2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
23 #include <sys/types.h>
24 #include <sys/socket.h>
26 #include <linux/netlink.h>
27 #include <linux/rtnetlink.h>
28 #include <linux/xfrm.h>
29 #include <linux/udp.h>
30 #include <netinet/in.h>
36 #include "kernel_netlink_ipsec.h"
37 #include "kernel_netlink_shared.h"
40 #include <utils/mutex.h>
41 #include <utils/linked_list.h>
42 #include <processing/jobs/callback_job.h>
43 #include <processing/jobs/acquire_job.h>
44 #include <processing/jobs/migrate_job.h>
45 #include <processing/jobs/rekey_child_sa_job.h>
46 #include <processing/jobs/delete_child_sa_job.h>
47 #include <processing/jobs/update_sa_job.h>
49 /** required for Linux 2.6.26 kernel and later */
50 #ifndef XFRM_STATE_AF_UNSPEC
51 #define XFRM_STATE_AF_UNSPEC 32
54 /** default priority of installed policies */
56 #define PRIO_HIGH 2000
59 * Create ORable bitfield of XFRM NL groups
61 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
64 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
65 * 'usual' netlink data x like 'struct xfrm_usersa_info'
67 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
69 * returns a pointer to the next rtattr following rta.
70 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
72 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
74 * returns the total size of attached rta data
75 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
77 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
79 typedef struct kernel_algorithm_t kernel_algorithm_t
;
82 * Mapping of IKEv2 kernel identifier to linux crypto API names
84 struct kernel_algorithm_t
{
86 * Identifier specified in IKEv2
91 * Name of the algorithm in linux crypto API
96 ENUM(xfrm_attr_type_names
, XFRMA_UNSPEC
, XFRMA_KMADDRESS
,
108 "XFRMA_REPLAY_THRESH",
109 "XFRMA_ETIMER_THRESH",
119 #define END_OF_LIST -1
122 * Algorithms for encryption
124 static kernel_algorithm_t encryption_algs
[] = {
125 /* {ENCR_DES_IV64, "***" }, */
127 {ENCR_3DES
, "des3_ede" },
128 /* {ENCR_RC5, "***" }, */
129 /* {ENCR_IDEA, "***" }, */
130 {ENCR_CAST
, "cast128" },
131 {ENCR_BLOWFISH
, "blowfish" },
132 /* {ENCR_3IDEA, "***" }, */
133 /* {ENCR_DES_IV32, "***" }, */
134 {ENCR_NULL
, "cipher_null" },
135 {ENCR_AES_CBC
, "aes" },
136 /* {ENCR_AES_CTR, "***" }, */
137 {ENCR_AES_CCM_ICV8
, "rfc4309(ccm(aes))" },
138 {ENCR_AES_CCM_ICV12
, "rfc4309(ccm(aes))" },
139 {ENCR_AES_CCM_ICV16
, "rfc4309(ccm(aes))" },
140 {ENCR_AES_GCM_ICV8
, "rfc4106(gcm(aes))" },
141 {ENCR_AES_GCM_ICV12
, "rfc4106(gcm(aes))" },
142 {ENCR_AES_GCM_ICV16
, "rfc4106(gcm(aes))" },
143 {END_OF_LIST
, NULL
},
147 * Algorithms for integrity protection
149 static kernel_algorithm_t integrity_algs
[] = {
150 {AUTH_HMAC_MD5_96
, "md5" },
151 {AUTH_HMAC_SHA1_96
, "sha1" },
152 {AUTH_HMAC_SHA2_256_128
, "sha256" },
153 {AUTH_HMAC_SHA2_384_192
, "sha384" },
154 {AUTH_HMAC_SHA2_512_256
, "sha512" },
155 /* {AUTH_DES_MAC, "***" }, */
156 /* {AUTH_KPDK_MD5, "***" }, */
157 {AUTH_AES_XCBC_96
, "xcbc(aes)" },
158 {END_OF_LIST
, NULL
},
162 * Algorithms for IPComp
164 static kernel_algorithm_t compression_algs
[] = {
165 /* {IPCOMP_OUI, "***" }, */
166 {IPCOMP_DEFLATE
, "deflate" },
167 {IPCOMP_LZS
, "lzs" },
168 {IPCOMP_LZJH
, "lzjh" },
169 {END_OF_LIST
, NULL
},
173 * Look up a kernel algorithm name and its key size
175 static char* lookup_algorithm(kernel_algorithm_t
*list
, int ikev2
)
177 while (list
->ikev2
!= END_OF_LIST
)
179 if (list
->ikev2
== ikev2
)
188 typedef struct route_entry_t route_entry_t
;
191 * installed routing entry
193 struct route_entry_t
{
194 /** Name of the interface the route is bound to */
197 /** Source ip of the route */
200 /** gateway for this route */
203 /** Destination net */
206 /** Destination net prefixlen */
211 * destroy an route_entry_t object
213 static void route_entry_destroy(route_entry_t
*this)
216 this->src_ip
->destroy(this->src_ip
);
217 this->gateway
->destroy(this->gateway
);
218 chunk_free(&this->dst_net
);
222 typedef struct policy_entry_t policy_entry_t
;
225 * installed kernel policy.
227 struct policy_entry_t
{
229 /** direction of this policy: in, out, forward */
232 /** parameters of installed policy */
233 struct xfrm_selector sel
;
235 /** associated route installed for this policy */
236 route_entry_t
*route
;
238 /** by how many CHILD_SA's this policy is used */
242 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t
;
245 * Private variables and functions of kernel_netlink class.
247 struct private_kernel_netlink_ipsec_t
{
249 * Public part of the kernel_netlink_t object.
251 kernel_netlink_ipsec_t
public;
254 * mutex to lock access to various lists
259 * List of installed policies (policy_entry_t)
261 linked_list_t
*policies
;
264 * job receiving netlink events
269 * Netlink xfrm socket (IPsec)
271 netlink_socket_t
*socket_xfrm
;
274 * netlink xfrm socket to receive acquire and expire events
276 int socket_xfrm_events
;
279 * whether to install routes along policies
285 * convert a IKEv2 specific protocol identifier to the kernel one
287 static u_int8_t
proto_ike2kernel(protocol_id_t proto
)
301 * reverse of ike2kernel
303 static protocol_id_t
proto_kernel2ike(u_int8_t proto
)
317 * convert a host_t to a struct xfrm_address
319 static void host2xfrm(host_t
*host
, xfrm_address_t
*xfrm
)
321 chunk_t chunk
= host
->get_address(host
);
322 memcpy(xfrm
, chunk
.ptr
, min(chunk
.len
, sizeof(xfrm_address_t
)));
326 * convert a struct xfrm_address to a host_t
328 static host_t
* xfrm2host(int family
, xfrm_address_t
*xfrm
, u_int16_t port
)
335 chunk
= chunk_create((u_char
*)&xfrm
->a4
, sizeof(xfrm
->a4
));
338 chunk
= chunk_create((u_char
*)&xfrm
->a6
, sizeof(xfrm
->a6
));
343 return host_create_from_chunk(family
, chunk
, ntohs(port
));
347 * convert a traffic selector address range to subnet and its mask.
