr, &addr_len);
1105
1106 if (len < 0)
1107 {
1108 if (errno == EINTR)
1109 {
1110 DBG1(DBG_KNL, "got interrupted");
1111 /* interrupted, try again */
1112 continue;
1113 }
1114 DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
1115 pthread_mutex_unlock(&this->nl_mutex);
1116 free(result.ptr);
1117 return FAILED;
1118 }
1119 if (!NLMSG_OK(msg, len))
1120 {
1121 DBG1(DBG_KNL, "received corrupted netlink message");
1122 pthread_mutex_unlock(&this->nl_mutex);
1123 free(result.ptr);
1124 return FAILED;
1125 }
1126 if (msg->nlmsg_seq != this->seq)
1127 {
1128 DBG1(DBG_KNL, "received invalid netlink sequence number");
1129 if (msg->nlmsg_seq < this->seq)
1130 {
1131 continue;
1132 }
1133 pthread_mutex_unlock(&this->nl_mutex);
1134 free(result.ptr);
1135 return FAILED;
1136 }
1137
1138 tmp.len = len;
1139 result.ptr = realloc(result.ptr, result.len + tmp.len);
1140 memcpy(result.ptr + result.len, tmp.ptr, tmp.len);
1141 result.len += tmp.len;
1142
1143 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
1144 * numbers to detect multi header messages */
1145 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
1146 (struct sockaddr*)&addr, &addr_len);
1147
1148 if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
1149 {
1150 /* seems to be multipart */
1151 continue;
1152 }
1153 break;
1154 }
1155
1156 *out_len = result.len;
1157 *out = (struct nlmsghdr*)result.ptr;
1158
1159 pthread_mutex_unlock(&this->nl_mutex);
1160
1161 return SUCCESS;
1162 }
1163
1164 /**
1165 * send a netlink message and wait for its acknowlegde
1166 */
1167 static status_t netlink_send_ack(private_kernel_interface_t *this,
1168 int socket, struct nlmsghdr *in)
1169 {
1170 struct nlmsghdr *out, *hdr;
1171 size_t len;
1172
1173 if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
1174 {
1175 return FAILED;
1176 }
1177 hdr = out;
1178 while (NLMSG_OK(hdr, len))
1179 {
1180 switch (hdr->nlmsg_type)
1181 {
1182 case NLMSG_ERROR:
1183 {
1184 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
1185
1186 if (err->error)
1187 {
1188 if (-err->error == EEXIST)
1189 { /* do not report existing routes */
1190 free(out);
1191 return ALREADY_DONE;
1192 }
1193 DBG1(DBG_KNL, "received netlink error: %s (%d)",
1194 strerror(-err->error), -err->error);
1195 free(out);
1196 return FAILED;
1197 }
1198 free(out);
1199 return SUCCESS;
1200 }
1201 default:
1202 hdr = NLMSG_NEXT(hdr, len);
1203 continue;
1204 case NLMSG_DONE:
1205 break;
1206 }
1207 break;
1208 }
1209 DBG1(DBG_KNL, "netlink request not acknowlegded");
1210 free(out);
1211 return FAILED;
1212 }
1213
1214 /**
1215 * Initialize a list of local addresses.
1216 */
1217 static status_t init_address_list(private_kernel_interface_t *this)
1218 {
1219 char request[BUFFER_SIZE];
1220 struct nlmsghdr *out, *current, *in;
1221 struct rtgenmsg *msg;
1222 size_t len;
1223 iterator_t *ifaces, *addrs;
1224 iface_entry_t *iface;
1225 addr_entry_t *addr;
1226
1227 DBG1(DBG_KNL, "listening on interfaces:");
1228
1229 memset(&request, 0, sizeof(request));
1230
1231 in = (struct nlmsghdr*)&request;
1232 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
1233 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
1234 msg = (struct rtgenmsg*)NLMSG_DATA(in);
1235 msg->rtgen_family = AF_UNSPEC;
1236
1237 /* get all links */
1238 in->nlmsg_type = RTM_GETLINK;
1239 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1240 {
1241 return FAILED;
1242 }
1243 current = out;
1244 while (NLMSG_OK(current, len))
1245 {
1246 switch (current->nlmsg_type)
1247 {
1248 case NLMSG_DONE:
1249 break;
1250 case RTM_NEWLINK:
1251 process_link(this, current, FALSE);
1252 /* fall through */
1253 default:
1254 current = NLMSG_NEXT(current, len);
1255 continue;
1256 }
1257 break;
1258 }
1259 free(out);
1260
1261 /* get all interface addresses */
1262 in->nlmsg_type = RTM_GETADDR;
1263 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1264 {
1265 return FAILED;
1266 }
1267 current = out;
1268 while (NLMSG_OK(current, len))
1269 {
1270 switch (current->nlmsg_type)
1271 {
1272 case NLMSG_DONE:
1273 break;
1274 case RTM_NEWADDR:
1275 process_addr(this, current, FALSE);
1276 /* fall through */
1277 default:
1278 current = NLMSG_NEXT(current, len);
1279 continue;
1280 }
1281 break;
1282 }
1283 free(out);
1284
1285 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1286 while (ifaces->iterate(ifaces, (void**)&iface))
1287 {
1288 if (iface->flags & IFF_UP)
1289 {
1290 DBG1(DBG_KNL, " %s", iface->ifname);
1291 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1292 while (addrs->iterate(addrs, (void**)&addr))
1293 {
1294 DBG1(DBG_KNL, " %H", addr->ip);
1295 }
1296 addrs->destroy(addrs);
1297 }
1298 }
1299 ifaces->destroy(ifaces);
1300 return SUCCESS;
1301 }
1302
1303 /**
1304 * iterator hook to iterate over addrs
1305 */
1306 static hook_result_t addr_hook(private_kernel_interface_t *this,
1307 addr_entry_t *in, host_t **out)
1308 {
1309 if (in->virtual)
1310 { /* skip virtual interfaces added by us */
1311 return HOOK_SKIP;
1312 }
1313 if (in->scope >= RT_SCOPE_LINK)
1314 { /* skip addresses with a unusable scope */
1315 return HOOK_SKIP;
1316 }
1317 *out = in->ip;
1318 return HOOK_NEXT;
1319 }
1320
1321 /**
1322 * iterator hook to iterate over ifaces
1323 */
1324 static hook_result_t iface_hook(private_kernel_interface_t *this,
1325 iface_entry_t *in, host_t **out)
1326 {
1327 if (!(in->flags & IFF_UP))
1328 { /* skip interfaces not up */
1329 return HOOK_SKIP;
1330 }
1331
1332 if (this->hiter == NULL)
1333 {
1334 this->hiter = in->addrs->create_iterator(in->addrs, TRUE);
1335 this->hiter->set_iterator_hook(this->hiter,
1336 (iterator_hook_t*)addr_hook, this);
1337 }
1338 while (this->hiter->iterate(this->hiter, (void**)out))
1339 {
1340 return HOOK_AGAIN;
1341 }
1342 this->hiter->destroy(this->hiter);
1343 this->hiter = NULL;
1344 return HOOK_SKIP;
1345 }
1346
1347 /**
1348 * Implements kernel_interface_t.create_address_iterator.
