typos
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 *
19 * $Id$
20 */
21
22 #include <sys/types.h>
23 #include <sys/socket.h>
24 #include <sys/time.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <netinet/in.h>
30 #include <pthread.h>
31 #include <unistd.h>
32 #include <fcntl.h>
33 #include <errno.h>
34 #include <string.h>
35 #include <net/if.h>
36 #include <sys/ioctl.h>
37
38 #include "kernel_interface.h"
39
40 #include <daemon.h>
41 #include <utils/linked_list.h>
42 #include <processing/jobs/delete_child_sa_job.h>
43 #include <processing/jobs/rekey_child_sa_job.h>
44 #include <processing/jobs/acquire_job.h>
45 #include <processing/jobs/callback_job.h>
46 #include <processing/jobs/roam_job.h>
47
48 /** required for Linux 2.6.26 kernel and later */
49 #ifndef XFRM_STATE_AF_UNSPEC
50 #define XFRM_STATE_AF_UNSPEC 32
51 #endif
52
53 /** routing table for routes installed by us */
54 #ifndef IPSEC_ROUTING_TABLE
55 #define IPSEC_ROUTING_TABLE 100
56 #endif
57 #ifndef IPSEC_ROUTING_TABLE_PRIO
58 #define IPSEC_ROUTING_TABLE_PRIO 100
59 #endif
60
61 /** default priority of installed policies */
62 #define PRIO_LOW 3000
63 #define PRIO_HIGH 2000
64
65 /** delay before firing roam jobs (ms) */
66 #define ROAM_DELAY 100
67
68 #define BUFFER_SIZE 1024
69
70 /**
71 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
72 * 'usual' netlink data x like 'struct xfrm_usersa_info'
73 */
74 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
75 /**
76 * returns a pointer to the next rtattr following rta.
77 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
78 */
79 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
80 /**
81 * returns the total size of attached rta data
82 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
83 */
84 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
85
86 typedef struct kernel_algorithm_t kernel_algorithm_t;
87
88 /**
89 * Mapping from the algorithms defined in IKEv2 to
90 * kernel level algorithm names and their key length
91 */
92 struct kernel_algorithm_t {
93 /**
94 * Identifier specified in IKEv2
95 */
96 int ikev2_id;
97
98 /**
99 * Name of the algorithm, as used as kernel identifier
100 */
101 char *name;
102
103 /**
104 * Key length in bits, if fixed size
105 */
106 u_int key_size;
107 };
108
109 ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
110 "in",
111 "out",
112 "fwd"
113 );
114
115 #define END_OF_LIST -1
116
117 /**
118 * Algorithms for encryption
119 */
120 static kernel_algorithm_t encryption_algs[] = {
121 /* {ENCR_DES_IV64, "***", 0}, */
122 {ENCR_DES, "des", 64},
123 {ENCR_3DES, "des3_ede", 192},
124 /* {ENCR_RC5, "***", 0}, */
125 /* {ENCR_IDEA, "***", 0}, */
126 {ENCR_CAST, "cast128", 0},
127 {ENCR_BLOWFISH, "blowfish", 0},
128 /* {ENCR_3IDEA, "***", 0}, */
129 /* {ENCR_DES_IV32, "***", 0}, */
130 {ENCR_NULL, "cipher_null", 0},
131 {ENCR_AES_CBC, "aes", 0},
132 /* {ENCR_AES_CTR, "***", 0}, */
133 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))", 64}, /* key_size = ICV size */
134 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))", 96}, /* key_size = ICV size */
135 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))", 128}, /* key_size = ICV size */
136 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))", 64}, /* key_size = ICV size */
137 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))", 96}, /* key_size = ICV size */
138 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))", 128}, /* key_size = ICV size */
139 {END_OF_LIST, NULL, 0},
140 };
141
142 /**
143 * Algorithms for integrity protection
144 */
145 static kernel_algorithm_t integrity_algs[] = {
146 {AUTH_HMAC_MD5_96, "md5", 128},
147 {AUTH_HMAC_SHA1_96, "sha1", 160},
148 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
149 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
150 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
151 /* {AUTH_DES_MAC, "***", 0}, */
152 /* {AUTH_KPDK_MD5, "***", 0}, */
153 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
154 {END_OF_LIST, NULL, 0},
155 };
156
157 /**
158 * Algorithms for IPComp
159 */
160 static kernel_algorithm_t compression_algs[] = {
161 /* {IPCOMP_OUI, "***", 0}, */
162 {IPCOMP_DEFLATE, "deflate", 0},
163 {IPCOMP_LZS, "lzs", 0},
164 {IPCOMP_LZJH, "lzjh", 0},
165 {END_OF_LIST, NULL, 0},
166 };
167
168 /**
169 * Look up a kernel algorithm name and its key size
170 */
171 static char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
172 u_int16_t ikev2_algo, u_int16_t *key_size)
173 {
174 while (kernel_algo->ikev2_id != END_OF_LIST)
175 {
176 if (ikev2_algo == kernel_algo->ikev2_id)
177 {
178 /* match, evaluate key length */
179 if (key_size && *key_size == 0)
180 { /* update key size if not set */
181 *key_size = kernel_algo->key_size;
182 }
183 return kernel_algo->name;
184 }
185 kernel_algo++;
186 }
187 return NULL;
188 }
189
190 typedef struct route_entry_t route_entry_t;
191
192 /**
193 * installed routing entry
194 */
195 struct route_entry_t {
196
197 /** Index of the interface the route is bound to */
198 int if_index;
199
200 /** Source ip of the route */
201 host_t *src_ip;
202
203 /** gateway for this route */
204 host_t *gateway;
205
206 /** Destination net */
207 chunk_t dst_net;
208
209 /** Destination net prefixlen */
210 u_int8_t prefixlen;
211 };
212
213 /**
214 * destroy an route_entry_t object
215 */
216 static void route_entry_destroy(route_entry_t *this)
217 {
218 this->src_ip->destroy(this->src_ip);
219 this->gateway->destroy(this->gateway);
220 chunk_free(&this->dst_net);
221 free(this);
222 }
223
224 typedef struct policy_entry_t policy_entry_t;
225
226 /**
227 * installed kernel policy.
228 */
229 struct policy_entry_t {
230
231 /** direction of this policy: in, out, forward */
232 u_int8_t direction;
233
234 /** reqid of the policy */
235 u_int32_t reqid;
236
237 /** parameters of installed policy */
238 struct xfrm_selector sel;
239
240 /** associated route installed for this policy */
241 route_entry_t *route;
242
243 /** by how many CHILD_SA's this policy is used */
244 u_int refcount;
245 };
246
247 typedef struct addr_entry_t addr_entry_t;
248
249 /**
250 * IP address in an inface_entry_t
251 */
252 struct addr_entry_t {
253
254 /** The ip address */
255 host_t *ip;
256
257 /** virtual IP managed by us */
258 bool virtual;
259
260 /** scope of the address */
261 u_char scope;
262
263 /** Number of times this IP is used, if virtual */
264 u_int refcount;
265 };
266
267 /**
268 * destroy a addr_entry_t object
269 */
270 static void addr_entry_destroy(addr_entry_t *this)
271 {
272 this->ip->destroy(this->ip);
273 free(this);
274 }
275
276 typedef struct iface_entry_t iface_entry_t;
277
278 /**
279 * A network interface on this system, containing addr_entry_t's
280 */
281 struct iface_entry_t {
282
283 /** interface index */
284 int ifindex;
285
286 /** name of the interface */
287 char ifname[IFNAMSIZ];
288
289 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
290 u_int flags;
291
292 /** list of addresses as host_t */
293 linked_list_t *addrs;
294 };
295
296 /**
297 * destroy an interface entry
298 */
299 static void iface_entry_destroy(iface_entry_t *this)
300 {
301 this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
302 free(this);
303 }
304
305 typedef struct private_kernel_interface_t private_kernel_interface_t;
306
307 /**
308 * Private variables and functions of kernel_interface class.
309 */
310 struct private_kernel_interface_t {
311 /**
312 * Public part of the kernel_interface_t object.
313 */
314 kernel_interface_t public;
315
316 /**
317 * mutex to lock access to netlink socket
318 */
319 pthread_mutex_t nl_mutex;
320
321 /**
322 * mutex to lock access to various lists
323 */
324 pthread_mutex_t mutex;
325
326 /**
327 * condition variable to signal virtual IP add/removal
328 */
329 pthread_cond_t cond;
330
331 /**
332 * List of installed policies (policy_entry_t)
333 */
334 linked_list_t *policies;
335
336 /**
337 * Cached list of interfaces and its addresses (iface_entry_t)
338 */
339 linked_list_t *ifaces;
340
341 /**
342 * iterator used in hook()
343 */
344 iterator_t *hiter;
345
346 /**
347 * job receiving netlink events
348 */
349 callback_job_t *job;
350
351 /**
352 * current sequence number for netlink request
353 */
354 int seq;
355
356 /**
357 * Netlink xfrm socket (IPsec)
358 */
359 int socket_xfrm;
360
361 /**
362 * netlink xfrm socket to receive acquire and expire events
363 */
364 int socket_xfrm_events;
365
366 /**
367 * Netlink rt socket (routing)
368 */
369 int socket_rt;
370
371 /**
372 * Netlink rt socket to receive address change events
373 */
374 int socket_rt_events;
375
376 /**
377 * time of the last roam_job
378 */
379 struct timeval last_roam;
380
381 /**
382 * whether to install routes along policies
383 */
384 bool install_routes;
385
386 /**
387 * routing table to install routes
388 */
389 int routing_table;
390
391 /**
392 * priority of used routing table
393 */
394 int routing_table_prio;
395
396 /**
397 * whether to react to RTM_NEWROUTE or RTM_DELROUTE events
398 */
399 bool process_route;
400
401 };
402
403 /**
404 * convert a IKEv2 specific protocol identifier to the kernel one
405 */
406 static u_int8_t proto_ike2kernel(protocol_id_t proto)
407 {
408 switch (proto)
409 {
410 case PROTO_ESP:
411 return IPPROTO_ESP;
412 case PROTO_AH:
413 return IPPROTO_AH;
414 default:
415 return proto;
416 }
417 }
418
419 /**
420 * reverse of ike2kernel
421 */
422 static protocol_id_t proto_kernel2ike(u_int8_t proto)
423 {
424 switch (proto)
425 {
426 case IPPROTO_ESP:
427 return PROTO_ESP;
428 case IPPROTO_AH:
429 return PROTO_AH;
430 default:
431 return proto;
432 }
433 }
434
435 /**
436 * convert a host_t to a struct xfrm_address
437 */
438 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
439 {
440 chunk_t chunk = host->get_address(host);
441 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
442 }
443
444 /**
445 * convert a traffic selector address range to subnet and its mask.
446 */
447 static void ts2subnet(traffic_selector_t* ts,
448 xfrm_address_t *net, u_int8_t *mask)
449 {
450 /* there is no way to do this cleanly, as the address range may
451 * be anything else but a subnet. We use from_addr as subnet
452 * and try to calculate a usable subnet mask.
453 */
454 int byte, bit;
455 bool found = FALSE;
456 chunk_t from, to;
457 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
458
459 from = ts->get_from_address(ts);
460 to = ts->get_to_address(ts);
461
462 *mask = (size * 8);
463 /* go trough all bits of the addresses, beginning in the front.
