disabling routing for IPv6, does not work correctly
[strongswan.git] / src / charon / threads / kernel_interface.c
1 /**
2 * @file kernel_interface.c
3 *
4 * @brief Implementation of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2006-2007 Tobias Brunner
11 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
12 * Copyright (C) 2006 Daniel Roethlisberger
13 * Copyright (C) 2005 Jan Hutter
14 * Hochschule fuer Technik Rapperswil
15 * Copyright (C) 2003 Herbert Xu.
16 *
17 * Based on xfrm code from pluto.
18 *
19 * This program is free software; you can redistribute it and/or modify it
20 * under the terms of the GNU General Public License as published by the
21 * Free Software Foundation; either version 2 of the License, or (at your
22 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
23 *
24 * This program is distributed in the hope that it will be useful, but
25 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
26 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 * for more details.
28 */
29
30 #include <sys/types.h>
31 #include <sys/socket.h>
32 #include <linux/netlink.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/xfrm.h>
35 #include <linux/udp.h>
36 #include <pthread.h>
37 #include <unistd.h>
38 #include <fcntl.h>
39 #include <errno.h>
40 #include <string.h>
41 #include <net/if.h>
42 #include <sys/ioctl.h>
43 #include <ifaddrs.h>
44
45 #include "kernel_interface.h"
46
47 #include <daemon.h>
48 #include <utils/linked_list.h>
49 #include <queues/jobs/delete_child_sa_job.h>
50 #include <queues/jobs/rekey_child_sa_job.h>
51 #include <queues/jobs/acquire_job.h>
52
53 /** kernel level protocol identifiers */
54 #define KERNEL_ESP 50
55 #define KERNEL_AH 51
56
57 /** default priority of installed policies */
58 #define PRIO_LOW 3000
59 #define PRIO_HIGH 2000
60
61 #define BUFFER_SIZE 1024
62
63 /**
64 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
65 * 'usual' netlink data x like 'struct xfrm_usersa_info'
66 */
67 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
68 /**
69 * returns a pointer to the next rtattr following rta.
70 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
71 */
72 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
73 /**
74 * returns the total size of attached rta data
75 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
76 */
77 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
78
79 typedef struct kernel_algorithm_t kernel_algorithm_t;
80
81 /**
82 * Mapping from the algorithms defined in IKEv2 to
83 * kernel level algorithm names and their key length
84 */
85 struct kernel_algorithm_t {
86 /**
87 * Identifier specified in IKEv2
88 */
89 int ikev2_id;
90
91 /**
92 * Name of the algorithm, as used as kernel identifier
93 */
94 char *name;
95
96 /**
97 * Key length in bits, if fixed size
98 */
99 u_int key_size;
100 };
101 #define END_OF_LIST -1
102
103 /**
104 * Algorithms for encryption
105 */
106 kernel_algorithm_t encryption_algs[] = {
107 /* {ENCR_DES_IV64, "***", 0}, */
108 {ENCR_DES, "des", 64},
109 {ENCR_3DES, "des3_ede", 192},
110 /* {ENCR_RC5, "***", 0}, */
111 /* {ENCR_IDEA, "***", 0}, */
112 {ENCR_CAST, "cast128", 0},
113 {ENCR_BLOWFISH, "blowfish", 0},
114 /* {ENCR_3IDEA, "***", 0}, */
115 /* {ENCR_DES_IV32, "***", 0}, */
116 {ENCR_NULL, "cipher_null", 0},
117 {ENCR_AES_CBC, "aes", 0},
118 /* {ENCR_AES_CTR, "***", 0}, */
119 {END_OF_LIST, NULL, 0},
120 };
121
122 /**
123 * Algorithms for integrity protection
124 */
125 kernel_algorithm_t integrity_algs[] = {
126 {AUTH_HMAC_MD5_96, "md5", 128},
127 {AUTH_HMAC_SHA1_96, "sha1", 160},
128 {AUTH_HMAC_SHA2_256_128, "sha256", 256},
129 {AUTH_HMAC_SHA2_384_192, "sha384", 384},
130 {AUTH_HMAC_SHA2_512_256, "sha512", 512},
131 /* {AUTH_DES_MAC, "***", 0}, */
132 /* {AUTH_KPDK_MD5, "***", 0}, */
133 /* {AUTH_AES_XCBC_96, "***", 0}, */
134 {END_OF_LIST, NULL, 0},
135 };
136
137 /**
138 * Look up a kernel algorithm name and its key size
139 */
140 char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
141 algorithm_t *ikev2_algo, u_int *key_size)
142 {
143 while (kernel_algo->ikev2_id != END_OF_LIST)
144 {
145 if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
146 {
147 /* match, evaluate key length */
148 if (ikev2_algo->key_size)
149 { /* variable length */
150 *key_size = ikev2_algo->key_size;
151 }
152 else
153 { /* fixed length */
154 *key_size = kernel_algo->key_size;
155 }
156 return kernel_algo->name;
157 }
158 kernel_algo++;
159 }
160 return NULL;
161 }
162
163 typedef struct route_entry_t route_entry_t;
164
165 /**
166 * installed routing entry
167 */
168 struct route_entry_t {
169
170 /** Index of the interface the route is bound to */
171 int if_index;
172
173 /** Source ip of the route */
174 host_t *src_ip;
175
176 /** Destination net */
177 chunk_t dst_net;
178
179 /** Destination net prefixlen */
180 u_int8_t prefixlen;
181 };
182
183 /**
184 * destroy an route_entry_t object
185 */
186 static void route_entry_destroy(route_entry_t *this)
187 {
188 this->src_ip->destroy(this->src_ip);
189 chunk_free(&this->dst_net);
190 free(this);
191 }
192
193 typedef struct policy_entry_t policy_entry_t;
194
195 /**
196 * installed kernel policy.
197 */
198 struct policy_entry_t {
199
200 /** direction of this policy: in, out, forward */
201 u_int8_t direction;
202
203 /** reqid of the policy */
204 u_int32_t reqid;
205
206 /** parameters of installed policy */
207 struct xfrm_selector sel;
208
209 /** associated route installed for this policy */
210 route_entry_t *route;
211
212 /** by how many CHILD_SA's this policy is used */
213 u_int refcount;
214 };
215
216 typedef struct vip_entry_t vip_entry_t;
217
218 /**
219 * Installed virtual ip
220 */
221 struct vip_entry_t {
222 /** Index of the interface the ip is bound to */
223 u_int8_t if_index;
224
225 /** The ip address */
226 host_t *ip;
227
228 /** Number of times this IP is used */
229 u_int refcount;
230 };
231
232 /**
233 * destroy a vip_entry_t object
234 */
235 static void vip_entry_destroy(vip_entry_t *this)
236 {
237 this->ip->destroy(this->ip);
238 free(this);
239 }
240
241 typedef struct address_entry_t address_entry_t;
242
243 /**
244 * an address found on the system, containg address and interface info
245 */
246 struct address_entry_t {
247
248 /** address of this entry */
249 host_t *host;
250
251 /** interface index */
252 int ifindex;
253
254 /** name of the index */
255 char ifname[IFNAMSIZ];
256 };
257
258 /**
259 * destroy an address entry
260 */
261 static void address_entry_destroy(address_entry_t *this)
262 {
263 this->host->destroy(this->host);
264 free(this);
265 }
266
267 typedef struct private_kernel_interface_t private_kernel_interface_t;
268
269 /**
270 * Private variables and functions of kernel_interface class.
