7fb6a260fe449efa4bf09c858700f0c4476c1329
[strongswan.git] / src / charon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 *
19 * $Id$
20 */
21
22 #include <sys/types.h>
23 #include <sys/socket.h>
24 #include <sys/time.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <netinet/in.h>
30 #include <pthread.h>
31 #include <unistd.h>
32 #include <errno.h>
33 #include <string.h>
34
35 #include "kernel_netlink_ipsec.h"
36 #include "kernel_netlink_shared.h"
37
38 #include <daemon.h>
39 #include <utils/linked_list.h>
40 #include <processing/jobs/callback_job.h>
41 #include <processing/jobs/acquire_job.h>
42 #include <processing/jobs/rekey_child_sa_job.h>
43 #include <processing/jobs/delete_child_sa_job.h>
44 #include <processing/jobs/update_sa_job.h>
45
46 /** required for Linux 2.6.26 kernel and later */
47 #ifndef XFRM_STATE_AF_UNSPEC
48 #define XFRM_STATE_AF_UNSPEC 32
49 #endif
50
51 /** default priority of installed policies */
52 #define PRIO_LOW 3000
53 #define PRIO_HIGH 2000
54
55 /**
56 * Create ORable bitfield of XFRM NL groups
57 */
58 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
59
60 /**
61 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
62 * 'usual' netlink data x like 'struct xfrm_usersa_info'
63 */
64 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
65 /**
66 * returns a pointer to the next rtattr following rta.
67 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
68 */
69 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
70 /**
71 * returns the total size of attached rta data
72 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
73 */
74 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
75
76 typedef struct kernel_algorithm_t kernel_algorithm_t;
77
78 /**
79 * Mapping from the algorithms defined in IKEv2 to
80 * kernel level algorithm names and their key length
81 */
82 struct kernel_algorithm_t {
83 /**
84 * Identifier specified in IKEv2
85 */
86 int ikev2_id;
87
88 /**
89 * Name of the algorithm, as used as kernel identifier
90 */
91 char *name;
92
93 /**
94 * Key length in bits, if fixed size
95 */
96 u_int key_size;
97 };
98
99 #define END_OF_LIST -1
100
101 /**
102 * Algorithms for encryption
103 */
104 static kernel_algorithm_t encryption_algs[] = {
105 /* {ENCR_DES_IV64, "***", 0}, */
106 {ENCR_DES, "des", 64},
107 {ENCR_3DES, "des3_ede", 192},
108 /* {ENCR_RC5, "***", 0}, */
109 /* {ENCR_IDEA, "***", 0}, */
110 {ENCR_CAST, "cast128", 0},
111 {ENCR_BLOWFISH, "blowfish", 0},
112 /* {ENCR_3IDEA, "***", 0}, */
113 /* {ENCR_DES_IV32, "***", 0}, */
114 {ENCR_NULL, "cipher_null", 0},
115 {ENCR_AES_CBC, "aes", 0},
116 /* {ENCR_AES_CTR, "***", 0}, */
117 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))", 64}, /* key_size = ICV size */
118 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))", 96}, /* key_size = ICV size */
119 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))", 128}, /* key_size = ICV size */
120 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))", 64}, /* key_size = ICV size */
121 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))", 96}, /* key_size = ICV size */
122 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))", 128}, /* key_size = ICV size */
123 {END_OF_LIST, NULL, 0},
124 };
125
126 /**
127 * Algorithms for integrity protection
128 */
129 static kernel_algorithm_t integrity_algs[] = {
130 {AUTH_HMAC_MD5_96, "md5", 128},
131 {AUTH_HMAC_SHA1_96, "sha1", 160},
132 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
133 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
134 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
135 /* {AUTH_DES_MAC, "***", 0}, */
136 /* {AUTH_KPDK_MD5, "***", 0}, */
137 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
138 {END_OF_LIST, NULL, 0},
139 };
140
141 /**
142 * Algorithms for IPComp
143 */
144 static kernel_algorithm_t compression_algs[] = {
145 /* {IPCOMP_OUI, "***", 0}, */
146 {IPCOMP_DEFLATE, "deflate", 0},
147 {IPCOMP_LZS, "lzs", 0},
148 {IPCOMP_LZJH, "lzjh", 0},
149 {END_OF_LIST, NULL, 0},
150 };
151
152 /**
153 * Look up a kernel algorithm name and its key size
154 */
155 static char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
156 u_int16_t ikev2_algo, u_int16_t *key_size)
157 {
158 while (kernel_algo->ikev2_id != END_OF_LIST)
159 {
160 if (ikev2_algo == kernel_algo->ikev2_id)
161 {
162 /* match, evaluate key length */
163 if (key_size && *key_size == 0)
164 { /* update key size if not set */
165 *key_size = kernel_algo->key_size;
166 }
167 return kernel_algo->name;
168 }
169 kernel_algo++;
170 }
171 return NULL;
172 }
173
174 typedef struct route_entry_t route_entry_t;
175
176 /**
177 * installed routing entry
178 */
179 struct route_entry_t {
180 /** Name of the interface the route is bound to */
181 char *if_name;
182
183 /** Source ip of the route */
184 host_t *src_ip;
185
186 /** gateway for this route */
187 host_t *gateway;
188
189 /** Destination net */
190 chunk_t dst_net;
191
192 /** Destination net prefixlen */
193 u_int8_t prefixlen;
194 };
195
196 /**
197 * destroy an route_entry_t object
198 */
199 static void route_entry_destroy(route_entry_t *this)
200 {
201 free(this->if_name);
202 this->src_ip->destroy(this->src_ip);
203 this->gateway->destroy(this->gateway);
204 chunk_free(&this->dst_net);
205 free(this);
206 }
207
208 typedef struct policy_entry_t policy_entry_t;
209
210 /**
211 * installed kernel policy.
