projects / strongswan.git / blob
? search:


6f1d93f27c29872c05232f2a81ea5fa60f507653
[strongswan.git] / src / charon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 *
20 * $Id$
21 */
22
23 #include <sys/types.h>
24 #include <sys/socket.h>
25 #include <sys/time.h>
26 #include <linux/netlink.h>
27 #include <linux/rtnetlink.h>
28 #include <linux/xfrm.h>
29 #include <linux/udp.h>
30 #include <netinet/in.h>
31 #include <pthread.h>
32 #include <unistd.h>
33 #include <errno.h>
34 #include <string.h>
35
36 #include "kernel_netlink_ipsec.h"
37 #include "kernel_netlink_shared.h"
38
39 #include <daemon.h>
40 #include <utils/mutex.h>
41 #include <utils/linked_list.h>
42 #include <processing/jobs/callback_job.h>
43 #include <processing/jobs/acquire_job.h>
44 #include <processing/jobs/migrate_job.h>
45 #include <processing/jobs/rekey_child_sa_job.h>
46 #include <processing/jobs/delete_child_sa_job.h>
47 #include <processing/jobs/update_sa_job.h>
48
49 /** required for Linux 2.6.26 kernel and later */
50 #ifndef XFRM_STATE_AF_UNSPEC
51 #define XFRM_STATE_AF_UNSPEC 32
52 #endif
53
54 /** default priority of installed policies */
55 #define PRIO_LOW 3000
56 #define PRIO_HIGH 2000
57
58 /**
59 * Create ORable bitfield of XFRM NL groups
60 */
61 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
62
63 /**
64 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
65 * 'usual' netlink data x like 'struct xfrm_usersa_info'
66 */
67 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
68 /**
69 * returns a pointer to the next rtattr following rta.
70 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
71 */
72 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
73 /**
74 * returns the total size of attached rta data
75 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
76 */
77 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
78
79 typedef struct kernel_algorithm_t kernel_algorithm_t;
80
81 /**
82 * Mapping of IKEv2 kernel identifier to linux crypto API names
83 */
84 struct kernel_algorithm_t {
85 /**
86 * Identifier specified in IKEv2
87 */
88 int ikev2;
89
90 /**
91 * Name of the algorithm in linux crypto API
92 */
93 char *name;
94 };
95
96 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
97 "XFRMA_UNSPEC",
98 "XFRMA_ALG_AUTH",
99 "XFRMA_ALG_CRYPT",
100 "XFRMA_ALG_COMP",
101 "XFRMA_ENCAP",
102 "XFRMA_TMPL",
103 "XFRMA_SA",
104 "XFRMA_POLICY",
105 "XFRMA_SEC_CTX",
106 "XFRMA_LTIME_VAL",
107 "XFRMA_REPLAY_VAL",
108 "XFRMA_REPLAY_THRESH",
109 "XFRMA_ETIMER_THRESH",
110 "XFRMA_SRCADDR",
111 "XFRMA_COADDR",
112 "XFRMA_LASTUSED",
113 "XFRMA_POLICY_TYPE",
114 "XFRMA_MIGRATE",
115 "XFRMA_ALG_AEAD",
116 "XFRMA_KMADDRESS"
117 );
118
119 #define END_OF_LIST -1
120
121 /**
122 * Algorithms for encryption
123 */
124 static kernel_algorithm_t encryption_algs[] = {
125 /* {ENCR_DES_IV64, "***" }, */
126 {ENCR_DES, "des" },
127 {ENCR_3DES, "des3_ede" },
128 /* {ENCR_RC5, "***" }, */
129 /* {ENCR_IDEA, "***" }, */
130 {ENCR_CAST, "cast128" },
131 {ENCR_BLOWFISH, "blowfish" },
132 /* {ENCR_3IDEA, "***" }, */
133 /* {ENCR_DES_IV32, "***" }, */
134 {ENCR_NULL, "cipher_null" },
135 {ENCR_AES_CBC, "aes" },
136 /* {ENCR_AES_CTR, "***" }, */
137 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
138 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
139 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
140 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
141 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
142 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
143 {END_OF_LIST, NULL },
144 };
145
146 /**
147 * Algorithms for integrity protection
148 */
149 static kernel_algorithm_t integrity_algs[] = {
150 {AUTH_HMAC_MD5_96, "md5" },
151 {AUTH_HMAC_SHA1_96, "sha1" },
152 {AUTH_HMAC_SHA2_256_128, "sha256" },
153 {AUTH_HMAC_SHA2_384_192, "sha384" },
154 {AUTH_HMAC_SHA2_512_256, "sha512" },
155 /* {AUTH_DES_MAC, "***" }, */
156 /* {AUTH_KPDK_MD5, "***" }, */
157 {AUTH_AES_XCBC_96, "xcbc(aes)" },
158 {END_OF_LIST, NULL },
159 };
160
161 /**
162 * Algorithms for IPComp
163 */
164 static kernel_algorithm_t compression_algs[] = {
165 /* {IPCOMP_OUI, "***" }, */
166 {IPCOMP_DEFLATE, "deflate" },
167 {IPCOMP_LZS, "lzs" },
168 {IPCOMP_LZJH, "lzjh" },
169 {END_OF_LIST, NULL },
170 };
171
172 /**
173 * Look up a kernel algorithm name and its key size
174 */
175 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
176 {
177 while (list->ikev2 != END_OF_LIST)
178 {
179 if (list->ikev2 == ikev2)
180 {
181 return list->name;
182 }
183 list++;
184 }
185 return NULL;
186 }
187
188 typedef struct route_entry_t route_entry_t;
189
190 /**
191 * installed routing entry
192 */
193 struct route_entry_t {
194 /** Name of the interface the route is bound to */
195 char *if_name;
196
197 /** Source ip of the route */
198 host_t *src_ip;
199
200 /** gateway for this route */
201 host_t *gateway;
202
203 /** Destination net */
204 chunk_t dst_net;
205
206 /** Destination net prefixlen */
207 u_int8_t prefixlen;
208 };
209
210 /**
211 * destroy an route_entry_t object
212 */
213 static void route_entry_destroy(route_entry_t *this)
214 {
215 free(this->if_name);
216 this->src_ip->destroy(this->src_ip);
217 this->gateway->destroy(this->gateway);
218 chunk_free(&this->dst_net);
219 free(this);
220 }
221
222 typedef struct policy_entry_t policy_entry_t;
223
224 /**
225 * installed kernel policy.