349 static void ts2subnet(traffic_selector_t
* ts
,
350 xfrm_address_t
*net
, u_int8_t
*mask
)
355 ts
->to_subnet(ts
, &net_host
, mask
);
356 net_chunk
= net_host
->get_address(net_host
);
357 memcpy(net
, net_chunk
.ptr
, net_chunk
.len
);
358 net_host
->destroy(net_host
);
362 * convert a traffic selector port range to port/portmask
364 static void ts2ports(traffic_selector_t
* ts
,
365 u_int16_t
*port
, u_int16_t
*mask
)
367 /* linux does not seem to accept complex portmasks. Only
368 * any or a specific port is allowed. We set to any, if we have
369 * a port range, or to a specific, if we have one port only.
373 from
= ts
->get_from_port(ts
);
374 to
= ts
->get_to_port(ts
);
389 * convert a pair of traffic_selectors to a xfrm_selector
391 static struct xfrm_selector
ts2selector(traffic_selector_t
*src
,
392 traffic_selector_t
*dst
)
394 struct xfrm_selector sel
;
396 memset(&sel
, 0, sizeof(sel
));
397 sel
.family
= (src
->get_type(src
) == TS_IPV4_ADDR_RANGE
) ? AF_INET
: AF_INET6
;
398 /* src or dest proto may be "any" (0), use more restrictive one */
399 sel
.proto
= max(src
->get_protocol(src
), dst
->get_protocol(dst
));
400 ts2subnet(dst
, &sel
.daddr
, &sel
.prefixlen_d
);
401 ts2subnet(src
, &sel
.saddr
, &sel
.prefixlen_s
);
402 ts2ports(dst
, &sel
.dport
, &sel
.dport_mask
);
403 ts2ports(src
, &sel
.sport
, &sel
.sport_mask
);
411 * convert a xfrm_selector to a src|dst traffic_selector
413 static traffic_selector_t
* selector2ts(struct xfrm_selector
*sel
, bool src
)
418 u_int16_t port
, port_mask
;
420 traffic_selector_t
*ts
;
424 addr
.ptr
= (u_char
*)&sel
->saddr
;
425 prefixlen
= sel
->prefixlen_s
;
427 port_mask
= sel
->sport_mask
;
431 addr
.ptr
= (u_char
*)&sel
->daddr
;
432 prefixlen
= sel
->prefixlen_d
;
434 port_mask
= sel
->dport_mask
;
437 /* The Linux 2.6 kernel does not set the selector's family field,
438 * so as a kludge we additionally test the prefix length.
440 if (sel
->family
== AF_INET
|| sel
->prefixlen_s
== 32)
445 else if (sel
->family
== AF_INET6
|| sel
->prefixlen_s
== 128)
454 host
= host_create_from_chunk(family
, addr
, 0);
455 port
= (port_mask
== 0) ?
0 : ntohs(port
);
457 ts
= traffic_selector_create_from_subnet(host
, prefixlen
, sel
->proto
, port
);
463 * process a XFRM_MSG_ACQUIRE from kernel
465 static void process_acquire(private_kernel_netlink_ipsec_t
*this, struct nlmsghdr
*hdr
)
469 traffic_selector_t
*src_ts
, *dst_ts
;
470 struct xfrm_user_acquire
*acquire
;
475 acquire
= (struct xfrm_user_acquire
*)NLMSG_DATA(hdr
);
476 rta
= XFRM_RTA(hdr
, struct xfrm_user_acquire
);
477 rtasize
= XFRM_PAYLOAD(hdr
, struct xfrm_user_acquire
);
479 DBG2(DBG_KNL
, "received a XFRM_MSG_ACQUIRE");
481 while (RTA_OK(rta
, rtasize
))
483 DBG2(DBG_KNL
, " %N", xfrm_attr_type_names
, rta
->rta_type
);
485 if (rta
->rta_type
== XFRMA_TMPL
)
487 struct xfrm_user_tmpl
* tmpl
;
489 tmpl
= (struct xfrm_user_tmpl
*)RTA_DATA(rta
);
491 proto
= tmpl
->id
.proto
;
493 rta
= RTA_NEXT(rta
, rtasize
);
502 /* acquire for AH/ESP only, not for IPCOMP */
505 src_ts
= selector2ts(&acquire
->sel
, TRUE
);
506 dst_ts
= selector2ts(&acquire
->sel
, FALSE
);
507 DBG1(DBG_KNL
, "creating acquire job for policy %R === %R with reqid {%u}",
508 src_ts
, dst_ts
, reqid
);
509 job
= (job_t
*)acquire_job_create(reqid
, src_ts
, dst_ts
);
510 charon
->processor
->queue_job(charon
->processor
, job
);
514 * process a XFRM_MSG_EXPIRE from kernel
516 static void process_expire(private_kernel_netlink_ipsec_t
*this, struct nlmsghdr
*hdr
)
519 protocol_id_t protocol
;
520 u_int32_t spi
, reqid
;
521 struct xfrm_user_expire
*expire
;
523 expire
= (struct xfrm_user_expire
*)NLMSG_DATA(hdr
);
524 protocol
= proto_kernel2ike(expire
->state
.id
.proto
);
525 spi
= expire
->state
.id
.spi
;
526 reqid
= expire
->state
.reqid
;
528 DBG2(DBG_KNL
, "received a XFRM_MSG_EXPIRE");
530 if (protocol
!= PROTO_ESP
&& protocol
!= PROTO_AH
)
532 DBG2(DBG_KNL
, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
533 "which is not a CHILD_SA", ntohl(spi
), reqid
);
537 DBG1(DBG_KNL
, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
538 expire
->hard ?
