fixed double free of host in selector2ts
[strongswan.git] / src / charon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 *
20 * $Id$
21 */
22
23 #include <sys/types.h>
24 #include <sys/socket.h>
25 #include <sys/time.h>
26 #include <stdint.h>
27 #include <linux/ipsec.h>
28 #include <linux/netlink.h>
29 #include <linux/rtnetlink.h>
30 #include <linux/xfrm.h>
31 #include <linux/udp.h>
32 #include <pthread.h>
33 #include <unistd.h>
34 #include <errno.h>
35 #include <string.h>
36
37 #include "kernel_netlink_ipsec.h"
38 #include "kernel_netlink_shared.h"
39
40 #include <daemon.h>
41 #include <utils/mutex.h>
42 #include <utils/linked_list.h>
43 #include <processing/jobs/callback_job.h>
44 #include <processing/jobs/acquire_job.h>
45 #include <processing/jobs/migrate_job.h>
46 #include <processing/jobs/rekey_child_sa_job.h>
47 #include <processing/jobs/delete_child_sa_job.h>
48 #include <processing/jobs/update_sa_job.h>
49
50 /** required for Linux 2.6.26 kernel and later */
51 #ifndef XFRM_STATE_AF_UNSPEC
52 #define XFRM_STATE_AF_UNSPEC 32
53 #endif
54
55 /** from linux/in.h */
56 #ifndef IP_IPSEC_POLICY
57 #define IP_IPSEC_POLICY 16
58 #endif
59
60 /* missing on uclibc */
61 #ifndef IPV6_IPSEC_POLICY
62 #define IPV6_IPSEC_POLICY 34
63 #endif /*IPV6_IPSEC_POLICY*/
64
65 /** default priority of installed policies */
66 #define PRIO_LOW 3000
67 #define PRIO_HIGH 2000
68
69 /**
70 * Create ORable bitfield of XFRM NL groups
71 */
72 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
73
74 /**
75 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
76 * 'usual' netlink data x like 'struct xfrm_usersa_info'
77 */
78 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
79 /**
80 * returns a pointer to the next rtattr following rta.
81 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
82 */
83 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
84 /**
85 * returns the total size of attached rta data
86 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
87 */
88 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
89
90 typedef struct kernel_algorithm_t kernel_algorithm_t;
91
92 /**
93 * Mapping of IKEv2 kernel identifier to linux crypto API names
94 */
95 struct kernel_algorithm_t {
96 /**
97 * Identifier specified in IKEv2
98 */
99 int ikev2;
100
101 /**
102 * Name of the algorithm in linux crypto API
103 */
104 char *name;
105 };
106
107 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
108 "XFRMA_UNSPEC",
109 "XFRMA_ALG_AUTH",
110 "XFRMA_ALG_CRYPT",
111 "XFRMA_ALG_COMP",
112 "XFRMA_ENCAP",
113 "XFRMA_TMPL",
114 "XFRMA_SA",
115 "XFRMA_POLICY",
116 "XFRMA_SEC_CTX",
117 "XFRMA_LTIME_VAL",
118 "XFRMA_REPLAY_VAL",
119 "XFRMA_REPLAY_THRESH",
120 "XFRMA_ETIMER_THRESH",
121 "XFRMA_SRCADDR",
122 "XFRMA_COADDR",
123 "XFRMA_LASTUSED",
124 "XFRMA_POLICY_TYPE",
125 "XFRMA_MIGRATE",
126 "XFRMA_ALG_AEAD",
127 "XFRMA_KMADDRESS"
128 );
129
130 #define END_OF_LIST -1
131
132 /**
133 * Algorithms for encryption
134 */
135 static kernel_algorithm_t encryption_algs[] = {
136 /* {ENCR_DES_IV64, "***" }, */
137 {ENCR_DES, "des" },
138 {ENCR_3DES, "des3_ede" },
139 /* {ENCR_RC5, "***" }, */
140 /* {ENCR_IDEA, "***" }, */
141 {ENCR_CAST, "cast128" },
142 {ENCR_BLOWFISH, "blowfish" },
143 /* {ENCR_3IDEA, "***" }, */
144 /* {ENCR_DES_IV32, "***" }, */
145 {ENCR_NULL, "cipher_null" },
146 {ENCR_AES_CBC, "aes" },
147 /* {ENCR_AES_CTR, "***" }, */
148 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
149 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
150 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
151 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
152 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
153 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
154 {END_OF_LIST, NULL },
155 };
156
157 /**
158 * Algorithms for integrity protection
159 */
160 static kernel_algorithm_t integrity_algs[] = {
161 {AUTH_HMAC_MD5_96, "md5" },
162 {AUTH_HMAC_SHA1_96, "sha1" },
163 {AUTH_HMAC_SHA2_256_128, "sha256" },
164 {AUTH_HMAC_SHA2_384_192, "sha384" },
165 {AUTH_HMAC_SHA2_512_256, "sha512" },
166 /* {AUTH_DES_MAC, "***" }, */
167 /* {AUTH_KPDK_MD5, "***" }, */
168 {AUTH_AES_XCBC_96, "xcbc(aes)" },
169 {END_OF_LIST, NULL },
170 };
171
172 /**
173 * Algorithms for IPComp
174 */
175 static kernel_algorithm_t compression_algs[] = {
176 /* {IPCOMP_OUI, "***" }, */
177 {IPCOMP_DEFLATE, "deflate" },
178 {IPCOMP_LZS, "lzs" },
179 {IPCOMP_LZJH, "lzjh" },
180 {END_OF_LIST, NULL },
181 };
182
183 /**
184 * Look up a kernel algorithm name and its key size
185 */
186 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
187 {
188 while (list->ikev2 != END_OF_LIST)
189 {
190 if (list->ikev2 == ikev2)
191 {
192 return list->name;
193 }
194 list++;
195 }
196 return NULL;
197 }
198
199 typedef struct route_entry_t route_entry_t;
200
201 /**
202 * installed routing entry
203 */
204 struct route_entry_t {
205 /** Name of the interface the route is bound to */
206 char *if_name;
207
208 /** Source ip of the route */
209 host_t *src_ip;
210
211 /** gateway for this route */
212 host_t *gateway;
213
214 /** Destination net */
215 chunk_t dst_net;
216
217 /** Destination net prefixlen */
218 u_int8_t prefixlen;
219 };
220
221 /**
222 * destroy an route_entry_t object
223 */
224 static void route_entry_destroy(route_entry_t *this)
225 {
226 free(this->if_name);
227 this->src_ip->destroy(this->src_ip);
228 this->gateway->destroy(this->gateway);
229 chunk_free(&this->dst_net);
230 free(this);
231 }
232
233 typedef struct policy_entry_t policy_entry_t;
234
235 /**
236 * installed kernel policy.