1349 */
1350 static iterator_t *create_address_iterator(private_kernel_interface_t *this)
1351 {
1352 iterator_t *iterator;
1353
1354 /* This iterator is not only hooked, is is double-hooked. As we have stored
1355 * our addresses in iface_entry->addr_entry->ip, we need to iterate the
1356 * entries in each interface we iterate. This does the iface_hook. The
1357 * addr_hook returns the ip instead of the addr_entry. */
1358
1359 iterator = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1360 iterator->set_iterator_hook(iterator, (iterator_hook_t*)iface_hook, this);
1361 return iterator;
1362 }
1363
1364 /**
1365 * implementation of kernel_interface_t.get_interface_name
1366 */
1367 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
1368 {
1369 iterator_t *ifaces, *addrs;
1370 iface_entry_t *iface;
1371 addr_entry_t *addr;
1372 char *name = NULL;
1373
1374 DBG2(DBG_KNL, "getting interface name for %H", ip);
1375
1376 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1377 while (ifaces->iterate(ifaces, (void**)&iface))
1378 {
1379 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1380 while (addrs->iterate(addrs, (void**)&addr))
1381 {
1382 if (ip->ip_equals(ip, addr->ip))
1383 {
1384 name = strdup(iface->ifname);
1385 break;
1386 }
1387 }
1388 addrs->destroy(addrs);
1389 if (name)
1390 {
1391 break;
1392 }
1393 }
1394 ifaces->destroy(ifaces);
1395
1396 if (name)
1397 {
1398 DBG2(DBG_KNL, "%H is on interface %s", ip, name);
1399 }
1400 else
1401 {
1402 DBG2(DBG_KNL, "%H is not a local address", ip);
1403 }
1404 return name;
1405 }
1406
1407 /**
1408 * Tries to find an ip address of a local interface that is included in the
1409 * supplied traffic selector.
1410 */
1411 static status_t get_address_by_ts(private_kernel_interface_t *this,
1412 traffic_selector_t *ts, host_t **ip)
1413 {
1414 iterator_t *ifaces, *addrs;
1415 iface_entry_t *iface;
1416 addr_entry_t *addr;
1417 host_t *host;
1418 int family;
1419 bool found = FALSE;
1420
1421 DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
1422
1423 /* if we have a family which includes localhost, we do not
1424 * search for an IP, we use the default */
1425 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1426
1427 if (family == AF_INET)
1428 {
1429 host = host_create_from_string("127.0.0.1", 0);
1430 }
1431 else
1432 {
1433 host = host_create_from_string("::1", 0);
1434 }
1435
1436 if (ts->includes(ts, host))
1437 {
1438 *ip = host_create_any(family);
1439 host->destroy(host);
1440 DBG2(DBG_KNL, "using host %H", *ip);
1441 return SUCCESS;
1442 }
1443 host->destroy(host);
1444
1445 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1446 while (ifaces->iterate(ifaces, (void**)&iface))
1447 {
1448 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1449 while (addrs->iterate(addrs, (void**)&addr))
1450 {
1451 if (ts->includes(ts, addr->ip))
1452 {
1453 found = TRUE;
1454 *ip = addr->ip->clone(addr->ip);
1455 break;
1456 }
1457 }
1458 addrs->destroy(addrs);
1459 if (found)
1460 {
1461 break;
1462 }
1463 }
1464 ifaces->destroy(ifaces);
1465
1466 if (!found)
1467 {
1468 DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
1469 return FAILED;
1470 }
1471 DBG2(DBG_KNL, "using host %H", *ip);
1472 return SUCCESS;
1473 }
1474
1475 /**
1476 * get the interface of a local address
1477 */
1478 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
1479 {
1480 iterator_t *ifaces, *addrs;
1481 iface_entry_t *iface;
1482 addr_entry_t *addr;
1483 int ifindex = 0;
1484
1485 DBG2(DBG_KNL, "getting iface for %H", ip);
1486
1487 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1488 while (ifaces->iterate(ifaces, (void**)&iface))
1489 {
1490 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1491 while (addrs->iterate(addrs, (void**)&addr))
1492 {
1493 if (ip->ip_equals(ip, addr->ip))
1494 {
1495 ifindex = iface->ifindex;
1496 break;
1497 }
1498 }
1499 addrs->destroy(addrs);
1500 if (ifindex)
1501 {
1502 break;
1503 }
1504 }
1505 ifaces->destroy(ifaces);
1506
1507 if (ifindex == 0)
1508 {
1509 DBG1(DBG_KNL, "unable to get interface for %H", ip);
1510 }
1511 return ifindex;
1512 }
1513
1514 /**
1515 * Manages the creation and deletion of ip addresses on an interface.
1516 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1517 */
1518 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1519 int flags, int if_index, host_t *ip)
1520 {
1521 unsigned char request[BUFFER_SIZE];
1522 struct nlmsghdr *hdr;
1523 struct ifaddrmsg *msg;
1524 chunk_t chunk;
1525
1526 memset(&request, 0, sizeof(request));
1527
1528 chunk = ip->get_address(ip);
1529
1530 hdr = (struct nlmsghdr*)request;
1531 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1532 hdr->nlmsg_type = nlmsg_type;
1533 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1534
1535 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1536 msg->ifa_family = ip->get_family(ip);
1537 msg->ifa_flags = 0;
1538 msg->ifa_prefixlen = 8 * chunk.len;
1539 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1540 msg->ifa_index = if_index;
1541
1542 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1543
1544 return netlink_send_ack(this, this->socket_rt, hdr);
1545 }
1546
1547 /**
1548 * Manages source routes in the routing table.
1549 * By setting the appropriate nlmsg_type, the route added or r.
1550 */
1551 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
1552 int flags, route_entry_t *route)
1553 {
1554 unsigned char request[BUFFER_SIZE];
1555 struct nlmsghdr *hdr;
1556 struct rtmsg *msg;
1557 chunk_t chunk;
1558
1559 /* if route is 0.0.0.0/0, we can't install it, as it would
1560 * overwrite the default route. Instead, we add two routes:
1561 * 0.0.0.0/1 and 128.0.0.0/1 */
1562 if (this->routing_table == 0 && route->prefixlen == 0)
1563 {
1564 route_entry_t half;
1565 status_t status;
1566
1567 half.dst_net = chunk_alloca(route->dst_net.len);
1568 memset(half.dst_net.ptr, 0, half.dst_net.len);
1569 half.src_ip = route->src_ip;
1570 half.gateway = route->gateway;
1571 half.if_index = route->if_index;
1572 half.prefixlen = 1;
1573
1574 status = manage_srcroute(this, nlmsg_type, flags, &half);
1575 half.dst_net.ptr[0] |= 0x80;
1576 status = manage_srcroute(this, nlmsg_type, flags, &half);
1577 return status;
1578 }
1579
1580 memset(&request, 0, sizeof(request));
1581
1582 hdr = (struct nlmsghdr*)request;
1583 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1584 hdr->nlmsg_type = nlmsg_type;
1585 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1586
1587 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1588 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1589 msg->rtm_dst_len = route->prefixlen;
1590 msg->rtm_table = this->routing_table;
1591 msg->rtm_protocol = RTPROT_STATIC;
1592 msg->rtm_type = RTN_UNICAST;
1593 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1594
1595 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1596 chunk = route->src_ip->get_address(route->src_ip);
1597 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1598 chunk = route->gateway->get_address(route->gateway);
1599 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1600 chunk.ptr = (char*)&route->if_index;
1601 chunk.len = sizeof(route->if_index);
1602 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1603
1604 return netlink_send_ack(this, this->socket_rt, hdr);
1605 }
1606
1607 /**
1608 * create or delete an rule to use our routing table
1609 */
1610 static status_t manage_rule(private_kernel_interface_t *this, int nlmsg_type,
1611 u_int32_t table, u_int32_t prio)
1612 {
1613 unsigned char request[BUFFER_SIZE];
1614 struct nlmsghdr *hdr;
1615 struct rtmsg *msg;
1616 chunk_t chunk;
1617
1618 memset(&request, 0, sizeof(request));
1619 hdr = (struct nlmsghdr*)request;