271 */
272 struct private_kernel_interface_t {
273 /**
274 * Public part of the kernel_interface_t object.
275 */
276 kernel_interface_t public;
277
278 /**
279 * List of installed policies (kernel_entry_t)
280 */
281 linked_list_t *policies;
282
283 /**
284 * Mutex locks access to policies
285 */
286 pthread_mutex_t policies_mutex;
287
288 /**
289 * List of installed virtual IPs. (vip_entry_t)
290 */
291 linked_list_t *vips;
292
293 /**
294 * Mutex to lock access to vips.
295 */
296 pthread_mutex_t vips_mutex;
297
298 /**
299 * netlink xfrm socket to receive acquire and expire events
300 */
301 int socket_xfrm_events;
302
303 /**
304 * Netlink xfrm socket (IPsec)
305 */
306 int socket_xfrm;
307
308 /**
309 * Netlink rt socket (routing)
310 */
311 int socket_rt;
312
313 /**
314 * Thread receiving events from kernel
315 */
316 pthread_t event_thread;
317 };
318
319 /**
320 * convert a host_t to a struct xfrm_address
321 */
322 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
323 {
324 chunk_t chunk = host->get_address(host);
325 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
326 }
327
328 /**
329 * convert a traffic selector address range to subnet and its mask.
330 */
331 static void ts2subnet(traffic_selector_t* ts,
332 xfrm_address_t *net, u_int8_t *mask)
333 {
334 /* there is no way to do this cleanly, as the address range may
335 * be anything else but a subnet. We use from_addr as subnet
336 * and try to calculate a usable subnet mask.
337 */
338 int byte, bit;
339 bool found = FALSE;
340 chunk_t from, to;
341 size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
342
343 from = ts->get_from_address(ts);
344 to = ts->get_to_address(ts);
345
346 *mask = (size * 8);
347 /* go trough all bits of the addresses, beginning in the front.
348 * as long as they are equal, the subnet gets larger
349 */
350 for (byte = 0; byte < size; byte++)
351 {
352 for (bit = 7; bit >= 0; bit--)
353 {
354 if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
355 {
356 *mask = ((7 - bit) + (byte * 8));
357 found = TRUE;
358 break;
359 }
360 }
361 if (found)
362 {
363 break;
364 }
365 }
366 memcpy(net, from.ptr, from.len);
367 chunk_free(&from);
368 chunk_free(&to);
369 }
370
371 /**
372 * convert a traffic selector port range to port/portmask
373 */
374 static void ts2ports(traffic_selector_t* ts,
375 u_int16_t *port, u_int16_t *mask)
376 {
377 /* linux does not seem to accept complex portmasks. Only
378 * any or a specific port is allowed. We set to any, if we have
379 * a port range, or to a specific, if we have one port only.
380 */
381 u_int16_t from, to;
382
383 from = ts->get_from_port(ts);
384 to = ts->get_to_port(ts);
385
386 if (from == to)
387 {
388 *port = htons(from);
389 *mask = ~0;
390 }
391 else
392 {
393 *port = 0;
394 *mask = 0;
395 }
396 }
397
398 /**
399 * convert a pair of traffic_selectors to a xfrm_selector
400 */
401 static struct xfrm_selector ts2selector(traffic_selector_t *src,
402 traffic_selector_t *dst)
403 {
404 struct xfrm_selector sel;
405
406 memset(&sel, 0, sizeof(sel));
407 sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
408 /* src or dest proto may be "any" (0), use more restrictive one */
409 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
410 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
411 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
412 ts2ports(dst, &sel.dport, &sel.dport_mask);
413 ts2ports(src, &sel.sport, &sel.sport_mask);
414 sel.ifindex = 0;
415 sel.user = 0;
416
417 return sel;
418 }
419
420 /**
421 * Creates an rtattr and adds it to the netlink message
422 */
423 static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
424 size_t buflen)
425 {
426 struct rtattr *rta;
427
428 if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
429 {
430 DBG1(DBG_KNL, "unable to add attribute, buffer too small");
431 return;
432 }
433
434 rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
435 rta->rta_type = rta_type;
436 rta->rta_len = RTA_LENGTH(data.len);
437 memcpy(RTA_DATA(rta), data.ptr, data.len);
438 hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
439 }
440
441 /**
442 * Receives events from kernel
443 */
444 static void receive_events(private_kernel_interface_t *this)
445 {
446 while(TRUE)
447 {
448 unsigned char response[512];
449 struct nlmsghdr *hdr;
450 struct sockaddr_nl addr;
451 socklen_t addr_len = sizeof(addr);
452 int len;
453
454 hdr = (struct nlmsghdr*)response;
455 len = recvfrom(this->socket_xfrm_events, response, sizeof(response),
456 0, (struct sockaddr*)&addr, &addr_len);
457 if (len < 0)
458 {
459 if (errno == EINTR)
460 {
461 /* interrupted, try again */
462 continue;
463 }
464 charon->kill(charon, "unable to receive netlink events");
465 }
466
467 if (!NLMSG_OK(hdr, len))
468 {
469 /* bad netlink message */
470 continue;
471 }
472
473 if (addr.nl_pid != 0)
474 {
475 /* not from kernel. not interested, try another one */
476 continue;
477 }
478
479 /* we handle ACQUIRE and EXPIRE messages directly */
480 if (hdr->nlmsg_type == XFRM_MSG_ACQUIRE)
481 {
482 u_int32_t reqid = 0;
483 job_t *job;
484 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
485 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
486 if (RTA_OK(rtattr, rtsize))
487 {
488 if (rtattr->rta_type == XFRMA_TMPL)
489 {
490 struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
491 reqid = tmpl->reqid;
492 }
493 }
494 if (reqid == 0)
495 {
496 DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
497 }
498 else
499 {
500 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
501 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d",
502 reqid);
503 job = (job_t*)acquire_job_create(reqid);
504 charon->job_queue->add(charon->job_queue, job);
505 }
506 }
507 else if (hdr->nlmsg_type == XFRM_MSG_EXPIRE)
508 {
509 job_t *job;
510 protocol_id_t protocol;
511 u_int32_t spi, reqid;
512 struct xfrm_user_expire *expire;
513
514 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
515 protocol = expire->state.id.proto == KERNEL_ESP ?