464 * as long as they are equal, the subnet gets larger
465 */
466 for (byte = 0; byte < size; byte++)
467 {
468 for (bit = 7; bit >= 0; bit--)
469 {
470 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
471 {
472 *mask = ((7 - bit) + (byte * 8));
473 found = TRUE;
474 break;
475 }
476 }
477 if (found)
478 {
479 break;
480 }
481 }
482 memcpy(net, from.ptr, from.len);
483 chunk_free(&from);
484 chunk_free(&to);
485 }
486
487 /**
488 * convert a traffic selector port range to port/portmask
489 */
490 static void ts2ports(traffic_selector_t* ts,
491 u_int16_t *port, u_int16_t *mask)
492 {
493 /* linux does not seem to accept complex portmasks. Only
494 * any or a specific port is allowed. We set to any, if we have
495 * a port range, or to a specific, if we have one port only.
496 */
497 u_int16_t from, to;
498
499 from = ts->get_from_port(ts);
500 to = ts->get_to_port(ts);
501
502 if (from == to)
503 {
504 *port = htons(from);
505 *mask = ~0;
506 }
507 else
508 {
509 *port = 0;
510 *mask = 0;
511 }
512 }
513
514 /**
515 * convert a pair of traffic_selectors to a xfrm_selector
516 */
517 static struct xfrm_selector ts2selector(traffic_selector_t *src,
518 traffic_selector_t *dst)
519 {
520 struct xfrm_selector sel;
521
522 memset(&sel, 0, sizeof(sel));
523 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
524 /* src or dest proto may be "any" (0), use more restrictive one */
525 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
526 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
527 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
528 ts2ports(dst, &sel.dport, &sel.dport_mask);
529 ts2ports(src, &sel.sport, &sel.sport_mask);
530 sel.ifindex = 0;
531 sel.user = 0;
532
533 return sel;
534 }
535
536 /**
537 * Creates an rtattr and adds it to the netlink message
538 */
539 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
540 size_t buflen)
541 {
542 struct rtattr *rta;
543
544 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
545 {
546 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
547 return;
548 }
549
550 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
551 rta->rta_type = rta_type;
552 rta->rta_len = RTA_LENGTH(data.len);
553 memcpy(RTA_DATA(rta), data.ptr, data.len);
554 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
555 }
556
557 /**
558 * process a XFRM_MSG_ACQUIRE from kernel
559 */
560 static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
561 {
562 u_int32_t reqid = 0;
563 int proto = 0;
564 job_t *job;
565 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
566 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
567
568 if (RTA_OK(rtattr, rtsize))
569 {
570 if (rtattr->rta_type == XFRMA_TMPL)
571 {
572 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
573 reqid = tmpl->reqid;
574 proto = tmpl->id.proto;
575 }
576 }
577 switch (proto)
578 {
579 case 0:
580 case IPPROTO_ESP:
581 case IPPROTO_AH:
582 break;
583 default:
584 /* acquire for AH/ESP only, not for IPCOMP */
585 return;
586 }
587 if (reqid == 0)
588 {
589 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
590 return;
591 }
592 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
593 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
594 job = (job_t*)acquire_job_create(reqid);
595 charon->processor->queue_job(charon->processor, job);
596 }
597
598 /**
599 * process a XFRM_MSG_EXPIRE from kernel
600 */
601 static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
602 {
603 job_t *job;
604 protocol_id_t protocol;
605 u_int32_t spi, reqid;
606 struct xfrm_user_expire *expire;
607
608 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
609 protocol = proto_kernel2ike(expire->state.id.proto);
610 spi = expire->state.id.spi;
611 reqid = expire->state.reqid;
612
613 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
614
615 if (protocol != PROTO_ESP && protocol != PROTO_AH)
616 {
617 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%d} "
618 "which is not a CHILD_SA", ntohl(spi), reqid);
619 return;
620 }
621
622 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
623 expire->hard ? "delete" : "rekey", protocol_id_names,
624 protocol, ntohl(spi), reqid);
625 if (expire->hard)
626 {
627 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
628 }
629 else
630 {
631 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
632 }
633 charon->processor->queue_job(charon->processor, job);
634 }
635
636 /**
637 * start a roaming job. We delay it for a second and fire only one job
638 * for multiple events. Otherwise we would create two many jobs.
639 */
640 static void fire_roam_job(private_kernel_interface_t *this, bool address)
641 {
642 struct timeval now;
643
644 if (gettimeofday(&now, NULL) == 0)
645 {
646 if (timercmp(&now, &this->last_roam, >))
647 {
648 now.tv_usec += ROAM_DELAY * 1000;
649 while (now.tv_usec > 1000000)
650 {
651 now.tv_sec++;
652 now.tv_usec -= 1000000;
653 }
654 this->last_roam = now;
655 charon->scheduler->schedule_job(charon->scheduler,
656 (job_t*)roam_job_create(address), ROAM_DELAY);
657 }
658 }
659 }
660
661 /**
662 * get the refcount of a virtual ip
663 */
664 static int get_vip_refcount(private_kernel_interface_t *this, host_t* ip)
665 {
666 iterator_t *ifaces, *addrs;
667 iface_entry_t *iface;
668 addr_entry_t *addr;
669 int refcount = 0;
670
671 ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
672 while (ifaces->iterate(ifaces, (void**)&iface))
673 {
674 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
675 while (addrs->iterate(addrs, (void**)&addr))
676 {
677 if (addr->virtual && (iface->flags & IFF_UP) &&
678 ip->ip_equals(ip, addr->ip))
679 {
680 refcount = addr->refcount;
681 break;
682 }
683 }
684 addrs->destroy(addrs);
685 if (refcount)
686 {
687 break;
688 }
689 }
690 ifaces->destroy(ifaces);
691
692 return refcount;
693 }
694
695 /**
696 * process RTM_NEWLINK/RTM_DELLINK from kernel
697 */
698 static void process_link(private_kernel_interface_t *this,
699 struct nlmsghdr *hdr, bool event)
700 {
701 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
702 struct rtattr *rta = IFLA_RTA(msg);
703 size_t rtasize = IFLA_PAYLOAD (hdr);
704 iterator_t *iterator;
705 iface_entry_t *current, *entry = NULL;
706 char *name = NULL;
707 bool update = FALSE;
708
709 while(RTA_OK(rta, rtasize))
710 {
711 switch (rta->rta_type)
712 {
713 case IFLA_IFNAME:
714 name = RTA_DATA(rta);
715 break;
716 }
717 rta = RTA_NEXT(rta, rtasize);
718 }
719 if (!name)
720 {
721 name = "(unknown)";
722 }
723
724 switch (hdr->nlmsg_type)
725 {
726 case RTM_NEWLINK:
727 {
728 if (msg->ifi_flags & IFF_LOOPBACK)
729 { /* ignore loopback interfaces */
730 break;
731 }
732 iterator = this->ifaces->create_iterator_locked(this->ifaces,
733 &this->mutex);
734 while (iterator->iterate(iterator, (void**)&current))
735 {
736 if (current->ifindex == msg->ifi_index)
737 {
738 entry = current;
739 break;
740 }
741 }
742 if (!entry)
743 {
744 entry = malloc_thing(iface_entry_t);
745 entry->ifindex = msg->ifi_index;
746 entry->flags = 0;
747 entry->addrs = linked_list_create();
748 this->ifaces->insert_last(this->ifaces, entry);
749 }
750 memcpy(entry->ifname, name, IFNAMSIZ);
751 entry->ifname[IFNAMSIZ-1] = '\0';
752 if (event)
753 {
754 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
755 {
756 update = TRUE;
757 DBG1(DBG_KNL, "interface %s activated", name);
758 }
759 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
760 {
761 update = TRUE;
762 DBG1(DBG_KNL, "interface %s deactivated", name);
763 }
764 }
765 entry->flags = msg->ifi_flags;
766 iterator->destroy(iterator);
767 break;
768 }
769 case RTM_DELLINK:
770 {
771 iterator = this->ifaces->create_iterator_locked(this->ifaces,
772 &this->mutex);
773 while (iterator->iterate(iterator, (void**)&current))
774 {
775 if (current->ifindex == msg->ifi_index)
776 {
777 /* we do not remove it, as an address may be added to a
778 * "down" interface and we wan't to know that. */
779 current->flags = msg->ifi_flags;
780 break;
781 }
782 }
783 iterator->destroy(iterator);
784 break;
785 }
786 }
787
788 /* send an update to all IKE_SAs */
789 if (update && event)
790 {
791 fire_roam_job(this, TRUE);
792 }
793 }
794
795 /**
796 * process RTM_NEWADDR/RTM_DELADDR from kernel
797 */
798 static void process_addr(private_kernel_interface_t *this,
799 struct nlmsghdr *hdr, bool event)
800 {
801 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
802 struct rtattr *rta = IFA_RTA(msg);
803 size_t rtasize = IFA_PAYLOAD (hdr);
804 host_t *host = NULL;
805 iterator_t *ifaces, *addrs;
806 iface_entry_t *iface;
807 addr_entry_t *addr;
808 chunk_t local = chunk_empty, address = chunk_empty;
809 bool update = FALSE, found = FALSE, changed = FALSE;
810
811 while(RTA_OK(rta, rtasize))
812 {
813 switch (rta->rta_type)
814 {
815 case IFA_LOCAL:
816 local.ptr = RTA_DATA(rta);
817 local.len = RTA_PAYLOAD(rta);
818 break;
819 case IFA_ADDRESS:
820 address.ptr = RTA_DATA(rta);
821 address.len = RTA_PAYLOAD(rta);
822 break;
823 }
824 rta = RTA_NEXT(rta, rtasize);
825 }
826
827 /* For PPP interfaces, we need the IFA_LOCAL address,
828 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
829 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
830 if (local.ptr)
831 {
832 host = host_create_from_chunk(msg->ifa_family, local, 0);
833 }
834 else if (address.ptr)
835 {
836 host = host_create_from_chunk(msg->ifa_family, address, 0);
837 }
838
839 if (host == NULL)
840 { /* bad family? */
841 return;
842 }
843
844 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
845 while (ifaces->iterate(ifaces, (void**)&iface))
846 {
847 if (iface->ifindex == msg->ifa_index)
848 {
849 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
850 while (addrs->iterate(addrs, (void**)&addr))
851 {
852 if (host->ip_equals(host, addr->ip))
853 {
854 found = TRUE;
855 if (hdr->nlmsg_type == RTM_DELADDR)
856 {
857 addrs->remove(addrs);
858 if (!addr->virtual)
859 {
860 changed = TRUE;
861 DBG1(DBG_KNL, "%H disappeared from %s",
862 host, iface->ifname);
863 }
864 addr_entry_destroy(addr);
865 }
866 else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
867 {
868 addr->refcount = 1;
869 }
870 }
871 }
872 addrs->destroy(addrs);
873
874 if (hdr->nlmsg_type == RTM_NEWADDR)
875 {
876 if (!found)
877 {
878 found = TRUE;
879 changed = TRUE;
880 addr = malloc_thing(addr_entry_t);
881 addr->ip = host->clone(host);
882 addr->virtual = FALSE;
883 addr->refcount = 1;
884 addr->scope = msg->ifa_scope;
885
886 iface->addrs->insert_last(iface->addrs, addr);
887 if (event)
888 {
889 DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
890 }
891 }
892 }
893 if (found && (iface->flags & IFF_UP))
894 {
895 update = TRUE;
896 }
897 break;
898 }
899 }
900 ifaces->destroy(ifaces);
901 host->destroy(host);
902
903 /* send an update to all IKE_SAs */
