Use XFRM instead of PF_KEY IKE bypass policies in netlink based kernel interface
[strongswan.git] / src / charon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2009 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include <sys/types.h>
22 #include <sys/socket.h>
23 #include <stdint.h>
24 #include <linux/ipsec.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <pthread.h>
30 #include <unistd.h>
31 #include <errno.h>
32 #include <string.h>
33 #include <fcntl.h>
34
35 #include "kernel_netlink_ipsec.h"
36 #include "kernel_netlink_shared.h"
37
38 #include <daemon.h>
39 #include <utils/mutex.h>
40 #include <utils/hashtable.h>
41 #include <processing/jobs/callback_job.h>
42 #include <processing/jobs/acquire_job.h>
43 #include <processing/jobs/migrate_job.h>
44 #include <processing/jobs/rekey_child_sa_job.h>
45 #include <processing/jobs/delete_child_sa_job.h>
46 #include <processing/jobs/update_sa_job.h>
47
48 /** required for Linux 2.6.26 kernel and later */
49 #ifndef XFRM_STATE_AF_UNSPEC
50 #define XFRM_STATE_AF_UNSPEC 32
51 #endif
52
53 /** from linux/in.h */
54 #ifndef IP_XFRM_POLICY
55 #define IP_XFRM_POLICY 17
56 #endif
57
58 /* missing on uclibc */
59 #ifndef IPV6_XFRM_POLICY
60 #define IPV6_XFRM_POLICY 34
61 #endif /*IPV6_XFRM_POLICY*/
62
63 /** default priority of installed policies */
64 #define PRIO_LOW 3000
65 #define PRIO_HIGH 2000
66
67 /**
68 * map the limit for bytes and packets to XFRM_INF per default
69 */
70 #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
71
72 /**
73 * Create ORable bitfield of XFRM NL groups
74 */
75 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
76
77 /**
78 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
79 * 'usual' netlink data x like 'struct xfrm_usersa_info'
80 */
81 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
82 /**
83 * returns a pointer to the next rtattr following rta.
84 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
85 */
86 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
87 /**
88 * returns the total size of attached rta data
89 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
90 */
91 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
92
93 typedef struct kernel_algorithm_t kernel_algorithm_t;
94
95 /**
96 * Mapping of IKEv2 kernel identifier to linux crypto API names
97 */
98 struct kernel_algorithm_t {
99 /**
100 * Identifier specified in IKEv2
101 */
102 int ikev2;
103
104 /**
105 * Name of the algorithm in linux crypto API
106 */
107 char *name;
108 };
109
110 ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
111 "XFRM_MSG_NEWSA",
112 "XFRM_MSG_DELSA",
113 "XFRM_MSG_GETSA",
114 "XFRM_MSG_NEWPOLICY",
115 "XFRM_MSG_DELPOLICY",
116 "XFRM_MSG_GETPOLICY",
117 "XFRM_MSG_ALLOCSPI",
118 "XFRM_MSG_ACQUIRE",
119 "XFRM_MSG_EXPIRE",
120 "XFRM_MSG_UPDPOLICY",
121 "XFRM_MSG_UPDSA",
122 "XFRM_MSG_POLEXPIRE",
123 "XFRM_MSG_FLUSHSA",
124 "XFRM_MSG_FLUSHPOLICY",
125 "XFRM_MSG_NEWAE",
126 "XFRM_MSG_GETAE",
127 "XFRM_MSG_REPORT",
128 "XFRM_MSG_MIGRATE",
129 "XFRM_MSG_NEWSADINFO",
130 "XFRM_MSG_GETSADINFO",
131 "XFRM_MSG_NEWSPDINFO",
132 "XFRM_MSG_GETSPDINFO",
133 "XFRM_MSG_MAPPING"
134 );
135
136 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
137 "XFRMA_UNSPEC",
138 "XFRMA_ALG_AUTH",
139 "XFRMA_ALG_CRYPT",
140 "XFRMA_ALG_COMP",
141 "XFRMA_ENCAP",
142 "XFRMA_TMPL",
143 "XFRMA_SA",
144 "XFRMA_POLICY",
145 "XFRMA_SEC_CTX",
146 "XFRMA_LTIME_VAL",
147 "XFRMA_REPLAY_VAL",
148 "XFRMA_REPLAY_THRESH",
149 "XFRMA_ETIMER_THRESH",
150 "XFRMA_SRCADDR",
151 "XFRMA_COADDR",
152 "XFRMA_LASTUSED",
153 "XFRMA_POLICY_TYPE",
154 "XFRMA_MIGRATE",
155 "XFRMA_ALG_AEAD",
156 "XFRMA_KMADDRESS"
157 );
158
159 #define END_OF_LIST -1
160
161 /**
162 * Algorithms for encryption
163 */
164 static kernel_algorithm_t encryption_algs[] = {
165 /* {ENCR_DES_IV64, "***" }, */
166 {ENCR_DES, "des" },
167 {ENCR_3DES, "des3_ede" },
168 /* {ENCR_RC5, "***" }, */
169 /* {ENCR_IDEA, "***" }, */
170 {ENCR_CAST, "cast128" },
171 {ENCR_BLOWFISH, "blowfish" },
172 /* {ENCR_3IDEA, "***" }, */
173 /* {ENCR_DES_IV32, "***" }, */
174 {ENCR_NULL, "cipher_null" },
175 {ENCR_AES_CBC, "aes" },
176 {ENCR_AES_CTR, "rfc3686(ctr(aes))" },
177 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
178 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
179 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
180 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
181 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
182 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
183 /* {ENCR_NULL_AUTH_AES_GMAC, "***" }, */
184 {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
185 /* {ENCR_CAMELLIA_CTR, "***" }, */
186 /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
187 /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
188 /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
189 {END_OF_LIST, NULL }
190 };
191
192 /**
193 * Algorithms for integrity protection
194 */
195 static kernel_algorithm_t integrity_algs[] = {
196 {AUTH_HMAC_MD5_96, "md5" },
197 {AUTH_HMAC_SHA1_96, "sha1" },
198 {AUTH_HMAC_SHA2_256_128, "sha256" },
199 {AUTH_HMAC_SHA2_384_192, "sha384" },
200 {AUTH_HMAC_SHA2_512_256, "sha512" },
201 /* {AUTH_DES_MAC, "***" }, */
202 /* {AUTH_KPDK_MD5, "***" }, */
203 {AUTH_AES_XCBC_96, "xcbc(aes)" },
204 {END_OF_LIST, NULL }
205 };
206
207 /**
208 * Algorithms for IPComp
209 */
210 static kernel_algorithm_t compression_algs[] = {
211 /* {IPCOMP_OUI, "***" }, */
212 {IPCOMP_DEFLATE, "deflate" },
213 {IPCOMP_LZS, "lzs" },
214 {IPCOMP_LZJH, "lzjh" },
215 {END_OF_LIST, NULL }
216 };
217
218 /**
219 * Look up a kernel algorithm name and its key size
220 */
221 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
222 {
223 while (list->ikev2 != END_OF_LIST)
224 {
225 if (list->ikev2 == ikev2)
226 {
227 return list->name;
228 }
229 list++;
230 }
231 return NULL;
232 }
233
234 typedef struct route_entry_t route_entry_t;
235
236 /**
237 * installed routing entry
238 */
239 struct route_entry_t {
240 /** Name of the interface the route is bound to */
241 char *if_name;
242
243 /** Source ip of the route */
244 host_t *src_ip;
245
246 /** gateway for this route */
247 host_t *gateway;
248
249 /** Destination net */
250 chunk_t dst_net;
251
252 /** Destination net prefixlen */
253 u_int8_t prefixlen;
254 };
255
256 /**
257 * destroy an route_entry_t object
258 */
259 static void route_entry_destroy(route_entry_t *this)
260 {
261 free(this->if_name);
262 this->src_ip->destroy(this->src_ip);
263 this->gateway->destroy(this->gateway);
264 chunk_free(&this->dst_net);
265 free(this);
266 }
267
268 typedef struct policy_entry_t policy_entry_t;
269
270 /**
271 * installed kernel policy.
