refactored kernel interface, works reliable again
[strongswan.git] / src / charon / threads / kernel_interface.c
1 /**
2 * @file kernel_interface.c
3 *
4 * @brief Implementation of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006 Daniel Roethlisberger
12 * Copyright (C) 2005-2006 Martin Willi
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
16 *
17 * Contains modified parts from pluto.
18 *
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
23 *
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 * for more details.
28 */
29
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <linux/netlink.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/xfrm.h>
35 #include <linux/udp.h>
36 #include <pthread.h>
37 #include <unistd.h>
38 #include <fcntl.h>
39 #include <errno.h>
40 #include <string.h>
41 #include <net/if.h>
42 #include <sys/ioctl.h>
43 #include <ifaddrs.h>
44
45 #include "kernel_interface.h"
46
47 #include <daemon.h>
48 #include <utils/linked_list.h>
49 #include <queues/jobs/delete_child_sa_job.h>
50 #include <queues/jobs/rekey_child_sa_job.h>
51 #include <queues/jobs/acquire_job.h>
52
53 /** kernel level protocol identifiers */
54 #define KERNEL_ESP 50
55 #define KERNEL_AH 51
56
57 /** default priority of installed policies */
58 #define PRIO_LOW 3000
59 #define PRIO_HIGH 2000
60
61 #define BUFFER_SIZE 1024
62
63 /**
64 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
65 * 'usual' netlink data x like 'struct xfrm_usersa_info'
66 */
67 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
68 /**
69 * returns a pointer to the next rtattr following rta.
70 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
71 */
72 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
73 /**
74 * returns the total size of attached rta data
75 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
76 */
77 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
78
79 typedef struct kernel_algorithm_t kernel_algorithm_t;
80
81 /**
82 * Mapping from the algorithms defined in IKEv2 to
83 * kernel level algorithm names and their key length
84 */
85 struct kernel_algorithm_t {
86 /**
87 * Identifier specified in IKEv2
88 */
89 int ikev2_id;
90
91 /**
92 * Name of the algorithm, as used as kernel identifier
93 */
94 char *name;
95
96 /**
97 * Key length in bits, if fixed size
98 */
99 u_int key_size;
100 };
101 #define END_OF_LIST -1
102
103 /**
104 * Algorithms for encryption
105 */
106 kernel_algorithm_t encryption_algs[] = {
107 /* {ENCR_DES_IV64, "***", 0}, */
108 {ENCR_DES, "des", 64},
109 {ENCR_3DES, "des3_ede", 192},
110 /* {ENCR_RC5, "***", 0}, */
111 /* {ENCR_IDEA, "***", 0}, */
112 {ENCR_CAST, "cast128", 0},
113 {ENCR_BLOWFISH, "blowfish", 0},
114 /* {ENCR_3IDEA, "***", 0}, */
115 /* {ENCR_DES_IV32, "***", 0}, */
116 {ENCR_NULL, "cipher_null", 0},
117 {ENCR_AES_CBC, "aes", 0},
118 /* {ENCR_AES_CTR, "***", 0}, */
119 {END_OF_LIST, NULL, 0},
120 };
121
122 /**
123 * Algorithms for integrity protection
124 */
125 kernel_algorithm_t integrity_algs[] = {
126 {AUTH_HMAC_MD5_96, "md5", 128},
127 {AUTH_HMAC_SHA1_96, "sha1", 160},
128 /* {AUTH_DES_MAC, "***", 0}, */
129 /* {AUTH_KPDK_MD5, "***", 0}, */
130 /* {AUTH_AES_XCBC_96, "***", 0}, */
131 {END_OF_LIST, NULL, 0},
132 };
133
134 /**
135 * Look up a kernel algorithm name and its key size
136 */
137 char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
138 algorithm_t *ikev2_algo, u_int *key_size)
139 {
140 while (kernel_algo->ikev2_id != END_OF_LIST)
141 {
142 if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
143 {
144 /* match, evaluate key length */
145 if (ikev2_algo->key_size)
146 { /* variable length */
147 *key_size = ikev2_algo->key_size;
148 }
149 else
150 { /* fixed length */
151 *key_size = kernel_algo->key_size;
152 }
153 return kernel_algo->name;
154 }
155 kernel_algo++;
156 }
157 return NULL;
158 }
159
160 typedef struct route_entry_t route_entry_t;
161
162 /**
163 * installed routing entry
164 */
165 struct route_entry_t {
166
167 /** Index of the interface the route is bound to */
168 int if_index;
169
170 /** Source ip of the route */
171 host_t *src_ip;
172
173 /** Destination net */
174 chunk_t dst_net;
175
176 /** Destination net prefixlen */
177 u_int8_t prefixlen;
178 };
179
180 /**
181 * destroy an route_entry_t object
182 */
183 static void route_entry_destroy(route_entry_t *this)
184 {
185 this->src_ip->destroy(this->src_ip);
186 chunk_free(&this->dst_net);
187 free(this);
188 }
189
190 typedef struct policy_entry_t policy_entry_t;
191
192 /**
193 * installed kernel policy.
194 */
195 struct policy_entry_t {
196
197 /** direction of this policy: in, out, forward */
198 u_int8_t direction;
199
200 /** reqid of the policy */
201 u_int32_t reqid;
202
203 /** parameters of installed policy */
204 struct xfrm_selector sel;
205
206 /** associated route installed for this policy */
207 route_entry_t *route;
208
209 /** by how many CHILD_SA's this policy is used */
210 u_int refcount;
211 };
212
213 typedef struct vip_entry_t vip_entry_t;
214
215 /**
216 * Installed virtual ip
217 */
218 struct vip_entry_t {
219 /** Index of the interface the ip is bound to */
220 u_int8_t if_index;
221
222 /** The ip address */
223 host_t *ip;
224
225 /** Number of times this IP is used */
226 u_int refcount;
227 };
228
229 /**
230 * destroy a vip_entry_t object
231 */
232 static void vip_entry_destroy(vip_entry_t *this)
233 {
234 this->ip->destroy(this->ip);
235 free(this);
236 }
237
238 typedef struct private_kernel_interface_t private_kernel_interface_t;
239
240 /**
241 * Private variables and functions of kernel_interface class.
242 */
243 struct private_kernel_interface_t {
244 /**
245 * Public part of the kernel_interface_t object.
246 */
247 kernel_interface_t public;
248
249 /**
250 * List of installed policies (kernel_entry_t)
251 */
252 linked_list_t *policies;
253
254 /**
255 * Mutex locks access to policies
256 */
257 pthread_mutex_t policies_mutex;
258
259 /**
260 * List of installed virtual IPs. (vip_entry_t)
261 */
262 linked_list_t *vips;
263
264 /**
265 * Mutex to lock access to vips.
