do not install route if interface lookup failed
[strongswan.git] / src / charon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 *
20 * $Id$
21 */
22
23 #include <sys/types.h>
24 #include <sys/socket.h>
25 #include <sys/time.h>
26 #include <linux/netlink.h>
27 #include <linux/rtnetlink.h>
28 #include <linux/xfrm.h>
29 #include <linux/udp.h>
30 #include <netinet/in.h>
31 #include <pthread.h>
32 #include <unistd.h>
33 #include <errno.h>
34 #include <string.h>
35
36 #include "kernel_netlink_ipsec.h"
37 #include "kernel_netlink_shared.h"
38
39 #include <daemon.h>
40 #include <utils/linked_list.h>
41 #include <processing/jobs/callback_job.h>
42 #include <processing/jobs/acquire_job.h>
43 #include <processing/jobs/migrate_job.h>
44 #include <processing/jobs/rekey_child_sa_job.h>
45 #include <processing/jobs/delete_child_sa_job.h>
46 #include <processing/jobs/update_sa_job.h>
47
48 /** required for Linux 2.6.26 kernel and later */
49 #ifndef XFRM_STATE_AF_UNSPEC
50 #define XFRM_STATE_AF_UNSPEC 32
51 #endif
52
53 /** default priority of installed policies */
54 #define PRIO_LOW 3000
55 #define PRIO_HIGH 2000
56
57 /**
58 * Create ORable bitfield of XFRM NL groups
59 */
60 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
61
62 /**
63 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
64 * 'usual' netlink data x like 'struct xfrm_usersa_info'
65 */
66 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
67 /**
68 * returns a pointer to the next rtattr following rta.
69 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
70 */
71 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
72 /**
73 * returns the total size of attached rta data
74 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
75 */
76 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
77
78 typedef struct kernel_algorithm_t kernel_algorithm_t;
79
80 /**
81 * Mapping of IKEv2 kernel identifier to linux crypto API names
82 */
83 struct kernel_algorithm_t {
84 /**
85 * Identifier specified in IKEv2
86 */
87 int ikev2;
88
89 /**
90 * Name of the algorithm in linux crypto API
91 */
92 char *name;
93 };
94
95 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
96 "XFRMA_UNSPEC",
97 "XFRMA_ALG_AUTH",
98 "XFRMA_ALG_CRYPT",
99 "XFRMA_ALG_COMP",
100 "XFRMA_ENCAP",
101 "XFRMA_TMPL",
102 "XFRMA_SA",
103 "XFRMA_POLICY",
104 "XFRMA_SEC_CTX",
105 "XFRMA_LTIME_VAL",
106 "XFRMA_REPLAY_VAL",
107 "XFRMA_REPLAY_THRESH",
108 "XFRMA_ETIMER_THRESH",
109 "XFRMA_SRCADDR",
110 "XFRMA_COADDR",
111 "XFRMA_LASTUSED",
112 "XFRMA_POLICY_TYPE",
113 "XFRMA_MIGRATE",
114 "XFRMA_ALG_AEAD",
115 "XFRMA_KMADDRESS"
116 );
117
118 #define END_OF_LIST -1
119
120 /**
121 * Algorithms for encryption
122 */
123 static kernel_algorithm_t encryption_algs[] = {
124 /* {ENCR_DES_IV64, "***" }, */
125 {ENCR_DES, "des" },
126 {ENCR_3DES, "des3_ede" },
127 /* {ENCR_RC5, "***" }, */
128 /* {ENCR_IDEA, "***" }, */
129 {ENCR_CAST, "cast128" },
130 {ENCR_BLOWFISH, "blowfish" },
131 /* {ENCR_3IDEA, "***" }, */
132 /* {ENCR_DES_IV32, "***" }, */
133 {ENCR_NULL, "cipher_null" },
134 {ENCR_AES_CBC, "aes" },
135 /* {ENCR_AES_CTR, "***" }, */
136 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
137 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
138 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
139 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
140 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
141 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
142 {END_OF_LIST, NULL },
143 };
144
145 /**
146 * Algorithms for integrity protection
147 */
148 static kernel_algorithm_t integrity_algs[] = {
149 {AUTH_HMAC_MD5_96, "md5" },
150 {AUTH_HMAC_SHA1_96, "sha1" },
151 {AUTH_HMAC_SHA2_256_128, "sha256" },
152 {AUTH_HMAC_SHA2_384_192, "sha384" },
153 {AUTH_HMAC_SHA2_512_256, "sha512" },
154 /* {AUTH_DES_MAC, "***" }, */
155 /* {AUTH_KPDK_MD5, "***" }, */
156 {AUTH_AES_XCBC_96, "xcbc(aes)" },
157 {END_OF_LIST, NULL },
158 };
159
160 /**
161 * Algorithms for IPComp
162 */
163 static kernel_algorithm_t compression_algs[] = {
164 /* {IPCOMP_OUI, "***" }, */
165 {IPCOMP_DEFLATE, "deflate" },
166 {IPCOMP_LZS, "lzs" },
167 {IPCOMP_LZJH, "lzjh" },
168 {END_OF_LIST, NULL },
169 };
170
171 /**
172 * Look up a kernel algorithm name and its key size
173 */
174 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
175 {
176 while (list->ikev2 != END_OF_LIST)
177 {
178 if (list->ikev2 == ikev2)
179 {
180 return list->name;
181 }
182 list++;
183 }
184 return NULL;
185 }
186
187 typedef struct route_entry_t route_entry_t;
188
189 /**
190 * installed routing entry
191 */
192 struct route_entry_t {
193 /** Name of the interface the route is bound to */
194 char *if_name;
195
196 /** Source ip of the route */
197 host_t *src_ip;
198
199 /** gateway for this route */
200 host_t *gateway;
201
202 /** Destination net */
203 chunk_t dst_net;
204
205 /** Destination net prefixlen */
206 u_int8_t prefixlen;
207 };
208
209 /**
210 * destroy an route_entry_t object
211 */
212 static void route_entry_destroy(route_entry_t *this)
213 {
214 free(this->if_name);
215 this->src_ip->destroy(this->src_ip);
216 this->gateway->destroy(this->gateway);
217 chunk_free(&this->dst_net);
218 free(this);
219 }
220
221 typedef struct policy_entry_t policy_entry_t;
222
223 /**
224 * installed kernel policy.
