Moving charon to libcharon.
[strongswan.git] / src / libcharon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2009 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include <sys/types.h>
22 #include <sys/socket.h>
23 #include <stdint.h>
24 #include <linux/ipsec.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <unistd.h>
30 #include <time.h>
31 #include <errno.h>
32 #include <string.h>
33 #include <fcntl.h>
34
35 #include "kernel_netlink_ipsec.h"
36 #include "kernel_netlink_shared.h"
37
38 #include <daemon.h>
39 #include <threading/thread.h>
40 #include <threading/mutex.h>
41 #include <utils/hashtable.h>
42 #include <processing/jobs/callback_job.h>
43 #include <processing/jobs/acquire_job.h>
44 #include <processing/jobs/migrate_job.h>
45 #include <processing/jobs/rekey_child_sa_job.h>
46 #include <processing/jobs/delete_child_sa_job.h>
47 #include <processing/jobs/update_sa_job.h>
48
49 /** required for Linux 2.6.26 kernel and later */
50 #ifndef XFRM_STATE_AF_UNSPEC
51 #define XFRM_STATE_AF_UNSPEC 32
52 #endif
53
54 /** from linux/in.h */
55 #ifndef IP_XFRM_POLICY
56 #define IP_XFRM_POLICY 17
57 #endif
58
59 /* missing on uclibc */
60 #ifndef IPV6_XFRM_POLICY
61 #define IPV6_XFRM_POLICY 34
62 #endif /*IPV6_XFRM_POLICY*/
63
64 /** default priority of installed policies */
65 #define PRIO_LOW 3000
66 #define PRIO_HIGH 2000
67
68 /**
69 * map the limit for bytes and packets to XFRM_INF per default
70 */
71 #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
72
73 /**
74 * Create ORable bitfield of XFRM NL groups
75 */
76 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
77
78 /**
79 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
80 * 'usual' netlink data x like 'struct xfrm_usersa_info'
81 */
82 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
83 /**
84 * returns a pointer to the next rtattr following rta.
85 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
86 */
87 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
88 /**
89 * returns the total size of attached rta data
90 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
91 */
92 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
93
94 typedef struct kernel_algorithm_t kernel_algorithm_t;
95
96 /**
97 * Mapping of IKEv2 kernel identifier to linux crypto API names
98 */
99 struct kernel_algorithm_t {
100 /**
101 * Identifier specified in IKEv2
102 */
103 int ikev2;
104
105 /**
106 * Name of the algorithm in linux crypto API
107 */
108 char *name;
109 };
110
111 ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
112 "XFRM_MSG_NEWSA",
113 "XFRM_MSG_DELSA",
114 "XFRM_MSG_GETSA",
115 "XFRM_MSG_NEWPOLICY",
116 "XFRM_MSG_DELPOLICY",
117 "XFRM_MSG_GETPOLICY",
118 "XFRM_MSG_ALLOCSPI",
119 "XFRM_MSG_ACQUIRE",
120 "XFRM_MSG_EXPIRE",
121 "XFRM_MSG_UPDPOLICY",
122 "XFRM_MSG_UPDSA",
123 "XFRM_MSG_POLEXPIRE",
124 "XFRM_MSG_FLUSHSA",
125 "XFRM_MSG_FLUSHPOLICY",
126 "XFRM_MSG_NEWAE",
127 "XFRM_MSG_GETAE",
128 "XFRM_MSG_REPORT",
129 "XFRM_MSG_MIGRATE",
130 "XFRM_MSG_NEWSADINFO",
131 "XFRM_MSG_GETSADINFO",
132 "XFRM_MSG_NEWSPDINFO",
133 "XFRM_MSG_GETSPDINFO",
134 "XFRM_MSG_MAPPING"
135 );
136
137 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
138 "XFRMA_UNSPEC",
139 "XFRMA_ALG_AUTH",
140 "XFRMA_ALG_CRYPT",
141 "XFRMA_ALG_COMP",
142 "XFRMA_ENCAP",
143 "XFRMA_TMPL",
144 "XFRMA_SA",
145 "XFRMA_POLICY",
146 "XFRMA_SEC_CTX",
147 "XFRMA_LTIME_VAL",
148 "XFRMA_REPLAY_VAL",
149 "XFRMA_REPLAY_THRESH",
150 "XFRMA_ETIMER_THRESH",
151 "XFRMA_SRCADDR",
152 "XFRMA_COADDR",
153 "XFRMA_LASTUSED",
154 "XFRMA_POLICY_TYPE",
155 "XFRMA_MIGRATE",
156 "XFRMA_ALG_AEAD",
157 "XFRMA_KMADDRESS"
158 );
159
160 #define END_OF_LIST -1
161
162 /**
163 * Algorithms for encryption
164 */
165 static kernel_algorithm_t encryption_algs[] = {
166 /* {ENCR_DES_IV64, "***" }, */
167 {ENCR_DES, "des" },
168 {ENCR_3DES, "des3_ede" },
169 /* {ENCR_RC5, "***" }, */
170 /* {ENCR_IDEA, "***" }, */
171 {ENCR_CAST, "cast128" },
172 {ENCR_BLOWFISH, "blowfish" },
173 /* {ENCR_3IDEA, "***" }, */
174 /* {ENCR_DES_IV32, "***" }, */
175 {ENCR_NULL, "cipher_null" },
176 {ENCR_AES_CBC, "aes" },
177 {ENCR_AES_CTR, "rfc3686(ctr(aes))" },
178 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
179 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
180 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
181 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
182 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
183 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
184 {ENCR_NULL_AUTH_AES_GMAC, "rfc4543(gcm(aes))" },
185 {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
186 /* {ENCR_CAMELLIA_CTR, "***" }, */
187 /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
188 /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
189 /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
190 {END_OF_LIST, NULL }
191 };
192
193 /**
194 * Algorithms for integrity protection
195 */
196 static kernel_algorithm_t integrity_algs[] = {
197 {AUTH_HMAC_MD5_96, "md5" },
198 {AUTH_HMAC_SHA1_96, "sha1" },
199 {AUTH_HMAC_SHA2_256_96, "sha256" },
200 {AUTH_HMAC_SHA2_256_128, "hmac(sha256)" },
201 {AUTH_HMAC_SHA2_384_192, "hmac(sha384)" },
202 {AUTH_HMAC_SHA2_512_256, "hmac(sha512)" },
203 /* {AUTH_DES_MAC, "***" }, */
204 /* {AUTH_KPDK_MD5, "***" }, */
205 {AUTH_AES_XCBC_96, "xcbc(aes)" },
206 {END_OF_LIST, NULL }
207 };
208
209 /**
210 * Algorithms for IPComp
211 */
212 static kernel_algorithm_t compression_algs[] = {
213 /* {IPCOMP_OUI, "***" }, */
214 {IPCOMP_DEFLATE, "deflate" },
215 {IPCOMP_LZS, "lzs" },
216 {IPCOMP_LZJH, "lzjh" },
217 {END_OF_LIST, NULL }
218 };
219
220 /**
221 * Look up a kernel algorithm name and its key size
222 */
223 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
224 {
225 while (list->ikev2 != END_OF_LIST)
226 {
227 if (list->ikev2 == ikev2)
228 {
229 return list->name;
230 }
231 list++;
232 }
233 return NULL;
234 }
235
236 typedef struct route_entry_t route_entry_t;
237
238 /**
239 * installed routing entry
240 */
241 struct route_entry_t {
242 /** Name of the interface the route is bound to */
243 char *if_name;
244
245 /** Source ip of the route */
246 host_t *src_ip;
247
248 /** gateway for this route */
249 host_t *gateway;
250
251 /** Destination net */
252 chunk_t dst_net;
253
254 /** Destination net prefixlen */
255 u_int8_t prefixlen;
256 };
257
258 /**
259 * destroy an route_entry_t object
260 */
261 static void route_entry_destroy(route_entry_t *this)
262 {
263 free(this->if_name);
264 this->src_ip->destroy(this->src_ip);
265 DESTROY_IF(this->gateway);
266 chunk_free(&this->dst_net);
267 free(this);
268 }
269
270 typedef struct policy_entry_t policy_entry_t;
271
272 /**
273 * installed kernel policy.