212 */
213 struct policy_entry_t {
214
215 /** direction of this policy: in, out, forward */
216 u_int8_t direction;
217
218 /** parameters of installed policy */
219 struct xfrm_selector sel;
220
221 /** associated route installed for this policy */
222 route_entry_t *route;
223
224 /** by how many CHILD_SA's this policy is used */
225 u_int refcount;
226 };
227
228 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
229
230 /**
231 * Private variables and functions of kernel_netlink class.
232 */
233 struct private_kernel_netlink_ipsec_t {
234 /**
235 * Public part of the kernel_netlink_t object.
236 */
237 kernel_netlink_ipsec_t public;
238
239 /**
240 * mutex to lock access to various lists
241 */
242 pthread_mutex_t mutex;
243
244 /**
245 * List of installed policies (policy_entry_t)
246 */
247 linked_list_t *policies;
248
249 /**
250 * job receiving netlink events
251 */
252 callback_job_t *job;
253
254 /**
255 * Netlink xfrm socket (IPsec)
256 */
257 netlink_socket_t *socket_xfrm;
258
259 /**
260 * netlink xfrm socket to receive acquire and expire events
261 */
262 int socket_xfrm_events;
263
264 /**
265 * whether to install routes along policies
266 */
267 bool install_routes;
268 };
269
270 /**
271 * convert a IKEv2 specific protocol identifier to the kernel one
272 */
273 static u_int8_t proto_ike2kernel(protocol_id_t proto)
274 {
275 switch (proto)
276 {
277 case PROTO_ESP:
278 return IPPROTO_ESP;
279 case PROTO_AH:
280 return IPPROTO_AH;
281 default:
282 return proto;
283 }
284 }
285
286 /**
287 * reverse of ike2kernel
288 */
289 static protocol_id_t proto_kernel2ike(u_int8_t proto)
290 {
291 switch (proto)
292 {
293 case IPPROTO_ESP:
294 return PROTO_ESP;
295 case IPPROTO_AH:
296 return PROTO_AH;
297 default:
298 return proto;
299 }
300 }
301
302 /**
303 * convert a host_t to a struct xfrm_address
304 */
305 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
306 {
307 chunk_t chunk = host->get_address(host);
308 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
309 }
310
311 /**
312 * convert a struct xfrm_address to a host_t
313 */
314 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
315 {
316 chunk_t chunk;
317
318 switch (family)
319 {
320 case AF_INET:
321 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
322 break;
323 case AF_INET6:
324 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
325 break;
326 default:
327 return NULL;
328 }
329 return host_create_from_chunk(family, chunk, ntohs(port));
330 }
331
332 /**
333 * convert a traffic selector address range to subnet and its mask.
334 */
335 static void ts2subnet(traffic_selector_t* ts,
336 xfrm_address_t *net, u_int8_t *mask)
337 {
338 host_t *net_host;
339 chunk_t net_chunk;
340
341 ts->to_subnet(ts, &net_host, mask);
342 net_chunk = net_host->get_address(net_host);
343 memcpy(net, net_chunk.ptr, net_chunk.len);
344 net_host->destroy(net_host);
345 }
346
347 /**
348 * convert a traffic selector port range to port/portmask
349 */
350 static void ts2ports(traffic_selector_t* ts,
351 u_int16_t *port, u_int16_t *mask)
352 {
353 /* linux does not seem to accept complex portmasks. Only
354 * any or a specific port is allowed. We set to any, if we have
355 * a port range, or to a specific, if we have one port only.
356 */
357 u_int16_t from, to;
358
359 from = ts->get_from_port(ts);
360 to = ts->get_to_port(ts);
361
362 if (from == to)
363 {
364 *port = htons(from);
365 *mask = ~0;
366 }
367 else
368 {
369 *port = 0;
370 *mask = 0;
371 }
372 }
373
374 /**
375 * convert a pair of traffic_selectors to a xfrm_selector
376 */
377 static struct xfrm_selector ts2selector(traffic_selector_t *src,
378 traffic_selector_t *dst)
379 {
380 struct xfrm_selector sel;
381
382 memset(&sel, 0, sizeof(sel));
383 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
384 /* src or dest proto may be "any" (0), use more restrictive one */
385 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
386 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
387 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
388 ts2ports(dst, &sel.dport, &sel.dport_mask);
389 ts2ports(src, &sel.sport, &sel.sport_mask);
390 sel.ifindex = 0;
391 sel.user = 0;
392
393 return sel;
394 }
395
396
397 /**
398 * process a XFRM_MSG_ACQUIRE from kernel
399 */
400 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
401 {
402 u_int32_t reqid = 0;
403 int proto = 0;
404 job_t *job;
405 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
406 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
407
408 if (RTA_OK(rtattr, rtsize))
409 {
410 if (rtattr->rta_type == XFRMA_TMPL)
411 {
412 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
413 reqid = tmpl->reqid;
414 proto = tmpl->id.proto;
415 }
416 }
417 switch (proto)
418 {
419 case 0:
420 case IPPROTO_ESP:
421 case IPPROTO_AH:
422 break;
423 default:
424 /* acquire for AH/ESP only, not for IPCOMP */
425 return;
426 }
427 if (reqid == 0)
428 {
429 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
430 return;
431 }
432 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
433 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
434 job = (job_t*)acquire_job_create(reqid);
435 charon->processor->queue_job(charon->processor, job);
436 }
437
438 /**
439 * process a XFRM_MSG_EXPIRE from kernel
440 */
441 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
442 {
443 job_t *job;
444 protocol_id_t protocol;
445 u_int32_t spi, reqid;
446 struct xfrm_user_expire *expire;
447