225 */
226 struct policy_entry_t {
227
228 /** direction of this policy: in, out, forward */
229 u_int8_t direction;
230
231 /** parameters of installed policy */
232 struct xfrm_selector sel;
233
234 /** associated route installed for this policy */
235 route_entry_t *route;
236
237 /** by how many CHILD_SA's this policy is used */
238 u_int refcount;
239 };
240
241 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
242
243 /**
244 * Private variables and functions of kernel_netlink class.
245 */
246 struct private_kernel_netlink_ipsec_t {
247 /**
248 * Public part of the kernel_netlink_t object.
249 */
250 kernel_netlink_ipsec_t public;
251
252 /**
253 * mutex to lock access to various lists
254 */
255 pthread_mutex_t mutex;
256
257 /**
258 * List of installed policies (policy_entry_t)
259 */
260 linked_list_t *policies;
261
262 /**
263 * job receiving netlink events
264 */
265 callback_job_t *job;
266
267 /**
268 * Netlink xfrm socket (IPsec)
269 */
270 netlink_socket_t *socket_xfrm;
271
272 /**
273 * netlink xfrm socket to receive acquire and expire events
274 */
275 int socket_xfrm_events;
276
277 /**
278 * whether to install routes along policies
279 */
280 bool install_routes;
281 };
282
283 /**
284 * convert a IKEv2 specific protocol identifier to the kernel one
285 */
286 static u_int8_t proto_ike2kernel(protocol_id_t proto)
287 {
288 switch (proto)
289 {
290 case PROTO_ESP:
291 return IPPROTO_ESP;
292 case PROTO_AH:
293 return IPPROTO_AH;
294 default:
295 return proto;
296 }
297 }
298
299 /**
300 * reverse of ike2kernel
301 */
302 static protocol_id_t proto_kernel2ike(u_int8_t proto)
303 {
304 switch (proto)
305 {
306 case IPPROTO_ESP:
307 return PROTO_ESP;
308 case IPPROTO_AH:
309 return PROTO_AH;
310 default:
311 return proto;
312 }
313 }
314
315 /**
316 * convert a host_t to a struct xfrm_address
317 */
318 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
319 {
320 chunk_t chunk = host->get_address(host);
321 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
322 }
323
324 /**
325 * convert a struct xfrm_address to a host_t
326 */
327 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
328 {
329 chunk_t chunk;
330
331 switch (family)
332 {
333 case AF_INET:
334 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
335 break;
336 case AF_INET6:
337 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
338 break;
339 default:
340 return NULL;
341 }
342 return host_create_from_chunk(family, chunk, ntohs(port));
343 }
344
345 /**
346 * convert a traffic selector address range to subnet and its mask.
347 */
348 static void ts2subnet(traffic_selector_t* ts,
349 xfrm_address_t *net, u_int8_t *mask)
350 {
351 host_t *net_host;
352 chunk_t net_chunk;
353
354 ts->to_subnet(ts, &net_host, mask);
355 net_chunk = net_host->get_address(net_host);
356 memcpy(net, net_chunk.ptr, net_chunk.len);
357 net_host->destroy(net_host);
358 }
359
360 /**
361 * convert a traffic selector port range to port/portmask
362 */
363 static void ts2ports(traffic_selector_t* ts,
364 u_int16_t *port, u_int16_t *mask)
365 {
366 /* linux does not seem to accept complex portmasks. Only
367 * any or a specific port is allowed. We set to any, if we have
368 * a port range, or to a specific, if we have one port only.
369 */
370 u_int16_t from, to;
371
372 from = ts->get_from_port(ts);
373 to = ts->get_to_port(ts);
374
375 if (from == to)
376 {
377 *port = htons(from);
378 *mask = ~0;
379 }
380 else
381 {
382 *port = 0;
383 *mask = 0;
384 }
385 }
386
387 /**
388 * convert a pair of traffic_selectors to a xfrm_selector
389 */
390 static struct xfrm_selector ts2selector(traffic_selector_t *src,
391 traffic_selector_t *dst)
392 {
393 struct xfrm_selector sel;
394
395 memset(&sel, 0, sizeof(sel));
396 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
397 /* src or dest proto may be "any" (0), use more restrictive one */
398 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
399 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
400 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
401 ts2ports(dst, &sel.dport, &sel.dport_mask);
402 ts2ports(src, &sel.sport, &sel.sport_mask);
403 sel.ifindex = 0;
404 sel.user = 0;
405
406 return sel;
407 }
408
409 /**
410 * convert a xfrm_selector to a src|dst traffic_selector
411 */
412 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
413 {
414 int family;
415 chunk_t addr;
416 u_int8_t prefixlen;
417 u_int16_t port, port_mask;
418 host_t *host;
419 traffic_selector_t *ts;
420
421 if (src)
422 {
423 addr.ptr = (u_char*)&sel->saddr;
424 prefixlen = sel->prefixlen_s;
425 port = sel->sport;
426 port_mask = sel->sport_mask;
427 }
428 else
429 {
430 addr.ptr = (u_char*)&sel->daddr;
431 prefixlen = sel->prefixlen_d;
432 port = sel->dport;
433 port_mask = sel->dport_mask;
434 }
435
436 /* The Linux 2.6 kernel does not set the selector's family field,
437 * so as a kludge we additionally test the prefix length.