1620 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1621 hdr->nlmsg_type = nlmsg_type;
1622 if (nlmsg_type == RTM_NEWRULE)
1623 {
1624 hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
1625 }
1626 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1627
1628 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1629 msg->rtm_table = table;
1630 msg->rtm_family = AF_INET;
1631 msg->rtm_protocol = RTPROT_BOOT;
1632 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1633 msg->rtm_type = RTN_UNICAST;
1634
1635 chunk = chunk_from_thing(prio);
1636 add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
1637
1638 return netlink_send_ack(this, this->socket_rt, hdr);
1639 }
1640
1641 /**
1642 * check if an address (chunk) addr is in subnet (net with net_len net bits)
1643 */
1644 static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
1645 {
1646 int bit, byte;
1647
1648 if (addr.len != net.len)
1649 {
1650 return FALSE;
1651 }
1652 /* scan through all bits, beginning in the front */
1653 for (byte = 0; byte < addr.len; byte++)
1654 {
1655 for (bit = 7; bit >= 0; bit--)
1656 {
1657 /* check if bits are equal (or we reached the end of the net) */
1658 if (bit + byte * 8 > net_len)
1659 {
1660 return TRUE;
1661 }
1662 if (((1<<bit) & addr.ptr[byte]) != ((1<<bit) & net.ptr[byte]))
1663 {
1664 return FALSE;
1665 }
1666 }
1667 }
1668 return TRUE;
1669 }
1670
1671 /**
1672 * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
1673 */
1674 static host_t *get_route(private_kernel_interface_t *this, host_t *dest,
1675 bool nexthop)
1676 {
1677 unsigned char request[BUFFER_SIZE];
1678 struct nlmsghdr *hdr, *out, *current;
1679 struct rtmsg *msg;
1680 chunk_t chunk;
1681 size_t len;
1682 int best = -1;
1683 host_t *src = NULL, *gtw = NULL;
1684
1685 DBG2(DBG_KNL, "getting address to reach %H", dest);
1686
1687 memset(&request, 0, sizeof(request));
1688
1689 hdr = (struct nlmsghdr*)request;
1690 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP | NLM_F_ROOT;
1691 hdr->nlmsg_type = RTM_GETROUTE;
1692 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1693
1694 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1695 msg->rtm_family = dest->get_family(dest);
1696
1697 chunk = dest->get_address(dest);
1698 add_attribute(hdr, RTA_DST, chunk, sizeof(request));
1699
1700 if (netlink_send(this, this->socket_rt, hdr, &out, &len) != SUCCESS)
1701 {
1702 DBG1(DBG_KNL, "getting address to %H failed", dest);
1703 return NULL;
1704 }
1705 current = out;
1706 while (NLMSG_OK(current, len))
1707 {
1708 switch (current->nlmsg_type)
1709 {
1710 case NLMSG_DONE:
1711 break;
1712 case RTM_NEWROUTE:
1713 {
1714 struct rtattr *rta;
1715 size_t rtasize;
1716 chunk_t rta_gtw, rta_src, rta_dst;
1717 u_int32_t rta_oif = 0;
1718
1719 rta_gtw = rta_src = rta_dst = chunk_empty;
1720 msg = (struct rtmsg*)(NLMSG_DATA(current));
1721 rta = RTM_RTA(msg);
1722 rtasize = RTM_PAYLOAD(current);
1723 while (RTA_OK(rta, rtasize))
1724 {
1725 switch (rta->rta_type)
1726 {
1727 case RTA_PREFSRC:
1728 rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1729 break;
1730 case RTA_GATEWAY:
1731 rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1732 break;
1733 case RTA_DST:
1734 rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1735 break;
1736 case RTA_OIF:
1737 if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
1738 {
1739 rta_oif = *(u_int32_t*)RTA_DATA(rta);
1740 }
1741 break;
1742 }
1743 rta = RTA_NEXT(rta, rtasize);
1744 }
1745
1746 /* apply the route if:
1747 * - it is not from our own ipsec routing table
1748 * - is better than a previous one
1749 * - is the default route or
1750 * - its destination net contains our destination
1751 */
1752 if ((this->routing_table == 0 ||msg->rtm_table != this->routing_table)
1753 && msg->rtm_dst_len > best
1754 && (msg->rtm_dst_len == 0 || /* default route */
1755 (rta_dst.ptr && addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))))
1756 {
1757 iterator_t *ifaces, *addrs;
1758 iface_entry_t *iface;
1759 addr_entry_t *addr;
1760
1761 best = msg->rtm_dst_len;
1762 if (nexthop)
1763 {
1764 DESTROY_IF(gtw);
1765 gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
1766 }
1767 else if (rta_src.ptr)
1768 {
1769 DESTROY_IF(src);
1770 src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
1771 if (get_vip_refcount(this, src))
1772 { /* skip source address if it is installed by us */
1773 DESTROY_IF(src);
1774 src = NULL;
1775 current = NLMSG_NEXT(current, len);
1776 continue;
1777 }
1778 }
1779 else
1780 {
1781 /* no source addr, get one from the interfaces */
1782 ifaces = this->ifaces->create_iterator_locked(
1783 this->ifaces, &this->mutex);
1784 while (ifaces->iterate(ifaces, (void**)&iface))
1785 {
1786 if (iface->ifindex == rta_oif)
1787 {
1788 addrs = iface->addrs->create_iterator(
1789 iface->addrs, TRUE);
1790 while (addrs->iterate(addrs, (void**)&addr))
1791 {
1792 chunk_t ip = addr->ip->get_address(addr->ip);
1793 if (msg->rtm_dst_len == 0
1794 || addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
1795 {
1796 DESTROY_IF(src);
1797 src = addr->ip->clone(addr->ip);
1798 break;
1799 }
1800 }
1801 addrs->destroy(addrs);
1802 }
1803 }
1804 ifaces->destroy(ifaces);
1805 }
1806 }
1807 /* FALL through */
1808 }
1809 default:
1810 current = NLMSG_NEXT(current, len);
1811 continue;
1812 }
1813 break;
1814 }
1815 free(out);
1816
1817 if (nexthop)
1818 {
1819 if (gtw)
1820 {
1821 return gtw;
1822 }
1823 return dest->clone(dest);
1824 }
1825 return src;
1826 }
1827
1828 /**
1829 * Implementation of kernel_interface_t.get_source_addr.
1830 */
1831 static host_t* get_source_addr(private_kernel_interface_t *this, host_t *dest)
1832 {
1833 return get_route(this, dest, FALSE);
1834 }
1835
1836 /**
1837 * Implementation of kernel_interface_t.add_ip.
1838 */
1839 static status_t add_ip(private_kernel_interface_t *this,
1840 host_t *virtual_ip, host_t *iface_ip)
1841 {
1842 iface_entry_t *iface;
1843 addr_entry_t *addr;
1844 iterator_t *addrs, *ifaces;
1845 int ifindex;
1846
1847 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1848
1849 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1850 while (ifaces->iterate(ifaces, (void**)&iface))
1851 {
1852 bool iface_found = FALSE;
1853
1854 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1855 while (addrs->iterate(addrs, (void**)&addr))
1856 {
1857 if (iface_ip->ip_equals(iface_ip, addr->ip))
1858 {
1859 iface_found = TRUE;
1860 }
1861 else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1862 {
1863 addr->refcount++;
1864 DBG2(DBG_KNL, "virtual IP %H already installed on %s",
1865 virtual_ip, iface->ifname);
1866 addrs->destroy(addrs);
1867 ifaces->destroy(ifaces);
1868 return SUCCESS;
1869 }
1870 }
1871 addrs->destroy(addrs);
1872
1873 if (iface_found)
1874 {
1875 ifindex = iface->ifindex;
1876 addr = malloc_thing(addr_entry_t);
1877 addr->ip = virtual_ip->clone(virtual_ip);
1878 addr->refcount = 0;
1879 addr->virtual = TRUE;
1880 addr->scope = RT_SCOPE_UNIVERSE;
1881 iface->addrs->insert_last(iface->addrs, addr);
1882
1883 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1884 ifindex, virtual_ip) == SUCCESS)
1885 {
1886 while (get_vip_refcount(this, virtual_ip) == 0)
1887 { /* wait until address appears */
1888 pthread_cond_wait(&this->cond, &this->mutex);
1889 }
1890 ifaces->destroy(ifaces);
1891 return SUCCESS;
1892 }
1893 ifaces->destroy(ifaces);
1894 DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
1895 return FAILED;
1896 }
1897 }
1898 ifaces->destroy(ifaces);
1899
1900 DBG1(DBG_KNL, "interface address %H not found, unable to install"
1901 "virtual IP %H", iface_ip, virtual_ip);
1902 return FAILED;
1903 }
1904
1905 /**
1906 * Implementation of kernel_interface_t.del_ip.