516 PROTO_ESP : PROTO_AH;
517 spi = expire->state.id.spi;
518 reqid = expire->state.reqid;
519
520 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
521 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
522 expire->hard ? "delete" : "rekey", protocol_id_names,
523 protocol, spi, reqid);
524 if (expire->hard)
525 {
526 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
527 }
528 else
529 {
530 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
531 }
532 charon->job_queue->add(charon->job_queue, job);
533 }
534 }
535 }
536
537 /**
538 * send a netlink message and wait for a reply
539 */
540 static status_t netlink_send(int socket, struct nlmsghdr *in,
541 struct nlmsghdr **out, size_t *out_len)
542 {
543 int len, addr_len;
544 struct sockaddr_nl addr;
545 chunk_t result = chunk_empty, tmp;
546 struct nlmsghdr *msg, peek;
547
548 static int seq = 200;
549 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
550
551
552 pthread_mutex_lock(&mutex);
553
554 in->nlmsg_seq = ++seq;
555 in->nlmsg_pid = getpid();
556
557 memset(&addr, 0, sizeof(addr));
558 addr.nl_family = AF_NETLINK;
559 addr.nl_pid = 0;
560 addr.nl_groups = 0;
561
562 while (TRUE)
563 {
564 len = sendto(socket, in, in->nlmsg_len, 0,
565 (struct sockaddr*)&addr, sizeof(addr));
566
567 if (len != in->nlmsg_len)
568 {
569 if (errno == EINTR)
570 {
571 /* interrupted, try again */
572 continue;
573 }
574 pthread_mutex_unlock(&mutex);
575 DBG1(DBG_KNL, "error sending to netlink socket: %m");
576 return FAILED;
577 }
578 break;
579 }
580
581 while (TRUE)
582 {
583 char buf[1024];
584 tmp.len = sizeof(buf);
585 tmp.ptr = buf;
586 msg = (struct nlmsghdr*)tmp.ptr;
587
588 memset(&addr, 0, sizeof(addr));
589 addr.nl_family = AF_NETLINK;
590 addr.nl_pid = getpid();
591 addr.nl_groups = 0;
592 addr_len = sizeof(addr);
593
594 len = recvfrom(socket, tmp.ptr, tmp.len, 0,
595 (struct sockaddr*)&addr, &addr_len);
596
597 if (len < 0)
598 {
599 if (errno == EINTR)
600 {
601 DBG1(DBG_IKE, "got interrupted");
602 /* interrupted, try again */
603 continue;
604 }
605 DBG1(DBG_IKE, "error reading from netlink socket: %m");
606 pthread_mutex_unlock(&mutex);
607 return FAILED;
608 }
609 if (!NLMSG_OK(msg, len))
610 {
611 DBG1(DBG_IKE, "received corrupted netlink message");
612 pthread_mutex_unlock(&mutex);
613 return FAILED;
614 }
615 if (msg->nlmsg_seq != seq)
616 {
617 DBG1(DBG_IKE, "received invalid netlink sequence number");
618 if (msg->nlmsg_seq < seq)
619 {
620 continue;
621 }
622 pthread_mutex_unlock(&mutex);
623 return FAILED;
624 }
625
626 tmp.len = len;
627 result = chunk_cata("cc", result, tmp);
628
629 /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
630 * numbers to detect multi header messages */
631 len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
632 (struct sockaddr*)&addr, &addr_len);
633
634 if (len == sizeof(peek) && peek.nlmsg_seq == seq)
635 {
636 /* seems to be multipart */
637 continue;
638 }
639 break;
640 }
641
642 *out_len = result.len;
643 *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
644
645 pthread_mutex_unlock(&mutex);
646
647 return SUCCESS;
648 }
649
650 /**
651 * send a netlink message and wait for its acknowlegde
652 */
653 static status_t netlink_send_ack(int socket, struct nlmsghdr *in)
654 {
655 struct nlmsghdr *out, *hdr;
656 size_t len;
657
658 if (netlink_send(socket, in, &out, &len) != SUCCESS)
659 {
660 return FAILED;
661 }
662 hdr = out;
663 while (NLMSG_OK(hdr, len))
664 {
665 switch (hdr->nlmsg_type)
666 {
667 case NLMSG_ERROR:
668 {
669 struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
670
671 if (err->error)
672 {
673 DBG1(DBG_KNL, "received netlink error: %s (%d)",
674 strerror(-err->error), -err->error);
675 free(out);
676 return FAILED;
677 }
678 free(out);
679 return SUCCESS;
680 }
681 default:
682 hdr = NLMSG_NEXT(hdr, len);
683 continue;
684 case NLMSG_DONE:
685 break;
686 }
687 break;
688 }
689 DBG1(DBG_KNL, "netlink request not acknowlegded");
690 free(out);
691 return FAILED;
692 }
693
694 /**
695 * Create a list of local addresses.
696 */
697 static linked_list_t *create_address_list(private_kernel_interface_t *this)
698 {
699 char request[BUFFER_SIZE];
700 struct nlmsghdr *out, *hdr;
701 struct rtgenmsg *msg;
702 size_t len;
703 linked_list_t *list;
704
705 DBG2(DBG_IKE, "getting local address list");
706
707 list = linked_list_create();
708
709 memset(&request, 0, sizeof(request));
710
711 hdr = (struct nlmsghdr*)&request;
712 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
713 hdr->nlmsg_type = RTM_GETADDR;
714 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
715 msg = (struct rtgenmsg*)NLMSG_DATA(hdr);
716 msg->rtgen_family = AF_UNSPEC;
717
718 if (netlink_send(this->socket_rt, hdr, &out, &len) == SUCCESS)
719 {
720 hdr = out;
721 while (NLMSG_OK(hdr, len))
722 {
723 switch (hdr->nlmsg_type)
724 {
725 case RTM_NEWADDR:
726 {
727 struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
728 struct rtattr *rta = IFA_RTA(msg);
729 size_t rtasize = IFA_PAYLOAD (hdr);
730 host_t *host = NULL;
731 char *name = NULL;
732 chunk_t chunk;
733
734 while(RTA_OK(rta, rtasize))
735 {
736 switch (rta->rta_type)
737 {
738 case IFA_ADDRESS:
739 chunk.ptr = RTA_DATA(rta);
740 chunk.len = RTA_PAYLOAD(rta);
741 host = host_create_from_chunk(msg->ifa_family,
742 chunk, 0);
743 break;
744 case IFA_LABEL:
745 name = RTA_DATA(rta);
746 }
747 rta = RTA_NEXT(rta, rtasize);
748 }
749
750 if (host)
751 {
752 address_entry_t *entry;
753
754 entry = malloc_thing(address_entry_t);
755 entry->host = host;
756 entry->ifindex = msg->ifa_index;
757 if (name)
758 {
759 memcpy(entry->ifname, name, IFNAMSIZ);
760 }
761 else
762 {
763 strcpy(entry->ifname, "(unknown)");
764 }
765 list->insert_last(list, entry);
766 }
767 hdr = NLMSG_NEXT(hdr, len);
768 continue;
769 }
770 default:
771 hdr = NLMSG_NEXT(hdr, len);
772 continue;
773 case NLMSG_DONE:
774 break;
775 }
776 break;
777 }
778 free(out);
779 }
780 else
781 {
782 DBG1(DBG_IKE, "unable to get local address list");
783 }
784
785 return list;
786 }
787
788 /**
789 * Implements kernel_interface_t.create_address_list.
