userland support to process notifies for new NAT mappings detected in UDP encapsulation
[strongswan.git] / src / charon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 *
19 * $Id$
20 */
21
22 #include <sys/types.h>
23 #include <sys/socket.h>
24 #include <sys/time.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <netinet/in.h>
30 #include <pthread.h>
31 #include <unistd.h>
32 #include <errno.h>
33 #include <string.h>
34
35 #include "kernel_netlink_ipsec.h"
36 #include "kernel_netlink_shared.h"
37
38 #include <daemon.h>
39 #include <utils/linked_list.h>
40 #include <processing/jobs/callback_job.h>
41 #include <processing/jobs/acquire_job.h>
42 #include <processing/jobs/rekey_child_sa_job.h>
43 #include <processing/jobs/delete_child_sa_job.h>
44 #include <processing/jobs/update_sa_job.h>
45
46 /** required for Linux 2.6.26 kernel and later */
47 #ifndef XFRM_STATE_AF_UNSPEC
48 #define XFRM_STATE_AF_UNSPEC 32
49 #endif
50
51 /** default priority of installed policies */
52 #define PRIO_LOW 3000
53 #define PRIO_HIGH 2000
54
55 /**
56 * Create ORable bitfield of XFRM NL groups
57 */
58 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
59
60 /**
61 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
62 * 'usual' netlink data x like 'struct xfrm_usersa_info'
63 */
64 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
65 /**
66 * returns a pointer to the next rtattr following rta.
67 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
68 */
69 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
70 /**
71 * returns the total size of attached rta data
72 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
73 */
74 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
75
76 typedef struct kernel_algorithm_t kernel_algorithm_t;
77
78 /**
79 * Mapping from the algorithms defined in IKEv2 to
80 * kernel level algorithm names and their key length
81 */
82 struct kernel_algorithm_t {
83 /**
84 * Identifier specified in IKEv2
85 */
86 int ikev2_id;
87
88 /**
89 * Name of the algorithm, as used as kernel identifier
90 */
91 char *name;
92
93 /**
94 * Key length in bits, if fixed size
95 */
96 u_int key_size;
97 };
98
99 ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
100 "in",
101 "out",
102 "fwd"
103 );
104
105 #define END_OF_LIST -1
106
107 /**
108 * Algorithms for encryption
109 */
110 static kernel_algorithm_t encryption_algs[] = {
111 /* {ENCR_DES_IV64, "***", 0}, */
112 {ENCR_DES, "des", 64},
113 {ENCR_3DES, "des3_ede", 192},
114 /* {ENCR_RC5, "***", 0}, */
115 /* {ENCR_IDEA, "***", 0}, */
116 {ENCR_CAST, "cast128", 0},
117 {ENCR_BLOWFISH, "blowfish", 0},
118 /* {ENCR_3IDEA, "***", 0}, */
119 /* {ENCR_DES_IV32, "***", 0}, */
120 {ENCR_NULL, "cipher_null", 0},
121 {ENCR_AES_CBC, "aes", 0},
122 /* {ENCR_AES_CTR, "***", 0}, */
123 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))", 64}, /* key_size = ICV size */
124 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))", 96}, /* key_size = ICV size */
125 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))", 128}, /* key_size = ICV size */
126 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))", 64}, /* key_size = ICV size */
127 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))", 96}, /* key_size = ICV size */
128 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))", 128}, /* key_size = ICV size */
129 {END_OF_LIST, NULL, 0},
130 };
131
132 /**
133 * Algorithms for integrity protection
134 */
135 static kernel_algorithm_t integrity_algs[] = {
136 {AUTH_HMAC_MD5_96, "md5", 128},
137 {AUTH_HMAC_SHA1_96, "sha1", 160},
138 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
139 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
140 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
141 /* {AUTH_DES_MAC, "***", 0}, */
142 /* {AUTH_KPDK_MD5, "***", 0}, */
143 {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
144 {END_OF_LIST, NULL, 0},
145 };
146
147 /**
148 * Algorithms for IPComp
149 */
150 static kernel_algorithm_t compression_algs[] = {
151 /* {IPCOMP_OUI, "***", 0}, */
152 {IPCOMP_DEFLATE, "deflate", 0},
153 {IPCOMP_LZS, "lzs", 0},
154 {IPCOMP_LZJH, "lzjh", 0},
155 {END_OF_LIST, NULL, 0},
156 };
157
158 /**
159 * Look up a kernel algorithm name and its key size
160 */
161 static char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
162 u_int16_t ikev2_algo, u_int16_t *key_size)
163 {
164 while (kernel_algo->ikev2_id != END_OF_LIST)
165 {
166 if (ikev2_algo == kernel_algo->ikev2_id)
167 {
168 /* match, evaluate key length */
169 if (key_size && *key_size == 0)
170 { /* update key size if not set */
171 *key_size = kernel_algo->key_size;
172 }
173 return kernel_algo->name;
174 }
175 kernel_algo++;
176 }
177 return NULL;
178 }
179
180 typedef struct route_entry_t route_entry_t;
181
182 /**
183 * installed routing entry
184 */
185 struct route_entry_t {
186 /** Name of the interface the route is bound to */
187 char *if_name;
188
189 /** Source ip of the route */
190 host_t *src_ip;
191
192 /** gateway for this route */
193 host_t *gateway;
194
195 /** Destination net */
196 chunk_t dst_net;
197
198 /** Destination net prefixlen */
199 u_int8_t prefixlen;
200 };
201
202 /**
203 * destroy an route_entry_t object
204 */
205 static void route_entry_destroy(route_entry_t *this)
206 {
207 free(this->if_name);
208 this->src_ip->destroy(this->src_ip);
209 this->gateway->destroy(this->gateway);
210 chunk_free(&this->dst_net);
211 free(this);
212 }
213
214 typedef struct policy_entry_t policy_entry_t;
215
216 /**
217 * installed kernel policy.
218 */
219 struct policy_entry_t {
220
221 /** direction of this policy: in, out, forward */
222 u_int8_t direction;
223
224 /** reqid of the policy */
225 u_int32_t reqid;
226
227 /** parameters of installed policy */
228 struct xfrm_selector sel;
229
230 /** associated route installed for this policy */
231 route_entry_t *route;
232
233 /** by how many CHILD_SA's this policy is used */
234 u_int refcount;
235 };
236
237 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
238
239 /**
240 * Private variables and functions of kernel_netlink class.