226 */
227 struct policy_entry_t {
228
229 /** direction of this policy: in, out, forward */
230 u_int8_t direction;
231
232 /** parameters of installed policy */
233 struct xfrm_selector sel;
234
235 /** associated route installed for this policy */
236 route_entry_t *route;
237
238 /** by how many CHILD_SA's this policy is used */
239 u_int refcount;
240 };
241
242 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
243
244 /**
245 * Private variables and functions of kernel_netlink class.
246 */
247 struct private_kernel_netlink_ipsec_t {
248 /**
249 * Public part of the kernel_netlink_t object.
250 */
251 kernel_netlink_ipsec_t public;
252
253 /**
254 * mutex to lock access to various lists
255 */
256 mutex_t *mutex;
257
258 /**
259 * List of installed policies (policy_entry_t)
260 */
261 linked_list_t *policies;
262
263 /**
264 * job receiving netlink events
265 */
266 callback_job_t *job;
267
268 /**
269 * Netlink xfrm socket (IPsec)
270 */
271 netlink_socket_t *socket_xfrm;
272
273 /**
274 * netlink xfrm socket to receive acquire and expire events
275 */
276 int socket_xfrm_events;
277
278 /**
279 * whether to install routes along policies
280 */
281 bool install_routes;
282 };
283
284 /**
285 * convert a IKEv2 specific protocol identifier to the kernel one
286 */
287 static u_int8_t proto_ike2kernel(protocol_id_t proto)
288 {
289 switch (proto)
290 {
291 case PROTO_ESP:
292 return IPPROTO_ESP;
293 case PROTO_AH:
294 return IPPROTO_AH;
295 default:
296 return proto;
297 }
298 }
299
300 /**
301 * reverse of ike2kernel
302 */
303 static protocol_id_t proto_kernel2ike(u_int8_t proto)
304 {
305 switch (proto)
306 {
307 case IPPROTO_ESP:
308 return PROTO_ESP;
309 case IPPROTO_AH:
310 return PROTO_AH;
311 default:
312 return proto;
313 }
314 }
315
316 /**
317 * convert a host_t to a struct xfrm_address
318 */
319 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
320 {
321 chunk_t chunk = host->get_address(host);
322 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
323 }
324
325 /**
326 * convert a struct xfrm_address to a host_t
327 */
328 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
329 {
330 chunk_t chunk;
331
332 switch (family)
333 {
334 case AF_INET:
335 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
336 break;
337 case AF_INET6:
338 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
339 break;
340 default:
341 return NULL;
342 }
343 return host_create_from_chunk(family, chunk, ntohs(port));
344 }
345
346 /**
347 * convert a traffic selector address range to subnet and its mask.
348 */
349 static void ts2subnet(traffic_selector_t* ts,
350 xfrm_address_t *net, u_int8_t *mask)
351 {
352 host_t *net_host;
353 chunk_t net_chunk;
354
355 ts->to_subnet(ts, &net_host, mask);
356 net_chunk = net_host->get_address(net_host);
357 memcpy(net, net_chunk.ptr, net_chunk.len);
358 net_host->destroy(net_host);
359 }
360
361 /**
362 * convert a traffic selector port range to port/portmask
363 */
364 static void ts2ports(traffic_selector_t* ts,
365 u_int16_t *port, u_int16_t *mask)
366 {
367 /* linux does not seem to accept complex portmasks. Only
368 * any or a specific port is allowed. We set to any, if we have
369 * a port range, or to a specific, if we have one port only.
370 */
371 u_int16_t from, to;
372
373 from = ts->get_from_port(ts);
374 to = ts->get_to_port(ts);
375
376 if (from == to)
377 {
378 *port = htons(from);
379 *mask = ~0;
380 }
381 else
382 {
383 *port = 0;
384 *mask = 0;
385 }
386 }
387
388 /**
389 * convert a pair of traffic_selectors to a xfrm_selector
390 */
391 static struct xfrm_selector ts2selector(traffic_selector_t *src,
392 traffic_selector_t *dst)
393 {
394 struct xfrm_selector sel;
395
396 memset(&sel, 0, sizeof(sel));
397 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
398 /* src or dest proto may be "any" (0), use more restrictive one */
399 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
400 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
401 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
402 ts2ports(dst, &sel.dport, &sel.dport_mask);
403 ts2ports(src, &sel.sport, &sel.sport_mask);
404 sel.ifindex = 0;
405 sel.user = 0;
406
407 return sel;
408 }
409
410 /**
411 * convert a xfrm_selector to a src|dst traffic_selector
412 */
413 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
414 {
415 int family;
416 chunk_t addr;
417 u_int8_t prefixlen;
418 u_int16_t port, port_mask;
419 host_t *host;
420 traffic_selector_t *ts;
421
422 if (src)
423 {
424 addr.ptr = (u_char*)&sel->saddr;
425 prefixlen = sel->prefixlen_s;
426 port = sel->sport;
427 port_mask = sel->sport_mask;
428 }
429 else
430 {
431 addr.ptr = (u_char*)&sel->daddr;
432 prefixlen = sel->prefixlen_d;
433 port = sel->dport;
434 port_mask = sel->dport_mask;
435 }
436
437 /* The Linux 2.6 kernel does not set the selector's family field,
438 * so as a kludge we additionally test the prefix length.