272 */
273 struct policy_entry_t {
274
275 /** direction of this policy: in, out, forward */
276 u_int8_t direction;
277
278 /** parameters of installed policy */
279 struct xfrm_selector sel;
280
281 /** associated route installed for this policy */
282 route_entry_t *route;
283
284 /** by how many CHILD_SA's this policy is used */
285 u_int refcount;
286 };
287
288 /**
289 * Hash function for policy_entry_t objects
290 */
291 static u_int policy_hash(policy_entry_t *key)
292 {
293 chunk_t chunk = chunk_create((void*)&key->sel, sizeof(struct xfrm_selector));
294 return chunk_hash(chunk);
295 }
296
297 /**
298 * Equality function for policy_entry_t objects
299 */
300 static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
301 {
302 return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
303 key->direction == other_key->direction;
304 }
305
306 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
307
308 /**
309 * Private variables and functions of kernel_netlink class.
310 */
311 struct private_kernel_netlink_ipsec_t {
312 /**
313 * Public part of the kernel_netlink_t object.
314 */
315 kernel_netlink_ipsec_t public;
316
317 /**
318 * mutex to lock access to various lists
319 */
320 mutex_t *mutex;
321
322 /**
323 * Hash table of installed policies (policy_entry_t)
324 */
325 hashtable_t *policies;
326
327 /**
328 * job receiving netlink events
329 */
330 callback_job_t *job;
331
332 /**
333 * Netlink xfrm socket (IPsec)
334 */
335 netlink_socket_t *socket_xfrm;
336
337 /**
338 * netlink xfrm socket to receive acquire and expire events
339 */
340 int socket_xfrm_events;
341
342 /**
343 * whether to install routes along policies
344 */
345 bool install_routes;
346 };
347
348 /**
349 * convert a IKEv2 specific protocol identifier to the kernel one
350 */
351 static u_int8_t proto_ike2kernel(protocol_id_t proto)
352 {
353 switch (proto)
354 {
355 case PROTO_ESP:
356 return IPPROTO_ESP;
357 case PROTO_AH:
358 return IPPROTO_AH;
359 default:
360 return proto;
361 }
362 }
363
364 /**
365 * reverse of ike2kernel
366 */
367 static protocol_id_t proto_kernel2ike(u_int8_t proto)
368 {
369 switch (proto)
370 {
371 case IPPROTO_ESP:
372 return PROTO_ESP;
373 case IPPROTO_AH:
374 return PROTO_AH;
375 default:
376 return proto;
377 }
378 }
379
380 /**
381 * convert the general ipsec mode to the one defined in xfrm.h
382 */
383 static u_int8_t mode2kernel(ipsec_mode_t mode)
384 {
385 switch (mode)
386 {
387 case MODE_TRANSPORT:
388 return XFRM_MODE_TRANSPORT;
389 case MODE_TUNNEL:
390 return XFRM_MODE_TUNNEL;
391 case MODE_BEET:
392 return XFRM_MODE_BEET;
393 default:
394 return mode;
395 }
396 }
397
398 /**
399 * convert a host_t to a struct xfrm_address
400 */
401 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
402 {
403 chunk_t chunk = host->get_address(host);
404 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
405 }
406
407 /**
408 * convert a struct xfrm_address to a host_t
409 */
410 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
411 {
412 chunk_t chunk;
413
414 switch (family)
415 {
416 case AF_INET:
417 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
418 break;
419 case AF_INET6:
420 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
421 break;
422 default:
423 return NULL;
424 }
425 return host_create_from_chunk(family, chunk, ntohs(port));
426 }
427
428 /**
429 * convert a traffic selector address range to subnet and its mask.
430 */
431 static void ts2subnet(traffic_selector_t* ts,
432 xfrm_address_t *net, u_int8_t *mask)
433 {
434 host_t *net_host;
435 chunk_t net_chunk;
436
437 ts->to_subnet(ts, &net_host, mask);
438 net_chunk = net_host->get_address(net_host);
439 memcpy(net, net_chunk.ptr, net_chunk.len);
440 net_host->destroy(net_host);
441 }
442
443 /**
444 * convert a traffic selector port range to port/portmask
445 */
446 static void ts2ports(traffic_selector_t* ts,
447 u_int16_t *port, u_int16_t *mask)
448 {
449 /* linux does not seem to accept complex portmasks. Only
450 * any or a specific port is allowed. We set to any, if we have
451 * a port range, or to a specific, if we have one port only.
452 */
453 u_int16_t from, to;
454
455 from = ts->get_from_port(ts);
456 to = ts->get_to_port(ts);
457
458 if (from == to)
459 {
460 *port = htons(from);
461 *mask = ~0;
462 }
463 else
464 {
465 *port = 0;
466 *mask = 0;
467 }
468 }
469
470 /**
471 * convert a pair of traffic_selectors to a xfrm_selector
472 */
473 static struct xfrm_selector ts2selector(traffic_selector_t *src,
474 traffic_selector_t *dst)
475 {
476 struct xfrm_selector sel;
477
478 memset(&sel, 0, sizeof(sel));
479 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
480 /* src or dest proto may be "any" (0), use more restrictive one */
481 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
482 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
483 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
484 ts2ports(dst, &sel.dport, &sel.dport_mask);
485 ts2ports(src, &sel.sport, &sel.sport_mask);
486 sel.ifindex = 0;
487 sel.user = 0;
488
489 return sel;
490 }
491
492 /**
493 * convert a xfrm_selector to a src|dst traffic_selector
494 */
495 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
496 {
497 u_char *addr;
498 u_int8_t prefixlen;
499 u_int16_t port = 0;
500 host_t *host = NULL;
501
502 if (src)
503 {
504 addr = (u_char*)&sel->saddr;
505 prefixlen = sel->prefixlen_s;
506 if (sel->sport_mask)
507 {
508 port = htons(sel->sport);
509 }
510 }
511 else
512 {
513 addr = (u_char*)&sel->daddr;
514 prefixlen = sel->prefixlen_d;
515 if (sel->dport_mask)
516 {
517 port = htons(sel->dport);
518 }
519 }
520
521 /* The Linux 2.6 kernel does not set the selector's family field,
522 * so as a kludge we additionally test the prefix length.