266 */
267 pthread_mutex_t vips_mutex;
268
269 /**
270 * netlink xfrm socket to receive acquire and expire events
271 */
272 int socket_xfrm_events;
273
274 /**
275 * Netlink xfrm socket (IPsec)
276 */
277 int socket_xfrm;
278
279 /**
280 * Netlink rt socket (routing)
281 */
282 int socket_rt;
283
284 /**
285 * Thread receiving events from kernel
286 */
287 pthread_t event_thread;
288 };
289
290 /**
291 * convert a host_t to a struct xfrm_address
292 */
293 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
294 {
295 chunk_t chunk = host->get_address(host);
296 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
297 }
298
299 /**
300 * convert a traffic selector address range to subnet and its mask.
301 */
302 static void ts2subnet(traffic_selector_t* ts,
303 xfrm_address_t *net, u_int8_t *mask)
304 {
305 /* there is no way to do this cleanly, as the address range may
306 * be anything else but a subnet. We use from_addr as subnet
307 * and try to calculate a usable subnet mask.
308 */
309 int byte, bit;
310 bool found = FALSE;
311 chunk_t from, to;
312 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
313
314 from = ts->get_from_address(ts);
315 to = ts->get_to_address(ts);
316
317 *mask = (size * 8);
318 /* go trough all bits of the addresses, beginning in the front.
319 * as long as they are equal, the subnet gets larger
320 */
321 for (byte = 0; byte < size; byte++)
322 {
323 for (bit = 7; bit >= 0; bit--)
324 {
325 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
326 {
327 *mask = ((7 - bit) + (byte * 8));
328 found = TRUE;
329 break;
330 }
331 }
332 if (found)
333 {
334 break;
335 }
336 }
337 memcpy(net, from.ptr, from.len);
338 chunk_free(&from);
339 chunk_free(&to);
340 }
341
342 /**
343 * convert a traffic selector port range to port/portmask
344 */
345 static void ts2ports(traffic_selector_t* ts,
346 u_int16_t *port, u_int16_t *mask)
347 {
348 /* linux does not seem to accept complex portmasks. Only
349 * any or a specific port is allowed. We set to any, if we have
350 * a port range, or to a specific, if we have one port only.
351 */
352 u_int16_t from, to;
353
354 from = ts->get_from_port(ts);
355 to = ts->get_to_port(ts);
356
357 if (from == to)
358 {
359 *port = htons(from);
360 *mask = ~0;
361 }
362 else
363 {
364 *port = 0;
365 *mask = 0;
366 }
367 }
368
369 /**
370 * convert a pair of traffic_selectors to a xfrm_selector
371 */
372 static struct xfrm_selector ts2selector(traffic_selector_t *src,
373 traffic_selector_t *dst)
374 {
375 struct xfrm_selector sel;
376
377 memset(&sel, 0, sizeof(sel));
378 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
379 /* src or dest proto may be "any" (0), use more restrictive one */
380 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
381 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
382 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
383 ts2ports(dst, &sel.dport, &sel.dport_mask);
384 ts2ports(src, &sel.sport, &sel.sport_mask);
385 sel.ifindex = 0;
386 sel.user = 0;
387
388 return sel;
389 }
390
391 /**
392 * Creates an rtattr and adds it to the netlink message
393 */
394 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
395 size_t buflen)
396 {
397 struct rtattr *rta;
398
399 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
400 {
401 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
402 return;
403 }
404
405 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
406 rta->rta_type = rta_type;
407 rta->rta_len = RTA_LENGTH(data.len);
408 memcpy(RTA_DATA(rta), data.ptr, data.len);
409 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
410 }
411
412 /**
413 * Receives events from kernel
414 */
415 static void receive_events(private_kernel_interface_t *this)
416 {
417 while(TRUE)
418 {
419 unsigned char response[512];
420 struct nlmsghdr *hdr;
421 struct sockaddr_nl addr;
422 socklen_t addr_len;
423 int len;
424
425 hdr = (struct nlmsghdr*)response;
426 len = recvfrom(this->socket_xfrm_events, response, sizeof(response),
427 0, (struct sockaddr*)&addr, &addr_len);
428 if (len < 0)
429 {
430 if (errno == EINTR)
431 {
432 /* interrupted, try again */
433 continue;
434 }
435 charon->kill(charon, "unable to receive netlink events");
436 }
437
438 if (!NLMSG_OK(hdr, len))
439 {
440 /* bad netlink message */
441 continue;
442 }
443
444 if (addr.nl_pid != 0)
445 {
446 /* not from kernel. not interested, try another one */
447 continue;
448 }
449
450 /* we handle ACQUIRE and EXPIRE messages directly */
451 if (hdr->nlmsg_type == XFRM_MSG_ACQUIRE)
452 {
453 u_int32_t reqid = 0;
454 job_t *job;
455 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
456 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
457 if (RTA_OK(rtattr, rtsize))
458 {
459 if (rtattr->rta_type == XFRMA_TMPL)
460 {
461 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
462 reqid = tmpl->reqid;
463 }
464 }
465 if (reqid == 0)
466 {
467 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
468 }
469 else
470 {
471 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
472 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d",
473 reqid);
474 job = (job_t*)acquire_job_create(reqid);
475 charon->job_queue->add(charon->job_queue, job);
476 }
477 }
478 else if (hdr->nlmsg_type == XFRM_MSG_EXPIRE)
479 {
480 job_t *job;
481 protocol_id_t protocol;
482 u_int32_t spi, reqid;
483 struct xfrm_user_expire *expire;
484
485 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
486 protocol = expire->state.id.proto == KERNEL_ESP ?