439 */
440 if (sel->family == AF_INET || sel->prefixlen_s == 32)
441 {
442 family = AF_INET;
443 addr.len = 4;
444 }
445 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
446 {
447 family = AF_INET6;
448 addr.len = 16;
449 }
450 else
451 {
452 return NULL;
453 }
454 host = host_create_from_chunk(family, addr, 0);
455 port = (port_mask == 0) ? 0 : ntohs(port);
456
457 ts = traffic_selector_create_from_subnet(host, prefixlen, sel->proto, port);
458 host->destroy(host);
459 return ts;
460 }
461
462 /**
463 * process a XFRM_MSG_ACQUIRE from kernel
464 */
465 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
466 {
467 u_int32_t reqid = 0;
468 int proto = 0;
469 traffic_selector_t *src_ts, *dst_ts;
470 struct xfrm_user_acquire *acquire;
471 struct rtattr *rta;
472 size_t rtasize;
473 job_t *job;
474
475 acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
476 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
477 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
478
479 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
480
481 while (RTA_OK(rta, rtasize))
482 {
483 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
484
485 if (rta->rta_type == XFRMA_TMPL)
486 {
487 struct xfrm_user_tmpl* tmpl;
488
489 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
490 reqid = tmpl->reqid;
491 proto = tmpl->id.proto;
492 }
493 rta = RTA_NEXT(rta, rtasize);
494 }
495 switch (proto)
496 {
497 case 0:
498 case IPPROTO_ESP:
499 case IPPROTO_AH:
500 break;
501 default:
502 /* acquire for AH/ESP only, not for IPCOMP */
503 return;
504 }
505 src_ts = selector2ts(&acquire->sel, TRUE);
506 dst_ts = selector2ts(&acquire->sel, FALSE);
507 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
508 src_ts, dst_ts, reqid);
509 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
510 charon->processor->queue_job(charon->processor, job);
511 }
512
513 /**
514 * process a XFRM_MSG_EXPIRE from kernel
515 */
516 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
517 {
518 job_t *job;
519 protocol_id_t protocol;
520 u_int32_t spi, reqid;
521 struct xfrm_user_expire *expire;
522
523 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
524 protocol = proto_kernel2ike(expire->state.id.proto);
525 spi = expire->state.id.spi;
526 reqid = expire->state.reqid;
527
528 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
529
530 if (protocol != PROTO_ESP && protocol != PROTO_AH)
531 {
532 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
533 "which is not a CHILD_SA", ntohl(spi), reqid);
534 return;
535 }
536
537 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
538 expire->hard ? "delete" : "rekey", protocol_id_names,
539 protocol, ntohl(spi), reqid);
540 if (expire->hard)
541 {
542 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
543 }
544 else
545 {
546 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
547 }
548 charon->processor->queue_job(charon->processor, job);
549 }
550
551 /**
552 * process a XFRM_MSG_MIGRATE from kernel
553 */
554 static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
555 {
556 traffic_selector_t *src_ts, *dst_ts;
557 host_t *local = NULL, *remote = NULL;
558 host_t *old_src = NULL, *old_dst = NULL;
559 host_t *new_src = NULL, *new_dst = NULL;
560 struct xfrm_userpolicy_id *policy_id;
561 struct rtattr *rta;
562 size_t rtasize;
563 u_int32_t reqid = 0;
564 policy_dir_t dir;
565 job_t *job;
566
567 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
568 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
569 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
570
571 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
572
573 src_ts = selector2ts(&policy_id->sel, TRUE);
574 dst_ts = selector2ts(&policy_id->sel, FALSE);
575 dir = (policy_dir_t)policy_id->dir;
576
577 DBG2(DBG_KNL, " policy: %R === %R %N, index %u", src_ts, dst_ts,
578 policy_dir_names, dir, policy_id->index);
579
580 while (RTA_OK(rta, rtasize))
581 {
582 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
583 if (rta->rta_type == XFRMA_KMADDRESS)
584 {
585 struct xfrm_user_kmaddress *kmaddress;
586
587 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
588 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
589 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
590 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
591 }
592 else if (rta->rta_type == XFRMA_MIGRATE)
593 {
594 struct xfrm_user_migrate *migrate;
595 protocol_id_t proto;
596
597 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
598 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
599 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
600 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
601 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
602 proto = proto_kernel2ike(migrate->proto);
603 reqid = migrate->reqid;
604 DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}",
605 protocol_id_names, proto, old_src, old_dst,
606 new_src, new_dst, reqid);
607 DESTROY_IF(old_src);
608 DESTROY_IF(old_dst);
609 DESTROY_IF(new_src);
610 DESTROY_IF(new_dst);
611 }
612 rta = RTA_NEXT(rta, rtasize);
613 }
614
615 if (src_ts && dst_ts)
616 {
617 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
618 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
619 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
620 local, remote);
621 charon->processor->queue_job(charon->processor, job);
622 }
623 else
624 {
625 DESTROY_IF(src_ts);
626 DESTROY_IF(dst_ts);
627 DESTROY_IF(local);
628 DESTROY_IF(remote);
629 }
630 }
631
632 /**
633 * process a XFRM_MSG_MAPPING from kernel
634 */
635 static void process_mapping(private_kernel_netlink_ipsec_t *this,
636 struct nlmsghdr *hdr)
637 {
638 job_t *job;
639 u_int32_t spi, reqid;
640 struct xfrm_user_mapping *mapping;
641 host_t *host;
642
643 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
644 spi = mapping->id.spi;
645 reqid = mapping->reqid;
646
647 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
648
649 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
650 {
651 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
652 mapping->new_sport);
653 if (host)
654 {
655 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
656 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
657 job = (job_t*)update_sa_job_create(reqid, host);
658 charon->processor->queue_job(charon->processor, job);
659 }
660 }
661 }
662
663 /**
664 * Receives events from kernel
665 */
666 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
667 {
668 char response[1024];
669 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
670 struct sockaddr_nl addr;
671 socklen_t addr_len = sizeof(addr);
672 int len, oldstate;
673
674 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
675 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
676 (struct sockaddr*)&addr, &addr_len);
677 pthread_setcancelstate(oldstate, NULL);
678
679 if (len < 0)
680 {
681 switch (errno)
682 {
683 case EINTR:
684 /* interrupted, try again */
685 return JOB_REQUEUE_DIRECT;
686 case EAGAIN:
687 /* no data ready, select again */
688 return JOB_REQUEUE_DIRECT;
689 default:
690 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
691 sleep(1);
692 return JOB_REQUEUE_FAIR;
693 }
694 }
695
696 if (addr.nl_pid != 0)
697 { /* not from kernel. not interested, try another one */
698 return JOB_REQUEUE_DIRECT;
699 }
700
701 while (NLMSG_OK(hdr, len))
702 {
703 switch (hdr->nlmsg_type)
704 {
705 case XFRM_MSG_ACQUIRE:
706 process_acquire(this, hdr);
707 break;
708 case XFRM_MSG_EXPIRE:
709 process_expire(this, hdr);
710 break;
711 case XFRM_MSG_MIGRATE:
712 process_migrate(this, hdr);
713 break;
714 case XFRM_MSG_MAPPING:
715 process_mapping(this, hdr);
716 break;
717 default:
718 break;
719 }
720 hdr = NLMSG_NEXT(hdr, len);
721 }
722 return JOB_REQUEUE_DIRECT;
723 }
724
725 /**
726 * Get an SPI for a specific protocol from the kernel.