523 */
524 if (sel->family == AF_INET || sel->prefixlen_s == 32)
525 {
526 host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
527 }
528 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
529 {
530 host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
531 }
532
533 if (host)
534 {
535 return traffic_selector_create_from_subnet(host, prefixlen,
536 sel->proto, port);
537 }
538 return NULL;
539 }
540
541 /**
542 * process a XFRM_MSG_ACQUIRE from kernel
543 */
544 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
545 {
546 u_int32_t reqid = 0;
547 int proto = 0;
548 traffic_selector_t *src_ts, *dst_ts;
549 struct xfrm_user_acquire *acquire;
550 struct rtattr *rta;
551 size_t rtasize;
552 job_t *job;
553
554 acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
555 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
556 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
557
558 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
559
560 while (RTA_OK(rta, rtasize))
561 {
562 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
563
564 if (rta->rta_type == XFRMA_TMPL)
565 {
566 struct xfrm_user_tmpl* tmpl;
567
568 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
569 reqid = tmpl->reqid;
570 proto = tmpl->id.proto;
571 }
572 rta = RTA_NEXT(rta, rtasize);
573 }
574 switch (proto)
575 {
576 case 0:
577 case IPPROTO_ESP:
578 case IPPROTO_AH:
579 break;
580 default:
581 /* acquire for AH/ESP only, not for IPCOMP */
582 return;
583 }
584 src_ts = selector2ts(&acquire->sel, TRUE);
585 dst_ts = selector2ts(&acquire->sel, FALSE);
586 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
587 src_ts, dst_ts, reqid);
588 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
589 charon->processor->queue_job(charon->processor, job);
590 }
591
592 /**
593 * process a XFRM_MSG_EXPIRE from kernel
594 */
595 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
596 {
597 job_t *job;
598 protocol_id_t protocol;
599 u_int32_t spi, reqid;
600 struct xfrm_user_expire *expire;
601
602 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
603 protocol = proto_kernel2ike(expire->state.id.proto);
604 spi = expire->state.id.spi;
605 reqid = expire->state.reqid;
606
607 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
608
609 if (protocol != PROTO_ESP && protocol != PROTO_AH)
610 {
611 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
612 "which is not a CHILD_SA", ntohl(spi), reqid);
613 return;
614 }
615
616 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
617 expire->hard ? "delete" : "rekey", protocol_id_names,
618 protocol, ntohl(spi), reqid);
619 if (expire->hard)
620 {
621 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
622 }
623 else
624 {
625 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
626 }
627 charon->processor->queue_job(charon->processor, job);
628 }
629
630 /**
631 * process a XFRM_MSG_MIGRATE from kernel
632 */
633 static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
634 {
635 traffic_selector_t *src_ts, *dst_ts;
636 host_t *local = NULL, *remote = NULL;
637 host_t *old_src = NULL, *old_dst = NULL;
638 host_t *new_src = NULL, *new_dst = NULL;
639 struct xfrm_userpolicy_id *policy_id;
640 struct rtattr *rta;
641 size_t rtasize;
642 u_int32_t reqid = 0;
643 policy_dir_t dir;
644 job_t *job;
645
646 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
647 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
648 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
649
650 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
651
652 src_ts = selector2ts(&policy_id->sel, TRUE);
653 dst_ts = selector2ts(&policy_id->sel, FALSE);
654 dir = (policy_dir_t)policy_id->dir;
655
656 DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
657
658 while (RTA_OK(rta, rtasize))
659 {
660 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
661 if (rta->rta_type == XFRMA_KMADDRESS)
662 {
663 struct xfrm_user_kmaddress *kmaddress;
664
665 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
666 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
667 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
668 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
669 }
670 else if (rta->rta_type == XFRMA_MIGRATE)
671 {
672 struct xfrm_user_migrate *migrate;
673 protocol_id_t proto;
674
675 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
676 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
677 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
678 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
679 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
680 proto = proto_kernel2ike(migrate->proto);
681 reqid = migrate->reqid;
682 DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}",
683 protocol_id_names, proto, old_src, old_dst,
684 new_src, new_dst, reqid);
685 DESTROY_IF(old_src);
686 DESTROY_IF(old_dst);
687 DESTROY_IF(new_src);
688 DESTROY_IF(new_dst);
689 }
690 rta = RTA_NEXT(rta, rtasize);
691 }
692
693 if (src_ts && dst_ts && local && remote)
694 {
695 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
696 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
697 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
698 local, remote);
699 charon->processor->queue_job(charon->processor, job);
700 }
701 else
702 {
703 DESTROY_IF(src_ts);
704 DESTROY_IF(dst_ts);
705 DESTROY_IF(local);
706 DESTROY_IF(remote);
707 }
708 }
709
710 /**
711 * process a XFRM_MSG_MAPPING from kernel
712 */
713 static void process_mapping(private_kernel_netlink_ipsec_t *this,
714 struct nlmsghdr *hdr)
715 {
716 job_t *job;
717 u_int32_t spi, reqid;
718 struct xfrm_user_mapping *mapping;
719 host_t *host;
720
721 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
722 spi = mapping->id.spi;
723 reqid = mapping->reqid;
724
725 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
726
727 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
728 {
729 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
730 mapping->new_sport);
731 if (host)
732 {
733 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
734 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
735 job = (job_t*)update_sa_job_create(reqid, host);
736 charon->processor->queue_job(charon->processor, job);
737 }
738 }
739 }
740
741 /**
742 * Receives events from kernel
743 */
744 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
745 {
746 char response[1024];
747 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
748 struct sockaddr_nl addr;
749 socklen_t addr_len = sizeof(addr);
750 int len, oldstate;
751
752 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
753 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
754 (struct sockaddr*)&addr, &addr_len);
755 pthread_setcancelstate(oldstate, NULL);
756
757 if (len < 0)
758 {
759 switch (errno)
760 {
761 case EINTR:
762 /* interrupted, try again */
763 return JOB_REQUEUE_DIRECT;
764 case EAGAIN:
765 /* no data ready, select again */
766 return JOB_REQUEUE_DIRECT;
767 default:
768 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
769 sleep(1);
770 return JOB_REQUEUE_FAIR;
771 }
772 }
773
774 if (addr.nl_pid != 0)
775 { /* not from kernel. not interested, try another one */
776 return JOB_REQUEUE_DIRECT;
777 }
778
779 while (NLMSG_OK(hdr, len))
780 {
781 switch (hdr->nlmsg_type)
782 {
783 case XFRM_MSG_ACQUIRE:
784 process_acquire(this, hdr);
785 break;
786 case XFRM_MSG_EXPIRE:
787 process_expire(this, hdr);
788 break;
789 case XFRM_MSG_MIGRATE:
790 process_migrate(this, hdr);
791 break;
792 case XFRM_MSG_MAPPING:
793 process_mapping(this, hdr);
794 break;
795 default:
796 DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);
797 break;
798 }
799 hdr = NLMSG_NEXT(hdr, len);
800 }
801 return JOB_REQUEUE_DIRECT;
802 }
803
804 /**
805 * Get an SPI for a specific protocol from the kernel.