237 */
238 struct policy_entry_t {
239
240 /** direction of this policy: in, out, forward */
241 u_int8_t direction;
242
243 /** parameters of installed policy */
244 struct xfrm_selector sel;
245
246 /** associated route installed for this policy */
247 route_entry_t *route;
248
249 /** by how many CHILD_SA's this policy is used */
250 u_int refcount;
251 };
252
253 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
254
255 /**
256 * Private variables and functions of kernel_netlink class.
257 */
258 struct private_kernel_netlink_ipsec_t {
259 /**
260 * Public part of the kernel_netlink_t object.
261 */
262 kernel_netlink_ipsec_t public;
263
264 /**
265 * mutex to lock access to various lists
266 */
267 mutex_t *mutex;
268
269 /**
270 * List of installed policies (policy_entry_t)
271 */
272 linked_list_t *policies;
273
274 /**
275 * job receiving netlink events
276 */
277 callback_job_t *job;
278
279 /**
280 * Netlink xfrm socket (IPsec)
281 */
282 netlink_socket_t *socket_xfrm;
283
284 /**
285 * netlink xfrm socket to receive acquire and expire events
286 */
287 int socket_xfrm_events;
288
289 /**
290 * whether to install routes along policies
291 */
292 bool install_routes;
293 };
294
295 /**
296 * convert a IKEv2 specific protocol identifier to the kernel one
297 */
298 static u_int8_t proto_ike2kernel(protocol_id_t proto)
299 {
300 switch (proto)
301 {
302 case PROTO_ESP:
303 return IPPROTO_ESP;
304 case PROTO_AH:
305 return IPPROTO_AH;
306 default:
307 return proto;
308 }
309 }
310
311 /**
312 * reverse of ike2kernel
313 */
314 static protocol_id_t proto_kernel2ike(u_int8_t proto)
315 {
316 switch (proto)
317 {
318 case IPPROTO_ESP:
319 return PROTO_ESP;
320 case IPPROTO_AH:
321 return PROTO_AH;
322 default:
323 return proto;
324 }
325 }
326
327 /**
328 * convert a host_t to a struct xfrm_address
329 */
330 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
331 {
332 chunk_t chunk = host->get_address(host);
333 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
334 }
335
336 /**
337 * convert a struct xfrm_address to a host_t
338 */
339 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
340 {
341 chunk_t chunk;
342
343 switch (family)
344 {
345 case AF_INET:
346 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
347 break;
348 case AF_INET6:
349 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
350 break;
351 default:
352 return NULL;
353 }
354 return host_create_from_chunk(family, chunk, ntohs(port));
355 }
356
357 /**
358 * convert a traffic selector address range to subnet and its mask.
359 */
360 static void ts2subnet(traffic_selector_t* ts,
361 xfrm_address_t *net, u_int8_t *mask)
362 {
363 host_t *net_host;
364 chunk_t net_chunk;
365
366 ts->to_subnet(ts, &net_host, mask);
367 net_chunk = net_host->get_address(net_host);
368 memcpy(net, net_chunk.ptr, net_chunk.len);
369 net_host->destroy(net_host);
370 }
371
372 /**
373 * convert a traffic selector port range to port/portmask
374 */
375 static void ts2ports(traffic_selector_t* ts,
376 u_int16_t *port, u_int16_t *mask)
377 {
378 /* linux does not seem to accept complex portmasks. Only
379 * any or a specific port is allowed. We set to any, if we have
380 * a port range, or to a specific, if we have one port only.
381 */
382 u_int16_t from, to;
383
384 from = ts->get_from_port(ts);
385 to = ts->get_to_port(ts);
386
387 if (from == to)
388 {
389 *port = htons(from);
390 *mask = ~0;
391 }
392 else
393 {
394 *port = 0;
395 *mask = 0;
396 }
397 }
398
399 /**
400 * convert a pair of traffic_selectors to a xfrm_selector
401 */
402 static struct xfrm_selector ts2selector(traffic_selector_t *src,
403 traffic_selector_t *dst)
404 {
405 struct xfrm_selector sel;
406
407 memset(&sel, 0, sizeof(sel));
408 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
409 /* src or dest proto may be "any" (0), use more restrictive one */
410 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
411 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
412 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
413 ts2ports(dst, &sel.dport, &sel.dport_mask);
414 ts2ports(src, &sel.sport, &sel.sport_mask);
415 sel.ifindex = 0;
416 sel.user = 0;
417
418 return sel;
419 }
420
421 /**
422 * convert a xfrm_selector to a src|dst traffic_selector
423 */
424 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
425 {
426 u_char *addr;
427 u_int8_t prefixlen;
428 u_int16_t port = 0;
429 host_t *host = NULL;
430
431 if (src)
432 {
433 addr = (u_char*)&sel->saddr;
434 prefixlen = sel->prefixlen_s;
435 if (sel->sport_mask)
436 {
437 port = htons(sel->sport);
438 }
439 }
440 else
441 {
442 addr = (u_char*)&sel->daddr;
443 prefixlen = sel->prefixlen_d;
444 if (sel->dport_mask)
445 {
446 port = htons(sel->dport);
447 }
448 }
449
450 /* The Linux 2.6 kernel does not set the selector's family field,
451 * so as a kludge we additionally test the prefix length.
