projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
reverted changeset 4529:
[strongswan.git] / src / charon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 *
19 * $Id$
20 */
21
22 #include <sys/types.h>
23 #include <sys/socket.h>
24 #include <sys/time.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <netinet/in.h>
30 #include <pthread.h>
31 #include <unistd.h>
32 #include <errno.h>
33 #include <string.h>
34
35 #include "kernel_netlink_ipsec.h"
36 #include "kernel_netlink_shared.h"
37
38 #include <daemon.h>
39 #include <utils/linked_list.h>
40 #include <processing/jobs/callback_job.h>
41 #include <processing/jobs/acquire_job.h>
42 #include <processing/jobs/rekey_child_sa_job.h>
43 #include <processing/jobs/delete_child_sa_job.h>
44 #include <processing/jobs/update_sa_job.h>
45
46 /** required for Linux 2.6.26 kernel and later */
47 #ifndef XFRM_STATE_AF_UNSPEC
48 #define XFRM_STATE_AF_UNSPEC 32
49 #endif
50
51 /** default priority of installed policies */
52 #define PRIO_LOW 3000
53 #define PRIO_HIGH 2000
54
55 /**
56 * Create ORable bitfield of XFRM NL groups
57 */
58 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
59
60 /**
61 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
62 * 'usual' netlink data x like 'struct xfrm_usersa_info'
63 */
64 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
65 /**
66 * returns a pointer to the next rtattr following rta.
67 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
68 */
69 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
70 /**
71 * returns the total size of attached rta data
72 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
73 */
74 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
75
76 typedef struct kernel_algorithm_t kernel_algorithm_t;
77
78 /**
79 * Mapping of IKEv2 kernel identifier to linux crypto API names
80 */
81 struct kernel_algorithm_t {
82 /**
83 * Identifier specified in IKEv2
84 */
85 int ikev2;
86
87 /**
88 * Name of the algorithm in linux crypto API
89 */
90 char *name;
91 };
92
93 #define END_OF_LIST -1
94
95 /**
96 * Algorithms for encryption
97 */
98 static kernel_algorithm_t encryption_algs[] = {
99 /* {ENCR_DES_IV64, "***" }, */
100 {ENCR_DES, "des" },
101 {ENCR_3DES, "des3_ede" },
102 /* {ENCR_RC5, "***" }, */
103 /* {ENCR_IDEA, "***" }, */
104 {ENCR_CAST, "cast128" },
105 {ENCR_BLOWFISH, "blowfish" },
106 /* {ENCR_3IDEA, "***" }, */
107 /* {ENCR_DES_IV32, "***" }, */
108 {ENCR_NULL, "cipher_null" },
109 {ENCR_AES_CBC, "aes" },
110 /* {ENCR_AES_CTR, "***" }, */
111 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
112 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
113 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
114 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
115 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
116 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
117 {END_OF_LIST, NULL },
118 };
119
120 /**
121 * Algorithms for integrity protection
122 */
123 static kernel_algorithm_t integrity_algs[] = {
124 {AUTH_HMAC_MD5_96, "md5" },
125 {AUTH_HMAC_SHA1_96, "sha1" },
126 {AUTH_HMAC_SHA2_256_128, "sha256" },
127 {AUTH_HMAC_SHA2_384_192, "sha384" },
128 {AUTH_HMAC_SHA2_512_256, "sha512" },
129 /* {AUTH_DES_MAC, "***" }, */
130 /* {AUTH_KPDK_MD5, "***" }, */
131 {AUTH_AES_XCBC_96, "xcbc(aes)" },
132 {END_OF_LIST, NULL },
133 };
134
135 /**
136 * Algorithms for IPComp
137 */
138 static kernel_algorithm_t compression_algs[] = {
139 /* {IPCOMP_OUI, "***" }, */
140 {IPCOMP_DEFLATE, "deflate" },
141 {IPCOMP_LZS, "lzs" },
142 {IPCOMP_LZJH, "lzjh" },
143 {END_OF_LIST, NULL },
144 };
145
146 /**
147 * Look up a kernel algorithm name and its key size
148 */
149 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
150 {
151 while (list->ikev2 != END_OF_LIST)
152 {
153 if (list->ikev2 == ikev2)
154 {
155 return list->name;
156 }
157 list++;
158 }
159 return NULL;
160 }
161
162 typedef struct route_entry_t route_entry_t;
163
164 /**
165 * installed routing entry
166 */
167 struct route_entry_t {
168 /** Name of the interface the route is bound to */
169 char *if_name;
170
171 /** Source ip of the route */
172 host_t *src_ip;
173
174 /** gateway for this route */
175 host_t *gateway;
176
177 /** Destination net */
178 chunk_t dst_net;
179
180 /** Destination net prefixlen */
181 u_int8_t prefixlen;
182 };
183
184 /**
185 * destroy an route_entry_t object
186 */
187 static void route_entry_destroy(route_entry_t *this)
188 {
189 free(this->if_name);
190 this->src_ip->destroy(this->src_ip);
191 this->gateway->destroy(this->gateway);
192 chunk_free(&this->dst_net);
193 free(this);
194 }
195
196 typedef struct policy_entry_t policy_entry_t;
197
198 /**
199 * installed kernel policy.
200 */
201 struct policy_entry_t {
202
203 /** direction of this policy: in, out, forward */
204 u_int8_t direction;
205
206 /** parameters of installed policy */
207 struct xfrm_selector sel;
208
209 /** associated route installed for this policy */
210 route_entry_t *route;
211
212 /** by how many CHILD_SA's this policy is used */
213 u_int refcount;
214 };
215
216 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
217
218 /**
219 * Private variables and functions of kernel_netlink class.
