9d8463a75f266282bcff3e9acf577ed17bff0f14
[strongswan.git] / src / charon / threads / kernel_interface.c
1 /**
2 * @file kernel_interface.c
3 *
4 * @brief Implementation of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 * Copyright (C) 2003 Herbert Xu.
14 *
15 * Contains modified parts from pluto.
16 *
17 * This program is free software; you can redistribute it and/or modify it
18 * under the terms of the GNU General Public License as published by the
19 * Free Software Foundation; either version 2 of the License, or (at your
20 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
21 *
22 * This program is distributed in the hope that it will be useful, but
23 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
24 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
25 * for more details.
26 */
27
28 #include <sys/types.h>
29 #include <sys/socket.h>
30 #include <linux/netlink.h>
31 #include <linux/rtnetlink.h>
32 #include <pthread.h>
33 #include <unistd.h>
34 #include <fcntl.h>
35 #include <errno.h>
36 #include <string.h>
37
38 #include "kernel_interface.h"
39
40 #include <daemon.h>
41 #include <utils/linked_list.h>
42 #include <queues/jobs/delete_child_sa_job.h>
43 #include <queues/jobs/rekey_child_sa_job.h>
44
45
46 #define KERNEL_ESP 50
47 #define KERNEL_AH 51
48
49 #define SPD_PRIORITY 1024
50
51 #define BUFFER_SIZE 1024
52
53 /* returns a pointer to the first rtattr following the nlmsghdr *nlh and the 'usual' netlink data x like 'struct xfrm_usersa_info' */
54 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
55 /* returns a pointer to the next rtattr following rta.
56 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!! */
57 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
58 /* returns the total size of attached rta data (after 'usual' netlink data x like 'struct xfrm_usersa_info') */
59 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
60
61 typedef struct kernel_algorithm_t kernel_algorithm_t;
62
63 /**
64 * Mapping from the algorithms defined in IKEv2 to
65 * kernel level algorithm names and their key length
66 */
67 struct kernel_algorithm_t {
68 /**
69 * Identifier specified in IKEv2
70 */
71 int ikev2_id;
72
73 /**
74 * Name of the algorithm, as used as kernel identifier
75 */
76 char *name;
77
78 /**
79 * Key length in bits, if fixed size
80 */
81 u_int key_size;
82 };
83 #define END_OF_LIST -1
84
85 /**
86 * Algorithms for encryption
87 */
88 kernel_algorithm_t encryption_algs[] = {
89 /* {ENCR_DES_IV64, "***", 0}, */
90 {ENCR_DES, "des", 64},
91 {ENCR_3DES, "des3_ede", 192},
92 /* {ENCR_RC5, "***", 0}, */
93 /* {ENCR_IDEA, "***", 0}, */
94 {ENCR_CAST, "cast128", 0},
95 {ENCR_BLOWFISH, "blowfish", 0},
96 /* {ENCR_3IDEA, "***", 0}, */
97 /* {ENCR_DES_IV32, "***", 0}, */
98 {ENCR_NULL, "cipher_null", 0},
99 {ENCR_AES_CBC, "aes", 0},
100 /* {ENCR_AES_CTR, "***", 0}, */
101 {END_OF_LIST, NULL, 0},
102 };
103
104 /**
105 * Algorithms for integrity protection
106 */
107 kernel_algorithm_t integrity_algs[] = {
108 {AUTH_HMAC_MD5_96, "md5", 128},
109 {AUTH_HMAC_SHA1_96, "sha1", 160},
110 /* {AUTH_DES_MAC, "***", 0}, */
111 /* {AUTH_KPDK_MD5, "***", 0}, */
112 /* {AUTH_AES_XCBC_96, "***", 0}, */
113 {END_OF_LIST, NULL, 0},
114 };
115
116 /**
117 * Look up a kernel algorithm name and its key size
118 */
119 char* lookup_algorithm(kernel_algorithm_t *kernel_algo, algorithm_t *ikev2_algo, u_int *key_size)
120 {
121 while (kernel_algo->ikev2_id != END_OF_LIST)
122 {
123 if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
124 {
125 /* match, evaluate key length */
126 if (ikev2_algo->key_size)
127 { /* variable length */
128 *key_size = ikev2_algo->key_size;
129 }
130 else
131 { /* fixed length */
132 *key_size = kernel_algo->key_size;
133 }
134 return kernel_algo->name;
135 }
136 kernel_algo++;
137 }
138 return NULL;
139 }
140
141 typedef struct private_kernel_interface_t private_kernel_interface_t;
142
143 /**
144 * @brief Private Variables and Functions of kernel_interface class.