904 if (update && event && changed)
905 {
906 fire_roam_job(this, TRUE);
907 }
908 }
909
910 /**
911 * process RTM_NEWROUTE and RTM_DELROUTE from kernel
912 */
913 static void process_route(private_kernel_interface_t *this, struct nlmsghdr *hdr)
914 {
915 struct rtmsg* msg = (struct rtmsg*)(NLMSG_DATA(hdr));
916 struct rtattr *rta = RTM_RTA(msg);
917 size_t rtasize = RTM_PAYLOAD(hdr);
918 host_t *host = NULL;
919
920 while (RTA_OK(rta, rtasize))
921 {
922 switch (rta->rta_type)
923 {
924 case RTA_PREFSRC:
925 host = host_create_from_chunk(msg->rtm_family,
926 chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0);
927 break;
928 }
929 rta = RTA_NEXT(rta, rtasize);
930 }
931 if (host)
932 {
933 if (!get_vip_refcount(this, host))
934 { /* ignore routes added for virtual IPs */
935 fire_roam_job(this, FALSE);
936 }
937 host->destroy(host);
938 }
939 }
940
941 /**
942 * Receives events from kernel
943 */
944 static job_requeue_t receive_events(private_kernel_interface_t *this)
945 {
946 char response[1024];
947 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
948 struct sockaddr_nl addr;
949 socklen_t addr_len = sizeof(addr);
950 int len, oldstate, maxfd, selected;
951 fd_set rfds;
952
953 FD_ZERO(&rfds);
954 FD_SET(this->socket_xfrm_events, &rfds);
955 FD_SET(this->socket_rt_events, &rfds);
956 maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
957
958 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
959 selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
960 pthread_setcancelstate(oldstate, NULL);
961 if (selected <= 0)
962 {
963 DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
964 return JOB_REQUEUE_FAIR;
965 }
966 if (FD_ISSET(this->socket_xfrm_events, &rfds))
967 {
968 selected = this->socket_xfrm_events;
969 }
970 else if (FD_ISSET(this->socket_rt_events, &rfds))
971 {
972 selected = this->socket_rt_events;
973 }
974 else
975 {
976 return JOB_REQUEUE_DIRECT;
977 }
978
979 len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
980 (struct sockaddr*)&addr, &addr_len);
981 if (len < 0)
982 {
983 switch (errno)
984 {
985 case EINTR:
986 /* interrupted, try again */
987 return JOB_REQUEUE_DIRECT;
988 case EAGAIN:
989 /* no data ready, select again */
990 return JOB_REQUEUE_DIRECT;
991 default:
992 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
993 sleep(1);
994 return JOB_REQUEUE_FAIR;
995 }
996 }
997 if (addr.nl_pid != 0)
998 { /* not from kernel. not interested, try another one */
999 return JOB_REQUEUE_DIRECT;
1000 }
1001
1002 while (NLMSG_OK(hdr, len))
1003 {
1004 /* looks good so far, dispatch netlink message */
1005 if (selected == this->socket_xfrm_events)
1006 {
1007 switch (hdr->nlmsg_type)
1008 {
1009 case XFRM_MSG_ACQUIRE:
1010 process_acquire(this, hdr);
1011 break;
1012 case XFRM_MSG_EXPIRE:
1013 process_expire(this, hdr);
1014 break;
1015 default:
1016 break;
1017 }
1018 }
1019 else if (selected == this->socket_rt_events)
1020 {
1021 switch (hdr->nlmsg_type)
1022 {
1023 case RTM_NEWADDR:
1024 case RTM_DELADDR:
1025 process_addr(this, hdr, TRUE);
1026 pthread_cond_broadcast(&this->cond);
1027 break;
1028 case RTM_NEWLINK:
1029 case RTM_DELLINK:
1030 process_link(this, hdr, TRUE);
1031 pthread_cond_broadcast(&this->cond);
1032 break;
1033 case RTM_NEWROUTE:
1034 case RTM_DELROUTE:
1035 if (this->process_route)
1036 {
1037 process_route(this, hdr);
1038 }
1039 break;
1040 default:
1041 break;
1042 }
1043 }
1044 hdr = NLMSG_NEXT(hdr, len);
1045 }
1046 return JOB_REQUEUE_DIRECT;
1047 }
1048
1049 /**
1050 * send a netlink message and wait for a reply
1051 */
1052 static status_t netlink_send(private_kernel_interface_t *this,
1053 int socket, struct nlmsghdr *in,
1054 struct nlmsghdr **out, size_t *out_len)
1055 {
1056 int len, addr_len;
1057 struct sockaddr_nl addr;
1058 chunk_t result = chunk_empty, tmp;
1059 struct nlmsghdr *msg, peek;
1060
1061 pthread_mutex_lock(&this->nl_mutex);
1062
1063 in->nlmsg_seq = ++this->seq;
1064 in->nlmsg_pid = getpid();
1065
1066 memset(&addr, 0, sizeof(addr));
1067 addr.nl_family = AF_NETLINK;
1068 addr.nl_pid = 0;
1069 addr.nl_groups = 0;
1070
1071 while (TRUE)
1072 {
1073 len = sendto(socket, in, in->nlmsg_len, 0,
1074 (struct sockaddr*)&addr, sizeof(addr));
1075
1076 if (len != in->nlmsg_len)
1077 {
1078 if (errno == EINTR)
1079 {
1080 /* interrupted, try again */
1081 continue;
1082 }
1083 pthread_mutex_unlock(&this->nl_mutex);
1084 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
1085 return FAILED;
1086 }
1087 break;
1088 }
1089
1090 while (TRUE)
1091 {
1092 char buf[4096];
1093 tmp.len = sizeof(buf);
1094 tmp.ptr = buf;
1095 msg = (struct nlmsghdr*)tmp.ptr;
1096
1097 memset(&addr, 0, sizeof(addr));
1098 addr.nl_family = AF_NETLINK;
1099 addr.nl_pid = getpid();
1100 addr.nl_groups = 0;
1101 addr_len = sizeof(addr);
1102
1103 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
1104 (struct sockaddr*)&addr, &addr_len);
1105
1106 if (len < 0)
1107 {
1108 if (errno == EINTR)
1109 {
1110 DBG1(DBG_KNL, "got interrupted");
1111 /* interrupted, try again */
1112 continue;
1113 }
1114 DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
1115 pthread_mutex_unlock(&this->nl_mutex);
1116 free(result.ptr);
1117 return FAILED;
1118 }
1119 if (!NLMSG_OK(msg, len))
1120 {
1121 DBG1(DBG_KNL, "received corrupted netlink message");
1122 pthread_mutex_unlock(&this->nl_mutex);
1123 free(result.ptr);
1124 return FAILED;
1125 }
1126 if (msg->nlmsg_seq != this->seq)
1127 {
1128 DBG1(DBG_KNL, "received invalid netlink sequence number");
1129 if (msg->nlmsg_seq < this->seq)
1130 {
1131 continue;
1132 }
1133 pthread_mutex_unlock(&this->nl_mutex);
1134 free(result.ptr);
1135 return FAILED;
1136 }
1137
1138 tmp.len = len;
1139 result.ptr = realloc(result.ptr, result.len + tmp.len);
1140 memcpy(result.ptr + result.len, tmp.ptr, tmp.len);
1141 result.len += tmp.len;
1142
1143 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
1144 * numbers to detect multi header messages */
1145 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
1146 (struct sockaddr*)&addr, &addr_len);
1147
1148 if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
1149 {
1150 /* seems to be multipart */
1151 continue;
1152 }
1153 break;
1154 }
1155
1156 *out_len = result.len;
1157 *out = (struct nlmsghdr*)result.ptr;
1158
1159 pthread_mutex_unlock(&this->nl_mutex);
1160
1161 return SUCCESS;
1162 }
1163
1164 /**
1165 * send a netlink message and wait for its acknowledge
1166 */
1167 static status_t netlink_send_ack(private_kernel_interface_t *this,
1168 int socket, struct nlmsghdr *in)
1169 {
1170 struct nlmsghdr *out, *hdr;
1171 size_t len;
1172
1173 if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
1174 {
1175 return FAILED;
1176 }
1177 hdr = out;
1178 while (NLMSG_OK(hdr, len))
1179 {
1180 switch (hdr->nlmsg_type)
1181 {
1182 case NLMSG_ERROR:
1183 {
1184 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
1185
1186 if (err->error)
1187 {
1188 if (-err->error == EEXIST)
1189 { /* do not report existing routes */
1190 free(out);
1191 return ALREADY_DONE;
1192 }
1193 DBG1(DBG_KNL, "received netlink error: %s (%d)",
1194 strerror(-err->error), -err->error);
1195 free(out);
1196 return FAILED;
1197 }
1198 free(out);
1199 return SUCCESS;
1200 }
1201 default:
1202 hdr = NLMSG_NEXT(hdr, len);
1203 continue;
1204 case NLMSG_DONE:
1205 break;
1206 }
1207 break;
1208 }
1209 DBG1(DBG_KNL, "netlink request not acknowledged");
1210 free(out);
1211 return FAILED;
1212 }
1213
1214 /**
1215 * Initialize a list of local addresses.
1216 */
1217 static status_t init_address_list(private_kernel_interface_t *this)
1218 {
1219 char request[BUFFER_SIZE];
1220 struct nlmsghdr *out, *current, *in;
1221 struct rtgenmsg *msg;
1222 size_t len;
1223 iterator_t *ifaces, *addrs;
1224 iface_entry_t *iface;
1225 addr_entry_t *addr;
1226
1227 DBG1(DBG_KNL, "listening on interfaces:");
1228
1229 memset(&request, 0, sizeof(request));
1230
1231 in = (struct nlmsghdr*)&request;
1232 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
1233 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
1234 msg = (struct rtgenmsg*)NLMSG_DATA(in);
1235 msg->rtgen_family = AF_UNSPEC;
1236
1237 /* get all links */
1238 in->nlmsg_type = RTM_GETLINK;
1239 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1240 {
1241 return FAILED;
1242 }
1243 current = out;
1244 while (NLMSG_OK(current, len))
1245 {
1246 switch (current->nlmsg_type)
1247 {
1248 case NLMSG_DONE:
1249 break;
1250 case RTM_NEWLINK:
1251 process_link(this, current, FALSE);
1252 /* fall through */
1253 default:
1254 current = NLMSG_NEXT(current, len);
1255 continue;
1256 }
1257 break;
1258 }
1259 free(out);
1260
1261 /* get all interface addresses */
1262 in->nlmsg_type = RTM_GETADDR;
1263 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1264 {
1265 return FAILED;
1266 }
1267 current = out;
1268 while (NLMSG_OK(current, len))
1269 {
1270 switch (current->nlmsg_type)
1271 {
1272 case NLMSG_DONE:
1273 break;
1274 case RTM_NEWADDR:
1275 process_addr(this, current, FALSE);
1276 /* fall through */
1277 default:
1278 current = NLMSG_NEXT(current, len);
1279 continue;
1280 }
1281 break;
1282 }
1283 free(out);
1284
1285 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1286 while (ifaces->iterate(ifaces, (void**)&iface))
1287 {
1288 if (iface->flags & IFF_UP)
1289 {
1290 DBG1(DBG_KNL, " %s", iface->ifname);
1291 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1292 while (addrs->iterate(addrs, (void**)&addr))
1293 {
1294 DBG1(DBG_KNL, " %H", addr->ip);
1295 }
1296 addrs->destroy(addrs);
1297 }
1298 }
1299 ifaces->destroy(ifaces);
1300 return SUCCESS;
1301 }
1302
1303 /**
1304 * iterator hook to iterate over addrs
1305 */
1306 static hook_result_t addr_hook(private_kernel_interface_t *this,
1307 addr_entry_t *in, host_t **out)
1308 {
1309 if (in->virtual)
1310 { /* skip virtual interfaces added by us */
1311 return HOOK_SKIP;
1312 }
1313 if (in->scope >= RT_SCOPE_LINK)
1314 { /* skip addresses with a unusable scope */
1315 return HOOK_SKIP;
1316 }
1317 *out = in->ip;
1318 return HOOK_NEXT;
1319 }
1320
1321 /**
1322 * iterator hook to iterate over ifaces
1323 */
1324 static hook_result_t iface_hook(private_kernel_interface_t *this,
1325 iface_entry_t *in, host_t **out)
1326 {
1327 if (!(in->flags & IFF_UP))
1328 { /* skip interfaces not up */
1329 return HOOK_SKIP;
1330 }
1331
1332 if (this->hiter == NULL)
1333 {
1334 this->hiter = in->addrs->create_iterator(in->addrs, TRUE);
1335 this->hiter->set_iterator_hook(this->hiter,
1336 (iterator_hook_t*)addr_hook, this);
1337 }
1338 while (this->hiter->iterate(this->hiter, (void**)out))
1339 {
1340 return HOOK_AGAIN;
1341 }
1342 this->hiter->destroy(this->hiter);
1343 this->hiter = NULL;
1344 return HOOK_SKIP;
1345 }
1346
1347 /**
1348 * Implements kernel_interface_t.create_address_iterator.