452 */
453 if (sel->family == AF_INET || sel->prefixlen_s == 32)
454 {
455 host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
456 }
457 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
458 {
459 host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
460 }
461
462 if (host)
463 {
464 return traffic_selector_create_from_subnet(host, prefixlen,
465 sel->proto, port);
466 }
467 return NULL;
468 }
469
470 /**
471 * process a XFRM_MSG_ACQUIRE from kernel
472 */
473 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
474 {
475 u_int32_t reqid = 0;
476 int proto = 0;
477 traffic_selector_t *src_ts, *dst_ts;
478 struct xfrm_user_acquire *acquire;
479 struct rtattr *rta;
480 size_t rtasize;
481 job_t *job;
482
483 acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
484 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
485 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
486
487 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
488
489 while (RTA_OK(rta, rtasize))
490 {
491 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
492
493 if (rta->rta_type == XFRMA_TMPL)
494 {
495 struct xfrm_user_tmpl* tmpl;
496
497 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
498 reqid = tmpl->reqid;
499 proto = tmpl->id.proto;
500 }
501 rta = RTA_NEXT(rta, rtasize);
502 }
503 switch (proto)
504 {
505 case 0:
506 case IPPROTO_ESP:
507 case IPPROTO_AH:
508 break;
509 default:
510 /* acquire for AH/ESP only, not for IPCOMP */
511 return;
512 }
513 src_ts = selector2ts(&acquire->sel, TRUE);
514 dst_ts = selector2ts(&acquire->sel, FALSE);
515 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
516 src_ts, dst_ts, reqid);
517 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
518 charon->processor->queue_job(charon->processor, job);
519 }
520
521 /**
522 * process a XFRM_MSG_EXPIRE from kernel
523 */
524 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
525 {
526 job_t *job;
527 protocol_id_t protocol;
528 u_int32_t spi, reqid;
529 struct xfrm_user_expire *expire;
530
531 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
532 protocol = proto_kernel2ike(expire->state.id.proto);
533 spi = expire->state.id.spi;
534 reqid = expire->state.reqid;
535
536 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
537
538 if (protocol != PROTO_ESP && protocol != PROTO_AH)
539 {
540 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
541 "which is not a CHILD_SA", ntohl(spi), reqid);
542 return;
543 }
544
545 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
546 expire->hard ? "delete" : "rekey", protocol_id_names,
547 protocol, ntohl(spi), reqid);
548 if (expire->hard)
549 {
550 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
551 }
552 else
553 {
554 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
555 }
556 charon->processor->queue_job(charon->processor, job);
557 }
558
559 /**
560 * process a XFRM_MSG_MIGRATE from kernel
561 */
562 static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
563 {
564 traffic_selector_t *src_ts, *dst_ts;
565 host_t *local = NULL, *remote = NULL;
566 host_t *old_src = NULL, *old_dst = NULL;
567 host_t *new_src = NULL, *new_dst = NULL;
568 struct xfrm_userpolicy_id *policy_id;
569 struct rtattr *rta;
570 size_t rtasize;
571 u_int32_t reqid = 0;
572 policy_dir_t dir;
573 job_t *job;
574
575 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
576 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
577 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
578
579 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
580
581 src_ts = selector2ts(&policy_id->sel, TRUE);
582 dst_ts = selector2ts(&policy_id->sel, FALSE);
583 dir = (policy_dir_t)policy_id->dir;
584
585 DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
586
587 while (RTA_OK(rta, rtasize))
588 {
589 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
590 if (rta->rta_type == XFRMA_KMADDRESS)
591 {
592 struct xfrm_user_kmaddress *kmaddress;
593
594 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
595 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
596 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
597 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
598 }
599 else if (rta->rta_type == XFRMA_MIGRATE)
600 {
601 struct xfrm_user_migrate *migrate;
602 protocol_id_t proto;
603
604 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
605 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
606 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
607 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
608 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
609 proto = proto_kernel2ike(migrate->proto);
610 reqid = migrate->reqid;
611 DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}",
612 protocol_id_names, proto, old_src, old_dst,
613 new_src, new_dst, reqid);
614 DESTROY_IF(old_src);
615 DESTROY_IF(old_dst);
616 DESTROY_IF(new_src);
617 DESTROY_IF(new_dst);
618 }
619 rta = RTA_NEXT(rta, rtasize);
620 }
621
622 if (src_ts && dst_ts && local && remote)
623 {
624 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
625 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
626 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
627 local, remote);
628 charon->processor->queue_job(charon->processor, job);
629 }
630 else
631 {
632 DESTROY_IF(src_ts);
633 DESTROY_IF(dst_ts);
634 DESTROY_IF(local);
635 DESTROY_IF(remote);
636 }
637 }
638
639 /**
640 * process a XFRM_MSG_MAPPING from kernel
641 */
642 static void process_mapping(private_kernel_netlink_ipsec_t *this,
643 struct nlmsghdr *hdr)
644 {
645 job_t *job;
646 u_int32_t spi, reqid;
647 struct xfrm_user_mapping *mapping;
648 host_t *host;
649
650 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
651 spi = mapping->id.spi;
652 reqid = mapping->reqid;
653
654 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
655
656 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
657 {
658 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
659 mapping->new_sport);
660 if (host)
661 {
662 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
663 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
664 job = (job_t*)update_sa_job_create(reqid, host);
665 charon->processor->queue_job(charon->processor, job);
666 }
667 }
668 }
669
670 /**
671 * Receives events from kernel
672 */
673 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
674 {
675 char response[1024];
676 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
677 struct sockaddr_nl addr;
678 socklen_t addr_len = sizeof(addr);
679 int len, oldstate;
680
681 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
682 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
683 (struct sockaddr*)&addr, &addr_len);
684 pthread_setcancelstate(oldstate, NULL);
685
686 if (len < 0)
687 {
688 switch (errno)
689 {
690 case EINTR:
691 /* interrupted, try again */
692 return JOB_REQUEUE_DIRECT;
693 case EAGAIN:
694 /* no data ready, select again */
695 return JOB_REQUEUE_DIRECT;
696 default:
697 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
698 sleep(1);
699 return JOB_REQUEUE_FAIR;
700 }
701 }
702
703 if (addr.nl_pid != 0)
704 { /* not from kernel. not interested, try another one */
705 return JOB_REQUEUE_DIRECT;
706 }
707
708 while (NLMSG_OK(hdr, len))
709 {
710 switch (hdr->nlmsg_type)
711 {
712 case XFRM_MSG_ACQUIRE:
713 process_acquire(this, hdr);
714 break;
715 case XFRM_MSG_EXPIRE:
716 process_expire(this, hdr);
717 break;
718 case XFRM_MSG_MIGRATE:
719 process_migrate(this, hdr);
720 break;
721 case XFRM_MSG_MAPPING:
722 process_mapping(this, hdr);
723 break;
724 default:
725 break;
726 }
727 hdr = NLMSG_NEXT(hdr, len);
728 }
729 return JOB_REQUEUE_DIRECT;
730 }
731
732 /**
733 * Get an SPI for a specific protocol from the kernel.