806 */
807 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
808 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
809 u_int32_t reqid, u_int32_t *spi)
810 {
811 netlink_buf_t request;
812 struct nlmsghdr *hdr, *out;
813 struct xfrm_userspi_info *userspi;
814 u_int32_t received_spi = 0;
815 size_t len;
816
817 memset(&request, 0, sizeof(request));
818
819 hdr = (struct nlmsghdr*)request;
820 hdr->nlmsg_flags = NLM_F_REQUEST;
821 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
822 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
823
824 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
825 host2xfrm(src, &userspi->info.saddr);
826 host2xfrm(dst, &userspi->info.id.daddr);
827 userspi->info.id.proto = proto;
828 userspi->info.mode = XFRM_MODE_TUNNEL;
829 userspi->info.reqid = reqid;
830 userspi->info.family = src->get_family(src);
831 userspi->min = min;
832 userspi->max = max;
833
834 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
835 {
836 hdr = out;
837 while (NLMSG_OK(hdr, len))
838 {
839 switch (hdr->nlmsg_type)
840 {
841 case XFRM_MSG_NEWSA:
842 {
843 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
844 received_spi = usersa->id.spi;
845 break;
846 }
847 case NLMSG_ERROR:
848 {
849 struct nlmsgerr *err = NLMSG_DATA(hdr);
850
851 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
852 strerror(-err->error), -err->error);
853 break;
854 }
855 default:
856 hdr = NLMSG_NEXT(hdr, len);
857 continue;
858 case NLMSG_DONE:
859 break;
860 }
861 break;
862 }
863 free(out);
864 }
865
866 if (received_spi == 0)
867 {
868 return FAILED;
869 }
870
871 *spi = received_spi;
872 return SUCCESS;
873 }
874
875 /**
876 * Implementation of kernel_interface_t.get_spi.
877 */
878 static status_t get_spi(private_kernel_netlink_ipsec_t *this,
879 host_t *src, host_t *dst,
880 protocol_id_t protocol, u_int32_t reqid,
881 u_int32_t *spi)
882 {
883 DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
884
885 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
886 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
887 {
888 DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
889 return FAILED;
890 }
891
892 DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
893
894 return SUCCESS;
895 }
896
897 /**
898 * Implementation of kernel_interface_t.get_cpi.
899 */
900 static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
901 host_t *src, host_t *dst,
902 u_int32_t reqid, u_int16_t *cpi)
903 {
904 u_int32_t received_spi = 0;
905
906 DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
907
908 if (get_spi_internal(this, src, dst,
909 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
910 {
911 DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
912 return FAILED;
913 }
914
915 *cpi = htons((u_int16_t)ntohl(received_spi));
916
917 DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
918
919 return SUCCESS;
920 }
921
922 /**
923 * Implementation of kernel_interface_t.add_sa.
924 */
925 static status_t add_sa(private_kernel_netlink_ipsec_t *this,
926 host_t *src, host_t *dst, u_int32_t spi,
927 protocol_id_t protocol, u_int32_t reqid,
928 lifetime_cfg_t *lifetime,
929 u_int16_t enc_alg, chunk_t enc_key,
930 u_int16_t int_alg, chunk_t int_key,
931 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
932 bool encap, bool inbound)
933 {
934 netlink_buf_t request;
935 char *alg_name;
936 struct nlmsghdr *hdr;
937 struct xfrm_usersa_info *sa;
938 u_int16_t icv_size = 64;
939
940 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
941 * we are in the recursive call below */
942 if (ipcomp != IPCOMP_NONE && cpi != 0)
943 {
944 lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
945 add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, &lft,
946 ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
947 mode, ipcomp, 0, FALSE, inbound);
948 ipcomp = IPCOMP_NONE;
949 }
950
951 memset(&request, 0, sizeof(request));
952
953 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
954 ntohl(spi), reqid);
955
956 hdr = (struct nlmsghdr*)request;
957 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
958 hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
959 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
960
961 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
962 host2xfrm(src, &sa->saddr);
963 host2xfrm(dst, &sa->id.daddr);
964 sa->id.spi = spi;
965 sa->id.proto = proto_ike2kernel(protocol);
966 sa->family = src->get_family(src);
967 sa->mode = mode2kernel(mode);
968 if (mode == MODE_TUNNEL)
969 {
970 sa->flags |= XFRM_STATE_AF_UNSPEC;
971 }
972 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
973 sa->reqid = reqid;
974 sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
975 sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life);
976 sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey);
977 sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life);
978 /* we use lifetimes since added, not since used */
979 sa->lft.soft_add_expires_seconds = lifetime->time.rekey;
980 sa->lft.hard_add_expires_seconds = lifetime->time.life;
981 sa->lft.soft_use_expires_seconds = 0;
982 sa->lft.hard_use_expires_seconds = 0;
983
984 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
985
986 switch (enc_alg)
987 {
988 case ENCR_UNDEFINED:
989 /* no encryption */
990 break;
991 case ENCR_AES_CCM_ICV16:
992 case ENCR_AES_GCM_ICV16:
993 case ENCR_CAMELLIA_CCM_ICV16:
994 icv_size += 32;
995 /* FALL */
996 case ENCR_AES_CCM_ICV12:
997 case ENCR_AES_GCM_ICV12:
998 case ENCR_CAMELLIA_CCM_ICV12:
999 icv_size += 32;
1000 /* FALL */
1001 case ENCR_AES_CCM_ICV8:
1002 case ENCR_AES_GCM_ICV8:
1003 case ENCR_CAMELLIA_CCM_ICV8:
1004 {
1005 struct xfrm_algo_aead *algo;
1006
1007 alg_name = lookup_algorithm(encryption_algs, enc_alg);
1008 if (alg_name == NULL)
1009 {
1010 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1011 encryption_algorithm_names, enc_alg);
1012 return FAILED;
1013 }
1014 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1015 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1016
1017 rthdr->rta_type = XFRMA_ALG_AEAD;
1018 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
1019 hdr->nlmsg_len += rthdr->rta_len;
1020 if (hdr->nlmsg_len > sizeof(request))
1021 {
1022 return FAILED;
1023 }
1024
1025 algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
1026 algo->alg_key_len = enc_key.len * 8;
1027 algo->alg_icv_len = icv_size;
1028 strcpy(algo->alg_name, alg_name);
1029 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
1030
1031 rthdr = XFRM_RTA_NEXT(rthdr);
1032 break;
1033 }
1034 default:
1035 {
1036 struct xfrm_algo *algo;
1037
1038 alg_name = lookup_algorithm(encryption_algs, enc_alg);
1039 if (alg_name == NULL)
1040 {
1041 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1042 encryption_algorithm_names, enc_alg);
1043 return FAILED;
1044 }
1045 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1046 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1047
1048 rthdr->rta_type = XFRMA_ALG_CRYPT;
1049 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
1050 hdr->nlmsg_len += rthdr->rta_len;
1051 if (hdr->nlmsg_len > sizeof(request))
1052 {
1053 return FAILED;
1054 }
1055