1349 */
1350 static iterator_t *create_address_iterator(private_kernel_interface_t *this)
1351 {
1352 iterator_t *iterator;
1353
1354 /* This iterator is not only hooked, it is double-hooked. As we have stored
1355 * our addresses in iface_entry->addr_entry->ip, we need to iterate the
1356 * entries in each interface we iterate. This does the iface_hook. The
1357 * addr_hook returns the ip instead of the addr_entry. */
1358
1359 iterator = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1360 iterator->set_iterator_hook(iterator, (iterator_hook_t*)iface_hook, this);
1361 return iterator;
1362 }
1363
1364 /**
1365 * implementation of kernel_interface_t.get_interface_name
1366 */
1367 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
1368 {
1369 iterator_t *ifaces, *addrs;
1370 iface_entry_t *iface;
1371 addr_entry_t *addr;
1372 char *name = NULL;
1373
1374 DBG2(DBG_KNL, "getting interface name for %H", ip);
1375
1376 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1377 while (ifaces->iterate(ifaces, (void**)&iface))
1378 {
1379 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1380 while (addrs->iterate(addrs, (void**)&addr))
1381 {
1382 if (ip->ip_equals(ip, addr->ip))
1383 {
1384 name = strdup(iface->ifname);
1385 break;
1386 }
1387 }
1388 addrs->destroy(addrs);
1389 if (name)
1390 {
1391 break;
1392 }
1393 }
1394 ifaces->destroy(ifaces);
1395
1396 if (name)
1397 {
1398 DBG2(DBG_KNL, "%H is on interface %s", ip, name);
1399 }
1400 else
1401 {
1402 DBG2(DBG_KNL, "%H is not a local address", ip);
1403 }
1404 return name;
1405 }
1406
1407 /**
1408 * Tries to find an ip address of a local interface that is included in the
1409 * supplied traffic selector.
1410 */
1411 static status_t get_address_by_ts(private_kernel_interface_t *this,
1412 traffic_selector_t *ts, host_t **ip)
1413 {
1414 iterator_t *ifaces, *addrs;
1415 iface_entry_t *iface;
1416 addr_entry_t *addr;
1417 host_t *host;
1418 int family;
1419 bool found = FALSE;
1420
1421 DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
1422
1423 /* if we have a family which includes localhost, we do not
1424 * search for an IP, we use the default */
1425 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1426
1427 if (family == AF_INET)
1428 {
1429 host = host_create_from_string("127.0.0.1", 0);
1430 }
1431 else
1432 {
1433 host = host_create_from_string("::1", 0);
1434 }
1435
1436 if (ts->includes(ts, host))
1437 {
1438 *ip = host_create_any(family);
1439 host->destroy(host);
1440 DBG2(DBG_KNL, "using host %H", *ip);
1441 return SUCCESS;
1442 }
1443 host->destroy(host);
1444
1445 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1446 while (ifaces->iterate(ifaces, (void**)&iface))
1447 {
1448 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1449 while (addrs->iterate(addrs, (void**)&addr))
1450 {
1451 if (ts->includes(ts, addr->ip))
1452 {
1453 found = TRUE;
1454 *ip = addr->ip->clone(addr->ip);
1455 break;
1456 }
1457 }
1458 addrs->destroy(addrs);
1459 if (found)
1460 {
1461 break;
1462 }
1463 }
1464 ifaces->destroy(ifaces);
1465
1466 if (!found)
1467 {
1468 DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
1469 return FAILED;
1470 }
1471 DBG2(DBG_KNL, "using host %H", *ip);
1472 return SUCCESS;
1473 }
1474
1475 /**
1476 * get the interface of a local address
1477 */
1478 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
1479 {
1480 iterator_t *ifaces, *addrs;
1481 iface_entry_t *iface;
1482 addr_entry_t *addr;
1483 int ifindex = 0;
1484
1485 DBG2(DBG_KNL, "getting iface for %H", ip);
1486
1487 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1488 while (ifaces->iterate(ifaces, (void**)&iface))
1489 {
1490 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1491 while (addrs->iterate(addrs, (void**)&addr))
1492 {
1493 if (ip->ip_equals(ip, addr->ip))
1494 {
1495 ifindex = iface->ifindex;
1496 break;
1497 }
1498 }
1499 addrs->destroy(addrs);
1500 if (ifindex)
1501 {
1502 break;
1503 }
1504 }
1505 ifaces->destroy(ifaces);
1506
1507 if (ifindex == 0)
1508 {
1509 DBG1(DBG_KNL, "unable to get interface for %H", ip);
1510 }
1511 return ifindex;
1512 }
1513
1514 /**
1515 * Manages the creation and deletion of ip addresses on an interface.
1516 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1517 */
1518 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1519 int flags, int if_index, host_t *ip)
1520 {
1521 unsigned char request[BUFFER_SIZE];
1522 struct nlmsghdr *hdr;
1523 struct ifaddrmsg *msg;
1524 chunk_t chunk;
1525
1526 memset(&request, 0, sizeof(request));
1527
1528 chunk = ip->get_address(ip);
1529
1530 hdr = (struct nlmsghdr*)request;
1531 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1532 hdr->nlmsg_type = nlmsg_type;
1533 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1534
1535 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1536 msg->ifa_family = ip->get_family(ip);
1537 msg->ifa_flags = 0;
1538 msg->ifa_prefixlen = 8 * chunk.len;
1539 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1540 msg->ifa_index = if_index;
1541
1542 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1543
1544 return netlink_send_ack(this, this->socket_rt, hdr);
1545 }
1546
1547 /**
1548 * Manages source routes in the routing table.
1549 * By setting the appropriate nlmsg_type, the route added or r.
1550 */
1551 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
1552 int flags, route_entry_t *route)
1553 {
1554 unsigned char request[BUFFER_SIZE];
1555 struct nlmsghdr *hdr;
1556 struct rtmsg *msg;
1557 chunk_t chunk;
1558
1559 /* if route is 0.0.0.0/0, we can't install it, as it would
1560 * overwrite the default route. Instead, we add two routes:
1561 * 0.0.0.0/1 and 128.0.0.0/1 */
1562 if (this->routing_table == 0 && route->prefixlen == 0)
1563 {
1564 route_entry_t half;
1565 status_t status;
1566
1567 half.dst_net = chunk_alloca(route->dst_net.len);
1568 memset(half.dst_net.ptr, 0, half.dst_net.len);
1569 half.src_ip = route->src_ip;
1570 half.gateway = route->gateway;
1571 half.if_index = route->if_index;
1572 half.prefixlen = 1;
1573
1574 status = manage_srcroute(this, nlmsg_type, flags, &half);
1575 half.dst_net.ptr[0] |= 0x80;
1576 status = manage_srcroute(this, nlmsg_type, flags, &half);
1577 return status;
1578 }
1579
1580 memset(&request, 0, sizeof(request));
1581
1582 hdr = (struct nlmsghdr*)request;
1583 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1584 hdr->nlmsg_type = nlmsg_type;
1585 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1586
1587 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1588 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1589 msg->rtm_dst_len = route->prefixlen;
1590 msg->rtm_table = this->routing_table;
1591 msg->rtm_protocol = RTPROT_STATIC;
1592 msg->rtm_type = RTN_UNICAST;
1593 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1594
1595 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1596 chunk = route->src_ip->get_address(route->src_ip);
1597 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1598 chunk = route->gateway->get_address(route->gateway);
1599 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1600 chunk.ptr = (char*)&route->if_index;
1601 chunk.len = sizeof(route->if_index);
1602 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1603
1604 return netlink_send_ack(this, this->socket_rt, hdr);
1605 }
1606
1607 /**
1608 * create or delete an rule to use our routing table
1609 */
1610 static status_t manage_rule(private_kernel_interface_t *this, int nlmsg_type,
1611 u_int32_t table, u_int32_t prio)
1612 {
1613 unsigned char request[BUFFER_SIZE];
1614 struct nlmsghdr *hdr;
1615 struct rtmsg *msg;
1616 chunk_t chunk;
1617
1618 memset(&request, 0, sizeof(request));
1619 hdr = (struct nlmsghdr*)request;
1620 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1621 hdr->nlmsg_type = nlmsg_type;
1622 if (nlmsg_type == RTM_NEWRULE)
1623 {
1624 hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
1625 }
1626 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1627
1628 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1629 msg->rtm_table = table;
1630 msg->rtm_family = AF_INET;
1631 msg->rtm_protocol = RTPROT_BOOT;
1632 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1633 msg->rtm_type = RTN_UNICAST;
1634
1635 chunk = chunk_from_thing(prio);
1636 add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
1637
1638 return netlink_send_ack(this, this->socket_rt, hdr);
1639 }
1640
1641 /**
1642 * check if an address (chunk) addr is in subnet (net with net_len net bits)
1643 */
1644 static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
1645 {
1646 int bit, byte;
1647
1648 if (addr.len != net.len)
1649 {
1650 return FALSE;
1651 }
1652 /* scan through all bits, beginning in the front */
1653 for (byte = 0; byte < addr.len; byte++)
1654 {
1655 for (bit = 7; bit >= 0; bit--)
1656 {
1657 /* check if bits are equal (or we reached the end of the net) */
1658 if (bit + byte * 8 > net_len)
1659 {
1660 return TRUE;
1661 }
1662 if (((1<<bit) & addr.ptr[byte]) != ((1<<bit) & net.ptr[byte]))
1663 {
1664 return FALSE;
1665 }
1666 }
1667 }
1668 return TRUE;
1669 }
1670
1671 /**
1672 * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
1673 */
1674 static host_t *get_route(private_kernel_interface_t *this, host_t *dest,
1675 bool nexthop)
1676 {
1677 unsigned char request[BUFFER_SIZE];
1678 struct nlmsghdr *hdr, *out, *current;