220 */
221 struct private_kernel_netlink_ipsec_t {
222 /**
223 * Public part of the kernel_netlink_t object.
224 */
225 kernel_netlink_ipsec_t public;
226
227 /**
228 * mutex to lock access to various lists
229 */
230 pthread_mutex_t mutex;
231
232 /**
233 * List of installed policies (policy_entry_t)
234 */
235 linked_list_t *policies;
236
237 /**
238 * job receiving netlink events
239 */
240 callback_job_t *job;
241
242 /**
243 * Netlink xfrm socket (IPsec)
244 */
245 netlink_socket_t *socket_xfrm;
246
247 /**
248 * netlink xfrm socket to receive acquire and expire events
249 */
250 int socket_xfrm_events;
251
252 /**
253 * whether to install routes along policies
254 */
255 bool install_routes;
256 };
257
258 /**
259 * convert a IKEv2 specific protocol identifier to the kernel one
260 */
261 static u_int8_t proto_ike2kernel(protocol_id_t proto)
262 {
263 switch (proto)
264 {
265 case PROTO_ESP:
266 return IPPROTO_ESP;
267 case PROTO_AH:
268 return IPPROTO_AH;
269 default:
270 return proto;
271 }
272 }
273
274 /**
275 * reverse of ike2kernel
276 */
277 static protocol_id_t proto_kernel2ike(u_int8_t proto)
278 {
279 switch (proto)
280 {
281 case IPPROTO_ESP:
282 return PROTO_ESP;
283 case IPPROTO_AH:
284 return PROTO_AH;
285 default:
286 return proto;
287 }
288 }
289
290 /**
291 * convert a host_t to a struct xfrm_address
292 */
293 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
294 {
295 chunk_t chunk = host->get_address(host);
296 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
297 }
298
299 /**
300 * convert a struct xfrm_address to a host_t
301 */
302 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
303 {
304 chunk_t chunk;
305
306 switch (family)
307 {
308 case AF_INET:
309 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
310 break;
311 case AF_INET6:
312 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
313 break;
314 default:
315 return NULL;
316 }
317 return host_create_from_chunk(family, chunk, ntohs(port));
318 }
319
320 /**
321 * convert a traffic selector address range to subnet and its mask.
322 */
323 static void ts2subnet(traffic_selector_t* ts,
324 xfrm_address_t *net, u_int8_t *mask)
325 {
326 host_t *net_host;
327 chunk_t net_chunk;
328
329 ts->to_subnet(ts, &net_host, mask);
330 net_chunk = net_host->get_address(net_host);
331 memcpy(net, net_chunk.ptr, net_chunk.len);
332 net_host->destroy(net_host);
333 }
334
335 /**
336 * convert a traffic selector port range to port/portmask
337 */
338 static void ts2ports(traffic_selector_t* ts,
339 u_int16_t *port, u_int16_t *mask)
340 {
341 /* linux does not seem to accept complex portmasks. Only
342 * any or a specific port is allowed. We set to any, if we have
343 * a port range, or to a specific, if we have one port only.
344 */
345 u_int16_t from, to;
346
347 from = ts->get_from_port(ts);
348 to = ts->get_to_port(ts);
349
350 if (from == to)
351 {
352 *port = htons(from);
353 *mask = ~0;
354 }
355 else
356 {
357 *port = 0;
358 *mask = 0;
359 }
360 }
361
362 /**
363 * convert a pair of traffic_selectors to a xfrm_selector
364 */
365 static struct xfrm_selector ts2selector(traffic_selector_t *src,
366 traffic_selector_t *dst)
367 {
368 struct xfrm_selector sel;
369
370 memset(&sel, 0, sizeof(sel));
371 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
372 /* src or dest proto may be "any" (0), use more restrictive one */
373 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
374 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
375 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
376 ts2ports(dst, &sel.dport, &sel.dport_mask);
377 ts2ports(src, &sel.sport, &sel.sport_mask);
378 sel.ifindex = 0;
379 sel.user = 0;
380
381 return sel;
382 }
383
384
385 /**
386 * process a XFRM_MSG_ACQUIRE from kernel
387 */
388 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
389 {
390 u_int32_t reqid = 0;
391 int proto = 0;
392 job_t *job;
393 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
394 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
395
396 if (RTA_OK(rtattr, rtsize))
397 {
398 if (rtattr->rta_type == XFRMA_TMPL)
399 {
400 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
401 reqid = tmpl->reqid;
402 proto = tmpl->id.proto;
403 }
404 }
405 switch (proto)
406 {
407 case 0:
408 case IPPROTO_ESP:
409 case IPPROTO_AH:
410 break;
411 default:
412 /* acquire for AH/ESP only, not for IPCOMP */
413 return;
414 }
415 if (reqid == 0)
416 {
417 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
418 return;
419 }
420 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
421 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
422 job = (job_t*)acquire_job_create(reqid);
423 charon->processor->queue_job(charon->processor, job);
424 }
425
426 /**
427 * process a XFRM_MSG_EXPIRE from kernel
428 */
429 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
430 {
431 job_t *job;
432 protocol_id_t protocol;
433 u_int32_t spi, reqid;
434 struct xfrm_user_expire *expire;
435
436 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
437 protocol = proto_kernel2ike(expire->state.id.proto);
438 spi = expire->state.id.spi;
439 reqid = expire->state.reqid;
440
441 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
442