448 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
449 protocol = proto_kernel2ike(expire->state.id.proto);
450 spi = expire->state.id.spi;
451 reqid = expire->state.reqid;
452
453 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
454
455 if (protocol != PROTO_ESP && protocol != PROTO_AH)
456 {
457 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%d} "
458 "which is not a CHILD_SA", ntohl(spi), reqid);
459 return;
460 }
461
462 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
463 expire->hard ? "delete" : "rekey", protocol_id_names,
464 protocol, ntohl(spi), reqid);
465 if (expire->hard)
466 {
467 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
468 }
469 else
470 {
471 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
472 }
473 charon->processor->queue_job(charon->processor, job);
474 }
475
476 /**
477 * process a XFRM_MSG_MAPPING from kernel
478 */
479 static void process_mapping(private_kernel_netlink_ipsec_t *this,
480 struct nlmsghdr *hdr)
481 {
482 job_t *job;
483 u_int32_t spi, reqid;
484 struct xfrm_user_mapping *mapping;
485 host_t *host;
486
487 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
488 spi = mapping->id.spi;
489 reqid = mapping->reqid;
490
491 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
492
493 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
494 {
495 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
496 mapping->new_sport);
497 if (host)
498 {
499 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
500 "reqid {%d} changed, queuing update job", ntohl(spi), reqid);
501 job = (job_t*)update_sa_job_create(reqid, host);
502 charon->processor->queue_job(charon->processor, job);
503 }
504 }
505 }
506
507 /**
508 * Receives events from kernel
509 */
510 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
511 {
512 char response[1024];
513 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
514 struct sockaddr_nl addr;
515 socklen_t addr_len = sizeof(addr);
516 int len, oldstate;
517
518 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
519 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
520 (struct sockaddr*)&addr, &addr_len);
521 pthread_setcancelstate(oldstate, NULL);
522
523 if (len < 0)
524 {
525 switch (errno)
526 {
527 case EINTR:
528 /* interrupted, try again */
529 return JOB_REQUEUE_DIRECT;
530 case EAGAIN:
531 /* no data ready, select again */
532 return JOB_REQUEUE_DIRECT;
533 default:
534 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
535 sleep(1);
536 return JOB_REQUEUE_FAIR;
537 }
538 }
539
540 if (addr.nl_pid != 0)
541 { /* not from kernel. not interested, try another one */
542 return JOB_REQUEUE_DIRECT;
543 }
544
545 while (NLMSG_OK(hdr, len))
546 {
547 switch (hdr->nlmsg_type)
548 {
549 case XFRM_MSG_ACQUIRE:
550 process_acquire(this, hdr);
551 break;
552 case XFRM_MSG_EXPIRE:
553 process_expire(this, hdr);
554 break;
555 case XFRM_MSG_MAPPING:
556 process_mapping(this, hdr);
557 break;
558 default:
559 break;
560 }
561 hdr = NLMSG_NEXT(hdr, len);
562 }
563 return JOB_REQUEUE_DIRECT;
564 }
565
566 /**
567 * Get an SPI for a specific protocol from the kernel.
568 */
569 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
570 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
571 u_int32_t reqid, u_int32_t *spi)
572 {
573 unsigned char request[NETLINK_BUFFER_SIZE];
574 struct nlmsghdr *hdr, *out;
575 struct xfrm_userspi_info *userspi;
576 u_int32_t received_spi = 0;
577 size_t len;
578
579 memset(&request, 0, sizeof(request));
580
581 hdr = (struct nlmsghdr*)request;
582 hdr->nlmsg_flags = NLM_F_REQUEST;
583 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
584 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
585
586 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
587 host2xfrm(src, &userspi->info.saddr);
588 host2xfrm(dst, &userspi->info.id.daddr);
589 userspi->info.id.proto = proto;
590 userspi->info.mode = TRUE; /* tunnel mode */
591 userspi->info.reqid = reqid;
592 userspi->info.family = src->get_family(src);
593 userspi->min = min;
594 userspi->max = max;
595
596 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
597 {
598 hdr = out;
599 while (NLMSG_OK(hdr, len))
600 {
601 switch (hdr->nlmsg_type)
602 {
603 case XFRM_MSG_NEWSA:
604 {
605 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
606 received_spi = usersa->id.spi;
607 break;
608 }
609 case NLMSG_ERROR:
610 {
611 struct nlmsgerr *err = NLMSG_DATA(hdr);
612
613 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
614 strerror(-err->error), -err->error);
615 break;
616 }
617 default:
618 hdr = NLMSG_NEXT(hdr, len);
619 continue;
620 case NLMSG_DONE:
621 break;
622 }
623 break;
624 }
625 free(out);
626 }
627
628 if (received_spi == 0)
629 {
630 return FAILED;
631 }
632
633 *spi = received_spi;
634 return SUCCESS;
635 }
636
637 /**
638 * Implementation of kernel_interface_t.get_spi.
639 */
640 static status_t get_spi(private_kernel_netlink_ipsec_t *this,
641 host_t *src, host_t *dst,
642 protocol_id_t protocol, u_int32_t reqid,
643 u_int32_t *spi)
644 {
645 DBG2(DBG_KNL, "getting SPI for reqid {%d}", reqid);
646
647 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
648 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
649 {
650 DBG1(DBG_KNL, "unable to get SPI for reqid {%d}", reqid);
651 return FAILED;
652 }
653
654 DBG2(DBG_KNL, "got SPI %.8x for reqid {%d}", ntohl(*spi), reqid);
655
656 return SUCCESS;
657 }
658
659 /**
660 * Implementation of kernel_interface_t.get_cpi.