145 *
146 */
147 struct private_kernel_interface_t {
148 /**
149 * Public part of the kernel_interface_t object.
150 */
151 kernel_interface_t public;
152
153 /**
154 * Netlink communication socket.
155 */
156 int socket;
157
158 /**
159 * Process id of kernel thread
160 */
161 pid_t pid;
162
163 /**
164 * Sequence number for messages.
165 */
166 u_int32_t seq;
167
168 /**
169 * List of responded messages.
170 */
171 linked_list_t *responses;
172
173 /**
174 * Thread which receives messages.
175 */
176 pthread_t thread;
177
178 /**
179 * Mutex locks access to replies list.
180 */
181 pthread_mutex_t mutex;
182
183 /**
184 * Condvar allows signaling of threads waiting for a reply.
185 */
186 pthread_cond_t condvar;
187
188 /**
189 * Logger for XFRM stuff
190 */
191 logger_t *logger;
192
193 /**
194 * Function for the thread, receives messages.
195 */
196 void (*receive_messages) (private_kernel_interface_t *this);
197
198 /**
199 * Sends a netlink_message_t down to the kernel and wait for reply.
200 */
201 status_t (*send_message) (private_kernel_interface_t *this, struct nlmsghdr *request, struct nlmsghdr **response);
202 };
203
204 /**
205 * Implementation of kernel_interface_t.get_spi.
206 */
207 static status_t get_spi(private_kernel_interface_t *this,
208 host_t *src, host_t *dest,
209 protocol_id_t protocol, u_int32_t reqid,
210 u_int32_t *spi)
211 {
212 unsigned char request[BUFFER_SIZE];
213 struct nlmsghdr *response;
214
215 memset(&request, 0, sizeof(request));
216 status_t status = SUCCESS;
217
218 this->logger->log(this->logger, CONTROL|LEVEL2, "getting spi");
219
220 struct nlmsghdr *hdr = (struct nlmsghdr*)request;
221 hdr->nlmsg_flags = NLM_F_REQUEST;
222 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
223 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
224
225 struct xfrm_userspi_info *userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
226 userspi->info.saddr = src->get_xfrm_addr(src);
227 userspi->info.id.daddr = dest->get_xfrm_addr(dest);
228 userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
229 userspi->info.mode = TRUE; /* tunnel mode */
230 userspi->info.reqid = reqid;
231 userspi->info.family = src->get_family(src);
232 userspi->min = 0xc0000000;
233 userspi->max = 0xcFFFFFFF;
234
235 if (this->send_message(this, hdr, &response) != SUCCESS)
236 {
237 this->logger->log(this->logger, ERROR, "netlink communication failed");
238 return FAILED;
239 }
240 else if (response->nlmsg_type == NLMSG_ERROR)
241 {
242 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_ALLOCSPI got an error: %s",
243 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
244 status = FAILED;
245 }
246 else if (response->nlmsg_type != XFRM_MSG_NEWSA)
247 {
248 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_ALLOCSPI got a unknown reply");
249 status = FAILED;
250 }
251 else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))
252 {
253 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_ALLOCSPI got an invalid reply");
254 status = FAILED;
255 }
256 else
257 {
258 *spi = ((struct xfrm_usersa_info*)NLMSG_DATA(response))->id.spi;
259 this->logger->log(this->logger, CONTROL|LEVEL1, "SPI is 0x%x", *spi);
260 }
261 free(response);
262
263 return status;
264 }
265
266 /**
267 * Implementation of kernel_interface_t.add_sa.