727 */
728 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
729 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
730 u_int32_t reqid, u_int32_t *spi)
731 {
732 unsigned char request[NETLINK_BUFFER_SIZE];
733 struct nlmsghdr *hdr, *out;
734 struct xfrm_userspi_info *userspi;
735 u_int32_t received_spi = 0;
736 size_t len;
737
738 memset(&request, 0, sizeof(request));
739
740 hdr = (struct nlmsghdr*)request;
741 hdr->nlmsg_flags = NLM_F_REQUEST;
742 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
743 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
744
745 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
746 host2xfrm(src, &userspi->info.saddr);
747 host2xfrm(dst, &userspi->info.id.daddr);
748 userspi->info.id.proto = proto;
749 userspi->info.mode = TRUE; /* tunnel mode */
750 userspi->info.reqid = reqid;
751 userspi->info.family = src->get_family(src);
752 userspi->min = min;
753 userspi->max = max;
754
755 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
756 {
757 hdr = out;
758 while (NLMSG_OK(hdr, len))
759 {
760 switch (hdr->nlmsg_type)
761 {
762 case XFRM_MSG_NEWSA:
763 {
764 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
765 received_spi = usersa->id.spi;
766 break;
767 }
768 case NLMSG_ERROR:
769 {
770 struct nlmsgerr *err = NLMSG_DATA(hdr);
771
772 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
773 strerror(-err->error), -err->error);
774 break;
775 }
776 default:
777 hdr = NLMSG_NEXT(hdr, len);
778 continue;
779 case NLMSG_DONE:
780 break;
781 }
782 break;
783 }
784 free(out);
785 }
786
787 if (received_spi == 0)
788 {
789 return FAILED;
790 }
791
792 *spi = received_spi;
793 return SUCCESS;
794 }
795
796 /**
797 * Implementation of kernel_interface_t.get_spi.
798 */
799 static status_t get_spi(private_kernel_netlink_ipsec_t *this,
800 host_t *src, host_t *dst,
801 protocol_id_t protocol, u_int32_t reqid,
802 u_int32_t *spi)
803 {
804 DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
805
806 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
807 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
808 {
809 DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
810 return FAILED;
811 }
812
813 DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
814
815 return SUCCESS;
816 }
817
818 /**
819 * Implementation of kernel_interface_t.get_cpi.
820 */
821 static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
822 host_t *src, host_t *dst,
823 u_int32_t reqid, u_int16_t *cpi)
824 {
825 u_int32_t received_spi = 0;
826
827 DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
828
829 if (get_spi_internal(this, src, dst,
830 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
831 {
832 DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
833 return FAILED;
834 }
835
836 *cpi = htons((u_int16_t)ntohl(received_spi));
837
838 DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
839
840 return SUCCESS;
841 }
842
843 /**
844 * Implementation of kernel_interface_t.add_sa.
845 */
846 static status_t add_sa(private_kernel_netlink_ipsec_t *this,
847 host_t *src, host_t *dst, u_int32_t spi,
848 protocol_id_t protocol, u_int32_t reqid,
849 u_int64_t expire_soft, u_int64_t expire_hard,
850 u_int16_t enc_alg, chunk_t enc_key,
851 u_int16_t int_alg, chunk_t int_key,
852 ipsec_mode_t mode, u_int16_t ipcomp, bool encap,
853 bool replace)
854 {
855 unsigned char request[NETLINK_BUFFER_SIZE];
856 char *alg_name;
857 struct nlmsghdr *hdr;
858 struct xfrm_usersa_info *sa;
859 u_int16_t icv_size = 64;
860
861 memset(&request, 0, sizeof(request));
862
863 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
864 ntohl(spi), reqid);
865
866 hdr = (struct nlmsghdr*)request;
867 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
868 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
869 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
870
871 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
872 host2xfrm(src, &sa->saddr);
873 host2xfrm(dst, &sa->id.daddr);
874 sa->id.spi = spi;
875 sa->id.proto = proto_ike2kernel(protocol);
876 sa->family = src->get_family(src);
877 sa->mode = mode;
878 if (mode == MODE_TUNNEL)
879 {
880 sa->flags |= XFRM_STATE_AF_UNSPEC;
881 }
882 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
883 sa->reqid = reqid;
884 /* we currently do not expire SAs by volume/packet count */
885 sa->lft.soft_byte_limit = XFRM_INF;
886 sa->lft.hard_byte_limit = XFRM_INF;
887 sa->lft.soft_packet_limit = XFRM_INF;
888 sa->lft.hard_packet_limit = XFRM_INF;
889 /* we use lifetimes since added, not since used */
890 sa->lft.soft_add_expires_seconds = expire_soft;
891 sa->lft.hard_add_expires_seconds = expire_hard;
892 sa->lft.soft_use_expires_seconds = 0;
893 sa->lft.hard_use_expires_seconds = 0;
894
895 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
896
897 switch (enc_alg)
898 {
899 case ENCR_UNDEFINED:
900 /* no encryption */
901 break;
902 case ENCR_AES_CCM_ICV16:
903 case ENCR_AES_GCM_ICV16:
904 icv_size += 32;
905 /* FALL */
906 case ENCR_AES_CCM_ICV12:
907 case ENCR_AES_GCM_ICV12:
908 icv_size += 32;
909 /* FALL */
910 case ENCR_AES_CCM_ICV8:
911 case ENCR_AES_GCM_ICV8:
912 {
913 rthdr->rta_type = XFRMA_ALG_AEAD;
914 alg_name = lookup_algorithm(encryption_algs, enc_alg);
915 if (alg_name == NULL)
916 {
917 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
918 encryption_algorithm_names, enc_alg);
919 return FAILED;
920 }
921 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
922 encryption_algorithm_names, enc_alg, enc_key.len * 8);
923
924 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
925 hdr->nlmsg_len += rthdr->rta_len;
926 if (hdr->nlmsg_len > sizeof(request))
927 {
928 return FAILED;
929 }
930
931 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
932 algo->alg_key_len = enc_key.len * 8;
933 algo->alg_icv_len = icv_size;
934 strcpy(algo->alg_name, alg_name);
935 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
936
937 rthdr = XFRM_RTA_NEXT(rthdr);
938 break;
939 }
940 default:
941 {
942 rthdr->rta_type = XFRMA_ALG_CRYPT;
943 alg_name = lookup_algorithm(encryption_algs, enc_alg);
944 if (alg_name == NULL)
945 {
946 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
947 encryption_algorithm_names, enc_alg);
948 return FAILED;
949 }
950 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
951 encryption_algorithm_names, enc_alg, enc_key.len * 8);
952
953 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
954 hdr->nlmsg_len += rthdr->rta_len;
955 if (hdr->nlmsg_len > sizeof(request))
956 {
957 return FAILED;
958 }
959
960 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
961 algo->alg_key_len = enc_key.len * 8;
962 strcpy(algo->alg_name, alg_name);
963 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
964
965 rthdr = XFRM_RTA_NEXT(rthdr);
966 break;
967 }
968 }
969
970 if (int_alg != AUTH_UNDEFINED)
971 {
972 rthdr->rta_type = XFRMA_ALG_AUTH;
973 alg_name = lookup_algorithm(integrity_algs, int_alg);
974 if (alg_name == NULL)
975 {
976 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
977 integrity_algorithm_names, int_alg);
978 return FAILED;
979 }
980 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
981 integrity_algorithm_names, int_alg, int_key.len * 8);
982
983 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
984 hdr->nlmsg_len += rthdr->rta_len;
985 if (hdr->nlmsg_len > sizeof(request))
986 {
987 return FAILED;
988 }
989
990 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
991 algo->alg_key_len = int_key.len * 8;
992 strcpy(algo->alg_name, alg_name);
993 memcpy(algo->alg_key, int_key.ptr, int_key.len);
994
995 rthdr = XFRM_RTA_NEXT(rthdr);
996 }
997
998 if (ipcomp != IPCOMP_NONE)
999 {
1000 rthdr->rta_type = XFRMA_ALG_COMP;
1001 alg_name = lookup_algorithm(compression_algs, ipcomp);
1002 if (alg_name == NULL)
1003 {
1004 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1005 ipcomp_transform_names, ipcomp);
1006 return FAILED;
1007 }
1008 DBG2(DBG_KNL, " using compression algorithm %N",
1009 ipcomp_transform_names, ipcomp);
1010
1011 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
1012 hdr->nlmsg_len += rthdr->rta_len;
1013 if (hdr->nlmsg_len > sizeof(request))
1014 {
1015 return FAILED;
1016 }
1017
1018 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1019 algo->alg_key_len = 0;
1020 strcpy(algo->alg_name, alg_name);
1021
1022 rthdr = XFRM_RTA_NEXT(rthdr);
1023 }
1024
1025 if (encap)
1026 {
1027 rthdr->rta_type = XFRMA_ENCAP;
1028 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1029
1030 hdr->nlmsg_len += rthdr->rta_len;
1031 if (hdr->nlmsg_len > sizeof(request))
1032 {
1033 return FAILED;
1034 }
1035
1036 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1037 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1038 tmpl->encap_sport = htons(src->get_port(src));
1039 tmpl->encap_dport = htons(dst->get_port(dst));
1040 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1041 /* encap_oa could probably be derived from the
1042 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1043 * pluto does the same as we do here but it uses encap_oa in the
1044 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1045 * the kernel ignores it anyway
1046 * -> does that mean that NAT-T encap doesn't work in transport mode?
1047 * No. The reason the kernel ignores NAT-OA is that it recomputes
1048 * (or, rather, just ignores) the checksum. If packets pass
1049 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1050 rthdr = XFRM_RTA_NEXT(rthdr);
1051 }
1052
1053 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1054 {
1055 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1056 return FAILED;
1057 }
1058 return SUCCESS;
1059 }
1060
1061 /**
1062 * Get the replay state (i.e. sequence numbers) of an SA.
1063 */
1064 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
1065 u_int32_t spi, protocol_id_t protocol, host_t *dst,
1066 struct xfrm_replay_state *replay)
1067 {
1068 unsigned char request[NETLINK_BUFFER_SIZE];
1069 struct nlmsghdr *hdr, *out = NULL;
1070 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1071 size_t len;
1072 struct rtattr *rta;
1073 size_t rtasize;
1074
1075 memset(&request, 0, sizeof(request));
1076
1077 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
1078
1079 hdr = (struct nlmsghdr*)request;
1080 hdr->nlmsg_flags = NLM_F_REQUEST;
1081 hdr->nlmsg_type = XFRM_MSG_GETAE;
1082 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1083
1084 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1085 aevent_id->flags = XFRM_AE_RVAL;
1086
1087 host2xfrm(dst, &aevent_id->sa_id.daddr);
1088 aevent_id->sa_id.spi = spi;
1089 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
1090 aevent_id->sa_id.family = dst->get_family(dst);
1091
1092 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1093 {
1094 hdr = out;
1095 while (NLMSG_OK(hdr, len))
1096 {
1097 switch (hdr->nlmsg_type)
1098 {
1099 case XFRM_MSG_NEWAE:
1100 {
1101 out_aevent = NLMSG_DATA(hdr);
1102 break;
1103 }
1104 case NLMSG_ERROR:
1105 {
1106 struct nlmsgerr *err = NLMSG_DATA(hdr);
1107 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
1108 strerror(-err->error), -err->error);
1109 break;
1110 }
1111 default:
1112 hdr = NLMSG_NEXT(hdr, len);
1113 continue;
1114 case NLMSG_DONE:
1115 break;
1116 }
1117 break;
1118 }
1119 }
1120
1121 if (out_aevent == NULL)
1122 {
1123 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1124 ntohl(spi));
1125 free(out);
1126 return FAILED;
1127 }
1128
1129 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1130 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1131 while(RTA_OK(rta, rtasize))
1132 {
1133 if (rta->rta_type == XFRMA_REPLAY_VAL)
1134 {
1135 memcpy(replay, RTA_DATA(rta), rta->rta_len);
1136 free(out);
1137 return SUCCESS;
1138 }
1139 rta = RTA_NEXT(rta, rtasize);
1140 }
1141
1142 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1143 ntohl(spi));
1144 free(out);
1145 return FAILED;
1146 }
1147
1148 /**
1149 * Implementation of kernel_interface_t.update_sa.