241 */
242 struct private_kernel_netlink_ipsec_t {
243 /**
244 * Public part of the kernel_netlink_t object.
245 */
246 kernel_netlink_ipsec_t public;
247
248 /**
249 * mutex to lock access to various lists
250 */
251 pthread_mutex_t mutex;
252
253 /**
254 * List of installed policies (policy_entry_t)
255 */
256 linked_list_t *policies;
257
258 /**
259 * job receiving netlink events
260 */
261 callback_job_t *job;
262
263 /**
264 * Netlink xfrm socket (IPsec)
265 */
266 netlink_socket_t *socket_xfrm;
267
268 /**
269 * netlink xfrm socket to receive acquire and expire events
270 */
271 int socket_xfrm_events;
272
273 /**
274 * whether to install routes along policies
275 */
276 bool install_routes;
277 };
278
279 /**
280 * convert a IKEv2 specific protocol identifier to the kernel one
281 */
282 static u_int8_t proto_ike2kernel(protocol_id_t proto)
283 {
284 switch (proto)
285 {
286 case PROTO_ESP:
287 return IPPROTO_ESP;
288 case PROTO_AH:
289 return IPPROTO_AH;
290 default:
291 return proto;
292 }
293 }
294
295 /**
296 * reverse of ike2kernel
297 */
298 static protocol_id_t proto_kernel2ike(u_int8_t proto)
299 {
300 switch (proto)
301 {
302 case IPPROTO_ESP:
303 return PROTO_ESP;
304 case IPPROTO_AH:
305 return PROTO_AH;
306 default:
307 return proto;
308 }
309 }
310
311 /**
312 * convert a host_t to a struct xfrm_address
313 */
314 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
315 {
316 chunk_t chunk = host->get_address(host);
317 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
318 }
319
320 /**
321 * convert a struct xfrm_address to a host_t
322 */
323 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
324 {
325 chunk_t chunk;
326
327 switch (family)
328 {
329 case AF_INET:
330 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
331 break;
332 case AF_INET6:
333 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
334 break;
335 default:
336 return NULL;
337 }
338 return host_create_from_chunk(family, chunk, ntohs(port));
339 }
340
341 /**
342 * convert a traffic selector address range to subnet and its mask.
343 */
344 static void ts2subnet(traffic_selector_t* ts,
345 xfrm_address_t *net, u_int8_t *mask)
346 {
347 /* there is no way to do this cleanly, as the address range may
348 * be anything else but a subnet. We use from_addr as subnet
349 * and try to calculate a usable subnet mask.
350 */
351 int byte, bit;
352 bool found = FALSE;
353 chunk_t from, to;
354 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
355
356 from = ts->get_from_address(ts);
357 to = ts->get_to_address(ts);
358
359 *mask = (size * 8);
360 /* go trough all bits of the addresses, beginning in the front.
361 * as long as they are equal, the subnet gets larger
362 */
363 for (byte = 0; byte < size; byte++)
364 {
365 for (bit = 7; bit >= 0; bit--)
366 {
367 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
368 {
369 *mask = ((7 - bit) + (byte * 8));
370 found = TRUE;
371 break;
372 }
373 }
374 if (found)
375 {
376 break;
377 }
378 }
379 memcpy(net, from.ptr, from.len);
380 chunk_free(&from);
381 chunk_free(&to);
382 }
383
384 /**
385 * convert a traffic selector port range to port/portmask
386 */
387 static void ts2ports(traffic_selector_t* ts,
388 u_int16_t *port, u_int16_t *mask)
389 {
390 /* linux does not seem to accept complex portmasks. Only
391 * any or a specific port is allowed. We set to any, if we have
392 * a port range, or to a specific, if we have one port only.
393 */
394 u_int16_t from, to;
395
396 from = ts->get_from_port(ts);
397 to = ts->get_to_port(ts);
398
399 if (from == to)
400 {
401 *port = htons(from);
402 *mask = ~0;
403 }
404 else
405 {
406 *port = 0;
407 *mask = 0;
408 }
409 }
410
411 /**
412 * convert a pair of traffic_selectors to a xfrm_selector
413 */
414 static struct xfrm_selector ts2selector(traffic_selector_t *src,
415 traffic_selector_t *dst)
416 {
417 struct xfrm_selector sel;
418
419 memset(&sel, 0, sizeof(sel));
420 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
421 /* src or dest proto may be "any" (0), use more restrictive one */
422 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
423 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
424 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
425 ts2ports(dst, &sel.dport, &sel.dport_mask);
426 ts2ports(src, &sel.sport, &sel.sport_mask);
427 sel.ifindex = 0;
428 sel.user = 0;
429
430 return sel;
431 }
432
433
434 /**
435 * process a XFRM_MSG_ACQUIRE from kernel
436 */
437 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
438 {
439 u_int32_t reqid = 0;
440 int proto = 0;
441 job_t *job;
442 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
443 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
444
445 if (RTA_OK(rtattr, rtsize))
446 {
447 if (rtattr->rta_type == XFRMA_TMPL)
448 {
449 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
450 reqid = tmpl->reqid;
451 proto = tmpl->id.proto;
452 }
453 }
454 switch (proto)
455 {
456 case 0:
457 case IPPROTO_ESP:
458 case IPPROTO_AH:
459 break;
460 default:
461 /* acquire for AH/ESP only, not for IPCOMP */
462 return;
463 }
464 if (reqid == 0)
465 {
466 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
467 return;
468 }
469 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
470 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
471 job = (job_t*)acquire_job_create(reqid);
472 charon->processor->queue_job(charon->processor, job);
473 }
474
475 /**
476 * process a XFRM_MSG_EXPIRE from kernel
477 */
478 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
479 {
480 job_t *job;
481 protocol_id_t protocol;
482 u_int32_t spi, reqid;
483 struct xfrm_user_expire *expire;
484
485 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
486 protocol = proto_kernel2ike(expire->state.id.proto);
487 spi = expire->state.id.spi;
488 reqid = expire->state.reqid;
489
490 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
491
492 if (protocol != PROTO_ESP && protocol != PROTO_AH)
493 {