268 */
269 static status_t add_sa(private_kernel_interface_t *this,
270 host_t *me, host_t *other,
271 u_int32_t spi, protocol_id_t protocol,
272 u_int32_t reqid,
273 u_int64_t expire_soft, u_int64_t expire_hard,
274 algorithm_t *enc_alg, algorithm_t *int_alg,
275 prf_plus_t *prf_plus, natt_conf_t *natt,
276 bool replace)
277 {
278 unsigned char request[BUFFER_SIZE];
279 struct nlmsghdr *response;
280 char *alg_name;
281 size_t key_size;
282
283 memset(&request, 0, sizeof(request));
284 status_t status = SUCCESS;
285
286 this->logger->log(this->logger, CONTROL|LEVEL2, "adding SA");
287
288 struct nlmsghdr *hdr = (struct nlmsghdr*)request;
289 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
290 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
291 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
292
293 struct xfrm_usersa_info *sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
294 sa->saddr = me->get_xfrm_addr(me);
295 sa->id.daddr = other->get_xfrm_addr(other);
296
297 sa->id.spi = spi;
298 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
299 sa->family = me->get_family(me);
300 sa->mode = TRUE; /* tunnel mode */
301 sa->replay_window = 32;
302 sa->reqid = reqid;
303 /* we currently do not expire SAs by volume/packet count */
304 sa->lft.soft_byte_limit = XFRM_INF;
305 sa->lft.hard_byte_limit = XFRM_INF;
306 sa->lft.soft_packet_limit = XFRM_INF;
307 sa->lft.hard_packet_limit = XFRM_INF;
308 /* we use lifetimes since added, not since used */
309 sa->lft.soft_add_expires_seconds = expire_soft;
310 sa->lft.hard_add_expires_seconds = expire_hard;
311 sa->lft.soft_use_expires_seconds = 0;
312 sa->lft.hard_use_expires_seconds = 0;
313
314 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
315
316 if (enc_alg->algorithm != ENCR_UNDEFINED)
317 {
318 rthdr->rta_type = XFRMA_ALG_CRYPT;
319 alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
320 if (alg_name == NULL)
321 {
322 this->logger->log(this->logger, ERROR, "Algorithm %s not supported by kernel!",
323 mapping_find(encryption_algorithm_m, enc_alg->algorithm));
324 return FAILED;
325 }
326 this->logger->log(this->logger, CONTROL|LEVEL2, " using encryption algorithm %s with key size %d",
327 mapping_find(encryption_algorithm_m, enc_alg->algorithm), key_size);
328
329 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
330 hdr->nlmsg_len += rthdr->rta_len;
331 if (hdr->nlmsg_len > sizeof(request))
332 {
333 return FAILED;
334 }
335
336 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
337 algo->alg_key_len = key_size;
338 strcpy(algo->alg_name, alg_name);
339 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
340
341 rthdr = XFRM_RTA_NEXT(rthdr);
342 }
343
344 if (int_alg->algorithm != AUTH_UNDEFINED)
345 {
346 rthdr->rta_type = XFRMA_ALG_AUTH;
347 alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
348 if (alg_name == NULL)
349 {
350 this->logger->log(this->logger, ERROR, "Algorithm %s not supported by kernel!",
351 mapping_find(integrity_algorithm_m, int_alg->algorithm));
352 return FAILED;
353 }
354 this->logger->log(this->logger, CONTROL|LEVEL2, " using integrity algorithm %s with key size %d",
355 mapping_find(integrity_algorithm_m, int_alg->algorithm), key_size);
356
357 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
358 hdr->nlmsg_len += rthdr->rta_len;
359 if (hdr->nlmsg_len > sizeof(request))
360 {
361 return FAILED;
362 }
363
364 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
365 algo->alg_key_len = key_size;
366 strcpy(algo->alg_name, alg_name);
367 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
368
369 rthdr = XFRM_RTA_NEXT(rthdr);
370 }
371
372 /* TODO: add IPComp here */
373
374 if (natt)
375 {
376 rthdr->rta_type = XFRMA_ENCAP;
377 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
378
379 hdr->nlmsg_len += rthdr->rta_len;
380 if (hdr->nlmsg_len > sizeof(request))
381 {
382 return FAILED;
383 }
384
385 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
386 /* UDP_ENCAP_ESPINUDP, see /usr/src/linux/include/linux/udp.h
387 * we could probably use 3 here (as pluto does) although the
388 * result is eventually the same. */
389 encap->encap_type = 2;
390 encap->encap_sport = ntohs(natt->sport);
391 encap->encap_dport = ntohs(natt->dport);
392 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
393 /* encap_oa could probably be derived from the
394 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
395 * pluto does the same as we do here but it uses encap_oa in the
396 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
397 * the kernel ignores it anyway
398 * -> does that mean that NAT-T encap doesn't work in transport mode?