1907 */
1908 static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
1909 {
1910 iface_entry_t *iface;
1911 addr_entry_t *addr;
1912 iterator_t *addrs, *ifaces;
1913 status_t status;
1914 int ifindex;
1915
1916 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1917
1918 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1919 while (ifaces->iterate(ifaces, (void**)&iface))
1920 {
1921 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1922 while (addrs->iterate(addrs, (void**)&addr))
1923 {
1924 if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1925 {
1926 ifindex = iface->ifindex;
1927 if (addr->refcount == 1)
1928 {
1929 status = manage_ipaddr(this, RTM_DELADDR, 0,
1930 ifindex, virtual_ip);
1931 if (status == SUCCESS)
1932 { /* wait until the address is really gone */
1933 while (get_vip_refcount(this, virtual_ip) > 0)
1934 {
1935 pthread_cond_wait(&this->cond, &this->mutex);
1936 }
1937 }
1938 addrs->destroy(addrs);
1939 ifaces->destroy(ifaces);
1940 return status;
1941 }
1942 else
1943 {
1944 addr->refcount--;
1945 }
1946 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1947 virtual_ip);
1948 addrs->destroy(addrs);
1949 ifaces->destroy(ifaces);
1950 return SUCCESS;
1951 }
1952 }
1953 addrs->destroy(addrs);
1954 }
1955 ifaces->destroy(ifaces);
1956
1957 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1958 return FAILED;
1959 }
1960
1961 /**
1962 * Get an SPI for a specific protocol from the kernel.
1963 */
1964 static status_t get_spi_internal(private_kernel_interface_t *this,
1965 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
1966 u_int32_t reqid, u_int32_t *spi)
1967 {
1968 unsigned char request[BUFFER_SIZE];
1969 struct nlmsghdr *hdr, *out;
1970 struct xfrm_userspi_info *userspi;
1971 u_int32_t received_spi = 0;
1972 size_t len;
1973
1974 memset(&request, 0, sizeof(request));
1975
1976 hdr = (struct nlmsghdr*)request;
1977 hdr->nlmsg_flags = NLM_F_REQUEST;
1978 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1979 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1980
1981 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1982 host2xfrm(src, &userspi->info.saddr);
1983 host2xfrm(dst, &userspi->info.id.daddr);
1984 userspi->info.id.proto = proto;
1985 userspi->info.mode = TRUE; /* tunnel mode */
1986 userspi->info.reqid = reqid;
1987 userspi->info.family = src->get_family(src);
1988 userspi->min = min;
1989 userspi->max = max;
1990
1991 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1992 {
1993 hdr = out;
1994 while (NLMSG_OK(hdr, len))
1995 {
1996 switch (hdr->nlmsg_type)
1997 {
1998 case XFRM_MSG_NEWSA:
1999 {
2000 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
2001 received_spi = usersa->id.spi;
2002 break;
2003 }
2004 case NLMSG_ERROR:
2005 {
2006 struct nlmsgerr *err = NLMSG_DATA(hdr);
2007
2008 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
2009 strerror(-err->error), -err->error);
2010 break;
2011 }
2012 default:
2013 hdr = NLMSG_NEXT(hdr, len);
2014 continue;
2015 case NLMSG_DONE:
2016 break;
2017 }
2018 break;
2019 }
2020 free(out);
2021 }
2022
2023 if (received_spi == 0)
2024 {
2025 return FAILED;
2026 }
2027
2028 *spi = received_spi;
2029 return SUCCESS;
2030 }
2031
2032 /**
2033 * Implementation of kernel_interface_t.get_spi.
2034 */
2035 static status_t get_spi(private_kernel_interface_t *this,
2036 host_t *src, host_t *dst,
2037 protocol_id_t protocol, u_int32_t reqid,
2038 u_int32_t *spi)
2039 {
2040 DBG2(DBG_KNL, "getting SPI for reqid {%d}", reqid);
2041
2042 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
2043 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
2044 {
2045 DBG1(DBG_KNL, "unable to get SPI for reqid {%d}", reqid);
2046 return FAILED;
2047 }
2048
2049 DBG2(DBG_KNL, "got SPI %.8x for reqid {%d}", ntohl(*spi), reqid);
2050
2051 return SUCCESS;
2052 }
2053
2054 /**
2055 * Implementation of kernel_interface_t.get_cpi.
2056 */
2057 static status_t get_cpi(private_kernel_interface_t *this,
2058 host_t *src, host_t *dst,
2059 u_int32_t reqid, u_int16_t *cpi)
2060 {
2061 u_int32_t received_spi = 0;
2062
2063 DBG2(DBG_KNL, "getting CPI for reqid {%d}", reqid);
2064
2065 if (get_spi_internal(this, src, dst,
2066 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
2067 {
2068 DBG1(DBG_KNL, "unable to get CPI for reqid {%d}", reqid);
2069 return FAILED;
2070 }
2071
2072 *cpi = htons((u_int16_t)ntohl(received_spi));
2073
2074 DBG2(DBG_KNL, "got CPI %.4x for reqid {%d}", ntohs(*cpi), reqid);
2075
2076 return SUCCESS;
2077 }
2078
2079 /**
2080 * Implementation of kernel_interface_t.add_sa.