494 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%d} "
495 "which is not a CHILD_SA", ntohl(spi), reqid);
496 return;
497 }
498
499 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
500 expire->hard ? "delete" : "rekey", protocol_id_names,
501 protocol, ntohl(spi), reqid);
502 if (expire->hard)
503 {
504 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
505 }
506 else
507 {
508 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
509 }
510 charon->processor->queue_job(charon->processor, job);
511 }
512
513 /**
514 * process a XFRM_MSG_MAPPING from kernel
515 */
516 static void process_mapping(private_kernel_netlink_ipsec_t *this,
517 struct nlmsghdr *hdr)
518 {
519 job_t *job;
520 u_int32_t spi, reqid;
521 struct xfrm_user_mapping *mapping;
522 host_t *host;
523
524 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
525 spi = mapping->id.spi;
526 reqid = mapping->reqid;
527
528 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
529
530 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
531 {
532 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
533 mapping->new_sport);
534 if (host)
535 {
536 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
537 "reqid {%d} changed, queueing update job", ntohl(spi), reqid);
538 job = (job_t*)update_sa_job_create(reqid, host);
539 charon->processor->queue_job(charon->processor, job);
540 }
541 }
542 }
543
544 /**
545 * Receives events from kernel
546 */
547 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
548 {
549 char response[1024];
550 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
551 struct sockaddr_nl addr;
552 socklen_t addr_len = sizeof(addr);
553 int len, oldstate;
554
555 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
556 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
557 (struct sockaddr*)&addr, &addr_len);
558 pthread_setcancelstate(oldstate, NULL);
559
560 if (len < 0)
561 {
562 switch (errno)
563 {
564 case EINTR:
565 /* interrupted, try again */
566 return JOB_REQUEUE_DIRECT;
567 case EAGAIN:
568 /* no data ready, select again */
569 return JOB_REQUEUE_DIRECT;
570 default:
571 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
572 sleep(1);
573 return JOB_REQUEUE_FAIR;
574 }
575 }
576
577 if (addr.nl_pid != 0)
578 { /* not from kernel. not interested, try another one */
579 return JOB_REQUEUE_DIRECT;
580 }
581
582 while (NLMSG_OK(hdr, len))
583 {
584 switch (hdr->nlmsg_type)
585 {
586 case XFRM_MSG_ACQUIRE:
587 process_acquire(this, hdr);
588 break;
589 case XFRM_MSG_EXPIRE:
590 process_expire(this, hdr);
591 break;
592 case XFRM_MSG_MAPPING:
593 process_mapping(this, hdr);
594 break;
595 default:
596 break;
597 }
598 hdr = NLMSG_NEXT(hdr, len);
599 }
600 return JOB_REQUEUE_DIRECT;
601 }
602
603 /**
604 * Tries to find an ip address of a local interface that is included in the
605 * supplied traffic selector.
606 */
607 static status_t get_address_by_ts(private_kernel_netlink_ipsec_t *this,
608 traffic_selector_t *ts, host_t **ip)
609 {
610 enumerator_t *addrs;
611 host_t *host;
612 int family;
613 bool found = FALSE;
614
615 DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
616
617 /* if we have a family which includes localhost, we do not
618 * search for an IP, we use the default */
619 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
620
621 if (family == AF_INET)
622 {
623 host = host_create_from_string("127.0.0.1", 0);
624 }
625 else
626 {
627 host = host_create_from_string("::1", 0);
628 }
629
630 if (ts->includes(ts, host))
631 {
632 *ip = host_create_any(family);
633 host->destroy(host);
634 DBG2(DBG_KNL, "using host %H", *ip);
635 return SUCCESS;
636 }
637 host->destroy(host);
638
639 addrs = charon->kernel_interface->create_address_enumerator(
640 charon->kernel_interface, TRUE, TRUE);
641 while (addrs->enumerate(addrs, (void**)&host))
642 {
643 if (ts->includes(ts, host))
644 {
645 found = TRUE;
646 *ip = host->clone(host);
647 break;
648 }
649 }
650 addrs->destroy(addrs);
651
652 if (!found)
653 {
654 DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
655 return FAILED;
656 }
657 DBG2(DBG_KNL, "using host %H", *ip);
658 return SUCCESS;
659 }
660
661 /**
662 * Get an SPI for a specific protocol from the kernel.
663 */
664 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
665 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
666 u_int32_t reqid, u_int32_t *spi)
667 {
668 unsigned char request[NETLINK_BUFFER_SIZE];
669 struct nlmsghdr *hdr, *out;
670 struct xfrm_userspi_info *userspi;
671 u_int32_t received_spi = 0;
672 size_t len;
673
674 memset(&request, 0, sizeof(request));
675
676 hdr = (struct nlmsghdr*)request;
677 hdr->nlmsg_flags = NLM_F_REQUEST;
678 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
679 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
680
681 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
682 host2xfrm(src, &userspi->info.saddr);
683 host2xfrm(dst, &userspi->info.id.daddr);
684 userspi->info.id.proto = proto;
685 userspi->info.mode = TRUE; /* tunnel mode */
686 userspi->info.reqid = reqid;
687 userspi->info.family = src->get_family(src);
688 userspi->min = min;
689 userspi->max = max;
690
691 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
692 {
693 hdr = out;
694 while (NLMSG_OK(hdr, len))
695 {
696 switch (hdr->nlmsg_type)
697 {
698 case XFRM_MSG_NEWSA:
699 {
700 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
701 received_spi = usersa->id.spi;
702 break;
703 }
704 case NLMSG_ERROR:
705 {
706 struct nlmsgerr *err = NLMSG_DATA(hdr);
707
708 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
709 strerror(-err->error), -err->error);
710 break;
711 }
712 default:
713 hdr = NLMSG_NEXT(hdr, len);
714 continue;
715 case NLMSG_DONE:
716 break;
717 }
718 break;
719 }
720 free(out);
721 }
722
723 if (received_spi == 0)
724 {
725 return FAILED;
726 }
727
728 *spi = received_spi;
729 return SUCCESS;
730 }
731
732 /**
733 * Implementation of kernel_interface_t.get_spi.