1679 struct rtmsg *msg;
1680 chunk_t chunk;
1681 size_t len;
1682 int best = -1;
1683 host_t *src = NULL, *gtw = NULL;
1684
1685 DBG2(DBG_KNL, "getting address to reach %H", dest);
1686
1687 memset(&request, 0, sizeof(request));
1688
1689 hdr = (struct nlmsghdr*)request;
1690 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP | NLM_F_ROOT;
1691 hdr->nlmsg_type = RTM_GETROUTE;
1692 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1693
1694 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1695 msg->rtm_family = dest->get_family(dest);
1696
1697 chunk = dest->get_address(dest);
1698 add_attribute(hdr, RTA_DST, chunk, sizeof(request));
1699
1700 if (netlink_send(this, this->socket_rt, hdr, &out, &len) != SUCCESS)
1701 {
1702 DBG1(DBG_KNL, "getting address to %H failed", dest);
1703 return NULL;
1704 }
1705 current = out;
1706 while (NLMSG_OK(current, len))
1707 {
1708 switch (current->nlmsg_type)
1709 {
1710 case NLMSG_DONE:
1711 break;
1712 case RTM_NEWROUTE:
1713 {
1714 struct rtattr *rta;
1715 size_t rtasize;
1716 chunk_t rta_gtw, rta_src, rta_dst;
1717 u_int32_t rta_oif = 0;
1718
1719 rta_gtw = rta_src = rta_dst = chunk_empty;
1720 msg = (struct rtmsg*)(NLMSG_DATA(current));
1721 rta = RTM_RTA(msg);
1722 rtasize = RTM_PAYLOAD(current);
1723 while (RTA_OK(rta, rtasize))
1724 {
1725 switch (rta->rta_type)
1726 {
1727 case RTA_PREFSRC:
1728 rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1729 break;
1730 case RTA_GATEWAY:
1731 rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1732 break;
1733 case RTA_DST:
1734 rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1735 break;
1736 case RTA_OIF:
1737 if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
1738 {
1739 rta_oif = *(u_int32_t*)RTA_DATA(rta);
1740 }
1741 break;
1742 }
1743 rta = RTA_NEXT(rta, rtasize);
1744 }
1745
1746 /* apply the route if:
1747 * - it is not from our own ipsec routing table
1748 * - is better than a previous one
1749 * - is the default route or
1750 * - its destination net contains our destination
1751 */
1752 if ((this->routing_table == 0 ||msg->rtm_table != this->routing_table)
1753 && msg->rtm_dst_len > best
1754 && (msg->rtm_dst_len == 0 || /* default route */
1755 (rta_dst.ptr && addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))))
1756 {
1757 iterator_t *ifaces, *addrs;
1758 iface_entry_t *iface;
1759 addr_entry_t *addr;
1760
1761 best = msg->rtm_dst_len;
1762 if (nexthop)
1763 {
1764 DESTROY_IF(gtw);
1765 gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
1766 }
1767 else if (rta_src.ptr)
1768 {
1769 DESTROY_IF(src);
1770 src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
1771 if (get_vip_refcount(this, src))
1772 { /* skip source address if it is installed by us */
1773 DESTROY_IF(src);
1774 src = NULL;
1775 current = NLMSG_NEXT(current, len);
1776 continue;
1777 }
1778 }
1779 else
1780 {
1781 /* no source addr, get one from the interfaces */
1782 ifaces = this->ifaces->create_iterator_locked(
1783 this->ifaces, &this->mutex);
1784 while (ifaces->iterate(ifaces, (void**)&iface))
1785 {
1786 if (iface->ifindex == rta_oif)
1787 {
1788 addrs = iface->addrs->create_iterator(
1789 iface->addrs, TRUE);
1790 while (addrs->iterate(addrs, (void**)&addr))
1791 {
1792 chunk_t ip = addr->ip->get_address(addr->ip);
1793 if ((msg->rtm_dst_len == 0 &&
1794 addr->ip->get_family(addr->ip) ==
1795 dest->get_family(dest)) ||
1796 addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
1797 {
1798 DESTROY_IF(src);
1799 src = addr->ip->clone(addr->ip);
1800 break;
1801 }
1802 }
1803 addrs->destroy(addrs);
1804 }
1805 }
1806 ifaces->destroy(ifaces);
1807 }
1808 }
1809 /* FALL through */
1810 }
1811 default:
1812 current = NLMSG_NEXT(current, len);
1813 continue;
1814 }
1815 break;
1816 }
1817 free(out);
1818
1819 if (nexthop)
1820 {
1821 if (gtw)
1822 {
1823 return gtw;
1824 }
1825 return dest->clone(dest);
1826 }
1827 return src;
1828 }
1829
1830 /**
1831 * Implementation of kernel_interface_t.get_source_addr.
1832 */
1833 static host_t* get_source_addr(private_kernel_interface_t *this, host_t *dest)
1834 {
1835 return get_route(this, dest, FALSE);
1836 }
1837
1838 /**
1839 * Implementation of kernel_interface_t.add_ip.
1840 */
1841 static status_t add_ip(private_kernel_interface_t *this,
1842 host_t *virtual_ip, host_t *iface_ip)
1843 {
1844 iface_entry_t *iface;
1845 addr_entry_t *addr;
1846 iterator_t *addrs, *ifaces;
1847 int ifindex;
1848
1849 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1850
1851 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1852 while (ifaces->iterate(ifaces, (void**)&iface))
1853 {
1854 bool iface_found = FALSE;
1855
1856 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1857 while (addrs->iterate(addrs, (void**)&addr))
1858 {
1859 if (iface_ip->ip_equals(iface_ip, addr->ip))
1860 {
1861 iface_found = TRUE;
1862 }
1863 else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1864 {
1865 addr->refcount++;
1866 DBG2(DBG_KNL, "virtual IP %H already installed on %s",
1867 virtual_ip, iface->ifname);
1868 addrs->destroy(addrs);
1869 ifaces->destroy(ifaces);
1870 return SUCCESS;
1871 }
1872 }
1873 addrs->destroy(addrs);
1874
1875 if (iface_found)
1876 {
1877 ifindex = iface->ifindex;
1878 addr = malloc_thing(addr_entry_t);
1879 addr->ip = virtual_ip->clone(virtual_ip);
1880 addr->refcount = 0;
1881 addr->virtual = TRUE;
1882 addr->scope = RT_SCOPE_UNIVERSE;
1883 iface->addrs->insert_last(iface->addrs, addr);
1884
1885 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1886 ifindex, virtual_ip) == SUCCESS)
1887 {
1888 while (get_vip_refcount(this, virtual_ip) == 0)
1889 { /* wait until address appears */
1890 pthread_cond_wait(&this->cond, &this->mutex);
1891 }
1892 ifaces->destroy(ifaces);
1893 return SUCCESS;
1894 }
1895 ifaces->destroy(ifaces);
1896 DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
1897 return FAILED;
1898 }
1899 }
1900 ifaces->destroy(ifaces);
1901
1902 DBG1(DBG_KNL, "interface address %H not found, unable to install"
1903 "virtual IP %H", iface_ip, virtual_ip);
1904 return FAILED;
1905 }
1906
1907 /**
1908 * Implementation of kernel_interface_t.del_ip.
1909 */
1910 static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
1911 {
1912 iface_entry_t *iface;
1913 addr_entry_t *addr;
1914 iterator_t *addrs, *ifaces;
1915 status_t status;
1916 int ifindex;
1917
1918 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1919
1920 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1921 while (ifaces->iterate(ifaces, (void**)&iface))
1922 {
1923 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1924 while (addrs->iterate(addrs, (void**)&addr))
1925 {
1926 if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1927 {
1928 ifindex = iface->ifindex;
1929 if (addr->refcount == 1)
1930 {
1931 status = manage_ipaddr(this, RTM_DELADDR, 0,
1932 ifindex, virtual_ip);
1933 if (status == SUCCESS)
1934 { /* wait until the address is really gone */
1935 while (get_vip_refcount(this, virtual_ip) > 0)
1936 {
1937 pthread_cond_wait(&this->cond, &this->mutex);
1938 }
1939 }
1940 addrs->destroy(addrs);
1941 ifaces->destroy(ifaces);
1942 return status;
1943 }
1944 else
1945 {
1946 addr->refcount--;
1947 }
1948 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1949 virtual_ip);
1950 addrs->destroy(addrs);
1951 ifaces->destroy(ifaces);
1952 return SUCCESS;
1953 }
1954 }
1955 addrs->destroy(addrs);
1956 }
1957 ifaces->destroy(ifaces);
1958
1959 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1960 return FAILED;
1961 }
1962
1963 /**
1964 * Get an SPI for a specific protocol from the kernel.
1965 */
1966 static status_t get_spi_internal(private_kernel_interface_t *this,
1967 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
1968 u_int32_t reqid, u_int32_t *spi)
1969 {
1970 unsigned char request[BUFFER_SIZE];
1971 struct nlmsghdr *hdr, *out;
1972 struct xfrm_userspi_info *userspi;
1973 u_int32_t received_spi = 0;
1974 size_t len;
1975
1976 memset(&request, 0, sizeof(request));
1977
1978 hdr = (struct nlmsghdr*)request;
1979 hdr->nlmsg_flags = NLM_F_REQUEST;
1980 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1981 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1982
1983 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1984 host2xfrm(src, &userspi->info.saddr);
1985 host2xfrm(dst, &userspi->info.id.daddr);
1986 userspi->info.id.proto = proto;
1987 userspi->info.mode = TRUE; /* tunnel mode */
1988 userspi->info.reqid = reqid;
1989 userspi->info.family = src->get_family(src);
1990 userspi->min = min;
1991 userspi->max = max;
1992
1993 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1994 {
1995 hdr = out;
1996 while (NLMSG_OK(hdr, len))
1997 {
1998 switch (hdr->nlmsg_type)
1999 {
2000 case XFRM_MSG_NEWSA:
2001 {
2002 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
2003 received_spi = usersa->id.spi;
2004 break;
2005 }
2006 case NLMSG_ERROR:
2007 {
2008 struct nlmsgerr *err = NLMSG_DATA(hdr);
2009
2010 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
2011 strerror(-err->error), -err->error);
2012 break;
2013 }
2014 default:
2015 hdr = NLMSG_NEXT(hdr, len);
2016 continue;
2017 case NLMSG_DONE:
2018 break;
2019 }
2020 break;
2021 }
2022 free(out);
2023 }
2024
2025 if (received_spi == 0)
2026 {
2027 return FAILED;
2028 }
2029
2030 *spi = received_spi;
2031 return SUCCESS;
2032 }
2033
2034 /**
2035 * Implementation of kernel_interface_t.get_spi.
