consistent logging of IKE and CHILD SAs
[strongswan.git] / src / charon / kernel / kernel_interface.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 *
19 * $Id$
20 */
21
22 #include <sys/types.h>
23 #include <sys/socket.h>
24 #include <sys/time.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <netinet/in.h>
30 #include <pthread.h>
31 #include <unistd.h>
32 #include <fcntl.h>
33 #include <errno.h>
34 #include <string.h>
35 #include <net/if.h>
36 #include <sys/ioctl.h>
37
38 #include "kernel_interface.h"
39
40 #include <daemon.h>
41 #include <utils/linked_list.h>
42 #include <processing/jobs/delete_child_sa_job.h>
43 #include <processing/jobs/rekey_child_sa_job.h>
44 #include <processing/jobs/acquire_job.h>
45 #include <processing/jobs/callback_job.h>
46 #include <processing/jobs/roam_job.h>
47
48 /** required for Linux 2.6.26 kernel and later */
49 #ifndef XFRM_STATE_AF_UNSPEC
50 #define XFRM_STATE_AF_UNSPEC 32
51 #endif
52
53 /** routing table for routes installed by us */
54 #ifndef IPSEC_ROUTING_TABLE
55 #define IPSEC_ROUTING_TABLE 100
56 #endif
57 #ifndef IPSEC_ROUTING_TABLE_PRIO
58 #define IPSEC_ROUTING_TABLE_PRIO 100
59 #endif
60
61 /** default priority of installed policies */
62 #define PRIO_LOW 3000
63 #define PRIO_HIGH 2000
64
65 /** delay before firing roam jobs (ms) */
66 #define ROAM_DELAY 100
67
68 #define BUFFER_SIZE 1024
69
70 /**
71 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
72 * 'usual' netlink data x like 'struct xfrm_usersa_info'
73 */
74 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
75 /**
76 * returns a pointer to the next rtattr following rta.
77 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
78 */
79 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
80 /**
81 * returns the total size of attached rta data
82 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
83 */
84 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
85
86 typedef struct kernel_algorithm_t kernel_algorithm_t;
87
88 /**
89 * Mapping from the algorithms defined in IKEv2 to
90 * kernel level algorithm names and their key length
91 */
92 struct kernel_algorithm_t {
93 /**
94 * Identifier specified in IKEv2
95 */
96 int ikev2_id;
97
98 /**
99 * Name of the algorithm, as used as kernel identifier
100 */
101 char *name;
102
103 /**
104 * Key length in bits, if fixed size
105 */
106 u_int key_size;
107 };
108 #define END_OF_LIST -1
109
110 /**
111 * Algorithms for encryption
112 */
113 static kernel_algorithm_t encryption_algs[] = {
114 /* {ENCR_DES_IV64, "***", 0}, */
115 {ENCR_DES, "des", 64},
116 {ENCR_3DES, "des3_ede", 192},
117 /* {ENCR_RC5, "***", 0}, */
118 /* {ENCR_IDEA, "***", 0}, */
119 {ENCR_CAST, "cast128", 0},
120 {ENCR_BLOWFISH, "blowfish", 0},
121 /* {ENCR_3IDEA, "***", 0}, */
122 /* {ENCR_DES_IV32, "***", 0}, */
123 {ENCR_NULL, "cipher_null", 0},
124 {ENCR_AES_CBC, "aes", 0},
125 /* {ENCR_AES_CTR, "***", 0}, */
126 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))", 64}, /* key_size = ICV size */
127 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))", 96}, /* key_size = ICV size */
128 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))", 128}, /* key_size = ICV size */
129 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))", 64}, /* key_size = ICV size */
130 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))", 96}, /* key_size = ICV size */
131 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))", 128}, /* key_size = ICV size */
132 {END_OF_LIST, NULL, 0},
133 };
134
135 /**
136 * Algorithms for integrity protection
137 */
138 static kernel_algorithm_t integrity_algs[] = {
139 {AUTH_HMAC_MD5_96, "md5", 128},
140 {AUTH_HMAC_SHA1_96, "sha1", 160},
141 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
142 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
143 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
144 /* {AUTH_DES_MAC, "***", 0}, */
145 /* {AUTH_KPDK_MD5, "***", 0}, */
146 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
147 {END_OF_LIST, NULL, 0},
148 };
149
150 /**
151 * Algorithms for IPComp
152 */
153 static kernel_algorithm_t compression_algs[] = {
154 /* {IPCOMP_OUI, "***", 0}, */
155 {IPCOMP_DEFLATE, "deflate", 0},
156 {IPCOMP_LZS, "lzs", 0},
157 {IPCOMP_LZJH, "lzjh", 0},
158 {END_OF_LIST, NULL, 0},
159 };
160
161 /**
162 * Look up a kernel algorithm name and its key size
163 */
164 static char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
165 u_int16_t ikev2_algo, u_int16_t *key_size)
166 {
167 while (kernel_algo->ikev2_id != END_OF_LIST)
168 {
169 if (ikev2_algo == kernel_algo->ikev2_id)
170 {
171 /* match, evaluate key length */
172 if (key_size && *key_size == 0)
173 { /* update key size if not set */
174 *key_size = kernel_algo->key_size;
175 }
176 return kernel_algo->name;
177 }
178 kernel_algo++;
179 }
180 return NULL;
181 }
182
183 typedef struct route_entry_t route_entry_t;
184
185 /**
186 * installed routing entry
187 */
188 struct route_entry_t {
189
190 /** Index of the interface the route is bound to */
191 int if_index;
192
193 /** Source ip of the route */
194 host_t *src_ip;
195
196 /** gateway for this route */
197 host_t *gateway;
198
199 /** Destination net */
200 chunk_t dst_net;
201
202 /** Destination net prefixlen */
203 u_int8_t prefixlen;
204 };
205
206 /**
207 * destroy an route_entry_t object
208 */
209 static void route_entry_destroy(route_entry_t *this)
210 {
211 this->src_ip->destroy(this->src_ip);
212 this->gateway->destroy(this->gateway);
213 chunk_free(&this->dst_net);
214 free(this);
215 }
216
217 typedef struct policy_entry_t policy_entry_t;
218
219 /**
220 * installed kernel policy.
221 */
222 struct policy_entry_t {
223
224 /** direction of this policy: in, out, forward */
225 u_int8_t direction;
226
227 /** reqid of the policy */
228 u_int32_t reqid;
229
230 /** parameters of installed policy */
231 struct xfrm_selector sel;
232
233 /** associated route installed for this policy */
234 route_entry_t *route;
235
236 /** by how many CHILD_SA's this policy is used */
237 u_int refcount;
238 };
239
240 typedef struct addr_entry_t addr_entry_t;
241
242 /**
243 * IP address in an inface_entry_t
244 */
245 struct addr_entry_t {
246
247 /** The ip address */
248 host_t *ip;
249
250 /** virtual IP managed by us */
251 bool virtual;
252
253 /** scope of the address */
254 u_char scope;
255
256 /** Number of times this IP is used, if virtual */
257 u_int refcount;
258 };
259
260 /**
261 * destroy a addr_entry_t object
262 */
263 static void addr_entry_destroy(addr_entry_t *this)
264 {
265 this->ip->destroy(this->ip);
266 free(this);
267 }
268
269 typedef struct iface_entry_t iface_entry_t;
270
271 /**
272 * A network interface on this system, containing addr_entry_t's
273 */
274 struct iface_entry_t {
275
276 /** interface index */
277 int ifindex;
278
279 /** name of the interface */
280 char ifname[IFNAMSIZ];
281
282 /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
283 u_int flags;
284
285 /** list of addresses as host_t */
286 linked_list_t *addrs;
287 };
288
289 /**
290 * destroy an interface entry
291 */
292 static void iface_entry_destroy(iface_entry_t *this)
293 {
294 this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
295 free(this);
296 }
297
298 typedef struct private_kernel_interface_t private_kernel_interface_t;
299
300 /**
301 * Private variables and functions of kernel_interface class.
302 */
303 struct private_kernel_interface_t {
304 /**
305 * Public part of the kernel_interface_t object.
306 */
307 kernel_interface_t public;
308
309 /**
310 * mutex to lock access to netlink socket
311 */
312 pthread_mutex_t nl_mutex;
313
314 /**
315 * mutex to lock access to various lists
316 */
317 pthread_mutex_t mutex;
318
319 /**
320 * condition variable to signal virtual IP add/removal
321 */
322 pthread_cond_t cond;
323
324 /**
325 * List of installed policies (policy_entry_t)
326 */
327 linked_list_t *policies;
328
329 /**
330 * Cached list of interfaces and its adresses (iface_entry_t)
331 */
332 linked_list_t *ifaces;
333
334 /**
335 * iterator used in hook()
336 */
337 iterator_t *hiter;
338
339 /**
340 * job receiving netlink events
341 */
342 callback_job_t *job;
343
344 /**
345 * current sequence number for netlink request
346 */
347 int seq;
348
349 /**
350 * Netlink xfrm socket (IPsec)
351 */
352 int socket_xfrm;
353
354 /**
355 * netlink xfrm socket to receive acquire and expire events
356 */
357 int socket_xfrm_events;
358
359 /**
360 * Netlink rt socket (routing)
361 */
362 int socket_rt;
363
364 /**
365 * Netlink rt socket to receive address change events
366 */
367 int socket_rt_events;
368
369 /**
370 * time of the last roam_job
371 */
372 struct timeval last_roam;
373
374 /**
375 * whether to install routes along policies
376 */
377 bool install_routes;
378
379 /**
380 * routing table to install routes
381 */
382 int routing_table;
383
384 /**
385 * priority of used routing table
386 */
387 int routing_table_prio;
388 };
389
390 /**
391 * convert a IKEv2 specific protocol identifier to the kernel one
392 */
393 static u_int8_t proto_ike2kernel(protocol_id_t proto)
394 {
395 switch (proto)
396 {
397 case PROTO_ESP:
398 return IPPROTO_ESP;
399 case PROTO_AH:
400 return IPPROTO_AH;
401 default:
402 return proto;
403 }
404 }
405
406 /**
407 * reverse of ike2kernel
408 */
409 static protocol_id_t proto_kernel2ike(u_int8_t proto)
410 {
411 switch (proto)
412 {
413 case IPPROTO_ESP:
414 return PROTO_ESP;
415 case IPPROTO_AH:
416 return PROTO_AH;
417 default:
418 return proto;
419 }
420 }
421
422 /**
423 * convert a host_t to a struct xfrm_address
424 */
425 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
426 {
427 chunk_t chunk = host->get_address(host);
428 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
429 }
430
431 /**
432 * convert a traffic selector address range to subnet and its mask.
433 */
434 static void ts2subnet(traffic_selector_t* ts,
435 xfrm_address_t *net, u_int8_t *mask)
436 {
437 /* there is no way to do this cleanly, as the address range may
438 * be anything else but a subnet. We use from_addr as subnet
439 * and try to calculate a usable subnet mask.
440 */
441 int byte, bit;
442 bool found = FALSE;
443 chunk_t from, to;
444 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
445
446 from = ts->get_from_address(ts);
447 to = ts->get_to_address(ts);
448
449 *mask = (size * 8);
450 /* go trough all bits of the addresses, beginning in the front.