443 if (protocol != PROTO_ESP && protocol != PROTO_AH)
444 {
445 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%d} "
446 "which is not a CHILD_SA", ntohl(spi), reqid);
447 return;
448 }
449
450 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
451 expire->hard ? "delete" : "rekey", protocol_id_names,
452 protocol, ntohl(spi), reqid);
453 if (expire->hard)
454 {
455 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
456 }
457 else
458 {
459 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
460 }
461 charon->processor->queue_job(charon->processor, job);
462 }
463
464 /**
465 * process a XFRM_MSG_MAPPING from kernel
466 */
467 static void process_mapping(private_kernel_netlink_ipsec_t *this,
468 struct nlmsghdr *hdr)
469 {
470 job_t *job;
471 u_int32_t spi, reqid;
472 struct xfrm_user_mapping *mapping;
473 host_t *host;
474
475 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
476 spi = mapping->id.spi;
477 reqid = mapping->reqid;
478
479 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
480
481 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
482 {
483 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
484 mapping->new_sport);
485 if (host)
486 {
487 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
488 "reqid {%d} changed, queuing update job", ntohl(spi), reqid);
489 job = (job_t*)update_sa_job_create(reqid, host);
490 charon->processor->queue_job(charon->processor, job);
491 }
492 }
493 }
494
495 /**
496 * Receives events from kernel
497 */
498 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
499 {
500 char response[1024];
501 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
502 struct sockaddr_nl addr;
503 socklen_t addr_len = sizeof(addr);
504 int len, oldstate;
505
506 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
507 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
508 (struct sockaddr*)&addr, &addr_len);
509 pthread_setcancelstate(oldstate, NULL);
510
511 if (len < 0)
512 {
513 switch (errno)
514 {
515 case EINTR:
516 /* interrupted, try again */
517 return JOB_REQUEUE_DIRECT;
518 case EAGAIN:
519 /* no data ready, select again */
520 return JOB_REQUEUE_DIRECT;
521 default:
522 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
523 sleep(1);
524 return JOB_REQUEUE_FAIR;
525 }
526 }
527
528 if (addr.nl_pid != 0)
529 { /* not from kernel. not interested, try another one */
530 return JOB_REQUEUE_DIRECT;
531 }
532
533 while (NLMSG_OK(hdr, len))
534 {
535 switch (hdr->nlmsg_type)
536 {
537 case XFRM_MSG_ACQUIRE:
538 process_acquire(this, hdr);
539 break;
540 case XFRM_MSG_EXPIRE:
541 process_expire(this, hdr);
542 break;
543 case XFRM_MSG_MAPPING:
544 process_mapping(this, hdr);
545 break;
546 default:
547 break;
548 }
549 hdr = NLMSG_NEXT(hdr, len);
550 }
551 return JOB_REQUEUE_DIRECT;
552 }
553
554 /**
555 * Get an SPI for a specific protocol from the kernel.
556 */
557 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
558 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
559 u_int32_t reqid, u_int32_t *spi)
560 {
561 unsigned char request[NETLINK_BUFFER_SIZE];
562 struct nlmsghdr *hdr, *out;
563 struct xfrm_userspi_info *userspi;
564 u_int32_t received_spi = 0;
565 size_t len;
566
567 memset(&request, 0, sizeof(request));
568
569 hdr = (struct nlmsghdr*)request;
570 hdr->nlmsg_flags = NLM_F_REQUEST;
571 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
572 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
573
574 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
575 host2xfrm(src, &userspi->info.saddr);
576 host2xfrm(dst, &userspi->info.id.daddr);
577 userspi->info.id.proto = proto;
578 userspi->info.mode = TRUE; /* tunnel mode */
579 userspi->info.reqid = reqid;
580 userspi->info.family = src->get_family(src);
581 userspi->min = min;
582 userspi->max = max;
583
584 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
585 {
586 hdr = out;
587 while (NLMSG_OK(hdr, len))
588 {
589 switch (hdr->nlmsg_type)
590 {
591 case XFRM_MSG_NEWSA:
592 {
593 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
594 received_spi = usersa->id.spi;
595 break;
596 }
597 case NLMSG_ERROR:
598 {
599 struct nlmsgerr *err = NLMSG_DATA(hdr);
600
601 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
602 strerror(-err->error), -err->error);
603 break;
604 }
605 default:
606 hdr = NLMSG_NEXT(hdr, len);
607 continue;
608 case NLMSG_DONE:
609 break;
610 }
611 break;
612 }
613 free(out);
614 }
615
616 if (received_spi == 0)
617 {
618 return FAILED;
619 }
620
621 *spi = received_spi;
622 return SUCCESS;
623 }
624
625 /**
626 * Implementation of kernel_interface_t.get_spi.
627 */
628 static status_t get_spi(private_kernel_netlink_ipsec_t *this,
629 host_t *src, host_t *dst,
630 protocol_id_t protocol, u_int32_t reqid,
631 u_int32_t *spi)
632 {
633 DBG2(DBG_KNL, "getting SPI for reqid {%d}", reqid);
634
635 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
636 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
637 {
638 DBG1(DBG_KNL, "unable to get SPI for reqid {%d}", reqid);
639 return FAILED;
640 }
641
642 DBG2(DBG_KNL, "got SPI %.8x for reqid {%d}", ntohl(*spi), reqid);
643
644 return SUCCESS;
645 }
646
647 /**
648 * Implementation of kernel_interface_t.get_cpi.