734 */
735 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
736 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
737 u_int32_t reqid, u_int32_t *spi)
738 {
739 netlink_buf_t request;
740 struct nlmsghdr *hdr, *out;
741 struct xfrm_userspi_info *userspi;
742 u_int32_t received_spi = 0;
743 size_t len;
744
745 memset(&request, 0, sizeof(request));
746
747 hdr = (struct nlmsghdr*)request;
748 hdr->nlmsg_flags = NLM_F_REQUEST;
749 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
750 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
751
752 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
753 host2xfrm(src, &userspi->info.saddr);
754 host2xfrm(dst, &userspi->info.id.daddr);
755 userspi->info.id.proto = proto;
756 userspi->info.mode = TRUE; /* tunnel mode */
757 userspi->info.reqid = reqid;
758 userspi->info.family = src->get_family(src);
759 userspi->min = min;
760 userspi->max = max;
761
762 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
763 {
764 hdr = out;
765 while (NLMSG_OK(hdr, len))
766 {
767 switch (hdr->nlmsg_type)
768 {
769 case XFRM_MSG_NEWSA:
770 {
771 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
772 received_spi = usersa->id.spi;
773 break;
774 }
775 case NLMSG_ERROR:
776 {
777 struct nlmsgerr *err = NLMSG_DATA(hdr);
778
779 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
780 strerror(-err->error), -err->error);
781 break;
782 }
783 default:
784 hdr = NLMSG_NEXT(hdr, len);
785 continue;
786 case NLMSG_DONE:
787 break;
788 }
789 break;
790 }
791 free(out);
792 }
793
794 if (received_spi == 0)
795 {
796 return FAILED;
797 }
798
799 *spi = received_spi;
800 return SUCCESS;
801 }
802
803 /**
804 * Implementation of kernel_interface_t.get_spi.
805 */
806 static status_t get_spi(private_kernel_netlink_ipsec_t *this,
807 host_t *src, host_t *dst,
808 protocol_id_t protocol, u_int32_t reqid,
809 u_int32_t *spi)
810 {
811 DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
812
813 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
814 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
815 {
816 DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
817 return FAILED;
818 }
819
820 DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
821
822 return SUCCESS;
823 }
824
825 /**
826 * Implementation of kernel_interface_t.get_cpi.
827 */
828 static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
829 host_t *src, host_t *dst,
830 u_int32_t reqid, u_int16_t *cpi)
831 {
832 u_int32_t received_spi = 0;
833
834 DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
835
836 if (get_spi_internal(this, src, dst,
837 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
838 {
839 DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
840 return FAILED;
841 }
842
843 *cpi = htons((u_int16_t)ntohl(received_spi));
844
845 DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
846
847 return SUCCESS;
848 }
849
850 /**
851 * Implementation of kernel_interface_t.add_sa.
852 */
853 static status_t add_sa(private_kernel_netlink_ipsec_t *this,
854 host_t *src, host_t *dst, u_int32_t spi,
855 protocol_id_t protocol, u_int32_t reqid,
856 u_int64_t expire_soft, u_int64_t expire_hard,
857 u_int16_t enc_alg, chunk_t enc_key,
858 u_int16_t int_alg, chunk_t int_key,
859 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
860 bool encap, bool inbound)
861 {
862 netlink_buf_t request;
863 char *alg_name;
864 struct nlmsghdr *hdr;
865 struct xfrm_usersa_info *sa;
866 u_int16_t icv_size = 64;
867
868 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
869 * we are in the recursive call below */
870 if (ipcomp != IPCOMP_NONE && cpi != 0)
871 {
872 add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, 0, 0,
873 ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
874 mode, ipcomp, 0, FALSE, inbound);
875 ipcomp = IPCOMP_NONE;
876 }
877
878 memset(&request, 0, sizeof(request));
879
880 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
881 ntohl(spi), reqid);
882
883 hdr = (struct nlmsghdr*)request;
884 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
885 hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
886 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
887
888 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
889 host2xfrm(src, &sa->saddr);
890 host2xfrm(dst, &sa->id.daddr);
891 sa->id.spi = spi;
892 sa->id.proto = proto_ike2kernel(protocol);
893 sa->family = src->get_family(src);
894 sa->mode = mode;
895 if (mode == MODE_TUNNEL)
896 {
897 sa->flags |= XFRM_STATE_AF_UNSPEC;
898 }
899 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
900 sa->reqid = reqid;
901 /* we currently do not expire SAs by volume/packet count */
902 sa->lft.soft_byte_limit = XFRM_INF;
903 sa->lft.hard_byte_limit = XFRM_INF;
904 sa->lft.soft_packet_limit = XFRM_INF;
905 sa->lft.hard_packet_limit = XFRM_INF;
906 /* we use lifetimes since added, not since used */
907 sa->lft.soft_add_expires_seconds = expire_soft;
908 sa->lft.hard_add_expires_seconds = expire_hard;
909 sa->lft.soft_use_expires_seconds = 0;
910 sa->lft.hard_use_expires_seconds = 0;
911
912 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
913
914 switch (enc_alg)
915 {
916 case ENCR_UNDEFINED:
917 /* no encryption */
918 break;
919 case ENCR_AES_CCM_ICV16:
920 case ENCR_AES_GCM_ICV16:
921 icv_size += 32;
922 /* FALL */
923 case ENCR_AES_CCM_ICV12:
924 case ENCR_AES_GCM_ICV12:
925 icv_size += 32;
926 /* FALL */
927 case ENCR_AES_CCM_ICV8:
928 case ENCR_AES_GCM_ICV8:
929 {
930 rthdr->rta_type = XFRMA_ALG_AEAD;
931 alg_name = lookup_algorithm(encryption_algs, enc_alg);
932 if (alg_name == NULL)
933 {
934 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
935 encryption_algorithm_names, enc_alg);
936 return FAILED;
937 }
938 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
939 encryption_algorithm_names, enc_alg, enc_key.len * 8);
940
941 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
942 hdr->nlmsg_len += rthdr->rta_len;
943 if (hdr->nlmsg_len > sizeof(request))
944 {
945 return FAILED;
946 }
947
948 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
949 algo->alg_key_len = enc_key.len * 8;
950 algo->alg_icv_len = icv_size;
951 strcpy(algo->alg_name, alg_name);
952 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
953
954 rthdr = XFRM_RTA_NEXT(rthdr);
955 break;
956 }
957 default:
958 {
959 rthdr->rta_type = XFRMA_ALG_CRYPT;
960 alg_name = lookup_algorithm(encryption_algs, enc_alg);
961 if (alg_name == NULL)
962 {
963 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
964 encryption_algorithm_names, enc_alg);
965 return FAILED;
966 }
967 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
968 encryption_algorithm_names, enc_alg, enc_key.len * 8);
969
970 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
971 hdr->nlmsg_len += rthdr->rta_len;