451 * as long as they are equal, the subnet gets larger
452 */
453 for (byte = 0; byte < size; byte++)
454 {
455 for (bit = 7; bit >= 0; bit--)
456 {
457 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
458 {
459 *mask = ((7 - bit) + (byte * 8));
460 found = TRUE;
461 break;
462 }
463 }
464 if (found)
465 {
466 break;
467 }
468 }
469 memcpy(net, from.ptr, from.len);
470 chunk_free(&from);
471 chunk_free(&to);
472 }
473
474 /**
475 * convert a traffic selector port range to port/portmask
476 */
477 static void ts2ports(traffic_selector_t* ts,
478 u_int16_t *port, u_int16_t *mask)
479 {
480 /* linux does not seem to accept complex portmasks. Only
481 * any or a specific port is allowed. We set to any, if we have
482 * a port range, or to a specific, if we have one port only.
483 */
484 u_int16_t from, to;
485
486 from = ts->get_from_port(ts);
487 to = ts->get_to_port(ts);
488
489 if (from == to)
490 {
491 *port = htons(from);
492 *mask = ~0;
493 }
494 else
495 {
496 *port = 0;
497 *mask = 0;
498 }
499 }
500
501 /**
502 * convert a pair of traffic_selectors to a xfrm_selector
503 */
504 static struct xfrm_selector ts2selector(traffic_selector_t *src,
505 traffic_selector_t *dst)
506 {
507 struct xfrm_selector sel;
508
509 memset(&sel, 0, sizeof(sel));
510 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
511 /* src or dest proto may be "any" (0), use more restrictive one */
512 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
513 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
514 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
515 ts2ports(dst, &sel.dport, &sel.dport_mask);
516 ts2ports(src, &sel.sport, &sel.sport_mask);
517 sel.ifindex = 0;
518 sel.user = 0;
519
520 return sel;
521 }
522
523 /**
524 * Creates an rtattr and adds it to the netlink message
525 */
526 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
527 size_t buflen)
528 {
529 struct rtattr *rta;
530
531 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
532 {
533 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
534 return;
535 }
536
537 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
538 rta->rta_type = rta_type;
539 rta->rta_len = RTA_LENGTH(data.len);
540 memcpy(RTA_DATA(rta), data.ptr, data.len);
541 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
542 }
543
544 /**
545 * process a XFRM_MSG_ACQUIRE from kernel
546 */
547 static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
548 {
549 u_int32_t reqid = 0;
550 int proto = 0;
551 job_t *job;
552 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
553 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
554
555 if (RTA_OK(rtattr, rtsize))
556 {
557 if (rtattr->rta_type == XFRMA_TMPL)
558 {
559 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
560 reqid = tmpl->reqid;
561 proto = tmpl->id.proto;
562 }
563 }
564 switch (proto)
565 {
566 case 0:
567 case IPPROTO_ESP:
568 case IPPROTO_AH:
569 break;
570 default:
571 /* acquire for AH/ESP only, not for IPCOMP */
572 return;
573 }
574 if (reqid == 0)
575 {
576 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
577 return;
578 }
579 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
580 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with {reqid %d}", reqid);
581 job = (job_t*)acquire_job_create(reqid);
582 charon->processor->queue_job(charon->processor, job);
583 }
584
585 /**
586 * process a XFRM_MSG_EXPIRE from kernel
587 */
588 static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
589 {
590 job_t *job;
591 protocol_id_t protocol;
592 u_int32_t spi, reqid;
593 struct xfrm_user_expire *expire;
594
595 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
596 protocol = proto_kernel2ike(expire->state.id.proto);
597 spi = expire->state.id.spi;
598 reqid = expire->state.reqid;
599
600 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
601
602 if (protocol != PROTO_ESP && protocol != PROTO_AH)
603 {
604 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA 0x%x {reqid %d} which is "
605 "not a CHILD_SA", ntohl(spi), reqid);
606 return;
607 }
608
609 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x {reqid %d}",
610 expire->hard ? "delete" : "rekey", protocol_id_names,
611 protocol, ntohl(spi), reqid);
612 if (expire->hard)
613 {
614 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
615 }
616 else
617 {
618 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
619 }
620 charon->processor->queue_job(charon->processor, job);
621 }
622
623 /**
624 * start a roaming job. We delay it for a second and fire only one job
625 * for multiple events. Otherwise we would create two many jobs.
626 */
627 static void fire_roam_job(private_kernel_interface_t *this, bool address)
628 {
629 struct timeval now;
630
631 if (gettimeofday(&now, NULL) == 0)
632 {
633 if (timercmp(&now, &this->last_roam, >))
634 {
635 now.tv_usec += ROAM_DELAY * 1000;
636 while (now.tv_usec > 1000000)
637 {
638 now.tv_sec++;
639 now.tv_usec -= 1000000;
640 }
641 this->last_roam = now;
642 charon->scheduler->schedule_job(charon->scheduler,
643 (job_t*)roam_job_create(address), ROAM_DELAY);
644 }
645 }
646 }
647
648 /**
649 * process RTM_NEWLINK/RTM_DELLINK from kernel
650 */
651 static void process_link(private_kernel_interface_t *this,
652 struct nlmsghdr *hdr, bool event)
653 {
654 struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
655 struct rtattr *rta = IFLA_RTA(msg);
656 size_t rtasize = IFLA_PAYLOAD (hdr);
657 iterator_t *iterator;
658 iface_entry_t *current, *entry = NULL;
659 char *name = NULL;
660 bool update = FALSE;
661
662 while(RTA_OK(rta, rtasize))
663 {
664 switch (rta->rta_type)
665 {
666 case IFLA_IFNAME:
667 name = RTA_DATA(rta);
668 break;
669 }
670 rta = RTA_NEXT(rta, rtasize);
671 }
672 if (!name)
673 {
674 name = "(unknown)";
675 }
676
677 switch (hdr->nlmsg_type)
678 {
679 case RTM_NEWLINK:
680 {
681 if (msg->ifi_flags & IFF_LOOPBACK)
682 { /* ignore loopback interfaces */
683 break;
684 }
685 iterator = this->ifaces->create_iterator_locked(this->ifaces,
686 &this->mutex);
687 while (iterator->iterate(iterator, (void**)&current))
688 {
689 if (current->ifindex == msg->ifi_index)
690 {
691 entry = current;
692 break;
693 }
694 }
695 if (!entry)
696 {
697 entry = malloc_thing(iface_entry_t);
698 entry->ifindex = msg->ifi_index;
699 entry->flags = 0;
700 entry->addrs = linked_list_create();
701 this->ifaces->insert_last(this->ifaces, entry);
702 }
703 memcpy(entry->ifname, name, IFNAMSIZ);
704 entry->ifname[IFNAMSIZ-1] = '\0';
705 if (event)
706 {
707 if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
708 {
709 update = TRUE;
710 DBG1(DBG_KNL, "interface %s activated", name);
711 }
712 if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
713 {
714 update = TRUE;
715 DBG1(DBG_KNL, "interface %s deactivated", name);
716 }
717 }
718 entry->flags = msg->ifi_flags;
719 iterator->destroy(iterator);
720 break;
721 }
722 case RTM_DELLINK:
723 {
724 iterator = this->ifaces->create_iterator_locked(this->ifaces,
725 &this->mutex);
726 while (iterator->iterate(iterator, (void**)&current))
727 {
728 if (current->ifindex == msg->ifi_index)
729 {
730 /* we do not remove it, as an address may be added to a
731 * "down" interface and we wan't to know that. */
732 current->flags = msg->ifi_flags;
733 break;
734 }
735 }
736 iterator->destroy(iterator);
737 break;
738 }
739 }
740
741 /* send an update to all IKE_SAs */
742 if (update && event)
743 {
744 fire_roam_job(this, TRUE);
745 }
746 }
747
748 /**
749 * process RTM_NEWADDR/RTM_DELADDR from kernel
750 */
751 static void process_addr(private_kernel_interface_t *this,
752 struct nlmsghdr *hdr, bool event)
753 {
754 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
755 struct rtattr *rta = IFA_RTA(msg);
756 size_t rtasize = IFA_PAYLOAD (hdr);
757 host_t *host = NULL;
758 iterator_t *ifaces, *addrs;
759 iface_entry_t *iface;
760 addr_entry_t *addr;
761 chunk_t local = chunk_empty, address = chunk_empty;
762 bool update = FALSE, found = FALSE, changed = FALSE;
763
764 while(RTA_OK(rta, rtasize))
765 {
766 switch (rta->rta_type)
767 {
768 case IFA_LOCAL:
769 local.ptr = RTA_DATA(rta);
770 local.len = RTA_PAYLOAD(rta);
771 break;
772 case IFA_ADDRESS:
773 address.ptr = RTA_DATA(rta);
774 address.len = RTA_PAYLOAD(rta);
775 break;
776 }
777 rta = RTA_NEXT(rta, rtasize);
778 }
779
780 /* For PPP interfaces, we need the IFA_LOCAL address,
781 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
782 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
783 if (local.ptr)
784 {
785 host = host_create_from_chunk(msg->ifa_family, local, 0);
786 }
787 else if (address.ptr)
788 {
789 host = host_create_from_chunk(msg->ifa_family, address, 0);
790 }
791
792 if (host == NULL)
793 { /* bad family? */
794 return;
795 }
796
797 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
798 while (ifaces->iterate(ifaces, (void**)&iface))
799 {
800 if (iface->ifindex == msg->ifa_index)
801 {
802 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
803 while (addrs->iterate(addrs, (void**)&addr))
804 {
805 if (host->ip_equals(host, addr->ip))
806 {
807 found = TRUE;
808 if (hdr->nlmsg_type == RTM_DELADDR)
809 {
810 changed = TRUE;
811 addrs->remove(addrs);
812 if (!addr->virtual)
813 {
814 DBG1(DBG_KNL, "%H disappeared from %s",
815 host, iface->ifname);
816 }
817 addr_entry_destroy(addr);
818 }
819 else if (hdr->nlmsg_type == RTM_NEWADDR && addr->virtual)
820 {
821 addr->refcount = 1;
822 }
823 }
824 }
825 addrs->destroy(addrs);
826
827 if (hdr->nlmsg_type == RTM_NEWADDR)
828 {
829 if (!found)
830 {
831 found = TRUE;
832 changed = TRUE;
833 addr = malloc_thing(addr_entry_t);
834 addr->ip = host->clone(host);
835 addr->virtual = FALSE;
836 addr->refcount = 1;
837 addr->scope = msg->ifa_scope;
838
839 iface->addrs->insert_last(iface->addrs, addr);
840 if (event)
841 {
842 DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
843 }
844 }
845 }
846 if (found && (iface->flags & IFF_UP))