1056 algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1057 algo->alg_key_len = enc_key.len * 8;
1058 strcpy(algo->alg_name, alg_name);
1059 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
1060
1061 rthdr = XFRM_RTA_NEXT(rthdr);
1062 }
1063 }
1064
1065 if (int_alg != AUTH_UNDEFINED)
1066 {
1067 rthdr->rta_type = XFRMA_ALG_AUTH;
1068 alg_name = lookup_algorithm(integrity_algs, int_alg);
1069 if (alg_name == NULL)
1070 {
1071 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1072 integrity_algorithm_names, int_alg);
1073 return FAILED;
1074 }
1075 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1076 integrity_algorithm_names, int_alg, int_key.len * 8);
1077
1078 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
1079 hdr->nlmsg_len += rthdr->rta_len;
1080 if (hdr->nlmsg_len > sizeof(request))
1081 {
1082 return FAILED;
1083 }
1084
1085 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1086 algo->alg_key_len = int_key.len * 8;
1087 strcpy(algo->alg_name, alg_name);
1088 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1089
1090 rthdr = XFRM_RTA_NEXT(rthdr);
1091 }
1092
1093 if (ipcomp != IPCOMP_NONE)
1094 {
1095 rthdr->rta_type = XFRMA_ALG_COMP;
1096 alg_name = lookup_algorithm(compression_algs, ipcomp);
1097 if (alg_name == NULL)
1098 {
1099 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1100 ipcomp_transform_names, ipcomp);
1101 return FAILED;
1102 }
1103 DBG2(DBG_KNL, " using compression algorithm %N",
1104 ipcomp_transform_names, ipcomp);
1105
1106 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
1107 hdr->nlmsg_len += rthdr->rta_len;
1108 if (hdr->nlmsg_len > sizeof(request))
1109 {
1110 return FAILED;
1111 }
1112
1113 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1114 algo->alg_key_len = 0;
1115 strcpy(algo->alg_name, alg_name);
1116
1117 rthdr = XFRM_RTA_NEXT(rthdr);
1118 }
1119
1120 if (encap)
1121 {
1122 rthdr->rta_type = XFRMA_ENCAP;
1123 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1124
1125 hdr->nlmsg_len += rthdr->rta_len;
1126 if (hdr->nlmsg_len > sizeof(request))
1127 {
1128 return FAILED;
1129 }
1130
1131 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1132 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1133 tmpl->encap_sport = htons(src->get_port(src));
1134 tmpl->encap_dport = htons(dst->get_port(dst));
1135 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1136 /* encap_oa could probably be derived from the
1137 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1138 * pluto does the same as we do here but it uses encap_oa in the
1139 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1140 * the kernel ignores it anyway
1141 * -> does that mean that NAT-T encap doesn't work in transport mode?
1142 * No. The reason the kernel ignores NAT-OA is that it recomputes
1143 * (or, rather, just ignores) the checksum. If packets pass
1144 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1145 rthdr = XFRM_RTA_NEXT(rthdr);
1146 }
1147
1148 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1149 {
1150 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1151 return FAILED;
1152 }
1153 return SUCCESS;
1154 }
1155
1156 /**
1157 * Get the replay state (i.e. sequence numbers) of an SA.
1158 */
1159 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
1160 u_int32_t spi, protocol_id_t protocol, host_t *dst,
1161 struct xfrm_replay_state *replay)
1162 {
1163 netlink_buf_t request;
1164 struct nlmsghdr *hdr, *out = NULL;
1165 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1166 size_t len;
1167 struct rtattr *rta;
1168 size_t rtasize;
1169
1170 memset(&request, 0, sizeof(request));
1171
1172 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
1173
1174 hdr = (struct nlmsghdr*)request;
1175 hdr->nlmsg_flags = NLM_F_REQUEST;
1176 hdr->nlmsg_type = XFRM_MSG_GETAE;
1177 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1178
1179 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1180 aevent_id->flags = XFRM_AE_RVAL;
1181
1182 host2xfrm(dst, &aevent_id->sa_id.daddr);
1183 aevent_id->sa_id.spi = spi;
1184 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
1185 aevent_id->sa_id.family = dst->get_family(dst);
1186
1187 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1188 {
1189 hdr = out;
1190 while (NLMSG_OK(hdr, len))
1191 {
1192 switch (hdr->nlmsg_type)
1193 {
1194 case XFRM_MSG_NEWAE:
1195 {
1196 out_aevent = NLMSG_DATA(hdr);
1197 break;
1198 }
1199 case NLMSG_ERROR:
1200 {
1201 struct nlmsgerr *err = NLMSG_DATA(hdr);
1202 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
1203 strerror(-err->error), -err->error);
1204 break;
1205 }
1206 default:
1207 hdr = NLMSG_NEXT(hdr, len);
1208 continue;
1209 case NLMSG_DONE:
1210 break;
1211 }
1212 break;
1213 }
1214 }
1215
1216 if (out_aevent == NULL)
1217 {
1218 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1219 ntohl(spi));
1220 free(out);
1221 return FAILED;
1222 }
1223
1224 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1225 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1226 while(RTA_OK(rta, rtasize))
1227 {
1228 if (rta->rta_type == XFRMA_REPLAY_VAL &&
1229 RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
1230 {
1231 memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
1232 free(out);
1233 return SUCCESS;
1234 }
1235 rta = RTA_NEXT(rta, rtasize);
1236 }
1237
1238 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1239 ntohl(spi));
1240 free(out);
1241 return FAILED;
1242 }
1243
1244 /**
1245 * Implementation of kernel_interface_t.query_sa.
1246 */
1247 static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
1248 host_t *dst, u_int32_t spi, protocol_id_t protocol,
1249 u_int64_t *bytes)
1250 {
1251 netlink_buf_t request;
1252 struct nlmsghdr *out = NULL, *hdr;
1253 struct xfrm_usersa_id *sa_id;
1254 struct xfrm_usersa_info *sa = NULL;
1255 size_t len;
1256
1257 memset(&request, 0, sizeof(request));
1258
1259 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1260
1261 hdr = (struct nlmsghdr*)request;
1262 hdr->nlmsg_flags = NLM_F_REQUEST;
1263 hdr->nlmsg_type = XFRM_MSG_GETSA;
1264 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1265
1266 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1267 host2xfrm(dst, &sa_id->daddr);
1268 sa_id->spi = spi;
1269 sa_id->proto = proto_ike2kernel(protocol);
1270 sa_id->family = dst->get_family(dst);
1271
1272 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1273 {
1274 hdr = out;
1275 while (NLMSG_OK(hdr, len))
1276 {
1277 switch (hdr->nlmsg_type)
1278 {
1279 case XFRM_MSG_NEWSA:
1280 {
1281 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1282 break;
1283 }
1284 case NLMSG_ERROR:
1285 {
1286 struct nlmsgerr *err = NLMSG_DATA(hdr);
1287 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x failed: %s (%d)",
1288 ntohl(spi), strerror(-err->error), -err->error);
1289 break;
1290 }
1291 default:
1292 hdr = NLMSG_NEXT(hdr, len);
1293 continue;
1294 case NLMSG_DONE:
1295 break;
1296 }
1297 break;
1298 }
1299 }
1300
1301 if (sa == NULL)
1302 {
1303 DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1304 free(out);
1305 return FAILED;
1306 }
1307 *bytes = sa->curlft.bytes;
1308
1309 free(out);
1310 return SUCCESS;
1311 }
1312 /**
1313 * Implementation of kernel_interface_t.del_sa.