790 */
791 static linked_list_t *create_address_list_public(private_kernel_interface_t *this)
792 {
793 linked_list_t *result, *list;
794 address_entry_t *entry;
795
796 result = linked_list_create();
797 list = create_address_list(this);
798 while (list->remove_last(list, (void**)&entry) == SUCCESS)
799 {
800 result->insert_last(result, entry->host);
801 free(entry);
802 }
803 list->destroy(list);
804
805 return result;
806 }
807
808 /**
809 * implementation of kernel_interface_t.get_interface_name
810 */
811 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
812 {
813 linked_list_t *list;
814 address_entry_t *entry;
815 char *name = NULL;
816
817 DBG2(DBG_IKE, "getting interface name for %H", ip);
818
819 list = create_address_list(this);
820 while (!name && list->remove_last(list, (void**)&entry) == SUCCESS)
821 {
822 if (ip->ip_equals(ip, entry->host))
823 {
824 name = strdup(entry->ifname);
825 }
826 address_entry_destroy(entry);
827 }
828 list->destroy_function(list, (void*)address_entry_destroy);
829
830 if (name)
831 {
832 DBG2(DBG_IKE, "%H is on interface %s", ip, name);
833 }
834 else
835 {
836 DBG2(DBG_IKE, "%H is not a local address", ip);
837 }
838 return name;
839 }
840
841 /**
842 * Tries to find an ip address of a local interface that is included in the
843 * supplied traffic selector.
844 */
845 static status_t get_address_by_ts(private_kernel_interface_t *this,
846 traffic_selector_t *ts, host_t **ip)
847 {
848 address_entry_t *entry;
849 host_t *host;
850 int family;
851 linked_list_t *list;
852 bool found = FALSE;
853
854 DBG2(DBG_IKE, "getting a local address in traffic selector %R", ts);
855
856 /* if we have a family which includes localhost, we do not
857 * search for an IP, we use the default */
858 family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
859
860 if (family == AF_INET)
861 {
862 host = host_create_from_string("127.0.0.1", 0);
863 }
864 else
865 {
866 host = host_create_from_string("::1", 0);
867 }
868
869 if (ts->includes(ts, host))
870 {
871 *ip = host_create_any(family);
872 host->destroy(host);
873 DBG2(DBG_IKE, "using host %H", *ip);
874 return SUCCESS;
875 }
876 host->destroy(host);
877
878 list = create_address_list(this);
879 while (!found && list->remove_last(list, (void**)&entry) == SUCCESS)
880 {
881 if (ts->includes(ts, entry->host))
882 {
883 found = TRUE;
884 *ip = entry->host->clone(entry->host);
885 }
886 address_entry_destroy(entry);
887 }
888 list->destroy_function(list, (void*)address_entry_destroy);
889
890 if (!found)
891 {
892 DBG1(DBG_IKE, "no local address found in traffic selector %R", ts);
893 return FAILED;
894 }
895 DBG2(DBG_IKE, "using host %H", *ip);
896 return SUCCESS;
897 }
898
899 /**
900 * get the interface of a local address
901 */
902 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
903 {
904 linked_list_t *list;
905 address_entry_t *entry;
906 int ifindex = 0;
907
908 DBG2(DBG_IKE, "getting iface for %H", ip);
909
910 list = create_address_list(this);
911 while (!ifindex && list->remove_last(list, (void**)&entry) == SUCCESS)
912 {
913 if (ip->ip_equals(ip, entry->host))
914 {
915 ifindex = entry->ifindex;
916 }
917 address_entry_destroy(entry);
918 }
919 list->destroy_function(list, (void*)address_entry_destroy);
920
921 if (ifindex == 0)
922 {
923 DBG1(DBG_IKE, "unable to get interface for %H", ip);
924 }
925 return ifindex;
926 }
927
928 /**
929 * Manages the creation and deletion of ip addresses on an interface.
930 * By setting the appropriate nlmsg_type, the ip will be set or unset.
931 */
932 static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
933 int flags, int if_index, host_t *ip)
934 {
935 unsigned char request[BUFFER_SIZE];
936 struct nlmsghdr *hdr;
937 struct ifaddrmsg *msg;
938 chunk_t chunk;
939
940 memset(&request, 0, sizeof(request));
941
942 chunk = ip->get_address(ip);
943
944 hdr = (struct nlmsghdr*)request;
945 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
946 hdr->nlmsg_type = nlmsg_type;
947 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
948
949 msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
950 msg->ifa_family = ip->get_family(ip);
951 msg->ifa_flags = 0;
952 msg->ifa_prefixlen = 8 * chunk.len;
953 msg->ifa_scope = RT_SCOPE_UNIVERSE;
954 msg->ifa_index = if_index;
955
956 add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
957
958 return netlink_send_ack(this->socket_rt, hdr);
959 }
960
961 /**
962 * Manages source routes in the routing table.
963 * By setting the appropriate nlmsg_type, the route added or r.
964 */
965 static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
966 int flags, route_entry_t *route)
967 {
968 unsigned char request[BUFFER_SIZE];
969 struct nlmsghdr *hdr;
970 struct rtmsg *msg;
971 chunk_t chunk;
972
973 /* if route is 0.0.0.0/0, we can't install it, as it would
974 * overwrite the default route. Instead, we add two routes:
975 * 0.0.0.0/1 and 128.0.0.0/1
976 * TODO: use metrics instead */
977 if (route->prefixlen == 0)
978 {
979 route_entry_t half;
980 status_t status;
981
982 half.dst_net = chunk_alloca(route->dst_net.len);
983 memset(half.dst_net.ptr, 0, half.dst_net.len);
984 half.src_ip = route->src_ip;
985 half.if_index = route->if_index;
986 half.prefixlen = 1;
987
988 status = manage_srcroute(this, nlmsg_type, flags, &half);
989 half.dst_net.ptr[0] |= 0x80;
990 status = manage_srcroute(this, nlmsg_type, flags, &half);
991 return status;
992 }
993
994 memset(&request, 0, sizeof(request));
995
996 hdr = (struct nlmsghdr*)request;
997 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
998 hdr->nlmsg_type = nlmsg_type;
999 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
1000
1001 msg = (struct rtmsg*)NLMSG_DATA(hdr);
1002 msg->rtm_family = route->src_ip->get_family(route->src_ip);
1003 msg->rtm_dst_len = route->prefixlen;
1004 msg->rtm_table = RT_TABLE_MAIN;
1005 msg->rtm_protocol = RTPROT_STATIC;
1006 msg->rtm_type = RTN_UNICAST;
1007 msg->rtm_scope = RT_SCOPE_UNIVERSE;
1008
1009 add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
1010 chunk = route->src_ip->get_address(route->src_ip);
1011 add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
1012 chunk.ptr = (char*)&route->if_index;
1013 chunk.len = sizeof(route->if_index);
1014 add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
1015
1016 return netlink_send_ack(this->socket_rt, hdr);
1017 }
1018
1019
1020 /**
1021 * Implementation of kernel_interface_t.add_ip.