399 * No. The reason the kernel ignores NAT-OA is that it recomputes
400 * (or, rather, just ignores) the checksum. If packets pass
401 * the IPSec checks it marks them "checksum ok" so OA isn't needed. */
402
403 rthdr = XFRM_RTA_NEXT(rthdr);
404 }
405
406 if (this->send_message(this, hdr, &response) != SUCCESS)
407 {
408 this->logger->log(this->logger, ERROR, "netlink communication failed");
409 return FAILED;
410 }
411 else if (response->nlmsg_type != NLMSG_ERROR)
412 {
413 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_NEWSA not acknowledged");
414 status = FAILED;
415 }
416 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
417 {
418 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_NEWSA got an error: %s",
419 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
420 status = FAILED;
421 }
422
423 free(response);
424 return status;
425 }
426
427 static status_t update_sa_hosts(
428 private_kernel_interface_t *this,
429 host_t *src, host_t *dst,
430 host_t *new_src, host_t *new_dst,
431 int src_changes, int dst_changes,
432 u_int32_t spi, protocol_id_t protocol)
433 {
434 unsigned char request[BUFFER_SIZE];
435 struct nlmsghdr *update, *response;
436
437 memset(&request, 0, sizeof(request));
438 status_t status = SUCCESS;
439
440 this->logger->log(this->logger, CONTROL|LEVEL2, "getting SA");
441
442 struct nlmsghdr *hdr = (struct nlmsghdr*)request;
443 hdr->nlmsg_flags = NLM_F_REQUEST ;
444 hdr->nlmsg_type = XFRM_MSG_GETSA;
445 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
446
447 struct xfrm_usersa_id *sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
448 sa_id->daddr = dst->get_xfrm_addr(dst);
449 sa_id->spi = spi;
450 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
451 sa_id->family = dst->get_family(dst);
452
453 if (this->send_message(this, hdr, &update) != SUCCESS)
454 {
455 this->logger->log(this->logger, ERROR, "netlink communication failed");
456 return FAILED;
457 }
458 else if (update->nlmsg_type == NLMSG_ERROR)
459 {
460 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_GETSA got an error: %s",
461 strerror(-((struct nlmsgerr*)NLMSG_DATA(update))->error));
462 free(update);
463 return FAILED;
464 }
465 else if (update->nlmsg_type != XFRM_MSG_NEWSA)
466 {
467 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_GETSA got a unknown reply");
468 free(update);
469 return FAILED;
470 }
471 else if (update->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))
472 {
473 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_GETSA got an invalid reply");
474 free(update);
475 return FAILED;
476 }
477
478 this->logger->log(this->logger, CONTROL|LEVEL2, "updating SA");
479 update->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
480 update->nlmsg_type = XFRM_MSG_UPDSA;
481
482 struct xfrm_usersa_info *sa = (struct xfrm_usersa_info*)NLMSG_DATA(update);
483 if (src_changes & HOST_DIFF_ADDR)
484 {
485 sa->saddr = new_src->get_xfrm_addr(new_src);
486 }
487
488 if (dst_changes & HOST_DIFF_ADDR)
489 {
490 this->logger->log(this->logger, CONTROL|LEVEL2, "destination address changed! replacing SA");
491
492 update->nlmsg_type = XFRM_MSG_NEWSA;
493 sa->id.daddr = new_dst->get_xfrm_addr(new_dst);
494 }
495
496 if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
497 {
498 struct rtattr *rthdr = XFRM_RTA(update, struct xfrm_usersa_info);
499 size_t rtsize = XFRM_PAYLOAD(update, struct xfrm_usersa_info);
500 while (RTA_OK(rthdr, rtsize))
501 {
502 if (rthdr->rta_type == XFRMA_ENCAP)
503 {
504 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
505 encap->encap_sport = ntohs(new_src->get_port(new_src));
506 encap->encap_dport = ntohs(new_dst->get_port(new_dst));
507 break;
508 }
509 rthdr = RTA_NEXT(rthdr, rtsize);
510 }
511 }
512
513 if (this->send_message(this, update, &response) != SUCCESS)
514 {
515 this->logger->log(this->logger, ERROR, "netlink communication failed");
516 free(update);
517 return FAILED;
518 }
519 else if (response->nlmsg_type != NLMSG_ERROR)
520 {
521 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_XXXSA not acknowledged");
522 status = FAILED;
523 }
524 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
525 {
526 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_XXXSA got an error: %s",
527 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
528 status = FAILED;
529 }
530 else if (dst_changes & HOST_DIFF_ADDR)
531 {
532 this->logger->log(this->logger, CONTROL|LEVEL2, "deleting old SA");
533 status = this->public.del_sa(&this->public, dst, spi, protocol);
534 }
535
536 free(update);
537 free(response);
538 return status;
539 }