1314 */
1315 static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
1316 host_t *dst, u_int32_t spi, protocol_id_t protocol,
1317 u_int16_t cpi)
1318 {
1319 netlink_buf_t request;
1320 struct nlmsghdr *hdr;
1321 struct xfrm_usersa_id *sa_id;
1322
1323 /* if IPComp was used, we first delete the additional IPComp SA */
1324 if (cpi)
1325 {
1326 del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
1327 }
1328
1329 memset(&request, 0, sizeof(request));
1330
1331 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1332
1333 hdr = (struct nlmsghdr*)request;
1334 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1335 hdr->nlmsg_type = XFRM_MSG_DELSA;
1336 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1337
1338 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1339 host2xfrm(dst, &sa_id->daddr);
1340 sa_id->spi = spi;
1341 sa_id->proto = proto_ike2kernel(protocol);
1342 sa_id->family = dst->get_family(dst);
1343
1344 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1345 {
1346 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1347 return FAILED;
1348 }
1349 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1350 return SUCCESS;
1351 }
1352
1353 /**
1354 * Implementation of kernel_interface_t.update_sa.
1355 */
1356 static status_t update_sa(private_kernel_netlink_ipsec_t *this,
1357 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1358 host_t *src, host_t *dst,
1359 host_t *new_src, host_t *new_dst,
1360 bool old_encap, bool new_encap)
1361 {
1362 netlink_buf_t request;
1363 u_char *pos;
1364 struct nlmsghdr *hdr, *out = NULL;
1365 struct xfrm_usersa_id *sa_id;
1366 struct xfrm_usersa_info *out_sa = NULL, *sa;
1367 size_t len;
1368 struct rtattr *rta;
1369 size_t rtasize;
1370 struct xfrm_encap_tmpl* tmpl = NULL;
1371 bool got_replay_state = FALSE;
1372 struct xfrm_replay_state replay;
1373
1374 /* if IPComp is used, we first update the IPComp SA */
1375 if (cpi)
1376 {
1377 update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
1378 src, dst, new_src, new_dst, FALSE, FALSE);
1379 }
1380
1381 memset(&request, 0, sizeof(request));
1382
1383 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1384
1385 /* query the existing SA first */
1386 hdr = (struct nlmsghdr*)request;
1387 hdr->nlmsg_flags = NLM_F_REQUEST;
1388 hdr->nlmsg_type = XFRM_MSG_GETSA;
1389 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1390
1391 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1392 host2xfrm(dst, &sa_id->daddr);
1393 sa_id->spi = spi;
1394 sa_id->proto = proto_ike2kernel(protocol);
1395 sa_id->family = dst->get_family(dst);
1396
1397 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1398 {
1399 hdr = out;
1400 while (NLMSG_OK(hdr, len))
1401 {
1402 switch (hdr->nlmsg_type)
1403 {
1404 case XFRM_MSG_NEWSA:
1405 {
1406 out_sa = NLMSG_DATA(hdr);
1407 break;
1408 }
1409 case NLMSG_ERROR:
1410 {
1411 struct nlmsgerr *err = NLMSG_DATA(hdr);
1412 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1413 strerror(-err->error), -err->error);
1414 break;
1415 }
1416 default:
1417 hdr = NLMSG_NEXT(hdr, len);
1418 continue;
1419 case NLMSG_DONE:
1420 break;
1421 }
1422 break;
1423 }
1424 }
1425 if (out_sa == NULL)
1426 {
1427 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1428 free(out);
1429 return FAILED;
1430 }
1431
1432 /* try to get the replay state */
1433 if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
1434 {
1435 got_replay_state = TRUE;
1436 }
1437
1438 /* delete the old SA (without affecting the IPComp SA) */
1439 if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS)
1440 {
1441 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1442 free(out);
1443 return FAILED;
1444 }
1445
1446 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1447 ntohl(spi), src, dst, new_src, new_dst);
1448 /* copy over the SA from out to request */
1449 hdr = (struct nlmsghdr*)request;
1450 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1451 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1452 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1453 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1454 sa = NLMSG_DATA(hdr);
1455 sa->family = new_dst->get_family(new_dst);
1456
1457 if (!src->ip_equals(src, new_src))
1458 {
1459 host2xfrm(new_src, &sa->saddr);
1460 }
1461 if (!dst->ip_equals(dst, new_dst))
1462 {
1463 host2xfrm(new_dst, &sa->id.daddr);
1464 }
1465
1466 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1467 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1468 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1469 while(RTA_OK(rta, rtasize))
1470 {
1471 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1472 if (rta->rta_type != XFRMA_ENCAP || new_encap)
1473 {
1474 if (rta->rta_type == XFRMA_ENCAP)
1475 { /* update encap tmpl */
1476 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1477 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1478 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1479 }
1480 memcpy(pos, rta, rta->rta_len);
1481 pos += RTA_ALIGN(rta->rta_len);
1482 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1483 }
1484 rta = RTA_NEXT(rta, rtasize);
1485 }
1486
1487 rta = (struct rtattr*)pos;
1488 if (tmpl == NULL && new_encap)
1489 { /* add tmpl if we are enabling it */
1490 rta->rta_type = XFRMA_ENCAP;
1491 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1492
1493 hdr->nlmsg_len += rta->rta_len;
1494 if (hdr->nlmsg_len > sizeof(request))
1495 {
1496 return FAILED;
1497 }
1498
1499 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1500 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1501 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1502 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1503 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1504
1505 rta = XFRM_RTA_NEXT(rta);
1506 }
1507
1508 if (got_replay_state)
1509 { /* copy the replay data if available */
1510 rta->rta_type = XFRMA_REPLAY_VAL;
1511 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1512
1513 hdr->nlmsg_len += rta->rta_len;
1514 if (hdr->nlmsg_len > sizeof(request))
1515 {
1516 return FAILED;
1517 }
1518 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1519
1520 rta = XFRM_RTA_NEXT(rta);
1521 }
1522
1523 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1524 {
1525 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1526 free(out);
1527 return FAILED;
1528 }
1529 free(out);
1530
1531 return SUCCESS;
1532 }
1533
1534 /**
1535 * Implementation of kernel_interface_t.add_policy.