2081 */
2082 static status_t add_sa(private_kernel_interface_t *this,
2083 host_t *src, host_t *dst, u_int32_t spi,
2084 protocol_id_t protocol, u_int32_t reqid,
2085 u_int64_t expire_soft, u_int64_t expire_hard,
2086 u_int16_t enc_alg, u_int16_t enc_size,
2087 u_int16_t int_alg, u_int16_t int_size,
2088 prf_plus_t *prf_plus, mode_t mode,
2089 u_int16_t ipcomp, bool encap,
2090 bool replace)
2091 {
2092 unsigned char request[BUFFER_SIZE];
2093 char *alg_name;
2094 /* additional 4 octets KEYMAT required for AES-GCM as of RFC4106 8.1. */
2095 u_int16_t add_keymat = 32;
2096 struct nlmsghdr *hdr;
2097 struct xfrm_usersa_info *sa;
2098
2099 memset(&request, 0, sizeof(request));
2100
2101 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
2102
2103 hdr = (struct nlmsghdr*)request;
2104 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2105 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
2106 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2107
2108 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
2109 host2xfrm(src, &sa->saddr);
2110 host2xfrm(dst, &sa->id.daddr);
2111 sa->id.spi = spi;
2112 sa->id.proto = proto_ike2kernel(protocol);
2113 sa->family = src->get_family(src);
2114 sa->mode = mode;
2115 if (mode == MODE_TUNNEL)
2116 {
2117 sa->flags |= XFRM_STATE_AF_UNSPEC;
2118 }
2119 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
2120 sa->reqid = reqid;
2121 /* we currently do not expire SAs by volume/packet count */
2122 sa->lft.soft_byte_limit = XFRM_INF;
2123 sa->lft.hard_byte_limit = XFRM_INF;
2124 sa->lft.soft_packet_limit = XFRM_INF;
2125 sa->lft.hard_packet_limit = XFRM_INF;
2126 /* we use lifetimes since added, not since used */
2127 sa->lft.soft_add_expires_seconds = expire_soft;
2128 sa->lft.hard_add_expires_seconds = expire_hard;
2129 sa->lft.soft_use_expires_seconds = 0;
2130 sa->lft.hard_use_expires_seconds = 0;
2131
2132 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
2133
2134 switch (enc_alg)
2135 {
2136 case ENCR_UNDEFINED:
2137 /* no encryption */
2138 break;
2139 case ENCR_AES_CCM_ICV8:
2140 case ENCR_AES_CCM_ICV12:
2141 case ENCR_AES_CCM_ICV16:
2142 /* AES-CCM needs only 3 additional octets KEYMAT as of RFC 4309 7.1. */
2143 add_keymat = 24;
2144 /* fall-through */
2145 case ENCR_AES_GCM_ICV8:
2146 case ENCR_AES_GCM_ICV12:
2147 case ENCR_AES_GCM_ICV16:
2148 {
2149 u_int16_t icv_size = 0;
2150 rthdr->rta_type = XFRMA_ALG_AEAD;
2151 alg_name = lookup_algorithm(encryption_algs, enc_alg, &icv_size);
2152 if (alg_name == NULL)
2153 {
2154 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2155 encryption_algorithm_names, enc_alg);
2156 return FAILED;
2157 }
2158 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
2159 encryption_algorithm_names, enc_alg, enc_size);
2160
2161 /* additional KEYMAT required */
2162 enc_size += add_keymat;
2163
2164 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_size / 8);
2165 hdr->nlmsg_len += rthdr->rta_len;
2166 if (hdr->nlmsg_len > sizeof(request))
2167 {
2168 return FAILED;
2169 }
2170
2171 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
2172 algo->alg_key_len = enc_size;
2173 algo->alg_icv_len = icv_size;
2174 strcpy(algo->alg_name, alg_name);
2175 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
2176
2177 rthdr = XFRM_RTA_NEXT(rthdr);
2178 break;
2179 }
2180 default:
2181 {
2182 rthdr->rta_type = XFRMA_ALG_CRYPT;
2183 alg_name = lookup_algorithm(encryption_algs, enc_alg, &enc_size);
2184 if (alg_name == NULL)
2185 {
2186 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2187 encryption_algorithm_names, enc_alg);
2188 return FAILED;
2189 }
2190 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
2191 encryption_algorithm_names, enc_alg, enc_size);
2192
2193 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_size / 8);
2194 hdr->nlmsg_len += rthdr->rta_len;
2195 if (hdr->nlmsg_len > sizeof(request))
2196 {
2197 return FAILED;
2198 }
2199
2200 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2201 algo->alg_key_len = enc_size;
2202 strcpy(algo->alg_name, alg_name);
2203 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
2204
2205 rthdr = XFRM_RTA_NEXT(rthdr);
2206 break;
2207 }
2208 }
2209
2210 if (int_alg != AUTH_UNDEFINED)
2211 {
2212 rthdr->rta_type = XFRMA_ALG_AUTH;
2213 alg_name = lookup_algorithm(integrity_algs, int_alg, &int_size);
2214 if (alg_name == NULL)
2215 {
2216 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2217 integrity_algorithm_names, int_alg);
2218 return FAILED;
2219 }
2220 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
2221 integrity_algorithm_names, int_alg, int_size);
2222
2223 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_size / 8);
2224 hdr->nlmsg_len += rthdr->rta_len;
2225 if (hdr->nlmsg_len > sizeof(request))
2226 {
2227 return FAILED;
2228 }
2229
2230 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2231 algo->alg_key_len = int_size;
2232 strcpy(algo->alg_name, alg_name);
2233 prf_plus->get_bytes(prf_plus, int_size / 8, algo->alg_key);
2234
2235 rthdr = XFRM_RTA_NEXT(rthdr);
2236 }
2237
2238 if (ipcomp != IPCOMP_NONE)
2239 {
2240 rthdr->rta_type = XFRMA_ALG_COMP;
2241 alg_name = lookup_algorithm(compression_algs, ipcomp, NULL);
2242 if (alg_name == NULL)
2243 {
2244 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2245 ipcomp_transform_names, ipcomp);
2246 return FAILED;
2247 }
2248 DBG2(DBG_KNL, " using compression algorithm %N",
2249 ipcomp_transform_names, ipcomp);
2250
2251 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
2252 hdr->nlmsg_len += rthdr->rta_len;
2253 if (hdr->nlmsg_len > sizeof(request))
2254 {
2255 return FAILED;
2256 }
2257
2258 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2259 algo->alg_key_len = 0;
2260 strcpy(algo->alg_name, alg_name);
2261
2262 rthdr = XFRM_RTA_NEXT(rthdr);
2263 }
2264
2265 if (encap)
2266 {
2267 rthdr->rta_type = XFRMA_ENCAP;
2268 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2269
2270 hdr->nlmsg_len += rthdr->rta_len;
2271 if (hdr->nlmsg_len > sizeof(request))
2272 {
2273 return FAILED;
2274 }
2275
2276 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
2277 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2278 tmpl->encap_sport = htons(src->get_port(src));
2279 tmpl->encap_dport = htons(dst->get_port(dst));
2280 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2281 /* encap_oa could probably be derived from the
2282 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
2283 * pluto does the same as we do here but it uses encap_oa in the
2284 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
2285 * the kernel ignores it anyway
2286 * -> does that mean that NAT-T encap doesn't work in transport mode?
2287 * No. The reason the kernel ignores NAT-OA is that it recomputes
2288 * (or, rather, just ignores) the checksum. If packets pass
2289 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
2290 rthdr = XFRM_RTA_NEXT(rthdr);
2291 }
2292
2293 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2294 {
2295 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
2296 return FAILED;
2297 }
2298 return SUCCESS;
2299 }
2300
2301 /**
2302 * Get the replay state (i.e. sequence numbers) of an SA.
2303 */
2304 static status_t get_replay_state(private_kernel_interface_t *this,
2305 u_int32_t spi, protocol_id_t protocol, host_t *dst,
2306 struct xfrm_replay_state *replay)
2307 {
2308 unsigned char request[BUFFER_SIZE];
2309 struct nlmsghdr *hdr, *out = NULL;
2310 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
2311 size_t len;
2312 struct rtattr *rta;
2313 size_t rtasize;
2314
2315 memset(&request, 0, sizeof(request));
2316
2317 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
2318
2319 hdr = (struct nlmsghdr*)request;
2320 hdr->nlmsg_flags = NLM_F_REQUEST;
2321 hdr->nlmsg_type = XFRM_MSG_GETAE;
2322 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
2323
2324 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
2325 aevent_id->flags = XFRM_AE_RVAL;
2326
2327 host2xfrm(dst, &aevent_id->sa_id.daddr);
2328 aevent_id->sa_id.spi = spi;
2329 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
2330 aevent_id->sa_id.family = dst->get_family(dst);
2331
2332 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2333 {
2334 hdr = out;
2335 while (NLMSG_OK(hdr, len))
2336 {
2337 switch (hdr->nlmsg_type)
2338 {
2339 case XFRM_MSG_NEWAE:
2340 {
2341 out_aevent = NLMSG_DATA(hdr);
2342 break;
2343 }
2344 case NLMSG_ERROR:
2345 {
2346 struct nlmsgerr *err = NLMSG_DATA(hdr);
2347 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
2348 strerror(-err->error), -err->error);
2349 break;
2350 }
2351 default:
2352 hdr = NLMSG_NEXT(hdr, len);
2353 continue;
2354 case NLMSG_DONE:
2355 break;
2356 }
2357 break;
2358 }
2359 }
2360
2361 if (out_aevent == NULL)
2362 {
2363 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
2364 ntohl(spi));
2365 free(out);
2366 return FAILED;
2367 }
2368
2369 rta = XFRM_RTA(out, struct xfrm_aevent_id);
2370 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
2371 while(RTA_OK(rta, rtasize))
2372 {
2373 if (rta->rta_type == XFRMA_REPLAY_VAL)
2374 {
2375 memcpy(replay, RTA_DATA(rta), rta->rta_len);
2376 free(out);
2377 return SUCCESS;
2378 }
2379 rta = RTA_NEXT(rta, rtasize);
2380 }
2381
2382 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
2383 ntohl(spi));
2384 free(out);
2385 return FAILED;
2386 }
2387
2388 /**
2389 * Implementation of kernel_interface_t.update_sa.