540
541 static status_t del_sa( private_kernel_interface_t *this,
542 host_t *dst,
543 u_int32_t spi,
544 protocol_id_t protocol)
545 {
546 unsigned char request[BUFFER_SIZE];
547 struct nlmsghdr *response;
548
549 memset(&request, 0, sizeof(request));
550 status_t status = SUCCESS;
551
552 this->logger->log(this->logger, CONTROL|LEVEL2, "deleting SA");
553
554 struct nlmsghdr *hdr = (struct nlmsghdr*)request;
555 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
556 hdr->nlmsg_type = XFRM_MSG_DELSA;
557 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
558
559 struct xfrm_usersa_id *sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
560 sa_id->daddr = dst->get_xfrm_addr(dst);
561 sa_id->spi = spi;
562 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
563 sa_id->family = dst->get_family(dst);
564
565 if (this->send_message(this, hdr, &response) != SUCCESS)
566 {
567 this->logger->log(this->logger, ERROR, "netlink communication failed");
568 return FAILED;
569 }
570 else if (response->nlmsg_type != NLMSG_ERROR)
571 {
572 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_DELSA not acknowledged");
573 status = FAILED;
574 }
575 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
576 {
577 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_DELSA got an error: %s",
578 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
579 status = FAILED;
580 }
581
582 free(response);
583 return status;
584 }
585
586 /**
587 * Implementation of kernel_interface_t.add_policy.
588 */
589 static status_t add_policy(private_kernel_interface_t *this,
590 host_t *me, host_t *other,
591 host_t *src, host_t *dst,
592 u_int8_t src_hostbits, u_int8_t dst_hostbits,
593 int direction, int upper_proto,
594 protocol_id_t protocol,
595 u_int32_t reqid)
596 {
597 unsigned char request[BUFFER_SIZE];
598 struct nlmsghdr *response;
599
600 memset(&request, 0, sizeof(request));
601 status_t status = SUCCESS;
602
603 this->logger->log(this->logger, CONTROL|LEVEL2, "adding policy");
604
605 struct nlmsghdr *hdr = (struct nlmsghdr*)request;
606 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
607 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
608 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
609
610 struct xfrm_userpolicy_info *policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
611
612 policy->sel.sport = htons(src->get_port(src));
613 policy->sel.sport_mask = (policy->sel.sport) ? ~0 : 0;
614 policy->sel.saddr = src->get_xfrm_addr(src);
615 policy->sel.prefixlen_s = src_hostbits;
616
617 policy->sel.dport = htons(dst->get_port(dst));
618 policy->sel.dport_mask = (policy->sel.dport) ? ~0 : 0;
619 policy->sel.daddr = dst->get_xfrm_addr(dst);
620 policy->sel.prefixlen_d = dst_hostbits;
621
622 policy->sel.proto = upper_proto;
623 policy->sel.family = src->get_family(src);
624
625 policy->dir = direction;
626 policy->priority = SPD_PRIORITY;
627 policy->action = XFRM_POLICY_ALLOW;
628 policy->share = XFRM_SHARE_ANY;
629
630 /* policies currently don't expire */
631 policy->lft.soft_byte_limit = XFRM_INF;
632 policy->lft.soft_packet_limit = XFRM_INF;
633 policy->lft.hard_byte_limit = XFRM_INF;
634 policy->lft.hard_packet_limit = XFRM_INF;
635 policy->lft.soft_add_expires_seconds = 0;
636 policy->lft.hard_add_expires_seconds = 0;
637 policy->lft.soft_use_expires_seconds = 0;
638 policy->lft.hard_use_expires_seconds = 0;
639
640 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
641 rthdr->rta_type = XFRMA_TMPL;
642
643 rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
644 rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
645
646 hdr->nlmsg_len += rthdr->rta_len;
647 if (hdr->nlmsg_len > sizeof(request))
648 {
649 return FAILED;
650 }
651
652 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
653 tmpl->reqid = reqid;
654 tmpl->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
655 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
656 tmpl->mode = TRUE;
657
658 tmpl->saddr = me->get_xfrm_addr(me);
659 tmpl->id.daddr = other->get_xfrm_addr(other);
660
661 if (this->send_message(this, hdr, &response) != SUCCESS)
662 {
663 this->logger->log(this->logger, ERROR, "netlink communication failed");
664 return FAILED;
665 }
666 else if (response->nlmsg_type != NLMSG_ERROR)
667 {
668 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_NEWPOLICY not acknowledged");
669 status = FAILED;
670 }
671 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
672 {
673 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_NEWPOLICY got an error: %s",
674 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