"delete" : "rekey", protocol_id_names
,
539 protocol
, ntohl(spi
), reqid
);
542 job
= (job_t
*)delete_child_sa_job_create(reqid
, protocol
, spi
);
546 job
= (job_t
*)rekey_child_sa_job_create(reqid
, protocol
, spi
);
548 charon
->processor
->queue_job(charon
->processor
, job
);
552 * process a XFRM_MSG_MIGRATE from kernel
554 static void process_migrate(private_kernel_netlink_ipsec_t
*this, struct nlmsghdr
*hdr
)
556 traffic_selector_t
*src_ts
, *dst_ts
;
557 host_t
*local
= NULL
, *remote
= NULL
;
558 host_t
*old_src
= NULL
, *old_dst
= NULL
;
559 host_t
*new_src
= NULL
, *new_dst
= NULL
;
560 struct xfrm_userpolicy_id
*policy_id
;
567 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
568 rta
= XFRM_RTA(hdr
, struct xfrm_userpolicy_id
);
569 rtasize
= XFRM_PAYLOAD(hdr
, struct xfrm_userpolicy_id
);
571 DBG2(DBG_KNL
, "received a XFRM_MSG_MIGRATE");
573 src_ts
= selector2ts(&policy_id
->sel
, TRUE
);
574 dst_ts
= selector2ts(&policy_id
->sel
, FALSE
);
575 dir
= (policy_dir_t
)policy_id
->dir
;
577 DBG2(DBG_KNL
, " policy: %R === %R %N, index %u", src_ts
, dst_ts
,
578 policy_dir_names
, dir
, policy_id
->index
);
580 while (RTA_OK(rta
, rtasize
))
582 DBG2(DBG_KNL
, " %N", xfrm_attr_type_names
, rta
->rta_type
);
583 if (rta
->rta_type
== XFRMA_KMADDRESS
)
585 struct xfrm_user_kmaddress
*kmaddress
;
587 kmaddress
= (struct xfrm_user_kmaddress
*)RTA_DATA(rta
);
588 local
= xfrm2host(kmaddress
->family
, &kmaddress
->local
, 0);
589 remote
= xfrm2host(kmaddress
->family
, &kmaddress
->remote
, 0);
590 DBG2(DBG_KNL
, " kmaddress: %H...%H", local
, remote
);
592 else if (rta
->rta_type
== XFRMA_MIGRATE
)
594 struct xfrm_user_migrate
*migrate
;
597 migrate
= (struct xfrm_user_migrate
*)RTA_DATA(rta
);
598 old_src
= xfrm2host(migrate
->old_family
, &migrate
->old_saddr
, 0);
599 old_dst
= xfrm2host(migrate
->old_family
, &migrate
->old_daddr
, 0);
600 new_src
= xfrm2host(migrate
->new_family
, &migrate
->new_saddr
, 0);
601 new_dst
= xfrm2host(migrate
->new_family
, &migrate
->new_daddr
, 0);
602 proto
= proto_kernel2ike(migrate
->proto
);
603 reqid
= migrate
->reqid
;
604 DBG2(DBG_KNL
, " migrate %N %H...%H to %H...%H, reqid {%u}",
605 protocol_id_names
, proto
, old_src
, old_dst
,
606 new_src
, new_dst
, reqid
);
612 rta
= RTA_NEXT(rta
, rtasize
);
615 if (src_ts
&& dst_ts
)
617 DBG1(DBG_KNL
, "creating migrate job for policy %R === %R %N with reqid {%u}",
618 src_ts
, dst_ts
, policy_dir_names
, dir
, reqid
, local
);
619 job
= (job_t
*)migrate_job_create(reqid
, src_ts
, dst_ts
, dir
,
621 charon
->processor
->queue_job(charon
->processor
, job
);
633 * process a XFRM_MSG_MAPPING from kernel
635 static void process_mapping(private_kernel_netlink_ipsec_t
*this,
636 struct nlmsghdr
*hdr
)
639 u_int32_t spi
, reqid
;
640 struct xfrm_user_mapping
*mapping
;
643 mapping
= (struct xfrm_user_mapping
*)NLMSG_DATA(hdr
);
644 spi
= mapping
->id
.spi
;
645 reqid
= mapping
->reqid
;
647 DBG2(DBG_KNL
, "received a XFRM_MSG_MAPPING");
649 if (proto_kernel2ike(mapping
->id
.proto
) == PROTO_ESP
)
651 host
= xfrm2host(mapping
->id
.family
, &mapping
->new_saddr
,
655 DBG1(DBG_KNL
, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
656 "reqid {%u} changed, queuing update job", ntohl(spi
), reqid
);
657 job
= (job_t
*)update_sa_job_create(reqid
, host
);
658 charon
->processor
->queue_job(charon
->processor
, job
);
664 * Receives events from kernel
666 static job_requeue_t
receive_events(private_kernel_netlink_ipsec_t
*this)
669 struct nlmsghdr
*hdr
= (struct nlmsghdr
*)response
;
670 struct sockaddr_nl addr
;
671 socklen_t addr_len
= sizeof(addr
);
674 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE
, &oldstate
);
675 len
= recvfrom(this->socket_xfrm_events
, response
, sizeof(response
), 0,
676 (struct sockaddr
*)&addr
, &addr_len
);
677 pthread_setcancelstate(oldstate
, NULL
);
684 /* interrupted, try again */
685 return JOB_REQUEUE_DIRECT
;
687 /* no data ready, select again */
688 return JOB_REQUEUE_DIRECT
;
690 DBG1(DBG_KNL
, "unable to receive from xfrm event socket");
692 return JOB_REQUEUE_FAIR
;
696 if (addr
.nl_pid
!= 0)
697 { /* not from kernel. not interested, try another one */
698 return JOB_REQUEUE_DIRECT
;
701 while (NLMSG_OK(hdr
, len
))
703 switch (hdr
->nlmsg_type
)
705 case XFRM_MSG_ACQUIRE
:
706 process_acquire(this, hdr
);
708 case XFRM_MSG_EXPIRE
:
709 process_expire(this, hdr
);
711 case XFRM_MSG_MIGRATE
:
712 process_migrate(this, hdr
);
714 case XFRM_MSG_MAPPING
:
715 process_mapping(this, hdr
);
720 hdr
= NLMSG_NEXT(hdr
, len
);
722 return JOB_REQUEUE_DIRECT
;
726 * Get an SPI for a specific protocol from the kernel.
728 static status_t
get_spi_internal(private_kernel_netlink_ipsec_t
*this,
729 host_t
*src
, host_t
*dst
, u_int8_t proto
, u_int32_t min
, u_int32_t max
,
730 u_int32_t reqid
, u_int32_t
*spi
)
732 unsigned char request
[NETLINK_BUFFER_SIZE
];
733 struct nlmsghdr
*hdr
, *out
;
734 struct xfrm_userspi_info
*userspi
;
735 u_int32_t received_spi
= 0;
738 memset(&request
, 0, sizeof(request
));
740 hdr
= (struct nlmsghdr
*)request
;
741 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
742 hdr
->nlmsg_type
= XFRM_MSG_ALLOCSPI
;
743 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userspi_info
));
745 userspi
= (struct xfrm_userspi_info
*)NLMSG_DATA(hdr
);
746 host2xfrm(src
, &userspi
->info
.saddr
);
747 host2xfrm(dst
, &userspi
->info
.id
.daddr
);
748 userspi
->info
.id
.proto
= proto
;
749 userspi
->info
.mode
= TRUE
; /* tunnel mode */
750 userspi
->info
.reqid
= reqid
;
751 userspi
->info
.family
= src
->get_family(src
);
755 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
758 while (NLMSG_OK(hdr
, len
))
760 switch (hdr
->nlmsg_type
)
764 struct xfrm_usersa_info
* usersa
= NLMSG_DATA(hdr
);
765 received_spi
= usersa
->id
.spi
;
770 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
772 DBG1(DBG_KNL
, "allocating SPI failed: %s (%d)",
773 strerror(-err
->error
), -err
->error
);
777 hdr
= NLMSG_NEXT(hdr
, len
);
787 if (received_spi
== 0)
797 * Implementation of kernel_interface_t.get_spi.