274 */
275 struct policy_entry_t {
276
277 /** direction of this policy: in, out, forward */
278 u_int8_t direction;
279
280 /** parameters of installed policy */
281 struct xfrm_selector sel;
282
283 /** associated route installed for this policy */
284 route_entry_t *route;
285
286 /** by how many CHILD_SA's this policy is used */
287 u_int refcount;
288 };
289
290 /**
291 * Hash function for policy_entry_t objects
292 */
293 static u_int policy_hash(policy_entry_t *key)
294 {
295 chunk_t chunk = chunk_create((void*)&key->sel, sizeof(struct xfrm_selector));
296 return chunk_hash(chunk);
297 }
298
299 /**
300 * Equality function for policy_entry_t objects
301 */
302 static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
303 {
304 return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
305 key->direction == other_key->direction;
306 }
307
308 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
309
310 /**
311 * Private variables and functions of kernel_netlink class.
312 */
313 struct private_kernel_netlink_ipsec_t {
314 /**
315 * Public part of the kernel_netlink_t object.
316 */
317 kernel_netlink_ipsec_t public;
318
319 /**
320 * mutex to lock access to various lists
321 */
322 mutex_t *mutex;
323
324 /**
325 * Hash table of installed policies (policy_entry_t)
326 */
327 hashtable_t *policies;
328
329 /**
330 * job receiving netlink events
331 */
332 callback_job_t *job;
333
334 /**
335 * Netlink xfrm socket (IPsec)
336 */
337 netlink_socket_t *socket_xfrm;
338
339 /**
340 * netlink xfrm socket to receive acquire and expire events
341 */
342 int socket_xfrm_events;
343
344 /**
345 * whether to install routes along policies
346 */
347 bool install_routes;
348 };
349
350 /**
351 * convert a IKEv2 specific protocol identifier to the kernel one
352 */
353 static u_int8_t proto_ike2kernel(protocol_id_t proto)
354 {
355 switch (proto)
356 {
357 case PROTO_ESP:
358 return IPPROTO_ESP;
359 case PROTO_AH:
360 return IPPROTO_AH;
361 default:
362 return proto;
363 }
364 }
365
366 /**
367 * reverse of ike2kernel
368 */
369 static protocol_id_t proto_kernel2ike(u_int8_t proto)
370 {
371 switch (proto)
372 {
373 case IPPROTO_ESP:
374 return PROTO_ESP;
375 case IPPROTO_AH:
376 return PROTO_AH;
377 default:
378 return proto;
379 }
380 }
381
382 /**
383 * convert the general ipsec mode to the one defined in xfrm.h
384 */
385 static u_int8_t mode2kernel(ipsec_mode_t mode)
386 {
387 switch (mode)
388 {
389 case MODE_TRANSPORT:
390 return XFRM_MODE_TRANSPORT;
391 case MODE_TUNNEL:
392 return XFRM_MODE_TUNNEL;
393 case MODE_BEET:
394 return XFRM_MODE_BEET;
395 default:
396 return mode;
397 }
398 }
399
400 /**
401 * convert a host_t to a struct xfrm_address
402 */
403 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
404 {
405 chunk_t chunk = host->get_address(host);
406 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
407 }
408
409 /**
410 * convert a struct xfrm_address to a host_t
411 */
412 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
413 {
414 chunk_t chunk;
415
416 switch (family)
417 {
418 case AF_INET:
419 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
420 break;
421 case AF_INET6:
422 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
423 break;
424 default:
425 return NULL;
426 }
427 return host_create_from_chunk(family, chunk, ntohs(port));
428 }
429
430 /**
431 * convert a traffic selector address range to subnet and its mask.
432 */
433 static void ts2subnet(traffic_selector_t* ts,
434 xfrm_address_t *net, u_int8_t *mask)
435 {
436 host_t *net_host;
437 chunk_t net_chunk;
438
439 ts->to_subnet(ts, &net_host, mask);
440 net_chunk = net_host->get_address(net_host);
441 memcpy(net, net_chunk.ptr, net_chunk.len);
442 net_host->destroy(net_host);
443 }
444
445 /**
446 * convert a traffic selector port range to port/portmask
447 */
448 static void ts2ports(traffic_selector_t* ts,
449 u_int16_t *port, u_int16_t *mask)
450 {
451 /* linux does not seem to accept complex portmasks. Only
452 * any or a specific port is allowed. We set to any, if we have
453 * a port range, or to a specific, if we have one port only.
454 */
455 u_int16_t from, to;
456
457 from = ts->get_from_port(ts);
458 to = ts->get_to_port(ts);
459
460 if (from == to)
461 {
462 *port = htons(from);
463 *mask = ~0;
464 }
465 else
466 {
467 *port = 0;
468 *mask = 0;
469 }
470 }
471
472 /**
473 * convert a pair of traffic_selectors to a xfrm_selector
474 */
475 static struct xfrm_selector ts2selector(traffic_selector_t *src,
476 traffic_selector_t *dst)
477 {
478 struct xfrm_selector sel;
479
480 memset(&sel, 0, sizeof(sel));
481 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
482 /* src or dest proto may be "any" (0), use more restrictive one */
483 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
484 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
485 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
486 ts2ports(dst, &sel.dport, &sel.dport_mask);
487 ts2ports(src, &sel.sport, &sel.sport_mask);
488 sel.ifindex = 0;
489 sel.user = 0;
490
491 return sel;
492 }
493
494 /**
495 * convert a xfrm_selector to a src|dst traffic_selector
496 */
497 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
498 {
499 u_char *addr;
500 u_int8_t prefixlen;
501 u_int16_t port = 0;
502 host_t *host = NULL;
503
504 if (src)
505 {
506 addr = (u_char*)&sel->saddr;
507 prefixlen = sel->prefixlen_s;
508 if (sel->sport_mask)
509 {
510 port = htons(sel->sport);
511 }
512 }
513 else
514 {
515 addr = (u_char*)&sel->daddr;
516 prefixlen = sel->prefixlen_d;
517 if (sel->dport_mask)
518 {
519 port = htons(sel->dport);
520 }
521 }
522
523 /* The Linux 2.6 kernel does not set the selector's family field,
524 * so as a kludge we additionally test the prefix length.