1150 */
1151 static status_t update_sa(private_kernel_netlink_ipsec_t *this,
1152 u_int32_t spi, protocol_id_t protocol,
1153 host_t *src, host_t *dst,
1154 host_t *new_src, host_t *new_dst, bool encap)
1155 {
1156 unsigned char request[NETLINK_BUFFER_SIZE], *pos;
1157 struct nlmsghdr *hdr, *out = NULL;
1158 struct xfrm_usersa_id *sa_id;
1159 struct xfrm_usersa_info *out_sa = NULL, *sa;
1160 size_t len;
1161 struct rtattr *rta;
1162 size_t rtasize;
1163 struct xfrm_encap_tmpl* tmpl = NULL;
1164 bool got_replay_state;
1165 struct xfrm_replay_state replay;
1166
1167 memset(&request, 0, sizeof(request));
1168
1169 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1170
1171 /* query the existing SA first */
1172 hdr = (struct nlmsghdr*)request;
1173 hdr->nlmsg_flags = NLM_F_REQUEST;
1174 hdr->nlmsg_type = XFRM_MSG_GETSA;
1175 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1176
1177 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1178 host2xfrm(dst, &sa_id->daddr);
1179 sa_id->spi = spi;
1180 sa_id->proto = proto_ike2kernel(protocol);
1181 sa_id->family = dst->get_family(dst);
1182
1183 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1184 {
1185 hdr = out;
1186 while (NLMSG_OK(hdr, len))
1187 {
1188 switch (hdr->nlmsg_type)
1189 {
1190 case XFRM_MSG_NEWSA:
1191 {
1192 out_sa = NLMSG_DATA(hdr);
1193 break;
1194 }
1195 case NLMSG_ERROR:
1196 {
1197 struct nlmsgerr *err = NLMSG_DATA(hdr);
1198 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1199 strerror(-err->error), -err->error);
1200 break;
1201 }
1202 default:
1203 hdr = NLMSG_NEXT(hdr, len);
1204 continue;
1205 case NLMSG_DONE:
1206 break;
1207 }
1208 break;
1209 }
1210 }
1211 if (out_sa == NULL)
1212 {
1213 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1214 free(out);
1215 return FAILED;
1216 }
1217
1218 /* try to get the replay state */
1219 got_replay_state = (get_replay_state(
1220 this, spi, protocol, dst, &replay) == SUCCESS);
1221
1222 /* delete the old SA */
1223 if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
1224 {
1225 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1226 free(out);
1227 return FAILED;
1228 }
1229
1230 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1231 ntohl(spi), src, dst, new_src, new_dst);
1232
1233 /* copy over the SA from out to request */
1234 hdr = (struct nlmsghdr*)request;
1235 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1236 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1237 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1238 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1239 sa = NLMSG_DATA(hdr);
1240 sa->family = new_dst->get_family(new_dst);
1241
1242 if (!src->ip_equals(src, new_src))
1243 {
1244 host2xfrm(new_src, &sa->saddr);
1245 }
1246 if (!dst->ip_equals(dst, new_dst))
1247 {
1248 host2xfrm(new_dst, &sa->id.daddr);
1249 }
1250
1251 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1252 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1253 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1254 while(RTA_OK(rta, rtasize))
1255 {
1256 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1257 if (rta->rta_type != XFRMA_ENCAP || encap)
1258 {
1259 if (rta->rta_type == XFRMA_ENCAP)
1260 { /* update encap tmpl */
1261 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1262 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1263 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1264 }
1265 memcpy(pos, rta, rta->rta_len);
1266 pos += RTA_ALIGN(rta->rta_len);
1267 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1268 }
1269 rta = RTA_NEXT(rta, rtasize);
1270 }
1271
1272 rta = (struct rtattr*)pos;
1273 if (tmpl == NULL && encap)
1274 { /* add tmpl if we are enabling it */
1275 rta->rta_type = XFRMA_ENCAP;
1276 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1277
1278 hdr->nlmsg_len += rta->rta_len;
1279 if (hdr->nlmsg_len > sizeof(request))
1280 {
1281 return FAILED;
1282 }
1283
1284 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1285 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1286 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1287 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1288 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1289
1290 rta = XFRM_RTA_NEXT(rta);
1291 }
1292
1293 if (got_replay_state)
1294 { /* copy the replay data if available */
1295 rta->rta_type = XFRMA_REPLAY_VAL;
1296 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1297
1298 hdr->nlmsg_len += rta->rta_len;
1299 if (hdr->nlmsg_len > sizeof(request))
1300 {
1301 return FAILED;
1302 }
1303 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1304
1305 rta = XFRM_RTA_NEXT(rta);
1306 }
1307
1308 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1309 {
1310 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1311 free(out);
1312 return FAILED;
1313 }
1314 free(out);
1315
1316 return SUCCESS;
1317 }
1318
1319 /**
1320 * Implementation of kernel_interface_t.del_sa.
1321 */
1322 static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
1323 u_int32_t spi, protocol_id_t protocol)
1324 {
1325 unsigned char request[NETLINK_BUFFER_SIZE];
1326 struct nlmsghdr *hdr;
1327 struct xfrm_usersa_id *sa_id;
1328
1329 memset(&request, 0, sizeof(request));
1330
1331 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1332
1333 hdr = (struct nlmsghdr*)request;
1334 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1335 hdr->nlmsg_type = XFRM_MSG_DELSA;
1336 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1337
1338 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1339 host2xfrm(dst, &sa_id->daddr);
1340 sa_id->spi = spi;
1341 sa_id->proto = proto_ike2kernel(protocol);
1342 sa_id->family = dst->get_family(dst);
1343
1344 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1345 {
1346 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1347 return FAILED;
1348 }
1349 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1350 return SUCCESS;
1351 }
1352
1353 /**
1354 * Implementation of kernel_interface_t.add_policy.