972 if (hdr->nlmsg_len > sizeof(request))
973 {
974 return FAILED;
975 }
976
977 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
978 algo->alg_key_len = enc_key.len * 8;
979 strcpy(algo->alg_name, alg_name);
980 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
981
982 rthdr = XFRM_RTA_NEXT(rthdr);
983 break;
984 }
985 }
986
987 if (int_alg != AUTH_UNDEFINED)
988 {
989 rthdr->rta_type = XFRMA_ALG_AUTH;
990 alg_name = lookup_algorithm(integrity_algs, int_alg);
991 if (alg_name == NULL)
992 {
993 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
994 integrity_algorithm_names, int_alg);
995 return FAILED;
996 }
997 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
998 integrity_algorithm_names, int_alg, int_key.len * 8);
999
1000 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
1001 hdr->nlmsg_len += rthdr->rta_len;
1002 if (hdr->nlmsg_len > sizeof(request))
1003 {
1004 return FAILED;
1005 }
1006
1007 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1008 algo->alg_key_len = int_key.len * 8;
1009 strcpy(algo->alg_name, alg_name);
1010 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1011
1012 rthdr = XFRM_RTA_NEXT(rthdr);
1013 }
1014
1015 if (ipcomp != IPCOMP_NONE)
1016 {
1017 rthdr->rta_type = XFRMA_ALG_COMP;
1018 alg_name = lookup_algorithm(compression_algs, ipcomp);
1019 if (alg_name == NULL)
1020 {
1021 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1022 ipcomp_transform_names, ipcomp);
1023 return FAILED;
1024 }
1025 DBG2(DBG_KNL, " using compression algorithm %N",
1026 ipcomp_transform_names, ipcomp);
1027
1028 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
1029 hdr->nlmsg_len += rthdr->rta_len;
1030 if (hdr->nlmsg_len > sizeof(request))
1031 {
1032 return FAILED;
1033 }
1034
1035 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1036 algo->alg_key_len = 0;
1037 strcpy(algo->alg_name, alg_name);
1038
1039 rthdr = XFRM_RTA_NEXT(rthdr);
1040 }
1041
1042 if (encap)
1043 {
1044 rthdr->rta_type = XFRMA_ENCAP;
1045 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1046
1047 hdr->nlmsg_len += rthdr->rta_len;
1048 if (hdr->nlmsg_len > sizeof(request))
1049 {
1050 return FAILED;
1051 }
1052
1053 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1054 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1055 tmpl->encap_sport = htons(src->get_port(src));
1056 tmpl->encap_dport = htons(dst->get_port(dst));
1057 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1058 /* encap_oa could probably be derived from the
1059 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1060 * pluto does the same as we do here but it uses encap_oa in the
1061 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1062 * the kernel ignores it anyway
1063 * -> does that mean that NAT-T encap doesn't work in transport mode?
1064 * No. The reason the kernel ignores NAT-OA is that it recomputes
1065 * (or, rather, just ignores) the checksum. If packets pass
1066 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1067 rthdr = XFRM_RTA_NEXT(rthdr);
1068 }
1069
1070 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1071 {
1072 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1073 return FAILED;
1074 }
1075 return SUCCESS;
1076 }
1077
1078 /**
1079 * Get the replay state (i.e. sequence numbers) of an SA.
1080 */
1081 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
1082 u_int32_t spi, protocol_id_t protocol, host_t *dst,
1083 struct xfrm_replay_state *replay)
1084 {
1085 netlink_buf_t request;
1086 struct nlmsghdr *hdr, *out = NULL;
1087 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1088 size_t len;
1089 struct rtattr *rta;
1090 size_t rtasize;
1091
1092 memset(&request, 0, sizeof(request));
1093
1094 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
1095
1096 hdr = (struct nlmsghdr*)request;
1097 hdr->nlmsg_flags = NLM_F_REQUEST;
1098 hdr->nlmsg_type = XFRM_MSG_GETAE;
1099 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1100
1101 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1102 aevent_id->flags = XFRM_AE_RVAL;
1103
1104 host2xfrm(dst, &aevent_id->sa_id.daddr);
1105 aevent_id->sa_id.spi = spi;
1106 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
1107 aevent_id->sa_id.family = dst->get_family(dst);
1108
1109 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1110 {
1111 hdr = out;
1112 while (NLMSG_OK(hdr, len))
1113 {
1114 switch (hdr->nlmsg_type)
1115 {
1116 case XFRM_MSG_NEWAE:
1117 {
1118 out_aevent = NLMSG_DATA(hdr);
1119 break;
1120 }
1121 case NLMSG_ERROR:
1122 {
1123 struct nlmsgerr *err = NLMSG_DATA(hdr);
1124 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
1125 strerror(-err->error), -err->error);
1126 break;
1127 }
1128 default:
1129 hdr = NLMSG_NEXT(hdr, len);
1130 continue;
1131 case NLMSG_DONE:
1132 break;
1133 }
1134 break;
1135 }
1136 }
1137
1138 if (out_aevent == NULL)
1139 {
1140 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1141 ntohl(spi));
1142 free(out);
1143 return FAILED;
1144 }
1145
1146 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1147 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1148 while(RTA_OK(rta, rtasize))
1149 {
1150 if (rta->rta_type == XFRMA_REPLAY_VAL &&
1151 RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
1152 {
1153 memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
1154 free(out);
1155 return SUCCESS;
1156 }
1157 rta = RTA_NEXT(rta, rtasize);
1158 }
1159
1160 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1161 ntohl(spi));
1162 free(out);
1163 return FAILED;
1164 }
1165
1166 /**
1167 * Implementation of kernel_interface_t.del_sa.
1168 */
1169 static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
1170 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
1171 {
1172 netlink_buf_t request;
1173 struct nlmsghdr *hdr;
1174 struct xfrm_usersa_id *sa_id;
1175
1176 /* if IPComp was used, we first delete the additional IPComp SA */
1177 if (cpi)
1178 {
1179 del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
1180 }
1181
1182 memset(&request, 0, sizeof(request));
1183
1184 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1185
1186 hdr = (struct nlmsghdr*)request;
1187 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1188 hdr->nlmsg_type = XFRM_MSG_DELSA;
1189 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1190
1191 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1192 host2xfrm(dst, &sa_id->daddr);
1193 sa_id->spi = spi;
1194 sa_id->proto = proto_ike2kernel(protocol);
1195 sa_id->family = dst->get_family(dst);
1196
1197 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1198 {
1199 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1200 return FAILED;
1201 }
1202 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1203 return SUCCESS;
1204 }
1205
1206 /**
1207 * Implementation of kernel_interface_t.update_sa.