525 */
526 if (sel->family == AF_INET || sel->prefixlen_s == 32)
527 {
528 host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
529 }
530 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
531 {
532 host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
533 }
534
535 if (host)
536 {
537 return traffic_selector_create_from_subnet(host, prefixlen,
538 sel->proto, port);
539 }
540 return NULL;
541 }
542
543 /**
544 * process a XFRM_MSG_ACQUIRE from kernel
545 */
546 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
547 {
548 u_int32_t reqid = 0;
549 int proto = 0;
550 traffic_selector_t *src_ts, *dst_ts;
551 struct xfrm_user_acquire *acquire;
552 struct rtattr *rta;
553 size_t rtasize;
554 job_t *job;
555
556 acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
557 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
558 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
559
560 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
561
562 while (RTA_OK(rta, rtasize))
563 {
564 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
565
566 if (rta->rta_type == XFRMA_TMPL)
567 {
568 struct xfrm_user_tmpl* tmpl;
569
570 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
571 reqid = tmpl->reqid;
572 proto = tmpl->id.proto;
573 }
574 rta = RTA_NEXT(rta, rtasize);
575 }
576 switch (proto)
577 {
578 case 0:
579 case IPPROTO_ESP:
580 case IPPROTO_AH:
581 break;
582 default:
583 /* acquire for AH/ESP only, not for IPCOMP */
584 return;
585 }
586 src_ts = selector2ts(&acquire->sel, TRUE);
587 dst_ts = selector2ts(&acquire->sel, FALSE);
588 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
589 src_ts, dst_ts, reqid);
590 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
591 charon->processor->queue_job(charon->processor, job);
592 }
593
594 /**
595 * process a XFRM_MSG_EXPIRE from kernel
596 */
597 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
598 {
599 job_t *job;
600 protocol_id_t protocol;
601 u_int32_t spi, reqid;
602 struct xfrm_user_expire *expire;
603
604 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
605 protocol = proto_kernel2ike(expire->state.id.proto);
606 spi = expire->state.id.spi;
607 reqid = expire->state.reqid;
608
609 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
610
611 if (protocol != PROTO_ESP && protocol != PROTO_AH)
612 {
613 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
614 "which is not a CHILD_SA", ntohl(spi), reqid);
615 return;
616 }
617
618 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
619 expire->hard ? "delete" : "rekey", protocol_id_names,
620 protocol, ntohl(spi), reqid);
621 if (expire->hard)
622 {
623 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
624 }
625 else
626 {
627 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
628 }
629 charon->processor->queue_job(charon->processor, job);
630 }
631
632 /**
633 * process a XFRM_MSG_MIGRATE from kernel
634 */
635 static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
636 {
637 traffic_selector_t *src_ts, *dst_ts;
638 host_t *local = NULL, *remote = NULL;
639 host_t *old_src = NULL, *old_dst = NULL;
640 host_t *new_src = NULL, *new_dst = NULL;
641 struct xfrm_userpolicy_id *policy_id;
642 struct rtattr *rta;
643 size_t rtasize;
644 u_int32_t reqid = 0;
645 policy_dir_t dir;
646 job_t *job;
647
648 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
649 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
650 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
651
652 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
653
654 src_ts = selector2ts(&policy_id->sel, TRUE);
655 dst_ts = selector2ts(&policy_id->sel, FALSE);
656 dir = (policy_dir_t)policy_id->dir;
657
658 DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
659
660 while (RTA_OK(rta, rtasize))
661 {
662 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
663 if (rta->rta_type == XFRMA_KMADDRESS)
664 {
665 struct xfrm_user_kmaddress *kmaddress;
666
667 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
668 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
669 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
670 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
671 }
672 else if (rta->rta_type == XFRMA_MIGRATE)
673 {
674 struct xfrm_user_migrate *migrate;
675 protocol_id_t proto;
676
677 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
678 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
679 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
680 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
681 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
682 proto = proto_kernel2ike(migrate->proto);
683 reqid = migrate->reqid;
684 DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}",
685 protocol_id_names, proto, old_src, old_dst,
686 new_src, new_dst, reqid);
687 DESTROY_IF(old_src);
688 DESTROY_IF(old_dst);
689 DESTROY_IF(new_src);
690 DESTROY_IF(new_dst);
691 }
692 rta = RTA_NEXT(rta, rtasize);
693 }
694
695 if (src_ts && dst_ts && local && remote)
696 {
697 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
698 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
699 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
700 local, remote);
701 charon->processor->queue_job(charon->processor, job);
702 }
703 else
704 {
705 DESTROY_IF(src_ts);
706 DESTROY_IF(dst_ts);
707 DESTROY_IF(local);
708 DESTROY_IF(remote);
709 }
710 }
711
712 /**
713 * process a XFRM_MSG_MAPPING from kernel
714 */
715 static void process_mapping(private_kernel_netlink_ipsec_t *this,
716 struct nlmsghdr *hdr)
717 {
718 job_t *job;
719 u_int32_t spi, reqid;
720 struct xfrm_user_mapping *mapping;
721 host_t *host;
722
723 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
724 spi = mapping->id.spi;
725 reqid = mapping->reqid;
726
727 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
728
729 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
730 {
731 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
732 mapping->new_sport);
733 if (host)
734 {
735 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
736 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
737 job = (job_t*)update_sa_job_create(reqid, host);
738 charon->processor->queue_job(charon->processor, job);
739 }
740 }
741 }
742
743 /**
744 * Receives events from kernel
745 */
746 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
747 {
748 char response[1024];
749 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
750 struct sockaddr_nl addr;
751 socklen_t addr_len = sizeof(addr);
752 int len;
753 bool oldstate;
754
755 oldstate = thread_cancelability(TRUE);
756 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
757 (struct sockaddr*)&addr, &addr_len);
758 thread_cancelability(oldstate);
759
760 if (len < 0)
761 {
762 switch (errno)
763 {
764 case EINTR:
765 /* interrupted, try again */
766 return JOB_REQUEUE_DIRECT;
767 case EAGAIN:
768 /* no data ready, select again */
769 return JOB_REQUEUE_DIRECT;
770 default:
771 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
772 sleep(1);
773 return JOB_REQUEUE_FAIR;
774 }
775 }
776
777 if (addr.nl_pid != 0)
778 { /* not from kernel. not interested, try another one */
779 return JOB_REQUEUE_DIRECT;
780 }
781
782 while (NLMSG_OK(hdr, len))
783 {
784 switch (hdr->nlmsg_type)
785 {
786 case XFRM_MSG_ACQUIRE:
787 process_acquire(this, hdr);
788 break;
789 case XFRM_MSG_EXPIRE:
790 process_expire(this, hdr);
791 break;
792 case XFRM_MSG_MIGRATE:
793 process_migrate(this, hdr);
794 break;
795 case XFRM_MSG_MAPPING:
796 process_mapping(this, hdr);
797 break;
798 default:
799 DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);
800 break;
801 }
802 hdr = NLMSG_NEXT(hdr, len);
803 }
804 return JOB_REQUEUE_DIRECT;
805 }
806
807 /**
808 * Get an SPI for a specific protocol from the kernel.