438 */
439 if (sel->family == AF_INET || sel->prefixlen_s == 32)
440 {
441 family = AF_INET;
442 addr.len = 4;
443 }
444 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
445 {
446 family = AF_INET6;
447 addr.len = 16;
448 }
449 else
450 {
451 return NULL;
452 }
453 host = host_create_from_chunk(family, addr, 0);
454 port = (port_mask == 0) ? 0 : ntohs(port);
455
456 ts = traffic_selector_create_from_subnet(host, prefixlen, sel->proto, port);
457 host->destroy(host);
458 return ts;
459 }
460
461 /**
462 * process a XFRM_MSG_ACQUIRE from kernel
463 */
464 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
465 {
466 u_int32_t reqid = 0;
467 int proto = 0;
468 traffic_selector_t *src_ts, *dst_ts;
469 struct xfrm_user_acquire *acquire;
470 struct rtattr *rta;
471 size_t rtasize;
472 job_t *job;
473
474 acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
475 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
476 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
477
478 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
479
480 while (RTA_OK(rta, rtasize))
481 {
482 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
483
484 if (rta->rta_type == XFRMA_TMPL)
485 {
486 struct xfrm_user_tmpl* tmpl;
487
488 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
489 reqid = tmpl->reqid;
490 proto = tmpl->id.proto;
491 }
492 rta = RTA_NEXT(rta, rtasize);
493 }
494 switch (proto)
495 {
496 case 0:
497 case IPPROTO_ESP:
498 case IPPROTO_AH:
499 break;
500 default:
501 /* acquire for AH/ESP only, not for IPCOMP */
502 return;
503 }
504 src_ts = selector2ts(&acquire->sel, TRUE);
505 dst_ts = selector2ts(&acquire->sel, FALSE);
506 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
507 src_ts, dst_ts, reqid);
508 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
509 charon->processor->queue_job(charon->processor, job);
510 }
511
512 /**
513 * process a XFRM_MSG_EXPIRE from kernel
514 */
515 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
516 {
517 job_t *job;
518 protocol_id_t protocol;
519 u_int32_t spi, reqid;
520 struct xfrm_user_expire *expire;
521
522 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
523 protocol = proto_kernel2ike(expire->state.id.proto);
524 spi = expire->state.id.spi;
525 reqid = expire->state.reqid;
526
527 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
528
529 if (protocol != PROTO_ESP && protocol != PROTO_AH)
530 {
531 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
532 "which is not a CHILD_SA", ntohl(spi), reqid);
533 return;
534 }
535
536 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
537 expire->hard ? "delete" : "rekey", protocol_id_names,
538 protocol, ntohl(spi), reqid);
539 if (expire->hard)
540 {
541 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
542 }
543 else
544 {
545 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
546 }
547 charon->processor->queue_job(charon->processor, job);
548 }
549
550 /**
551 * process a XFRM_MSG_MIGRATE from kernel
552 */
553 static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
554 {
555 traffic_selector_t *src_ts, *dst_ts;
556 host_t *local = NULL, *remote = NULL;
557 host_t *old_src = NULL, *old_dst = NULL;
558 host_t *new_src = NULL, *new_dst = NULL;
559 struct xfrm_userpolicy_id *policy_id;
560 struct rtattr *rta;
561 size_t rtasize;
562 u_int32_t reqid = 0;
563 policy_dir_t dir;
564 job_t *job;
565
566 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
567 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
568 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
569
570 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
571
572 src_ts = selector2ts(&policy_id->sel, TRUE);
573 dst_ts = selector2ts(&policy_id->sel, FALSE);
574 dir = (policy_dir_t)policy_id->dir;
575
576 DBG2(DBG_KNL, " policy: %R === %R %N, index %u", src_ts, dst_ts,
577 policy_dir_names, dir, policy_id->index);
578
579 while (RTA_OK(rta, rtasize))
580 {
581 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
582 if (rta->rta_type == XFRMA_KMADDRESS)
583 {
584 struct xfrm_user_kmaddress *kmaddress;
585
586 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
587 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
588 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
589 DBG2(DBG_KNL, " %H...%H", local, remote);
590 }
591 else if (rta->rta_type == XFRMA_MIGRATE)
592 {
593 struct xfrm_user_migrate *migrate;
594 protocol_id_t proto;
595
596 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
597 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
598 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
599 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
600 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
601 proto = proto_kernel2ike(migrate->proto);
602 reqid = migrate->reqid;
603 DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}",
604 protocol_id_names, proto, old_src, old_dst,
605 new_src, new_dst, reqid);
606 DESTROY_IF(old_src);
607 DESTROY_IF(old_dst);
608 DESTROY_IF(new_src);
609 DESTROY_IF(new_dst);
610 }
611 rta = RTA_NEXT(rta, rtasize);
612 }
613
614 if (src_ts && dst_ts)
615 {
616 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
617 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
618 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
619 local, remote);
620 charon->processor->queue_job(charon->processor, job);
621 }
622 else
623 {
624 DESTROY_IF(src_ts);
625 DESTROY_IF(dst_ts);
626 DESTROY_IF(local);
627 DESTROY_IF(remote);
628 }
629 }
630
631 /**
632 * process a XFRM_MSG_MAPPING from kernel
633 */
634 static void process_mapping(private_kernel_netlink_ipsec_t *this,
635 struct nlmsghdr *hdr)
636 {
637 job_t *job;
638 u_int32_t spi, reqid;
639 struct xfrm_user_mapping *mapping;
640 host_t *host;
641
642 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
643 spi = mapping->id.spi;
644 reqid = mapping->reqid;
645
646 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
647
648 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
649 {
650 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
651 mapping->new_sport);
652 if (host)
653 {
654 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
655 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
656 job = (job_t*)update_sa_job_create(reqid, host);
657 charon->processor->queue_job(charon->processor, job);
658 }
659 }
660 }
661
662 /**
663 * Receives events from kernel
664 */
665 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
666 {
667 char response[1024];
668 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
669 struct sockaddr_nl addr;
670 socklen_t addr_len = sizeof(addr);
671 int len, oldstate;
672
673 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
674 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
675 (struct sockaddr*)&addr, &addr_len);
676 pthread_setcancelstate(oldstate, NULL);
677
678 if (len < 0)
679 {
680 switch (errno)
681 {
682 case EINTR:
683 /* interrupted, try again */
684 return JOB_REQUEUE_DIRECT;
685 case EAGAIN:
686 /* no data ready, select again */
687 return JOB_REQUEUE_DIRECT;
688 default:
689 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
690 sleep(1);
691 return JOB_REQUEUE_FAIR;
692 }
693 }
694
695 if (addr.nl_pid != 0)
696 { /* not from kernel. not interested, try another one */
697 return JOB_REQUEUE_DIRECT;
698 }
699
700 while (NLMSG_OK(hdr, len))
701 {
702 switch (hdr->nlmsg_type)
703 {
704 case XFRM_MSG_ACQUIRE:
705 process_acquire(this, hdr);
706 break;
707 case XFRM_MSG_EXPIRE:
708 process_expire(this, hdr);
709 break;
710 case XFRM_MSG_MIGRATE:
711 process_migrate(this, hdr);
712 break;
713 case XFRM_MSG_MAPPING:
714 process_mapping(this, hdr);
715 break;
716 default:
717 break;
718 }
719 hdr = NLMSG_NEXT(hdr, len);
720 }
721 return JOB_REQUEUE_DIRECT;
722 }
723
724 /**
725 * Get an SPI for a specific protocol from the kernel.