649 */
650 static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
651 host_t *src, host_t *dst,
652 u_int32_t reqid, u_int16_t *cpi)
653 {
654 u_int32_t received_spi = 0;
655
656 DBG2(DBG_KNL, "getting CPI for reqid {%d}", reqid);
657
658 if (get_spi_internal(this, src, dst,
659 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
660 {
661 DBG1(DBG_KNL, "unable to get CPI for reqid {%d}", reqid);
662 return FAILED;
663 }
664
665 *cpi = htons((u_int16_t)ntohl(received_spi));
666
667 DBG2(DBG_KNL, "got CPI %.4x for reqid {%d}", ntohs(*cpi), reqid);
668
669 return SUCCESS;
670 }
671
672 /**
673 * Implementation of kernel_interface_t.add_sa.
674 */
675 static status_t add_sa(private_kernel_netlink_ipsec_t *this,
676 host_t *src, host_t *dst, u_int32_t spi,
677 protocol_id_t protocol, u_int32_t reqid,
678 u_int64_t expire_soft, u_int64_t expire_hard,
679 u_int16_t enc_alg, chunk_t enc_key,
680 u_int16_t int_alg, chunk_t int_key,
681 ipsec_mode_t mode, u_int16_t ipcomp, bool encap,
682 bool replace)
683 {
684 unsigned char request[NETLINK_BUFFER_SIZE];
685 char *alg_name;
686 struct nlmsghdr *hdr;
687 struct xfrm_usersa_info *sa;
688 u_int16_t icv_size = 64;
689
690 memset(&request, 0, sizeof(request));
691
692 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}",
693 ntohl(spi), reqid);
694
695 hdr = (struct nlmsghdr*)request;
696 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
697 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
698 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
699
700 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
701 host2xfrm(src, &sa->saddr);
702 host2xfrm(dst, &sa->id.daddr);
703 sa->id.spi = spi;
704 sa->id.proto = proto_ike2kernel(protocol);
705 sa->family = src->get_family(src);
706 sa->mode = mode;
707 if (mode == MODE_TUNNEL)
708 {
709 sa->flags |= XFRM_STATE_AF_UNSPEC;
710 }
711 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
712 sa->reqid = reqid;
713 /* we currently do not expire SAs by volume/packet count */
714 sa->lft.soft_byte_limit = XFRM_INF;
715 sa->lft.hard_byte_limit = XFRM_INF;
716 sa->lft.soft_packet_limit = XFRM_INF;
717 sa->lft.hard_packet_limit = XFRM_INF;
718 /* we use lifetimes since added, not since used */
719 sa->lft.soft_add_expires_seconds = expire_soft;
720 sa->lft.hard_add_expires_seconds = expire_hard;
721 sa->lft.soft_use_expires_seconds = 0;
722 sa->lft.hard_use_expires_seconds = 0;
723
724 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
725
726 switch (enc_alg)
727 {
728 case ENCR_UNDEFINED:
729 /* no encryption */
730 break;
731 case ENCR_AES_CCM_ICV16:
732 case ENCR_AES_GCM_ICV16:
733 icv_size += 32;
734 /* FALL */
735 case ENCR_AES_CCM_ICV12:
736 case ENCR_AES_GCM_ICV12:
737 icv_size += 32;
738 /* FALL */
739 case ENCR_AES_CCM_ICV8:
740 case ENCR_AES_GCM_ICV8:
741 {
742 rthdr->rta_type = XFRMA_ALG_AEAD;
743 alg_name = lookup_algorithm(encryption_algs, enc_alg);
744 if (alg_name == NULL)
745 {
746 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
747 encryption_algorithm_names, enc_alg);
748 return FAILED;
749 }
750 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
751 encryption_algorithm_names, enc_alg, enc_key.len * 8);
752
753 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
754 hdr->nlmsg_len += rthdr->rta_len;
755 if (hdr->nlmsg_len > sizeof(request))
756 {
757 return FAILED;
758 }
759
760 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
761 algo->alg_key_len = enc_key.len * 8;
762 algo->alg_icv_len = icv_size;
763 strcpy(algo->alg_name, alg_name);
764 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
765
766 rthdr = XFRM_RTA_NEXT(rthdr);
767 break;
768 }
769 default:
770 {
771 rthdr->rta_type = XFRMA_ALG_CRYPT;
772 alg_name = lookup_algorithm(encryption_algs, enc_alg);
773 if (alg_name == NULL)
774 {
775 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
776 encryption_algorithm_names, enc_alg);
777 return FAILED;
778 }
779 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
780 encryption_algorithm_names, enc_alg, enc_key.len * 8);
781
782 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
783 hdr->nlmsg_len += rthdr->rta_len;
784 if (hdr->nlmsg_len > sizeof(request))
785 {
786 return FAILED;
787 }
788
789 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
790 algo->alg_key_len = enc_key.len * 8;
791 strcpy(algo->alg_name, alg_name);
792 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
793
794 rthdr = XFRM_RTA_NEXT(rthdr);
795 break;
796 }
797 }
798
799 if (int_alg != AUTH_UNDEFINED)
800 {
801 rthdr->rta_type = XFRMA_ALG_AUTH;
802 alg_name = lookup_algorithm(integrity_algs, int_alg);
803 if (alg_name == NULL)
804 {
805 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
806 integrity_algorithm_names, int_alg);
807 return FAILED;
808 }
809 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
810 integrity_algorithm_names, int_alg, int_key.len * 8);
811
812 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
813 hdr->nlmsg_len += rthdr->rta_len;
814 if (hdr->nlmsg_len > sizeof(request))
815 {
816 return FAILED;
817 }
818
819 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
820 algo->alg_key_len = int_key.len * 8;
821 strcpy(algo->alg_name, alg_name);
822 memcpy(algo->alg_key, int_key.ptr, int_key.len);
823
824 rthdr = XFRM_RTA_NEXT(rthdr);
825 }
826
827 if (ipcomp != IPCOMP_NONE)
828 {
829 rthdr->rta_type = XFRMA_ALG_COMP;
830 alg_name = lookup_algorithm(compression_algs, ipcomp);
831 if (alg_name == NULL)
832 {
833 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
834 ipcomp_transform_names, ipcomp);
835 return FAILED;
836 }
837 DBG2(DBG_KNL, " using compression algorithm %N",
838 ipcomp_transform_names, ipcomp);
839
840 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
841 hdr->nlmsg_len += rthdr->rta_len;
842 if (hdr->nlmsg_len > sizeof(request))
843 {
844 return FAILED;
845 }
846
847 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
848 algo->alg_key_len = 0;
849 strcpy(algo->alg_name, alg_name);
850
851 rthdr = XFRM_RTA_NEXT(rthdr);
852 }
853
854 if (encap)
855 {
856 rthdr->rta_type = XFRMA_ENCAP;
857 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
858
859 hdr->nlmsg_len += rthdr->rta_len;
860 if (hdr->nlmsg_len > sizeof(request))
861 {
862 return FAILED;
863 }
864
865 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
866 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
867 tmpl->encap_sport = htons(src->get_port(src));
868 tmpl->encap_dport = htons(dst->get_port(dst));
869 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
870 /* encap_oa could probably be derived from the
871 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
872 * pluto does the same as we do here but it uses encap_oa in the
873 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
874 * the kernel ignores it anyway
875 * -> does that mean that NAT-T encap doesn't work in transport mode?