2036 */
2037 static status_t get_spi(private_kernel_interface_t *this,
2038 host_t *src, host_t *dst,
2039 protocol_id_t protocol, u_int32_t reqid,
2040 u_int32_t *spi)
2041 {
2042 DBG2(DBG_KNL, "getting SPI for reqid {%d}", reqid);
2043
2044 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
2045 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
2046 {
2047 DBG1(DBG_KNL, "unable to get SPI for reqid {%d}", reqid);
2048 return FAILED;
2049 }
2050
2051 DBG2(DBG_KNL, "got SPI %.8x for reqid {%d}", ntohl(*spi), reqid);
2052
2053 return SUCCESS;
2054 }
2055
2056 /**
2057 * Implementation of kernel_interface_t.get_cpi.
2058 */
2059 static status_t get_cpi(private_kernel_interface_t *this,
2060 host_t *src, host_t *dst,
2061 u_int32_t reqid, u_int16_t *cpi)
2062 {
2063 u_int32_t received_spi = 0;
2064
2065 DBG2(DBG_KNL, "getting CPI for reqid {%d}", reqid);
2066
2067 if (get_spi_internal(this, src, dst,
2068 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
2069 {
2070 DBG1(DBG_KNL, "unable to get CPI for reqid {%d}", reqid);
2071 return FAILED;
2072 }
2073
2074 *cpi = htons((u_int16_t)ntohl(received_spi));
2075
2076 DBG2(DBG_KNL, "got CPI %.4x for reqid {%d}", ntohs(*cpi), reqid);
2077
2078 return SUCCESS;
2079 }
2080
2081 /**
2082 * Implementation of kernel_interface_t.add_sa.
2083 */
2084 static status_t add_sa(private_kernel_interface_t *this,
2085 host_t *src, host_t *dst, u_int32_t spi,
2086 protocol_id_t protocol, u_int32_t reqid,
2087 u_int64_t expire_soft, u_int64_t expire_hard,
2088 u_int16_t enc_alg, u_int16_t enc_size,
2089 u_int16_t int_alg, u_int16_t int_size,
2090 prf_plus_t *prf_plus, mode_t mode,
2091 u_int16_t ipcomp, bool encap,
2092 bool replace)
2093 {
2094 unsigned char request[BUFFER_SIZE];
2095 char *alg_name;
2096 /* additional 4 octets KEYMAT required for AES-GCM as of RFC4106 8.1. */
2097 u_int16_t add_keymat = 32;
2098 struct nlmsghdr *hdr;
2099 struct xfrm_usersa_info *sa;
2100
2101 memset(&request, 0, sizeof(request));
2102
2103 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
2104
2105 hdr = (struct nlmsghdr*)request;
2106 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2107 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
2108 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2109
2110 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
2111 host2xfrm(src, &sa->saddr);
2112 host2xfrm(dst, &sa->id.daddr);
2113 sa->id.spi = spi;
2114 sa->id.proto = proto_ike2kernel(protocol);
2115 sa->family = src->get_family(src);
2116 sa->mode = mode;
2117 if (mode == MODE_TUNNEL)
2118 {
2119 sa->flags |= XFRM_STATE_AF_UNSPEC;
2120 }
2121 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
2122 sa->reqid = reqid;
2123 /* we currently do not expire SAs by volume/packet count */
2124 sa->lft.soft_byte_limit = XFRM_INF;
2125 sa->lft.hard_byte_limit = XFRM_INF;
2126 sa->lft.soft_packet_limit = XFRM_INF;
2127 sa->lft.hard_packet_limit = XFRM_INF;
2128 /* we use lifetimes since added, not since used */
2129 sa->lft.soft_add_expires_seconds = expire_soft;
2130 sa->lft.hard_add_expires_seconds = expire_hard;
2131 sa->lft.soft_use_expires_seconds = 0;
2132 sa->lft.hard_use_expires_seconds = 0;
2133
2134 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
2135
2136 switch (enc_alg)
2137 {
2138 case ENCR_UNDEFINED:
2139 /* no encryption */
2140 break;
2141 case ENCR_AES_CCM_ICV8:
2142 case ENCR_AES_CCM_ICV12:
2143 case ENCR_AES_CCM_ICV16:
2144 /* AES-CCM needs only 3 additional octets KEYMAT as of RFC 4309 7.1. */
2145 add_keymat = 24;
2146 /* fall-through */
2147 case ENCR_AES_GCM_ICV8:
2148 case ENCR_AES_GCM_ICV12:
2149 case ENCR_AES_GCM_ICV16:
2150 {
2151 u_int16_t icv_size = 0;
2152 rthdr->rta_type = XFRMA_ALG_AEAD;
2153 alg_name = lookup_algorithm(encryption_algs, enc_alg, &icv_size);
2154 if (alg_name == NULL)
2155 {
2156 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2157 encryption_algorithm_names, enc_alg);
2158 return FAILED;
2159 }
2160 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
2161 encryption_algorithm_names, enc_alg, enc_size);
2162
2163 /* additional KEYMAT required */
2164 enc_size += add_keymat;
2165
2166 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_size / 8);
2167 hdr->nlmsg_len += rthdr->rta_len;
2168 if (hdr->nlmsg_len > sizeof(request))
2169 {
2170 return FAILED;
2171 }
2172
2173 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
2174 algo->alg_key_len = enc_size;
2175 algo->alg_icv_len = icv_size;
2176 strcpy(algo->alg_name, alg_name);
2177 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
2178
2179 rthdr = XFRM_RTA_NEXT(rthdr);
2180 break;
2181 }
2182 default:
2183 {
2184 rthdr->rta_type = XFRMA_ALG_CRYPT;
2185 alg_name = lookup_algorithm(encryption_algs, enc_alg, &enc_size);
2186 if (alg_name == NULL)
2187 {
2188 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2189 encryption_algorithm_names, enc_alg);
2190 return FAILED;
2191 }
2192 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
2193 encryption_algorithm_names, enc_alg, enc_size);
2194
2195 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_size / 8);
2196 hdr->nlmsg_len += rthdr->rta_len;
2197 if (hdr->nlmsg_len > sizeof(request))
2198 {
2199 return FAILED;
2200 }
2201
2202 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2203 algo->alg_key_len = enc_size;
2204 strcpy(algo->alg_name, alg_name);
2205 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
2206
2207 rthdr = XFRM_RTA_NEXT(rthdr);
2208 break;
2209 }
2210 }
2211
2212 if (int_alg != AUTH_UNDEFINED)
2213 {
2214 rthdr->rta_type = XFRMA_ALG_AUTH;
2215 alg_name = lookup_algorithm(integrity_algs, int_alg, &int_size);
2216 if (alg_name == NULL)
2217 {
2218 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2219 integrity_algorithm_names, int_alg);
2220 return FAILED;
2221 }
2222 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
2223 integrity_algorithm_names, int_alg, int_size);
2224
2225 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_size / 8);
2226 hdr->nlmsg_len += rthdr->rta_len;
2227 if (hdr->nlmsg_len > sizeof(request))
2228 {
2229 return FAILED;
2230 }
2231
2232 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2233 algo->alg_key_len = int_size;
2234 strcpy(algo->alg_name, alg_name);
2235 prf_plus->get_bytes(prf_plus, int_size / 8, algo->alg_key);
2236
2237 rthdr = XFRM_RTA_NEXT(rthdr);
2238 }
2239
2240 if (ipcomp != IPCOMP_NONE)
2241 {
2242 rthdr->rta_type = XFRMA_ALG_COMP;
2243 alg_name = lookup_algorithm(compression_algs, ipcomp, NULL);
2244 if (alg_name == NULL)
2245 {
2246 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2247 ipcomp_transform_names, ipcomp);
2248 return FAILED;
2249 }
2250 DBG2(DBG_KNL, " using compression algorithm %N",
2251 ipcomp_transform_names, ipcomp);
2252
2253 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
2254 hdr->nlmsg_len += rthdr->rta_len;
2255 if (hdr->nlmsg_len > sizeof(request))
2256 {
2257 return FAILED;
2258 }
2259
2260 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2261 algo->alg_key_len = 0;
2262 strcpy(algo->alg_name, alg_name);
2263
2264 rthdr = XFRM_RTA_NEXT(rthdr);
2265 }
2266
2267 if (encap)
2268 {
2269 rthdr->rta_type = XFRMA_ENCAP;
2270 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2271
2272 hdr->nlmsg_len += rthdr->rta_len;
2273 if (hdr->nlmsg_len > sizeof(request))
2274 {
2275 return FAILED;
2276 }
2277
2278 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
2279 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2280 tmpl->encap_sport = htons(src->get_port(src));
2281 tmpl->encap_dport = htons(dst->get_port(dst));
2282 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2283 /* encap_oa could probably be derived from the
2284 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
2285 * pluto does the same as we do here but it uses encap_oa in the
2286 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
2287 * the kernel ignores it anyway
2288 * -> does that mean that NAT-T encap doesn't work in transport mode?
2289 * No. The reason the kernel ignores NAT-OA is that it recomputes
2290 * (or, rather, just ignores) the checksum. If packets pass
2291 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
2292 rthdr = XFRM_RTA_NEXT(rthdr);
2293 }
2294
2295 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2296 {
2297 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
2298 return FAILED;
2299 }
2300 return SUCCESS;
2301 }
2302
2303 /**
2304 * Get the replay state (i.e. sequence numbers) of an SA.
2305 */
2306 static status_t get_replay_state(private_kernel_interface_t *this,
2307 u_int32_t spi, protocol_id_t protocol, host_t *dst,
2308 struct xfrm_replay_state *replay)
2309 {
2310 unsigned char request[BUFFER_SIZE];
2311 struct nlmsghdr *hdr, *out = NULL;
2312 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
2313 size_t len;
2314 struct rtattr *rta;
2315 size_t rtasize;
2316
2317 memset(&request, 0, sizeof(request));
2318
2319 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
2320
2321 hdr = (struct nlmsghdr*)request;
2322 hdr->nlmsg_flags = NLM_F_REQUEST;
2323 hdr->nlmsg_type = XFRM_MSG_GETAE;
2324 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
2325
2326 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
2327 aevent_id->flags = XFRM_AE_RVAL;
2328
2329 host2xfrm(dst, &aevent_id->sa_id.daddr);
2330 aevent_id->sa_id.spi = spi;
2331 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
2332 aevent_id->sa_id.family = dst->get_family(dst);
2333
2334 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2335 {
2336 hdr = out;
2337 while (NLMSG_OK(hdr, len))
2338 {
2339 switch (hdr->nlmsg_type)
2340 {
2341 case XFRM_MSG_NEWAE:
2342 {
2343 out_aevent = NLMSG_DATA(hdr);
2344 break;
2345 }
2346 case NLMSG_ERROR:
2347 {
2348 struct nlmsgerr *err = NLMSG_DATA(hdr);
2349 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
2350 strerror(-err->error), -err->error);
2351 break;
2352 }
2353 default:
2354 hdr = NLMSG_NEXT(hdr, len);
2355 continue;
2356 case NLMSG_DONE:
2357 break;
2358 }
2359 break;
2360 }
2361 }
2362
2363 if (out_aevent == NULL)
2364 {
2365 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
2366 ntohl(spi));
2367 free(out);
2368 return FAILED;
2369 }
2370
2371 rta = XFRM_RTA(out, struct xfrm_aevent_id);
2372 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
2373 while(RTA_OK(rta, rtasize))
2374 {
2375 if (rta->rta_type == XFRMA_REPLAY_VAL)
2376 {
2377 memcpy(replay, RTA_DATA(rta), rta->rta_len);
2378 free(out);
2379 return SUCCESS;
2380 }
2381 rta = RTA_NEXT(rta, rtasize);
2382 }
2383
2384 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
2385 ntohl(spi));
2386 free(out);
2387 return FAILED;
2388 }
2389
2390 /**
2391 * Implementation of kernel_interface_t.update_sa.