809 */
810 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
811 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
812 u_int32_t reqid, u_int32_t *spi)
813 {
814 netlink_buf_t request;
815 struct nlmsghdr *hdr, *out;
816 struct xfrm_userspi_info *userspi;
817 u_int32_t received_spi = 0;
818 size_t len;
819
820 memset(&request, 0, sizeof(request));
821
822 hdr = (struct nlmsghdr*)request;
823 hdr->nlmsg_flags = NLM_F_REQUEST;
824 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
825 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
826
827 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
828 host2xfrm(src, &userspi->info.saddr);
829 host2xfrm(dst, &userspi->info.id.daddr);
830 userspi->info.id.proto = proto;
831 userspi->info.mode = XFRM_MODE_TUNNEL;
832 userspi->info.reqid = reqid;
833 userspi->info.family = src->get_family(src);
834 userspi->min = min;
835 userspi->max = max;
836
837 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
838 {
839 hdr = out;
840 while (NLMSG_OK(hdr, len))
841 {
842 switch (hdr->nlmsg_type)
843 {
844 case XFRM_MSG_NEWSA:
845 {
846 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
847 received_spi = usersa->id.spi;
848 break;
849 }
850 case NLMSG_ERROR:
851 {
852 struct nlmsgerr *err = NLMSG_DATA(hdr);
853
854 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
855 strerror(-err->error), -err->error);
856 break;
857 }
858 default:
859 hdr = NLMSG_NEXT(hdr, len);
860 continue;
861 case NLMSG_DONE:
862 break;
863 }
864 break;
865 }
866 free(out);
867 }
868
869 if (received_spi == 0)
870 {
871 return FAILED;
872 }
873
874 *spi = received_spi;
875 return SUCCESS;
876 }
877
878 METHOD(kernel_ipsec_t, get_spi, status_t,
879 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
880 protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
881 {
882 DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
883
884 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
885 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
886 {
887 DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
888 return FAILED;
889 }
890
891 DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
892
893 return SUCCESS;
894 }
895
896 METHOD(kernel_ipsec_t, get_cpi, status_t,
897 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
898 u_int32_t reqid, u_int16_t *cpi)
899 {
900 u_int32_t received_spi = 0;
901
902 DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
903
904 if (get_spi_internal(this, src, dst,
905 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
906 {
907 DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
908 return FAILED;
909 }
910
911 *cpi = htons((u_int16_t)ntohl(received_spi));
912
913 DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
914
915 return SUCCESS;
916 }
917
918 METHOD(kernel_ipsec_t, add_sa, status_t,
919 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
920 u_int32_t spi, protocol_id_t protocol, u_int32_t reqid,
921 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
922 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
923 u_int16_t cpi, bool encap, bool inbound, traffic_selector_t* src_ts,
924 traffic_selector_t* dst_ts)
925 {
926 netlink_buf_t request;
927 char *alg_name;
928 struct nlmsghdr *hdr;
929 struct xfrm_usersa_info *sa;
930 u_int16_t icv_size = 64;
931
932 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
933 * we are in the recursive call below */
934 if (ipcomp != IPCOMP_NONE && cpi != 0)
935 {
936 lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
937 add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, &lft,
938 ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
939 mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
940 ipcomp = IPCOMP_NONE;
941 /* use transport mode ESP SA, IPComp uses tunnel mode */
942 mode = MODE_TRANSPORT;
943 }
944
945 memset(&request, 0, sizeof(request));
946
947 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
948 ntohl(spi), reqid);
949
950 hdr = (struct nlmsghdr*)request;
951 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
952 hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
953 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
954
955 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
956 host2xfrm(src, &sa->saddr);
957 host2xfrm(dst, &sa->id.daddr);
958 sa->id.spi = spi;
959 sa->id.proto = proto_ike2kernel(protocol);
960 sa->family = src->get_family(src);
961 sa->mode = mode2kernel(mode);
962 switch (mode)
963 {
964 case MODE_TUNNEL:
965 sa->flags |= XFRM_STATE_AF_UNSPEC;
966 break;
967 case MODE_BEET:
968 if(src_ts && dst_ts)
969 {
970 sa->sel = ts2selector(src_ts, dst_ts);
971 }
972 break;
973 default:
974 break;
975 }
976
977 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
978 sa->reqid = reqid;
979 sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
980 sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life);
981 sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey);
982 sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life);
983 /* we use lifetimes since added, not since used */
984 sa->lft.soft_add_expires_seconds = lifetime->time.rekey;
985 sa->lft.hard_add_expires_seconds = lifetime->time.life;
986 sa->lft.soft_use_expires_seconds = 0;
987 sa->lft.hard_use_expires_seconds = 0;
988
989 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
990
991 switch (enc_alg)
992 {
993 case ENCR_UNDEFINED:
994 /* no encryption */
995 break;
996 case ENCR_AES_CCM_ICV16:
997 case ENCR_AES_GCM_ICV16:
998 case ENCR_NULL_AUTH_AES_GMAC:
999 case ENCR_CAMELLIA_CCM_ICV16:
1000 icv_size += 32;
1001 /* FALL */
1002 case ENCR_AES_CCM_ICV12:
1003 case ENCR_AES_GCM_ICV12:
1004 case ENCR_CAMELLIA_CCM_ICV12:
1005 icv_size += 32;
1006 /* FALL */
1007 case ENCR_AES_CCM_ICV8:
1008 case ENCR_AES_GCM_ICV8:
1009 case ENCR_CAMELLIA_CCM_ICV8:
1010 {
1011 struct xfrm_algo_aead *algo;
1012
1013 alg_name = lookup_algorithm(encryption_algs, enc_alg);
1014 if (alg_name == NULL)
1015 {
1016 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1017 encryption_algorithm_names, enc_alg);
1018 return FAILED;
1019 }
1020 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1021 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1022
1023 rthdr->rta_type = XFRMA_ALG_AEAD;
1024 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
1025 hdr->nlmsg_len += rthdr->rta_len;
1026 if (hdr->nlmsg_len > sizeof(request))
1027 {
1028 return FAILED;
1029 }
1030
1031 algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
1032 algo->alg_key_len = enc_key.len * 8;
1033 algo->alg_icv_len = icv_size;
1034 strcpy(algo->alg_name, alg_name);
1035 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
1036
1037 rthdr = XFRM_RTA_NEXT(rthdr);
1038 break;
1039 }
1040 default:
1041 {
1042 struct xfrm_algo *algo;
1043
1044 alg_name = lookup_algorithm(encryption_algs, enc_alg);
1045 if (alg_name == NULL)
1046 {
1047 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1048 encryption_algorithm_names, enc_alg);
1049 return FAILED;
1050 }
1051 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1052 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1053