847 {
848 update = TRUE;
849 }
850 break;
851 }
852 }
853 ifaces->destroy(ifaces);
854 host->destroy(host);
855
856 /* send an update to all IKE_SAs */
857 if (update && event && changed)
858 {
859 fire_roam_job(this, TRUE);
860 }
861 }
862
863 /**
864 * Receives events from kernel
865 */
866 static job_requeue_t receive_events(private_kernel_interface_t *this)
867 {
868 char response[1024];
869 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
870 struct sockaddr_nl addr;
871 socklen_t addr_len = sizeof(addr);
872 int len, oldstate, maxfd, selected;
873 fd_set rfds;
874
875 FD_ZERO(&rfds);
876 FD_SET(this->socket_xfrm_events, &rfds);
877 FD_SET(this->socket_rt_events, &rfds);
878 maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
879
880 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
881 selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
882 pthread_setcancelstate(oldstate, NULL);
883 if (selected <= 0)
884 {
885 DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
886 return JOB_REQUEUE_FAIR;
887 }
888 if (FD_ISSET(this->socket_xfrm_events, &rfds))
889 {
890 selected = this->socket_xfrm_events;
891 }
892 else if (FD_ISSET(this->socket_rt_events, &rfds))
893 {
894 selected = this->socket_rt_events;
895 }
896 else
897 {
898 return JOB_REQUEUE_DIRECT;
899 }
900
901 len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
902 (struct sockaddr*)&addr, &addr_len);
903 if (len < 0)
904 {
905 switch (errno)
906 {
907 case EINTR:
908 /* interrupted, try again */
909 return JOB_REQUEUE_DIRECT;
910 case EAGAIN:
911 /* no data ready, select again */
912 return JOB_REQUEUE_DIRECT;
913 default:
914 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
915 sleep(1);
916 return JOB_REQUEUE_FAIR;
917 }
918 }
919 if (addr.nl_pid != 0)
920 { /* not from kernel. not interested, try another one */
921 return JOB_REQUEUE_DIRECT;
922 }
923
924 while (NLMSG_OK(hdr, len))
925 {
926 /* looks good so far, dispatch netlink message */
927 if (selected == this->socket_xfrm_events)
928 {
929 switch (hdr->nlmsg_type)
930 {
931 case XFRM_MSG_ACQUIRE:
932 process_acquire(this, hdr);
933 break;
934 case XFRM_MSG_EXPIRE:
935 process_expire(this, hdr);
936 break;
937 default:
938 break;
939 }
940 }
941 else if (selected == this->socket_rt_events)
942 {
943 switch (hdr->nlmsg_type)
944 {
945 case RTM_NEWADDR:
946 case RTM_DELADDR:
947 process_addr(this, hdr, TRUE);
948 pthread_cond_signal(&this->cond);
949 break;
950 case RTM_NEWLINK:
951 case RTM_DELLINK:
952 process_link(this, hdr, TRUE);
953 pthread_cond_signal(&this->cond);
954 break;
955 case RTM_NEWROUTE:
956 case RTM_DELROUTE:
957 fire_roam_job(this, FALSE);
958 break;
959 default:
960 break;
961 }
962 }
963 hdr = NLMSG_NEXT(hdr, len);
964 }
965 return JOB_REQUEUE_DIRECT;
966 }
967
968 /**
969 * send a netlink message and wait for a reply
970 */
971 static status_t netlink_send(private_kernel_interface_t *this,
972 int socket, struct nlmsghdr *in,
973 struct nlmsghdr **out, size_t *out_len)
974 {
975 int len, addr_len;
976 struct sockaddr_nl addr;
977 chunk_t result = chunk_empty, tmp;
978 struct nlmsghdr *msg, peek;
979
980 pthread_mutex_lock(&this->nl_mutex);
981
982 in->nlmsg_seq = ++this->seq;
983 in->nlmsg_pid = getpid();
984
985 memset(&addr, 0, sizeof(addr));
986 addr.nl_family = AF_NETLINK;
987 addr.nl_pid = 0;
988 addr.nl_groups = 0;
989
990 while (TRUE)
991 {
992 len = sendto(socket, in, in->nlmsg_len, 0,
993 (struct sockaddr*)&addr, sizeof(addr));
994
995 if (len != in->nlmsg_len)
996 {
997 if (errno == EINTR)
998 {
999 /* interrupted, try again */
1000 continue;
1001 }
1002 pthread_mutex_unlock(&this->nl_mutex);
1003 DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
1004 return FAILED;
1005 }
1006 break;
1007 }
1008
1009 while (TRUE)
1010 {
1011 char buf[4096];
1012 tmp.len = sizeof(buf);
1013 tmp.ptr = buf;
1014 msg = (struct nlmsghdr*)tmp.ptr;
1015
1016 memset(&addr, 0, sizeof(addr));
1017 addr.nl_family = AF_NETLINK;
1018 addr.nl_pid = getpid();
1019 addr.nl_groups = 0;
1020 addr_len = sizeof(addr);
1021
1022 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
1023 (struct sockaddr*)&addr, &addr_len);
1024
1025 if (len < 0)
1026 {
1027 if (errno == EINTR)
1028 {
1029 DBG1(DBG_KNL, "got interrupted");
1030 /* interrupted, try again */
1031 continue;
1032 }
1033 DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
1034 pthread_mutex_unlock(&this->nl_mutex);
1035 return FAILED;
1036 }
1037 if (!NLMSG_OK(msg, len))
1038 {
1039 DBG1(DBG_KNL, "received corrupted netlink message");
1040 pthread_mutex_unlock(&this->nl_mutex);
1041 return FAILED;
1042 }
1043 if (msg->nlmsg_seq != this->seq)
1044 {
1045 DBG1(DBG_KNL, "received invalid netlink sequence number");
1046 if (msg->nlmsg_seq < this->seq)
1047 {
1048 continue;
1049 }
1050 pthread_mutex_unlock(&this->nl_mutex);
1051 return FAILED;
1052 }
1053
1054 tmp.len = len;
1055 result = chunk_cata("cc", result, tmp);
1056
1057 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
1058 * numbers to detect multi header messages */
1059 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
1060 (struct sockaddr*)&addr, &addr_len);
1061
1062 if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
1063 {
1064 /* seems to be multipart */
1065 continue;
1066 }
1067 break;
1068 }
1069
1070 *out_len = result.len;
1071 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
1072
1073 pthread_mutex_unlock(&this->nl_mutex);
1074
1075 return SUCCESS;
1076 }
1077
1078 /**
1079 * send a netlink message and wait for its acknowlegde
1080 */
1081 static status_t netlink_send_ack(private_kernel_interface_t *this,
1082 int socket, struct nlmsghdr *in)
1083 {
1084 struct nlmsghdr *out, *hdr;
1085 size_t len;
1086
1087 if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
1088 {
1089 return FAILED;
1090 }
1091 hdr = out;
1092 while (NLMSG_OK(hdr, len))
1093 {
1094 switch (hdr->nlmsg_type)
1095 {
1096 case NLMSG_ERROR:
1097 {
1098 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
1099
1100 if (err->error)
1101 {
1102 if (-err->error == EEXIST)
1103 { /* do not report existing routes */
1104 free(out);
1105 return ALREADY_DONE;
1106 }
1107 DBG1(DBG_KNL, "received netlink error: %s (%d)",
1108 strerror(-err->error), -err->error);
1109 free(out);
1110 return FAILED;
1111 }
1112 free(out);
1113 return SUCCESS;
1114 }
1115 default:
1116 hdr = NLMSG_NEXT(hdr, len);
1117 continue;
1118 case NLMSG_DONE:
1119 break;
1120 }
1121 break;
1122 }
1123 DBG1(DBG_KNL, "netlink request not acknowlegded");
1124 free(out);
1125 return FAILED;
1126 }
1127
1128 /**
1129 * Initialize a list of local addresses.
1130 */
1131 static status_t init_address_list(private_kernel_interface_t *this)
1132 {
1133 char request[BUFFER_SIZE];
1134 struct nlmsghdr *out, *current, *in;
1135 struct rtgenmsg *msg;
1136 size_t len;
1137 iterator_t *ifaces, *addrs;
1138 iface_entry_t *iface;
1139 addr_entry_t *addr;
1140
1141 DBG1(DBG_KNL, "listening on interfaces:");
1142
1143 memset(&request, 0, sizeof(request));
1144
1145 in = (struct nlmsghdr*)&request;
1146 in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
1147 in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
1148 msg = (struct rtgenmsg*)NLMSG_DATA(in);
1149 msg->rtgen_family = AF_UNSPEC;
1150
1151 /* get all links */
1152 in->nlmsg_type = RTM_GETLINK;
1153 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1154 {
1155 return FAILED;
1156 }
1157 current = out;
1158 while (NLMSG_OK(current, len))
1159 {
1160 switch (current->nlmsg_type)
1161 {
1162 case NLMSG_DONE:
1163 break;
1164 case RTM_NEWLINK:
1165 process_link(this, current, FALSE);
1166 /* fall through */
1167 default:
1168 current = NLMSG_NEXT(current, len);
1169 continue;
1170 }
1171 break;
1172 }
1173 free(out);
1174
1175 /* get all interface addresses */
1176 in->nlmsg_type = RTM_GETADDR;
1177 if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
1178 {
1179 return FAILED;
1180 }
1181 current = out;
1182 while (NLMSG_OK(current, len))
1183 {
1184 switch (current->nlmsg_type)
1185 {
1186 case NLMSG_DONE:
1187 break;
1188 case RTM_NEWADDR:
1189 process_addr(this, current, FALSE);
1190 /* fall through */
1191 default:
1192 current = NLMSG_NEXT(current, len);
1193 continue;
1194 }
1195 break;
1196 }
1197 free(out);
1198
1199 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1200 while (ifaces->iterate(ifaces, (void**)&iface))
1201 {
1202 if (iface->flags & IFF_UP)
1203 {
1204 DBG1(DBG_KNL, " %s", iface->ifname);
1205 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1206 while (addrs->iterate(addrs, (void**)&addr))
1207 {
1208 DBG1(DBG_KNL, " %H", addr->ip);
1209 }
1210 addrs->destroy(addrs);
1211 }
1212 }
1213 ifaces->destroy(ifaces);
1214 return SUCCESS;
1215 }
1216
1217 /**
1218 * iterator hook to iterate over addrs
1219 */
1220 static hook_result_t addr_hook(private_kernel_interface_t *this,
1221 addr_entry_t *in, host_t **out)
1222 {
1223 if (in->virtual)
1224 { /* skip virtual interfaces added by us */
1225 return HOOK_SKIP;
1226 }
1227 if (in->scope >= RT_SCOPE_LINK)
1228 { /* skip addresses with a unusable scope */
1229 return HOOK_SKIP;
1230 }
1231 *out = in->ip;
1232 return HOOK_NEXT;
1233 }
1234
1235 /**
1236 * iterator hook to iterate over ifaces
1237 */
1238 static hook_result_t iface_hook(private_kernel_interface_t *this,
1239 iface_entry_t *in, host_t **out)
1240 {
1241 if (!(in->flags & IFF_UP))
1242 { /* skip interfaces not up */
1243 return HOOK_SKIP;
1244 }
1245
1246 if (this->hiter == NULL)
1247 {
1248 this->hiter = in->addrs->create_iterator(in->addrs, TRUE);
1249 this->hiter->set_iterator_hook(this->hiter,
1250 (iterator_hook_t*)addr_hook, this);
1251 }
1252 while (this->hiter->iterate(this->hiter, (void**)out))
1253 {
1254 return HOOK_AGAIN;
1255 }
1256 this->hiter->destroy(this->hiter);
1257 this->hiter = NULL;
1258 return HOOK_SKIP;
1259 }
1260
1261 /**
1262 * Implements kernel_interface_t.create_address_iterator.