2390 */
2391 static status_t update_sa(private_kernel_interface_t *this,
2392 u_int32_t spi, protocol_id_t protocol,
2393 host_t *src, host_t *dst,
2394 host_t *new_src, host_t *new_dst, bool encap)
2395 {
2396 unsigned char request[BUFFER_SIZE], *pos;
2397 struct nlmsghdr *hdr, *out = NULL;
2398 struct xfrm_usersa_id *sa_id;
2399 struct xfrm_usersa_info *out_sa = NULL, *sa;
2400 size_t len;
2401 struct rtattr *rta;
2402 size_t rtasize;
2403 struct xfrm_encap_tmpl* tmpl = NULL;
2404 bool got_replay_state;
2405 struct xfrm_replay_state replay;
2406
2407 memset(&request, 0, sizeof(request));
2408
2409 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
2410
2411 /* query the exisiting SA first */
2412 hdr = (struct nlmsghdr*)request;
2413 hdr->nlmsg_flags = NLM_F_REQUEST;
2414 hdr->nlmsg_type = XFRM_MSG_GETSA;
2415 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2416
2417 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2418 host2xfrm(dst, &sa_id->daddr);
2419 sa_id->spi = spi;
2420 sa_id->proto = proto_ike2kernel(protocol);
2421 sa_id->family = dst->get_family(dst);
2422
2423 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2424 {
2425 hdr = out;
2426 while (NLMSG_OK(hdr, len))
2427 {
2428 switch (hdr->nlmsg_type)
2429 {
2430 case XFRM_MSG_NEWSA:
2431 {
2432 out_sa = NLMSG_DATA(hdr);
2433 break;
2434 }
2435 case NLMSG_ERROR:
2436 {
2437 struct nlmsgerr *err = NLMSG_DATA(hdr);
2438 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2439 strerror(-err->error), -err->error);
2440 break;
2441 }
2442 default:
2443 hdr = NLMSG_NEXT(hdr, len);
2444 continue;
2445 case NLMSG_DONE:
2446 break;
2447 }
2448 break;
2449 }
2450 }
2451 if (out_sa == NULL)
2452 {
2453 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
2454 free(out);
2455 return FAILED;
2456 }
2457
2458 /* try to get the replay state */
2459 got_replay_state = (get_replay_state(
2460 this, spi, protocol, dst, &replay) == SUCCESS);
2461
2462 /* delete the old SA */
2463 if (this->public.del_sa(&this->public, dst, spi, protocol) != SUCCESS)
2464 {
2465 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
2466 free(out);
2467 return FAILED;
2468 }
2469
2470 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
2471 ntohl(spi), src, dst, new_src, new_dst);
2472
2473 /* copy over the SA from out to request */
2474 hdr = (struct nlmsghdr*)request;
2475 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
2476 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2477 hdr->nlmsg_type = XFRM_MSG_NEWSA;
2478 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2479 sa = NLMSG_DATA(hdr);
2480 sa->family = new_dst->get_family(new_dst);
2481
2482 if (!src->ip_equals(src, new_src))
2483 {
2484 host2xfrm(new_src, &sa->saddr);
2485 }
2486 if (!dst->ip_equals(dst, new_dst))
2487 {
2488 host2xfrm(new_dst, &sa->id.daddr);
2489 }
2490
2491 rta = XFRM_RTA(out, struct xfrm_usersa_info);
2492 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
2493 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
2494 while(RTA_OK(rta, rtasize))
2495 {
2496 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
2497 if (rta->rta_type != XFRMA_ENCAP || encap)
2498 {
2499 if (rta->rta_type == XFRMA_ENCAP)
2500 { /* update encap tmpl */
2501 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2502 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2503 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2504 }
2505 memcpy(pos, rta, rta->rta_len);
2506 pos += RTA_ALIGN(rta->rta_len);
2507 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
2508 }
2509 rta = RTA_NEXT(rta, rtasize);
2510 }
2511
2512 rta = (struct rtattr*)pos;
2513 if (tmpl == NULL && encap)
2514 { /* add tmpl if we are enabling it */
2515 rta->rta_type = XFRMA_ENCAP;
2516 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2517
2518 hdr->nlmsg_len += rta->rta_len;
2519 if (hdr->nlmsg_len > sizeof(request))
2520 {
2521 return FAILED;
2522 }
2523
2524 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2525 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2526 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2527 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2528 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2529
2530 rta = XFRM_RTA_NEXT(rta);
2531 }
2532
2533 if (got_replay_state)
2534 { /* copy the replay data if available */
2535 rta->rta_type = XFRMA_REPLAY_VAL;
2536 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
2537
2538 hdr->nlmsg_len += rta->rta_len;
2539 if (hdr->nlmsg_len > sizeof(request))
2540 {
2541 return FAILED;
2542 }
2543 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
2544
2545 rta = XFRM_RTA_NEXT(rta);
2546 }
2547
2548 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2549 {
2550 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
2551 free(out);
2552 return FAILED;
2553 }
2554 free(out);
2555
2556 return SUCCESS;
2557 }
2558
2559 /**
2560 * Implementation of kernel_interface_t.query_sa.
2561 */
2562 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
2563 u_int32_t spi, protocol_id_t protocol,
2564 u_int32_t *use_time)
2565 {
2566 unsigned char request[BUFFER_SIZE];
2567 struct nlmsghdr *out = NULL, *hdr;
2568 struct xfrm_usersa_id *sa_id;
2569 struct xfrm_usersa_info *sa = NULL;
2570 size_t len;
2571
2572 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
2573 memset(&request, 0, sizeof(request));
2574
2575 hdr = (struct nlmsghdr*)request;
2576 hdr->nlmsg_flags = NLM_F_REQUEST;
2577 hdr->nlmsg_type = XFRM_MSG_GETSA;
2578 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2579
2580 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2581 host2xfrm(dst, &sa_id->daddr);
2582 sa_id->spi = spi;
2583 sa_id->proto = proto_ike2kernel(protocol);
2584 sa_id->family = dst->get_family(dst);
2585
2586 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2587 {
2588 hdr = out;
2589 while (NLMSG_OK(hdr, len))
2590 {
2591 switch (hdr->nlmsg_type)
2592 {
2593 case XFRM_MSG_NEWSA:
2594 {
2595 sa = NLMSG_DATA(hdr);
2596 break;
2597 }
2598 case NLMSG_ERROR:
2599 {
2600 struct nlmsgerr *err = NLMSG_DATA(hdr);
2601 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2602 strerror(-err->error), -err->error);
2603 break;
2604 }
2605 default:
2606 hdr = NLMSG_NEXT(hdr, len);
2607 continue;
2608 case NLMSG_DONE:
2609 break;
2610 }
2611 break;
2612 }
2613 }
2614
2615 if (sa == NULL)
2616 {
2617 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
2618 free(out);
2619 return FAILED;
2620 }
2621
2622 *use_time = sa->curlft.use_time;
2623 free (out);
2624 return SUCCESS;
2625 }
2626
2627 /**
2628 * Implementation of kernel_interface_t.del_sa.