726 */
727 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
728 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
729 u_int32_t reqid, u_int32_t *spi)
730 {
731 unsigned char request[NETLINK_BUFFER_SIZE];
732 struct nlmsghdr *hdr, *out;
733 struct xfrm_userspi_info *userspi;
734 u_int32_t received_spi = 0;
735 size_t len;
736
737 memset(&request, 0, sizeof(request));
738
739 hdr = (struct nlmsghdr*)request;
740 hdr->nlmsg_flags = NLM_F_REQUEST;
741 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
742 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
743
744 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
745 host2xfrm(src, &userspi->info.saddr);
746 host2xfrm(dst, &userspi->info.id.daddr);
747 userspi->info.id.proto = proto;
748 userspi->info.mode = TRUE; /* tunnel mode */
749 userspi->info.reqid = reqid;
750 userspi->info.family = src->get_family(src);
751 userspi->min = min;
752 userspi->max = max;
753
754 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
755 {
756 hdr = out;
757 while (NLMSG_OK(hdr, len))
758 {
759 switch (hdr->nlmsg_type)
760 {
761 case XFRM_MSG_NEWSA:
762 {
763 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
764 received_spi = usersa->id.spi;
765 break;
766 }
767 case NLMSG_ERROR:
768 {
769 struct nlmsgerr *err = NLMSG_DATA(hdr);
770
771 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
772 strerror(-err->error), -err->error);
773 break;
774 }
775 default:
776 hdr = NLMSG_NEXT(hdr, len);
777 continue;
778 case NLMSG_DONE:
779 break;
780 }
781 break;
782 }
783 free(out);
784 }
785
786 if (received_spi == 0)
787 {
788 return FAILED;
789 }
790
791 *spi = received_spi;
792 return SUCCESS;
793 }
794
795 /**
796 * Implementation of kernel_interface_t.get_spi.
797 */
798 static status_t get_spi(private_kernel_netlink_ipsec_t *this,
799 host_t *src, host_t *dst,
800 protocol_id_t protocol, u_int32_t reqid,
801 u_int32_t *spi)
802 {
803 DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
804
805 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
806 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
807 {
808 DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
809 return FAILED;
810 }
811
812 DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
813
814 return SUCCESS;
815 }
816
817 /**
818 * Implementation of kernel_interface_t.get_cpi.
819 */
820 static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
821 host_t *src, host_t *dst,
822 u_int32_t reqid, u_int16_t *cpi)
823 {
824 u_int32_t received_spi = 0;
825
826 DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
827
828 if (get_spi_internal(this, src, dst,
829 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
830 {
831 DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
832 return FAILED;
833 }
834
835 *cpi = htons((u_int16_t)ntohl(received_spi));
836
837 DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
838
839 return SUCCESS;
840 }
841
842 /**
843 * Implementation of kernel_interface_t.add_sa.
844 */
845 static status_t add_sa(private_kernel_netlink_ipsec_t *this,
846 host_t *src, host_t *dst, u_int32_t spi,
847 protocol_id_t protocol, u_int32_t reqid,
848 u_int64_t expire_soft, u_int64_t expire_hard,
849 u_int16_t enc_alg, chunk_t enc_key,
850 u_int16_t int_alg, chunk_t int_key,
851 ipsec_mode_t mode, u_int16_t ipcomp, bool encap,
852 bool replace)
853 {
854 unsigned char request[NETLINK_BUFFER_SIZE];
855 char *alg_name;
856 struct nlmsghdr *hdr;
857 struct xfrm_usersa_info *sa;
858 u_int16_t icv_size = 64;
859
860 memset(&request, 0, sizeof(request));
861
862 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
863 ntohl(spi), reqid);
864
865 hdr = (struct nlmsghdr*)request;
866 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
867 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
868 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
869
870 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
871 host2xfrm(src, &sa->saddr);
872 host2xfrm(dst, &sa->id.daddr);
873 sa->id.spi = spi;
874 sa->id.proto = proto_ike2kernel(protocol);
875 sa->family = src->get_family(src);
876 sa->mode = mode;
877 if (mode == MODE_TUNNEL)
878 {
879 sa->flags |= XFRM_STATE_AF_UNSPEC;
880 }
881 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
882 sa->reqid = reqid;
883 /* we currently do not expire SAs by volume/packet count */
884 sa->lft.soft_byte_limit = XFRM_INF;
885 sa->lft.hard_byte_limit = XFRM_INF;
886 sa->lft.soft_packet_limit = XFRM_INF;
887 sa->lft.hard_packet_limit = XFRM_INF;
888 /* we use lifetimes since added, not since used */
889 sa->lft.soft_add_expires_seconds = expire_soft;
890 sa->lft.hard_add_expires_seconds = expire_hard;
891 sa->lft.soft_use_expires_seconds = 0;
892 sa->lft.hard_use_expires_seconds = 0;
893
894 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
895
896 switch (enc_alg)
897 {
898 case ENCR_UNDEFINED:
899 /* no encryption */
900 break;
901 case ENCR_AES_CCM_ICV16:
902 case ENCR_AES_GCM_ICV16:
903 icv_size += 32;
904 /* FALL */
905 case ENCR_AES_CCM_ICV12:
906 case ENCR_AES_GCM_ICV12:
907 icv_size += 32;
908 /* FALL */
909 case ENCR_AES_CCM_ICV8:
910 case ENCR_AES_GCM_ICV8:
911 {
912 rthdr->rta_type = XFRMA_ALG_AEAD;
913 alg_name = lookup_algorithm(encryption_algs, enc_alg);
914 if (alg_name == NULL)
915 {
916 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
917 encryption_algorithm_names, enc_alg);
918 return FAILED;
919 }
920 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
921 encryption_algorithm_names, enc_alg, enc_key.len * 8);
922
923 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
924 hdr->nlmsg_len += rthdr->rta_len;
925 if (hdr->nlmsg_len > sizeof(request))
926 {
927 return FAILED;
928 }
929
930 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
931 algo->alg_key_len = enc_key.len * 8;
932 algo->alg_icv_len = icv_size;
933 strcpy(algo->alg_name, alg_name);
934 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
935
936 rthdr = XFRM_RTA_NEXT(rthdr);
937 break;
938 }
939 default:
940 {
941 rthdr->rta_type = XFRMA_ALG_CRYPT;
942 alg_name = lookup_algorithm(encryption_algs, enc_alg);
943 if (alg_name == NULL)
944 {
945 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
946 encryption_algorithm_names, enc_alg);
947 return FAILED;
948 }
949 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
950 encryption_algorithm_names, enc_alg, enc_key.len * 8);
951
952 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
953 hdr->nlmsg_len += rthdr->rta_len;
954 if (hdr->nlmsg_len > sizeof(request))
955 {
956 return FAILED;
957 }
958
959 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
960 algo->alg_key_len = enc_key.len * 8;
961 strcpy(algo->alg_name, alg_name);
962 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
963
964 rthdr = XFRM_RTA_NEXT(rthdr);
965 break;
966 }
967 }
968
969 if (int_alg != AUTH_UNDEFINED)
970 {
971 rthdr->rta_type = XFRMA_ALG_AUTH;
972 alg_name = lookup_algorithm(integrity_algs, int_alg);
973 if (alg_name == NULL)
974 {
975 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
976 integrity_algorithm_names, int_alg);
977 return FAILED;
978 }
979 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
980 integrity_algorithm_names, int_alg, int_key.len * 8);
981
982 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
983 hdr->nlmsg_len += rthdr->rta_len;
984 if (hdr->nlmsg_len > sizeof(request))
985 {
986 return FAILED;
987 }
988
989 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
990 algo->alg_key_len = int_key.len * 8;
991 strcpy(algo->alg_name, alg_name);
992 memcpy(algo->alg_key, int_key.ptr, int_key.len);
993
994 rthdr = XFRM_RTA_NEXT(rthdr);
995 }
996
997 if (ipcomp != IPCOMP_NONE)
998 {
999 rthdr->rta_type = XFRMA_ALG_COMP;
1000 alg_name = lookup_algorithm(compression_algs, ipcomp);
1001 if (alg_name == NULL)
1002 {
1003 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1004 ipcomp_transform_names, ipcomp);
1005 return FAILED;
1006 }
1007 DBG2(DBG_KNL, " using compression algorithm %N",
1008 ipcomp_transform_names, ipcomp);
1009
1010 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
1011 hdr->nlmsg_len += rthdr->rta_len;
1012 if (hdr->nlmsg_len > sizeof(request))
1013 {
1014 return FAILED;
1015 }
1016
1017 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1018 algo->alg_key_len = 0;
1019 strcpy(algo->alg_name, alg_name);
1020
1021 rthdr = XFRM_RTA_NEXT(rthdr);
1022 }
1023
1024 if (encap)
1025 {
1026 rthdr->rta_type = XFRMA_ENCAP;
1027 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1028
1029 hdr->nlmsg_len += rthdr->rta_len;
1030 if (hdr->nlmsg_len > sizeof(request))
1031 {
1032 return FAILED;
1033 }
1034
1035 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1036 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1037 tmpl->encap_sport = htons(src->get_port(src));
1038 tmpl->encap_dport = htons(dst->get_port(dst));
1039 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1040 /* encap_oa could probably be derived from the
1041 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1042 * pluto does the same as we do here but it uses encap_oa in the
1043 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1044 * the kernel ignores it anyway
1045 * -> does that mean that NAT-T encap doesn't work in transport mode?
1046 * No. The reason the kernel ignores NAT-OA is that it recomputes
1047 * (or, rather, just ignores) the checksum. If packets pass
1048 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1049 rthdr = XFRM_RTA_NEXT(rthdr);
1050 }
1051
1052 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1053 {
1054 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1055 return FAILED;
1056 }
1057 return SUCCESS;
1058 }
1059
1060 /**
1061 * Get the replay state (i.e. sequence numbers) of an SA.
1062 */
1063 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
1064 u_int32_t spi, protocol_id_t protocol, host_t *dst,
1065 struct xfrm_replay_state *replay)
1066 {
1067 unsigned char request[NETLINK_BUFFER_SIZE];
1068 struct nlmsghdr *hdr, *out = NULL;
1069 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1070 size_t len;
1071 struct rtattr *rta;
1072 size_t rtasize;
1073
1074 memset(&request, 0, sizeof(request));
1075
1076 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
1077
1078 hdr = (struct nlmsghdr*)request;
1079 hdr->nlmsg_flags = NLM_F_REQUEST;
1080 hdr->nlmsg_type = XFRM_MSG_GETAE;
1081 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1082
1083 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1084 aevent_id->flags = XFRM_AE_RVAL;
1085
1086 host2xfrm(dst, &aevent_id->sa_id.daddr);
1087 aevent_id->sa_id.spi = spi;
1088 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
1089 aevent_id->sa_id.family = dst->get_family(dst);
1090
1091 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1092 {
1093 hdr = out;
1094 while (NLMSG_OK(hdr, len))
1095 {
1096 switch (hdr->nlmsg_type)
1097 {
1098 case XFRM_MSG_NEWAE:
1099 {
1100 out_aevent = NLMSG_DATA(hdr);
1101 break;
1102 }
1103 case NLMSG_ERROR:
1104 {
1105 struct nlmsgerr *err = NLMSG_DATA(hdr);
1106 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
1107 strerror(-err->error), -err->error);
1108 break;
1109 }
1110 default:
1111 hdr = NLMSG_NEXT(hdr, len);
1112 continue;
1113 case NLMSG_DONE:
1114 break;
1115 }
1116 break;
1117 }
1118 }
1119
1120 if (out_aevent == NULL)
1121 {
1122 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1123 ntohl(spi));
1124 free(out);
1125 return FAILED;
1126 }
1127
1128 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1129 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1130 while(RTA_OK(rta, rtasize))
1131 {
1132 if (rta->rta_type == XFRMA_REPLAY_VAL)
1133 {
1134 memcpy(replay, RTA_DATA(rta), rta->rta_len);
1135 free(out);
1136 return SUCCESS;
1137 }
1138 rta = RTA_NEXT(rta, rtasize);
1139 }
1140
1141 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1142 ntohl(spi));
1143 free(out);
1144 return FAILED;
1145 }
1146
1147 /**
1148 * Implementation of kernel_interface_t.update_sa.