487 PROTO_ESP : PROTO_AH;
488 spi = expire->state.id.spi;
489 reqid = expire->state.reqid;
490
491 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
492 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
493 expire->hard ? "delete" : "rekey", protocol_id_names,
494 protocol, ntohl(spi), reqid);
495 if (expire->hard)
496 {
497 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
498 }
499 else
500 {
501 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
502 }
503 charon->job_queue->add(charon->job_queue, job);
504 }
505 }
506 }
507
508 /**
509 * send a netlink message and wait for a reply
510 */
511 static status_t netlink_send(int socket, struct nlmsghdr *in,
512 struct nlmsghdr **out, size_t *out_len)
513 {
514 int len, addr_len;
515 struct sockaddr_nl addr;
516 chunk_t result = chunk_empty, tmp;
517 struct nlmsghdr *msg, peek;
518
519 static int seq = 200;
520 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
521
522
523 pthread_mutex_lock(&mutex);
524
525 in->nlmsg_seq = ++seq;
526 in->nlmsg_pid = getpid();
527
528 memset(&addr, 0, sizeof(addr));
529 addr.nl_family = AF_NETLINK;
530 addr.nl_pid = 0;
531 addr.nl_groups = 0;
532
533 while (TRUE)
534 {
535 len = sendto(socket, in, in->nlmsg_len, 0,
536 (struct sockaddr*)&addr, sizeof(addr));
537
538 if (len != in->nlmsg_len)
539 {
540 if (errno == EINTR)
541 {
542 /* interrupted, try again */
543 continue;
544 }
545 pthread_mutex_unlock(&mutex);
546 DBG1(DBG_KNL, "error sending to netlink socket: %m");
547 return FAILED;
548 }
549 break;
550 }
551
552 while (TRUE)
553 {
554 char buf[1024];
555 tmp.len = sizeof(buf);
556 tmp.ptr = buf;
557 msg = (struct nlmsghdr*)tmp.ptr;
558
559 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
560 (struct sockaddr*)&addr, &addr_len);
561
562 if (len < 0)
563 {
564 if (errno == EINTR)
565 {
566 DBG1(DBG_IKE, "got interrupted");
567 /* interrupted, try again */
568 continue;
569 }
570 DBG1(DBG_IKE, "error reading from netlink socket: %m");
571 pthread_mutex_unlock(&mutex);
572 return FAILED;
573 }
574 if (!NLMSG_OK(msg, len))
575 {
576 DBG1(DBG_IKE, "received corrupted netlink message");
577 pthread_mutex_unlock(&mutex);
578 return FAILED;
579 }
580 if (msg->nlmsg_seq != seq)
581 {
582 DBG1(DBG_IKE, "received invalid netlink sequence number");
583 if (msg->nlmsg_seq < seq)
584 {
585 continue;
586 }
587 pthread_mutex_unlock(&mutex);
588 return FAILED;
589 }
590
591 tmp.len = len;
592 result = chunk_cata("cc", result, tmp);
593
594 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
595 * numbers to detect multi header messages */
596 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
597 (struct sockaddr*)&addr, &addr_len);
598
599 if (len == sizeof(peek) && peek.nlmsg_seq == seq)
600 {
601 /* seems to be multipart */
602 continue;
603 }
604 break;
605 }
606
607 *out_len = result.len;
608 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
609
610 pthread_mutex_unlock(&mutex);
611
612 return SUCCESS;
613 }
614
615 /**
616 * send a netlink message and wait for its acknowlegde
617 */
618 static status_t netlink_send_ack(int socket, struct nlmsghdr *in)
619 {
620 struct nlmsghdr *out, *hdr;
621 size_t len;
622
623 if (netlink_send(socket, in, &out, &len) != SUCCESS)
624 {
625 return FAILED;
626 }
627 hdr = out;
628 while (NLMSG_OK(hdr, len))
629 {
630 switch (hdr->nlmsg_type)
631 {
632 case NLMSG_ERROR:
633 {
634 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
635
636 if (err->error)
637 {
638 DBG1(DBG_KNL, "received netlink error: %s (%d)",
639 strerror(-err->error), -err->error);
640 free(out);
641 return FAILED;
642 }
643 free(out);
644 return SUCCESS;
645 }
646 default:
647 hdr = NLMSG_NEXT(hdr, len);
648 continue;
649 case NLMSG_DONE:
650 break;
651 }
652 break;
653 }
654 DBG1(DBG_KNL, "netlink request not acknowlegded");
655 free(out);
656 return FAILED;
657 }
658 /**
659 * Implements kernel_interface_t.create_address_list.
660 * Create a list of local addresses.
661 */
662 static linked_list_t *create_address_list(private_kernel_interface_t *this)
663 {
664 char request[128];
665 struct nlmsghdr *out, *hdr;
666 struct rtgenmsg *msg;
667 size_t len;
668 chunk_t chunk;
669 host_t *host;
670 linked_list_t *list;
671
672 DBG2(DBG_IKE, "getting local address list");
673
674 list = linked_list_create();
675
676 memset(&request, 0, sizeof(request));
677
678 hdr = (struct nlmsghdr*)&request;
679 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
680 hdr->nlmsg_type = RTM_GETADDR;
681 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
682 msg = (struct rtgenmsg*)NLMSG_DATA(hdr);
683 msg->rtgen_family = AF_UNSPEC;
684
685 if (netlink_send(this->socket_rt, hdr, &out, &len) == SUCCESS)
686 {
687 hdr = out;
688 while (NLMSG_OK(hdr, len))
689 {
690 switch (hdr->nlmsg_type)
691 {
692 case RTM_NEWADDR:
693 {
694 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
695 struct rtattr *rta = IFA_RTA(msg);
696 size_t rtasize = IFA_PAYLOAD (hdr);
697
698 while(RTA_OK(rta, rtasize))
699 {
700 if (rta->rta_type == IFA_ADDRESS)
701 {
702 chunk.ptr = RTA_DATA(rta);
703 chunk.len = RTA_PAYLOAD(rta);
704
705 /* we set the interface on the port of the host */
706 host = host_create_from_chunk(msg->ifa_family, chunk,
707 msg->ifa_index);
708 if (host)
709 {
710 list->insert_last(list, host);
711 }
712 }
713 rta = RTA_NEXT(rta, rtasize);
714 }
715 hdr = NLMSG_NEXT(hdr, len);
716 continue;
717 }
718 default:
719 hdr = NLMSG_NEXT(hdr, len);
720 continue;
721 case NLMSG_DONE:
722 break;
723 }
724 break;
725 }
726 free(out);
727 }
728 else
729 {
730 DBG1(DBG_IKE, "unable to get local address list");
731 }
732 return list;
733 }
734
735 /**
736 * implementation of kernel_interface_t.is_local_address
737 */
738 static bool is_local_address(private_kernel_interface_t *this, host_t* ip)
739 {
740 linked_list_t *list;
741 host_t *host;
742 bool found = FALSE;
743
744 DBG2(DBG_IKE, "checking if host %H is local", ip);
745
746 list = create_address_list(this);
747 while (!found && list->remove_last(list, (void**)&host) == SUCCESS)
748 {
749 if (host->ip_equals(host, ip))
750 {
751 found = TRUE;
752 }
753 host->destroy(host);
754 }
755 list->destroy_offset(list, offsetof(host_t, destroy));
756
757 DBG2(DBG_IKE, "%H is %slocal", ip, found ? "" : "not ");
758
759 return found;
760 }
761
762 /**
763 * Tries to find an ip address of a local interface that is included in the
764 * supplied traffic selector.