1263 */
1264 static iterator_t *create_address_iterator(private_kernel_interface_t *this)
1265 {
1266 iterator_t *iterator;
1267
1268 /* This iterator is not only hooked, is is double-hooked. As we have stored
1269 * our addresses in iface_entry->addr_entry->ip, we need to iterate the
1270 * entries in each interface we iterate. This does the iface_hook. The
1271 * addr_hook returns the ip instead of the addr_entry. */
1272
1273 iterator = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1274 iterator->set_iterator_hook(iterator, (iterator_hook_t*)iface_hook, this);
1275 return iterator;
1276 }
1277
1278 /**
1279 * implementation of kernel_interface_t.get_interface_name
1280 */
1281 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
1282 {
1283 iterator_t *ifaces, *addrs;
1284 iface_entry_t *iface;
1285 addr_entry_t *addr;
1286 char *name = NULL;
1287
1288 DBG2(DBG_KNL, "getting interface name for %H", ip);
1289
1290 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1291 while (ifaces->iterate(ifaces, (void**)&iface))
1292 {
1293 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1294 while (addrs->iterate(addrs, (void**)&addr))
1295 {
1296 if (ip->ip_equals(ip, addr->ip))
1297 {
1298 name = strdup(iface->ifname);
1299 break;
1300 }
1301 }
1302 addrs->destroy(addrs);
1303 if (name)
1304 {
1305 break;
1306 }
1307 }
1308 ifaces->destroy(ifaces);
1309
1310 if (name)
1311 {
1312 DBG2(DBG_KNL, "%H is on interface %s", ip, name);
1313 }
1314 else
1315 {
1316 DBG2(DBG_KNL, "%H is not a local address", ip);
1317 }
1318 return name;
1319 }
1320
1321 /**
1322 * Tries to find an ip address of a local interface that is included in the
1323 * supplied traffic selector.
1324 */
1325 static status_t get_address_by_ts(private_kernel_interface_t *this,
1326 traffic_selector_t *ts, host_t **ip)
1327 {
1328 iterator_t *ifaces, *addrs;
1329 iface_entry_t *iface;
1330 addr_entry_t *addr;
1331 host_t *host;
1332 int family;
1333 bool found = FALSE;
1334
1335 DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
1336
1337 /* if we have a family which includes localhost, we do not
1338 * search for an IP, we use the default */
1339 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
1340
1341 if (family == AF_INET)
1342 {
1343 host = host_create_from_string("127.0.0.1", 0);
1344 }
1345 else
1346 {
1347 host = host_create_from_string("::1", 0);
1348 }
1349
1350 if (ts->includes(ts, host))
1351 {
1352 *ip = host_create_any(family);
1353 host->destroy(host);
1354 DBG2(DBG_KNL, "using host %H", *ip);
1355 return SUCCESS;
1356 }
1357 host->destroy(host);
1358
1359 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1360 while (ifaces->iterate(ifaces, (void**)&iface))
1361 {
1362 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1363 while (addrs->iterate(addrs, (void**)&addr))
1364 {
1365 if (ts->includes(ts, addr->ip))
1366 {
1367 found = TRUE;
1368 *ip = addr->ip->clone(addr->ip);
1369 break;
1370 }
1371 }
1372 addrs->destroy(addrs);
1373 if (found)
1374 {
1375 break;
1376 }
1377 }
1378 ifaces->destroy(ifaces);
1379
1380 if (!found)
1381 {
1382 DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
1383 return FAILED;
1384 }
1385 DBG2(DBG_KNL, "using host %H", *ip);
1386 return SUCCESS;
1387 }
1388
1389 /**
1390 * get the interface of a local address
1391 */
1392 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
1393 {
1394 iterator_t *ifaces, *addrs;
1395 iface_entry_t *iface;
1396 addr_entry_t *addr;
1397 int ifindex = 0;
1398
1399 DBG2(DBG_KNL, "getting iface for %H", ip);
1400
1401 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1402 while (ifaces->iterate(ifaces, (void**)&iface))
1403 {
1404 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1405 while (addrs->iterate(addrs, (void**)&addr))
1406 {
1407 if (ip->ip_equals(ip, addr->ip))
1408 {
1409 ifindex = iface->ifindex;
1410 break;
1411 }
1412 }
1413 addrs->destroy(addrs);
1414 if (ifindex)
1415 {
1416 break;
1417 }
1418 }
1419 ifaces->destroy(ifaces);
1420
1421 if (ifindex == 0)
1422 {
1423 DBG1(DBG_KNL, "unable to get interface for %H", ip);
1424 }
1425 return ifindex;
1426 }
1427
1428 /**
1429 * get the refcount of a virtual ip
1430 */
1431 static int get_vip_refcount(private_kernel_interface_t *this, host_t* ip)
1432 {
1433 iterator_t *ifaces, *addrs;
1434 iface_entry_t *iface;
1435 addr_entry_t *addr;
1436 int refcount = 0;
1437
1438 ifaces = this->ifaces->create_iterator(this->ifaces, TRUE);
1439 while (ifaces->iterate(ifaces, (void**)&iface))
1440 {
1441 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1442 while (addrs->iterate(addrs, (void**)&addr))
1443 {
1444 if (addr->virtual && (iface->flags & IFF_UP) &&
1445 ip->ip_equals(ip, addr->ip))
1446 {
1447 refcount = addr->refcount;
1448 break;
1449 }
1450 }
1451 addrs->destroy(addrs);
1452 if (refcount)
1453 {
1454 break;
1455 }
1456 }
1457 ifaces->destroy(ifaces);
1458
1459 return refcount;
1460 }
1461
1462 /**
1463 * Manages the creation and deletion of ip addresses on an interface.
1464 * By setting the appropriate nlmsg_type, the ip will be set or unset.
1465 */
1466 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
1467 int flags, int if_index, host_t *ip)
1468 {
1469 unsigned char request[BUFFER_SIZE];
1470 struct nlmsghdr *hdr;
1471 struct ifaddrmsg *msg;
1472 chunk_t chunk;
1473
1474 memset(&request, 0, sizeof(request));
1475
1476 chunk = ip->get_address(ip);
1477
1478 hdr = (struct nlmsghdr*)request;
1479 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1480 hdr->nlmsg_type = nlmsg_type;
1481 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
1482
1483 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
1484 msg->ifa_family = ip->get_family(ip);
1485 msg->ifa_flags = 0;
1486 msg->ifa_prefixlen = 8 * chunk.len;
1487 msg->ifa_scope = RT_SCOPE_UNIVERSE;
1488 msg->ifa_index = if_index;
1489
1490 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
1491
1492 return netlink_send_ack(this, this->socket_rt, hdr);
1493 }
1494
1495 /**
1496 * Manages source routes in the routing table.
1497 * By setting the appropriate nlmsg_type, the route added or r.
1498 */
1499 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
1500 int flags, route_entry_t *route)
1501 {
1502 unsigned char request[BUFFER_SIZE];
1503 struct nlmsghdr *hdr;
1504 struct rtmsg *msg;
1505 chunk_t chunk;
1506
1507 /* if route is 0.0.0.0/0, we can't install it, as it would
1508 * overwrite the default route. Instead, we add two routes:
1509 * 0.0.0.0/1 and 128.0.0.0/1 */
1510 if (this->routing_table == 0 && route->prefixlen == 0)
1511 {
1512 route_entry_t half;
1513 status_t status;
1514
1515 half.dst_net = chunk_alloca(route->dst_net.len);
1516 memset(half.dst_net.ptr, 0, half.dst_net.len);
1517 half.src_ip = route->src_ip;
1518 half.gateway = route->gateway;
1519 half.if_index = route->if_index;
1520 half.prefixlen = 1;
1521
1522 status = manage_srcroute(this, nlmsg_type, flags, &half);
1523 half.dst_net.ptr[0] |= 0x80;
1524 status = manage_srcroute(this, nlmsg_type, flags, &half);
1525 return status;
1526 }
1527
1528 memset(&request, 0, sizeof(request));
1529
1530 hdr = (struct nlmsghdr*)request;
1531 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
1532 hdr->nlmsg_type = nlmsg_type;
1533 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1534
1535 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1536 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1537 msg->rtm_dst_len = route->prefixlen;
1538 msg->rtm_table = this->routing_table;
1539 msg->rtm_protocol = RTPROT_STATIC;
1540 msg->rtm_type = RTN_UNICAST;
1541 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1542
1543 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1544 chunk = route->src_ip->get_address(route->src_ip);
1545 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1546 chunk = route->gateway->get_address(route->gateway);
1547 add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
1548 chunk.ptr = (char*)&route->if_index;
1549 chunk.len = sizeof(route->if_index);
1550 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1551
1552 return netlink_send_ack(this, this->socket_rt, hdr);
1553 }
1554
1555 /**
1556 * create or delete an rule to use our routing table
1557 */
1558 static status_t manage_rule(private_kernel_interface_t *this, int nlmsg_type,
1559 u_int32_t table, u_int32_t prio)
1560 {
1561 unsigned char request[BUFFER_SIZE];
1562 struct nlmsghdr *hdr;
1563 struct rtmsg *msg;
1564 chunk_t chunk;
1565
1566 memset(&request, 0, sizeof(request));
1567 hdr = (struct nlmsghdr*)request;
1568 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1569 hdr->nlmsg_type = nlmsg_type;
1570 if (nlmsg_type == RTM_NEWRULE)
1571 {
1572 hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_EXCL;
1573 }
1574 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1575
1576 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1577 msg->rtm_table = table;
1578 msg->rtm_family = AF_INET;
1579 msg->rtm_protocol = RTPROT_BOOT;
1580 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1581 msg->rtm_type = RTN_UNICAST;
1582
1583 chunk = chunk_from_thing(prio);
1584 add_attribute(hdr, RTA_PRIORITY, chunk, sizeof(request));
1585
1586 return netlink_send_ack(this, this->socket_rt, hdr);
1587 }
1588
1589 /**
1590 * check if an address (chunk) addr is in subnet (net with net_len net bits)
1591 */
1592 static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
1593 {
1594 int bit, byte;
1595
1596 if (addr.len != net.len)
1597 {
1598 return FALSE;
1599 }
1600 /* scan through all bits, beginning in the front */
1601 for (byte = 0; byte < addr.len; byte++)
1602 {
1603 for (bit = 7; bit >= 0; bit--)
1604 {
1605 /* check if bits are equal (or we reached the end of the net) */
1606 if (bit + byte * 8 > net_len)
1607 {
1608 return TRUE;
1609 }
1610 if (((1<<bit) & addr.ptr[byte]) != ((1<<bit) & net.ptr[byte]))
1611 {
1612 return FALSE;
1613 }
1614 }
1615 }
1616 return TRUE;
1617 }
1618
1619 /**
1620 * Get a route: If "nexthop", the nexthop is returned. source addr otherwise.