661 */
662 static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
663 host_t *src, host_t *dst,
664 u_int32_t reqid, u_int16_t *cpi)
665 {
666 u_int32_t received_spi = 0;
667
668 DBG2(DBG_KNL, "getting CPI for reqid {%d}", reqid);
669
670 if (get_spi_internal(this, src, dst,
671 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
672 {
673 DBG1(DBG_KNL, "unable to get CPI for reqid {%d}", reqid);
674 return FAILED;
675 }
676
677 *cpi = htons((u_int16_t)ntohl(received_spi));
678
679 DBG2(DBG_KNL, "got CPI %.4x for reqid {%d}", ntohs(*cpi), reqid);
680
681 return SUCCESS;
682 }
683
684 /**
685 * Implementation of kernel_interface_t.add_sa.
686 */
687 static status_t add_sa(private_kernel_netlink_ipsec_t *this,
688 host_t *src, host_t *dst, u_int32_t spi,
689 protocol_id_t protocol, u_int32_t reqid,
690 u_int64_t expire_soft, u_int64_t expire_hard,
691 u_int16_t enc_alg, u_int16_t enc_size,
692 u_int16_t int_alg, u_int16_t int_size,
693 prf_plus_t *prf_plus, ipsec_mode_t mode,
694 u_int16_t ipcomp, bool encap,
695 bool replace)
696 {
697 unsigned char request[NETLINK_BUFFER_SIZE];
698 char *alg_name;
699 /* additional 4 octets KEYMAT required for AES-GCM as of RFC4106 8.1. */
700 u_int16_t add_keymat = 32;
701 struct nlmsghdr *hdr;
702 struct xfrm_usersa_info *sa;
703
704 memset(&request, 0, sizeof(request));
705
706 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
707
708 hdr = (struct nlmsghdr*)request;
709 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
710 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
711 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
712
713 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
714 host2xfrm(src, &sa->saddr);
715 host2xfrm(dst, &sa->id.daddr);
716 sa->id.spi = spi;
717 sa->id.proto = proto_ike2kernel(protocol);
718 sa->family = src->get_family(src);
719 sa->mode = mode;
720 if (mode == MODE_TUNNEL)
721 {
722 sa->flags |= XFRM_STATE_AF_UNSPEC;
723 }
724 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
725 sa->reqid = reqid;
726 /* we currently do not expire SAs by volume/packet count */
727 sa->lft.soft_byte_limit = XFRM_INF;
728 sa->lft.hard_byte_limit = XFRM_INF;
729 sa->lft.soft_packet_limit = XFRM_INF;
730 sa->lft.hard_packet_limit = XFRM_INF;
731 /* we use lifetimes since added, not since used */
732 sa->lft.soft_add_expires_seconds = expire_soft;
733 sa->lft.hard_add_expires_seconds = expire_hard;
734 sa->lft.soft_use_expires_seconds = 0;
735 sa->lft.hard_use_expires_seconds = 0;
736
737 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
738
739 switch (enc_alg)
740 {
741 case ENCR_UNDEFINED:
742 /* no encryption */
743 break;
744 case ENCR_AES_CCM_ICV8:
745 case ENCR_AES_CCM_ICV12:
746 case ENCR_AES_CCM_ICV16:
747 /* AES-CCM needs only 3 additional octets KEYMAT as of RFC 4309 7.1. */
748 add_keymat = 24;
749 /* fall-through */
750 case ENCR_AES_GCM_ICV8:
751 case ENCR_AES_GCM_ICV12:
752 case ENCR_AES_GCM_ICV16:
753 {
754 u_int16_t icv_size = 0;
755 rthdr->rta_type = XFRMA_ALG_AEAD;
756 alg_name = lookup_algorithm(encryption_algs, enc_alg, &icv_size);
757 if (alg_name == NULL)
758 {
759 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
760 encryption_algorithm_names, enc_alg);
761 return FAILED;
762 }
763 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
764 encryption_algorithm_names, enc_alg, enc_size);
765
766 /* additional KEYMAT required */
767 enc_size += add_keymat;
768
769 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_size / 8);
770 hdr->nlmsg_len += rthdr->rta_len;
771 if (hdr->nlmsg_len > sizeof(request))
772 {
773 return FAILED;
774 }
775
776 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
777 algo->alg_key_len = enc_size;
778 algo->alg_icv_len = icv_size;
779 strcpy(algo->alg_name, alg_name);
780 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
781
782 rthdr = XFRM_RTA_NEXT(rthdr);
783 break;
784 }
785 default:
786 {
787 rthdr->rta_type = XFRMA_ALG_CRYPT;
788 alg_name = lookup_algorithm(encryption_algs, enc_alg, &enc_size);
789 if (alg_name == NULL)
790 {
791 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
792 encryption_algorithm_names, enc_alg);
793 return FAILED;
794 }
795 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
796 encryption_algorithm_names, enc_alg, enc_size);
797
798 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_size / 8);
799 hdr->nlmsg_len += rthdr->rta_len;
800 if (hdr->nlmsg_len > sizeof(request))
801 {
802 return FAILED;
803 }
804
805 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
806 algo->alg_key_len = enc_size;
807 strcpy(algo->alg_name, alg_name);
808 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
809
810 rthdr = XFRM_RTA_NEXT(rthdr);
811 break;
812 }
813 }
814
815 if (int_alg != AUTH_UNDEFINED)
816 {
817 rthdr->rta_type = XFRMA_ALG_AUTH;
818 alg_name = lookup_algorithm(integrity_algs, int_alg, &int_size);
819 if (alg_name == NULL)