876 * No. The reason the kernel ignores NAT-OA is that it recomputes
877 * (or, rather, just ignores) the checksum. If packets pass
878 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
879 rthdr = XFRM_RTA_NEXT(rthdr);
880 }
881
882 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
883 {
884 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
885 return FAILED;
886 }
887 return SUCCESS;
888 }
889
890 /**
891 * Get the replay state (i.e. sequence numbers) of an SA.
892 */
893 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
894 u_int32_t spi, protocol_id_t protocol, host_t *dst,
895 struct xfrm_replay_state *replay)
896 {
897 unsigned char request[NETLINK_BUFFER_SIZE];
898 struct nlmsghdr *hdr, *out = NULL;
899 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
900 size_t len;
901 struct rtattr *rta;
902 size_t rtasize;
903
904 memset(&request, 0, sizeof(request));
905
906 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
907
908 hdr = (struct nlmsghdr*)request;
909 hdr->nlmsg_flags = NLM_F_REQUEST;
910 hdr->nlmsg_type = XFRM_MSG_GETAE;
911 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
912
913 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
914 aevent_id->flags = XFRM_AE_RVAL;
915
916 host2xfrm(dst, &aevent_id->sa_id.daddr);
917 aevent_id->sa_id.spi = spi;
918 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
919 aevent_id->sa_id.family = dst->get_family(dst);
920
921 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
922 {
923 hdr = out;
924 while (NLMSG_OK(hdr, len))
925 {
926 switch (hdr->nlmsg_type)
927 {
928 case XFRM_MSG_NEWAE:
929 {
930 out_aevent = NLMSG_DATA(hdr);
931 break;
932 }
933 case NLMSG_ERROR:
934 {
935 struct nlmsgerr *err = NLMSG_DATA(hdr);
936 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
937 strerror(-err->error), -err->error);
938 break;
939 }
940 default:
941 hdr = NLMSG_NEXT(hdr, len);
942 continue;
943 case NLMSG_DONE:
944 break;
945 }
946 break;
947 }
948 }
949
950 if (out_aevent == NULL)
951 {
952 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
953 ntohl(spi));
954 free(out);
955 return FAILED;
956 }
957
958 rta = XFRM_RTA(out, struct xfrm_aevent_id);
959 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
960 while(RTA_OK(rta, rtasize))
961 {
962 if (rta->rta_type == XFRMA_REPLAY_VAL)
963 {
964 memcpy(replay, RTA_DATA(rta), rta->rta_len);
965 free(out);
966 return SUCCESS;
967 }
968 rta = RTA_NEXT(rta, rtasize);
969 }
970
971 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
972 ntohl(spi));
973 free(out);
974 return FAILED;
975 }
976
977 /**
978 * Implementation of kernel_interface_t.update_sa.