675 status = FAILED;
676 }
677
678 free(response);
679 return status;
680 }
681
682 static status_t query_policy(private_kernel_interface_t *this,
683 host_t *me, host_t *other,
684 host_t *src, host_t *dst,
685 u_int8_t src_hostbits, u_int8_t dst_hostbits,
686 int direction, int upper_proto,
687 time_t *use_time)
688 {
689 unsigned char request[BUFFER_SIZE];
690 struct nlmsghdr *response;
691
692 memset(&request, 0, sizeof(request));
693 status_t status = SUCCESS;
694
695 this->logger->log(this->logger, CONTROL|LEVEL2, "querying policy");
696
697 struct nlmsghdr *hdr = (struct nlmsghdr*)request;
698 hdr->nlmsg_flags = NLM_F_REQUEST;
699 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
700 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
701
702 struct xfrm_userpolicy_id *policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
703 policy_id->sel.sport = htons(src->get_port(src));
704 policy_id->sel.sport_mask = (policy_id->sel.sport) ? ~0 : 0;
705 policy_id->sel.saddr = src->get_xfrm_addr(src);
706 policy_id->sel.prefixlen_s = src_hostbits;
707
708 policy_id->sel.dport = htons(dst->get_port(dst));
709 policy_id->sel.dport_mask = (policy_id->sel.dport) ? ~0 : 0;
710 policy_id->sel.daddr = dst->get_xfrm_addr(dst);
711 policy_id->sel.prefixlen_d = dst_hostbits;
712
713 policy_id->sel.proto = upper_proto;
714 policy_id->sel.family = src->get_family(src);
715
716 policy_id->dir = direction;
717
718 if (this->send_message(this, hdr, &response) != SUCCESS)
719 {
720 this->logger->log(this->logger, ERROR, "netlink communication failed");
721 return FAILED;
722 }
723 else if (response->nlmsg_type == NLMSG_ERROR)
724 {
725 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_GETPOLICY got an error: %s",
726 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
727 free(response);
728 return FAILED;
729 }
730 else if (response->nlmsg_type != XFRM_MSG_NEWPOLICY)
731 {
732 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_GETPOLICY got an unknown reply");
733 free(response);
734 return FAILED;
735 }
736 else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info)))
737 {
738 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_GETPOLICY got an invalid reply");
739 free(response);
740 return FAILED;
741 }
742
743 struct xfrm_userpolicy_info *policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(response);
744
745 *use_time = (time_t)policy->curlft.use_time;
746
747 free(response);
748 return status;
749 }
750
751 /**
752 * Implementation of kernel_interface_t.del_policy.
753 */
754 static status_t del_policy(private_kernel_interface_t *this,
755 host_t *me, host_t *other,
756 host_t *src, host_t *dst,
757 u_int8_t src_hostbits, u_int8_t dst_hostbits,
758 int direction, int upper_proto)
759 {
760 unsigned char request[BUFFER_SIZE];
761 struct nlmsghdr *response;
762
763 memset(&request, 0, sizeof(request));
764 status_t status = SUCCESS;
765
766 this->logger->log(this->logger, CONTROL|LEVEL2, "deleting policy");
767
768 struct nlmsghdr *hdr = (struct nlmsghdr*)request;
769 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
770 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
771 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
772
773 struct xfrm_userpolicy_id *policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
774 policy_id->sel.sport = htons(src->get_port(src));
775 policy_id->sel.sport_mask = (policy_id->sel.sport) ? ~0 : 0;
776 policy_id->sel.saddr = src->get_xfrm_addr(src);
777 policy_id->sel.prefixlen_s = src_hostbits;
778
779 policy_id->sel.dport = htons(dst->get_port(dst));
780 policy_id->sel.dport_mask = (policy_id->sel.dport) ? ~0 : 0;
781 policy_id->sel.daddr = dst->get_xfrm_addr(dst);
782 policy_id->sel.prefixlen_d = dst_hostbits;
783
784 policy_id->sel.proto = upper_proto;
785 policy_id->sel.family = src->get_family(src);
786
787 policy_id->dir = direction;
788
789 if (this->send_message(this, hdr, &response) != SUCCESS)
790 {
791 this->logger->log(this->logger, ERROR, "netlink communication failed");
792 return FAILED;
793 }
794 else if (response->nlmsg_type != NLMSG_ERROR)
795 {
796 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_DELPOLICY not acknowledged");
797 status = FAILED;
798 }
799 else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
800 {
801 this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_DELPOLICY got an error: %s",
802 strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
803 status = FAILED;
804 }
805
806 free(response);
807 return status;
808 }
809
810 /**
811 * Implementation of private_kernel_interface_t.send_message.