734 */
735 static status_t get_spi(private_kernel_netlink_ipsec_t *this,
736 host_t *src, host_t *dst,
737 protocol_id_t protocol, u_int32_t reqid,
738 u_int32_t *spi)
739 {
740 DBG2(DBG_KNL, "getting SPI for reqid {%d}", reqid);
741
742 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
743 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
744 {
745 DBG1(DBG_KNL, "unable to get SPI for reqid {%d}", reqid);
746 return FAILED;
747 }
748
749 DBG2(DBG_KNL, "got SPI %.8x for reqid {%d}", ntohl(*spi), reqid);
750
751 return SUCCESS;
752 }
753
754 /**
755 * Implementation of kernel_interface_t.get_cpi.
756 */
757 static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
758 host_t *src, host_t *dst,
759 u_int32_t reqid, u_int16_t *cpi)
760 {
761 u_int32_t received_spi = 0;
762
763 DBG2(DBG_KNL, "getting CPI for reqid {%d}", reqid);
764
765 if (get_spi_internal(this, src, dst,
766 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
767 {
768 DBG1(DBG_KNL, "unable to get CPI for reqid {%d}", reqid);
769 return FAILED;
770 }
771
772 *cpi = htons((u_int16_t)ntohl(received_spi));
773
774 DBG2(DBG_KNL, "got CPI %.4x for reqid {%d}", ntohs(*cpi), reqid);
775
776 return SUCCESS;
777 }
778
779 /**
780 * Implementation of kernel_interface_t.add_sa.
781 */
782 static status_t add_sa(private_kernel_netlink_ipsec_t *this,
783 host_t *src, host_t *dst, u_int32_t spi,
784 protocol_id_t protocol, u_int32_t reqid,
785 u_int64_t expire_soft, u_int64_t expire_hard,
786 u_int16_t enc_alg, u_int16_t enc_size,
787 u_int16_t int_alg, u_int16_t int_size,
788 prf_plus_t *prf_plus, ipsec_mode_t mode,
789 u_int16_t ipcomp, bool encap,
790 bool replace)
791 {
792 unsigned char request[NETLINK_BUFFER_SIZE];
793 char *alg_name;
794 /* additional 4 octets KEYMAT required for AES-GCM as of RFC4106 8.1. */
795 u_int16_t add_keymat = 32;
796 struct nlmsghdr *hdr;
797 struct xfrm_usersa_info *sa;
798
799 memset(&request, 0, sizeof(request));
800
801 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
802
803 hdr = (struct nlmsghdr*)request;
804 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
805 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
806 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
807
808 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
809 host2xfrm(src, &sa->saddr);
810 host2xfrm(dst, &sa->id.daddr);
811 sa->id.spi = spi;
812 sa->id.proto = proto_ike2kernel(protocol);
813 sa->family = src->get_family(src);
814 sa->mode = mode;
815 if (mode == MODE_TUNNEL)
816 {
817 sa->flags |= XFRM_STATE_AF_UNSPEC;
818 }
819 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
820 sa->reqid = reqid;
821 /* we currently do not expire SAs by volume/packet count */
822 sa->lft.soft_byte_limit = XFRM_INF;
823 sa->lft.hard_byte_limit = XFRM_INF;
824 sa->lft.soft_packet_limit = XFRM_INF;
825 sa->lft.hard_packet_limit = XFRM_INF;
826 /* we use lifetimes since added, not since used */
827 sa->lft.soft_add_expires_seconds = expire_soft;
828 sa->lft.hard_add_expires_seconds = expire_hard;
829 sa->lft.soft_use_expires_seconds = 0;
830 sa->lft.hard_use_expires_seconds = 0;
831
832 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
833
834 switch (enc_alg)
835 {
836 case ENCR_UNDEFINED:
837 /* no encryption */
838 break;
839 case ENCR_AES_CCM_ICV8:
840 case ENCR_AES_CCM_ICV12:
841 case ENCR_AES_CCM_ICV16:
842 /* AES-CCM needs only 3 additional octets KEYMAT as of RFC 4309 7.1. */
843 add_keymat = 24;
844 /* fall-through */
845 case ENCR_AES_GCM_ICV8:
846 case ENCR_AES_GCM_ICV12:
847 case ENCR_AES_GCM_ICV16:
848 {
849 u_int16_t icv_size = 0;
850 rthdr->rta_type = XFRMA_ALG_AEAD;
851 alg_name = lookup_algorithm(encryption_algs, enc_alg, &icv_size);
852 if (alg_name == NULL)
853 {
854 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
855 encryption_algorithm_names, enc_alg);
856 return FAILED;
857 }
858 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
859 encryption_algorithm_names, enc_alg, enc_size);
860
861 /* additional KEYMAT required */
862 enc_size += add_keymat;
863
864 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_size / 8);
865 hdr->nlmsg_len += rthdr->rta_len;
866 if (hdr->nlmsg_len > sizeof(request))
867 {
868 return FAILED;
869 }
870
871 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
872 algo->alg_key_len = enc_size;
873 algo->alg_icv_len = icv_size;
874 strcpy(algo->alg_name, alg_name);
875 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
876
877 rthdr = XFRM_RTA_NEXT(rthdr);
878 break;
879 }
880 default:
881 {
882 rthdr->rta_type = XFRMA_ALG_CRYPT;
883 alg_name = lookup_algorithm(encryption_algs, enc_alg, &enc_size);
884 if (alg_name == NULL)
885 {
886 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
887 encryption_algorithm_names, enc_alg);
888 return FAILED;
889 }
890 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
891 encryption_algorithm_names, enc_alg, enc_size);
892
893 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_size / 8);
894 hdr->nlmsg_len += rthdr->rta_len;
895 if (hdr->nlmsg_len > sizeof(request))
896 {
897 return FAILED;
898 }
899
900 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
901 algo->alg_key_len = enc_size;
902 strcpy(algo->alg_name, alg_name);
903 prf_plus->get_bytes(prf_plus, enc_size / 8, algo->alg_key);