799 static status_t
get_spi(private_kernel_netlink_ipsec_t
*this,
800 host_t
*src
, host_t
*dst
,
801 protocol_id_t protocol
, u_int32_t reqid
,
804 DBG2(DBG_KNL
, "getting SPI for reqid {%u}", reqid
);
806 if (get_spi_internal(this, src
, dst
, proto_ike2kernel(protocol
),
807 0xc0000000, 0xcFFFFFFF, reqid
, spi
) != SUCCESS
)
809 DBG1(DBG_KNL
, "unable to get SPI for reqid {%u}", reqid
);
813 DBG2(DBG_KNL
, "got SPI %.8x for reqid {%u}", ntohl(*spi
), reqid
);
819 * Implementation of kernel_interface_t.get_cpi.
821 static status_t
get_cpi(private_kernel_netlink_ipsec_t
*this,
822 host_t
*src
, host_t
*dst
,
823 u_int32_t reqid
, u_int16_t
*cpi
)
825 u_int32_t received_spi
= 0;
827 DBG2(DBG_KNL
, "getting CPI for reqid {%u}", reqid
);
829 if (get_spi_internal(this, src
, dst
,
830 IPPROTO_COMP
, 0x100, 0xEFFF, reqid
, &received_spi
) != SUCCESS
)
832 DBG1(DBG_KNL
, "unable to get CPI for reqid {%u}", reqid
);
836 *cpi
= htons((u_int16_t
)ntohl(received_spi
));
838 DBG2(DBG_KNL
, "got CPI %.4x for reqid {%u}", ntohs(*cpi
), reqid
);
844 * Implementation of kernel_interface_t.add_sa.
846 static status_t
add_sa(private_kernel_netlink_ipsec_t
*this,
847 host_t
*src
, host_t
*dst
, u_int32_t spi
,
848 protocol_id_t protocol
, u_int32_t reqid
,
849 u_int64_t expire_soft
, u_int64_t expire_hard
,
850 u_int16_t enc_alg
, chunk_t enc_key
,
851 u_int16_t int_alg
, chunk_t int_key
,
852 ipsec_mode_t mode
, u_int16_t ipcomp
, bool encap
,
855 unsigned char request
[NETLINK_BUFFER_SIZE
];
857 struct nlmsghdr
*hdr
;
858 struct xfrm_usersa_info
*sa
;
859 u_int16_t icv_size
= 64;
861 memset(&request
, 0, sizeof(request
));
863 DBG2(DBG_KNL
, "adding SAD entry with SPI %.8x and reqid {%u}",
866 hdr
= (struct nlmsghdr
*)request
;
867 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
868 hdr
->nlmsg_type
= replace ? XFRM_MSG_UPDSA
: XFRM_MSG_NEWSA
;
869 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
871 sa
= (struct xfrm_usersa_info
*)NLMSG_DATA(hdr
);
872 host2xfrm(src
, &sa
->saddr
);
873 host2xfrm(dst
, &sa
->id
.daddr
);
875 sa
->id
.proto
= proto_ike2kernel(protocol
);
876 sa
->family
= src
->get_family(src
);
878 if (mode
== MODE_TUNNEL
)
880 sa
->flags
|= XFRM_STATE_AF_UNSPEC
;
882 sa
->replay_window
= (protocol
== IPPROTO_COMP
) ?
0 : 32;
884 /* we currently do not expire SAs by volume/packet count */
885 sa
->lft
.soft_byte_limit
= XFRM_INF
;
886 sa
->lft
.hard_byte_limit
= XFRM_INF
;
887 sa
->lft
.soft_packet_limit
= XFRM_INF
;
888 sa
->lft
.hard_packet_limit
= XFRM_INF
;
889 /* we use lifetimes since added, not since used */
890 sa
->lft
.soft_add_expires_seconds
= expire_soft
;
891 sa
->lft
.hard_add_expires_seconds
= expire_hard
;
892 sa
->lft
.soft_use_expires_seconds
= 0;
893 sa
->lft
.hard_use_expires_seconds
= 0;
895 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_usersa_info
);
902 case ENCR_AES_CCM_ICV16
:
903 case ENCR_AES_GCM_ICV16
:
906 case ENCR_AES_CCM_ICV12
:
907 case ENCR_AES_GCM_ICV12
:
910 case ENCR_AES_CCM_ICV8
:
911 case ENCR_AES_GCM_ICV8
:
913 rthdr
->rta_type
= XFRMA_ALG_AEAD
;
914 alg_name
= lookup_algorithm(encryption_algs
, enc_alg
);
915 if (alg_name
== NULL
)
917 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
918 encryption_algorithm_names
, enc_alg
);
921 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
922 encryption_algorithm_names
, enc_alg
, enc_key
.len
* 8);
924 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo_aead
) + enc_key
.len
);
925 hdr
->nlmsg_len
+= rthdr
->rta_len
;
926 if (hdr
->nlmsg_len
> sizeof(request
))
931 struct xfrm_algo_aead
* algo
= (struct xfrm_algo_aead
*)RTA_DATA(rthdr
);
932 algo
->alg_key_len
= enc_key
.len
* 8;
933 algo
->alg_icv_len
= icv_size
;
934 strcpy(algo
->alg_name
, alg_name
);
935 memcpy(algo
->alg_key
, enc_key
.ptr
, enc_key
.len
);
937 rthdr
= XFRM_RTA_NEXT(rthdr
);
942 rthdr
->rta_type
= XFRMA_ALG_CRYPT
;
943 alg_name
= lookup_algorithm(encryption_algs
, enc_alg
);
944 if (alg_name
== NULL
)
946 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
947 encryption_algorithm_names
, enc_alg
);
950 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
951 encryption_algorithm_names
, enc_alg
, enc_key
.len
* 8);
953 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
) + enc_key
.len
);
954 hdr
->nlmsg_len
+= rthdr
->rta_len
;
955 if (hdr
->nlmsg_len
> sizeof(request
))
960 struct xfrm_algo
* algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
961 algo
->alg_key_len
= enc_key
.len
* 8;
962 strcpy(algo
->alg_name
, alg_name
);
963 memcpy(algo
->alg_key
, enc_key
.ptr
, enc_key
.len
);
965 rthdr
= XFRM_RTA_NEXT(rthdr
);
970 if (int_alg
!= AUTH_UNDEFINED
)
972 rthdr
->rta_type
= XFRMA_ALG_AUTH
;
973 alg_name
= lookup_algorithm(integrity_algs
, int_alg
);
974 if (alg_name
== NULL
)
976 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
977 integrity_algorithm_names
, int_alg
);
980 DBG2(DBG_KNL
, " using integrity algorithm %N with key size %d",
981 integrity_algorithm_names
, int_alg
, int_key
.len
* 8);
983 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
) + int_key
.len
);
984 hdr
->nlmsg_len
+= rthdr
->rta_len
;
985 if (hdr
->nlmsg_len
> sizeof(request
))
990 struct xfrm_algo
* algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
991 algo
->alg_key_len
= int_key
.len
* 8;
992 strcpy(algo
->alg_name
, alg_name
);
993 memcpy(algo
->alg_key
, int_key
.ptr
, int_key
.len
);
995 rthdr
= XFRM_RTA_NEXT(rthdr
);
998 if (ipcomp
!= IPCOMP_NONE
)
1000 rthdr
->rta_type
= XFRMA_ALG_COMP
;
1001 alg_name
= lookup_algorithm(compression_algs
, ipcomp
);
1002 if (alg_name
== NULL
)
1004 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1005 ipcomp_transform_names
, ipcomp
);
1008 DBG2(DBG_KNL
, " using compression algorithm %N",
1009 ipcomp_transform_names
, ipcomp
);
1011 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
));
1012 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1013 if (hdr
->nlmsg_len
> sizeof(request
))
1018 struct xfrm_algo
* algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
1019 algo
->alg_key_len
= 0;
1020 strcpy(algo
->alg_name
, alg_name
);
1022 rthdr
= XFRM_RTA_NEXT(rthdr
);
1027 rthdr
->rta_type
= XFRMA_ENCAP
;
1028 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_encap_tmpl
));
1030 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1031 if (hdr
->nlmsg_len
> sizeof(request
))
1036 struct xfrm_encap_tmpl
* tmpl
= (struct xfrm_encap_tmpl
*)RTA_DATA(rthdr
);
1037 tmpl
->encap_type
= UDP_ENCAP_ESPINUDP
;
1038 tmpl
->encap_sport
= htons(src
->get_port(src
));
1039 tmpl
->encap_dport
= htons(dst
->get_port(dst
));
1040 memset(&tmpl
->encap_oa
, 0, sizeof (xfrm_address_t
));
1041 /* encap_oa could probably be derived from the
1042 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1043 * pluto does the same as we do here but it uses encap_oa in the
1044 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1045 * the kernel ignores it anyway
1046 * -> does that mean that NAT-T encap doesn't work in transport mode?