1149 */
1150 static status_t update_sa(private_kernel_netlink_ipsec_t *this,
1151 u_int32_t spi, protocol_id_t protocol,
1152 host_t *src, host_t *dst,
1153 host_t *new_src, host_t *new_dst, bool encap)
1154 {
1155 unsigned char request[NETLINK_BUFFER_SIZE], *pos;
1156 struct nlmsghdr *hdr, *out = NULL;
1157 struct xfrm_usersa_id *sa_id;
1158 struct xfrm_usersa_info *out_sa = NULL, *sa;
1159 size_t len;
1160 struct rtattr *rta;
1161 size_t rtasize;
1162 struct xfrm_encap_tmpl* tmpl = NULL;
1163 bool got_replay_state;
1164 struct xfrm_replay_state replay;
1165
1166 memset(&request, 0, sizeof(request));
1167
1168 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1169
1170 /* query the existing SA first */
1171 hdr = (struct nlmsghdr*)request;
1172 hdr->nlmsg_flags = NLM_F_REQUEST;
1173 hdr->nlmsg_type = XFRM_MSG_GETSA;
1174 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1175
1176 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1177 host2xfrm(dst, &sa_id->daddr);
1178 sa_id->spi = spi;
1179 sa_id->proto = proto_ike2kernel(protocol);
1180 sa_id->family = dst->get_family(dst);
1181
1182 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1183 {
1184 hdr = out;
1185 while (NLMSG_OK(hdr, len))
1186 {
1187 switch (hdr->nlmsg_type)
1188 {
1189 case XFRM_MSG_NEWSA:
1190 {
1191 out_sa = NLMSG_DATA(hdr);
1192 break;
1193 }
1194 case NLMSG_ERROR:
1195 {
1196 struct nlmsgerr *err = NLMSG_DATA(hdr);
1197 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1198 strerror(-err->error), -err->error);
1199 break;
1200 }
1201 default:
1202 hdr = NLMSG_NEXT(hdr, len);
1203 continue;
1204 case NLMSG_DONE:
1205 break;
1206 }
1207 break;
1208 }
1209 }
1210 if (out_sa == NULL)
1211 {
1212 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1213 free(out);
1214 return FAILED;
1215 }
1216
1217 /* try to get the replay state */
1218 got_replay_state = (get_replay_state(
1219 this, spi, protocol, dst, &replay) == SUCCESS);
1220
1221 /* delete the old SA */
1222 if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
1223 {
1224 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1225 free(out);
1226 return FAILED;
1227 }
1228
1229 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1230 ntohl(spi), src, dst, new_src, new_dst);
1231
1232 /* copy over the SA from out to request */
1233 hdr = (struct nlmsghdr*)request;
1234 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1235 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1236 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1237 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1238 sa = NLMSG_DATA(hdr);
1239 sa->family = new_dst->get_family(new_dst);
1240
1241 if (!src->ip_equals(src, new_src))
1242 {
1243 host2xfrm(new_src, &sa->saddr);
1244 }
1245 if (!dst->ip_equals(dst, new_dst))
1246 {
1247 host2xfrm(new_dst, &sa->id.daddr);
1248 }
1249
1250 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1251 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1252 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1253 while(RTA_OK(rta, rtasize))
1254 {
1255 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1256 if (rta->rta_type != XFRMA_ENCAP || encap)
1257 {
1258 if (rta->rta_type == XFRMA_ENCAP)
1259 { /* update encap tmpl */
1260 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1261 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1262 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1263 }
1264 memcpy(pos, rta, rta->rta_len);
1265 pos += RTA_ALIGN(rta->rta_len);
1266 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1267 }
1268 rta = RTA_NEXT(rta, rtasize);
1269 }
1270
1271 rta = (struct rtattr*)pos;
1272 if (tmpl == NULL && encap)
1273 { /* add tmpl if we are enabling it */
1274 rta->rta_type = XFRMA_ENCAP;
1275 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1276
1277 hdr->nlmsg_len += rta->rta_len;
1278 if (hdr->nlmsg_len > sizeof(request))
1279 {
1280 return FAILED;
1281 }
1282
1283 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1284 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1285 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1286 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1287 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1288
1289 rta = XFRM_RTA_NEXT(rta);
1290 }
1291
1292 if (got_replay_state)
1293 { /* copy the replay data if available */
1294 rta->rta_type = XFRMA_REPLAY_VAL;
1295 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1296
1297 hdr->nlmsg_len += rta->rta_len;
1298 if (hdr->nlmsg_len > sizeof(request))
1299 {
1300 return FAILED;
1301 }
1302 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1303
1304 rta = XFRM_RTA_NEXT(rta);
1305 }
1306
1307 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1308 {
1309 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1310 free(out);
1311 return FAILED;
1312 }
1313 free(out);
1314
1315 return SUCCESS;
1316 }
1317
1318 /**
1319 * Implementation of kernel_interface_t.del_sa.
1320 */
1321 static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
1322 u_int32_t spi, protocol_id_t protocol)
1323 {
1324 unsigned char request[NETLINK_BUFFER_SIZE];
1325 struct nlmsghdr *hdr;
1326 struct xfrm_usersa_id *sa_id;
1327
1328 memset(&request, 0, sizeof(request));
1329
1330 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1331
1332 hdr = (struct nlmsghdr*)request;
1333 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1334 hdr->nlmsg_type = XFRM_MSG_DELSA;
1335 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1336
1337 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1338 host2xfrm(dst, &sa_id->daddr);
1339 sa_id->spi = spi;
1340 sa_id->proto = proto_ike2kernel(protocol);
1341 sa_id->family = dst->get_family(dst);
1342
1343 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1344 {
1345 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1346 return FAILED;
1347 }
1348 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1349 return SUCCESS;
1350 }
1351
1352 /**
1353 * Implementation of kernel_interface_t.add_policy.