1054 rthdr->rta_type = XFRMA_ALG_CRYPT;
1055 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
1056 hdr->nlmsg_len += rthdr->rta_len;
1057 if (hdr->nlmsg_len > sizeof(request))
1058 {
1059 return FAILED;
1060 }
1061
1062 algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1063 algo->alg_key_len = enc_key.len * 8;
1064 strcpy(algo->alg_name, alg_name);
1065 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
1066
1067 rthdr = XFRM_RTA_NEXT(rthdr);
1068 }
1069 }
1070
1071 if (int_alg != AUTH_UNDEFINED)
1072 {
1073 alg_name = lookup_algorithm(integrity_algs, int_alg);
1074 if (alg_name == NULL)
1075 {
1076 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1077 integrity_algorithm_names, int_alg);
1078 return FAILED;
1079 }
1080 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1081 integrity_algorithm_names, int_alg, int_key.len * 8);
1082
1083 if (int_alg == AUTH_HMAC_SHA2_256_128)
1084 {
1085 struct xfrm_algo_auth* algo;
1086
1087 /* the kernel uses SHA256 with 96 bit truncation by default,
1088 * use specified truncation size supported by newer kernels */
1089 rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
1090 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) + int_key.len);
1091
1092 hdr->nlmsg_len += rthdr->rta_len;
1093 if (hdr->nlmsg_len > sizeof(request))
1094 {
1095 return FAILED;
1096 }
1097
1098 algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
1099 algo->alg_key_len = int_key.len * 8;
1100 algo->alg_trunc_len = 128;
1101 strcpy(algo->alg_name, alg_name);
1102 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1103 }
1104 else
1105 {
1106 struct xfrm_algo* algo;
1107
1108 rthdr->rta_type = XFRMA_ALG_AUTH;
1109 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
1110
1111 hdr->nlmsg_len += rthdr->rta_len;
1112 if (hdr->nlmsg_len > sizeof(request))
1113 {
1114 return FAILED;
1115 }
1116
1117 algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1118 algo->alg_key_len = int_key.len * 8;
1119 strcpy(algo->alg_name, alg_name);
1120 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1121 }
1122 rthdr = XFRM_RTA_NEXT(rthdr);
1123 }
1124
1125 if (ipcomp != IPCOMP_NONE)
1126 {
1127 rthdr->rta_type = XFRMA_ALG_COMP;
1128 alg_name = lookup_algorithm(compression_algs, ipcomp);
1129 if (alg_name == NULL)
1130 {
1131 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1132 ipcomp_transform_names, ipcomp);
1133 return FAILED;
1134 }
1135 DBG2(DBG_KNL, " using compression algorithm %N",
1136 ipcomp_transform_names, ipcomp);
1137
1138 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
1139 hdr->nlmsg_len += rthdr->rta_len;
1140 if (hdr->nlmsg_len > sizeof(request))
1141 {
1142 return FAILED;
1143 }
1144
1145 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1146 algo->alg_key_len = 0;
1147 strcpy(algo->alg_name, alg_name);
1148
1149 rthdr = XFRM_RTA_NEXT(rthdr);
1150 }
1151
1152 if (encap)
1153 {
1154 rthdr->rta_type = XFRMA_ENCAP;
1155 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1156
1157 hdr->nlmsg_len += rthdr->rta_len;
1158 if (hdr->nlmsg_len > sizeof(request))
1159 {
1160 return FAILED;
1161 }
1162
1163 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1164 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1165 tmpl->encap_sport = htons(src->get_port(src));
1166 tmpl->encap_dport = htons(dst->get_port(dst));
1167 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1168 /* encap_oa could probably be derived from the
1169 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1170 * pluto does the same as we do here but it uses encap_oa in the
1171 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1172 * the kernel ignores it anyway
1173 * -> does that mean that NAT-T encap doesn't work in transport mode?
1174 * No. The reason the kernel ignores NAT-OA is that it recomputes
1175 * (or, rather, just ignores) the checksum. If packets pass
1176 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1177 rthdr = XFRM_RTA_NEXT(rthdr);
1178 }
1179
1180 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1181 {
1182 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1183 return FAILED;
1184 }
1185 return SUCCESS;
1186 }
1187
1188 /**
1189 * Get the replay state (i.e. sequence numbers) of an SA.
1190 */
1191 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
1192 u_int32_t spi, protocol_id_t protocol, host_t *dst,
1193 struct xfrm_replay_state *replay)
1194 {
1195 netlink_buf_t request;
1196 struct nlmsghdr *hdr, *out = NULL;
1197 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1198 size_t len;
1199 struct rtattr *rta;
1200 size_t rtasize;
1201
1202 memset(&request, 0, sizeof(request));
1203
1204 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
1205
1206 hdr = (struct nlmsghdr*)request;
1207 hdr->nlmsg_flags = NLM_F_REQUEST;
1208 hdr->nlmsg_type = XFRM_MSG_GETAE;
1209 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1210
1211 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1212 aevent_id->flags = XFRM_AE_RVAL;
1213
1214 host2xfrm(dst, &aevent_id->sa_id.daddr);
1215 aevent_id->sa_id.spi = spi;
1216 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
1217 aevent_id->sa_id.family = dst->get_family(dst);
1218
1219 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1220 {
1221 hdr = out;
1222 while (NLMSG_OK(hdr, len))
1223 {
1224 switch (hdr->nlmsg_type)
1225 {
1226 case XFRM_MSG_NEWAE:
1227 {
1228 out_aevent = NLMSG_DATA(hdr);
1229 break;
1230 }
1231 case NLMSG_ERROR:
1232 {
1233 struct nlmsgerr *err = NLMSG_DATA(hdr);
1234 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
1235 strerror(-err->error), -err->error);
1236 break;
1237 }
1238 default:
1239 hdr = NLMSG_NEXT(hdr, len);
1240 continue;
1241 case NLMSG_DONE:
1242 break;
1243 }
1244 break;
1245 }
1246 }
1247
1248 if (out_aevent == NULL)
1249 {
1250 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1251 ntohl(spi));
1252 free(out);
1253 return FAILED;
1254 }
1255
1256 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1257 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1258 while(RTA_OK(rta, rtasize))
1259 {
1260 if (rta->rta_type == XFRMA_REPLAY_VAL &&
1261 RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
1262 {
1263 memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
1264 free(out);
1265 return SUCCESS;
1266 }
1267 rta = RTA_NEXT(rta, rtasize);
1268 }
1269
1270 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1271 ntohl(spi));
1272 free(out);
1273 return FAILED;
1274 }
1275
1276 METHOD(kernel_ipsec_t, query_sa, status_t,
1277 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1278 u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
1279 {
1280 netlink_buf_t request;
1281 struct nlmsghdr *out = NULL, *hdr;
1282 struct xfrm_usersa_id *sa_id;
1283 struct xfrm_usersa_info *sa = NULL;
1284 size_t len;
1285
1286 memset(&request, 0, sizeof(request));
1287
1288 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1289
1290 hdr = (struct nlmsghdr*)request;
1291 hdr->nlmsg_flags = NLM_F_REQUEST;
1292 hdr->nlmsg_type = XFRM_MSG_GETSA;
1293 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1294
1295 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1296 host2xfrm(dst, &sa_id->daddr);