1047 * No. The reason the kernel ignores NAT-OA is that it recomputes
1048 * (or, rather, just ignores) the checksum. If packets pass
1049 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1050 rthdr
= XFRM_RTA_NEXT(rthdr
);
1053 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1055 DBG1(DBG_KNL
, "unable to add SAD entry with SPI %.8x", ntohl(spi
));
1062 * Get the replay state (i.e. sequence numbers) of an SA.
1064 static status_t
get_replay_state(private_kernel_netlink_ipsec_t
*this,
1065 u_int32_t spi
, protocol_id_t protocol
, host_t
*dst
,
1066 struct xfrm_replay_state
*replay
)
1068 unsigned char request
[NETLINK_BUFFER_SIZE
];
1069 struct nlmsghdr
*hdr
, *out
= NULL
;
1070 struct xfrm_aevent_id
*out_aevent
= NULL
, *aevent_id
;
1075 memset(&request
, 0, sizeof(request
));
1077 DBG2(DBG_KNL
, "querying replay state from SAD entry with SPI %.8x", ntohl(spi
));
1079 hdr
= (struct nlmsghdr
*)request
;
1080 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1081 hdr
->nlmsg_type
= XFRM_MSG_GETAE
;
1082 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_aevent_id
));
1084 aevent_id
= (struct xfrm_aevent_id
*)NLMSG_DATA(hdr
);
1085 aevent_id
->flags
= XFRM_AE_RVAL
;
1087 host2xfrm(dst
, &aevent_id
->sa_id
.daddr
);
1088 aevent_id
->sa_id
.spi
= spi
;
1089 aevent_id
->sa_id
.proto
= proto_ike2kernel(protocol
);
1090 aevent_id
->sa_id
.family
= dst
->get_family(dst
);
1092 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1095 while (NLMSG_OK(hdr
, len
))
1097 switch (hdr
->nlmsg_type
)
1099 case XFRM_MSG_NEWAE
:
1101 out_aevent
= NLMSG_DATA(hdr
);
1106 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1107 DBG1(DBG_KNL
, "querying replay state from SAD entry failed: %s (%d)",
1108 strerror(-err
->error
), -err
->error
);
1112 hdr
= NLMSG_NEXT(hdr
, len
);
1121 if (out_aevent
== NULL
)
1123 DBG1(DBG_KNL
, "unable to query replay state from SAD entry with SPI %.8x",
1129 rta
= XFRM_RTA(out
, struct xfrm_aevent_id
);
1130 rtasize
= XFRM_PAYLOAD(out
, struct xfrm_aevent_id
);
1131 while(RTA_OK(rta
, rtasize
))
1133 if (rta
->rta_type
== XFRMA_REPLAY_VAL
)
1135 memcpy(replay
, RTA_DATA(rta
), rta
->rta_len
);
1139 rta
= RTA_NEXT(rta
, rtasize
);
1142 DBG1(DBG_KNL
, "unable to query replay state from SAD entry with SPI %.8x",
1149 * Implementation of kernel_interface_t.update_sa.