812 */
813 static status_t send_message(private_kernel_interface_t *this, struct nlmsghdr *request, struct nlmsghdr **response)
814 {
815 size_t length;
816 struct sockaddr_nl addr;
817
818 request->nlmsg_seq = ++this->seq;
819 request->nlmsg_pid = 0;
820
821 memset(&addr, 0, sizeof(struct sockaddr_nl));
822 addr.nl_family = AF_NETLINK;
823 addr.nl_pid = 0;
824 addr.nl_groups = 0;
825
826 length = sendto(this->socket,(void *)request, request->nlmsg_len, 0, (struct sockaddr *)&addr, sizeof(addr));
827
828 if (length < 0)
829 {
830 return FAILED;
831 }
832 else if (length != request->nlmsg_len)
833 {
834 return FAILED;
835 }
836
837 pthread_mutex_lock(&(this->mutex));
838
839 while (TRUE)
840 {
841 iterator_t *iterator;
842 bool found = FALSE;
843 /* search list, break if found */
844 iterator = this->responses->create_iterator(this->responses, TRUE);
845 while (iterator->has_next(iterator))
846 {
847 struct nlmsghdr *listed_response;
848 iterator->current(iterator, (void**)&listed_response);
849 if (listed_response->nlmsg_seq == request->nlmsg_seq)
850 {
851 /* matches our request, this is the reply */
852 *response = listed_response;
853 iterator->remove(iterator);
854 found = TRUE;
855 break;
856 }
857 }
858 iterator->destroy(iterator);
859
860 if (found)
861 {
862 break;
863 }
864 /* TODO: we should time out, if something goes wrong!??? */
865 pthread_cond_wait(&(this->condvar), &(this->mutex));
866 }
867
868 pthread_mutex_unlock(&(this->mutex));
869
870 return SUCCESS;
871 }
872
873 /**
874 * Implementation of private_kernel_interface_t.receive_messages.
875 */
876 static void receive_messages(private_kernel_interface_t *this)
877 {
878 while(TRUE)
879 {
880 unsigned char response[BUFFER_SIZE];
881 struct nlmsghdr *hdr, *listed_response;
882 while (TRUE)
883 {
884 struct sockaddr_nl addr;
885 socklen_t addr_length;
886 size_t length;
887
888 addr_length = sizeof(addr);
889
890 length = recvfrom(this->socket, &response, sizeof(response), 0, (struct sockaddr*)&addr, &addr_length);
891 if (length < 0)
892 {
893 if (errno == EINTR)
894 {
895 /* interrupted, try again */
896 continue;
897 }
898 charon->kill(charon, "receiving from netlink socket failed");
899 }
900 if (!NLMSG_OK((struct nlmsghdr *)response, length))
901 {
902 /* bad netlink message */
903 continue;
904 }
905 if (addr.nl_pid != 0)
906 {
907 /* not from kernel. not interested, try another one */
908 continue;
909 }
910 /* good message, handle it */
911 break;
912 }
913
914 /* we handle ACQUIRE and EXPIRE messages directly
915 */
916 hdr = (struct nlmsghdr*)response;
917 if (hdr->nlmsg_type == XFRM_MSG_ACQUIRE)
918 {
919 this->logger->log(this->logger, CONTROL,
920 "Received a XFRM_MSG_ACQUIRE. Ignored");
921 }
922 else if (hdr->nlmsg_type == XFRM_MSG_EXPIRE)
923 {
924 job_t *job;
925 protocol_id_t protocol;
926 u_int32_t spi;
927 struct xfrm_user_expire *expire;
928
929 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
930 protocol = expire->state.id.proto == KERNEL_ESP ?