1621 */
1622 static host_t *get_route(private_kernel_interface_t *this, host_t *dest,
1623 bool nexthop)
1624 {
1625 unsigned char request[BUFFER_SIZE];
1626 struct nlmsghdr *hdr, *out, *current;
1627 struct rtmsg *msg;
1628 chunk_t chunk;
1629 size_t len;
1630 int best = -1;
1631 host_t *src = NULL, *gtw = NULL;
1632
1633 DBG2(DBG_KNL, "getting address to reach %H", dest);
1634
1635 memset(&request, 0, sizeof(request));
1636
1637 hdr = (struct nlmsghdr*)request;
1638 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP | NLM_F_ROOT;
1639 hdr->nlmsg_type = RTM_GETROUTE;
1640 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1641
1642 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1643 msg->rtm_family = dest->get_family(dest);
1644
1645 chunk = dest->get_address(dest);
1646 add_attribute(hdr, RTA_DST, chunk, sizeof(request));
1647
1648 if (netlink_send(this, this->socket_rt, hdr, &out, &len) != SUCCESS)
1649 {
1650 DBG1(DBG_KNL, "getting address to %H failed", dest);
1651 return NULL;
1652 }
1653 current = out;
1654 while (NLMSG_OK(current, len))
1655 {
1656 switch (current->nlmsg_type)
1657 {
1658 case NLMSG_DONE:
1659 break;
1660 case RTM_NEWROUTE:
1661 {
1662 struct rtattr *rta;
1663 size_t rtasize;
1664 chunk_t rta_gtw, rta_src, rta_dst;
1665 u_int32_t rta_oif = 0;
1666
1667 rta_gtw = rta_src = rta_dst = chunk_empty;
1668 msg = (struct rtmsg*)(NLMSG_DATA(current));
1669 rta = RTM_RTA(msg);
1670 rtasize = RTM_PAYLOAD(current);
1671 while (RTA_OK(rta, rtasize))
1672 {
1673 switch (rta->rta_type)
1674 {
1675 case RTA_PREFSRC:
1676 rta_src = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1677 break;
1678 case RTA_GATEWAY:
1679 rta_gtw = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1680 break;
1681 case RTA_DST:
1682 rta_dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
1683 break;
1684 case RTA_OIF:
1685 if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
1686 {
1687 rta_oif = *(u_int32_t*)RTA_DATA(rta);
1688 }
1689 break;
1690 }
1691 rta = RTA_NEXT(rta, rtasize);
1692 }
1693
1694 /* apply the route if:
1695 * - it is not from our own ipsec routing table
1696 * - is better than a previous one
1697 * - is the default route or
1698 * - its destination net contains our destination
1699 */
1700 if ((this->routing_table == 0 ||msg->rtm_table != this->routing_table)
1701 && msg->rtm_dst_len > best
1702 && (msg->rtm_dst_len == 0 || /* default route */
1703 (rta_dst.ptr && addr_in_subnet(chunk, rta_dst, msg->rtm_dst_len))))
1704 {
1705 iterator_t *ifaces, *addrs;
1706 iface_entry_t *iface;
1707 addr_entry_t *addr;
1708
1709 best = msg->rtm_dst_len;
1710 if (nexthop)
1711 {
1712 DESTROY_IF(gtw);
1713 gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
1714 }
1715 else if (rta_src.ptr)
1716 {
1717 DESTROY_IF(src);
1718 src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
1719 if (get_vip_refcount(this, src))
1720 { /* skip source address if it is installed by us */
1721 DESTROY_IF(src);
1722 src = NULL;
1723 current = NLMSG_NEXT(current, len);
1724 continue;
1725 }
1726 }
1727 else
1728 {
1729 /* no source addr, get one from the interfaces */
1730 ifaces = this->ifaces->create_iterator_locked(
1731 this->ifaces, &this->mutex);
1732 while (ifaces->iterate(ifaces, (void**)&iface))
1733 {
1734 if (iface->ifindex == rta_oif)
1735 {
1736 addrs = iface->addrs->create_iterator(
1737 iface->addrs, TRUE);
1738 while (addrs->iterate(addrs, (void**)&addr))
1739 {
1740 chunk_t ip = addr->ip->get_address(addr->ip);
1741 if (msg->rtm_dst_len == 0
1742 || addr_in_subnet(ip, rta_dst, msg->rtm_dst_len))
1743 {
1744 DESTROY_IF(src);
1745 src = addr->ip->clone(addr->ip);
1746 break;
1747 }
1748 }
1749 addrs->destroy(addrs);
1750 }
1751 }
1752 ifaces->destroy(ifaces);
1753 }
1754 }
1755 /* FALL through */
1756 }
1757 default:
1758 current = NLMSG_NEXT(current, len);
1759 continue;
1760 }
1761 break;
1762 }
1763 free(out);
1764
1765 if (nexthop)
1766 {
1767 if (gtw)
1768 {
1769 return gtw;
1770 }
1771 return dest->clone(dest);
1772 }
1773 return src;
1774 }
1775
1776 /**
1777 * Implementation of kernel_interface_t.get_source_addr.
1778 */
1779 static host_t* get_source_addr(private_kernel_interface_t *this, host_t *dest)
1780 {
1781 return get_route(this, dest, FALSE);
1782 }
1783
1784 /**
1785 * Implementation of kernel_interface_t.add_ip.
1786 */
1787 static status_t add_ip(private_kernel_interface_t *this,
1788 host_t *virtual_ip, host_t *iface_ip)
1789 {
1790 iface_entry_t *iface;
1791 addr_entry_t *addr;
1792 iterator_t *addrs, *ifaces;
1793 int ifindex;
1794
1795 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1796
1797 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1798 while (ifaces->iterate(ifaces, (void**)&iface))
1799 {
1800 bool iface_found = FALSE;
1801
1802 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1803 while (addrs->iterate(addrs, (void**)&addr))
1804 {
1805 if (iface_ip->ip_equals(iface_ip, addr->ip))
1806 {
1807 iface_found = TRUE;
1808 }
1809 else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1810 {
1811 addr->refcount++;
1812 DBG2(DBG_KNL, "virtual IP %H already installed on %s",
1813 virtual_ip, iface->ifname);
1814 addrs->destroy(addrs);
1815 ifaces->destroy(ifaces);
1816 return SUCCESS;
1817 }
1818 }
1819 addrs->destroy(addrs);
1820
1821 if (iface_found)
1822 {
1823 ifindex = iface->ifindex;
1824 addr = malloc_thing(addr_entry_t);
1825 addr->ip = virtual_ip->clone(virtual_ip);
1826 addr->refcount = 0;
1827 addr->virtual = TRUE;
1828 addr->scope = RT_SCOPE_UNIVERSE;
1829 iface->addrs->insert_last(iface->addrs, addr);
1830
1831 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1832 ifindex, virtual_ip) == SUCCESS)
1833 {
1834 while (get_vip_refcount(this, virtual_ip) == 0)
1835 { /* wait until address appears */
1836 pthread_cond_wait(&this->cond, &this->mutex);
1837 }
1838 ifaces->destroy(ifaces);
1839 return SUCCESS;
1840 }
1841 ifaces->destroy(ifaces);
1842 DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
1843 return FAILED;
1844 }
1845 }
1846 ifaces->destroy(ifaces);
1847
1848 DBG1(DBG_KNL, "interface address %H not found, unable to install"
1849 "virtual IP %H", iface_ip, virtual_ip);
1850 return FAILED;
1851 }
1852
1853 /**
1854 * Implementation of kernel_interface_t.del_ip.
1855 */
1856 static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
1857 {
1858 iface_entry_t *iface;
1859 addr_entry_t *addr;
1860 iterator_t *addrs, *ifaces;
1861 status_t status;
1862 int ifindex;
1863
1864 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1865
1866 ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
1867 while (ifaces->iterate(ifaces, (void**)&iface))
1868 {
1869 addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
1870 while (addrs->iterate(addrs, (void**)&addr))
1871 {
1872 if (virtual_ip->ip_equals(virtual_ip, addr->ip))
1873 {
1874 ifindex = iface->ifindex;
1875 if (addr->refcount == 1)
1876 {
1877 status = manage_ipaddr(this, RTM_DELADDR, 0,
1878 ifindex, virtual_ip);
1879 if (status == SUCCESS)
1880 { /* wait until the address is really gone */
1881 while (get_vip_refcount(this, virtual_ip) > 0)
1882 {
1883 pthread_cond_wait(&this->cond, &this->mutex);
1884 }
1885 }
1886 addrs->destroy(addrs);
1887 ifaces->destroy(ifaces);
1888 return status;
1889 }
1890 else
1891 {
1892 addr->refcount--;
1893 }
1894 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1895 virtual_ip);
1896 addrs->destroy(addrs);
1897 ifaces->destroy(ifaces);
1898 return SUCCESS;
1899 }
1900 }
1901 addrs->destroy(addrs);
1902 }
1903 ifaces->destroy(ifaces);
1904
1905 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1906 return FAILED;
1907 }
1908
1909 /**
1910 * Get an SPI for a specific protocol from the kernel.
1911 */
1912 static status_t get_spi_internal(private_kernel_interface_t *this,
1913 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
1914 u_int32_t reqid, u_int32_t *spi)
1915 {
1916 unsigned char request[BUFFER_SIZE];
1917 struct nlmsghdr *hdr, *out;
1918 struct xfrm_userspi_info *userspi;
1919 u_int32_t received_spi = 0;
1920 size_t len;
1921
1922 memset(&request, 0, sizeof(request));
1923
1924 hdr = (struct nlmsghdr*)request;
1925 hdr->nlmsg_flags = NLM_F_REQUEST;
1926 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1927 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1928
1929 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1930 host2xfrm(src, &userspi->info.saddr);
1931 host2xfrm(dst, &userspi->info.id.daddr);
1932 userspi->info.id.proto = proto;
1933 userspi->info.mode = TRUE; /* tunnel mode */
1934 userspi->info.reqid = reqid;
1935 userspi->info.family = src->get_family(src);
1936 userspi->min = min;
1937 userspi->max = max;
1938
1939 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1940 {
1941 hdr = out;
1942 while (NLMSG_OK(hdr, len))
1943 {
1944 switch (hdr->nlmsg_type)
1945 {
1946 case XFRM_MSG_NEWSA:
1947 {
1948 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1949 received_spi = usersa->id.spi;
1950 break;
1951 }
1952 case NLMSG_ERROR:
1953 {
1954 struct nlmsgerr *err = NLMSG_DATA(hdr);
1955
1956 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1957 strerror(-err->error), -err->error);
1958 break;
1959 }
1960 default:
1961 hdr = NLMSG_NEXT(hdr, len);
1962 continue;
1963 case NLMSG_DONE:
1964 break;
1965 }
1966 break;
1967 }
1968 free(out);
1969 }
1970
1971 if (received_spi == 0)
1972 {
1973 return FAILED;
1974 }
1975
1976 *spi = received_spi;
1977 return SUCCESS;
1978 }
1979
1980 /**
1981 * Implementation of kernel_interface_t.get_spi.
1982 */
1983 static status_t get_spi(private_kernel_interface_t *this,
1984 host_t *src, host_t *dst,
1985 protocol_id_t protocol, u_int32_t reqid,
1986 u_int32_t *spi)
1987 {
1988 DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
1989
1990 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
1991 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
1992 {
1993 DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
1994 return FAILED;
1995 }
1996
1997 DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", *spi, reqid);
1998
1999 return SUCCESS;
2000 }
2001
2002 /**
2003 * Implementation of kernel_interface_t.get_cpi.