904
905 rthdr = XFRM_RTA_NEXT(rthdr);
906 break;
907 }
908 }
909
910 if (int_alg != AUTH_UNDEFINED)
911 {
912 rthdr->rta_type = XFRMA_ALG_AUTH;
913 alg_name = lookup_algorithm(integrity_algs, int_alg, &int_size);
914 if (alg_name == NULL)
915 {
916 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
917 integrity_algorithm_names, int_alg);
918 return FAILED;
919 }
920 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
921 integrity_algorithm_names, int_alg, int_size);
922
923 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_size / 8);
924 hdr->nlmsg_len += rthdr->rta_len;
925 if (hdr->nlmsg_len > sizeof(request))
926 {
927 return FAILED;
928 }
929
930 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
931 algo->alg_key_len = int_size;
932 strcpy(algo->alg_name, alg_name);
933 prf_plus->get_bytes(prf_plus, int_size / 8, algo->alg_key);
934
935 rthdr = XFRM_RTA_NEXT(rthdr);
936 }
937
938 if (ipcomp != IPCOMP_NONE)
939 {
940 rthdr->rta_type = XFRMA_ALG_COMP;
941 alg_name = lookup_algorithm(compression_algs, ipcomp, NULL);
942 if (alg_name == NULL)
943 {
944 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
945 ipcomp_transform_names, ipcomp);
946 return FAILED;
947 }
948 DBG2(DBG_KNL, " using compression algorithm %N",
949 ipcomp_transform_names, ipcomp);
950
951 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
952 hdr->nlmsg_len += rthdr->rta_len;
953 if (hdr->nlmsg_len > sizeof(request))
954 {
955 return FAILED;
956 }
957
958 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
959 algo->alg_key_len = 0;
960 strcpy(algo->alg_name, alg_name);
961
962 rthdr = XFRM_RTA_NEXT(rthdr);
963 }
964
965 if (encap)
966 {
967 rthdr->rta_type = XFRMA_ENCAP;
968 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
969
970 hdr->nlmsg_len += rthdr->rta_len;
971 if (hdr->nlmsg_len > sizeof(request))
972 {
973 return FAILED;
974 }
975
976 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
977 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
978 tmpl->encap_sport = htons(src->get_port(src));
979 tmpl->encap_dport = htons(dst->get_port(dst));
980 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
981 /* encap_oa could probably be derived from the
982 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
983 * pluto does the same as we do here but it uses encap_oa in the
984 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
985 * the kernel ignores it anyway
986 * -> does that mean that NAT-T encap doesn't work in transport mode?
987 * No. The reason the kernel ignores NAT-OA is that it recomputes
988 * (or, rather, just ignores) the checksum. If packets pass
989 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
990 rthdr = XFRM_RTA_NEXT(rthdr);
991 }
992
993 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
994 {
995 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
996 return FAILED;
997 }
998 return SUCCESS;
999 }
1000
1001 /**
1002 * Get the replay state (i.e. sequence numbers) of an SA.
1003 */
1004 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
1005 u_int32_t spi, protocol_id_t protocol, host_t *dst,
1006 struct xfrm_replay_state *replay)
1007 {
1008 unsigned char request[NETLINK_BUFFER_SIZE];
1009 struct nlmsghdr *hdr, *out = NULL;
1010 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1011 size_t len;
1012 struct rtattr *rta;
1013 size_t rtasize;
1014
1015 memset(&request, 0, sizeof(request));
1016
1017 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
1018
1019 hdr = (struct nlmsghdr*)request;
1020 hdr->nlmsg_flags = NLM_F_REQUEST;
1021 hdr->nlmsg_type = XFRM_MSG_GETAE;
1022 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1023
1024 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1025 aevent_id->flags = XFRM_AE_RVAL;
1026
1027 host2xfrm(dst, &aevent_id->sa_id.daddr);
1028 aevent_id->sa_id.spi = spi;
1029 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
1030 aevent_id->sa_id.family = dst->get_family(dst);
1031
1032 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1033 {
1034 hdr = out;
1035 while (NLMSG_OK(hdr, len))
1036 {
1037 switch (hdr->nlmsg_type)
1038 {
1039 case XFRM_MSG_NEWAE:
1040 {
1041 out_aevent = NLMSG_DATA(hdr);
1042 break;
1043 }
1044 case NLMSG_ERROR:
1045 {
1046 struct nlmsgerr *err = NLMSG_DATA(hdr);
1047 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
1048 strerror(-err->error), -err->error);
1049 break;
1050 }
1051 default:
1052 hdr = NLMSG_NEXT(hdr, len);
1053 continue;
1054 case NLMSG_DONE:
1055 break;
1056 }
1057 break;
1058 }
1059 }
1060
1061 if (out_aevent == NULL)
1062 {
1063 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1064 ntohl(spi));
1065 free(out);
1066 return FAILED;
1067 }
1068
1069 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1070 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1071 while(RTA_OK(rta, rtasize))
1072 {
1073 if (rta->rta_type == XFRMA_REPLAY_VAL)
1074 {
1075 memcpy(replay, RTA_DATA(rta), rta->rta_len);
1076 free(out);
1077 return SUCCESS;
1078 }
1079 rta = RTA_NEXT(rta, rtasize);
1080 }
1081
1082 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1083 ntohl(spi));
1084 free(out);
1085 return FAILED;
1086 }
1087
1088 /**
1089 * Implementation of kernel_interface_t.update_sa.