2392 */
2393 static status_t update_sa(private_kernel_interface_t *this,
2394 u_int32_t spi, protocol_id_t protocol,
2395 host_t *src, host_t *dst,
2396 host_t *new_src, host_t *new_dst, bool encap)
2397 {
2398 unsigned char request[BUFFER_SIZE], *pos;
2399 struct nlmsghdr *hdr, *out = NULL;
2400 struct xfrm_usersa_id *sa_id;
2401 struct xfrm_usersa_info *out_sa = NULL, *sa;
2402 size_t len;
2403 struct rtattr *rta;
2404 size_t rtasize;
2405 struct xfrm_encap_tmpl* tmpl = NULL;
2406 bool got_replay_state;
2407 struct xfrm_replay_state replay;
2408
2409 memset(&request, 0, sizeof(request));
2410
2411 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
2412
2413 /* query the existing SA first */
2414 hdr = (struct nlmsghdr*)request;
2415 hdr->nlmsg_flags = NLM_F_REQUEST;
2416 hdr->nlmsg_type = XFRM_MSG_GETSA;
2417 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2418
2419 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2420 host2xfrm(dst, &sa_id->daddr);
2421 sa_id->spi = spi;
2422 sa_id->proto = proto_ike2kernel(protocol);
2423 sa_id->family = dst->get_family(dst);
2424
2425 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2426 {
2427 hdr = out;
2428 while (NLMSG_OK(hdr, len))
2429 {
2430 switch (hdr->nlmsg_type)
2431 {
2432 case XFRM_MSG_NEWSA:
2433 {
2434 out_sa = NLMSG_DATA(hdr);
2435 break;
2436 }
2437 case NLMSG_ERROR:
2438 {
2439 struct nlmsgerr *err = NLMSG_DATA(hdr);
2440 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2441 strerror(-err->error), -err->error);
2442 break;
2443 }
2444 default:
2445 hdr = NLMSG_NEXT(hdr, len);
2446 continue;
2447 case NLMSG_DONE:
2448 break;
2449 }
2450 break;
2451 }
2452 }
2453 if (out_sa == NULL)
2454 {
2455 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
2456 free(out);
2457 return FAILED;
2458 }
2459
2460 /* try to get the replay state */
2461 got_replay_state = (get_replay_state(
2462 this, spi, protocol, dst, &replay) == SUCCESS);
2463
2464 /* delete the old SA */
2465 if (this->public.del_sa(&this->public, dst, spi, protocol) != SUCCESS)
2466 {
2467 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
2468 free(out);
2469 return FAILED;
2470 }
2471
2472 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
2473 ntohl(spi), src, dst, new_src, new_dst);
2474
2475 /* copy over the SA from out to request */
2476 hdr = (struct nlmsghdr*)request;
2477 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
2478 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2479 hdr->nlmsg_type = XFRM_MSG_NEWSA;
2480 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2481 sa = NLMSG_DATA(hdr);
2482 sa->family = new_dst->get_family(new_dst);
2483
2484 if (!src->ip_equals(src, new_src))
2485 {
2486 host2xfrm(new_src, &sa->saddr);
2487 }
2488 if (!dst->ip_equals(dst, new_dst))
2489 {
2490 host2xfrm(new_dst, &sa->id.daddr);
2491 }
2492
2493 rta = XFRM_RTA(out, struct xfrm_usersa_info);
2494 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
2495 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
2496 while(RTA_OK(rta, rtasize))
2497 {
2498 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
2499 if (rta->rta_type != XFRMA_ENCAP || encap)
2500 {
2501 if (rta->rta_type == XFRMA_ENCAP)
2502 { /* update encap tmpl */
2503 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2504 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2505 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2506 }
2507 memcpy(pos, rta, rta->rta_len);
2508 pos += RTA_ALIGN(rta->rta_len);
2509 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
2510 }
2511 rta = RTA_NEXT(rta, rtasize);
2512 }
2513
2514 rta = (struct rtattr*)pos;
2515 if (tmpl == NULL && encap)
2516 { /* add tmpl if we are enabling it */
2517 rta->rta_type = XFRMA_ENCAP;
2518 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2519
2520 hdr->nlmsg_len += rta->rta_len;
2521 if (hdr->nlmsg_len > sizeof(request))
2522 {
2523 return FAILED;
2524 }
2525
2526 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2527 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2528 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2529 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2530 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2531
2532 rta = XFRM_RTA_NEXT(rta);
2533 }
2534
2535 if (got_replay_state)
2536 { /* copy the replay data if available */
2537 rta->rta_type = XFRMA_REPLAY_VAL;
2538 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
2539
2540 hdr->nlmsg_len += rta->rta_len;
2541 if (hdr->nlmsg_len > sizeof(request))
2542 {
2543 return FAILED;
2544 }
2545 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
2546
2547 rta = XFRM_RTA_NEXT(rta);
2548 }
2549
2550 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2551 {
2552 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
2553 free(out);
2554 return FAILED;
2555 }
2556 free(out);
2557
2558 return SUCCESS;
2559 }
2560
2561 /**
2562 * Implementation of kernel_interface_t.query_sa.
2563 */
2564 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
2565 u_int32_t spi, protocol_id_t protocol,
2566 u_int32_t *use_time)
2567 {
2568 unsigned char request[BUFFER_SIZE];
2569 struct nlmsghdr *out = NULL, *hdr;
2570 struct xfrm_usersa_id *sa_id;
2571 struct xfrm_usersa_info *sa = NULL;
2572 size_t len;
2573
2574 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
2575 memset(&request, 0, sizeof(request));
2576
2577 hdr = (struct nlmsghdr*)request;
2578 hdr->nlmsg_flags = NLM_F_REQUEST;
2579 hdr->nlmsg_type = XFRM_MSG_GETSA;
2580 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2581
2582 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2583 host2xfrm(dst, &sa_id->daddr);
2584 sa_id->spi = spi;
2585 sa_id->proto = proto_ike2kernel(protocol);
2586 sa_id->family = dst->get_family(dst);
2587
2588 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2589 {
2590 hdr = out;
2591 while (NLMSG_OK(hdr, len))
2592 {
2593 switch (hdr->nlmsg_type)
2594 {
2595 case XFRM_MSG_NEWSA:
2596 {
2597 sa = NLMSG_DATA(hdr);
2598 break;
2599 }
2600 case NLMSG_ERROR:
2601 {
2602 struct nlmsgerr *err = NLMSG_DATA(hdr);
2603 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2604 strerror(-err->error), -err->error);
2605 break;
2606 }
2607 default:
2608 hdr = NLMSG_NEXT(hdr, len);
2609 continue;
2610 case NLMSG_DONE:
2611 break;
2612 }
2613 break;
2614 }
2615 }
2616
2617 if (sa == NULL)
2618 {
2619 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
2620 free(out);
2621 return FAILED;
2622 }
2623
2624 *use_time = sa->curlft.use_time;
2625 free (out);
2626 return SUCCESS;
2627 }
2628
2629 /**
2630 * Implementation of kernel_interface_t.del_sa.
2631 */
2632 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
2633 u_int32_t spi, protocol_id_t protocol)
2634 {
2635 unsigned char request[BUFFER_SIZE];
2636 struct nlmsghdr *hdr;
2637 struct xfrm_usersa_id *sa_id;
2638
2639 memset(&request, 0, sizeof(request));
2640
2641 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
2642
2643 hdr = (struct nlmsghdr*)request;
2644 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2645 hdr->nlmsg_type = XFRM_MSG_DELSA;
2646 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2647
2648 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2649 host2xfrm(dst, &sa_id->daddr);
2650 sa_id->spi = spi;
2651 sa_id->proto = proto_ike2kernel(protocol);
2652 sa_id->family = dst->get_family(dst);
2653
2654 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2655 {
2656 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
2657 return FAILED;
2658 }
2659 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
2660 return SUCCESS;
2661 }
2662
2663 /**
2664 * Implementation of kernel_interface_t.add_policy.
2665 */
2666 static status_t add_policy(private_kernel_interface_t *this,
2667 host_t *src, host_t *dst,
2668 traffic_selector_t *src_ts,
2669 traffic_selector_t *dst_ts,
2670 policy_dir_t direction, protocol_id_t protocol,
2671 u_int32_t reqid, bool high_prio, mode_t mode,
2672 u_int16_t ipcomp)
2673 {
2674 iterator_t *iterator;
2675 policy_entry_t *current, *policy;
2676 bool found = FALSE;
2677 unsigned char request[BUFFER_SIZE];
2678 struct xfrm_userpolicy_info *policy_info;
2679 struct nlmsghdr *hdr;
2680
2681 /* create a policy */
2682 policy = malloc_thing(policy_entry_t);
2683 memset(policy, 0, sizeof(policy_entry_t));
2684 policy->sel = ts2selector(src_ts, dst_ts);
2685 policy->direction = direction;
2686
2687 /* find the policy, which matches EXACTLY */
2688 pthread_mutex_lock(&this->mutex);
2689 iterator = this->policies->create_iterator(this->policies, TRUE);
2690 while (iterator->iterate(iterator, (void**)&current))
2691 {
2692 if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
2693 policy->direction == current->direction)
2694 {
2695 /* use existing policy */
2696 current->refcount++;
2697 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
2698 "refcount", src_ts, dst_ts,
2699 policy_dir_names, direction);
2700 free(policy);
2701 policy = current;
2702 found = TRUE;
2703 break;
2704 }
2705 }
2706 iterator->destroy(iterator);
2707 if (!found)
2708 { /* apply the new one, if we have no such policy */
2709 this->policies->insert_last(this->policies, policy);
2710 policy->refcount = 1;
2711 }
2712
2713 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
2714 policy_dir_names, direction);
2715
2716 memset(&request, 0, sizeof(request));
2717 hdr = (struct nlmsghdr*)request;
2718 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2719 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
2720 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2721
2722 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2723 policy_info->sel = policy->sel;
2724 policy_info->dir = policy->direction;
2725 /* calculate priority based on source selector size, small size = high prio */
2726 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
2727 policy_info->priority -= policy->sel.prefixlen_s * 10;
2728 policy_info->priority -= policy->sel.proto ? 2 : 0;
2729 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
2730 policy_info->action = XFRM_POLICY_ALLOW;
2731 policy_info->share = XFRM_SHARE_ANY;
2732 pthread_mutex_unlock(&this->mutex);
2733
2734 /* policies don't expire */
2735 policy_info->lft.soft_byte_limit = XFRM_INF;
2736 policy_info->lft.soft_packet_limit = XFRM_INF;
2737 policy_info->lft.hard_byte_limit = XFRM_INF;
2738 policy_info->lft.hard_packet_limit = XFRM_INF;
2739 policy_info->lft.soft_add_expires_seconds = 0;
2740 policy_info->lft.hard_add_expires_seconds = 0;
2741 policy_info->lft.soft_use_expires_seconds = 0;
2742 policy_info->lft.hard_use_expires_seconds = 0;
2743
2744 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
2745 rthdr->rta_type = XFRMA_TMPL;
2746 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2747
2748 hdr->nlmsg_len += rthdr->rta_len;
2749 if (hdr->nlmsg_len > sizeof(request))
2750 {
2751 return FAILED;
2752 }
2753
2754 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
2755
2756 if (ipcomp != IPCOMP_NONE)
2757 {
2758 tmpl->reqid = reqid;
2759 tmpl->id.proto = IPPROTO_COMP;
2760 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2761 tmpl->mode = mode;
2762 tmpl->optional = direction != POLICY_OUT;
2763 tmpl->family = src->get_family(src);
2764
2765 host2xfrm(src, &tmpl->saddr);
2766 host2xfrm(dst, &tmpl->id.daddr);
2767
2768 /* add an additional xfrm_user_tmpl */
2769 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2770 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2771 if (hdr->nlmsg_len > sizeof(request))
2772 {
2773 return FAILED;
2774 }
2775
2776 tmpl++;
2777 }
2778
2779 tmpl->reqid = reqid;
2780 tmpl->id.proto = proto_ike2kernel(protocol);
2781 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2782 tmpl->mode = mode;
2783 tmpl->family = src->get_family(src);
2784
2785 host2xfrm(src, &tmpl->saddr);
2786 host2xfrm(dst, &tmpl->id.daddr);
2787
2788 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2789 {
2790 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
2791 policy_dir_names, direction);
2792 return FAILED;
2793 }
2794
2795 /* install a route, if:
2796 * - we are NOT updating a policy
2797 * - this is a forward policy (to just get one for each child)
2798 * - we are in tunnel mode
2799 * - we are not using IPv6 (does not work correctly yet!)