979 */
980 static status_t update_sa(private_kernel_netlink_ipsec_t *this,
981 u_int32_t spi, protocol_id_t protocol,
982 host_t *src, host_t *dst,
983 host_t *new_src, host_t *new_dst, bool encap)
984 {
985 unsigned char request[NETLINK_BUFFER_SIZE], *pos;
986 struct nlmsghdr *hdr, *out = NULL;
987 struct xfrm_usersa_id *sa_id;
988 struct xfrm_usersa_info *out_sa = NULL, *sa;
989 size_t len;
990 struct rtattr *rta;
991 size_t rtasize;
992 struct xfrm_encap_tmpl* tmpl = NULL;
993 bool got_replay_state;
994 struct xfrm_replay_state replay;
995
996 memset(&request, 0, sizeof(request));
997
998 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
999
1000 /* query the existing SA first */
1001 hdr = (struct nlmsghdr*)request;
1002 hdr->nlmsg_flags = NLM_F_REQUEST;
1003 hdr->nlmsg_type = XFRM_MSG_GETSA;
1004 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1005
1006 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1007 host2xfrm(dst, &sa_id->daddr);
1008 sa_id->spi = spi;
1009 sa_id->proto = proto_ike2kernel(protocol);
1010 sa_id->family = dst->get_family(dst);
1011
1012 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1013 {
1014 hdr = out;
1015 while (NLMSG_OK(hdr, len))
1016 {
1017 switch (hdr->nlmsg_type)
1018 {
1019 case XFRM_MSG_NEWSA:
1020 {
1021 out_sa = NLMSG_DATA(hdr);
1022 break;
1023 }
1024 case NLMSG_ERROR:
1025 {
1026 struct nlmsgerr *err = NLMSG_DATA(hdr);
1027 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1028 strerror(-err->error), -err->error);
1029 break;
1030 }
1031 default:
1032 hdr = NLMSG_NEXT(hdr, len);
1033 continue;
1034 case NLMSG_DONE:
1035 break;
1036 }
1037 break;
1038 }
1039 }
1040 if (out_sa == NULL)
1041 {
1042 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1043 free(out);
1044 return FAILED;
1045 }
1046
1047 /* try to get the replay state */
1048 got_replay_state = (get_replay_state(
1049 this, spi, protocol, dst, &replay) == SUCCESS);
1050
1051 /* delete the old SA */
1052 if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
1053 {
1054 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1055 free(out);
1056 return FAILED;
1057 }
1058
1059 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1060 ntohl(spi), src, dst, new_src, new_dst);
1061
1062 /* copy over the SA from out to request */
1063 hdr = (struct nlmsghdr*)request;
1064 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1065 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1066 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1067 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1068 sa = NLMSG_DATA(hdr);
1069 sa->family = new_dst->get_family(new_dst);
1070
1071 if (!src->ip_equals(src, new_src))
1072 {
1073 host2xfrm(new_src, &sa->saddr);
1074 }
1075 if (!dst->ip_equals(dst, new_dst))
1076 {
1077 host2xfrm(new_dst, &sa->id.daddr);
1078 }
1079
1080 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1081 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1082 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1083 while(RTA_OK(rta, rtasize))
1084 {
1085 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1086 if (rta->rta_type != XFRMA_ENCAP || encap)
1087 {
1088 if (rta->rta_type == XFRMA_ENCAP)
1089 { /* update encap tmpl */
1090 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1091 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1092 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1093 }
1094 memcpy(pos, rta, rta->rta_len);
1095 pos += RTA_ALIGN(rta->rta_len);
1096 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1097 }
1098 rta = RTA_NEXT(rta, rtasize);
1099 }
1100
1101 rta = (struct rtattr*)pos;
1102 if (tmpl == NULL && encap)
1103 { /* add tmpl if we are enabling it */
1104 rta->rta_type = XFRMA_ENCAP;
1105 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1106
1107 hdr->nlmsg_len += rta->rta_len;
1108 if (hdr->nlmsg_len > sizeof(request))
1109 {
1110 return FAILED;
1111 }
1112
1113 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1114 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1115 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1116 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1117 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1118
1119 rta = XFRM_RTA_NEXT(rta);
1120 }
1121
1122 if (got_replay_state)
1123 { /* copy the replay data if available */
1124 rta->rta_type = XFRMA_REPLAY_VAL;
1125 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1126
1127 hdr->nlmsg_len += rta->rta_len;
1128 if (hdr->nlmsg_len > sizeof(request))
1129 {
1130 return FAILED;
1131 }
1132 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1133
1134 rta = XFRM_RTA_NEXT(rta);
1135 }
1136
1137 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1138 {
1139 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1140 free(out);
1141 return FAILED;
1142 }
1143 free(out);
1144
1145 return SUCCESS;
1146 }
1147
1148 /**
1149 * Implementation of kernel_interface_t.del_sa.
1150 */
1151 static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
1152 u_int32_t spi, protocol_id_t protocol)
1153 {
1154 unsigned char request[NETLINK_BUFFER_SIZE];
1155 struct nlmsghdr *hdr;
1156 struct xfrm_usersa_id *sa_id;
1157
1158 memset(&request, 0, sizeof(request));
1159
1160 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1161
1162 hdr = (struct nlmsghdr*)request;
1163 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1164 hdr->nlmsg_type = XFRM_MSG_DELSA;
1165 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1166
1167 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1168 host2xfrm(dst, &sa_id->daddr);
1169 sa_id->spi = spi;
1170 sa_id->proto = proto_ike2kernel(protocol);
1171 sa_id->family = dst->get_family(dst);
1172
1173 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1174 {
1175 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1176 return FAILED;
1177 }
1178 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1179 return SUCCESS;
1180 }
1181
1182 /**
1183 * Implementation of kernel_interface_t.add_policy.