1354 */
1355 static status_t add_policy(private_kernel_netlink_ipsec_t *this,
1356 host_t *src, host_t *dst,
1357 traffic_selector_t *src_ts,
1358 traffic_selector_t *dst_ts,
1359 policy_dir_t direction, protocol_id_t protocol,
1360 u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
1361 u_int16_t ipcomp)
1362 {
1363 iterator_t *iterator;
1364 policy_entry_t *current, *policy;
1365 bool found = FALSE;
1366 unsigned char request[NETLINK_BUFFER_SIZE];
1367 struct xfrm_userpolicy_info *policy_info;
1368 struct nlmsghdr *hdr;
1369
1370 /* create a policy */
1371 policy = malloc_thing(policy_entry_t);
1372 memset(policy, 0, sizeof(policy_entry_t));
1373 policy->sel = ts2selector(src_ts, dst_ts);
1374 policy->direction = direction;
1375
1376 /* find the policy, which matches EXACTLY */
1377 pthread_mutex_lock(&this->mutex);
1378 iterator = this->policies->create_iterator(this->policies, TRUE);
1379 while (iterator->iterate(iterator, (void**)&current))
1380 {
1381 if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
1382 policy->direction == current->direction)
1383 {
1384 /* use existing policy */
1385 current->refcount++;
1386 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1387 "refcount", src_ts, dst_ts,
1388 policy_dir_names, direction);
1389 free(policy);
1390 policy = current;
1391 found = TRUE;
1392 break;
1393 }
1394 }
1395 iterator->destroy(iterator);
1396 if (!found)
1397 { /* apply the new one, if we have no such policy */
1398 this->policies->insert_last(this->policies, policy);
1399 policy->refcount = 1;
1400 }
1401
1402 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1403 policy_dir_names, direction);
1404
1405 memset(&request, 0, sizeof(request));
1406 hdr = (struct nlmsghdr*)request;
1407 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1408 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1409 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1410
1411 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1412 policy_info->sel = policy->sel;
1413 policy_info->dir = policy->direction;
1414 /* calculate priority based on source selector size, small size = high prio */
1415 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1416 policy_info->priority -= policy->sel.prefixlen_s * 10;
1417 policy_info->priority -= policy->sel.proto ? 2 : 0;
1418 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1419 policy_info->action = XFRM_POLICY_ALLOW;
1420 policy_info->share = XFRM_SHARE_ANY;
1421 pthread_mutex_unlock(&this->mutex);
1422
1423 /* policies don't expire */
1424 policy_info->lft.soft_byte_limit = XFRM_INF;
1425 policy_info->lft.soft_packet_limit = XFRM_INF;
1426 policy_info->lft.hard_byte_limit = XFRM_INF;
1427 policy_info->lft.hard_packet_limit = XFRM_INF;
1428 policy_info->lft.soft_add_expires_seconds = 0;
1429 policy_info->lft.hard_add_expires_seconds = 0;
1430 policy_info->lft.soft_use_expires_seconds = 0;
1431 policy_info->lft.hard_use_expires_seconds = 0;
1432
1433 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1434 rthdr->rta_type = XFRMA_TMPL;
1435 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1436
1437 hdr->nlmsg_len += rthdr->rta_len;
1438 if (hdr->nlmsg_len > sizeof(request))
1439 {
1440 return FAILED;
1441 }
1442
1443 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1444
1445 if (ipcomp != IPCOMP_NONE)
1446 {
1447 tmpl->reqid = reqid;
1448 tmpl->id.proto = IPPROTO_COMP;
1449 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1450 tmpl->mode = mode;
1451 tmpl->optional = direction != POLICY_OUT;
1452 tmpl->family = src->get_family(src);
1453
1454 host2xfrm(src, &tmpl->saddr);
1455 host2xfrm(dst, &tmpl->id.daddr);
1456
1457 /* add an additional xfrm_user_tmpl */
1458 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1459 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1460 if (hdr->nlmsg_len > sizeof(request))
1461 {
1462 return FAILED;
1463 }
1464
1465 tmpl++;
1466 }
1467
1468 tmpl->reqid = reqid;
1469 tmpl->id.proto = proto_ike2kernel(protocol);
1470 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1471 tmpl->mode = mode;
1472 tmpl->family = src->get_family(src);
1473
1474 host2xfrm(src, &tmpl->saddr);
1475 host2xfrm(dst, &tmpl->id.daddr);
1476
1477 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1478 {
1479 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1480 policy_dir_names, direction);
1481 return FAILED;
1482 }
1483
1484 /* install a route, if:
1485 * - we are NOT updating a policy
1486 * - this is a forward policy (to just get one for each child)
1487 * - we are in tunnel mode
1488 * - we are not using IPv6 (does not work correctly yet!)
1489 * - routing is not disabled via strongswan.conf
1490 */
1491 if (policy->route == NULL && direction == POLICY_FWD &&
1492 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1493 this->install_routes)
1494 {
1495 route_entry_t *route = malloc_thing(route_entry_t);
1496
1497 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1498 dst_ts, &route->src_ip) == SUCCESS)
1499 {
1500 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1501 route->gateway = charon->kernel_interface->get_nexthop(
1502 charon->kernel_interface, src);
1503 route->if_name = charon->kernel_interface->get_interface(
1504 charon->kernel_interface, dst);
1505 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1506 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1507 route->prefixlen = policy->sel.prefixlen_s;
1508
1509 if (route->if_name)
1510 {
1511 switch (charon->kernel_interface->add_route(
1512 charon->kernel_interface, route->dst_net,
1513 route->prefixlen, route->gateway,
1514 route->src_ip, route->if_name))
1515 {
1516 default:
1517 DBG1(DBG_KNL, "unable to install source route for %H",
1518 route->src_ip);
1519 /* FALL */
1520 case ALREADY_DONE:
1521 /* route exists, do not uninstall */
1522 route_entry_destroy(route);
1523 break;
1524 case SUCCESS:
1525 /* cache the installed route */
1526 policy->route = route;
1527 break;
1528 }
1529 }
1530 else
1531 {
1532 route_entry_destroy(route);
1533 }
1534 }
1535 else
1536 {
1537 free(route);
1538 }
1539 }
1540 return SUCCESS;
1541 }
1542
1543 /**
1544 * Implementation of kernel_interface_t.query_policy.