1208 */
1209 static status_t update_sa(private_kernel_netlink_ipsec_t *this,
1210 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1211 host_t *src, host_t *dst,
1212 host_t *new_src, host_t *new_dst,
1213 bool old_encap, bool new_encap)
1214 {
1215 netlink_buf_t request;
1216 u_char *pos;
1217 struct nlmsghdr *hdr, *out = NULL;
1218 struct xfrm_usersa_id *sa_id;
1219 struct xfrm_usersa_info *out_sa = NULL, *sa;
1220 size_t len;
1221 struct rtattr *rta;
1222 size_t rtasize;
1223 struct xfrm_encap_tmpl* tmpl = NULL;
1224 bool got_replay_state = FALSE;
1225 struct xfrm_replay_state replay;
1226
1227 /* if IPComp is used, we first update the IPComp SA */
1228 if (cpi)
1229 {
1230 update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
1231 src, dst, new_src, new_dst, FALSE, FALSE);
1232 }
1233
1234 memset(&request, 0, sizeof(request));
1235
1236 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1237
1238 /* query the existing SA first */
1239 hdr = (struct nlmsghdr*)request;
1240 hdr->nlmsg_flags = NLM_F_REQUEST;
1241 hdr->nlmsg_type = XFRM_MSG_GETSA;
1242 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1243
1244 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1245 host2xfrm(dst, &sa_id->daddr);
1246 sa_id->spi = spi;
1247 sa_id->proto = proto_ike2kernel(protocol);
1248 sa_id->family = dst->get_family(dst);
1249
1250 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1251 {
1252 hdr = out;
1253 while (NLMSG_OK(hdr, len))
1254 {
1255 switch (hdr->nlmsg_type)
1256 {
1257 case XFRM_MSG_NEWSA:
1258 {
1259 out_sa = NLMSG_DATA(hdr);
1260 break;
1261 }
1262 case NLMSG_ERROR:
1263 {
1264 struct nlmsgerr *err = NLMSG_DATA(hdr);
1265 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1266 strerror(-err->error), -err->error);
1267 break;
1268 }
1269 default:
1270 hdr = NLMSG_NEXT(hdr, len);
1271 continue;
1272 case NLMSG_DONE:
1273 break;
1274 }
1275 break;
1276 }
1277 }
1278 if (out_sa == NULL)
1279 {
1280 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1281 free(out);
1282 return FAILED;
1283 }
1284
1285 /* try to get the replay state */
1286 if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
1287 {
1288 got_replay_state = TRUE;
1289 }
1290
1291 /* delete the old SA (without affecting the IPComp SA) */
1292 if (del_sa(this, dst, spi, protocol, 0) != SUCCESS)
1293 {
1294 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1295 free(out);
1296 return FAILED;
1297 }
1298
1299 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1300 ntohl(spi), src, dst, new_src, new_dst);
1301 /* copy over the SA from out to request */
1302 hdr = (struct nlmsghdr*)request;
1303 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1304 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1305 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1306 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1307 sa = NLMSG_DATA(hdr);
1308 sa->family = new_dst->get_family(new_dst);
1309
1310 if (!src->ip_equals(src, new_src))
1311 {
1312 host2xfrm(new_src, &sa->saddr);
1313 }
1314 if (!dst->ip_equals(dst, new_dst))
1315 {
1316 host2xfrm(new_dst, &sa->id.daddr);
1317 }
1318
1319 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1320 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1321 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1322 while(RTA_OK(rta, rtasize))
1323 {
1324 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1325 if (rta->rta_type != XFRMA_ENCAP || new_encap)
1326 {
1327 if (rta->rta_type == XFRMA_ENCAP)
1328 { /* update encap tmpl */
1329 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1330 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1331 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1332 }
1333 memcpy(pos, rta, rta->rta_len);
1334 pos += RTA_ALIGN(rta->rta_len);
1335 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1336 }
1337 rta = RTA_NEXT(rta, rtasize);
1338 }
1339
1340 rta = (struct rtattr*)pos;
1341 if (tmpl == NULL && new_encap)
1342 { /* add tmpl if we are enabling it */
1343 rta->rta_type = XFRMA_ENCAP;
1344 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1345
1346 hdr->nlmsg_len += rta->rta_len;
1347 if (hdr->nlmsg_len > sizeof(request))
1348 {
1349 return FAILED;
1350 }
1351
1352 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1353 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1354 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1355 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1356 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1357
1358 rta = XFRM_RTA_NEXT(rta);
1359 }
1360
1361 if (got_replay_state)
1362 { /* copy the replay data if available */
1363 rta->rta_type = XFRMA_REPLAY_VAL;
1364 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1365
1366 hdr->nlmsg_len += rta->rta_len;
1367 if (hdr->nlmsg_len > sizeof(request))
1368 {
1369 return FAILED;
1370 }
1371 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1372
1373 rta = XFRM_RTA_NEXT(rta);
1374 }
1375
1376 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1377 {
1378 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1379 free(out);
1380 return FAILED;
1381 }
1382 free(out);
1383
1384 return SUCCESS;
1385 }
1386
1387 /**
1388 * Implementation of kernel_interface_t.add_policy.