2629 */
2630 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
2631 u_int32_t spi, protocol_id_t protocol)
2632 {
2633 unsigned char request[BUFFER_SIZE];
2634 struct nlmsghdr *hdr;
2635 struct xfrm_usersa_id *sa_id;
2636
2637 memset(&request, 0, sizeof(request));
2638
2639 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
2640
2641 hdr = (struct nlmsghdr*)request;
2642 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2643 hdr->nlmsg_type = XFRM_MSG_DELSA;
2644 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2645
2646 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2647 host2xfrm(dst, &sa_id->daddr);
2648 sa_id->spi = spi;
2649 sa_id->proto = proto_ike2kernel(protocol);
2650 sa_id->family = dst->get_family(dst);
2651
2652 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2653 {
2654 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
2655 return FAILED;
2656 }
2657 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
2658 return SUCCESS;
2659 }
2660
2661 /**
2662 * Implementation of kernel_interface_t.add_policy.
2663 */
2664 static status_t add_policy(private_kernel_interface_t *this,
2665 host_t *src, host_t *dst,
2666 traffic_selector_t *src_ts,
2667 traffic_selector_t *dst_ts,
2668 policy_dir_t direction, protocol_id_t protocol,
2669 u_int32_t reqid, bool high_prio, mode_t mode,
2670 u_int16_t ipcomp)
2671 {
2672 iterator_t *iterator;
2673 policy_entry_t *current, *policy;
2674 bool found = FALSE;
2675 unsigned char request[BUFFER_SIZE];
2676 struct xfrm_userpolicy_info *policy_info;
2677 struct nlmsghdr *hdr;
2678
2679 /* create a policy */
2680 policy = malloc_thing(policy_entry_t);
2681 memset(policy, 0, sizeof(policy_entry_t));
2682 policy->sel = ts2selector(src_ts, dst_ts);
2683 policy->direction = direction;
2684
2685 /* find the policy, which matches EXACTLY */
2686 pthread_mutex_lock(&this->mutex);
2687 iterator = this->policies->create_iterator(this->policies, TRUE);
2688 while (iterator->iterate(iterator, (void**)&current))
2689 {
2690 if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
2691 policy->direction == current->direction)
2692 {
2693 /* use existing policy */
2694 current->refcount++;
2695 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
2696 "refcount", src_ts, dst_ts,
2697 policy_dir_names, direction);
2698 free(policy);
2699 policy = current;
2700 found = TRUE;
2701 break;
2702 }
2703 }
2704 iterator->destroy(iterator);
2705 if (!found)
2706 { /* apply the new one, if we have no such policy */
2707 this->policies->insert_last(this->policies, policy);
2708 policy->refcount = 1;
2709 }
2710
2711 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
2712 policy_dir_names, direction);
2713
2714 memset(&request, 0, sizeof(request));
2715 hdr = (struct nlmsghdr*)request;
2716 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2717 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
2718 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2719
2720 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2721 policy_info->sel = policy->sel;
2722 policy_info->dir = policy->direction;
2723 /* calculate priority based on source selector size, small size = high prio */
2724 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
2725 policy_info->priority -= policy->sel.prefixlen_s * 10;
2726 policy_info->priority -= policy->sel.proto ? 2 : 0;
2727 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
2728 policy_info->action = XFRM_POLICY_ALLOW;
2729 policy_info->share = XFRM_SHARE_ANY;
2730 pthread_mutex_unlock(&this->mutex);
2731
2732 /* policies don't expire */
2733 policy_info->lft.soft_byte_limit = XFRM_INF;
2734 policy_info->lft.soft_packet_limit = XFRM_INF;
2735 policy_info->lft.hard_byte_limit = XFRM_INF;
2736 policy_info->lft.hard_packet_limit = XFRM_INF;
2737 policy_info->lft.soft_add_expires_seconds = 0;
2738 policy_info->lft.hard_add_expires_seconds = 0;
2739 policy_info->lft.soft_use_expires_seconds = 0;
2740 policy_info->lft.hard_use_expires_seconds = 0;
2741
2742 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
2743 rthdr->rta_type = XFRMA_TMPL;
2744 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2745
2746 hdr->nlmsg_len += rthdr->rta_len;
2747 if (hdr->nlmsg_len > sizeof(request))
2748 {
2749 return FAILED;
2750 }
2751
2752 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
2753
2754 if (ipcomp != IPCOMP_NONE)
2755 {
2756 tmpl->reqid = reqid;
2757 tmpl->id.proto = IPPROTO_COMP;
2758 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2759 tmpl->mode = mode;
2760 tmpl->optional = direction != POLICY_OUT;
2761 tmpl->family = src->get_family(src);
2762
2763 host2xfrm(src, &tmpl->saddr);
2764 host2xfrm(dst, &tmpl->id.daddr);
2765
2766 /* add an additional xfrm_user_tmpl */
2767 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2768 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2769 if (hdr->nlmsg_len > sizeof(request))
2770 {
2771 return FAILED;
2772 }
2773
2774 tmpl++;
2775 }
2776
2777 tmpl->reqid = reqid;
2778 tmpl->id.proto = proto_ike2kernel(protocol);
2779 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2780 tmpl->mode = mode;
2781 tmpl->family = src->get_family(src);
2782
2783 host2xfrm(src, &tmpl->saddr);
2784 host2xfrm(dst, &tmpl->id.daddr);
2785
2786 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2787 {
2788 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
2789 policy_dir_names, direction);
2790 return FAILED;
2791 }
2792
2793 /* install a route, if:
2794 * - we are NOT updating a policy
2795 * - this is a forward policy (to just get one for each child)
2796 * - we are in tunnel mode
2797 * - we are not using IPv6 (does not work correctly yet!)
2798 * - routing is not disabled via strongswan.conf
2799 */
2800 if (policy->route == NULL && direction == POLICY_FWD &&
2801 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
2802 this->install_routes)
2803 {
2804 policy->route = malloc_thing(route_entry_t);
2805 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
2806 {
2807 /* get the nexthop to src (src as we are in POLICY_FWD).*/
2808 policy->route->gateway = get_route(this, src, TRUE);
2809 policy->route->if_index = get_interface_index(this, dst);
2810 policy->route->dst_net = chunk_alloc(
2811 policy->sel.family == AF_INET ? 4 : 16);
2812 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr,
2813 policy->route->dst_net.len);
2814 policy->route->prefixlen = policy->sel.prefixlen_s;
2815
2816 switch (manage_srcroute(this, RTM_NEWROUTE,
2817 NLM_F_CREATE | NLM_F_EXCL, policy->route))
2818 {
2819 default:
2820 DBG1(DBG_KNL, "unable to install source route for %H",
2821 policy->route->src_ip);
2822 /* FALL */
2823 case ALREADY_DONE:
2824 /* route exists, do not uninstall */
2825 route_entry_destroy(policy->route);
2826 policy->route = NULL;
2827 break;
2828 case SUCCESS:
2829 break;
2830 }
2831 }
2832 else
2833 {
2834 free(policy->route);
2835 policy->route = NULL;
2836 }
2837 }
2838
2839 return SUCCESS;
2840 }
2841
2842 /**
2843 * Implementation of kernel_interface_t.query_policy.