931 PROTO_ESP : PROTO_AH;
932 spi = expire->state.id.spi;
933
934 this->logger->log(this->logger, CONTROL|LEVEL1,
935 "Received a XFRM_MSG_EXPIRE");
936 this->logger->log(this->logger, CONTROL,
937 "creating %s job for %s CHILD_SA 0x%x",
938 expire->hard ? "delete" : "rekey",
939 mapping_find(protocol_id_m, protocol), ntohl(spi));
940 if (expire->hard)
941 {
942 job = (job_t*)delete_child_sa_job_create(protocol, spi);
943 }
944 else
945 {
946 job = (job_t*)rekey_child_sa_job_create(protocol, spi);
947 }
948 charon->job_queue->add(charon->job_queue, job);
949 }
950 /* NLMSG_ERROR is sent back for acknowledge (or on error), an
951 * XFRM_MSG_NEWSA is returned when we alloc spis and when
952 * updating SAs.
953 * XFRM_MSG_NEWPOLICY is returned when we query a policy.
954 * list these responses for the sender
955 */
956 else if (hdr->nlmsg_type == NLMSG_ERROR ||
957 hdr->nlmsg_type == XFRM_MSG_NEWSA ||
958 hdr->nlmsg_type == XFRM_MSG_NEWPOLICY)
959 {
960 /* add response to queue */
961 listed_response = malloc(hdr->nlmsg_len);
962 memcpy(listed_response, &response, hdr->nlmsg_len);
963
964 pthread_mutex_lock(&(this->mutex));
965 this->responses->insert_last(this->responses, (void*)listed_response);
966 pthread_mutex_unlock(&(this->mutex));
967 /* signal ALL waiting threads */
968 pthread_cond_broadcast(&(this->condvar));
969 }
970 /* we are not interested in anything other.
971 * anyway, move on to the next message */
972 continue;
973 }
974 }
975
976 /**
977 * Implementation of kernel_interface_t.destroy.
978 */
979 static void destroy(private_kernel_interface_t *this)
980 {
981 pthread_cancel(this->thread);
982 pthread_join(this->thread, NULL);
983 close(this->socket);
984 this->responses->destroy(this->responses);
985 free(this);
986 }
987
988 /*
989 * Described in header.
990 */
991 kernel_interface_t *kernel_interface_create()
992 {
993 struct sockaddr_nl addr;
994 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
995
996 /* public functions */
997 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
998 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,bool))add_sa;
999 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*, host_t*,host_t*,host_t*,u_int8_t,u_int8_t,int,int,protocol_id_t,u_int32_t))add_policy;
1000 this->public.update_sa_hosts = (status_t(*)(kernel_interface_t*,host_t*,host_t*,host_t*,host_t*,int,int,u_int32_t,protocol_id_t))update_sa_hosts;
1001 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1002 this->public.query_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,host_t*,host_t*,u_int8_t,u_int8_t,int,int,time_t*))query_policy;
1003 this->public.del_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,host_t*,host_t*,u_int8_t,u_int8_t,int,int))del_policy;
1004
1005 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
1006
1007 /* private members */
1008 this->receive_messages = receive_messages;
1009 this->send_message = send_message;
1010 this->pid = getpid();
1011 this->responses = linked_list_create();
1012 this->logger = logger_manager->get_logger(logger_manager, XFRM);
1013 pthread_mutex_init(&(this->mutex),NULL);
1014 pthread_cond_init(&(this->condvar),NULL);
1015 this->seq = 0;
1016
1017 /* open netlink socket */
1018 this->socket = socket(PF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1019 if (this->socket <= 0)
1020 {
1021 this->responses->destroy(this->responses);
1022 free(this);
1023 charon->kill(charon, "Unable to create netlink socket");
1024 }
1025
1026 /* bind the socket and reqister for ACQUIRE & EXPIRE */
1027 addr.nl_family = AF_NETLINK;
1028 addr.nl_pid = getpid();
1029 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
1030 if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)) != 0)
1031 {
1032 this->responses->destroy(this->responses);
1033 close(this->socket);
1034 free(this);
1035 charon->kill(charon, "Unable to bind netlink socket");
1036 }
1037
1038 if (pthread_create(&(this->thread), NULL, (void*(*)(void*))this->receive_messages, this) != 0)
1039 {
1040 this->responses->destroy(this->responses);
1041 close(this->socket);
1042 free(this);
1043 charon->kill(charon, "Unable to create netlink thread");
1044 }
1045
1046 return (&this->public);
1047 }