1022 */
1023 static status_t add_ip(private_kernel_interface_t *this,
1024 host_t *virtual_ip, host_t *iface_ip)
1025 {
1026 int targetif;
1027 vip_entry_t *listed;
1028 iterator_t *iterator;
1029
1030 DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
1031
1032 targetif = get_interface_index(this, iface_ip);
1033 if (targetif == 0)
1034 {
1035 DBG1(DBG_KNL, "unable to add virtual IP %H, no iface found for %H",
1036 virtual_ip, iface_ip);
1037 return FAILED;
1038 }
1039
1040 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1041 iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex));
1042 while (iterator->iterate(iterator, (void**)&listed))
1043 {
1044 if (listed->if_index == targetif &&
1045 virtual_ip->ip_equals(virtual_ip, listed->ip))
1046 {
1047 listed->refcount++;
1048 iterator->destroy(iterator);
1049 DBG2(DBG_KNL, "virtual IP %H already added to iface %d reusing it",
1050 virtual_ip, targetif);
1051 return SUCCESS;
1052 }
1053 }
1054 iterator->destroy(iterator);
1055
1056 if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
1057 targetif, virtual_ip) == SUCCESS)
1058 {
1059 listed = malloc_thing(vip_entry_t);
1060 listed->ip = virtual_ip->clone(virtual_ip);
1061 listed->if_index = targetif;
1062 listed->refcount = 1;
1063 this->vips->insert_last(this->vips, listed);
1064 DBG2(DBG_KNL, "virtual IP %H added to iface %d",
1065 virtual_ip, targetif);
1066 return SUCCESS;
1067 }
1068
1069 DBG2(DBG_KNL, "unable to add virtual IP %H to iface %d",
1070 virtual_ip, targetif);
1071 return FAILED;
1072 }
1073
1074 /**
1075 * Implementation of kernel_interface_t.del_ip.
1076 */
1077 static status_t del_ip(private_kernel_interface_t *this,
1078 host_t *virtual_ip, host_t *iface_ip)
1079 {
1080 int targetif;
1081 vip_entry_t *listed;
1082 iterator_t *iterator;
1083
1084 DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
1085
1086 targetif = get_interface_index(this, iface_ip);
1087 if (targetif == 0)
1088 {
1089 DBG1(DBG_KNL, "unable to delete virtual IP %H, no iface found for %H",
1090 virtual_ip, iface_ip);
1091 return FAILED;
1092 }
1093
1094 /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
1095 iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex));
1096 while (iterator->iterate(iterator, (void**)&listed))
1097 {
1098 if (listed->if_index == targetif &&
1099 virtual_ip->ip_equals(virtual_ip, listed->ip))
1100 {
1101 listed->refcount--;
1102 if (listed->refcount == 0)
1103 {
1104 iterator->remove(iterator);
1105 vip_entry_destroy(listed);
1106 iterator->destroy(iterator);
1107 return manage_ipaddr(this, RTM_DELADDR, 0, targetif, virtual_ip);
1108 }
1109 iterator->destroy(iterator);
1110 DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
1111 virtual_ip);
1112 return SUCCESS;
1113 }
1114 }
1115 iterator->destroy(iterator);
1116
1117 DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
1118 return FAILED;
1119 }
1120
1121 /**
1122 * Implementation of kernel_interface_t.get_spi.
1123 */
1124 static status_t get_spi(private_kernel_interface_t *this,
1125 host_t *src, host_t *dst,
1126 protocol_id_t protocol, u_int32_t reqid,
1127 u_int32_t *spi)
1128 {
1129 unsigned char request[BUFFER_SIZE];
1130 struct nlmsghdr *hdr, *out;
1131 struct xfrm_userspi_info *userspi;
1132 u_int32_t received_spi = 0;
1133 size_t len;
1134
1135 memset(&request, 0, sizeof(request));
1136
1137 DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
1138
1139 hdr = (struct nlmsghdr*)request;
1140 hdr->nlmsg_flags = NLM_F_REQUEST;
1141 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1142 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1143
1144 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
1145 host2xfrm(src, &userspi->info.saddr);
1146 host2xfrm(dst, &userspi->info.id.daddr);
1147 userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1148 userspi->info.mode = TRUE; /* tunnel mode */
1149 userspi->info.reqid = reqid;
1150 userspi->info.family = src->get_family(src);
1151 userspi->min = 0xc0000000;
1152 userspi->max = 0xcFFFFFFF;
1153
1154 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1155 {
1156 hdr = out;
1157 while (NLMSG_OK(hdr, len))
1158 {
1159 switch (hdr->nlmsg_type)
1160 {
1161 case XFRM_MSG_NEWSA:
1162 {
1163 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1164 received_spi = usersa->id.spi;
1165 break;
1166 }
1167 case NLMSG_ERROR:
1168 {
1169 struct nlmsgerr *err = NLMSG_DATA(hdr);
1170
1171 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1172 strerror(-err->error), -err->error);
1173 break;
1174 }
1175 default:
1176 hdr = NLMSG_NEXT(hdr, len);
1177 continue;
1178 case NLMSG_DONE:
1179 break;
1180 }
1181 break;
1182 }
1183 free(out);
1184 }
1185
1186 if (received_spi == 0)
1187 {
1188 DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
1189 return FAILED;
1190 }
1191
1192 DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", received_spi, reqid);
1193
1194 *spi = received_spi;
1195 return SUCCESS;
1196 }
1197
1198 /**
1199 * Implementation of kernel_interface_t.add_sa.