820 {
821 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
822 integrity_algorithm_names, int_alg);
823 return FAILED;
824 }
825 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
826 integrity_algorithm_names, int_alg, int_size);
827
828 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_size / 8);
829 hdr->nlmsg_len += rthdr->rta_len;
830 if (hdr->nlmsg_len > sizeof(request))
831 {
832 return FAILED;
833 }
834
835 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
836 algo->alg_key_len = int_size;
837 strcpy(algo->alg_name, alg_name);
838 prf_plus->get_bytes(prf_plus, int_size / 8, algo->alg_key);
839
840 rthdr = XFRM_RTA_NEXT(rthdr);
841 }
842
843 if (ipcomp != IPCOMP_NONE)
844 {
845 rthdr->rta_type = XFRMA_ALG_COMP;
846 alg_name = lookup_algorithm(compression_algs, ipcomp, NULL);
847 if (alg_name == NULL)
848 {
849 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
850 ipcomp_transform_names, ipcomp);
851 return FAILED;
852 }
853 DBG2(DBG_KNL, " using compression algorithm %N",
854 ipcomp_transform_names, ipcomp);
855
856 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
857 hdr->nlmsg_len += rthdr->rta_len;
858 if (hdr->nlmsg_len > sizeof(request))
859 {
860 return FAILED;
861 }
862
863 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
864 algo->alg_key_len = 0;
865 strcpy(algo->alg_name, alg_name);
866
867 rthdr = XFRM_RTA_NEXT(rthdr);
868 }
869
870 if (encap)
871 {
872 rthdr->rta_type = XFRMA_ENCAP;
873 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
874
875 hdr->nlmsg_len += rthdr->rta_len;
876 if (hdr->nlmsg_len > sizeof(request))
877 {
878 return FAILED;
879 }
880
881 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
882 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
883 tmpl->encap_sport = htons(src->get_port(src));
884 tmpl->encap_dport = htons(dst->get_port(dst));
885 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
886 /* encap_oa could probably be derived from the
887 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
888 * pluto does the same as we do here but it uses encap_oa in the
889 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
890 * the kernel ignores it anyway
891 * -> does that mean that NAT-T encap doesn't work in transport mode?
892 * No. The reason the kernel ignores NAT-OA is that it recomputes
893 * (or, rather, just ignores) the checksum. If packets pass
894 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
895 rthdr = XFRM_RTA_NEXT(rthdr);
896 }
897
898 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
899 {
900 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
901 return FAILED;
902 }
903 return SUCCESS;
904 }
905
906 /**
907 * Get the replay state (i.e. sequence numbers) of an SA.
908 */
909 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
910 u_int32_t spi, protocol_id_t protocol, host_t *dst,
911 struct xfrm_replay_state *replay)
912 {
913 unsigned char request[NETLINK_BUFFER_SIZE];
914 struct nlmsghdr *hdr, *out = NULL;
915 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
916 size_t len;
917 struct rtattr *rta;
918 size_t rtasize;
919
920 memset(&request, 0, sizeof(request));
921
922 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
923
924 hdr = (struct nlmsghdr*)request;
925 hdr->nlmsg_flags = NLM_F_REQUEST;
926 hdr->nlmsg_type = XFRM_MSG_GETAE;
927 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
928
929 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
930 aevent_id->flags = XFRM_AE_RVAL;
931
932 host2xfrm(dst, &aevent_id->sa_id.daddr);
933 aevent_id->sa_id.spi = spi;
934 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
935 aevent_id->sa_id.family = dst->get_family(dst);
936
937 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
938 {
939 hdr = out;
940 while (NLMSG_OK(hdr, len))
941 {
942 switch (hdr->nlmsg_type)
943 {
944 case XFRM_MSG_NEWAE:
945 {
946 out_aevent = NLMSG_DATA(hdr);
947 break;
948 }
949 case NLMSG_ERROR:
950 {
951 struct nlmsgerr *err = NLMSG_DATA(hdr);
952 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
953 strerror(-err->error), -err->error);
954 break;
955 }
956 default:
957 hdr = NLMSG_NEXT(hdr, len);
958 continue;
959 case NLMSG_DONE:
960 break;
961 }
962 break;
963 }
964 }
965
966 if (out_aevent == NULL)
967 {
968 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
969 ntohl(spi));
970 free(out);
971 return FAILED;
972 }
973
974 rta = XFRM_RTA(out, struct xfrm_aevent_id);
975 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
976 while(RTA_OK(rta, rtasize))
977 {
978 if (rta->rta_type == XFRMA_REPLAY_VAL)
979 {
980 memcpy(replay, RTA_DATA(rta), rta->rta_len);
981 free(out);
982 return SUCCESS;
983 }
984 rta = RTA_NEXT(rta, rtasize);
985 }
986
987 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
988 ntohl(spi));
989 free(out);
990 return FAILED;
991 }
992
993 /**
994 * Implementation of kernel_interface_t.update_sa.