2004 */
2005 static status_t get_cpi(private_kernel_interface_t *this,
2006 host_t *src, host_t *dst,
2007 u_int32_t reqid, u_int16_t *cpi)
2008 {
2009 u_int32_t received_spi = 0;
2010 DBG2(DBG_KNL, "getting CPI for reqid %d", reqid);
2011
2012 if (get_spi_internal(this, src, dst,
2013 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
2014 {
2015 DBG1(DBG_KNL, "unable to get CPI for reqid %d", reqid);
2016 return FAILED;
2017 }
2018
2019 *cpi = htons((u_int16_t)ntohl(received_spi));
2020
2021 DBG2(DBG_KNL, "got CPI 0x%x for reqid %d", *cpi, reqid);
2022
2023 return SUCCESS;
2024 }
2025
2026 /**
2027 * Implementation of kernel_interface_t.add_sa.
2028 */
2029 static status_t add_sa(private_kernel_interface_t *this,
2030 host_t *src, host_t *dst, u_int32_t spi,
2031 protocol_id_t protocol, u_int32_t reqid,
2032 u_int64_t expire_soft, u_int64_t expire_hard,
2033 u_int16_t enc_alg, u_int16_t enc_size,
2034 u_int16_t int_alg, u_int16_t int_size,
2035 prf_plus_t *prf_plus, mode_t mode,
2036 u_int16_t ipcomp, bool encap,
2037 bool replace)
2038 {
2039 unsigned char request[BUFFER_SIZE];
2040 char *alg_name;
2041 /* additional 4 octets KEYMAT required for AES-GCM as of RFC4106 8.1. */
2042 u_int16_t add_keymat = 32;
2043 struct nlmsghdr *hdr;
2044 struct xfrm_usersa_info *sa;
2045
2046 memset(&request, 0, sizeof(request));
2047
2048 DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x and reqid %d", spi, reqid);
2049
2050 hdr = (struct nlmsghdr*)request;
2051 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2052 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
2053 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2054
2055 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
2056 host2xfrm(src, &sa->saddr);
2057 host2xfrm(dst, &sa->id.daddr);
2058 sa->id.spi = spi;
2059 sa->id.proto = proto_ike2kernel(protocol);
2060 sa->family = src->get_family(src);
2061 sa->mode = mode;
2062 if (mode == MODE_TUNNEL)
2063 {
2064 sa->flags |= XFRM_STATE_AF_UNSPEC;
2065 }
2066 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
2067 sa->reqid = reqid;
2068 /* we currently do not expire SAs by volume/packet count */
2069 sa->lft.soft_byte_limit = XFRM_INF;
2070 sa->lft.hard_byte_limit = XFRM_INF;
2071 sa->lft.soft_packet_limit = XFRM_INF;
2072 sa->lft.hard_packet_limit = XFRM_INF;
2073 /* we use lifetimes since added, not since used */
2074 sa->lft.soft_add_expires_seconds = expire_soft;
2075 sa->lft.hard_add_expires_seconds = expire_hard;
2076 sa->lft.soft_use_expires_seconds = 0;
2077 sa->lft.hard_use_expires_seconds = 0;
2078
2079 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
2080
2081 switch (enc_alg)
2082 {
2083 case ENCR_UNDEFINED:
2084 /* no encryption */
2085 break;
2086 case ENCR_AES_CCM_ICV8:
2087 case ENCR_AES_CCM_ICV12:
2088 case ENCR_AES_CCM_ICV16:
2089 /* AES-CCM needs only 3 additional octets KEYMAT as of RFC 4309 7.1. */
2090 add_keymat = 24;
2091 /* fall-through */
2092 case ENCR_AES_GCM_ICV8:
2093 case ENCR_AES_GCM_ICV12:
2094 case ENCR_AES_GCM_ICV16:
2095 {
2096 u_int16_t icv_size = 0;
2097 rthdr->rta_type = XFRMA_ALG_AEAD;
2098 alg_name = lookup_algorithm(encryption_algs, enc_alg, &icv_size);
2099 if (alg_name == NULL)
2100 {
2101 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2102 encryption_algorithm_names, enc_alg);
2103 return FAILED;
2104 }
2105 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
2106 encryption_algorithm_names, enc_alg, enc_size);
2107
2108 /* additional KEYMAT required */
2109 enc_size += add_keymat;
2110
2111 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_size / 8);
2112 hdr->nlmsg_len += rthdr->rta_len;
2113 if (hdr->nlmsg_len > sizeof(request))
2114 {
2115 return FAILED;
2116 }
2117
2118 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
2119 algo->alg_key_len = enc_size;
2120 algo->alg_icv_len = icv_size;
2121 strcpy(algo->alg_name, alg_name);
2122 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
2123
2124 rthdr = XFRM_RTA_NEXT(rthdr);
2125 break;
2126 }
2127 default:
2128 {
2129 rthdr->rta_type = XFRMA_ALG_CRYPT;
2130 alg_name = lookup_algorithm(encryption_algs, enc_alg, &enc_size);
2131 if (alg_name == NULL)
2132 {
2133 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2134 encryption_algorithm_names, enc_alg);
2135 return FAILED;
2136 }
2137 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
2138 encryption_algorithm_names, enc_alg, enc_size);
2139
2140 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_size / 8);
2141 hdr->nlmsg_len += rthdr->rta_len;
2142 if (hdr->nlmsg_len > sizeof(request))
2143 {
2144 return FAILED;
2145 }
2146
2147 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2148 algo->alg_key_len = enc_size;
2149 strcpy(algo->alg_name, alg_name);
2150 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
2151
2152 rthdr = XFRM_RTA_NEXT(rthdr);
2153 break;
2154 }
2155 }
2156
2157 if (int_alg != AUTH_UNDEFINED)
2158 {
2159 rthdr->rta_type = XFRMA_ALG_AUTH;
2160 alg_name = lookup_algorithm(integrity_algs, int_alg, &int_size);
2161 if (alg_name == NULL)
2162 {
2163 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2164 integrity_algorithm_names, int_alg);
2165 return FAILED;
2166 }
2167 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
2168 integrity_algorithm_names, int_alg, int_size);
2169
2170 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_size / 8);
2171 hdr->nlmsg_len += rthdr->rta_len;
2172 if (hdr->nlmsg_len > sizeof(request))
2173 {
2174 return FAILED;
2175 }
2176
2177 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2178 algo->alg_key_len = int_size;
2179 strcpy(algo->alg_name, alg_name);
2180 prf_plus->get_bytes(prf_plus, int_size / 8, algo->alg_key);
2181
2182 rthdr = XFRM_RTA_NEXT(rthdr);
2183 }
2184
2185 if (ipcomp != IPCOMP_NONE)
2186 {
2187 rthdr->rta_type = XFRMA_ALG_COMP;
2188 alg_name = lookup_algorithm(compression_algs, ipcomp, NULL);
2189 if (alg_name == NULL)
2190 {
2191 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
2192 ipcomp_transform_names, ipcomp);
2193 return FAILED;
2194 }
2195 DBG2(DBG_KNL, " using compression algorithm %N",
2196 ipcomp_transform_names, ipcomp);
2197
2198 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
2199 hdr->nlmsg_len += rthdr->rta_len;
2200 if (hdr->nlmsg_len > sizeof(request))
2201 {
2202 return FAILED;
2203 }
2204
2205 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
2206 algo->alg_key_len = 0;
2207 strcpy(algo->alg_name, alg_name);
2208
2209 rthdr = XFRM_RTA_NEXT(rthdr);
2210 }
2211
2212 if (encap)
2213 {
2214 rthdr->rta_type = XFRMA_ENCAP;
2215 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2216
2217 hdr->nlmsg_len += rthdr->rta_len;
2218 if (hdr->nlmsg_len > sizeof(request))
2219 {
2220 return FAILED;
2221 }
2222
2223 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
2224 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2225 tmpl->encap_sport = htons(src->get_port(src));
2226 tmpl->encap_dport = htons(dst->get_port(dst));
2227 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2228 /* encap_oa could probably be derived from the
2229 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
2230 * pluto does the same as we do here but it uses encap_oa in the
2231 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
2232 * the kernel ignores it anyway
2233 * -> does that mean that NAT-T encap doesn't work in transport mode?
2234 * No. The reason the kernel ignores NAT-OA is that it recomputes
2235 * (or, rather, just ignores) the checksum. If packets pass
2236 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
2237 rthdr = XFRM_RTA_NEXT(rthdr);
2238 }
2239
2240 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2241 {
2242 DBG1(DBG_KNL, "unable to add SAD entry with SPI 0x%x", spi);
2243 return FAILED;
2244 }
2245 return SUCCESS;
2246 }
2247
2248 /**
2249 * Get the replay state (i.e. sequence numbers) of an SA.
2250 */
2251 static status_t get_replay_state(private_kernel_interface_t *this,
2252 u_int32_t spi, protocol_id_t protocol, host_t *dst,
2253 struct xfrm_replay_state *replay)
2254 {
2255 unsigned char request[BUFFER_SIZE];
2256 struct nlmsghdr *hdr, *out = NULL;
2257 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
2258 size_t len;
2259 struct rtattr *rta;
2260 size_t rtasize;
2261
2262 memset(&request, 0, sizeof(request));
2263
2264 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI 0x%x", spi);
2265
2266 hdr = (struct nlmsghdr*)request;
2267 hdr->nlmsg_flags = NLM_F_REQUEST;
2268 hdr->nlmsg_type = XFRM_MSG_GETAE;
2269 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
2270
2271 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
2272 aevent_id->flags = XFRM_AE_RVAL;
2273
2274 host2xfrm(dst, &aevent_id->sa_id.daddr);
2275 aevent_id->sa_id.spi = spi;
2276 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
2277 aevent_id->sa_id.family = dst->get_family(dst);
2278
2279 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2280 {
2281 hdr = out;
2282 while (NLMSG_OK(hdr, len))
2283 {
2284 switch (hdr->nlmsg_type)
2285 {
2286 case XFRM_MSG_NEWAE:
2287 {
2288 out_aevent = NLMSG_DATA(hdr);
2289 break;
2290 }
2291 case NLMSG_ERROR:
2292 {
2293 struct nlmsgerr *err = NLMSG_DATA(hdr);
2294 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
2295 strerror(-err->error), -err->error);
2296 break;
2297 }
2298 default:
2299 hdr = NLMSG_NEXT(hdr, len);
2300 continue;
2301 case NLMSG_DONE:
2302 break;
2303 }
2304 break;
2305 }
2306 }
2307
2308 if (out_aevent == NULL)
2309 {
2310 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI 0x%x", spi);
2311 free(out);
2312 return FAILED;
2313 }
2314
2315 rta = XFRM_RTA(out, struct xfrm_aevent_id);
2316 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
2317 while(RTA_OK(rta, rtasize))
2318 {
2319 if (rta->rta_type == XFRMA_REPLAY_VAL)
2320 {
2321 memcpy(replay, RTA_DATA(rta), rta->rta_len);
2322 free(out);
2323 return SUCCESS;
2324 }
2325 rta = RTA_NEXT(rta, rtasize);
2326 }
2327
2328 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI 0x%x", spi);
2329 free(out);
2330 return FAILED;
2331 }
2332
2333 /**
2334 * Implementation of kernel_interface_t.update_sa.