2844 */
2845 static status_t query_policy(private_kernel_interface_t *this,
2846 traffic_selector_t *src_ts,
2847 traffic_selector_t *dst_ts,
2848 policy_dir_t direction, u_int32_t *use_time)
2849 {
2850 unsigned char request[BUFFER_SIZE];
2851 struct nlmsghdr *out = NULL, *hdr;
2852 struct xfrm_userpolicy_id *policy_id;
2853 struct xfrm_userpolicy_info *policy = NULL;
2854 size_t len;
2855
2856 memset(&request, 0, sizeof(request));
2857
2858 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
2859 policy_dir_names, direction);
2860
2861 hdr = (struct nlmsghdr*)request;
2862 hdr->nlmsg_flags = NLM_F_REQUEST;
2863 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2864 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2865
2866 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2867 policy_id->sel = ts2selector(src_ts, dst_ts);
2868 policy_id->dir = direction;
2869
2870 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2871 {
2872 hdr = out;
2873 while (NLMSG_OK(hdr, len))
2874 {
2875 switch (hdr->nlmsg_type)
2876 {
2877 case XFRM_MSG_NEWPOLICY:
2878 {
2879 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2880 break;
2881 }
2882 case NLMSG_ERROR:
2883 {
2884 struct nlmsgerr *err = NLMSG_DATA(hdr);
2885 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2886 strerror(-err->error), -err->error);
2887 break;
2888 }
2889 default:
2890 hdr = NLMSG_NEXT(hdr, len);
2891 continue;
2892 case NLMSG_DONE:
2893 break;
2894 }
2895 break;
2896 }
2897 }
2898
2899 if (policy == NULL)
2900 {
2901 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
2902 policy_dir_names, direction);
2903 free(out);
2904 return FAILED;
2905 }
2906 *use_time = (time_t)policy->curlft.use_time;
2907
2908 free(out);
2909 return SUCCESS;
2910 }
2911
2912 /**
2913 * Implementation of kernel_interface_t.del_policy.
2914 */
2915 static status_t del_policy(private_kernel_interface_t *this,
2916 traffic_selector_t *src_ts,
2917 traffic_selector_t *dst_ts,
2918 policy_dir_t direction)
2919 {
2920 policy_entry_t *current, policy, *to_delete = NULL;
2921 route_entry_t *route;
2922 unsigned char request[BUFFER_SIZE];
2923 struct nlmsghdr *hdr;
2924 struct xfrm_userpolicy_id *policy_id;
2925 iterator_t *iterator;
2926
2927 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
2928 policy_dir_names, direction);
2929
2930 /* create a policy */
2931 memset(&policy, 0, sizeof(policy_entry_t));
2932 policy.sel = ts2selector(src_ts, dst_ts);
2933 policy.direction = direction;
2934
2935 /* find the policy */
2936 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
2937 while (iterator->iterate(iterator, (void**)&current))
2938 {
2939 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
2940 policy.direction == current->direction)
2941 {
2942 to_delete = current;
2943 if (--to_delete->refcount > 0)
2944 {
2945 /* is used by more SAs, keep in kernel */
2946 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2947 iterator->destroy(iterator);
2948 return SUCCESS;
2949 }
2950 /* remove if last reference */
2951 iterator->remove(iterator);
2952 break;
2953 }
2954 }
2955 iterator->destroy(iterator);
2956 if (!to_delete)
2957 {
2958 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
2959 dst_ts, policy_dir_names, direction);
2960 return NOT_FOUND;
2961 }
2962
2963 memset(&request, 0, sizeof(request));
2964
2965 hdr = (struct nlmsghdr*)request;
2966 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2967 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2968 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2969
2970 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2971 policy_id->sel = to_delete->sel;
2972 policy_id->dir = direction;
2973
2974 route = to_delete->route;
2975 free(to_delete);
2976
2977 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2978 {
2979 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2980 policy_dir_names, direction);
2981 return FAILED;
2982 }
2983
2984 if (route)
2985 {
2986 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
2987 {
2988 DBG1(DBG_KNL, "error uninstalling route installed with "
2989 "policy %R === %R %N", src_ts, dst_ts,
2990 policy_dir_names, direction);
2991 }
2992 route_entry_destroy(route);
2993 }
2994 return SUCCESS;
2995 }
2996
2997 /**
2998 * Implementation of kernel_interface_t.destroy.
2999 */
3000 static void destroy(private_kernel_interface_t *this)
3001 {
3002 if (this->routing_table)
3003 {
3004 manage_rule(this, RTM_DELRULE, this->routing_table,
3005 this->routing_table_prio);
3006 }
3007
3008 this->job->cancel(this->job);
3009 close(this->socket_xfrm_events);
3010 close(this->socket_xfrm);
3011 close(this->socket_rt_events);
3012 close(this->socket_rt);
3013 this->policies->destroy(this->policies);
3014 this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
3015 free(this);
3016 }
3017
3018 /*
3019 * Described in header.
3020 */
3021 kernel_interface_t *kernel_interface_create()
3022 {
3023 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
3024 struct sockaddr_nl addr;
3025
3026 /* public functions */
3027 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
3028 this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
3029 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,mode_t,u_int16_t,bool,bool))add_sa;
3030 this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
3031 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
3032 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
3033 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,u_int16_t))add_policy;
3034 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
3035 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
3036 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
3037 this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
3038 this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest))get_source_addr;
3039 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
3040 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
3041 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
3042
3043 /* private members */
3044 this->policies = linked_list_create();
3045 this->ifaces = linked_list_create();
3046 this->hiter = NULL;
3047 this->seq = 200;
3048 pthread_mutex_init(&this->mutex, NULL);
3049 pthread_mutex_init(&this->nl_mutex, NULL);
3050 pthread_cond_init(&this->cond, NULL);
3051 timerclear(&this->last_roam);
3052 this->install_routes = lib->settings->get_bool(lib->settings,
3053 "charon.install_routes", TRUE);
3054 this->routing_table = lib->settings->get_int(lib->settings,
3055 "charon.routing_table", IPSEC_ROUTING_TABLE);
3056 this->routing_table_prio = lib->settings->get_int(lib->settings,
3057 "charon.routing_table_prio", IPSEC_ROUTING_TABLE_PRIO);
3058 this->process_route = lib->settings->get_bool(lib->settings,
3059 "charon.process_route", TRUE);
3060 memset(&addr, 0, sizeof(addr));
3061 addr.nl_family = AF_NETLINK;
3062
3063 /* create and bind RT socket */
3064 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
3065 if (this->socket_rt <= 0)
3066 {
3067 charon->kill(charon, "unable to create RT netlink socket");
3068 }
3069 addr.nl_groups = 0;
3070 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
3071 {
3072 charon->kill(charon, "unable to bind RT netlink socket");
3073 }
3074
3075 /* create and bind RT socket for events (address/interface/route changes) */
3076 this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
3077 if (this->socket_rt_events <= 0)
3078 {
3079 charon->kill(charon, "unable to create RT event socket");
3080 }
3081 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
3082 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
3083 if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
3084 {
3085 charon->kill(charon, "unable to bind RT event socket");
3086 }
3087
3088 /* create and bind XFRM socket */
3089 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
3090 if (this->socket_xfrm <= 0)
3091 {
3092 charon->kill(charon, "unable to create XFRM netlink socket");
3093 }
3094 addr.nl_groups = 0;
3095 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
3096 {
3097 charon->kill(charon, "unable to bind XFRM netlink socket");
3098 }
3099
3100 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
3101 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
3102 if (this->socket_xfrm_events <= 0)
3103 {
3104 charon->kill(charon, "unable to create XFRM event socket");
3105 }
3106 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
3107 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
3108 {
3109 charon->kill(charon, "unable to bind XFRM event socket");
3110 }
3111
3112 this->job = callback_job_create((callback_job_cb_t)receive_events,
3113 this, NULL, NULL);
3114 charon->processor->queue_job(charon->processor, (job_t*)this->job);
3115
3116 if (init_address_list(this) != SUCCESS)
3117 {
3118 charon->kill(charon, "unable to get interface list");
3119 }
3120
3121 if (this->routing_table)
3122 {
3123 if (manage_rule(this, RTM_NEWRULE, this->routing_table,
3124 this->routing_table_prio) != SUCCESS)
3125 {
3126 DBG1(DBG_KNL, "unable to create routing table rule");
3127 }
3128 }
3129
3130 return &this->public;
3131 }
3132