1297 sa_id->spi = spi;
1298 sa_id->proto = proto_ike2kernel(protocol);
1299 sa_id->family = dst->get_family(dst);
1300
1301 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1302 {
1303 hdr = out;
1304 while (NLMSG_OK(hdr, len))
1305 {
1306 switch (hdr->nlmsg_type)
1307 {
1308 case XFRM_MSG_NEWSA:
1309 {
1310 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1311 break;
1312 }
1313 case NLMSG_ERROR:
1314 {
1315 struct nlmsgerr *err = NLMSG_DATA(hdr);
1316 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x failed: %s (%d)",
1317 ntohl(spi), strerror(-err->error), -err->error);
1318 break;
1319 }
1320 default:
1321 hdr = NLMSG_NEXT(hdr, len);
1322 continue;
1323 case NLMSG_DONE:
1324 break;
1325 }
1326 break;
1327 }
1328 }
1329
1330 if (sa == NULL)
1331 {
1332 DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1333 free(out);
1334 return FAILED;
1335 }
1336 *bytes = sa->curlft.bytes;
1337
1338 free(out);
1339 return SUCCESS;
1340 }
1341
1342 METHOD(kernel_ipsec_t, del_sa, status_t,
1343 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1344 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
1345 {
1346 netlink_buf_t request;
1347 struct nlmsghdr *hdr;
1348 struct xfrm_usersa_id *sa_id;
1349
1350 /* if IPComp was used, we first delete the additional IPComp SA */
1351 if (cpi)
1352 {
1353 del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
1354 }
1355
1356 memset(&request, 0, sizeof(request));
1357
1358 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1359
1360 hdr = (struct nlmsghdr*)request;
1361 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1362 hdr->nlmsg_type = XFRM_MSG_DELSA;
1363 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1364
1365 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1366 host2xfrm(dst, &sa_id->daddr);
1367 sa_id->spi = spi;
1368 sa_id->proto = proto_ike2kernel(protocol);
1369 sa_id->family = dst->get_family(dst);
1370
1371 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1372 {
1373 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1374 return FAILED;
1375 }
1376 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1377 return SUCCESS;
1378 }
1379
1380 METHOD(kernel_ipsec_t, update_sa, status_t,
1381 private_kernel_netlink_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
1382 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1383 bool old_encap, bool new_encap)
1384 {
1385 netlink_buf_t request;
1386 u_char *pos;
1387 struct nlmsghdr *hdr, *out = NULL;
1388 struct xfrm_usersa_id *sa_id;
1389 struct xfrm_usersa_info *out_sa = NULL, *sa;
1390 size_t len;
1391 struct rtattr *rta;
1392 size_t rtasize;
1393 struct xfrm_encap_tmpl* tmpl = NULL;
1394 bool got_replay_state = FALSE;
1395 struct xfrm_replay_state replay;
1396
1397 /* if IPComp is used, we first update the IPComp SA */
1398 if (cpi)
1399 {
1400 update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
1401 src, dst, new_src, new_dst, FALSE, FALSE);
1402 }
1403
1404 memset(&request, 0, sizeof(request));
1405
1406 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1407
1408 /* query the existing SA first */
1409 hdr = (struct nlmsghdr*)request;
1410 hdr->nlmsg_flags = NLM_F_REQUEST;
1411 hdr->nlmsg_type = XFRM_MSG_GETSA;
1412 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1413
1414 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1415 host2xfrm(dst, &sa_id->daddr);
1416 sa_id->spi = spi;
1417 sa_id->proto = proto_ike2kernel(protocol);
1418 sa_id->family = dst->get_family(dst);
1419
1420 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1421 {
1422 hdr = out;
1423 while (NLMSG_OK(hdr, len))
1424 {
1425 switch (hdr->nlmsg_type)
1426 {
1427 case XFRM_MSG_NEWSA:
1428 {
1429 out_sa = NLMSG_DATA(hdr);
1430 break;
1431 }
1432 case NLMSG_ERROR:
1433 {
1434 struct nlmsgerr *err = NLMSG_DATA(hdr);
1435 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1436 strerror(-err->error), -err->error);
1437 break;
1438 }
1439 default:
1440 hdr = NLMSG_NEXT(hdr, len);
1441 continue;
1442 case NLMSG_DONE:
1443 break;
1444 }
1445 break;
1446 }
1447 }
1448 if (out_sa == NULL)
1449 {
1450 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1451 free(out);
1452 return FAILED;
1453 }
1454
1455 /* try to get the replay state */
1456 if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
1457 {
1458 got_replay_state = TRUE;
1459 }
1460
1461 /* delete the old SA (without affecting the IPComp SA) */
1462 if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS)
1463 {
1464 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1465 free(out);
1466 return FAILED;
1467 }
1468
1469 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1470 ntohl(spi), src, dst, new_src, new_dst);
1471 /* copy over the SA from out to request */
1472 hdr = (struct nlmsghdr*)request;
1473 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1474 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1475 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1476 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1477 sa = NLMSG_DATA(hdr);
1478 sa->family = new_dst->get_family(new_dst);
1479
1480 if (!src->ip_equals(src, new_src))
1481 {
1482 host2xfrm(new_src, &sa->saddr);
1483 }
1484 if (!dst->ip_equals(dst, new_dst))
1485 {
1486 host2xfrm(new_dst, &sa->id.daddr);
1487 }
1488
1489 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1490 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1491 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1492 while(RTA_OK(rta, rtasize))
1493 {
1494 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1495 if (rta->rta_type != XFRMA_ENCAP || new_encap)
1496 {
1497 if (rta->rta_type == XFRMA_ENCAP)
1498 { /* update encap tmpl */
1499 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1500 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1501 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1502 }
1503 memcpy(pos, rta, rta->rta_len);
1504 pos += RTA_ALIGN(rta->rta_len);
1505 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1506 }
1507 rta = RTA_NEXT(rta, rtasize);
1508 }
1509
1510 rta = (struct rtattr*)pos;
1511 if (tmpl == NULL && new_encap)
1512 { /* add tmpl if we are enabling it */
1513 rta->rta_type = XFRMA_ENCAP;
1514 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1515
1516 hdr->nlmsg_len += rta->rta_len;
1517 if (hdr->nlmsg_len > sizeof(request))
1518 {
1519 return FAILED;
1520 }
1521
1522 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1523 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1524 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1525 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1526 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1527
1528 rta = XFRM_RTA_NEXT(rta);
1529 }
1530
1531 if (got_replay_state)
1532 { /* copy the replay data if available */
1533 rta->rta_type = XFRMA_REPLAY_VAL;
1534 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1535
1536 hdr->nlmsg_len += rta->rta_len;
1537 if (hdr->nlmsg_len > sizeof(request))
1538 {
1539 return FAILED;
1540 }
1541 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1542
1543 rta = XFRM_RTA_NEXT(rta);
1544 }
1545