995 */
996 static status_t update_sa(private_kernel_netlink_ipsec_t *this,
997 u_int32_t spi, protocol_id_t protocol,
998 host_t *src, host_t *dst,
999 host_t *new_src, host_t *new_dst, bool encap)
1000 {
1001 unsigned char request[NETLINK_BUFFER_SIZE], *pos;
1002 struct nlmsghdr *hdr, *out = NULL;
1003 struct xfrm_usersa_id *sa_id;
1004 struct xfrm_usersa_info *out_sa = NULL, *sa;
1005 size_t len;
1006 struct rtattr *rta;
1007 size_t rtasize;
1008 struct xfrm_encap_tmpl* tmpl = NULL;
1009 bool got_replay_state;
1010 struct xfrm_replay_state replay;
1011
1012 memset(&request, 0, sizeof(request));
1013
1014 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1015
1016 /* query the existing SA first */
1017 hdr = (struct nlmsghdr*)request;
1018 hdr->nlmsg_flags = NLM_F_REQUEST;
1019 hdr->nlmsg_type = XFRM_MSG_GETSA;
1020 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1021
1022 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1023 host2xfrm(dst, &sa_id->daddr);
1024 sa_id->spi = spi;
1025 sa_id->proto = proto_ike2kernel(protocol);
1026 sa_id->family = dst->get_family(dst);
1027
1028 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1029 {
1030 hdr = out;
1031 while (NLMSG_OK(hdr, len))
1032 {
1033 switch (hdr->nlmsg_type)
1034 {
1035 case XFRM_MSG_NEWSA:
1036 {
1037 out_sa = NLMSG_DATA(hdr);
1038 break;
1039 }
1040 case NLMSG_ERROR:
1041 {
1042 struct nlmsgerr *err = NLMSG_DATA(hdr);
1043 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1044 strerror(-err->error), -err->error);
1045 break;
1046 }
1047 default:
1048 hdr = NLMSG_NEXT(hdr, len);
1049 continue;
1050 case NLMSG_DONE:
1051 break;
1052 }
1053 break;
1054 }
1055 }
1056 if (out_sa == NULL)
1057 {
1058 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1059 free(out);
1060 return FAILED;
1061 }
1062
1063 /* try to get the replay state */
1064 got_replay_state = (get_replay_state(
1065 this, spi, protocol, dst, &replay) == SUCCESS);
1066
1067 /* delete the old SA */
1068 if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
1069 {
1070 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1071 free(out);
1072 return FAILED;
1073 }
1074
1075 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1076 ntohl(spi), src, dst, new_src, new_dst);
1077
1078 /* copy over the SA from out to request */
1079 hdr = (struct nlmsghdr*)request;
1080 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1081 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1082 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1083 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1084 sa = NLMSG_DATA(hdr);
1085 sa->family = new_dst->get_family(new_dst);
1086
1087 if (!src->ip_equals(src, new_src))
1088 {
1089 host2xfrm(new_src, &sa->saddr);
1090 }
1091 if (!dst->ip_equals(dst, new_dst))
1092 {
1093 host2xfrm(new_dst, &sa->id.daddr);
1094 }
1095
1096 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1097 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1098 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1099 while(RTA_OK(rta, rtasize))
1100 {
1101 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1102 if (rta->rta_type != XFRMA_ENCAP || encap)
1103 {
1104 if (rta->rta_type == XFRMA_ENCAP)
1105 { /* update encap tmpl */
1106 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1107 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1108 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1109 }
1110 memcpy(pos, rta, rta->rta_len);
1111 pos += RTA_ALIGN(rta->rta_len);
1112 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1113 }
1114 rta = RTA_NEXT(rta, rtasize);
1115 }
1116
1117 rta = (struct rtattr*)pos;
1118 if (tmpl == NULL && encap)
1119 { /* add tmpl if we are enabling it */
1120 rta->rta_type = XFRMA_ENCAP;
1121 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1122
1123 hdr->nlmsg_len += rta->rta_len;
1124 if (hdr->nlmsg_len > sizeof(request))
1125 {
1126 return FAILED;
1127 }
1128
1129 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1130 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1131 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1132 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1133 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1134
1135 rta = XFRM_RTA_NEXT(rta);
1136 }
1137
1138 if (got_replay_state)
1139 { /* copy the replay data if available */
1140 rta->rta_type = XFRMA_REPLAY_VAL;
1141 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1142
1143 hdr->nlmsg_len += rta->rta_len;
1144 if (hdr->nlmsg_len > sizeof(request))
1145 {
1146 return FAILED;
1147 }
1148 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1149
1150 rta = XFRM_RTA_NEXT(rta);
1151 }
1152
1153 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1154 {
1155 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1156 free(out);
1157 return FAILED;
1158 }
1159 free(out);
1160
1161 return SUCCESS;
1162 }
1163
1164 /**
1165 * Implementation of kernel_interface_t.del_sa.
1166 */
1167 static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
1168 u_int32_t spi, protocol_id_t protocol)
1169 {
1170 unsigned char request[NETLINK_BUFFER_SIZE];
1171 struct nlmsghdr *hdr;
1172 struct xfrm_usersa_id *sa_id;
1173
1174 memset(&request, 0, sizeof(request));
1175
1176 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1177
1178 hdr = (struct nlmsghdr*)request;
1179 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1180 hdr->nlmsg_type = XFRM_MSG_DELSA;
1181 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1182
1183 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1184 host2xfrm(dst, &sa_id->daddr);
1185 sa_id->spi = spi;
1186 sa_id->proto = proto_ike2kernel(protocol);
1187 sa_id->family = dst->get_family(dst);
1188
1189 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1190 {
1191 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1192 return FAILED;
1193 }
1194 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1195 return SUCCESS;
1196 }
1197
1198 /**
1199 * Implementation of kernel_interface_t.add_policy.