765 */
766 static status_t get_address_by_ts(private_kernel_interface_t *this,
767 traffic_selector_t *ts, host_t **ip)
768 {
769 host_t *host;
770 int family;
771 linked_list_t *list;
772 bool found = FALSE;
773
774 DBG2(DBG_IKE, "getting a local address in traffic selector %R", ts);
775
776 /* if we have a family which includes localhost, we do not
777 * search for an IP, we use the default */
778 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
779
780 if (family == AF_INET)
781 {
782 host = host_create_from_string("127.0.0.1", 0);
783 }
784 else
785 {
786 host = host_create_from_string("::1", 0);
787 }
788
789 if (ts->includes(ts, host))
790 {
791 *ip = host_create_any(family);
792 host->destroy(host);
793 DBG2(DBG_IKE, "using host %H", *ip);
794 return SUCCESS;
795 }
796 host->destroy(host);
797
798 list = create_address_list(this);
799 while (!found && list->remove_last(list, (void**)&host) == SUCCESS)
800 {
801 if (ts->includes(ts, host))
802 {
803 found = TRUE;
804 *ip = host;
805 }
806 else
807 {
808 host->destroy(host);
809 }
810 }
811 list->destroy_offset(list, offsetof(host_t, destroy));
812
813 if (!found)
814 {
815 DBG2(DBG_IKE, "no local address found in traffic selector %R", ts);
816 return FAILED;
817 }
818 DBG2(DBG_IKE, "using host %H", *ip);
819 return SUCCESS;
820 }
821
822 /**
823 * get the interface of a local address
824 */
825 static int get_interface(private_kernel_interface_t *this, host_t* ip)
826 {
827 linked_list_t *list;
828 host_t *host;
829 int ifindex = 0;
830
831 DBG2(DBG_IKE, "getting iface for %H", ip);
832
833 list = create_address_list(this);
834 while (!ifindex && list->remove_last(list, (void**)&host) == SUCCESS)
835 {
836 if (host->ip_equals(host, ip))
837 {
838 ifindex = host->get_port(host);
839 }
840 host->destroy(host);
841 }
842 list->destroy_offset(list, offsetof(host_t, destroy));
843
844 if (ifindex == 0)
845 {
846 DBG1(DBG_IKE, "unable to get interface for %H", ip);
847 }
848 return ifindex;
849 }
850
851 /**
852 * Manages the creation and deletion of ip addresses on an interface.
853 * By setting the appropriate nlmsg_type, the ip will be set or unset.
854 */
855 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
856 int flags, int if_index, host_t *ip)
857 {
858 unsigned char request[BUFFER_SIZE];
859 struct nlmsghdr *hdr;
860 struct ifaddrmsg *msg;
861 chunk_t chunk;
862
863 memset(&request, 0, sizeof(request));
864
865 chunk = ip->get_address(ip);
866
867 hdr = (struct nlmsghdr*)request;
868 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
869 hdr->nlmsg_type = nlmsg_type;
870 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
871
872 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
873 msg->ifa_family = ip->get_family(ip);
874 msg->ifa_flags = 0;
875 msg->ifa_prefixlen = 8 * chunk.len;
876 msg->ifa_scope = RT_SCOPE_UNIVERSE;
877 msg->ifa_index = if_index;
878
879 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
880
881 return netlink_send_ack(this->socket_rt, hdr);
882 }
883
884 /**
885 * Manages source routes in the routing table.
886 * By setting the appropriate nlmsg_type, the route added or r.
887 */
888 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
889 int flags, route_entry_t *route)
890 {
891 struct nlmsghdr *hdr;
892 struct rtmsg *msg;
893 unsigned char request[BUFFER_SIZE];
894 chunk_t chunk;
895
896 /* if route is 0.0.0.0/0, we can't install it, as it would
897 * overwrite the default route. Instead, we add two routes:
898 * 0.0.0.0/1 and 128.0.0.0/1 */
899 if (route->prefixlen == 0)
900 {
901 route_entry_t half;
902 status_t status;
903
904 half.dst_net = chunk_alloca(route->dst_net.len);
905 memset(half.dst_net.ptr, 0, half.dst_net.len);
906 half.src_ip = route->src_ip;
907 half.if_index = route->if_index;
908 half.prefixlen = 1;
909
910 status = manage_srcroute(this, nlmsg_type, flags, &half);
911 half.dst_net.ptr[0] |= 0x80;
912 status = manage_srcroute(this, nlmsg_type, flags, &half);
913 return status;
914 }
915
916 memset(&request, 0, sizeof(request));
917
918 hdr = (struct nlmsghdr*)request;
919 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
920 hdr->nlmsg_type = nlmsg_type;
921 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
922
923 msg = (struct rtmsg*)NLMSG_DATA(hdr);
924 msg->rtm_family = route->src_ip->get_family(route->src_ip);
925 msg->rtm_dst_len = route->prefixlen;
926 msg->rtm_table = RT_TABLE_MAIN;
927 msg->rtm_protocol = RTPROT_STATIC;
928 msg->rtm_type = RTN_UNICAST;
929 msg->rtm_scope = RT_SCOPE_UNIVERSE;
930
931 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
932 chunk = route->src_ip->get_address(route->src_ip);
933 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
934 chunk.ptr = (char*)&route->if_index;
935 chunk.len = sizeof(route->if_index);
936 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
937
938 return netlink_send_ack(this->socket_rt, hdr);
939 }
940
941
942 /**
943 * Implementation of kernel_interface_t.add_ip.
944 */
945 static status_t add_ip(private_kernel_interface_t *this,
946 host_t *virtual_ip, host_t *iface_ip)
947 {
948 int targetif;
949 vip_entry_t *listed;
950 iterator_t *iterator;
951
952 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
953
954 targetif = get_interface(this, iface_ip);
955 if (targetif == 0)
956 {
957 DBG1(DBG_KNL, "unable to add virtual IP %H, no iface found for %H",
958 virtual_ip, iface_ip);
959 return FAILED;
960 }
961
962 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
963 iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex));
964 while (iterator->iterate(iterator, (void**)&listed))
965 {
966 if (listed->if_index == targetif &&
967 virtual_ip->ip_equals(virtual_ip, listed->ip))
968 {
969 listed->refcount++;
970 iterator->destroy(iterator);
971 DBG2(DBG_KNL, "virtual IP %H already added to iface %d reusing it",
972 virtual_ip, targetif);
973 return SUCCESS;
974 }
975 }
976 iterator->destroy(iterator);
977
978 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
979 targetif, virtual_ip) == SUCCESS)
980 {
981 listed = malloc_thing(vip_entry_t);
982 listed->ip = virtual_ip->clone(virtual_ip);
983 listed->if_index = targetif;
984 listed->refcount = 1;
985 this->vips->insert_last(this->vips, listed);
986 DBG2(DBG_KNL, "virtual IP %H added to iface %d",
987 virtual_ip, targetif);
988 return SUCCESS;
989 }
990
991 DBG2(DBG_KNL, "unable to add virtual IP %H to iface %d",
992 virtual_ip, targetif);
993 return FAILED;
994 }
995
996 /**
997 * Implementation of kernel_interface_t.del_ip.