1090 */
1091 static status_t update_sa(private_kernel_netlink_ipsec_t *this,
1092 u_int32_t spi, protocol_id_t protocol,
1093 host_t *src, host_t *dst,
1094 host_t *new_src, host_t *new_dst, bool encap)
1095 {
1096 unsigned char request[NETLINK_BUFFER_SIZE], *pos;
1097 struct nlmsghdr *hdr, *out = NULL;
1098 struct xfrm_usersa_id *sa_id;
1099 struct xfrm_usersa_info *out_sa = NULL, *sa;
1100 size_t len;
1101 struct rtattr *rta;
1102 size_t rtasize;
1103 struct xfrm_encap_tmpl* tmpl = NULL;
1104 bool got_replay_state;
1105 struct xfrm_replay_state replay;
1106
1107 memset(&request, 0, sizeof(request));
1108
1109 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1110
1111 /* query the existing SA first */
1112 hdr = (struct nlmsghdr*)request;
1113 hdr->nlmsg_flags = NLM_F_REQUEST;
1114 hdr->nlmsg_type = XFRM_MSG_GETSA;
1115 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1116
1117 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1118 host2xfrm(dst, &sa_id->daddr);
1119 sa_id->spi = spi;
1120 sa_id->proto = proto_ike2kernel(protocol);
1121 sa_id->family = dst->get_family(dst);
1122
1123 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1124 {
1125 hdr = out;
1126 while (NLMSG_OK(hdr, len))
1127 {
1128 switch (hdr->nlmsg_type)
1129 {
1130 case XFRM_MSG_NEWSA:
1131 {
1132 out_sa = NLMSG_DATA(hdr);
1133 break;
1134 }
1135 case NLMSG_ERROR:
1136 {
1137 struct nlmsgerr *err = NLMSG_DATA(hdr);
1138 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1139 strerror(-err->error), -err->error);
1140 break;
1141 }
1142 default:
1143 hdr = NLMSG_NEXT(hdr, len);
1144 continue;
1145 case NLMSG_DONE:
1146 break;
1147 }
1148 break;
1149 }
1150 }
1151 if (out_sa == NULL)
1152 {
1153 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1154 free(out);
1155 return FAILED;
1156 }
1157
1158 /* try to get the replay state */
1159 got_replay_state = (get_replay_state(
1160 this, spi, protocol, dst, &replay) == SUCCESS);
1161
1162 /* delete the old SA */
1163 if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
1164 {
1165 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1166 free(out);
1167 return FAILED;
1168 }
1169
1170 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1171 ntohl(spi), src, dst, new_src, new_dst);
1172
1173 /* copy over the SA from out to request */
1174 hdr = (struct nlmsghdr*)request;
1175 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1176 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1177 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1178 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1179 sa = NLMSG_DATA(hdr);
1180 sa->family = new_dst->get_family(new_dst);
1181
1182 if (!src->ip_equals(src, new_src))
1183 {
1184 host2xfrm(new_src, &sa->saddr);
1185 }
1186 if (!dst->ip_equals(dst, new_dst))
1187 {
1188 host2xfrm(new_dst, &sa->id.daddr);
1189 }
1190
1191 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1192 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1193 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1194 while(RTA_OK(rta, rtasize))
1195 {
1196 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1197 if (rta->rta_type != XFRMA_ENCAP || encap)
1198 {
1199 if (rta->rta_type == XFRMA_ENCAP)
1200 { /* update encap tmpl */
1201 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1202 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1203 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1204 }
1205 memcpy(pos, rta, rta->rta_len);
1206 pos += RTA_ALIGN(rta->rta_len);
1207 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1208 }
1209 rta = RTA_NEXT(rta, rtasize);
1210 }
1211
1212 rta = (struct rtattr*)pos;
1213 if (tmpl == NULL && encap)
1214 { /* add tmpl if we are enabling it */
1215 rta->rta_type = XFRMA_ENCAP;
1216 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1217
1218 hdr->nlmsg_len += rta->rta_len;
1219 if (hdr->nlmsg_len > sizeof(request))
1220 {
1221 return FAILED;
1222 }
1223
1224 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1225 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1226 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1227 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1228 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1229
1230 rta = XFRM_RTA_NEXT(rta);
1231 }
1232
1233 if (got_replay_state)
1234 { /* copy the replay data if available */
1235 rta->rta_type = XFRMA_REPLAY_VAL;
1236 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1237
1238 hdr->nlmsg_len += rta->rta_len;
1239 if (hdr->nlmsg_len > sizeof(request))
1240 {
1241 return FAILED;
1242 }
1243 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1244
1245 rta = XFRM_RTA_NEXT(rta);
1246 }
1247
1248 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1249 {
1250 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1251 free(out);
1252 return FAILED;
1253 }
1254 free(out);
1255
1256 return SUCCESS;
1257 }
1258
1259 /**
1260 * Implementation of kernel_interface_t.query_sa.
1261 */
1262 static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
1263 u_int32_t spi, protocol_id_t protocol,
1264 u_int32_t *use_time)
1265 {
1266 unsigned char request[NETLINK_BUFFER_SIZE];
1267 struct nlmsghdr *out = NULL, *hdr;
1268 struct xfrm_usersa_id *sa_id;
1269 struct xfrm_usersa_info *sa = NULL;
1270 size_t len;
1271
1272 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1273 memset(&request, 0, sizeof(request));
1274
1275 hdr = (struct nlmsghdr*)request;
1276 hdr->nlmsg_flags = NLM_F_REQUEST;
1277 hdr->nlmsg_type = XFRM_MSG_GETSA;
1278 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1279
1280 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1281 host2xfrm(dst, &sa_id->daddr);
1282 sa_id->spi = spi;
1283 sa_id->proto = proto_ike2kernel(protocol);
1284 sa_id->family = dst->get_family(dst);
1285
1286 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1287 {
1288 hdr = out;
1289 while (NLMSG_OK(hdr, len))
1290 {
1291 switch (hdr->nlmsg_type)
1292 {
1293 case XFRM_MSG_NEWSA:
1294 {
1295 sa = NLMSG_DATA(hdr);
1296 break;
1297 }
1298 case NLMSG_ERROR:
1299 {
1300 struct nlmsgerr *err = NLMSG_DATA(hdr);
1301 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1302 strerror(-err->error), -err->error);
1303 break;
1304 }
1305 default:
1306 hdr = NLMSG_NEXT(hdr, len);
1307 continue;
1308 case NLMSG_DONE:
1309 break;
1310 }
1311 break;
1312 }
1313 }
1314
1315 if (sa == NULL)
1316 {
1317 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1318 free(out);
1319 return FAILED;
1320 }
1321
1322 *use_time = sa->curlft.use_time;
1323 free (out);
1324 return SUCCESS;
1325 }
1326
1327 /**
1328 * Implementation of kernel_interface_t.del_sa.
1329 */
1330 static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
1331 u_int32_t spi, protocol_id_t protocol)
1332 {
1333 unsigned char request[NETLINK_BUFFER_SIZE];
1334 struct nlmsghdr *hdr;
1335 struct xfrm_usersa_id *sa_id;
1336
1337 memset(&request, 0, sizeof(request));
1338
1339 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1340
1341 hdr = (struct nlmsghdr*)request;
1342 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1343 hdr->nlmsg_type = XFRM_MSG_DELSA;
1344 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1345
1346 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1347 host2xfrm(dst, &sa_id->daddr);
1348 sa_id->spi = spi;
1349 sa_id->proto = proto_ike2kernel(protocol);
1350 sa_id->family = dst->get_family(dst);
1351
1352 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1353 {
1354 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1355 return FAILED;
1356 }
1357 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1358 return SUCCESS;
1359 }
1360
1361 /**
1362 * Implementation of kernel_interface_t.add_policy.