1355 */
1356 static status_t add_policy(private_kernel_netlink_ipsec_t *this,
1357 host_t *src, host_t *dst,
1358 traffic_selector_t *src_ts,
1359 traffic_selector_t *dst_ts,
1360 policy_dir_t direction, protocol_id_t protocol,
1361 u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
1362 u_int16_t ipcomp)
1363 {
1364 iterator_t *iterator;
1365 policy_entry_t *current, *policy;
1366 bool found = FALSE;
1367 unsigned char request[NETLINK_BUFFER_SIZE];
1368 struct xfrm_userpolicy_info *policy_info;
1369 struct nlmsghdr *hdr;
1370
1371 /* create a policy */
1372 policy = malloc_thing(policy_entry_t);
1373 memset(policy, 0, sizeof(policy_entry_t));
1374 policy->sel = ts2selector(src_ts, dst_ts);
1375 policy->direction = direction;
1376
1377 /* find the policy, which matches EXACTLY */
1378 this->mutex->lock(this->mutex);
1379 iterator = this->policies->create_iterator(this->policies, TRUE);
1380 while (iterator->iterate(iterator, (void**)&current))
1381 {
1382 if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
1383 policy->direction == current->direction)
1384 {
1385 /* use existing policy */
1386 current->refcount++;
1387 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1388 "refcount", src_ts, dst_ts,
1389 policy_dir_names, direction);
1390 free(policy);
1391 policy = current;
1392 found = TRUE;
1393 break;
1394 }
1395 }
1396 iterator->destroy(iterator);
1397 if (!found)
1398 { /* apply the new one, if we have no such policy */
1399 this->policies->insert_last(this->policies, policy);
1400 policy->refcount = 1;
1401 }
1402
1403 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1404 policy_dir_names, direction);
1405
1406 memset(&request, 0, sizeof(request));
1407 hdr = (struct nlmsghdr*)request;
1408 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1409 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1410 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1411
1412 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1413 policy_info->sel = policy->sel;
1414 policy_info->dir = policy->direction;
1415 /* calculate priority based on source selector size, small size = high prio */
1416 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1417 policy_info->priority -= policy->sel.prefixlen_s * 10;
1418 policy_info->priority -= policy->sel.proto ? 2 : 0;
1419 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1420 policy_info->action = XFRM_POLICY_ALLOW;
1421 policy_info->share = XFRM_SHARE_ANY;
1422 this->mutex->unlock(this->mutex);
1423
1424 /* policies don't expire */
1425 policy_info->lft.soft_byte_limit = XFRM_INF;
1426 policy_info->lft.soft_packet_limit = XFRM_INF;
1427 policy_info->lft.hard_byte_limit = XFRM_INF;
1428 policy_info->lft.hard_packet_limit = XFRM_INF;
1429 policy_info->lft.soft_add_expires_seconds = 0;
1430 policy_info->lft.hard_add_expires_seconds = 0;
1431 policy_info->lft.soft_use_expires_seconds = 0;
1432 policy_info->lft.hard_use_expires_seconds = 0;
1433
1434 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1435 rthdr->rta_type = XFRMA_TMPL;
1436 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1437
1438 hdr->nlmsg_len += rthdr->rta_len;
1439 if (hdr->nlmsg_len > sizeof(request))
1440 {
1441 return FAILED;
1442 }
1443
1444 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1445
1446 if (ipcomp != IPCOMP_NONE)
1447 {
1448 tmpl->reqid = reqid;
1449 tmpl->id.proto = IPPROTO_COMP;
1450 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1451 tmpl->mode = mode;
1452 tmpl->optional = direction != POLICY_OUT;
1453 tmpl->family = src->get_family(src);
1454
1455 host2xfrm(src, &tmpl->saddr);
1456 host2xfrm(dst, &tmpl->id.daddr);
1457
1458 /* add an additional xfrm_user_tmpl */
1459 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1460 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1461 if (hdr->nlmsg_len > sizeof(request))
1462 {
1463 return FAILED;
1464 }
1465
1466 tmpl++;
1467 }
1468
1469 tmpl->reqid = reqid;
1470 tmpl->id.proto = proto_ike2kernel(protocol);
1471 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1472 tmpl->mode = mode;
1473 tmpl->family = src->get_family(src);
1474
1475 host2xfrm(src, &tmpl->saddr);
1476 host2xfrm(dst, &tmpl->id.daddr);
1477
1478 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1479 {
1480 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1481 policy_dir_names, direction);
1482 return FAILED;
1483 }
1484
1485 /* install a route, if:
1486 * - we are NOT updating a policy
1487 * - this is a forward policy (to just get one for each child)
1488 * - we are in tunnel mode
1489 * - we are not using IPv6 (does not work correctly yet!)
1490 * - routing is not disabled via strongswan.conf
1491 */
1492 if (policy->route == NULL && direction == POLICY_FWD &&
1493 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1494 this->install_routes)
1495 {
1496 route_entry_t *route = malloc_thing(route_entry_t);
1497
1498 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1499 dst_ts, &route->src_ip) == SUCCESS)
1500 {
1501 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1502 route->gateway = charon->kernel_interface->get_nexthop(
1503 charon->kernel_interface, src);
1504 route->if_name = charon->kernel_interface->get_interface(
1505 charon->kernel_interface, dst);
1506 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1507 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1508 route->prefixlen = policy->sel.prefixlen_s;
1509
1510 if (route->if_name)
1511 {
1512 switch (charon->kernel_interface->add_route(
1513 charon->kernel_interface, route->dst_net,
1514 route->prefixlen, route->gateway,
1515 route->src_ip, route->if_name))
1516 {
1517 default:
1518 DBG1(DBG_KNL, "unable to install source route for %H",
1519 route->src_ip);
1520 /* FALL */
1521 case ALREADY_DONE:
1522 /* route exists, do not uninstall */
1523 route_entry_destroy(route);
1524 break;
1525 case SUCCESS:
1526 /* cache the installed route */
1527 policy->route = route;
1528 break;
1529 }
1530 }
1531 else
1532 {
1533 route_entry_destroy(route);
1534 }
1535 }
1536 else
1537 {
1538 free(route);
1539 }
1540 }
1541 return SUCCESS;
1542 }
1543
1544 /**
1545 * Implementation of kernel_interface_t.query_policy.