998 */
999 static status_t del_ip(private_kernel_interface_t *this,
1000 host_t *virtual_ip, host_t *iface_ip)
1001 {
1002 int targetif;
1003 vip_entry_t *listed;
1004 iterator_t *iterator;
1005
1006 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1007
1008 targetif = get_interface(this, iface_ip);
1009 if (targetif == 0)
1010 {
1011 DBG1(DBG_KNL, "unable to delete virtual IP %H, no iface found for %H",
1012 virtual_ip, iface_ip);
1013 return FAILED;
1014 }
1015
1016 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1017 iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex));
1018 while (iterator->iterate(iterator, (void**)&listed))
1019 {
1020 if (listed->if_index == targetif &&
1021 virtual_ip->ip_equals(virtual_ip, listed->ip))
1022 {
1023 listed->refcount--;
1024 if (listed->refcount == 0)
1025 {
1026 iterator->remove(iterator);
1027 vip_entry_destroy(listed);
1028 iterator->destroy(iterator);
1029 return manage_ipaddr(this, RTM_DELADDR, 0, targetif, virtual_ip);
1030 }
1031 iterator->destroy(iterator);
1032 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1033 virtual_ip);
1034 return SUCCESS;
1035 }
1036 }
1037 iterator->destroy(iterator);
1038
1039 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1040 return FAILED;
1041 }
1042
1043 /**
1044 * Implementation of kernel_interface_t.get_spi.
1045 */
1046 static status_t get_spi(private_kernel_interface_t *this,
1047 host_t *src, host_t *dst,
1048 protocol_id_t protocol, u_int32_t reqid,
1049 u_int32_t *spi)
1050 {
1051 unsigned char request[BUFFER_SIZE];
1052 struct nlmsghdr *hdr, *out;
1053 struct xfrm_userspi_info *userspi;
1054 u_int32_t received_spi = 0;
1055 size_t len;
1056
1057 memset(&request, 0, sizeof(request));
1058
1059 DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
1060
1061 hdr = (struct nlmsghdr*)request;
1062 hdr->nlmsg_flags = NLM_F_REQUEST;
1063 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1064 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1065
1066 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1067 host2xfrm(src, &userspi->info.saddr);
1068 host2xfrm(dst, &userspi->info.id.daddr);
1069 userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1070 userspi->info.mode = TRUE; /* tunnel mode */
1071 userspi->info.reqid = reqid;
1072 userspi->info.family = src->get_family(src);
1073 userspi->min = 0xc0000000;
1074 userspi->max = 0xcFFFFFFF;
1075
1076 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1077 {
1078 hdr = out;
1079 while (NLMSG_OK(hdr, len))
1080 {
1081 switch (hdr->nlmsg_type)
1082 {
1083 case XFRM_MSG_NEWSA:
1084 {
1085 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1086 received_spi = usersa->id.spi;
1087 break;
1088 }
1089 case NLMSG_ERROR:
1090 {
1091 struct nlmsgerr *err = NLMSG_DATA(hdr);
1092
1093 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1094 strerror(-err->error), -err->error);
1095 break;
1096 }
1097 default:
1098 hdr = NLMSG_NEXT(hdr, len);
1099 continue;
1100 case NLMSG_DONE:
1101 break;
1102 }
1103 break;
1104 }
1105 free(out);
1106 }
1107
1108 if (received_spi == 0)
1109 {
1110 DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
1111 return FAILED;
1112 }
1113
1114 DBG2(DBG_KNL, "got SPI %x for reqid %d", received_spi, reqid);
1115
1116 *spi = received_spi;
1117 return SUCCESS;
1118 }
1119
1120 /**
1121 * Implementation of kernel_interface_t.add_sa.
1122 */
1123 static status_t add_sa(private_kernel_interface_t *this,
1124 host_t *src, host_t *dst, u_int32_t spi,
1125 protocol_id_t protocol, u_int32_t reqid,
1126 u_int64_t expire_soft, u_int64_t expire_hard,
1127 algorithm_t *enc_alg, algorithm_t *int_alg,
1128 prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode,
1129 bool replace)
1130 {
1131 unsigned char request[BUFFER_SIZE];
1132 char *alg_name;
1133 u_int key_size;
1134 struct nlmsghdr *hdr;
1135 struct xfrm_usersa_info *sa;
1136
1137 memset(&request, 0, sizeof(request));
1138
1139 DBG2(DBG_KNL, "adding SAD entry with SPI %x", spi);
1140
1141 hdr = (struct nlmsghdr*)request;
1142 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1143 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1144 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1145
1146 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1147 host2xfrm(src, &sa->saddr);
1148 host2xfrm(dst, &sa->id.daddr);
1149 sa->id.spi = spi;
1150 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1151 sa->family = src->get_family(src);
1152 sa->mode = mode;
1153 sa->replay_window = 32;
1154 sa->reqid = reqid;
1155 /* we currently do not expire SAs by volume/packet count */
1156 sa->lft.soft_byte_limit = XFRM_INF;
1157 sa->lft.hard_byte_limit = XFRM_INF;
1158 sa->lft.soft_packet_limit = XFRM_INF;
1159 sa->lft.hard_packet_limit = XFRM_INF;
1160 /* we use lifetimes since added, not since used */
1161 sa->lft.soft_add_expires_seconds = expire_soft;
1162 sa->lft.hard_add_expires_seconds = expire_hard;
1163 sa->lft.soft_use_expires_seconds = 0;
1164 sa->lft.hard_use_expires_seconds = 0;
1165
1166 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1167
1168 if (enc_alg->algorithm != ENCR_UNDEFINED)
1169 {
1170 rthdr->rta_type = XFRMA_ALG_CRYPT;
1171 alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
1172 if (alg_name == NULL)
1173 {
1174 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1175 encryption_algorithm_names, enc_alg->algorithm);
1176 return FAILED;
1177 }
1178 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1179 encryption_algorithm_names, enc_alg->algorithm, key_size);
1180
1181 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1182 hdr->nlmsg_len += rthdr->rta_len;
1183 if (hdr->nlmsg_len > sizeof(request))
1184 {
1185 return FAILED;
1186 }
1187
1188 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1189 algo->alg_key_len = key_size;
1190 strcpy(algo->alg_name, alg_name);
1191 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1192
1193 rthdr = XFRM_RTA_NEXT(rthdr);
1194 }
1195
1196 if (int_alg->algorithm != AUTH_UNDEFINED)
1197 {
1198 rthdr->rta_type = XFRMA_ALG_AUTH;
1199 alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
1200 if (alg_name == NULL)
1201 {
1202 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1203 integrity_algorithm_names, int_alg->algorithm);
1204 return FAILED;
1205 }
1206 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1207 integrity_algorithm_names, int_alg->algorithm, key_size);
1208
1209 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1210 hdr->nlmsg_len += rthdr->rta_len;
1211 if (hdr->nlmsg_len > sizeof(request))
1212 {
1213 return FAILED;
1214 }
1215
1216 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1217 algo->alg_key_len = key_size;
1218 strcpy(algo->alg_name, alg_name);
1219 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1220
1221 rthdr = XFRM_RTA_NEXT(rthdr);
1222 }
1223
1224 /* TODO: add IPComp here */
1225
1226 if (natt)
1227 {
1228 rthdr->rta_type = XFRMA_ENCAP;
1229 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1230
1231 hdr->nlmsg_len += rthdr->rta_len;
1232 if (hdr->nlmsg_len > sizeof(request))
1233 {
1234 return FAILED;
1235 }
1236
1237 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1238 encap->encap_type = UDP_ENCAP_ESPINUDP;
1239 encap->encap_sport = htons(natt->sport);
1240 encap->encap_dport = htons(natt->dport);
1241 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
1242 /* encap_oa could probably be derived from the
1243 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1244 * pluto does the same as we do here but it uses encap_oa in the
1245 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1246 * the kernel ignores it anyway
1247 * -> does that mean that NAT-T encap doesn't work in transport mode?