1363 */
1364 static status_t add_policy(private_kernel_netlink_ipsec_t *this,
1365 host_t *src, host_t *dst,
1366 traffic_selector_t *src_ts,
1367 traffic_selector_t *dst_ts,
1368 policy_dir_t direction, protocol_id_t protocol,
1369 u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
1370 u_int16_t ipcomp)
1371 {
1372 iterator_t *iterator;
1373 policy_entry_t *current, *policy;
1374 bool found = FALSE;
1375 unsigned char request[NETLINK_BUFFER_SIZE];
1376 struct xfrm_userpolicy_info *policy_info;
1377 struct nlmsghdr *hdr;
1378
1379 /* create a policy */
1380 policy = malloc_thing(policy_entry_t);
1381 memset(policy, 0, sizeof(policy_entry_t));
1382 policy->sel = ts2selector(src_ts, dst_ts);
1383 policy->direction = direction;
1384
1385 /* find the policy, which matches EXACTLY */
1386 pthread_mutex_lock(&this->mutex);
1387 iterator = this->policies->create_iterator(this->policies, TRUE);
1388 while (iterator->iterate(iterator, (void**)&current))
1389 {
1390 if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
1391 policy->direction == current->direction)
1392 {
1393 /* use existing policy */
1394 current->refcount++;
1395 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1396 "refcount", src_ts, dst_ts,
1397 policy_dir_names, direction);
1398 free(policy);
1399 policy = current;
1400 found = TRUE;
1401 break;
1402 }
1403 }
1404 iterator->destroy(iterator);
1405 if (!found)
1406 { /* apply the new one, if we have no such policy */
1407 this->policies->insert_last(this->policies, policy);
1408 policy->refcount = 1;
1409 }
1410
1411 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1412 policy_dir_names, direction);
1413
1414 memset(&request, 0, sizeof(request));
1415 hdr = (struct nlmsghdr*)request;
1416 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1417 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1418 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1419
1420 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1421 policy_info->sel = policy->sel;
1422 policy_info->dir = policy->direction;
1423 /* calculate priority based on source selector size, small size = high prio */
1424 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1425 policy_info->priority -= policy->sel.prefixlen_s * 10;
1426 policy_info->priority -= policy->sel.proto ? 2 : 0;
1427 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1428 policy_info->action = XFRM_POLICY_ALLOW;
1429 policy_info->share = XFRM_SHARE_ANY;
1430 pthread_mutex_unlock(&this->mutex);
1431
1432 /* policies don't expire */
1433 policy_info->lft.soft_byte_limit = XFRM_INF;
1434 policy_info->lft.soft_packet_limit = XFRM_INF;
1435 policy_info->lft.hard_byte_limit = XFRM_INF;
1436 policy_info->lft.hard_packet_limit = XFRM_INF;
1437 policy_info->lft.soft_add_expires_seconds = 0;
1438 policy_info->lft.hard_add_expires_seconds = 0;
1439 policy_info->lft.soft_use_expires_seconds = 0;
1440 policy_info->lft.hard_use_expires_seconds = 0;
1441
1442 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1443 rthdr->rta_type = XFRMA_TMPL;
1444 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1445
1446 hdr->nlmsg_len += rthdr->rta_len;
1447 if (hdr->nlmsg_len > sizeof(request))
1448 {
1449 return FAILED;
1450 }
1451
1452 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1453
1454 if (ipcomp != IPCOMP_NONE)
1455 {
1456 tmpl->reqid = reqid;
1457 tmpl->id.proto = IPPROTO_COMP;
1458 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1459 tmpl->mode = mode;
1460 tmpl->optional = direction != POLICY_OUT;
1461 tmpl->family = src->get_family(src);
1462
1463 host2xfrm(src, &tmpl->saddr);
1464 host2xfrm(dst, &tmpl->id.daddr);
1465
1466 /* add an additional xfrm_user_tmpl */
1467 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1468 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1469 if (hdr->nlmsg_len > sizeof(request))
1470 {
1471 return FAILED;
1472 }
1473
1474 tmpl++;
1475 }
1476
1477 tmpl->reqid = reqid;
1478 tmpl->id.proto = proto_ike2kernel(protocol);
1479 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1480 tmpl->mode = mode;
1481 tmpl->family = src->get_family(src);
1482
1483 host2xfrm(src, &tmpl->saddr);
1484 host2xfrm(dst, &tmpl->id.daddr);
1485
1486 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1487 {
1488 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1489 policy_dir_names, direction);
1490 return FAILED;
1491 }
1492
1493 /* install a route, if:
1494 * - we are NOT updating a policy
1495 * - this is a forward policy (to just get one for each child)
1496 * - we are in tunnel mode
1497 * - we are not using IPv6 (does not work correctly yet!)
1498 * - routing is not disabled via strongswan.conf
1499 */
1500 if (policy->route == NULL && direction == POLICY_FWD &&
1501 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1502 this->install_routes)
1503 {
1504 route_entry_t *route = malloc_thing(route_entry_t);
1505
1506 if (get_address_by_ts(this, dst_ts, &route->src_ip) == SUCCESS)
1507 {
1508 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1509 route->gateway = charon->kernel_interface->get_nexthop(
1510 charon->kernel_interface, src);
1511 route->if_name = charon->kernel_interface->get_interface(
1512 charon->kernel_interface, dst);
1513 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1514 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1515 route->prefixlen = policy->sel.prefixlen_s;
1516
1517 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1518 route->dst_net, route->prefixlen, route->gateway,
1519 route->src_ip, route->if_name))
1520 {
1521 default:
1522 DBG1(DBG_KNL, "unable to install source route for %H",
1523 route->src_ip);
1524 /* FALL */
1525 case ALREADY_DONE:
1526 /* route exists, do not uninstall */
1527 route_entry_destroy(route);
1528 break;
1529 case SUCCESS:
1530 /* cache the installed route */
1531 policy->route = route;
1532 break;
1533 }
1534 }
1535 else
1536 {
1537 free(route);
1538 }
1539 }
1540
1541 return SUCCESS;
1542 }
1543
1544 /**
1545 * Implementation of kernel_interface_t.query_policy.