1536 */
1537 static status_t add_policy(private_kernel_netlink_ipsec_t *this,
1538 host_t *src, host_t *dst,
1539 traffic_selector_t *src_ts,
1540 traffic_selector_t *dst_ts,
1541 policy_dir_t direction, u_int32_t spi,
1542 protocol_id_t protocol, u_int32_t reqid,
1543 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1544 bool routed)
1545 {
1546 policy_entry_t *current, *policy;
1547 bool found = FALSE;
1548 netlink_buf_t request;
1549 struct xfrm_userpolicy_info *policy_info;
1550 struct nlmsghdr *hdr;
1551
1552 /* create a policy */
1553 policy = malloc_thing(policy_entry_t);
1554 memset(policy, 0, sizeof(policy_entry_t));
1555 policy->sel = ts2selector(src_ts, dst_ts);
1556 policy->direction = direction;
1557
1558 /* find the policy, which matches EXACTLY */
1559 this->mutex->lock(this->mutex);
1560 current = this->policies->get(this->policies, policy);
1561 if (current)
1562 {
1563 /* use existing policy */
1564 current->refcount++;
1565 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1566 "refcount", src_ts, dst_ts,
1567 policy_dir_names, direction);
1568 free(policy);
1569 policy = current;
1570 found = TRUE;
1571 }
1572 else
1573 { /* apply the new one, if we have no such policy */
1574 this->policies->put(this->policies, policy, policy);
1575 policy->refcount = 1;
1576 }
1577
1578 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1579 policy_dir_names, direction);
1580
1581 memset(&request, 0, sizeof(request));
1582 hdr = (struct nlmsghdr*)request;
1583 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1584 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1585 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1586
1587 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1588 policy_info->sel = policy->sel;
1589 policy_info->dir = policy->direction;
1590 /* calculate priority based on source selector size, small size = high prio */
1591 policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
1592 policy_info->priority -= policy->sel.prefixlen_s * 10;
1593 policy_info->priority -= policy->sel.proto ? 2 : 0;
1594 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1595 policy_info->action = XFRM_POLICY_ALLOW;
1596 policy_info->share = XFRM_SHARE_ANY;
1597 this->mutex->unlock(this->mutex);
1598
1599 /* policies don't expire */
1600 policy_info->lft.soft_byte_limit = XFRM_INF;
1601 policy_info->lft.soft_packet_limit = XFRM_INF;
1602 policy_info->lft.hard_byte_limit = XFRM_INF;
1603 policy_info->lft.hard_packet_limit = XFRM_INF;
1604 policy_info->lft.soft_add_expires_seconds = 0;
1605 policy_info->lft.hard_add_expires_seconds = 0;
1606 policy_info->lft.soft_use_expires_seconds = 0;
1607 policy_info->lft.hard_use_expires_seconds = 0;
1608
1609 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1610 rthdr->rta_type = XFRMA_TMPL;
1611 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1612
1613 hdr->nlmsg_len += rthdr->rta_len;
1614 if (hdr->nlmsg_len > sizeof(request))
1615 {
1616 return FAILED;
1617 }
1618
1619 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1620
1621 if (ipcomp != IPCOMP_NONE)
1622 {
1623 tmpl->reqid = reqid;
1624 tmpl->id.proto = IPPROTO_COMP;
1625 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1626 tmpl->mode = mode2kernel(mode);
1627 tmpl->optional = direction != POLICY_OUT;
1628 tmpl->family = src->get_family(src);
1629
1630 host2xfrm(src, &tmpl->saddr);
1631 host2xfrm(dst, &tmpl->id.daddr);
1632
1633 /* add an additional xfrm_user_tmpl */
1634 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1635 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1636 if (hdr->nlmsg_len > sizeof(request))
1637 {
1638 return FAILED;
1639 }
1640
1641 tmpl++;
1642 }
1643
1644 tmpl->reqid = reqid;
1645 tmpl->id.proto = proto_ike2kernel(protocol);
1646 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1647 tmpl->mode = mode2kernel(mode);
1648 tmpl->family = src->get_family(src);
1649
1650 host2xfrm(src, &tmpl->saddr);
1651 host2xfrm(dst, &tmpl->id.daddr);
1652
1653 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1654 {
1655 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1656 policy_dir_names, direction);
1657 return FAILED;
1658 }
1659
1660 /* install a route, if:
1661 * - we are NOT updating a policy
1662 * - this is a forward policy (to just get one for each child)
1663 * - we are in tunnel mode
1664 * - we are not using IPv6 (does not work correctly yet!)
1665 * - routing is not disabled via strongswan.conf
1666 */
1667 if (policy->route == NULL && direction == POLICY_FWD &&
1668 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1669 this->install_routes)
1670 {
1671 route_entry_t *route = malloc_thing(route_entry_t);
1672
1673 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1674 dst_ts, &route->src_ip) == SUCCESS)
1675 {
1676 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1677 route->gateway = charon->kernel_interface->get_nexthop(
1678 charon->kernel_interface, src);
1679 route->if_name = charon->kernel_interface->get_interface(
1680 charon->kernel_interface, dst);
1681 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1682 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1683 route->prefixlen = policy->sel.prefixlen_s;
1684
1685 if (route->if_name)
1686 {
1687 switch (charon->kernel_interface->add_route(
1688 charon->kernel_interface, route->dst_net,
1689 route->prefixlen, route->gateway,
1690 route->src_ip, route->if_name))
1691 {
1692 default:
1693 DBG1(DBG_KNL, "unable to install source route for %H",
1694 route->src_ip);
1695 /* FALL */
1696 case ALREADY_DONE:
1697 /* route exists, do not uninstall */
1698 route_entry_destroy(route);
1699 break;
1700 case SUCCESS:
1701 /* cache the installed route */
1702 policy->route = route;
1703 break;
1704 }
1705 }
1706 else
1707 {
1708 route_entry_destroy(route);
1709 }
1710 }
1711 else
1712 {
1713 free(route);
1714 }
1715 }
1716 return SUCCESS;
1717 }
1718
1719 /**
1720 * Implementation of kernel_interface_t.query_policy.
1721 */
1722 static status_t query_policy(private_kernel_netlink_ipsec_t *this,
1723 traffic_selector_t *src_ts,
1724 traffic_selector_t *dst_ts,
1725 policy_dir_t direction, u_int32_t *use_time)
1726 {
1727 netlink_buf_t request;
1728 struct nlmsghdr *out = NULL, *hdr;
1729 struct xfrm_userpolicy_id *policy_id;
1730 struct xfrm_userpolicy_info *policy = NULL;
1731 size_t len;
1732
1733 memset(&request, 0, sizeof(request));
1734
1735 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1736 policy_dir_names, direction);
1737
1738 hdr = (struct nlmsghdr*)request;
1739 hdr->nlmsg_flags = NLM_F_REQUEST;
1740 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1741 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1742
1743 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1744 policy_id->sel = ts2selector(src_ts, dst_ts);
1745 policy_id->dir = direction;
1746
1747 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1748 {
1749 hdr = out;
1750 while (NLMSG_OK(hdr, len))
1751 {
1752 switch (hdr->nlmsg_type)
1753 {
1754 case XFRM_MSG_NEWPOLICY:
1755 {
1756 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1757 break;
1758 }
1759 case NLMSG_ERROR:
1760 {
1761 struct nlmsgerr *err = NLMSG_DATA(hdr);
1762 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1763 strerror(-err->error), -err->error);
1764 break;
1765 }
1766 default:
1767 hdr = NLMSG_NEXT(hdr, len);
1768 continue;
1769 case NLMSG_DONE:
1770 break;
1771 }
1772 break;
1773 }
1774 }
1775
1776 if (policy == NULL)
1777 {
1778 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1779 policy_dir_names, direction);
1780 free(out);
1781 return FAILED;
1782 }
1783
1784 if (policy->curlft.use_time)
1785 {
1786 /* we need the monotonic time, but the kernel returns system time. */
1787 *use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
1788 }
1789 else
1790 {
1791 *use_time = 0;
1792 }
1793
1794 free(out);
1795 return SUCCESS;
1796 }
1797
1798 /**
1799 * Implementation of kernel_interface_t.del_policy.