1151 static status_t
update_sa(private_kernel_netlink_ipsec_t
*this,
1152 u_int32_t spi
, protocol_id_t protocol
,
1153 host_t
*src
, host_t
*dst
,
1154 host_t
*new_src
, host_t
*new_dst
, bool encap
)
1156 unsigned char request
[NETLINK_BUFFER_SIZE
], *pos
;
1157 struct nlmsghdr
*hdr
, *out
= NULL
;
1158 struct xfrm_usersa_id
*sa_id
;
1159 struct xfrm_usersa_info
*out_sa
= NULL
, *sa
;
1163 struct xfrm_encap_tmpl
* tmpl
= NULL
;
1164 bool got_replay_state
;
1165 struct xfrm_replay_state replay
;
1167 memset(&request
, 0, sizeof(request
));
1169 DBG2(DBG_KNL
, "querying SAD entry with SPI %.8x for update", ntohl(spi
));
1171 /* query the existing SA first */
1172 hdr
= (struct nlmsghdr
*)request
;
1173 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1174 hdr
->nlmsg_type
= XFRM_MSG_GETSA
;
1175 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1177 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1178 host2xfrm(dst
, &sa_id
->daddr
);
1180 sa_id
->proto
= proto_ike2kernel(protocol
);
1181 sa_id
->family
= dst
->get_family(dst
);
1183 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1186 while (NLMSG_OK(hdr
, len
))
1188 switch (hdr
->nlmsg_type
)
1190 case XFRM_MSG_NEWSA
:
1192 out_sa
= NLMSG_DATA(hdr
);
1197 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1198 DBG1(DBG_KNL
, "querying SAD entry failed: %s (%d)",
1199 strerror(-err
->error
), -err
->error
);
1203 hdr
= NLMSG_NEXT(hdr
, len
);
1213 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x", ntohl(spi
));
1218 /* try to get the replay state */
1219 got_replay_state
= (get_replay_state(
1220 this, spi
, protocol
, dst
, &replay
) == SUCCESS
);
1222 /* delete the old SA */
1223 if (this->public.interface
.del_sa(&this->public.interface
, dst
, spi
, protocol
) != SUCCESS
)
1225 DBG1(DBG_KNL
, "unable to delete old SAD entry with SPI %.8x", ntohl(spi
));
1230 DBG2(DBG_KNL
, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1231 ntohl(spi
), src
, dst
, new_src
, new_dst
);
1233 /* copy over the SA from out to request */
1234 hdr
= (struct nlmsghdr
*)request
;
1235 memcpy(hdr
, out
, min(out
->nlmsg_len
, sizeof(request
)));
1236 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1237 hdr
->nlmsg_type
= XFRM_MSG_NEWSA
;
1238 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
1239 sa
= NLMSG_DATA(hdr
);
1240 sa
->family
= new_dst
->get_family(new_dst
);
1242 if (!src
->ip_equals(src
, new_src
))
1244 host2xfrm(new_src
, &sa
->saddr
);
1246 if (!dst
->ip_equals(dst
, new_dst
))
1248 host2xfrm(new_dst
, &sa
->id
.daddr
);
1251 rta
= XFRM_RTA(out
, struct xfrm_usersa_info
);
1252 rtasize
= XFRM_PAYLOAD(out
, struct xfrm_usersa_info
);
1253 pos
= (u_char
*)XFRM_RTA(hdr
, struct xfrm_usersa_info
);
1254 while(RTA_OK(rta
, rtasize
))
1256 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1257 if (rta
->rta_type
!= XFRMA_ENCAP
|| encap
)
1259 if (rta
->rta_type
== XFRMA_ENCAP
)
1260 { /* update encap tmpl */
1261 tmpl
= (struct xfrm_encap_tmpl
*)RTA_DATA(rta
);
1262 tmpl
->encap_sport
= ntohs(new_src
->get_port(new_src
));
1263 tmpl
->encap_dport
= ntohs(new_dst
->get_port(new_dst
));
1265 memcpy(pos
, rta
, rta
->rta_len
);
1266 pos
+= RTA_ALIGN(rta
->rta_len
);
1267 hdr
->nlmsg_len
+= RTA_ALIGN(rta
->rta_len
);
1269 rta
= RTA_NEXT(rta
, rtasize
);
1272 rta
= (struct rtattr
*)pos
;
1273 if (tmpl
== NULL
&& encap
)
1274 { /* add tmpl if we are enabling it */
1275 rta
->rta_type
= XFRMA_ENCAP
;
1276 rta
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_encap_tmpl
));
1278 hdr
->nlmsg_len
+= rta
->rta_len
;
1279 if (hdr
->nlmsg_len
> sizeof(request
))
1284 tmpl
= (struct xfrm_encap_tmpl
*)RTA_DATA(rta
);
1285 tmpl
->encap_type
= UDP_ENCAP_ESPINUDP
;
1286 tmpl
->encap_sport
= ntohs(new_src
->get_port(new_src
));
1287 tmpl
->encap_dport
= ntohs(new_dst
->get_port(new_dst
));
1288 memset(&tmpl
->encap_oa
, 0, sizeof (xfrm_address_t
));
1290 rta
= XFRM_RTA_NEXT(rta
);
1293 if (got_replay_state
)
1294 { /* copy the replay data if available */
1295 rta
->rta_type
= XFRMA_REPLAY_VAL
;
1296 rta
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_replay_state
));
1298 hdr
->nlmsg_len
+= rta
->rta_len
;
1299 if (hdr
->nlmsg_len
> sizeof(request
))
1303 memcpy(RTA_DATA(rta
), &replay
, sizeof(replay
));
1305 rta
= XFRM_RTA_NEXT(rta
);
1308 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1310 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x", ntohl(spi
));
1320 * Implementation of kernel_interface_t.del_sa.
1322 static status_t
del_sa(private_kernel_netlink_ipsec_t
*this, host_t
*dst
,
1323 u_int32_t spi
, protocol_id_t protocol
)
1325 unsigned char request
[NETLINK_BUFFER_SIZE
];
1326 struct nlmsghdr
*hdr
;
1327 struct xfrm_usersa_id
*sa_id
;
1329 memset(&request
, 0, sizeof(request
));
1331 DBG2(DBG_KNL
, "deleting SAD entry with SPI %.8x", ntohl(spi
));
1333 hdr
= (struct nlmsghdr
*)request
;
1334 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1335 hdr
->nlmsg_type
= XFRM_MSG_DELSA
;
1336 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1338 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1339 host2xfrm(dst
, &sa_id
->daddr
);
1341 sa_id
->proto
= proto_ike2kernel(protocol
);
1342 sa_id
->family
= dst
->get_family(dst
);
1344 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1346 DBG1(DBG_KNL
, "unable to delete SAD entry with SPI %.8x", ntohl(spi
));
1349 DBG2(DBG_KNL
, "deleted SAD entry with SPI %.8x", ntohl(spi
));
1354 * Implementation of kernel_interface_t.add_policy.
1356 static status_t
add_policy(private_kernel_netlink_ipsec_t
*this,
1357 host_t
*src
, host_t
*dst
,
1358 traffic_selector_t
*src_ts
,
1359 traffic_selector_t
*dst_ts
,
1360 policy_dir_t direction
, protocol_id_t protocol
,
1361 u_int32_t reqid
, bool high_prio
, ipsec_mode_t mode
,
1364 iterator_t
*iterator
;
1365 policy_entry_t
*current
, *policy
;
1367 unsigned char request
[NETLINK_BUFFER_SIZE
];
1368 struct xfrm_userpolicy_info
*policy_info
;
1369 struct nlmsghdr
*hdr
;
1371 /* create a policy */
1372 policy
= malloc_thing(policy_entry_t
);
1373 memset(policy
, 0, sizeof(policy_entry_t
));
1374 policy
->sel
= ts2selector(src_ts
, dst_ts
);
1375 policy
->direction
= direction
;
1377 /* find the policy, which matches EXACTLY */
1378 this->mutex
->lock(this->mutex
);
1379 iterator
= this->policies
->create_iterator(this->policies
, TRUE
);
1380 while (iterator
->iterate(iterator
, (void**)¤t
))
1382 if (memeq(¤t
->sel
, &policy
->sel
, sizeof(struct xfrm_selector
)) &&
1383 policy
->direction
== current
->direction
)
1385 /* use existing policy */
1386 current
->refcount
++;
1387 DBG2(DBG_KNL
, "policy %R === %R %N already exists, increasing "
1388 "refcount", src_ts
, dst_ts
,
1389 policy_dir_names
, direction
);
1396 iterator
->destroy(iterator
);
1398 { /* apply the new one, if we have no such policy */
1399 this->policies
->insert_last(this->policies
, policy
);
1400 policy
->refcount
= 1;
1403 DBG2(DBG_KNL
, "adding policy %R === %R %N", src_ts
, dst_ts
,
1404 policy_dir_names
, direction
);
1406 memset(&request
, 0, sizeof(request
));
1407 hdr
= (struct nlmsghdr
*)request
;
1408 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1409 hdr
->nlmsg_type
= found ? XFRM_MSG_UPDPOLICY
: XFRM_MSG_NEWPOLICY
;
1410 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info
));
1412 policy_info
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
1413 policy_info
->sel
= policy
->sel
;
1414 policy_info
->dir
= policy
->direction
;
1415 /* calculate priority based on source selector size, small size = high prio */
1416 policy_info
->priority
= high_prio ? PRIO_HIGH
: PRIO_LOW
;
1417 policy_info
->priority
-= policy
->sel
.prefixlen_s
* 10;
1418 policy_info
->priority
-= policy
->sel
.proto ?