2800 * - routing is not disabled via strongswan.conf
2801 */
2802 if (policy->route == NULL && direction == POLICY_FWD &&
2803 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
2804 this->install_routes)
2805 {
2806 policy->route = malloc_thing(route_entry_t);
2807 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
2808 {
2809 /* get the nexthop to src (src as we are in POLICY_FWD).*/
2810 policy->route->gateway = get_route(this, src, TRUE);
2811 policy->route->if_index = get_interface_index(this, dst);
2812 policy->route->dst_net = chunk_alloc(
2813 policy->sel.family == AF_INET ? 4 : 16);
2814 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr,
2815 policy->route->dst_net.len);
2816 policy->route->prefixlen = policy->sel.prefixlen_s;
2817
2818 switch (manage_srcroute(this, RTM_NEWROUTE,
2819 NLM_F_CREATE | NLM_F_EXCL, policy->route))
2820 {
2821 default:
2822 DBG1(DBG_KNL, "unable to install source route for %H",
2823 policy->route->src_ip);
2824 /* FALL */
2825 case ALREADY_DONE:
2826 /* route exists, do not uninstall */
2827 route_entry_destroy(policy->route);
2828 policy->route = NULL;
2829 break;
2830 case SUCCESS:
2831 break;
2832 }
2833 }
2834 else
2835 {
2836 free(policy->route);
2837 policy->route = NULL;
2838 }
2839 }
2840
2841 return SUCCESS;
2842 }
2843
2844 /**
2845 * Implementation of kernel_interface_t.query_policy.
2846 */
2847 static status_t query_policy(private_kernel_interface_t *this,
2848 traffic_selector_t *src_ts,
2849 traffic_selector_t *dst_ts,
2850 policy_dir_t direction, u_int32_t *use_time)
2851 {
2852 unsigned char request[BUFFER_SIZE];
2853 struct nlmsghdr *out = NULL, *hdr;
2854 struct xfrm_userpolicy_id *policy_id;
2855 struct xfrm_userpolicy_info *policy = NULL;
2856 size_t len;
2857
2858 memset(&request, 0, sizeof(request));
2859
2860 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
2861 policy_dir_names, direction);
2862
2863 hdr = (struct nlmsghdr*)request;
2864 hdr->nlmsg_flags = NLM_F_REQUEST;
2865 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2866 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2867
2868 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2869 policy_id->sel = ts2selector(src_ts, dst_ts);
2870 policy_id->dir = direction;
2871
2872 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2873 {
2874 hdr = out;
2875 while (NLMSG_OK(hdr, len))
2876 {
2877 switch (hdr->nlmsg_type)
2878 {
2879 case XFRM_MSG_NEWPOLICY:
2880 {
2881 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2882 break;
2883 }
2884 case NLMSG_ERROR:
2885 {
2886 struct nlmsgerr *err = NLMSG_DATA(hdr);
2887 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2888 strerror(-err->error), -err->error);
2889 break;
2890 }
2891 default:
2892 hdr = NLMSG_NEXT(hdr, len);
2893 continue;
2894 case NLMSG_DONE:
2895 break;
2896 }
2897 break;
2898 }
2899 }
2900
2901 if (policy == NULL)
2902 {
2903 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
2904 policy_dir_names, direction);
2905 free(out);
2906 return FAILED;
2907 }
2908 *use_time = (time_t)policy->curlft.use_time;
2909
2910 free(out);
2911 return SUCCESS;
2912 }
2913
2914 /**
2915 * Implementation of kernel_interface_t.del_policy.
2916 */
2917 static status_t del_policy(private_kernel_interface_t *this,
2918 traffic_selector_t *src_ts,
2919 traffic_selector_t *dst_ts,
2920 policy_dir_t direction)
2921 {
2922 policy_entry_t *current, policy, *to_delete = NULL;
2923 route_entry_t *route;
2924 unsigned char request[BUFFER_SIZE];
2925 struct nlmsghdr *hdr;
2926 struct xfrm_userpolicy_id *policy_id;
2927 iterator_t *iterator;
2928
2929 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
2930 policy_dir_names, direction);
2931
2932 /* create a policy */
2933 memset(&policy, 0, sizeof(policy_entry_t));
2934 policy.sel = ts2selector(src_ts, dst_ts);
2935 policy.direction = direction;
2936
2937 /* find the policy */
2938 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
2939 while (iterator->iterate(iterator, (void**)&current))
2940 {
2941 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
2942 policy.direction == current->direction)
2943 {
2944 to_delete = current;
2945 if (--to_delete->refcount > 0)
2946 {
2947 /* is used by more SAs, keep in kernel */
2948 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2949 iterator->destroy(iterator);
2950 return SUCCESS;
2951 }
2952 /* remove if last reference */
2953 iterator->remove(iterator);
2954 break;
2955 }
2956 }
2957 iterator->destroy(iterator);
2958 if (!to_delete)
2959 {
2960 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
2961 dst_ts, policy_dir_names, direction);
2962 return NOT_FOUND;
2963 }
2964
2965 memset(&request, 0, sizeof(request));
2966
2967 hdr = (struct nlmsghdr*)request;
2968 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2969 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2970 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2971
2972 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2973 policy_id->sel = to_delete->sel;
2974 policy_id->dir = direction;
2975
2976 route = to_delete->route;
2977 free(to_delete);
2978
2979 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2980 {
2981 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
2982 policy_dir_names, direction);
2983 return FAILED;
2984 }
2985
2986 if (route)
2987 {
2988 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
2989 {
2990 DBG1(DBG_KNL, "error uninstalling route installed with "
2991 "policy %R === %R %N", src_ts, dst_ts,
2992 policy_dir_names, direction);
2993 }
2994 route_entry_destroy(route);
2995 }
2996 return SUCCESS;
2997 }
2998
2999 /**
3000 * Implementation of kernel_interface_t.destroy.
3001 */
3002 static void destroy(private_kernel_interface_t *this)
3003 {
3004 if (this->routing_table)
3005 {
3006 manage_rule(this, RTM_DELRULE, this->routing_table,
3007 this->routing_table_prio);
3008 }
3009
3010 this->job->cancel(this->job);
3011 close(this->socket_xfrm_events);
3012 close(this->socket_xfrm);
3013 close(this->socket_rt_events);
3014 close(this->socket_rt);
3015 this->policies->destroy(this->policies);
3016 this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
3017 free(this);
3018 }
3019
3020 /*
3021 * Described in header.
3022 */
3023 kernel_interface_t *kernel_interface_create()
3024 {
3025 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
3026 struct sockaddr_nl addr;
3027
3028 /* public functions */
3029 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
3030 this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
3031 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,mode_t,u_int16_t,bool,bool))add_sa;
3032 this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
3033 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
3034 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
3035 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,u_int16_t))add_policy;
3036 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
3037 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
3038 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
3039 this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
3040 this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest))get_source_addr;
3041 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
3042 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
3043 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
3044
3045 /* private members */
3046 this->policies = linked_list_create();
3047 this->ifaces = linked_list_create();
3048 this->hiter = NULL;
3049 this->seq = 200;
3050 pthread_mutex_init(&this->mutex, NULL);
3051 pthread_mutex_init(&this->nl_mutex, NULL);
3052 pthread_cond_init(&this->cond, NULL);
3053 timerclear(&this->last_roam);
3054 this->install_routes = lib->settings->get_bool(lib->settings,
3055 "charon.install_routes", TRUE);
3056 this->routing_table = lib->settings->get_int(lib->settings,
3057 "charon.routing_table", IPSEC_ROUTING_TABLE);
3058 this->routing_table_prio = lib->settings->get_int(lib->settings,
3059 "charon.routing_table_prio", IPSEC_ROUTING_TABLE_PRIO);
3060 this->process_route = lib->settings->get_bool(lib->settings,
3061 "charon.process_route", TRUE);
3062 memset(&addr, 0, sizeof(addr));
3063 addr.nl_family = AF_NETLINK;
3064
3065 /* create and bind RT socket */
3066 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
3067 if (this->socket_rt <= 0)
3068 {
3069 charon->kill(charon, "unable to create RT netlink socket");
3070 }
3071 addr.nl_groups = 0;
3072 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
3073 {
3074 charon->kill(charon, "unable to bind RT netlink socket");
3075 }
3076
3077 /* create and bind RT socket for events (address/interface/route changes) */
3078 this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
3079 if (this->socket_rt_events <= 0)
3080 {
3081 charon->kill(charon, "unable to create RT event socket");
3082 }
3083 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
3084 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
3085 if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
3086 {
3087 charon->kill(charon, "unable to bind RT event socket");
3088 }
3089
3090 /* create and bind XFRM socket */
3091 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
3092 if (this->socket_xfrm <= 0)
3093 {
3094 charon->kill(charon, "unable to create XFRM netlink socket");
3095 }
3096 addr.nl_groups = 0;
3097 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
3098 {
3099 charon->kill(charon, "unable to bind XFRM netlink socket");
3100 }
3101
3102 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
3103 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
3104 if (this->socket_xfrm_events <= 0)
3105 {
3106 charon->kill(charon, "unable to create XFRM event socket");
3107 }
3108 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
3109 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
3110 {
3111 charon->kill(charon, "unable to bind XFRM event socket");
3112 }
3113
3114 this->job = callback_job_create((callback_job_cb_t)receive_events,
3115 this, NULL, NULL);
3116 charon->processor->queue_job(charon->processor, (job_t*)this->job);
3117
3118 if (init_address_list(this) != SUCCESS)
3119 {
3120 charon->kill(charon, "unable to get interface list");
3121 }
3122
3123 if (this->routing_table)
3124 {
3125 if (manage_rule(this, RTM_NEWRULE, this->routing_table,
3126 this->routing_table_prio) != SUCCESS)
3127 {
3128 DBG1(DBG_KNL, "unable to create routing table rule");
3129 }
3130 }
3131
3132 return &this->public;
3133 }