1546 */
1547 static status_t query_policy(private_kernel_netlink_ipsec_t *this,
1548 traffic_selector_t *src_ts,
1549 traffic_selector_t *dst_ts,
1550 policy_dir_t direction, u_int32_t *use_time)
1551 {
1552 unsigned char request[NETLINK_BUFFER_SIZE];
1553 struct nlmsghdr *out = NULL, *hdr;
1554 struct xfrm_userpolicy_id *policy_id;
1555 struct xfrm_userpolicy_info *policy = NULL;
1556 size_t len;
1557
1558 memset(&request, 0, sizeof(request));
1559
1560 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1561 policy_dir_names, direction);
1562
1563 hdr = (struct nlmsghdr*)request;
1564 hdr->nlmsg_flags = NLM_F_REQUEST;
1565 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1566 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1567
1568 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1569 policy_id->sel = ts2selector(src_ts, dst_ts);
1570 policy_id->dir = direction;
1571
1572 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1573 {
1574 hdr = out;
1575 while (NLMSG_OK(hdr, len))
1576 {
1577 switch (hdr->nlmsg_type)
1578 {
1579 case XFRM_MSG_NEWPOLICY:
1580 {
1581 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1582 break;
1583 }
1584 case NLMSG_ERROR:
1585 {
1586 struct nlmsgerr *err = NLMSG_DATA(hdr);
1587 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1588 strerror(-err->error), -err->error);
1589 break;
1590 }
1591 default:
1592 hdr = NLMSG_NEXT(hdr, len);
1593 continue;
1594 case NLMSG_DONE:
1595 break;
1596 }
1597 break;
1598 }
1599 }
1600
1601 if (policy == NULL)
1602 {
1603 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1604 policy_dir_names, direction);
1605 free(out);
1606 return FAILED;
1607 }
1608 *use_time = (time_t)policy->curlft.use_time;
1609
1610 free(out);
1611 return SUCCESS;
1612 }
1613
1614 /**
1615 * Implementation of kernel_interface_t.del_policy.
1616 */
1617 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
1618 traffic_selector_t *src_ts,
1619 traffic_selector_t *dst_ts,
1620 policy_dir_t direction)
1621 {
1622 policy_entry_t *current, policy, *to_delete = NULL;
1623 route_entry_t *route;
1624 unsigned char request[NETLINK_BUFFER_SIZE];
1625 struct nlmsghdr *hdr;
1626 struct xfrm_userpolicy_id *policy_id;
1627 enumerator_t *enumerator;
1628
1629 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1630 policy_dir_names, direction);
1631
1632 /* create a policy */
1633 memset(&policy, 0, sizeof(policy_entry_t));
1634 policy.sel = ts2selector(src_ts, dst_ts);
1635 policy.direction = direction;
1636
1637 /* find the policy */
1638 this->mutex->lock(this->mutex);
1639 enumerator = this->policies->create_enumerator(this->policies);
1640 while (enumerator->enumerate(enumerator, &current))
1641 {
1642 if (memeq(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) &&
1643 policy.direction == current->direction)
1644 {
1645 to_delete = current;
1646 if (--to_delete->refcount > 0)
1647 {
1648 /* is used by more SAs, keep in kernel */
1649 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1650 this->mutex->unlock(this->mutex);
1651 enumerator->destroy(enumerator);
1652 return SUCCESS;
1653 }
1654 /* remove if last reference */
1655 this->policies->remove_at(this->policies, enumerator);
1656 break;
1657 }
1658 }
1659 this->mutex->unlock(this->mutex);
1660 enumerator->destroy(enumerator);
1661 if (!to_delete)
1662 {
1663 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1664 dst_ts, policy_dir_names, direction);
1665 return NOT_FOUND;
1666 }
1667
1668 memset(&request, 0, sizeof(request));
1669
1670 hdr = (struct nlmsghdr*)request;
1671 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1672 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1673 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1674
1675 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1676 policy_id->sel = to_delete->sel;
1677 policy_id->dir = direction;
1678
1679 route = to_delete->route;
1680 free(to_delete);
1681
1682 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1683 {
1684 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1685 policy_dir_names, direction);
1686 return FAILED;
1687 }
1688
1689 if (route)
1690 {
1691 if (charon->kernel_interface->del_route(charon->kernel_interface,
1692 route->dst_net, route->prefixlen, route->gateway,
1693 route->src_ip, route->if_name) != SUCCESS)
1694 {
1695 DBG1(DBG_KNL, "error uninstalling route installed with "
1696 "policy %R === %R %N", src_ts, dst_ts,
1697 policy_dir_names, direction);
1698 }
1699 route_entry_destroy(route);
1700 }
1701 return SUCCESS;
1702 }
1703
1704 /**
1705 * Implementation of kernel_interface_t.destroy.
1706 */
1707 static void destroy(private_kernel_netlink_ipsec_t *this)
1708 {
1709 this->job->cancel(this->job);
1710 close(this->socket_xfrm_events);
1711 this->socket_xfrm->destroy(this->socket_xfrm);
1712 this->policies->destroy(this->policies);
1713 this->mutex->destroy(this->mutex);
1714 free(this);
1715 }
1716
1717 /*
1718 * Described in header.
1719 */
1720 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
1721 {
1722 private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
1723 struct sockaddr_nl addr;
1724
1725 /* public functions */
1726 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1727 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1728 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
1729 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
1730 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1731 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
1732 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1733 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1734 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1735
1736 /* private members */
1737 this->policies = linked_list_create();
1738 this->mutex = mutex_create(MUTEX_DEFAULT);
1739 this->install_routes = lib->settings->get_bool(lib->settings,
1740 "charon.install_routes", TRUE);
1741
1742 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
1743
1744 memset(&addr, 0, sizeof(addr));
1745 addr.nl_family = AF_NETLINK;
1746
1747 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
1748 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1749 if (this->socket_xfrm_events <= 0)
1750 {
1751 charon->kill(charon, "unable to create XFRM event socket");
1752 }
1753 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
1754 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
1755 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
1756 {
1757 charon->kill(charon, "unable to bind XFRM event socket");
1758 }
1759
1760 this->job = callback_job_create((callback_job_cb_t)receive_events,
1761 this, NULL, NULL);
1762 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1763
1764 return &this->public;
1765 }
strongSwan - IPsec VPN