1389 */
1390 static status_t add_policy(private_kernel_netlink_ipsec_t *this,
1391 host_t *src, host_t *dst,
1392 traffic_selector_t *src_ts,
1393 traffic_selector_t *dst_ts,
1394 policy_dir_t direction, u_int32_t spi,
1395 protocol_id_t protocol, u_int32_t reqid,
1396 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1397 bool routed)
1398 {
1399 iterator_t *iterator;
1400 policy_entry_t *current, *policy;
1401 bool found = FALSE;
1402 netlink_buf_t request;
1403 struct xfrm_userpolicy_info *policy_info;
1404 struct nlmsghdr *hdr;
1405
1406 /* create a policy */
1407 policy = malloc_thing(policy_entry_t);
1408 memset(policy, 0, sizeof(policy_entry_t));
1409 policy->sel = ts2selector(src_ts, dst_ts);
1410 policy->direction = direction;
1411
1412 /* find the policy, which matches EXACTLY */
1413 this->mutex->lock(this->mutex);
1414 iterator = this->policies->create_iterator(this->policies, TRUE);
1415 while (iterator->iterate(iterator, (void**)&current))
1416 {
1417 if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
1418 policy->direction == current->direction)
1419 {
1420 /* use existing policy */
1421 current->refcount++;
1422 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1423 "refcount", src_ts, dst_ts,
1424 policy_dir_names, direction);
1425 free(policy);
1426 policy = current;
1427 found = TRUE;
1428 break;
1429 }
1430 }
1431 iterator->destroy(iterator);
1432 if (!found)
1433 { /* apply the new one, if we have no such policy */
1434 this->policies->insert_last(this->policies, policy);
1435 policy->refcount = 1;
1436 }
1437
1438 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1439 policy_dir_names, direction);
1440
1441 memset(&request, 0, sizeof(request));
1442 hdr = (struct nlmsghdr*)request;
1443 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1444 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1445 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1446
1447 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1448 policy_info->sel = policy->sel;
1449 policy_info->dir = policy->direction;
1450 /* calculate priority based on source selector size, small size = high prio */
1451 policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
1452 policy_info->priority -= policy->sel.prefixlen_s * 10;
1453 policy_info->priority -= policy->sel.proto ? 2 : 0;
1454 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1455 policy_info->action = XFRM_POLICY_ALLOW;
1456 policy_info->share = XFRM_SHARE_ANY;
1457 this->mutex->unlock(this->mutex);
1458
1459 /* policies don't expire */
1460 policy_info->lft.soft_byte_limit = XFRM_INF;
1461 policy_info->lft.soft_packet_limit = XFRM_INF;
1462 policy_info->lft.hard_byte_limit = XFRM_INF;
1463 policy_info->lft.hard_packet_limit = XFRM_INF;
1464 policy_info->lft.soft_add_expires_seconds = 0;
1465 policy_info->lft.hard_add_expires_seconds = 0;
1466 policy_info->lft.soft_use_expires_seconds = 0;
1467 policy_info->lft.hard_use_expires_seconds = 0;
1468
1469 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1470 rthdr->rta_type = XFRMA_TMPL;
1471 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1472
1473 hdr->nlmsg_len += rthdr->rta_len;
1474 if (hdr->nlmsg_len > sizeof(request))
1475 {
1476 return FAILED;
1477 }
1478
1479 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1480
1481 if (ipcomp != IPCOMP_NONE)
1482 {
1483 tmpl->reqid = reqid;
1484 tmpl->id.proto = IPPROTO_COMP;
1485 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1486 tmpl->mode = mode;
1487 tmpl->optional = direction != POLICY_OUT;
1488 tmpl->family = src->get_family(src);
1489
1490 host2xfrm(src, &tmpl->saddr);
1491 host2xfrm(dst, &tmpl->id.daddr);
1492
1493 /* add an additional xfrm_user_tmpl */
1494 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1495 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1496 if (hdr->nlmsg_len > sizeof(request))
1497 {
1498 return FAILED;
1499 }
1500
1501 tmpl++;
1502 }
1503
1504 tmpl->reqid = reqid;
1505 tmpl->id.proto = proto_ike2kernel(protocol);
1506 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1507 tmpl->mode = mode;
1508 tmpl->family = src->get_family(src);
1509
1510 host2xfrm(src, &tmpl->saddr);
1511 host2xfrm(dst, &tmpl->id.daddr);
1512
1513 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1514 {
1515 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1516 policy_dir_names, direction);
1517 return FAILED;
1518 }
1519
1520 /* install a route, if:
1521 * - we are NOT updating a policy
1522 * - this is a forward policy (to just get one for each child)
1523 * - we are in tunnel mode
1524 * - we are not using IPv6 (does not work correctly yet!)
1525 * - routing is not disabled via strongswan.conf
1526 */
1527 if (policy->route == NULL && direction == POLICY_FWD &&
1528 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1529 this->install_routes)
1530 {
1531 route_entry_t *route = malloc_thing(route_entry_t);
1532
1533 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1534 dst_ts, &route->src_ip) == SUCCESS)
1535 {
1536 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1537 route->gateway = charon->kernel_interface->get_nexthop(
1538 charon->kernel_interface, src);
1539 route->if_name = charon->kernel_interface->get_interface(
1540 charon->kernel_interface, dst);
1541 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1542 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1543 route->prefixlen = policy->sel.prefixlen_s;
1544
1545 if (route->if_name)
1546 {
1547 switch (charon->kernel_interface->add_route(
1548 charon->kernel_interface, route->dst_net,
1549 route->prefixlen, route->gateway,
1550 route->src_ip, route->if_name))
1551 {
1552 default:
1553 DBG1(DBG_KNL, "unable to install source route for %H",
1554 route->src_ip);
1555 /* FALL */
1556 case ALREADY_DONE:
1557 /* route exists, do not uninstall */
1558 route_entry_destroy(route);
1559 break;
1560 case SUCCESS:
1561 /* cache the installed route */
1562 policy->route = route;
1563 break;
1564 }
1565 }
1566 else
1567 {
1568 route_entry_destroy(route);
1569 }
1570 }
1571 else
1572 {
1573 free(route);
1574 }
1575 }
1576 return SUCCESS;
1577 }
1578
1579 /**
1580 * Implementation of kernel_interface_t.query_policy.
1581 */
1582 static status_t query_policy(private_kernel_netlink_ipsec_t *this,
1583 traffic_selector_t *src_ts,
1584 traffic_selector_t *dst_ts,
1585 policy_dir_t direction, u_int32_t *use_time)
1586 {
1587 netlink_buf_t request;
1588 struct nlmsghdr *out = NULL, *hdr;
1589 struct xfrm_userpolicy_id *policy_id;
1590 struct xfrm_userpolicy_info *policy = NULL;
1591 size_t len;
1592
1593 memset(&request, 0, sizeof(request));
1594
1595 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1596 policy_dir_names, direction);
1597
1598 hdr = (struct nlmsghdr*)request;
1599 hdr->nlmsg_flags = NLM_F_REQUEST;
1600 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1601 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1602
1603 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1604 policy_id->sel = ts2selector(src_ts, dst_ts);
1605 policy_id->dir = direction;
1606
1607 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1608 {
1609 hdr = out;
1610 while (NLMSG_OK(hdr, len))
1611 {
1612 switch (hdr->nlmsg_type)
1613 {
1614 case XFRM_MSG_NEWPOLICY:
1615 {
1616 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1617 break;
1618 }
1619 case NLMSG_ERROR:
1620 {
1621 struct nlmsgerr *err = NLMSG_DATA(hdr);
1622 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1623 strerror(-err->error), -err->error);
1624 break;
1625 }
1626 default:
1627 hdr = NLMSG_NEXT(hdr, len);
1628 continue;
1629 case NLMSG_DONE:
1630 break;
1631 }
1632 break;
1633 }
1634 }
1635
1636 if (policy == NULL)
1637 {
1638 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1639 policy_dir_names, direction);
1640 free(out);
1641 return FAILED;
1642 }
1643 *use_time = (time_t)policy->curlft.use_time;
1644
1645 free(out);
1646 return SUCCESS;
1647 }
1648
1649 /**
1650 * Implementation of kernel_interface_t.del_policy.