1545 */
1546 static status_t query_policy(private_kernel_netlink_ipsec_t *this,
1547 traffic_selector_t *src_ts,
1548 traffic_selector_t *dst_ts,
1549 policy_dir_t direction, u_int32_t *use_time)
1550 {
1551 unsigned char request[NETLINK_BUFFER_SIZE];
1552 struct nlmsghdr *out = NULL, *hdr;
1553 struct xfrm_userpolicy_id *policy_id;
1554 struct xfrm_userpolicy_info *policy = NULL;
1555 size_t len;
1556
1557 memset(&request, 0, sizeof(request));
1558
1559 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1560 policy_dir_names, direction);
1561
1562 hdr = (struct nlmsghdr*)request;
1563 hdr->nlmsg_flags = NLM_F_REQUEST;
1564 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1565 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1566
1567 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1568 policy_id->sel = ts2selector(src_ts, dst_ts);
1569 policy_id->dir = direction;
1570
1571 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1572 {
1573 hdr = out;
1574 while (NLMSG_OK(hdr, len))
1575 {
1576 switch (hdr->nlmsg_type)
1577 {
1578 case XFRM_MSG_NEWPOLICY:
1579 {
1580 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1581 break;
1582 }
1583 case NLMSG_ERROR:
1584 {
1585 struct nlmsgerr *err = NLMSG_DATA(hdr);
1586 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1587 strerror(-err->error), -err->error);
1588 break;
1589 }
1590 default:
1591 hdr = NLMSG_NEXT(hdr, len);
1592 continue;
1593 case NLMSG_DONE:
1594 break;
1595 }
1596 break;
1597 }
1598 }
1599
1600 if (policy == NULL)
1601 {
1602 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1603 policy_dir_names, direction);
1604 free(out);
1605 return FAILED;
1606 }
1607 *use_time = (time_t)policy->curlft.use_time;
1608
1609 free(out);
1610 return SUCCESS;
1611 }
1612
1613 /**
1614 * Implementation of kernel_interface_t.del_policy.
1615 */
1616 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
1617 traffic_selector_t *src_ts,
1618 traffic_selector_t *dst_ts,
1619 policy_dir_t direction)
1620 {
1621 policy_entry_t *current, policy, *to_delete = NULL;
1622 route_entry_t *route;
1623 unsigned char request[NETLINK_BUFFER_SIZE];
1624 struct nlmsghdr *hdr;
1625 struct xfrm_userpolicy_id *policy_id;
1626 iterator_t *iterator;
1627
1628 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1629 policy_dir_names, direction);
1630
1631 /* create a policy */
1632 memset(&policy, 0, sizeof(policy_entry_t));
1633 policy.sel = ts2selector(src_ts, dst_ts);
1634 policy.direction = direction;
1635
1636 /* find the policy */
1637 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
1638 while (iterator->iterate(iterator, (void**)&current))
1639 {
1640 if (memeq(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) &&
1641 policy.direction == current->direction)
1642 {
1643 to_delete = current;
1644 if (--to_delete->refcount > 0)
1645 {
1646 /* is used by more SAs, keep in kernel */
1647 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1648 iterator->destroy(iterator);
1649 return SUCCESS;
1650 }
1651 /* remove if last reference */
1652 iterator->remove(iterator);
1653 break;
1654 }
1655 }
1656 iterator->destroy(iterator);
1657 if (!to_delete)
1658 {
1659 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1660 dst_ts, policy_dir_names, direction);
1661 return NOT_FOUND;
1662 }
1663
1664 memset(&request, 0, sizeof(request));
1665
1666 hdr = (struct nlmsghdr*)request;
1667 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1668 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1669 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1670
1671 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1672 policy_id->sel = to_delete->sel;
1673 policy_id->dir = direction;
1674
1675 route = to_delete->route;
1676 free(to_delete);
1677
1678 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1679 {
1680 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1681 policy_dir_names, direction);
1682 return FAILED;
1683 }
1684
1685 if (route)
1686 {
1687 if (charon->kernel_interface->del_route(charon->kernel_interface,
1688 route->dst_net, route->prefixlen, route->gateway,
1689 route->src_ip, route->if_name) != SUCCESS)
1690 {
1691 DBG1(DBG_KNL, "error uninstalling route installed with "
1692 "policy %R === %R %N", src_ts, dst_ts,
1693 policy_dir_names, direction);
1694 }
1695 route_entry_destroy(route);
1696 }
1697 return SUCCESS;
1698 }
1699
1700 /**
1701 * Implementation of kernel_interface_t.destroy.
1702 */
1703 static void destroy(private_kernel_netlink_ipsec_t *this)
1704 {
1705 this->job->cancel(this->job);
1706 close(this->socket_xfrm_events);
1707 this->socket_xfrm->destroy(this->socket_xfrm);
1708 this->policies->destroy(this->policies);
1709 free(this);
1710 }
1711
1712 /*
1713 * Described in header.
1714 */
1715 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
1716 {
1717 private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
1718 struct sockaddr_nl addr;
1719
1720 /* public functions */
1721 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1722 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1723 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
1724 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
1725 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1726 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
1727 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1728 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1729 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1730
1731 /* private members */
1732 this->policies = linked_list_create();
1733 pthread_mutex_init(&this->mutex, NULL);
1734 this->install_routes = lib->settings->get_bool(lib->settings,
1735 "charon.install_routes", TRUE);
1736
1737 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
1738
1739 memset(&addr, 0, sizeof(addr));
1740 addr.nl_family = AF_NETLINK;
1741
1742 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
1743 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1744 if (this->socket_xfrm_events <= 0)
1745 {
1746 charon->kill(charon, "unable to create XFRM event socket");
1747 }
1748 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
1749 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
1750 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
1751 {
1752 charon->kill(charon, "unable to bind XFRM event socket");
1753 }
1754
1755 this->job = callback_job_create((callback_job_cb_t)receive_events,
1756 this, NULL, NULL);
1757 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1758
1759 return &this->public;
1760 }