1800 */
1801 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
1802 traffic_selector_t *src_ts,
1803 traffic_selector_t *dst_ts,
1804 policy_dir_t direction, bool unrouted)
1805 {
1806 policy_entry_t *current, policy, *to_delete = NULL;
1807 route_entry_t *route;
1808 netlink_buf_t request;
1809 struct nlmsghdr *hdr;
1810 struct xfrm_userpolicy_id *policy_id;
1811
1812 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1813 policy_dir_names, direction);
1814
1815 /* create a policy */
1816 memset(&policy, 0, sizeof(policy_entry_t));
1817 policy.sel = ts2selector(src_ts, dst_ts);
1818 policy.direction = direction;
1819
1820 /* find the policy */
1821 this->mutex->lock(this->mutex);
1822 current = this->policies->get(this->policies, &policy);
1823 if (current)
1824 {
1825 to_delete = current;
1826 if (--to_delete->refcount > 0)
1827 {
1828 /* is used by more SAs, keep in kernel */
1829 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1830 this->mutex->unlock(this->mutex);
1831 return SUCCESS;
1832 }
1833 /* remove if last reference */
1834 this->policies->remove(this->policies, to_delete);
1835 }
1836 this->mutex->unlock(this->mutex);
1837 if (!to_delete)
1838 {
1839 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1840 dst_ts, policy_dir_names, direction);
1841 return NOT_FOUND;
1842 }
1843
1844 memset(&request, 0, sizeof(request));
1845
1846 hdr = (struct nlmsghdr*)request;
1847 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1848 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1849 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1850
1851 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1852 policy_id->sel = to_delete->sel;
1853 policy_id->dir = direction;
1854
1855 route = to_delete->route;
1856 free(to_delete);
1857
1858 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1859 {
1860 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1861 policy_dir_names, direction);
1862 return FAILED;
1863 }
1864
1865 if (route)
1866 {
1867 if (charon->kernel_interface->del_route(charon->kernel_interface,
1868 route->dst_net, route->prefixlen, route->gateway,
1869 route->src_ip, route->if_name) != SUCCESS)
1870 {
1871 DBG1(DBG_KNL, "error uninstalling route installed with "
1872 "policy %R === %R %N", src_ts, dst_ts,
1873 policy_dir_names, direction);
1874 }
1875 route_entry_destroy(route);
1876 }
1877 return SUCCESS;
1878 }
1879
1880 /**
1881 * Implementation of kernel_interface_t.destroy.
1882 */
1883 static void destroy(private_kernel_netlink_ipsec_t *this)
1884 {
1885 enumerator_t *enumerator;
1886 policy_entry_t *policy;
1887
1888 this->job->cancel(this->job);
1889 close(this->socket_xfrm_events);
1890 this->socket_xfrm->destroy(this->socket_xfrm);
1891 enumerator = this->policies->create_enumerator(this->policies);
1892 while (enumerator->enumerate(enumerator, &policy, &policy))
1893 {
1894 free(policy);
1895 }
1896 enumerator->destroy(enumerator);
1897 this->policies->destroy(this->policies);
1898 this->mutex->destroy(this->mutex);
1899 free(this);
1900 }
1901
1902 /**
1903 * Add bypass policies for IKE on the sockets used by charon
1904 */
1905 static bool add_bypass_policies()
1906 {
1907 int fd, family, port;
1908 enumerator_t *sockets;
1909 bool status = TRUE;
1910
1911 sockets = charon->socket->create_enumerator(charon->socket);
1912 while (sockets->enumerate(sockets, &fd, &family, &port))
1913 {
1914 struct xfrm_userpolicy_info policy;
1915 u_int sol, ipsec_policy;
1916
1917 switch (family)
1918 {
1919 case AF_INET:
1920 sol = SOL_IP;
1921 ipsec_policy = IP_XFRM_POLICY;
1922 break;
1923 case AF_INET6:
1924 sol = SOL_IPV6;
1925 ipsec_policy = IPV6_XFRM_POLICY;
1926 break;
1927 default:
1928 continue;
1929 }
1930
1931 memset(&policy, 0, sizeof(policy));
1932 policy.action = XFRM_POLICY_ALLOW;
1933 policy.sel.family = family;
1934
1935 policy.dir = XFRM_POLICY_OUT;
1936 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1937 {
1938 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1939 strerror(errno));
1940 status = FALSE;
1941 break;
1942 }
1943 policy.dir = XFRM_POLICY_IN;
1944 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1945 {
1946 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1947 strerror(errno));
1948 status = FALSE;
1949 break;
1950 }
1951 }
1952 sockets->destroy(sockets);
1953 return status;
1954 }
1955
1956 /*
1957 * Described in header.
1958 */
1959 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
1960 {
1961 private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
1962 struct sockaddr_nl addr;
1963 int fd;
1964
1965 /* public functions */
1966 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1967 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1968 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
1969 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
1970 this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
1971 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
1972 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
1973 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1974 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
1975 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1976
1977 /* private members */
1978 this->policies = hashtable_create((hashtable_hash_t)policy_hash,
1979 (hashtable_equals_t)policy_equals, 32);
1980 this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
1981 this->install_routes = lib->settings->get_bool(lib->settings,
1982 "charon.install_routes", TRUE);
1983
1984 /* disable lifetimes for allocated SPIs in kernel */
1985 fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
1986 if (fd)
1987 {
1988 ignore_result(write(fd, "165", 3));
1989 close(fd);
1990 }
1991
1992 /* add bypass policies on the sockets used by charon */
1993 if (!add_bypass_policies())
1994 {
1995 charon->kill(charon, "unable to add bypass policies on sockets");
1996 }
1997
1998 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
1999
2000 memset(&addr, 0, sizeof(addr));
2001 addr.nl_family = AF_NETLINK;
2002
2003 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
2004 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2005 if (this->socket_xfrm_events <= 0)
2006 {
2007 charon->kill(charon, "unable to create XFRM event socket");
2008 }
2009 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
2010 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
2011 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2012 {
2013 charon->kill(charon, "unable to bind XFRM event socket");
2014 }
2015
2016 this->job = callback_job_create((callback_job_cb_t)receive_events,
2017 this, NULL, NULL);
2018 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2019
2020 return &this->public;
2021 }