1651 */
1652 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
1653 traffic_selector_t *src_ts,
1654 traffic_selector_t *dst_ts,
1655 policy_dir_t direction, bool unrouted)
1656 {
1657 policy_entry_t *current, policy, *to_delete = NULL;
1658 route_entry_t *route;
1659 netlink_buf_t request;
1660 struct nlmsghdr *hdr;
1661 struct xfrm_userpolicy_id *policy_id;
1662 enumerator_t *enumerator;
1663
1664 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1665 policy_dir_names, direction);
1666
1667 /* create a policy */
1668 memset(&policy, 0, sizeof(policy_entry_t));
1669 policy.sel = ts2selector(src_ts, dst_ts);
1670 policy.direction = direction;
1671
1672 /* find the policy */
1673 this->mutex->lock(this->mutex);
1674 enumerator = this->policies->create_enumerator(this->policies);
1675 while (enumerator->enumerate(enumerator, &current))
1676 {
1677 if (memeq(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) &&
1678 policy.direction == current->direction)
1679 {
1680 to_delete = current;
1681 if (--to_delete->refcount > 0)
1682 {
1683 /* is used by more SAs, keep in kernel */
1684 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1685 this->mutex->unlock(this->mutex);
1686 enumerator->destroy(enumerator);
1687 return SUCCESS;
1688 }
1689 /* remove if last reference */
1690 this->policies->remove_at(this->policies, enumerator);
1691 break;
1692 }
1693 }
1694 this->mutex->unlock(this->mutex);
1695 enumerator->destroy(enumerator);
1696 if (!to_delete)
1697 {
1698 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1699 dst_ts, policy_dir_names, direction);
1700 return NOT_FOUND;
1701 }
1702
1703 memset(&request, 0, sizeof(request));
1704
1705 hdr = (struct nlmsghdr*)request;
1706 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1707 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1708 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1709
1710 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1711 policy_id->sel = to_delete->sel;
1712 policy_id->dir = direction;
1713
1714 route = to_delete->route;
1715 free(to_delete);
1716
1717 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1718 {
1719 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1720 policy_dir_names, direction);
1721 return FAILED;
1722 }
1723
1724 if (route)
1725 {
1726 if (charon->kernel_interface->del_route(charon->kernel_interface,
1727 route->dst_net, route->prefixlen, route->gateway,
1728 route->src_ip, route->if_name) != SUCCESS)
1729 {
1730 DBG1(DBG_KNL, "error uninstalling route installed with "
1731 "policy %R === %R %N", src_ts, dst_ts,
1732 policy_dir_names, direction);
1733 }
1734 route_entry_destroy(route);
1735 }
1736 return SUCCESS;
1737 }
1738
1739 /**
1740 * Implementation of kernel_interface_t.destroy.
1741 */
1742 static void destroy(private_kernel_netlink_ipsec_t *this)
1743 {
1744 this->job->cancel(this->job);
1745 close(this->socket_xfrm_events);
1746 this->socket_xfrm->destroy(this->socket_xfrm);
1747 this->policies->destroy(this->policies);
1748 this->mutex->destroy(this->mutex);
1749 free(this);
1750 }
1751
1752 /**
1753 * Add bypass policies for IKE on the sockets used by charon
1754 */
1755 static bool add_bypass_policies()
1756 {
1757 int fd, family, port;
1758 enumerator_t *sockets;
1759 bool status = TRUE;
1760
1761 /* we open an AF_KEY socket to autoload the af_key module. Otherwise
1762 * setsockopt(IPSEC_POLICY) won't work. */
1763 fd = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
1764 if (fd == 0)
1765 {
1766 DBG1(DBG_KNL, "could not open AF_KEY socket");
1767 return FALSE;
1768 }
1769 close(fd);
1770
1771 sockets = charon->socket->create_enumerator(charon->socket);
1772 while (sockets->enumerate(sockets, &fd, &family, &port))
1773 {
1774 struct sadb_x_policy policy;
1775 u_int sol, ipsec_policy;
1776
1777 switch (family)
1778 {
1779 case AF_INET:
1780 sol = SOL_IP;
1781 ipsec_policy = IP_IPSEC_POLICY;
1782 break;
1783 case AF_INET6:
1784 sol = SOL_IPV6;
1785 ipsec_policy = IPV6_IPSEC_POLICY;
1786 break;
1787 default:
1788 continue;
1789 }
1790
1791 memset(&policy, 0, sizeof(policy));
1792 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
1793 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1794 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
1795
1796 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
1797 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1798 {
1799 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1800 strerror(errno));
1801 status = FALSE;
1802 break;
1803 }
1804 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
1805 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1806 {
1807 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1808 strerror(errno));
1809 status = FALSE;
1810 break;
1811 }
1812 }
1813 sockets->destroy(sockets);
1814 return status;
1815 }
1816
1817 /*
1818 * Described in header.
1819 */
1820 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
1821 {
1822 private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
1823 struct sockaddr_nl addr;
1824
1825 /* public functions */
1826 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1827 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1828 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
1829 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
1830 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
1831 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
1832 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1833 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
1834 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1835
1836 /* private members */
1837 this->policies = linked_list_create();
1838 this->mutex = mutex_create(MUTEX_DEFAULT);
1839 this->install_routes = lib->settings->get_bool(lib->settings,
1840 "charon.install_routes", TRUE);
1841
1842 /* add bypass policies on the sockets used by charon */
1843 if (!add_bypass_policies())
1844 {
1845 charon->kill(charon, "unable to add bypass policies on sockets");
1846 }
1847
1848 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
1849
1850 memset(&addr, 0, sizeof(addr));
1851 addr.nl_family = AF_NETLINK;
1852
1853 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
1854 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1855 if (this->socket_xfrm_events <= 0)
1856 {
1857 charon->kill(charon, "unable to create XFRM event socket");
1858 }
1859 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
1860 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
1861 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
1862 {
1863 charon->kill(charon, "unable to bind XFRM event socket");
1864 }
1865
1866 this->job = callback_job_create((callback_job_cb_t)receive_events,
1867 this, NULL, NULL);
1868 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1869
1870 return &this->public;
1871 }