1200 */
1201 static status_t add_sa(private_kernel_interface_t *this,
1202 host_t *src, host_t *dst, u_int32_t spi,
1203 protocol_id_t protocol, u_int32_t reqid,
1204 u_int64_t expire_soft, u_int64_t expire_hard,
1205 algorithm_t *enc_alg, algorithm_t *int_alg,
1206 prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode,
1207 bool replace)
1208 {
1209 unsigned char request[BUFFER_SIZE];
1210 char *alg_name;
1211 u_int key_size;
1212 struct nlmsghdr *hdr;
1213 struct xfrm_usersa_info *sa;
1214
1215 memset(&request, 0, sizeof(request));
1216
1217 DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x", spi);
1218
1219 hdr = (struct nlmsghdr*)request;
1220 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1221 hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1222 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1223
1224 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1225 host2xfrm(src, &sa->saddr);
1226 host2xfrm(dst, &sa->id.daddr);
1227 sa->id.spi = spi;
1228 sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1229 sa->family = src->get_family(src);
1230 sa->mode = mode;
1231 sa->replay_window = 32;
1232 sa->reqid = reqid;
1233 /* we currently do not expire SAs by volume/packet count */
1234 sa->lft.soft_byte_limit = XFRM_INF;
1235 sa->lft.hard_byte_limit = XFRM_INF;
1236 sa->lft.soft_packet_limit = XFRM_INF;
1237 sa->lft.hard_packet_limit = XFRM_INF;
1238 /* we use lifetimes since added, not since used */
1239 sa->lft.soft_add_expires_seconds = expire_soft;
1240 sa->lft.hard_add_expires_seconds = expire_hard;
1241 sa->lft.soft_use_expires_seconds = 0;
1242 sa->lft.hard_use_expires_seconds = 0;
1243
1244 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1245
1246 if (enc_alg->algorithm != ENCR_UNDEFINED)
1247 {
1248 rthdr->rta_type = XFRMA_ALG_CRYPT;
1249 alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
1250 if (alg_name == NULL)
1251 {
1252 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1253 encryption_algorithm_names, enc_alg->algorithm);
1254 return FAILED;
1255 }
1256 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1257 encryption_algorithm_names, enc_alg->algorithm, key_size);
1258
1259 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1260 hdr->nlmsg_len += rthdr->rta_len;
1261 if (hdr->nlmsg_len > sizeof(request))
1262 {
1263 return FAILED;
1264 }
1265
1266 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1267 algo->alg_key_len = key_size;
1268 strcpy(algo->alg_name, alg_name);
1269 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1270
1271 rthdr = XFRM_RTA_NEXT(rthdr);
1272 }
1273
1274 if (int_alg->algorithm != AUTH_UNDEFINED)
1275 {
1276 rthdr->rta_type = XFRMA_ALG_AUTH;
1277 alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
1278 if (alg_name == NULL)
1279 {
1280 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1281 integrity_algorithm_names, int_alg->algorithm);
1282 return FAILED;
1283 }
1284 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1285 integrity_algorithm_names, int_alg->algorithm, key_size);
1286
1287 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
1288 hdr->nlmsg_len += rthdr->rta_len;
1289 if (hdr->nlmsg_len > sizeof(request))
1290 {
1291 return FAILED;
1292 }
1293
1294 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1295 algo->alg_key_len = key_size;
1296 strcpy(algo->alg_name, alg_name);
1297 prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
1298
1299 rthdr = XFRM_RTA_NEXT(rthdr);
1300 }
1301
1302 /* TODO: add IPComp here */
1303
1304 if (natt)
1305 {
1306 rthdr->rta_type = XFRMA_ENCAP;
1307 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1308
1309 hdr->nlmsg_len += rthdr->rta_len;
1310 if (hdr->nlmsg_len > sizeof(request))
1311 {
1312 return FAILED;
1313 }
1314
1315 struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1316 encap->encap_type = UDP_ENCAP_ESPINUDP;
1317 encap->encap_sport = htons(natt->sport);
1318 encap->encap_dport = htons(natt->dport);
1319 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
1320 /* encap_oa could probably be derived from the
1321 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1322 * pluto does the same as we do here but it uses encap_oa in the
1323 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1324 * the kernel ignores it anyway
1325 * -> does that mean that NAT-T encap doesn't work in transport mode?
1326 * No. The reason the kernel ignores NAT-OA is that it recomputes
1327 * (or, rather, just ignores) the checksum. If packets pass
1328 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1329 rthdr = XFRM_RTA_NEXT(rthdr);
1330 }
1331
1332 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1333 {
1334 DBG1(DBG_KNL, "unalbe to add SAD entry with SPI 0x%x", spi);
1335 return FAILED;
1336 }
1337 return SUCCESS;
1338 }
1339
1340 /**
1341 * Implementation of kernel_interface_t.update_sa.
1342 */
1343 static status_t update_sa(private_kernel_interface_t *this,
1344 host_t *src, host_t *dst,
1345 host_t *new_src, host_t *new_dst,
1346 host_diff_t src_changes, host_diff_t dst_changes,
1347 u_int32_t spi, protocol_id_t protocol)
1348 {
1349 unsigned char request[BUFFER_SIZE];
1350 struct nlmsghdr *hdr, *out = NULL;
1351 struct xfrm_usersa_id *sa_id;
1352 struct xfrm_usersa_info *sa = NULL;
1353 size_t len;
1354
1355 memset(&request, 0, sizeof(request));
1356
1357 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1358
1359 hdr = (struct nlmsghdr*)request;
1360 hdr->nlmsg_flags = NLM_F_REQUEST;
1361 hdr->nlmsg_type = XFRM_MSG_GETSA;
1362 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1363
1364 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1365 host2xfrm(dst, &sa_id->daddr);
1366 sa_id->spi = spi;
1367 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1368 sa_id->family = dst->get_family(dst);
1369
1370 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1371 {
1372 hdr = out;
1373 while (NLMSG_OK(hdr, len))
1374 {
1375 switch (hdr->nlmsg_type)
1376 {
1377 case XFRM_MSG_NEWSA:
1378 {
1379 sa = NLMSG_DATA(hdr);
1380 break;
1381 }
1382 case NLMSG_ERROR:
1383 {
1384 struct nlmsgerr *err = NLMSG_DATA(hdr);
1385 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1386 strerror(-err->error), -err->error);
1387 break;
1388 }
1389 default:
1390 hdr = NLMSG_NEXT(hdr, len);
1391 continue;
1392 case NLMSG_DONE:
1393 break;
1394 }
1395 break;
1396 }
1397 }
1398 if (sa == NULL)
1399 {
1400 DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
1401 free(out);
1402 return FAILED;
1403 }
1404
1405 DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x", spi);
1406
1407 hdr = out;
1408 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1409 hdr->nlmsg_type = XFRM_MSG_UPDSA;
1410
1411 if (src_changes & HOST_DIFF_ADDR)
1412 {
1413 host2xfrm(new_src, &sa->saddr);
1414 }
1415
1416 if (dst_changes & HOST_DIFF_ADDR)
1417 {
1418 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1419 host2xfrm(new_dst, &sa->id.daddr);
1420 }
1421
1422 if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
1423 {
1424 struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1425 size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info);
1426 while (RTA_OK(rtattr, rtsize))
1427 {
1428 if (rtattr->rta_type == XFRMA_ENCAP)
1429 {
1430 struct xfrm_encap_tmpl* encap;
1431 encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr);
1432 encap->encap_sport = ntohs(new_src->get_port(new_src));
1433 encap->encap_dport = ntohs(new_dst->get_port(new_dst));
1434 break;
1435 }
1436 rtattr = RTA_NEXT(rtattr, rtsize);
1437 }
1438 }
1439 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1440 {
1441 DBG1(DBG_KNL, "unalbe to update SAD entry with SPI 0x%x", spi);
1442 free(out);
1443 return FAILED;
1444 }
1445 free(out);
1446
1447 if (dst_changes & HOST_DIFF_ADDR)
1448 {
1449 return this->public.del_sa(&this->public, dst, spi, protocol);
1450 }
1451 return SUCCESS;
1452 }
1453
1454 /**
1455 * Implementation of kernel_interface_t.query_sa.