2 : 0;
1419 policy_info
->priority
-= policy
->sel
.sport_mask ?
1 : 0;
1420 policy_info
->action
= XFRM_POLICY_ALLOW
;
1421 policy_info
->share
= XFRM_SHARE_ANY
;
1422 this->mutex
->unlock(this->mutex
);
1424 /* policies don't expire */
1425 policy_info
->lft
.soft_byte_limit
= XFRM_INF
;
1426 policy_info
->lft
.soft_packet_limit
= XFRM_INF
;
1427 policy_info
->lft
.hard_byte_limit
= XFRM_INF
;
1428 policy_info
->lft
.hard_packet_limit
= XFRM_INF
;
1429 policy_info
->lft
.soft_add_expires_seconds
= 0;
1430 policy_info
->lft
.hard_add_expires_seconds
= 0;
1431 policy_info
->lft
.soft_use_expires_seconds
= 0;
1432 policy_info
->lft
.hard_use_expires_seconds
= 0;
1434 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_userpolicy_info
);
1435 rthdr
->rta_type
= XFRMA_TMPL
;
1436 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_user_tmpl
));
1438 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1439 if (hdr
->nlmsg_len
> sizeof(request
))
1444 struct xfrm_user_tmpl
*tmpl
= (struct xfrm_user_tmpl
*)RTA_DATA(rthdr
);
1446 if (ipcomp
!= IPCOMP_NONE
)
1448 tmpl
->reqid
= reqid
;
1449 tmpl
->id
.proto
= IPPROTO_COMP
;
1450 tmpl
->aalgos
= tmpl
->ealgos
= tmpl
->calgos
= ~0;
1452 tmpl
->optional
= direction
!= POLICY_OUT
;
1453 tmpl
->family
= src
->get_family(src
);
1455 host2xfrm(src
, &tmpl
->saddr
);
1456 host2xfrm(dst
, &tmpl
->id
.daddr
);
1458 /* add an additional xfrm_user_tmpl */
1459 rthdr
->rta_len
+= RTA_LENGTH(sizeof(struct xfrm_user_tmpl
));
1460 hdr
->nlmsg_len
+= RTA_LENGTH(sizeof(struct xfrm_user_tmpl
));
1461 if (hdr
->nlmsg_len
> sizeof(request
))
1469 tmpl
->reqid
= reqid
;
1470 tmpl
->id
.proto
= proto_ike2kernel(protocol
);
1471 tmpl
->aalgos
= tmpl
->ealgos
= tmpl
->calgos
= ~0;
1473 tmpl
->family
= src
->get_family(src
);
1475 host2xfrm(src
, &tmpl
->saddr
);
1476 host2xfrm(dst
, &tmpl
->id
.daddr
);
1478 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1480 DBG1(DBG_KNL
, "unable to add policy %R === %R %N", src_ts
, dst_ts
,
1481 policy_dir_names
, direction
);
1485 /* install a route, if:
1486 * - we are NOT updating a policy
1487 * - this is a forward policy (to just get one for each child)
1488 * - we are in tunnel mode
1489 * - we are not using IPv6 (does not work correctly yet!)
1490 * - routing is not disabled via strongswan.conf
1492 if (policy
->route
== NULL
&& direction
== POLICY_FWD
&&
1493 mode
!= MODE_TRANSPORT
&& src
->get_family(src
) != AF_INET6
&&
1494 this->install_routes
)
1496 route_entry_t
*route
= malloc_thing(route_entry_t
);
1498 if (charon
->kernel_interface
->get_address_by_ts(charon
->kernel_interface
,
1499 dst_ts
, &route
->src_ip
) == SUCCESS
)
1501 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1502 route
->gateway
= charon
->kernel_interface
->get_nexthop(
1503 charon
->kernel_interface
, src
);
1504 route
->if_name
= charon
->kernel_interface
->get_interface(
1505 charon
->kernel_interface
, dst
);
1506 route
->dst_net
= chunk_alloc(policy
->sel
.family
== AF_INET ?
4 : 16);
1507 memcpy(route
->dst_net
.ptr
, &policy
->sel
.saddr
, route
->dst_net
.len
);
1508 route
->prefixlen
= policy
->sel
.prefixlen_s
;
1512 switch (charon
->kernel_interface
->add_route(
1513 charon
->kernel_interface
, route
->dst_net
,
1514 route
->prefixlen
, route
->gateway
,
1515 route
->src_ip
, route
->if_name
))
1518 DBG1(DBG_KNL
, "unable to install source route for %H",
1522 /* route exists, do not uninstall */
1523 route_entry_destroy(route
);
1526 /* cache the installed route */
1527 policy
->route
= route
;
1533 route_entry_destroy(route
);
1545 * Implementation of kernel_interface_t.query_policy.
1547 static status_t
query_policy(private_kernel_netlink_ipsec_t
*this,
1548 traffic_selector_t
*src_ts
,
1549 traffic_selector_t
*dst_ts
,
1550 policy_dir_t direction
, u_int32_t
*use_time
)
1552 unsigned char request
[NETLINK_BUFFER_SIZE
];
1553 struct nlmsghdr
*out
= NULL
, *hdr
;
1554 struct xfrm_userpolicy_id
*policy_id
;
1555 struct xfrm_userpolicy_info
*policy
= NULL
;
1558 memset(&request
, 0, sizeof(request
));
1560 DBG2(DBG_KNL
, "querying policy %R === %R %N", src_ts
, dst_ts
,
1561 policy_dir_names
, direction
);
1563 hdr
= (struct nlmsghdr
*)request
;
1564 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1565 hdr
->nlmsg_type
= XFRM_MSG_GETPOLICY
;
1566 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
1568 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
1569 policy_id
->sel
= ts2selector(src_ts
, dst_ts
);
1570 policy_id
->dir
= direction
;
1572 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1575 while (NLMSG_OK(hdr
, len
))
1577 switch (hdr
->nlmsg_type
)
1579 case XFRM_MSG_NEWPOLICY
:
1581 policy
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
1586 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1587 DBG1(DBG_KNL
, "querying policy failed: %s (%d)",
1588 strerror(-err
->error
), -err
->error
);
1592 hdr
= NLMSG_NEXT(hdr
, len
);
1603 DBG2(DBG_KNL
, "unable to query policy %R === %R %N", src_ts
, dst_ts
,
1604 policy_dir_names
, direction
);
1608 *use_time
= (time_t)policy
->curlft
.use_time
;
1615 * Implementation of kernel_interface_t.del_policy.