1546 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1547 {
1548 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1549 free(out);
1550 return FAILED;
1551 }
1552 free(out);
1553
1554 return SUCCESS;
1555 }
1556
1557 METHOD(kernel_ipsec_t, add_policy, status_t,
1558 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1559 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
1560 policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
1561 u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1562 bool routed)
1563 {
1564 policy_entry_t *current, *policy;
1565 bool found = FALSE;
1566 netlink_buf_t request;
1567 struct xfrm_userpolicy_info *policy_info;
1568 struct nlmsghdr *hdr;
1569
1570 /* create a policy */
1571 policy = malloc_thing(policy_entry_t);
1572 memset(policy, 0, sizeof(policy_entry_t));
1573 policy->sel = ts2selector(src_ts, dst_ts);
1574 policy->direction = direction;
1575
1576 /* find the policy, which matches EXACTLY */
1577 this->mutex->lock(this->mutex);
1578 current = this->policies->get(this->policies, policy);
1579 if (current)
1580 {
1581 /* use existing policy */
1582 current->refcount++;
1583 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1584 "refcount", src_ts, dst_ts,
1585 policy_dir_names, direction);
1586 free(policy);
1587 policy = current;
1588 found = TRUE;
1589 }
1590 else
1591 { /* apply the new one, if we have no such policy */
1592 this->policies->put(this->policies, policy, policy);
1593 policy->refcount = 1;
1594 }
1595
1596 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1597 policy_dir_names, direction);
1598
1599 memset(&request, 0, sizeof(request));
1600 hdr = (struct nlmsghdr*)request;
1601 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1602 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1603 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1604
1605 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1606 policy_info->sel = policy->sel;
1607 policy_info->dir = policy->direction;
1608 /* calculate priority based on source selector size, small size = high prio */
1609 policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
1610 policy_info->priority -= policy->sel.prefixlen_s * 10;
1611 policy_info->priority -= policy->sel.proto ? 2 : 0;
1612 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1613 policy_info->action = XFRM_POLICY_ALLOW;
1614 policy_info->share = XFRM_SHARE_ANY;
1615 this->mutex->unlock(this->mutex);
1616
1617 /* policies don't expire */
1618 policy_info->lft.soft_byte_limit = XFRM_INF;
1619 policy_info->lft.soft_packet_limit = XFRM_INF;
1620 policy_info->lft.hard_byte_limit = XFRM_INF;
1621 policy_info->lft.hard_packet_limit = XFRM_INF;
1622 policy_info->lft.soft_add_expires_seconds = 0;
1623 policy_info->lft.hard_add_expires_seconds = 0;
1624 policy_info->lft.soft_use_expires_seconds = 0;
1625 policy_info->lft.hard_use_expires_seconds = 0;
1626
1627 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1628 rthdr->rta_type = XFRMA_TMPL;
1629 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1630
1631 hdr->nlmsg_len += rthdr->rta_len;
1632 if (hdr->nlmsg_len > sizeof(request))
1633 {
1634 return FAILED;
1635 }
1636
1637 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1638
1639 if (ipcomp != IPCOMP_NONE)
1640 {
1641 tmpl->reqid = reqid;
1642 tmpl->id.proto = IPPROTO_COMP;
1643 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1644 tmpl->mode = mode2kernel(mode);
1645 tmpl->optional = direction != POLICY_OUT;
1646 tmpl->family = src->get_family(src);
1647
1648 host2xfrm(src, &tmpl->saddr);
1649 host2xfrm(dst, &tmpl->id.daddr);
1650
1651 /* add an additional xfrm_user_tmpl */
1652 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1653 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1654 if (hdr->nlmsg_len > sizeof(request))
1655 {
1656 return FAILED;
1657 }
1658
1659 tmpl++;
1660
1661 /* use transport mode for ESP if we have a tunnel mode IPcomp SA */
1662 mode = MODE_TRANSPORT;
1663 }
1664 else
1665 {
1666 /* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */
1667 host2xfrm(src, &tmpl->saddr);
1668 host2xfrm(dst, &tmpl->id.daddr);
1669 }
1670
1671 tmpl->reqid = reqid;
1672 tmpl->id.proto = proto_ike2kernel(protocol);
1673 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1674 tmpl->mode = mode2kernel(mode);
1675 tmpl->family = src->get_family(src);
1676
1677 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1678 {
1679 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1680 policy_dir_names, direction);
1681 return FAILED;
1682 }
1683
1684 /* install a route, if:
1685 * - we are NOT updating a policy
1686 * - this is a forward policy (to just get one for each child)
1687 * - we are in tunnel/BEET mode
1688 * - routing is not disabled via strongswan.conf
1689 */
1690 if (policy->route == NULL && direction == POLICY_FWD &&
1691 mode != MODE_TRANSPORT && this->install_routes)
1692 {
1693 route_entry_t *route = malloc_thing(route_entry_t);
1694
1695 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1696 dst_ts, &route->src_ip) == SUCCESS)
1697 {
1698 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1699 route->gateway = charon->kernel_interface->get_nexthop(
1700 charon->kernel_interface, src);
1701 /* install route via outgoing interface */
1702 route->if_name = charon->kernel_interface->get_interface(
1703 charon->kernel_interface, dst);
1704 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1705 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1706 route->prefixlen = policy->sel.prefixlen_s;
1707
1708 if (route->if_name)
1709 {
1710 switch (charon->kernel_interface->add_route(
1711 charon->kernel_interface, route->dst_net,
1712 route->prefixlen, route->gateway,
1713 route->src_ip, route->if_name))
1714 {
1715 default:
1716 DBG1(DBG_KNL, "unable to install source route for %H",
1717 route->src_ip);
1718 /* FALL */
1719 case ALREADY_DONE:
1720 /* route exists, do not uninstall */
1721 route_entry_destroy(route);
1722 break;
1723 case SUCCESS:
1724 /* cache the installed route */
1725 policy->route = route;
1726 break;
1727 }
1728 }
1729 else
1730 {
1731 route_entry_destroy(route);
1732 }
1733 }
1734 else
1735 {
1736 free(route);
1737 }
1738 }
1739 return SUCCESS;
1740 }
1741
1742 METHOD(kernel_ipsec_t, query_policy, status_t,
1743 private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
1744 traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
1745 {
1746 netlink_buf_t request;
1747 struct nlmsghdr *out = NULL, *hdr;
1748 struct xfrm_userpolicy_id *policy_id;
1749 struct xfrm_userpolicy_info *policy = NULL;
1750 size_t len;
1751
1752 memset(&request, 0, sizeof(request));
1753
1754 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1755 policy_dir_names, direction);
1756
1757 hdr = (struct nlmsghdr*)request;
1758 hdr->nlmsg_flags = NLM_F_REQUEST;
1759 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1760 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1761
1762 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1763 policy_id->sel = ts2selector(src_ts, dst_ts);
1764 policy_id->dir = direction;
1765
1766 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1767 {