1456 */
1457 static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
1458 u_int32_t spi, protocol_id_t protocol,
1459 u_int32_t *use_time)
1460 {
1461 unsigned char request[BUFFER_SIZE];
1462 struct nlmsghdr *out = NULL, *hdr;
1463 struct xfrm_usersa_id *sa_id;
1464 struct xfrm_usersa_info *sa = NULL;
1465 size_t len;
1466
1467 DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
1468 memset(&request, 0, sizeof(request));
1469
1470 hdr = (struct nlmsghdr*)request;
1471 hdr->nlmsg_flags = NLM_F_REQUEST;
1472 hdr->nlmsg_type = XFRM_MSG_GETSA;
1473 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1474
1475 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1476 host2xfrm(dst, &sa_id->daddr);
1477 sa_id->spi = spi;
1478 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1479 sa_id->family = dst->get_family(dst);
1480
1481 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1482 {
1483 hdr = out;
1484 while (NLMSG_OK(hdr, len))
1485 {
1486 switch (hdr->nlmsg_type)
1487 {
1488 case XFRM_MSG_NEWSA:
1489 {
1490 sa = NLMSG_DATA(hdr);
1491 break;
1492 }
1493 case NLMSG_ERROR:
1494 {
1495 struct nlmsgerr *err = NLMSG_DATA(hdr);
1496 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1497 strerror(-err->error), -err->error);
1498 break;
1499 }
1500 default:
1501 hdr = NLMSG_NEXT(hdr, len);
1502 continue;
1503 case NLMSG_DONE:
1504 break;
1505 }
1506 break;
1507 }
1508 }
1509
1510 if (sa == NULL)
1511 {
1512 DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
1513 free(out);
1514 return FAILED;
1515 }
1516
1517 *use_time = sa->curlft.use_time;
1518 free (out);
1519 return SUCCESS;
1520 }
1521
1522 /**
1523 * Implementation of kernel_interface_t.del_sa.
1524 */
1525 static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
1526 u_int32_t spi, protocol_id_t protocol)
1527 {
1528 unsigned char request[BUFFER_SIZE];
1529 struct nlmsghdr *hdr;
1530 struct xfrm_usersa_id *sa_id;
1531
1532 memset(&request, 0, sizeof(request));
1533
1534 DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
1535
1536 hdr = (struct nlmsghdr*)request;
1537 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1538 hdr->nlmsg_type = XFRM_MSG_DELSA;
1539 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1540
1541 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1542 host2xfrm(dst, &sa_id->daddr);
1543 sa_id->spi = spi;
1544 sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
1545 sa_id->family = dst->get_family(dst);
1546
1547 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1548 {
1549 DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI 0x%x", spi);
1550 return FAILED;
1551 }
1552 DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
1553 return SUCCESS;
1554 }
1555
1556 /**
1557 * Implementation of kernel_interface_t.add_policy.
1558 */
1559 static status_t add_policy(private_kernel_interface_t *this,
1560 host_t *src, host_t *dst,
1561 traffic_selector_t *src_ts,
1562 traffic_selector_t *dst_ts,
1563 policy_dir_t direction, protocol_id_t protocol,
1564 u_int32_t reqid, bool high_prio, mode_t mode,
1565 bool update)
1566 {
1567 iterator_t *iterator;
1568 policy_entry_t *current, *policy;
1569 bool found = FALSE;
1570 unsigned char request[BUFFER_SIZE];
1571 struct xfrm_userpolicy_info *policy_info;
1572 struct nlmsghdr *hdr;
1573
1574 /* create a policy */
1575 policy = malloc_thing(policy_entry_t);
1576 memset(policy, 0, sizeof(policy_entry_t));
1577 policy->sel = ts2selector(src_ts, dst_ts);
1578 policy->direction = direction;
1579
1580 /* find the policy, which matches EXACTLY */
1581 pthread_mutex_lock(&this->policies_mutex);
1582 iterator = this->policies->create_iterator(this->policies, TRUE);
1583 while (iterator->iterate(iterator, (void**)&current))
1584 {
1585 if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
1586 policy->direction == current->direction)
1587 {
1588 free(policy);
1589 /* use existing policy */
1590 if (!update)
1591 {
1592 current->refcount++;
1593 DBG2(DBG_KNL, "policy %R===%R already exists, increasing ",
1594 "refcount", src_ts, dst_ts);
1595 if (!high_prio)
1596 {
1597 /* if added policy is for a ROUTED child_sa, do not
1598 * overwrite existing INSTALLED policy */
1599 iterator->destroy(iterator);
1600 pthread_mutex_unlock(&this->policies_mutex);
1601 return SUCCESS;
1602 }
1603 }
1604 policy = current;
1605 found = TRUE;
1606 break;
1607 }
1608 }
1609 iterator->destroy(iterator);
1610 if (!found)
1611 { /* apply the new one, if we have no such policy */
1612 this->policies->insert_last(this->policies, policy);
1613 policy->refcount = 1;
1614 }
1615
1616 DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
1617
1618 memset(&request, 0, sizeof(request));
1619 hdr = (struct nlmsghdr*)request;
1620 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1621 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
1622 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1623
1624 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1625 policy_info->sel = policy->sel;
1626 policy_info->dir = policy->direction;
1627 /* calculate priority based on source selector size, small size = high prio */
1628 policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1629 policy_info->priority -= policy->sel.prefixlen_s * 10;
1630 policy_info->priority -= policy->sel.proto ? 2 : 0;
1631 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1632 policy_info->action = XFRM_POLICY_ALLOW;
1633 policy_info->share = XFRM_SHARE_ANY;
1634 pthread_mutex_unlock(&this->policies_mutex);
1635
1636 /* policies don't expire */
1637 policy_info->lft.soft_byte_limit = XFRM_INF;
1638 policy_info->lft.soft_packet_limit = XFRM_INF;
1639 policy_info->lft.hard_byte_limit = XFRM_INF;
1640 policy_info->lft.hard_packet_limit = XFRM_INF;
1641 policy_info->lft.soft_add_expires_seconds = 0;
1642 policy_info->lft.hard_add_expires_seconds = 0;
1643 policy_info->lft.soft_use_expires_seconds = 0;
1644 policy_info->lft.hard_use_expires_seconds = 0;
1645
1646 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1647 rthdr->rta_type = XFRMA_TMPL;
1648
1649 rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
1650 rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
1651
1652 hdr->nlmsg_len += rthdr->rta_len;
1653 if (hdr->nlmsg_len > sizeof(request))
1654 {
1655 return FAILED;
1656 }
1657
1658 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1659 tmpl->reqid = reqid;
1660 tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
1661 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1662 tmpl->mode = mode;
1663 tmpl->family = src->get_family(src);
1664
1665 host2xfrm(src, &tmpl->saddr);
1666 host2xfrm(dst, &tmpl->id.daddr);
1667
1668 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1669 {
1670 DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
1671 return FAILED;
1672 }
1673
1674 if (direction == POLICY_FWD && mode != MODE_TRANSPORT &&
1675 src->get_family(src) != AF_INET6)
1676 {
1677 policy->route = malloc_thing(route_entry_t);
1678 if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
1679 {
1680 policy->route->if_index = get_interface_index(this, dst);
1681 policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1682 memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
1683 policy->route->prefixlen = policy->sel.prefixlen_s;
1684
1685 if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
1686 policy->route) != SUCCESS)
1687 {
1688 DBG1(DBG_KNL, "unable to install source route for %H",
1689 policy->route->src_ip);
1690 route_entry_destroy(policy->route);
1691 policy->route = NULL;
1692 }
1693 }
1694 else
1695 {
1696 free(policy->route);
1697 policy->route = NULL;
1698 }
1699 }
1700
1701 return SUCCESS;
1702 }
1703
1704 /**
1705 * Implementation of kernel_interface_t.query_policy.