1248 * No. The reason the kernel ignores NAT-OA is that it recomputes
1249 * (or, rather, just ignores) the checksum. If packets pass
1250 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1251 rthdr = XFRM_RTA_NEXT(rthdr);
1252 }
1253
1254 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1255 {
1256 DBG1(DBG_KNL, "unalbe to add SAD entry with SPI %x", spi);
1257 return FAILED;
1258 }
1259 return SUCCESS;
1260 }
1261
1262 /**
1263 * Implementation of kernel_interface_t.update_sa.
1264 */
1265 static status_t update_sa(private_kernel_interface_t *this,
1266 host_t *src, host_t *dst,
1267 host_t *new_src, host_t *new_dst,
1268 host_diff_t src_changes, host_diff_t dst_changes,
1269 u_int32_t spi, protocol_id_t protocol)
1270 {
1271 unsigned char request[BUFFER_SIZE];
1272 struct nlmsghdr *hdr, *out = NULL;
1273 struct xfrm_usersa_id *sa_id;
1274 struct xfrm_usersa_info *sa = NULL;
1275 size_t len;
1276
1277 memset(&request, 0, sizeof(request));
1278
1279 DBG2(DBG_KNL, "querying SAD entry with SPI %x", spi);
1280
1281 hdr = (struct nlmsghdr*)request;
1282 hdr->nlmsg_flags = NLM_F_REQUEST;
1283 hdr->nlmsg_type = XFRM_MSG_GETSA;
1284 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1285
1286 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1287 host2xfrm(dst, &sa_id->daddr);
1288 sa_id->spi = spi;
1289 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1290 sa_id->family = dst->get_family(dst);
1291
1292 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1293 {
1294 hdr = out;
1295 while (NLMSG_OK(hdr, len))
1296 {
1297 switch (hdr->nlmsg_type)
1298 {
1299 case XFRM_MSG_NEWSA:
1300 {
1301 sa = NLMSG_DATA(hdr);
1302 break;
1303 }
1304 case NLMSG_ERROR:
1305 {
1306 struct nlmsgerr *err = NLMSG_DATA(hdr);
1307 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1308 strerror(-err->error), -err->error);
1309 break;
1310 }
1311 default:
1312 hdr = NLMSG_NEXT(hdr, len);
1313 continue;
1314 case NLMSG_DONE:
1315 break;
1316 }
1317 break;
1318 }
1319 }
1320 if (sa == NULL)
1321 {
1322 DBG1(DBG_KNL, "unable to update SAD entry with SPI %x", spi);
1323 free(out);
1324 return FAILED;
1325 }
1326
1327 DBG2(DBG_KNL, "updating SAD entry with SPI %x", spi);
1328
1329 hdr = out;
1330 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1331 hdr->nlmsg_type = XFRM_MSG_UPDSA;
1332
1333 if (src_changes & HOST_DIFF_ADDR)
1334 {
1335 host2xfrm(new_src, &sa->saddr);
1336 }
1337
1338 if (dst_changes & HOST_DIFF_ADDR)
1339 {
1340 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1341 host2xfrm(new_dst, &sa->id.daddr);
1342 }
1343
1344 if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
1345 {
1346 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1347 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info);
1348 while (RTA_OK(rtattr, rtsize))
1349 {
1350 if (rtattr->rta_type == XFRMA_ENCAP)
1351 {
1352 struct xfrm_encap_tmpl* encap;
1353 encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr);
1354 encap->encap_sport = ntohs(new_src->get_port(new_src));
1355 encap->encap_dport = ntohs(new_dst->get_port(new_dst));
1356 break;
1357 }
1358 rtattr = RTA_NEXT(rtattr, rtsize);
1359 }
1360 }
1361 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1362 {
1363 DBG1(DBG_KNL, "unalbe to update SAD entry with SPI %x", spi);
1364 free(out);
1365 return FAILED;
1366 }
1367 free(out);
1368
1369 if (dst_changes & HOST_DIFF_ADDR)
1370 {
1371 return this->public.del_sa(&this->public, dst, spi, protocol);
1372 }
1373 return SUCCESS;
1374 }
1375
1376 /**
1377 * Implementation of kernel_interface_t.query_sa.
1378 */
1379 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
1380 u_int32_t spi, protocol_id_t protocol,
1381 u_int32_t *use_time)
1382 {
1383 unsigned char request[BUFFER_SIZE];
1384 struct nlmsghdr *out = NULL, *hdr;
1385 struct xfrm_usersa_id *sa_id;
1386 struct xfrm_usersa_info *sa = NULL;
1387 size_t len;
1388
1389 DBG2(DBG_KNL, "querying SAD entry with SPI %x", spi);
1390 memset(&request, 0, sizeof(request));
1391
1392 hdr = (struct nlmsghdr*)request;
1393 hdr->nlmsg_flags = NLM_F_REQUEST;
1394 hdr->nlmsg_type = XFRM_MSG_GETSA;
1395 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1396
1397 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1398 host2xfrm(dst, &sa_id->daddr);
1399 sa_id->spi = spi;
1400 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1401 sa_id->family = dst->get_family(dst);
1402
1403 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1404 {
1405 hdr = out;
1406 while (NLMSG_OK(hdr, len))
1407 {
1408 switch (hdr->nlmsg_type)
1409 {
1410 case XFRM_MSG_NEWSA:
1411 {
1412 sa = NLMSG_DATA(hdr);
1413 break;
1414 }
1415 case NLMSG_ERROR:
1416 {
1417 struct nlmsgerr *err = NLMSG_DATA(hdr);
1418 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1419 strerror(-err->error), -err->error);
1420 break;
1421 }
1422 default:
1423 hdr = NLMSG_NEXT(hdr, len);
1424 continue;
1425 case NLMSG_DONE:
1426 break;
1427 }
1428 break;
1429 }
1430 }
1431
1432 if (sa == NULL)
1433 {
1434 DBG1(DBG_KNL, "unable to query SAD entry with SPI %x", spi);
1435 free(out);
1436 return FAILED;
1437 }
1438
1439 *use_time = sa->curlft.use_time;
1440 free (out);
1441 return SUCCESS;
1442 }
1443
1444 /**
1445 * Implementation of kernel_interface_t.del_sa.