1768 hdr = out;
1769 while (NLMSG_OK(hdr, len))
1770 {
1771 switch (hdr->nlmsg_type)
1772 {
1773 case XFRM_MSG_NEWPOLICY:
1774 {
1775 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1776 break;
1777 }
1778 case NLMSG_ERROR:
1779 {
1780 struct nlmsgerr *err = NLMSG_DATA(hdr);
1781 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1782 strerror(-err->error), -err->error);
1783 break;
1784 }
1785 default:
1786 hdr = NLMSG_NEXT(hdr, len);
1787 continue;
1788 case NLMSG_DONE:
1789 break;
1790 }
1791 break;
1792 }
1793 }
1794
1795 if (policy == NULL)
1796 {
1797 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1798 policy_dir_names, direction);
1799 free(out);
1800 return FAILED;
1801 }
1802
1803 if (policy->curlft.use_time)
1804 {
1805 /* we need the monotonic time, but the kernel returns system time. */
1806 *use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
1807 }
1808 else
1809 {
1810 *use_time = 0;
1811 }
1812
1813 free(out);
1814 return SUCCESS;
1815 }
1816
1817 METHOD(kernel_ipsec_t, del_policy, status_t,
1818 private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
1819 traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted)
1820 {
1821 policy_entry_t *current, policy, *to_delete = NULL;
1822 route_entry_t *route;
1823 netlink_buf_t request;
1824 struct nlmsghdr *hdr;
1825 struct xfrm_userpolicy_id *policy_id;
1826
1827 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1828 policy_dir_names, direction);
1829
1830 /* create a policy */
1831 memset(&policy, 0, sizeof(policy_entry_t));
1832 policy.sel = ts2selector(src_ts, dst_ts);
1833 policy.direction = direction;
1834
1835 /* find the policy */
1836 this->mutex->lock(this->mutex);
1837 current = this->policies->get(this->policies, &policy);
1838 if (current)
1839 {
1840 to_delete = current;
1841 if (--to_delete->refcount > 0)
1842 {
1843 /* is used by more SAs, keep in kernel */
1844 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1845 this->mutex->unlock(this->mutex);
1846 return SUCCESS;
1847 }
1848 /* remove if last reference */
1849 this->policies->remove(this->policies, to_delete);
1850 }
1851 this->mutex->unlock(this->mutex);
1852 if (!to_delete)
1853 {
1854 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1855 dst_ts, policy_dir_names, direction);
1856 return NOT_FOUND;
1857 }
1858
1859 memset(&request, 0, sizeof(request));
1860
1861 hdr = (struct nlmsghdr*)request;
1862 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1863 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1864 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1865
1866 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1867 policy_id->sel = to_delete->sel;
1868 policy_id->dir = direction;
1869
1870 route = to_delete->route;
1871 free(to_delete);
1872
1873 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1874 {
1875 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1876 policy_dir_names, direction);
1877 return FAILED;
1878 }
1879
1880 if (route)
1881 {
1882 if (charon->kernel_interface->del_route(charon->kernel_interface,
1883 route->dst_net, route->prefixlen, route->gateway,
1884 route->src_ip, route->if_name) != SUCCESS)
1885 {
1886 DBG1(DBG_KNL, "error uninstalling route installed with "
1887 "policy %R === %R %N", src_ts, dst_ts,
1888 policy_dir_names, direction);
1889 }
1890 route_entry_destroy(route);
1891 }
1892 return SUCCESS;
1893 }
1894
1895 METHOD(kernel_ipsec_t, bypass_socket, bool,
1896 private_kernel_netlink_ipsec_t *this, int fd, int family)
1897 {
1898 struct xfrm_userpolicy_info policy;
1899 u_int sol, ipsec_policy;
1900
1901 switch (family)
1902 {
1903 case AF_INET:
1904 sol = SOL_IP;
1905 ipsec_policy = IP_XFRM_POLICY;
1906 break;
1907 case AF_INET6:
1908 sol = SOL_IPV6;
1909 ipsec_policy = IPV6_XFRM_POLICY;
1910 break;
1911 default:
1912 return FALSE;
1913 }
1914
1915 memset(&policy, 0, sizeof(policy));
1916 policy.action = XFRM_POLICY_ALLOW;
1917 policy.sel.family = family;
1918
1919 policy.dir = XFRM_POLICY_OUT;
1920 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1921 {
1922 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1923 strerror(errno));
1924 return FALSE;
1925 }
1926 policy.dir = XFRM_POLICY_IN;
1927 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1928 {
1929 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1930 strerror(errno));
1931 return FALSE;
1932 }
1933 return TRUE;
1934 }
1935
1936 METHOD(kernel_ipsec_t, destroy, void,
1937 private_kernel_netlink_ipsec_t *this)
1938 {
1939 enumerator_t *enumerator;
1940 policy_entry_t *policy;
1941
1942 if (this->job)
1943 {
1944 this->job->cancel(this->job);
1945 }
1946 if (this->socket_xfrm_events > 0)
1947 {
1948 close(this->socket_xfrm_events);
1949 }
1950 DESTROY_IF(this->socket_xfrm);
1951 enumerator = this->policies->create_enumerator(this->policies);
1952 while (enumerator->enumerate(enumerator, &policy, &policy))
1953 {
1954 free(policy);
1955 }
1956 enumerator->destroy(enumerator);
1957 this->policies->destroy(this->policies);
1958 this->mutex->destroy(this->mutex);
1959 free(this);
1960 }
1961
1962 /*
1963 * Described in header.
1964 */
1965 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
1966 {
1967 private_kernel_netlink_ipsec_t *this;
1968 struct sockaddr_nl addr;
1969 int fd;
1970
1971 INIT(this,
1972 .public.interface = {
1973 .get_spi = _get_spi,
1974 .get_cpi = _get_cpi,
1975 .add_sa = _add_sa,
1976 .update_sa = _update_sa,
1977 .query_sa = _query_sa,
1978 .del_sa = _del_sa,
1979 .add_policy = _add_policy,
1980 .query_policy = _query_policy,
1981 .del_policy = _del_policy,
1982 .bypass_socket = _bypass_socket,
1983 .destroy = _destroy,
1984 },
1985 .policies = hashtable_create((hashtable_hash_t)policy_hash,
1986 (hashtable_equals_t)policy_equals, 32),
1987 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
1988 .install_routes = lib->settings->get_bool(lib->settings,
1989 "charon.install_routes", TRUE),
1990 );
1991
1992 /* disable lifetimes for allocated SPIs in kernel */
1993 fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
1994 if (fd)
1995 {
1996 ignore_result(write(fd, "165", 3));
1997 close(fd);
1998 }
1999
2000 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
2001 if (!this->socket_xfrm)
2002 {
2003 destroy(this);
2004 return NULL;
2005 }
2006
2007 memset(&addr, 0, sizeof(addr));
2008 addr.nl_family = AF_NETLINK;
2009
2010 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
2011 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2012 if (this->socket_xfrm_events <= 0)
2013 {
2014 DBG1(DBG_KNL, "unable to create XFRM event socket");
2015 destroy(this);
2016 return NULL;
2017 }
2018 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
2019 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
2020 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2021 {
2022 DBG1(DBG_KNL, "unable to bind XFRM event socket");
2023 destroy(this);
2024 return NULL;
2025 }
2026 this->job = callback_job_create((callback_job_cb_t)receive_events,
2027 this, NULL, NULL);
2028 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2029
2030 return &this->public;
2031 }
2032