2335 */
2336 static status_t update_sa(private_kernel_interface_t *this,
2337 u_int32_t spi, protocol_id_t protocol,
2338 host_t *src, host_t *dst,
2339 host_t *new_src, host_t *new_dst, bool encap)
2340 {
2341 unsigned char request[BUFFER_SIZE], *pos;
2342 struct nlmsghdr *hdr, *out = NULL;
2343 struct xfrm_usersa_id *sa_id;
2344 struct xfrm_usersa_info *out_sa = NULL, *sa;
2345 size_t len;
2346 struct rtattr *rta;
2347 size_t rtasize;
2348 struct xfrm_encap_tmpl* tmpl = NULL;
2349 bool got_replay_state;
2350 struct xfrm_replay_state replay;
2351
2352 memset(&request, 0, sizeof(request));
2353
2354 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x for update", spi);
2355
2356 /* query the exisiting SA first */
2357 hdr = (struct nlmsghdr*)request;
2358 hdr->nlmsg_flags = NLM_F_REQUEST;
2359 hdr->nlmsg_type = XFRM_MSG_GETSA;
2360 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2361
2362 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2363 host2xfrm(dst, &sa_id->daddr);
2364 sa_id->spi = spi;
2365 sa_id->proto = proto_ike2kernel(protocol);
2366 sa_id->family = dst->get_family(dst);
2367
2368 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2369 {
2370 hdr = out;
2371 while (NLMSG_OK(hdr, len))
2372 {
2373 switch (hdr->nlmsg_type)
2374 {
2375 case XFRM_MSG_NEWSA:
2376 {
2377 out_sa = NLMSG_DATA(hdr);
2378 break;
2379 }
2380 case NLMSG_ERROR:
2381 {
2382 struct nlmsgerr *err = NLMSG_DATA(hdr);
2383 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2384 strerror(-err->error), -err->error);
2385 break;
2386 }
2387 default:
2388 hdr = NLMSG_NEXT(hdr, len);
2389 continue;
2390 case NLMSG_DONE:
2391 break;
2392 }
2393 break;
2394 }
2395 }
2396 if (out_sa == NULL)
2397 {
2398 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
2399 free(out);
2400 return FAILED;
2401 }
2402
2403 /* try to get the replay state */
2404 got_replay_state = (get_replay_state(
2405 this, spi, protocol, dst, &replay) == SUCCESS);
2406
2407 /* delete the old SA */
2408 if (this->public.del_sa(&this->public, dst, spi, protocol) != SUCCESS)
2409 {
2410 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI 0x%x", spi);
2411 free(out);
2412 return FAILED;
2413 }
2414
2415 DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x from %#H..%#H to %#H..%#H",
2416 spi, src, dst, new_src, new_dst);
2417
2418 /* copy over the SA from out to request */
2419 hdr = (struct nlmsghdr*)request;
2420 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
2421 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2422 hdr->nlmsg_type = XFRM_MSG_NEWSA;
2423 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2424 sa = NLMSG_DATA(hdr);
2425 sa->family = new_dst->get_family(new_dst);
2426
2427 if (!src->ip_equals(src, new_src))
2428 {
2429 host2xfrm(new_src, &sa->saddr);
2430 }
2431 if (!dst->ip_equals(dst, new_dst))
2432 {
2433 host2xfrm(new_dst, &sa->id.daddr);
2434 }
2435
2436 rta = XFRM_RTA(out, struct xfrm_usersa_info);
2437 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
2438 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
2439 while(RTA_OK(rta, rtasize))
2440 {
2441 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
2442 if (rta->rta_type != XFRMA_ENCAP || encap)
2443 {
2444 if (rta->rta_type == XFRMA_ENCAP)
2445 { /* update encap tmpl */
2446 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2447 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2448 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2449 }
2450 memcpy(pos, rta, rta->rta_len);
2451 pos += RTA_ALIGN(rta->rta_len);
2452 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
2453 }
2454 rta = RTA_NEXT(rta, rtasize);
2455 }
2456
2457 rta = (struct rtattr*)pos;
2458 if (tmpl == NULL && encap)
2459 { /* add tmpl if we are enabling it */
2460 rta->rta_type = XFRMA_ENCAP;
2461 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
2462
2463 hdr->nlmsg_len += rta->rta_len;
2464 if (hdr->nlmsg_len > sizeof(request))
2465 {
2466 return FAILED;
2467 }
2468
2469 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
2470 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2471 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
2472 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
2473 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2474
2475 rta = XFRM_RTA_NEXT(rta);
2476 }
2477
2478 if (got_replay_state)
2479 { /* copy the replay data if available */
2480 rta->rta_type = XFRMA_REPLAY_VAL;
2481 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
2482
2483 hdr->nlmsg_len += rta->rta_len;
2484 if (hdr->nlmsg_len > sizeof(request))
2485 {
2486 return FAILED;
2487 }
2488 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
2489
2490 rta = XFRM_RTA_NEXT(rta);
2491 }
2492
2493 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2494 {
2495 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
2496 free(out);
2497 return FAILED;
2498 }
2499 free(out);
2500
2501 return SUCCESS;
2502 }
2503
2504 /**
2505 * Implementation of kernel_interface_t.query_sa.
2506 */
2507 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
2508 u_int32_t spi, protocol_id_t protocol,
2509 u_int32_t *use_time)
2510 {
2511 unsigned char request[BUFFER_SIZE];
2512 struct nlmsghdr *out = NULL, *hdr;
2513 struct xfrm_usersa_id *sa_id;
2514 struct xfrm_usersa_info *sa = NULL;
2515 size_t len;
2516
2517 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
2518 memset(&request, 0, sizeof(request));
2519
2520 hdr = (struct nlmsghdr*)request;
2521 hdr->nlmsg_flags = NLM_F_REQUEST;
2522 hdr->nlmsg_type = XFRM_MSG_GETSA;
2523 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2524
2525 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2526 host2xfrm(dst, &sa_id->daddr);
2527 sa_id->spi = spi;
2528 sa_id->proto = proto_ike2kernel(protocol);
2529 sa_id->family = dst->get_family(dst);
2530
2531 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2532 {
2533 hdr = out;
2534 while (NLMSG_OK(hdr, len))
2535 {
2536 switch (hdr->nlmsg_type)
2537 {
2538 case XFRM_MSG_NEWSA:
2539 {
2540 sa = NLMSG_DATA(hdr);
2541 break;
2542 }
2543 case NLMSG_ERROR:
2544 {
2545 struct nlmsgerr *err = NLMSG_DATA(hdr);
2546 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2547 strerror(-err->error), -err->error);
2548 break;
2549 }
2550 default:
2551 hdr = NLMSG_NEXT(hdr, len);
2552 continue;
2553 case NLMSG_DONE:
2554 break;
2555 }
2556 break;
2557 }
2558 }
2559
2560 if (sa == NULL)
2561 {
2562 DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
2563 free(out);
2564 return FAILED;
2565 }
2566
2567 *use_time = sa->curlft.use_time;
2568 free (out);
2569 return SUCCESS;
2570 }
2571
2572 /**
2573 * Implementation of kernel_interface_t.del_sa.
2574 */
2575 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
2576 u_int32_t spi, protocol_id_t protocol)
2577 {
2578 unsigned char request[BUFFER_SIZE];
2579 struct nlmsghdr *hdr;
2580 struct xfrm_usersa_id *sa_id;
2581
2582 memset(&request, 0, sizeof(request));
2583
2584 DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
2585
2586 hdr = (struct nlmsghdr*)request;
2587 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2588 hdr->nlmsg_type = XFRM_MSG_DELSA;
2589 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2590
2591 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
2592 host2xfrm(dst, &sa_id->daddr);
2593 sa_id->spi = spi;
2594 sa_id->proto = proto_ike2kernel(protocol);
2595 sa_id->family = dst->get_family(dst);
2596
2597 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2598 {
2599 DBG1(DBG_KNL, "unable to delete SAD entry with SPI 0x%x", spi);
2600 return FAILED;
2601 }
2602 DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
2603 return SUCCESS;
2604 }
2605
2606 /**
2607 * Implementation of kernel_interface_t.add_policy.
2608 */
2609 static status_t add_policy(private_kernel_interface_t *this,
2610 host_t *src, host_t *dst,
2611 traffic_selector_t *src_ts,
2612 traffic_selector_t *dst_ts,
2613 policy_dir_t direction, protocol_id_t protocol,
2614 u_int32_t reqid, bool high_prio, mode_t mode,
2615 u_int16_t ipcomp)
2616 {
2617 iterator_t *iterator;
2618 policy_entry_t *current, *policy;
2619 bool found = FALSE;
2620 unsigned char request[BUFFER_SIZE];
2621 struct xfrm_userpolicy_info *policy_info;
2622 struct nlmsghdr *hdr;
2623
2624 /* create a policy */
2625 policy = malloc_thing(policy_entry_t);
2626 memset(policy, 0, sizeof(policy_entry_t));
2627 policy->sel = ts2selector(src_ts, dst_ts);
2628 policy->direction = direction;
2629
2630 /* find the policy, which matches EXACTLY */
2631 pthread_mutex_lock(&this->mutex);
2632 iterator = this->policies->create_iterator(this->policies, TRUE);
2633 while (iterator->iterate(iterator, (void**)&current))
2634 {
2635 if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
2636 policy->direction == current->direction)
2637 {
2638 /* use existing policy */
2639 current->refcount++;
2640 DBG2(DBG_KNL, "policy %R===%R already exists, increasing "
2641 "refcount", src_ts, dst_ts);
2642 free(policy);
2643 policy = current;
2644 found = TRUE;
2645 break;
2646 }
2647 }
2648 iterator->destroy(iterator);
2649 if (!found)
2650 { /* apply the new one, if we have no such policy */
2651 this->policies->insert_last(this->policies, policy);
2652 policy->refcount = 1;
2653 }
2654
2655 DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
2656
2657 memset(&request, 0, sizeof(request));
2658 hdr = (struct nlmsghdr*)request;
2659 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2660 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
2661 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2662
2663 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2664 policy_info->sel = policy->sel;
2665 policy_info->dir = policy->direction;
2666 /* calculate priority based on source selector size, small size = high prio */
2667 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
2668 policy_info->priority -= policy->sel.prefixlen_s * 10;
2669 policy_info->priority -= policy->sel.proto ? 2 : 0;
2670 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
2671 policy_info->action = XFRM_POLICY_ALLOW;
2672 policy_info->share = XFRM_SHARE_ANY;
2673 pthread_mutex_unlock(&this->mutex);
2674
2675 /* policies don't expire */
2676 policy_info->lft.soft_byte_limit = XFRM_INF;
2677 policy_info->lft.soft_packet_limit = XFRM_INF;
2678 policy_info->lft.hard_byte_limit = XFRM_INF;
2679 policy_info->lft.hard_packet_limit = XFRM_INF;
2680 policy_info->lft.soft_add_expires_seconds = 0;
2681 policy_info->lft.hard_add_expires_seconds = 0;
2682 policy_info->lft.soft_use_expires_seconds = 0;
2683 policy_info->lft.hard_use_expires_seconds = 0;
2684
2685 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
2686 rthdr->rta_type = XFRMA_TMPL;
2687 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2688
2689 hdr->nlmsg_len += rthdr->rta_len;
2690 if (hdr->nlmsg_len > sizeof(request))
2691 {
2692 return FAILED;
2693 }
2694
2695 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
2696
2697 if (ipcomp != IPCOMP_NONE)
2698 {
2699 tmpl->reqid = reqid;
2700 tmpl->id.proto = IPPROTO_COMP;
2701 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2702 tmpl->mode = mode;
2703 tmpl->optional = direction != POLICY_OUT;
2704 tmpl->family = src->get_family(src);
2705
2706 host2xfrm(src, &tmpl->saddr);
2707 host2xfrm(dst, &tmpl->id.daddr);
2708
2709 /* add an additional xfrm_user_tmpl */
2710 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2711 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
2712 if (hdr->nlmsg_len > sizeof(request))
2713 {
2714 return FAILED;
2715 }
2716
2717 tmpl++;
2718 }
2719
2720 tmpl->reqid = reqid;
2721 tmpl->id.proto = proto_ike2kernel(protocol);
2722 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2723 tmpl->mode = mode;
2724 tmpl->family = src->get_family(src);
2725
2726 host2xfrm(src, &tmpl->saddr);
2727 host2xfrm(dst, &tmpl->id.daddr);
2728
2729 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2730 {
2731 DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
2732 return FAILED;
2733 }
2734
2735 /* install a route, if:
2736 * - we are NOT updating a policy
2737 * - this is a forward policy (to just get one for each child)
2738 * - we are in tunnel mode
2739 * - we are not using IPv6 (does not work correctly yet!)