1617 static status_t
del_policy(private_kernel_netlink_ipsec_t
*this,
1618 traffic_selector_t
*src_ts
,
1619 traffic_selector_t
*dst_ts
,
1620 policy_dir_t direction
)
1622 policy_entry_t
*current
, policy
, *to_delete
= NULL
;
1623 route_entry_t
*route
;
1624 unsigned char request
[NETLINK_BUFFER_SIZE
];
1625 struct nlmsghdr
*hdr
;
1626 struct xfrm_userpolicy_id
*policy_id
;
1627 enumerator_t
*enumerator
;
1629 DBG2(DBG_KNL
, "deleting policy %R === %R %N", src_ts
, dst_ts
,
1630 policy_dir_names
, direction
);
1632 /* create a policy */
1633 memset(&policy
, 0, sizeof(policy_entry_t
));
1634 policy
.sel
= ts2selector(src_ts
, dst_ts
);
1635 policy
.direction
= direction
;
1637 /* find the policy */
1638 this->mutex
->lock(this->mutex
);
1639 enumerator
= this->policies
->create_enumerator(this->policies
);
1640 while (enumerator
->enumerate(enumerator
, ¤t
))
1642 if (memeq(¤t
->sel
, &policy
.sel
, sizeof(struct xfrm_selector
)) &&
1643 policy
.direction
== current
->direction
)
1645 to_delete
= current
;
1646 if (--to_delete
->refcount
> 0)
1648 /* is used by more SAs, keep in kernel */
1649 DBG2(DBG_KNL
, "policy still used by another CHILD_SA, not removed");
1650 this->mutex
->unlock(this->mutex
);
1651 enumerator
->destroy(enumerator
);
1654 /* remove if last reference */
1655 this->policies
->remove_at(this->policies
, enumerator
);
1659 this->mutex
->unlock(this->mutex
);
1660 enumerator
->destroy(enumerator
);
1663 DBG1(DBG_KNL
, "deleting policy %R === %R %N failed, not found", src_ts
,
1664 dst_ts
, policy_dir_names
, direction
);
1668 memset(&request
, 0, sizeof(request
));
1670 hdr
= (struct nlmsghdr
*)request
;
1671 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1672 hdr
->nlmsg_type
= XFRM_MSG_DELPOLICY
;
1673 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
1675 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
1676 policy_id
->sel
= to_delete
->sel
;
1677 policy_id
->dir
= direction
;
1679 route
= to_delete
->route
;
1682 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1684 DBG1(DBG_KNL
, "unable to delete policy %R === %R %N", src_ts
, dst_ts
,
1685 policy_dir_names
, direction
);
1691 if (charon
->kernel_interface
->del_route(charon
->kernel_interface
,
1692 route
->dst_net
, route
->prefixlen
, route
->gateway
,
1693 route
->src_ip
, route
->if_name
) != SUCCESS
)
1695 DBG1(DBG_KNL
, "error uninstalling route installed with "
1696 "policy %R === %R %N", src_ts
, dst_ts
,
1697 policy_dir_names
, direction
);
1699 route_entry_destroy(route
);
1705 * Implementation of kernel_interface_t.destroy.
1707 static void destroy(private_kernel_netlink_ipsec_t
*this)
1709 this->job
->cancel(this->job
);
1710 close(this->socket_xfrm_events
);
1711 this->socket_xfrm
->destroy(this->socket_xfrm
);
1712 this->policies
->destroy(this->policies
);
1713 this->mutex
->destroy(this->mutex
);
1718 * Described in header.
1720 kernel_netlink_ipsec_t
*kernel_netlink_ipsec_create()
1722 private_kernel_netlink_ipsec_t
*this = malloc_thing(private_kernel_netlink_ipsec_t
);
1723 struct sockaddr_nl addr
;
1725 /* public functions */
1726 this->public.interface
.get_spi
= (status_t(*)(kernel_ipsec_t
*,host_t
*,host_t
*,protocol_id_t
,u_int32_t
,u_int32_t
*))get_spi
;
1727 this->public.interface
.get_cpi
= (status_t(*)(kernel_ipsec_t
*,host_t
*,host_t
*,u_int32_t
,u_int16_t
*))get_cpi
;
1728 this->public.interface
.add_sa
= (status_t(*)(kernel_ipsec_t
*,host_t
*,host_t
*,u_int32_t
,protocol_id_t
,u_int32_t
,u_int64_t
,u_int64_t
,u_int16_t
,chunk_t
,u_int16_t
,chunk_t
,ipsec_mode_t
,u_int16_t
,bool,bool))add_sa
;
1729 this->public.interface
.update_sa
= (status_t(*)(kernel_ipsec_t
*,u_int32_t
,protocol_id_t
,host_t
*,host_t
*,host_t
*,host_t
*,bool))update_sa
;
1730 this->public.interface
.del_sa
= (status_t(*)(kernel_ipsec_t
*,host_t
*,u_int32_t
,protocol_id_t
))del_sa
;
1731 this->public.interface
.add_policy
= (status_t(*)(kernel_ipsec_t
*,host_t
*,host_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
,protocol_id_t
,u_int32_t
,bool,ipsec_mode_t
,u_int16_t
))add_policy
;
1732 this->public.interface
.query_policy
= (status_t(*)(kernel_ipsec_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
,u_int32_t
*))query_policy
;
1733 this->public.interface
.del_policy
= (status_t(*)(kernel_ipsec_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
))del_policy
;
1734 this->public.interface
.destroy
= (void(*)(kernel_ipsec_t
*)) destroy
;
1736 /* private members */
1737 this->policies
= linked_list_create();
1738 this->mutex
= mutex_create(MUTEX_DEFAULT
);
1739 this->install_routes
= lib
->settings
->get_bool(lib
->settings
,
1740 "charon.install_routes", TRUE
);
1742 this->socket_xfrm
= netlink_socket_create(NETLINK_XFRM
);
1744 memset(&addr
, 0, sizeof(addr
));
1745 addr
.nl_family
= AF_NETLINK
;
1747 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
1748 this->socket_xfrm_events
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_XFRM
);
1749 if (this->socket_xfrm_events
<= 0)
1751 charon
->kill(charon
, "unable to create XFRM event socket");
1753 addr
.nl_groups
= XFRMNLGRP(ACQUIRE
) | XFRMNLGRP(EXPIRE
) |
1754 XFRMNLGRP(MIGRATE
) | XFRMNLGRP(MAPPING
);
1755 if (bind(this->socket_xfrm_events
, (struct sockaddr
*)&addr
, sizeof(addr
)))
1757 charon
->kill(charon
, "unable to bind XFRM event socket");
1760 this->job
= callback_job_create((callback_job_cb_t
)receive_events
,
1762 charon
->processor
->queue_job(charon
->processor
, (job_t
*)this->job
);
1764 return &this->public;