1200 */
1201 static status_t add_policy(private_kernel_netlink_ipsec_t *this,
1202 host_t *src, host_t *dst,
1203 traffic_selector_t *src_ts,
1204 traffic_selector_t *dst_ts,
1205 policy_dir_t direction, protocol_id_t protocol,
1206 u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
1207 u_int16_t ipcomp)
1208 {
1209 iterator_t *iterator;
1210 policy_entry_t *current, *policy;
1211 bool found = FALSE;
1212 unsigned char request[NETLINK_BUFFER_SIZE];
1213 struct xfrm_userpolicy_info *policy_info;
1214 struct nlmsghdr *hdr;
1215
1216 /* create a policy */
1217 policy = malloc_thing(policy_entry_t);
1218 memset(policy, 0, sizeof(policy_entry_t));
1219 policy->sel = ts2selector(src_ts, dst_ts);
1220 policy->direction = direction;
1221
1222 /* find the policy, which matches EXACTLY */
1223 pthread_mutex_lock(&this->mutex);
1224 iterator = this->policies->create_iterator(this->policies, TRUE);
1225 while (iterator->iterate(iterator, (void**)&current))
1226 {
1227 if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
1228 policy->direction == current->direction)
1229 {
1230 /* use existing policy */
1231 current->refcount++;
1232 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1233 "refcount", src_ts, dst_ts,
1234 policy_dir_names, direction);
1235 free(policy);
1236 policy = current;
1237 found = TRUE;
1238 break;
1239 }
1240 }
1241 iterator->destroy(iterator);
1242 if (!found)
1243 { /* apply the new one, if we have no such policy */
1244 this->policies->insert_last(this->policies, policy);
1245 policy->refcount = 1;
1246 }
1247
1248 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1249 policy_dir_names, direction);
1250
1251 memset(&request, 0, sizeof(request));
1252 hdr = (struct nlmsghdr*)request;
1253 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1254 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1255 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1256
1257 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1258 policy_info->sel = policy->sel;
1259 policy_info->dir = policy->direction;
1260 /* calculate priority based on source selector size, small size = high prio */
1261 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1262 policy_info->priority -= policy->sel.prefixlen_s * 10;
1263 policy_info->priority -= policy->sel.proto ? 2 : 0;
1264 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1265 policy_info->action = XFRM_POLICY_ALLOW;
1266 policy_info->share = XFRM_SHARE_ANY;
1267 pthread_mutex_unlock(&this->mutex);
1268
1269 /* policies don't expire */
1270 policy_info->lft.soft_byte_limit = XFRM_INF;
1271 policy_info->lft.soft_packet_limit = XFRM_INF;
1272 policy_info->lft.hard_byte_limit = XFRM_INF;
1273 policy_info->lft.hard_packet_limit = XFRM_INF;
1274 policy_info->lft.soft_add_expires_seconds = 0;
1275 policy_info->lft.hard_add_expires_seconds = 0;
1276 policy_info->lft.soft_use_expires_seconds = 0;
1277 policy_info->lft.hard_use_expires_seconds = 0;
1278
1279 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1280 rthdr->rta_type = XFRMA_TMPL;
1281 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1282
1283 hdr->nlmsg_len += rthdr->rta_len;
1284 if (hdr->nlmsg_len > sizeof(request))
1285 {
1286 return FAILED;
1287 }
1288
1289 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1290
1291 if (ipcomp != IPCOMP_NONE)
1292 {
1293 tmpl->reqid = reqid;
1294 tmpl->id.proto = IPPROTO_COMP;
1295 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1296 tmpl->mode = mode;
1297 tmpl->optional = direction != POLICY_OUT;
1298 tmpl->family = src->get_family(src);
1299
1300 host2xfrm(src, &tmpl->saddr);
1301 host2xfrm(dst, &tmpl->id.daddr);
1302
1303 /* add an additional xfrm_user_tmpl */
1304 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1305 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1306 if (hdr->nlmsg_len > sizeof(request))
1307 {
1308 return FAILED;
1309 }
1310
1311 tmpl++;
1312 }
1313
1314 tmpl->reqid = reqid;
1315 tmpl->id.proto = proto_ike2kernel(protocol);
1316 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1317 tmpl->mode = mode;
1318 tmpl->family = src->get_family(src);
1319
1320 host2xfrm(src, &tmpl->saddr);
1321 host2xfrm(dst, &tmpl->id.daddr);
1322
1323 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1324 {
1325 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1326 policy_dir_names, direction);
1327 return FAILED;
1328 }
1329
1330 /* install a route, if:
1331 * - we are NOT updating a policy
1332 * - this is a forward policy (to just get one for each child)
1333 * - we are in tunnel mode
1334 * - we are not using IPv6 (does not work correctly yet!)
1335 * - routing is not disabled via strongswan.conf
1336 */
1337 if (policy->route == NULL && direction == POLICY_FWD &&
1338 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1339 this->install_routes)
1340 {
1341 route_entry_t *route = malloc_thing(route_entry_t);
1342
1343 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1344 dst_ts, &route->src_ip) == SUCCESS)
1345 {
1346 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1347 route->gateway = charon->kernel_interface->get_nexthop(
1348 charon->kernel_interface, src);
1349 route->if_name = charon->kernel_interface->get_interface(
1350 charon->kernel_interface, dst);
1351 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1352 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1353 route->prefixlen = policy->sel.prefixlen_s;
1354
1355 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1356 route->dst_net, route->prefixlen, route->gateway,
1357 route->src_ip, route->if_name))
1358 {
1359 default:
1360 DBG1(DBG_KNL, "unable to install source route for %H",
1361 route->src_ip);
1362 /* FALL */
1363 case ALREADY_DONE:
1364 /* route exists, do not uninstall */
1365 route_entry_destroy(route);
1366 break;
1367 case SUCCESS:
1368 /* cache the installed route */
1369 policy->route = route;
1370 break;
1371 }
1372 }
1373 else
1374 {
1375 free(route);
1376 }
1377 }
1378
1379 return SUCCESS;
1380 }
1381
1382 /**
1383 * Implementation of kernel_interface_t.query_policy.