2740 * - routing is not disabled via strongswan.conf
2741 */
2742 if (policy->route == NULL && direction == POLICY_FWD &&
2743 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
2744 this->install_routes)
2745 {
2746 policy->route = malloc_thing(route_entry_t);
2747 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
2748 {
2749 /* get the nexthop to src (src as we are in POLICY_FWD).*/
2750 policy->route->gateway = get_route(this, src, TRUE);
2751 policy->route->if_index = get_interface_index(this, dst);
2752 policy->route->dst_net = chunk_alloc(
2753 policy->sel.family == AF_INET ? 4 : 16);
2754 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr,
2755 policy->route->dst_net.len);
2756 policy->route->prefixlen = policy->sel.prefixlen_s;
2757
2758 switch (manage_srcroute(this, RTM_NEWROUTE,
2759 NLM_F_CREATE | NLM_F_EXCL, policy->route))
2760 {
2761 default:
2762 DBG1(DBG_KNL, "unable to install source route for %H",
2763 policy->route->src_ip);
2764 /* FALL */
2765 case ALREADY_DONE:
2766 /* route exists, do not uninstall */
2767 route_entry_destroy(policy->route);
2768 policy->route = NULL;
2769 break;
2770 case SUCCESS:
2771 break;
2772 }
2773 }
2774 else
2775 {
2776 free(policy->route);
2777 policy->route = NULL;
2778 }
2779 }
2780
2781 return SUCCESS;
2782 }
2783
2784 /**
2785 * Implementation of kernel_interface_t.query_policy.
2786 */
2787 static status_t query_policy(private_kernel_interface_t *this,
2788 traffic_selector_t *src_ts,
2789 traffic_selector_t *dst_ts,
2790 policy_dir_t direction, u_int32_t *use_time)
2791 {
2792 unsigned char request[BUFFER_SIZE];
2793 struct nlmsghdr *out = NULL, *hdr;
2794 struct xfrm_userpolicy_id *policy_id;
2795 struct xfrm_userpolicy_info *policy = NULL;
2796 size_t len;
2797
2798 memset(&request, 0, sizeof(request));
2799
2800 DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
2801
2802 hdr = (struct nlmsghdr*)request;
2803 hdr->nlmsg_flags = NLM_F_REQUEST;
2804 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2805 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2806
2807 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2808 policy_id->sel = ts2selector(src_ts, dst_ts);
2809 policy_id->dir = direction;
2810
2811 if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2812 {
2813 hdr = out;
2814 while (NLMSG_OK(hdr, len))
2815 {
2816 switch (hdr->nlmsg_type)
2817 {
2818 case XFRM_MSG_NEWPOLICY:
2819 {
2820 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2821 break;
2822 }
2823 case NLMSG_ERROR:
2824 {
2825 struct nlmsgerr *err = NLMSG_DATA(hdr);
2826 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2827 strerror(-err->error), -err->error);
2828 break;
2829 }
2830 default:
2831 hdr = NLMSG_NEXT(hdr, len);
2832 continue;
2833 case NLMSG_DONE:
2834 break;
2835 }
2836 break;
2837 }
2838 }
2839
2840 if (policy == NULL)
2841 {
2842 DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
2843 free(out);
2844 return FAILED;
2845 }
2846 *use_time = (time_t)policy->curlft.use_time;
2847
2848 free(out);
2849 return SUCCESS;
2850 }
2851
2852 /**
2853 * Implementation of kernel_interface_t.del_policy.
2854 */
2855 static status_t del_policy(private_kernel_interface_t *this,
2856 traffic_selector_t *src_ts,
2857 traffic_selector_t *dst_ts,
2858 policy_dir_t direction)
2859 {
2860 policy_entry_t *current, policy, *to_delete = NULL;
2861 route_entry_t *route;
2862 unsigned char request[BUFFER_SIZE];
2863 struct nlmsghdr *hdr;
2864 struct xfrm_userpolicy_id *policy_id;
2865 iterator_t *iterator;
2866
2867 DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
2868
2869 /* create a policy */
2870 memset(&policy, 0, sizeof(policy_entry_t));
2871 policy.sel = ts2selector(src_ts, dst_ts);
2872 policy.direction = direction;
2873
2874 /* find the policy */
2875 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
2876 while (iterator->iterate(iterator, (void**)&current))
2877 {
2878 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
2879 policy.direction == current->direction)
2880 {
2881 to_delete = current;
2882 if (--to_delete->refcount > 0)
2883 {
2884 /* is used by more SAs, keep in kernel */
2885 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2886 iterator->destroy(iterator);
2887 return SUCCESS;
2888 }
2889 /* remove if last reference */
2890 iterator->remove(iterator);
2891 break;
2892 }
2893 }
2894 iterator->destroy(iterator);
2895 if (!to_delete)
2896 {
2897 DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
2898 return NOT_FOUND;
2899 }
2900
2901 memset(&request, 0, sizeof(request));
2902
2903 hdr = (struct nlmsghdr*)request;
2904 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2905 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2906 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2907
2908 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2909 policy_id->sel = to_delete->sel;
2910 policy_id->dir = direction;
2911
2912 route = to_delete->route;
2913 free(to_delete);
2914
2915 if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
2916 {
2917 DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
2918 return FAILED;
2919 }
2920
2921 if (route)
2922 {
2923 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
2924 {
2925 DBG1(DBG_KNL, "error uninstalling route installed with "
2926 "policy %R===%R", src_ts, dst_ts);
2927 }
2928 route_entry_destroy(route);
2929 }
2930 return SUCCESS;
2931 }
2932
2933 /**
2934 * Implementation of kernel_interface_t.destroy.
2935 */
2936 static void destroy(private_kernel_interface_t *this)
2937 {
2938 if (this->routing_table)
2939 {
2940 manage_rule(this, RTM_DELRULE, this->routing_table,
2941 this->routing_table_prio);
2942 }
2943
2944 this->job->cancel(this->job);
2945 close(this->socket_xfrm_events);
2946 close(this->socket_xfrm);
2947 close(this->socket_rt_events);
2948 close(this->socket_rt);
2949 this->policies->destroy(this->policies);
2950 this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
2951 free(this);
2952 }
2953
2954 /*
2955 * Described in header.
2956 */
2957 kernel_interface_t *kernel_interface_create()
2958 {
2959 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
2960 struct sockaddr_nl addr;
2961
2962 /* public functions */
2963 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
2964 this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
2965 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,mode_t,u_int16_t,bool,bool))add_sa;
2966 this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
2967 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
2968 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
2969 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,u_int16_t))add_policy;
2970 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
2971 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
2972 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
2973 this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
2974 this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest))get_source_addr;
2975 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
2976 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
2977 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
2978
2979 /* private members */
2980 this->policies = linked_list_create();
2981 this->ifaces = linked_list_create();
2982 this->hiter = NULL;
2983 this->seq = 200;
2984 pthread_mutex_init(&this->mutex, NULL);
2985 pthread_mutex_init(&this->nl_mutex, NULL);
2986 pthread_cond_init(&this->cond, NULL);
2987 timerclear(&this->last_roam);
2988 this->install_routes = lib->settings->get_bool(lib->settings,
2989 "charon.install_routes", TRUE);
2990 this->routing_table = lib->settings->get_int(lib->settings,
2991 "charon.routing_table", IPSEC_ROUTING_TABLE);
2992 this->routing_table_prio = lib->settings->get_int(lib->settings,
2993 "charon.routing_table_prio", IPSEC_ROUTING_TABLE_PRIO);
2994 memset(&addr, 0, sizeof(addr));
2995 addr.nl_family = AF_NETLINK;
2996
2997 /* create and bind RT socket */
2998 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
2999 if (this->socket_rt <= 0)
3000 {
3001 charon->kill(charon, "unable to create RT netlink socket");
3002 }
3003 addr.nl_groups = 0;
3004 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
3005 {
3006 charon->kill(charon, "unable to bind RT netlink socket");
3007 }
3008
3009 /* create and bind RT socket for events (address/interface/route changes) */
3010 this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
3011 if (this->socket_rt_events <= 0)
3012 {
3013 charon->kill(charon, "unable to create RT event socket");
3014 }
3015 addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR |
3016 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
3017 if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
3018 {
3019 charon->kill(charon, "unable to bind RT event socket");
3020 }
3021
3022 /* create and bind XFRM socket */
3023 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
3024 if (this->socket_xfrm <= 0)
3025 {
3026 charon->kill(charon, "unable to create XFRM netlink socket");
3027 }
3028 addr.nl_groups = 0;
3029 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
3030 {
3031 charon->kill(charon, "unable to bind XFRM netlink socket");
3032 }
3033
3034 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
3035 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
3036 if (this->socket_xfrm_events <= 0)
3037 {
3038 charon->kill(charon, "unable to create XFRM event socket");
3039 }
3040 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
3041 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
3042 {
3043 charon->kill(charon, "unable to bind XFRM event socket");
3044 }
3045
3046 this->job = callback_job_create((callback_job_cb_t)receive_events,
3047 this, NULL, NULL);
3048 charon->processor->queue_job(charon->processor, (job_t*)this->job);
3049
3050 if (init_address_list(this) != SUCCESS)
3051 {
3052 charon->kill(charon, "unable to get interface list");
3053 }
3054
3055 if (this->routing_table)
3056 {
3057 if (manage_rule(this, RTM_NEWRULE, this->routing_table,
3058 this->routing_table_prio) != SUCCESS)
3059 {
3060 DBG1(DBG_KNL, "unable to create routing table rule");
3061 }
3062 }
3063
3064 return &this->public;
3065 }
3066