1446 */
1447 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
1448 u_int32_t spi, protocol_id_t protocol)
1449 {
1450 unsigned char request[BUFFER_SIZE];
1451 struct nlmsghdr *hdr;
1452 struct xfrm_usersa_id *sa_id;
1453
1454 memset(&request, 0, sizeof(request));
1455
1456 DBG2(DBG_KNL, "deleting SAD entry with SPI %x", spi);
1457
1458 hdr = (struct nlmsghdr*)request;
1459 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1460 hdr->nlmsg_type = XFRM_MSG_DELSA;
1461 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1462
1463 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1464 host2xfrm(dst, &sa_id->daddr);
1465 sa_id->spi = spi;
1466 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1467 sa_id->family = dst->get_family(dst);
1468
1469 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1470 {
1471 DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI %x", spi);
1472 return FAILED;
1473 }
1474 DBG2(DBG_KNL, "deleted SAD entry with SPI %x", spi);
1475 return SUCCESS;
1476 }
1477
1478 /**
1479 * Implementation of kernel_interface_t.add_policy.
1480 */
1481 static status_t add_policy(private_kernel_interface_t *this,
1482 host_t *src, host_t *dst,
1483 traffic_selector_t *src_ts,
1484 traffic_selector_t *dst_ts,
1485 policy_dir_t direction, protocol_id_t protocol,
1486 u_int32_t reqid, bool high_prio, mode_t mode,
1487 bool update)
1488 {
1489 iterator_t *iterator;
1490 policy_entry_t *current, *policy;
1491 bool found = FALSE;
1492 unsigned char request[BUFFER_SIZE];
1493 struct xfrm_userpolicy_info *policy_info;
1494 struct nlmsghdr *hdr;
1495
1496 /* create a policy */
1497 policy = malloc_thing(policy_entry_t);
1498 memset(policy, 0, sizeof(policy_entry_t));
1499 policy->sel = ts2selector(src_ts, dst_ts);
1500 policy->direction = direction;
1501
1502 /* find the policy, which matches EXACTLY */
1503 pthread_mutex_lock(&this->policies_mutex);
1504 iterator = this->policies->create_iterator(this->policies, TRUE);
1505 while (iterator->iterate(iterator, (void**)&current))
1506 {
1507 if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
1508 policy->direction == current->direction)
1509 {
1510 free(policy);
1511 /* use existing policy */
1512 if (!update)
1513 {
1514 current->refcount++;
1515 DBG2(DBG_KNL, "policy %R===%R already exists, increasing ",
1516 "refcount", src_ts, dst_ts);
1517 if (!high_prio)
1518 {
1519 /* if added policy is for a ROUTED child_sa, do not
1520 * overwrite existing INSTALLED policy */
1521 iterator->destroy(iterator);
1522 pthread_mutex_unlock(&this->policies_mutex);
1523 return SUCCESS;
1524 }
1525 }
1526 policy = current;
1527 found = TRUE;
1528 break;
1529 }
1530 }
1531 iterator->destroy(iterator);
1532 if (!found)
1533 { /* apply the new one, if we have no such policy */
1534 this->policies->insert_last(this->policies, policy);
1535 policy->refcount = 1;
1536 }
1537
1538 DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
1539
1540 memset(&request, 0, sizeof(request));
1541 hdr = (struct nlmsghdr*)request;
1542 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1543 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
1544 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1545
1546 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1547 policy_info->sel = policy->sel;
1548 policy_info->dir = policy->direction;
1549 /* calculate priority based on source selector size, small size = high prio */
1550 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1551 policy_info->priority -= policy->sel.prefixlen_s * 10;
1552 policy_info->priority -= policy->sel.proto ? 2 : 0;
1553 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1554 policy_info->action = XFRM_POLICY_ALLOW;
1555 policy_info->share = XFRM_SHARE_ANY;
1556 pthread_mutex_unlock(&this->policies_mutex);
1557
1558 /* policies don't expire */
1559 policy_info->lft.soft_byte_limit = XFRM_INF;
1560 policy_info->lft.soft_packet_limit = XFRM_INF;
1561 policy_info->lft.hard_byte_limit = XFRM_INF;
1562 policy_info->lft.hard_packet_limit = XFRM_INF;
1563 policy_info->lft.soft_add_expires_seconds = 0;
1564 policy_info->lft.hard_add_expires_seconds = 0;
1565 policy_info->lft.soft_use_expires_seconds = 0;
1566 policy_info->lft.hard_use_expires_seconds = 0;
1567
1568 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1569 rthdr->rta_type = XFRMA_TMPL;
1570
1571 rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
1572 rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
1573
1574 hdr->nlmsg_len += rthdr->rta_len;
1575 if (hdr->nlmsg_len > sizeof(request))
1576 {
1577 return FAILED;
1578 }
1579
1580 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1581 tmpl->reqid = reqid;
1582 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
1583 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1584 tmpl->mode = mode;
1585 tmpl->family = src->get_family(src);
1586
1587 host2xfrm(src, &tmpl->saddr);
1588 host2xfrm(dst, &tmpl->id.daddr);
1589
1590 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1591 {
1592 DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
1593 return FAILED;
1594 }
1595
1596 if (direction == POLICY_FWD)
1597 {
1598 policy->route = malloc_thing(route_entry_t);
1599 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
1600 {
1601 policy->route->if_index = get_interface(this, dst);
1602 policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1603 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
1604 policy->route->prefixlen = policy->sel.prefixlen_s;
1605
1606 if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
1607 policy->route) != SUCCESS)
1608 {
1609 route_entry_destroy(policy->route);
1610 policy->route = NULL;
1611 }
1612 }
1613 else
1614 {
1615 free(policy->route);
1616 policy->route = NULL;
1617 }
1618 }
1619
1620 return SUCCESS;
1621 }
1622
1623 /**
1624 * Implementation of kernel_interface_t.query_policy.