1184 */
1185 static status_t add_policy(private_kernel_netlink_ipsec_t *this,
1186 host_t *src, host_t *dst,
1187 traffic_selector_t *src_ts,
1188 traffic_selector_t *dst_ts,
1189 policy_dir_t direction, protocol_id_t protocol,
1190 u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
1191 u_int16_t ipcomp)
1192 {
1193 iterator_t *iterator;
1194 policy_entry_t *current, *policy;
1195 bool found = FALSE;
1196 unsigned char request[NETLINK_BUFFER_SIZE];
1197 struct xfrm_userpolicy_info *policy_info;
1198 struct nlmsghdr *hdr;
1199
1200 /* create a policy */
1201 policy = malloc_thing(policy_entry_t);
1202 memset(policy, 0, sizeof(policy_entry_t));
1203 policy->sel = ts2selector(src_ts, dst_ts);
1204 policy->direction = direction;
1205
1206 /* find the policy, which matches EXACTLY */
1207 pthread_mutex_lock(&this->mutex);
1208 iterator = this->policies->create_iterator(this->policies, TRUE);
1209 while (iterator->iterate(iterator, (void**)&current))
1210 {
1211 if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
1212 policy->direction == current->direction)
1213 {
1214 /* use existing policy */
1215 current->refcount++;
1216 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1217 "refcount", src_ts, dst_ts,
1218 policy_dir_names, direction);
1219 free(policy);
1220 policy = current;
1221 found = TRUE;
1222 break;
1223 }
1224 }
1225 iterator->destroy(iterator);
1226 if (!found)
1227 { /* apply the new one, if we have no such policy */
1228 this->policies->insert_last(this->policies, policy);
1229 policy->refcount = 1;
1230 }
1231
1232 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1233 policy_dir_names, direction);
1234
1235 memset(&request, 0, sizeof(request));
1236 hdr = (struct nlmsghdr*)request;
1237 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1238 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1239 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1240
1241 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1242 policy_info->sel = policy->sel;
1243 policy_info->dir = policy->direction;
1244 /* calculate priority based on source selector size, small size = high prio */
1245 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1246 policy_info->priority -= policy->sel.prefixlen_s * 10;
1247 policy_info->priority -= policy->sel.proto ? 2 : 0;
1248 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1249 policy_info->action = XFRM_POLICY_ALLOW;
1250 policy_info->share = XFRM_SHARE_ANY;
1251 pthread_mutex_unlock(&this->mutex);
1252
1253 /* policies don't expire */
1254 policy_info->lft.soft_byte_limit = XFRM_INF;
1255 policy_info->lft.soft_packet_limit = XFRM_INF;
1256 policy_info->lft.hard_byte_limit = XFRM_INF;
1257 policy_info->lft.hard_packet_limit = XFRM_INF;
1258 policy_info->lft.soft_add_expires_seconds = 0;
1259 policy_info->lft.hard_add_expires_seconds = 0;
1260 policy_info->lft.soft_use_expires_seconds = 0;
1261 policy_info->lft.hard_use_expires_seconds = 0;
1262
1263 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1264 rthdr->rta_type = XFRMA_TMPL;
1265 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1266
1267 hdr->nlmsg_len += rthdr->rta_len;
1268 if (hdr->nlmsg_len > sizeof(request))
1269 {
1270 return FAILED;
1271 }
1272
1273 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1274
1275 if (ipcomp != IPCOMP_NONE)
1276 {
1277 tmpl->reqid = reqid;
1278 tmpl->id.proto = IPPROTO_COMP;
1279 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1280 tmpl->mode = mode;
1281 tmpl->optional = direction != POLICY_OUT;
1282 tmpl->family = src->get_family(src);
1283
1284 host2xfrm(src, &tmpl->saddr);
1285 host2xfrm(dst, &tmpl->id.daddr);
1286
1287 /* add an additional xfrm_user_tmpl */
1288 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1289 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1290 if (hdr->nlmsg_len > sizeof(request))
1291 {
1292 return FAILED;
1293 }
1294
1295 tmpl++;
1296 }
1297
1298 tmpl->reqid = reqid;
1299 tmpl->id.proto = proto_ike2kernel(protocol);
1300 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1301 tmpl->mode = mode;
1302 tmpl->family = src->get_family(src);
1303
1304 host2xfrm(src, &tmpl->saddr);
1305 host2xfrm(dst, &tmpl->id.daddr);
1306
1307 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1308 {
1309 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1310 policy_dir_names, direction);
1311 return FAILED;
1312 }
1313
1314 /* install a route, if:
1315 * - we are NOT updating a policy
1316 * - this is a forward policy (to just get one for each child)
1317 * - we are in tunnel mode
1318 * - we are not using IPv6 (does not work correctly yet!)
1319 * - routing is not disabled via strongswan.conf
1320 */
1321 if (policy->route == NULL && direction == POLICY_FWD &&
1322 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1323 this->install_routes)
1324 {
1325 route_entry_t *route = malloc_thing(route_entry_t);
1326
1327 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1328 dst_ts, &route->src_ip) == SUCCESS)
1329 {
1330 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1331 route->gateway = charon->kernel_interface->get_nexthop(
1332 charon->kernel_interface, src);
1333 route->if_name = charon->kernel_interface->get_interface(
1334 charon->kernel_interface, dst);
1335 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1336 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1337 route->prefixlen = policy->sel.prefixlen_s;
1338
1339 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1340 route->dst_net, route->prefixlen, route->gateway,
1341 route->src_ip, route->if_name))
1342 {
1343 default:
1344 DBG1(DBG_KNL, "unable to install source route for %H",
1345 route->src_ip);
1346 /* FALL */
1347 case ALREADY_DONE:
1348 /* route exists, do not uninstall */
1349 route_entry_destroy(route);
1350 break;
1351 case SUCCESS:
1352 /* cache the installed route */
1353 policy->route = route;
1354 break;
1355 }
1356 }
1357 else
1358 {
1359 free(route);
1360 }
1361 }
1362
1363 return SUCCESS;
1364 }
1365
1366 /**
1367 * Implementation of kernel_interface_t.query_policy.