1546 */
1547 static status_t query_policy(private_kernel_netlink_ipsec_t *this,
1548 traffic_selector_t *src_ts,
1549 traffic_selector_t *dst_ts,
1550 policy_dir_t direction, u_int32_t *use_time)
1551 {
1552 unsigned char request[NETLINK_BUFFER_SIZE];
1553 struct nlmsghdr *out = NULL, *hdr;
1554 struct xfrm_userpolicy_id *policy_id;
1555 struct xfrm_userpolicy_info *policy = NULL;
1556 size_t len;
1557
1558 memset(&request, 0, sizeof(request));
1559
1560 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1561 policy_dir_names, direction);
1562
1563 hdr = (struct nlmsghdr*)request;
1564 hdr->nlmsg_flags = NLM_F_REQUEST;
1565 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1566 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1567
1568 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1569 policy_id->sel = ts2selector(src_ts, dst_ts);
1570 policy_id->dir = direction;
1571
1572 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1573 {
1574 hdr = out;
1575 while (NLMSG_OK(hdr, len))
1576 {
1577 switch (hdr->nlmsg_type)
1578 {
1579 case XFRM_MSG_NEWPOLICY:
1580 {
1581 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1582 break;
1583 }
1584 case NLMSG_ERROR:
1585 {
1586 struct nlmsgerr *err = NLMSG_DATA(hdr);
1587 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1588 strerror(-err->error), -err->error);
1589 break;
1590 }
1591 default:
1592 hdr = NLMSG_NEXT(hdr, len);
1593 continue;
1594 case NLMSG_DONE:
1595 break;
1596 }
1597 break;
1598 }
1599 }
1600
1601 if (policy == NULL)
1602 {
1603 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1604 policy_dir_names, direction);
1605 free(out);
1606 return FAILED;
1607 }
1608 *use_time = (time_t)policy->curlft.use_time;
1609
1610 free(out);
1611 return SUCCESS;
1612 }
1613
1614 /**
1615 * Implementation of kernel_interface_t.del_policy.
1616 */
1617 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
1618 traffic_selector_t *src_ts,
1619 traffic_selector_t *dst_ts,
1620 policy_dir_t direction)
1621 {
1622 policy_entry_t *current, policy, *to_delete = NULL;
1623 route_entry_t *route;
1624 unsigned char request[NETLINK_BUFFER_SIZE];
1625 struct nlmsghdr *hdr;
1626 struct xfrm_userpolicy_id *policy_id;
1627 iterator_t *iterator;
1628
1629 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1630 policy_dir_names, direction);
1631
1632 /* create a policy */
1633 memset(&policy, 0, sizeof(policy_entry_t));
1634 policy.sel = ts2selector(src_ts, dst_ts);
1635 policy.direction = direction;
1636
1637 /* find the policy */
1638 iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
1639 while (iterator->iterate(iterator, (void**)&current))
1640 {
1641 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
1642 policy.direction == current->direction)
1643 {
1644 to_delete = current;
1645 if (--to_delete->refcount > 0)
1646 {
1647 /* is used by more SAs, keep in kernel */
1648 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1649 iterator->destroy(iterator);
1650 return SUCCESS;
1651 }
1652 /* remove if last reference */
1653 iterator->remove(iterator);
1654 break;
1655 }
1656 }
1657 iterator->destroy(iterator);
1658 if (!to_delete)
1659 {
1660 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1661 dst_ts, policy_dir_names, direction);
1662 return NOT_FOUND;
1663 }
1664
1665 memset(&request, 0, sizeof(request));
1666
1667 hdr = (struct nlmsghdr*)request;
1668 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1669 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1670 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1671
1672 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1673 policy_id->sel = to_delete->sel;
1674 policy_id->dir = direction;
1675
1676 route = to_delete->route;
1677 free(to_delete);
1678
1679 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1680 {
1681 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1682 policy_dir_names, direction);
1683 return FAILED;
1684 }
1685
1686 if (route)
1687 {
1688 if (charon->kernel_interface->del_route(charon->kernel_interface,
1689 route->dst_net, route->prefixlen, route->gateway,
1690 route->src_ip, route->if_name) != SUCCESS)
1691 {
1692 DBG1(DBG_KNL, "error uninstalling route installed with "
1693 "policy %R === %R %N", src_ts, dst_ts,
1694 policy_dir_names, direction);
1695 }
1696 route_entry_destroy(route);
1697 }
1698 return SUCCESS;
1699 }
1700
1701 /**
1702 * Implementation of kernel_interface_t.destroy.
1703 */
1704 static void destroy(private_kernel_netlink_ipsec_t *this)
1705 {
1706 this->job->cancel(this->job);
1707 close(this->socket_xfrm_events);
1708 this->socket_xfrm->destroy(this->socket_xfrm);
1709 this->policies->destroy(this->policies);
1710 free(this);
1711 }
1712
1713 /*
1714 * Described in header.
1715 */
1716 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
1717 {
1718 private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
1719 struct sockaddr_nl addr;
1720
1721 /* public functions */
1722 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1723 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1724 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
1725 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
1726 this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
1727 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1728 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
1729 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1730 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1731 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1732
1733 /* private members */
1734 this->policies = linked_list_create();
1735 pthread_mutex_init(&this->mutex, NULL);
1736 this->install_routes = lib->settings->get_bool(lib->settings,
1737 "charon.install_routes", TRUE);
1738
1739 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
1740
1741 memset(&addr, 0, sizeof(addr));
1742 addr.nl_family = AF_NETLINK;
1743
1744 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
1745 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1746 if (this->socket_xfrm_events <= 0)
1747 {
1748 charon->kill(charon, "unable to create XFRM event socket");
1749 }
1750 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) | XFRMNLGRP(MAPPING);
1751 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
1752 {
1753 charon->kill(charon, "unable to bind XFRM event socket");
1754 }
1755
1756 this->job = callback_job_create((callback_job_cb_t)receive_events,
1757 this, NULL, NULL);
1758 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1759
1760 return &this->public;
1761 }