1384 */
1385 static status_t query_policy(private_kernel_netlink_ipsec_t *this,
1386 traffic_selector_t *src_ts,
1387 traffic_selector_t *dst_ts,
1388 policy_dir_t direction, u_int32_t *use_time)
1389 {
1390 unsigned char request[NETLINK_BUFFER_SIZE];
1391 struct nlmsghdr *out = NULL, *hdr;
1392 struct xfrm_userpolicy_id *policy_id;
1393 struct xfrm_userpolicy_info *policy = NULL;
1394 size_t len;
1395
1396 memset(&request, 0, sizeof(request));
1397
1398 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1399 policy_dir_names, direction);
1400
1401 hdr = (struct nlmsghdr*)request;
1402 hdr->nlmsg_flags = NLM_F_REQUEST;
1403 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1404 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1405
1406 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1407 policy_id->sel = ts2selector(src_ts, dst_ts);
1408 policy_id->dir = direction;
1409
1410 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1411 {
1412 hdr = out;
1413 while (NLMSG_OK(hdr, len))
1414 {
1415 switch (hdr->nlmsg_type)
1416 {
1417 case XFRM_MSG_NEWPOLICY:
1418 {
1419 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1420 break;
1421 }
1422 case NLMSG_ERROR:
1423 {
1424 struct nlmsgerr *err = NLMSG_DATA(hdr);
1425 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1426 strerror(-err->error), -err->error);
1427 break;
1428 }
1429 default:
1430 hdr = NLMSG_NEXT(hdr, len);
1431 continue;
1432 case NLMSG_DONE:
1433 break;
1434 }
1435 break;
1436 }
1437 }
1438
1439 if (policy == NULL)
1440 {
1441 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1442 policy_dir_names, direction);
1443 free(out);
1444 return FAILED;
1445 }
1446 *use_time = (time_t)policy->curlft.use_time;
1447
1448 free(out);
1449 return SUCCESS;
1450 }
1451
1452 /**
1453 * Implementation of kernel_interface_t.del_policy.
1454 */
1455 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
1456 traffic_selector_t *src_ts,
1457 traffic_selector_t *dst_ts,
1458 policy_dir_t direction)
1459 {
1460 policy_entry_t *current, policy, *to_delete = NULL;
1461 route_entry_t *route;
1462 unsigned char request[NETLINK_BUFFER_SIZE];
1463 struct nlmsghdr *hdr;
1464 struct xfrm_userpolicy_id *policy_id;
1465 iterator_t *iterator;
1466
1467 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1468 policy_dir_names, direction);
1469
1470 /* create a policy */
1471 memset(&policy, 0, sizeof(policy_entry_t));
1472 policy.sel = ts2selector(src_ts, dst_ts);
1473 policy.direction = direction;
1474
1475 /* find the policy */
1476 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
1477 while (iterator->iterate(iterator, (void**)&current))
1478 {
1479 if (memeq(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) &&
1480 policy.direction == current->direction)
1481 {
1482 to_delete = current;
1483 if (--to_delete->refcount > 0)
1484 {
1485 /* is used by more SAs, keep in kernel */
1486 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1487 iterator->destroy(iterator);
1488 return SUCCESS;
1489 }
1490 /* remove if last reference */
1491 iterator->remove(iterator);
1492 break;
1493 }
1494 }
1495 iterator->destroy(iterator);
1496 if (!to_delete)
1497 {
1498 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1499 dst_ts, policy_dir_names, direction);
1500 return NOT_FOUND;
1501 }
1502
1503 memset(&request, 0, sizeof(request));
1504
1505 hdr = (struct nlmsghdr*)request;
1506 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1507 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1508 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1509
1510 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1511 policy_id->sel = to_delete->sel;
1512 policy_id->dir = direction;
1513
1514 route = to_delete->route;
1515 free(to_delete);
1516
1517 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1518 {
1519 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1520 policy_dir_names, direction);
1521 return FAILED;
1522 }
1523
1524 if (route)
1525 {
1526 if (charon->kernel_interface->del_route(charon->kernel_interface,
1527 route->dst_net, route->prefixlen, route->gateway,
1528 route->src_ip, route->if_name) != SUCCESS)
1529 {
1530 DBG1(DBG_KNL, "error uninstalling route installed with "
1531 "policy %R === %R %N", src_ts, dst_ts,
1532 policy_dir_names, direction);
1533 }
1534 route_entry_destroy(route);
1535 }
1536 return SUCCESS;
1537 }
1538
1539 /**
1540 * Implementation of kernel_interface_t.destroy.
1541 */
1542 static void destroy(private_kernel_netlink_ipsec_t *this)
1543 {
1544 this->job->cancel(this->job);
1545 close(this->socket_xfrm_events);
1546 this->socket_xfrm->destroy(this->socket_xfrm);
1547 this->policies->destroy(this->policies);
1548 free(this);
1549 }
1550
1551 /*
1552 * Described in header.
1553 */
1554 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
1555 {
1556 private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
1557 struct sockaddr_nl addr;
1558
1559 /* public functions */
1560 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1561 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1562 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
1563 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
1564 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1565 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
1566 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1567 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1568 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1569
1570 /* private members */
1571 this->policies = linked_list_create();
1572 pthread_mutex_init(&this->mutex, NULL);
1573 this->install_routes = lib->settings->get_bool(lib->settings,
1574 "charon.install_routes", TRUE);
1575
1576 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
1577
1578 memset(&addr, 0, sizeof(addr));
1579 addr.nl_family = AF_NETLINK;
1580
1581 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
1582 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1583 if (this->socket_xfrm_events <= 0)
1584 {
1585 charon->kill(charon, "unable to create XFRM event socket");
1586 }
1587 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) | XFRMNLGRP(MAPPING);
1588 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
1589 {
1590 charon->kill(charon, "unable to bind XFRM event socket");
1591 }
1592
1593 this->job = callback_job_create((callback_job_cb_t)receive_events,
1594 this, NULL, NULL);
1595 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1596
1597 return &this->public;
1598 }