1368 */
1369 static status_t query_policy(private_kernel_netlink_ipsec_t *this,
1370 traffic_selector_t *src_ts,
1371 traffic_selector_t *dst_ts,
1372 policy_dir_t direction, u_int32_t *use_time)
1373 {
1374 unsigned char request[NETLINK_BUFFER_SIZE];
1375 struct nlmsghdr *out = NULL, *hdr;
1376 struct xfrm_userpolicy_id *policy_id;
1377 struct xfrm_userpolicy_info *policy = NULL;
1378 size_t len;
1379
1380 memset(&request, 0, sizeof(request));
1381
1382 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1383 policy_dir_names, direction);
1384
1385 hdr = (struct nlmsghdr*)request;
1386 hdr->nlmsg_flags = NLM_F_REQUEST;
1387 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1388 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1389
1390 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1391 policy_id->sel = ts2selector(src_ts, dst_ts);
1392 policy_id->dir = direction;
1393
1394 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1395 {
1396 hdr = out;
1397 while (NLMSG_OK(hdr, len))
1398 {
1399 switch (hdr->nlmsg_type)
1400 {
1401 case XFRM_MSG_NEWPOLICY:
1402 {
1403 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1404 break;
1405 }
1406 case NLMSG_ERROR:
1407 {
1408 struct nlmsgerr *err = NLMSG_DATA(hdr);
1409 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1410 strerror(-err->error), -err->error);
1411 break;
1412 }
1413 default:
1414 hdr = NLMSG_NEXT(hdr, len);
1415 continue;
1416 case NLMSG_DONE:
1417 break;
1418 }
1419 break;
1420 }
1421 }
1422
1423 if (policy == NULL)
1424 {
1425 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1426 policy_dir_names, direction);
1427 free(out);
1428 return FAILED;
1429 }
1430 *use_time = (time_t)policy->curlft.use_time;
1431
1432 free(out);
1433 return SUCCESS;
1434 }
1435
1436 /**
1437 * Implementation of kernel_interface_t.del_policy.
1438 */
1439 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
1440 traffic_selector_t *src_ts,
1441 traffic_selector_t *dst_ts,
1442 policy_dir_t direction)
1443 {
1444 policy_entry_t *current, policy, *to_delete = NULL;
1445 route_entry_t *route;
1446 unsigned char request[NETLINK_BUFFER_SIZE];
1447 struct nlmsghdr *hdr;
1448 struct xfrm_userpolicy_id *policy_id;
1449 iterator_t *iterator;
1450
1451 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1452 policy_dir_names, direction);
1453
1454 /* create a policy */
1455 memset(&policy, 0, sizeof(policy_entry_t));
1456 policy.sel = ts2selector(src_ts, dst_ts);
1457 policy.direction = direction;
1458
1459 /* find the policy */
1460 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
1461 while (iterator->iterate(iterator, (void**)&current))
1462 {
1463 if (memeq(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) &&
1464 policy.direction == current->direction)
1465 {
1466 to_delete = current;
1467 if (--to_delete->refcount > 0)
1468 {
1469 /* is used by more SAs, keep in kernel */
1470 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1471 iterator->destroy(iterator);
1472 return SUCCESS;
1473 }
1474 /* remove if last reference */
1475 iterator->remove(iterator);
1476 break;
1477 }
1478 }
1479 iterator->destroy(iterator);
1480 if (!to_delete)
1481 {
1482 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1483 dst_ts, policy_dir_names, direction);
1484 return NOT_FOUND;
1485 }
1486
1487 memset(&request, 0, sizeof(request));
1488
1489 hdr = (struct nlmsghdr*)request;
1490 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1491 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1492 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1493
1494 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1495 policy_id->sel = to_delete->sel;
1496 policy_id->dir = direction;
1497
1498 route = to_delete->route;
1499 free(to_delete);
1500
1501 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1502 {
1503 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1504 policy_dir_names, direction);
1505 return FAILED;
1506 }
1507
1508 if (route)
1509 {
1510 if (charon->kernel_interface->del_route(charon->kernel_interface,
1511 route->dst_net, route->prefixlen, route->gateway,
1512 route->src_ip, route->if_name) != SUCCESS)
1513 {
1514 DBG1(DBG_KNL, "error uninstalling route installed with "
1515 "policy %R === %R %N", src_ts, dst_ts,
1516 policy_dir_names, direction);
1517 }
1518 route_entry_destroy(route);
1519 }
1520 return SUCCESS;
1521 }
1522
1523 /**
1524 * Implementation of kernel_interface_t.destroy.
1525 */
1526 static void destroy(private_kernel_netlink_ipsec_t *this)
1527 {
1528 this->job->cancel(this->job);
1529 close(this->socket_xfrm_events);
1530 this->socket_xfrm->destroy(this->socket_xfrm);
1531 this->policies->destroy(this->policies);
1532 free(this);
1533 }
1534
1535 /*
1536 * Described in header.
1537 */
1538 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
1539 {
1540 private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
1541 struct sockaddr_nl addr;
1542
1543 /* public functions */
1544 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1545 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1546 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
1547 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
1548 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1549 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
1550 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1551 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1552 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1553
1554 /* private members */
1555 this->policies = linked_list_create();
1556 pthread_mutex_init(&this->mutex, NULL);
1557 this->install_routes = lib->settings->get_bool(lib->settings,
1558 "charon.install_routes", TRUE);
1559
1560 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
1561
1562 memset(&addr, 0, sizeof(addr));
1563 addr.nl_family = AF_NETLINK;
1564
1565 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
1566 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1567 if (this->socket_xfrm_events <= 0)
1568 {
1569 charon->kill(charon, "unable to create XFRM event socket");
1570 }
1571 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) | XFRMNLGRP(MAPPING);
1572 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
1573 {
1574 charon->kill(charon, "unable to bind XFRM event socket");
1575 }
1576
1577 this->job = callback_job_create((callback_job_cb_t)receive_events,
1578 this, NULL, NULL);
1579 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1580
1581 return &this->public;
1582 }
strongSwan - IPsec VPN