1625 */
1626 static status_t query_policy(private_kernel_interface_t *this,
1627 traffic_selector_t *src_ts,
1628 traffic_selector_t *dst_ts,
1629 policy_dir_t direction, u_int32_t *use_time)
1630 {
1631 unsigned char request[BUFFER_SIZE];
1632 struct nlmsghdr *out = NULL, *hdr;
1633 struct xfrm_userpolicy_id *policy_id;
1634 struct xfrm_userpolicy_info *policy = NULL;
1635 size_t len;
1636
1637 memset(&request, 0, sizeof(request));
1638
1639 DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
1640
1641 hdr = (struct nlmsghdr*)request;
1642 hdr->nlmsg_flags = NLM_F_REQUEST;
1643 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1644 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1645
1646 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1647 policy_id->sel = ts2selector(src_ts, dst_ts);
1648 policy_id->dir = direction;
1649
1650 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1651 {
1652 hdr = out;
1653 while (NLMSG_OK(hdr, len))
1654 {
1655 switch (hdr->nlmsg_type)
1656 {
1657 case XFRM_MSG_NEWPOLICY:
1658 {
1659 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1660 break;
1661 }
1662 case NLMSG_ERROR:
1663 {
1664 struct nlmsgerr *err = NLMSG_DATA(hdr);
1665 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1666 strerror(-err->error), -err->error);
1667 break;
1668 }
1669 default:
1670 hdr = NLMSG_NEXT(hdr, len);
1671 continue;
1672 case NLMSG_DONE:
1673 break;
1674 }
1675 break;
1676 }
1677 }
1678
1679 if (policy == NULL)
1680 {
1681 DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
1682 free(out);
1683 return FAILED;
1684 }
1685 *use_time = (time_t)policy->curlft.use_time;
1686
1687 free(out);
1688 return SUCCESS;
1689 }
1690
1691 /**
1692 * Implementation of kernel_interface_t.del_policy.
1693 */
1694 static status_t del_policy(private_kernel_interface_t *this,
1695 traffic_selector_t *src_ts,
1696 traffic_selector_t *dst_ts,
1697 policy_dir_t direction)
1698 {
1699 policy_entry_t *current, policy, *to_delete = NULL;
1700 route_entry_t *route;
1701 unsigned char request[BUFFER_SIZE];
1702 struct nlmsghdr *hdr;
1703 struct xfrm_userpolicy_id *policy_id;
1704 iterator_t *iterator;
1705
1706 DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
1707
1708 /* create a policy */
1709 memset(&policy, 0, sizeof(policy_entry_t));
1710 policy.sel = ts2selector(src_ts, dst_ts);
1711 policy.direction = direction;
1712
1713 /* find the policy */
1714 pthread_mutex_lock(&this->policies_mutex);
1715 iterator = this->policies->create_iterator(this->policies, TRUE);
1716 while (iterator->iterate(iterator, (void**)&current))
1717 {
1718 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
1719 policy.direction == current->direction)
1720 {
1721 to_delete = current;
1722 if (--to_delete->refcount > 0)
1723 {
1724 /* is used by more SAs, keep in kernel */
1725 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1726 iterator->destroy(iterator);
1727 pthread_mutex_unlock(&this->policies_mutex);
1728 return SUCCESS;
1729 }
1730 /* remove if last reference */
1731 iterator->remove(iterator);
1732 break;
1733 }
1734 }
1735 iterator->destroy(iterator);
1736 pthread_mutex_unlock(&this->policies_mutex);
1737 if (!to_delete)
1738 {
1739 DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
1740 return NOT_FOUND;
1741 }
1742
1743 memset(&request, 0, sizeof(request));
1744
1745 hdr = (struct nlmsghdr*)request;
1746 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1747 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1748 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1749
1750 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1751 policy_id->sel = to_delete->sel;
1752 policy_id->dir = direction;
1753
1754 route = to_delete->route;
1755 free(to_delete);
1756
1757 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1758 {
1759 DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
1760 return FAILED;
1761 }
1762
1763 if (route)
1764 {
1765 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
1766 {
1767 DBG1(DBG_KNL, "error uninstalling route installed with "
1768 "policy %R===%R", src_ts, dst_ts);
1769 }
1770 route_entry_destroy(route);
1771 }
1772 return SUCCESS;
1773 }
1774
1775 /**
1776 * Implementation of kernel_interface_t.destroy.
1777 */
1778 static void destroy(private_kernel_interface_t *this)
1779 {
1780 pthread_cancel(this->event_thread);
1781 pthread_join(this->event_thread, NULL);
1782 close(this->socket_xfrm_events);
1783 close(this->socket_xfrm);
1784 close(this->socket_rt);
1785 this->vips->destroy(this->vips);
1786 this->policies->destroy(this->policies);
1787 free(this);
1788 }
1789
1790 /*
1791 * Described in header.
1792 */
1793 kernel_interface_t *kernel_interface_create()
1794 {
1795 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
1796 struct sockaddr_nl addr;
1797
1798 /* public functions */
1799 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1800 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa;
1801 this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
1802 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
1803 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1804 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
1805 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1806 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1807 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
1808 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) del_ip;
1809 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
1810
1811 /* private members */
1812 this->vips = linked_list_create();
1813 this->policies = linked_list_create();
1814 pthread_mutex_init(&this->policies_mutex,NULL);
1815 pthread_mutex_init(&this->vips_mutex,NULL);
1816
1817 addr.nl_family = AF_NETLINK;
1818 addr.nl_pid = 0;
1819 addr.nl_groups = 0;
1820
1821 /* create and bind XFRM socket */
1822 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1823 if (this->socket_xfrm <= 0)
1824 {
1825 charon->kill(charon, "unable to create XFRM netlink socket");
1826 }
1827
1828 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
1829 {
1830 charon->kill(charon, "unable to bind XFRM netlink socket");
1831 }
1832
1833 /* create and bind RT socket */
1834 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
1835 if (this->socket_rt <= 0)
1836 {
1837 charon->kill(charon, "unable to create RT netlink socket");
1838 }
1839
1840 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
1841 {
1842 charon->kill(charon, "unable to bind RT netlink socket");
1843 }
1844
1845 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
1846 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
1847 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1848 if (this->socket_xfrm_events <= 0)
1849 {
1850 charon->kill(charon, "unable to create XFRM event socket");
1851 }
1852
1853 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
1854 {
1855 charon->kill(charon, "unable to bind XFRM event socket");
1856 }
1857
1858 /* create a thread receiving ACQUIRE & EXPIRE events */
1859 if (pthread_create(&this->event_thread, NULL,
1860 (void*(*)(void*))receive_events, this))
1861 {
1862 charon->kill(charon, "unable to create xfrm event dispatcher thread");
1863 }
1864
1865 return &this->public;
1866 }
1867
1868 /* vim: set ts=4 sw=4 noet: */