1706 */
1707 static status_t query_policy(private_kernel_interface_t *this,
1708 traffic_selector_t *src_ts,
1709 traffic_selector_t *dst_ts,
1710 policy_dir_t direction, u_int32_t *use_time)
1711 {
1712 unsigned char request[BUFFER_SIZE];
1713 struct nlmsghdr *out = NULL, *hdr;
1714 struct xfrm_userpolicy_id *policy_id;
1715 struct xfrm_userpolicy_info *policy = NULL;
1716 size_t len;
1717
1718 memset(&request, 0, sizeof(request));
1719
1720 DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
1721
1722 hdr = (struct nlmsghdr*)request;
1723 hdr->nlmsg_flags = NLM_F_REQUEST;
1724 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1725 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1726
1727 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1728 policy_id->sel = ts2selector(src_ts, dst_ts);
1729 policy_id->dir = direction;
1730
1731 if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1732 {
1733 hdr = out;
1734 while (NLMSG_OK(hdr, len))
1735 {
1736 switch (hdr->nlmsg_type)
1737 {
1738 case XFRM_MSG_NEWPOLICY:
1739 {
1740 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1741 break;
1742 }
1743 case NLMSG_ERROR:
1744 {
1745 struct nlmsgerr *err = NLMSG_DATA(hdr);
1746 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1747 strerror(-err->error), -err->error);
1748 break;
1749 }
1750 default:
1751 hdr = NLMSG_NEXT(hdr, len);
1752 continue;
1753 case NLMSG_DONE:
1754 break;
1755 }
1756 break;
1757 }
1758 }
1759
1760 if (policy == NULL)
1761 {
1762 DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
1763 free(out);
1764 return FAILED;
1765 }
1766 *use_time = (time_t)policy->curlft.use_time;
1767
1768 free(out);
1769 return SUCCESS;
1770 }
1771
1772 /**
1773 * Implementation of kernel_interface_t.del_policy.
1774 */
1775 static status_t del_policy(private_kernel_interface_t *this,
1776 traffic_selector_t *src_ts,
1777 traffic_selector_t *dst_ts,
1778 policy_dir_t direction)
1779 {
1780 policy_entry_t *current, policy, *to_delete = NULL;
1781 route_entry_t *route;
1782 unsigned char request[BUFFER_SIZE];
1783 struct nlmsghdr *hdr;
1784 struct xfrm_userpolicy_id *policy_id;
1785 iterator_t *iterator;
1786
1787 DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
1788
1789 /* create a policy */
1790 memset(&policy, 0, sizeof(policy_entry_t));
1791 policy.sel = ts2selector(src_ts, dst_ts);
1792 policy.direction = direction;
1793
1794 /* find the policy */
1795 pthread_mutex_lock(&this->policies_mutex);
1796 iterator = this->policies->create_iterator(this->policies, TRUE);
1797 while (iterator->iterate(iterator, (void**)&current))
1798 {
1799 if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
1800 policy.direction == current->direction)
1801 {
1802 to_delete = current;
1803 if (--to_delete->refcount > 0)
1804 {
1805 /* is used by more SAs, keep in kernel */
1806 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1807 iterator->destroy(iterator);
1808 pthread_mutex_unlock(&this->policies_mutex);
1809 return SUCCESS;
1810 }
1811 /* remove if last reference */
1812 iterator->remove(iterator);
1813 break;
1814 }
1815 }
1816 iterator->destroy(iterator);
1817 pthread_mutex_unlock(&this->policies_mutex);
1818 if (!to_delete)
1819 {
1820 DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
1821 return NOT_FOUND;
1822 }
1823
1824 memset(&request, 0, sizeof(request));
1825
1826 hdr = (struct nlmsghdr*)request;
1827 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1828 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1829 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1830
1831 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1832 policy_id->sel = to_delete->sel;
1833 policy_id->dir = direction;
1834
1835 route = to_delete->route;
1836 free(to_delete);
1837
1838 if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
1839 {
1840 DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
1841 return FAILED;
1842 }
1843
1844 if (route)
1845 {
1846 if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
1847 {
1848 DBG1(DBG_KNL, "error uninstalling route installed with "
1849 "policy %R===%R", src_ts, dst_ts);
1850 }
1851 route_entry_destroy(route);
1852 }
1853 return SUCCESS;
1854 }
1855
1856 /**
1857 * Implementation of kernel_interface_t.destroy.
1858 */
1859 static void destroy(private_kernel_interface_t *this)
1860 {
1861 pthread_cancel(this->event_thread);
1862 pthread_join(this->event_thread, NULL);
1863 close(this->socket_xfrm_events);
1864 close(this->socket_xfrm);
1865 close(this->socket_rt);
1866 this->vips->destroy(this->vips);
1867 this->policies->destroy(this->policies);
1868 free(this);
1869 }
1870
1871 /*
1872 * Described in header.
1873 */
1874 kernel_interface_t *kernel_interface_create()
1875 {
1876 private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
1877 struct sockaddr_nl addr;
1878
1879 /* public functions */
1880 this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1881 this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa;
1882 this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
1883 this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
1884 this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1885 this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
1886 this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1887 this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1888
1889 this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
1890 this->public.create_address_list = (linked_list_t*(*)(kernel_interface_t*))create_address_list_public;
1891 this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
1892 this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) del_ip;
1893 this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
1894
1895 /* private members */
1896 this->vips = linked_list_create();
1897 this->policies = linked_list_create();
1898 pthread_mutex_init(&this->policies_mutex,NULL);
1899 pthread_mutex_init(&this->vips_mutex,NULL);
1900
1901 addr.nl_family = AF_NETLINK;
1902 addr.nl_pid = 0;
1903 addr.nl_groups = 0;
1904
1905 /* create and bind XFRM socket */
1906 this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1907 if (this->socket_xfrm <= 0)
1908 {
1909 charon->kill(charon, "unable to create XFRM netlink socket");
1910 }
1911
1912 if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
1913 {
1914 charon->kill(charon, "unable to bind XFRM netlink socket");
1915 }
1916
1917 /* create and bind RT socket */
1918 this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
1919 if (this->socket_rt <= 0)
1920 {
1921 charon->kill(charon, "unable to create RT netlink socket");
1922 }
1923
1924 if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
1925 {
1926 charon->kill(charon, "unable to bind RT netlink socket");
1927 }
1928
1929 /* create and bind XFRM socket for ACQUIRE & EXPIRE */
1930 addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
1931 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1932 if (this->socket_xfrm_events <= 0)
1933 {
1934 charon->kill(charon, "unable to create XFRM event socket");
1935 }
1936
1937 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
1938 {
1939 charon->kill(charon, "unable to bind XFRM event socket");
1940 }
1941
1942 /* create a thread receiving ACQUIRE & EXPIRE events */
1943 if (pthread_create(&this->event_thread, NULL,
1944 (void*(*)(void*))receive_events, this))
1945 {
1946 charon->kill(charon, "unable to create xfrm event dispatcher thread");
1947 }
1948
1949 return &this->public;
1950 }
1951
1952 /* vim: set ts=4 sw=4 noet: */