Moved migrate job creation to kernel event handler.
[strongswan.git] / src / libcharon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2009 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include <sys/types.h>
22 #include <sys/socket.h>
23 #include <stdint.h>
24 #include <linux/ipsec.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <unistd.h>
30 #include <time.h>
31 #include <errno.h>
32 #include <string.h>
33 #include <fcntl.h>
34
35 #include "kernel_netlink_ipsec.h"
36 #include "kernel_netlink_shared.h"
37
38 #include <hydra.h>
39 #include <daemon.h>
40 #include <threading/thread.h>
41 #include <threading/mutex.h>
42 #include <utils/hashtable.h>
43 #include <processing/jobs/callback_job.h>
44
45 /** required for Linux 2.6.26 kernel and later */
46 #ifndef XFRM_STATE_AF_UNSPEC
47 #define XFRM_STATE_AF_UNSPEC 32
48 #endif
49
50 /** from linux/in.h */
51 #ifndef IP_XFRM_POLICY
52 #define IP_XFRM_POLICY 17
53 #endif
54
55 /* missing on uclibc */
56 #ifndef IPV6_XFRM_POLICY
57 #define IPV6_XFRM_POLICY 34
58 #endif /*IPV6_XFRM_POLICY*/
59
60 /** default priority of installed policies */
61 #define PRIO_LOW 3000
62 #define PRIO_HIGH 2000
63
64 /**
65 * map the limit for bytes and packets to XFRM_INF per default
66 */
67 #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
68
69 /**
70 * Create ORable bitfield of XFRM NL groups
71 */
72 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
73
74 /**
75 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
76 * 'usual' netlink data x like 'struct xfrm_usersa_info'
77 */
78 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
79 /**
80 * returns a pointer to the next rtattr following rta.
81 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
82 */
83 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
84 /**
85 * returns the total size of attached rta data
86 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
87 */
88 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
89
90 typedef struct kernel_algorithm_t kernel_algorithm_t;
91
92 /**
93 * Mapping of IKEv2 kernel identifier to linux crypto API names
94 */
95 struct kernel_algorithm_t {
96 /**
97 * Identifier specified in IKEv2
98 */
99 int ikev2;
100
101 /**
102 * Name of the algorithm in linux crypto API
103 */
104 char *name;
105 };
106
107 ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
108 "XFRM_MSG_NEWSA",
109 "XFRM_MSG_DELSA",
110 "XFRM_MSG_GETSA",
111 "XFRM_MSG_NEWPOLICY",
112 "XFRM_MSG_DELPOLICY",
113 "XFRM_MSG_GETPOLICY",
114 "XFRM_MSG_ALLOCSPI",
115 "XFRM_MSG_ACQUIRE",
116 "XFRM_MSG_EXPIRE",
117 "XFRM_MSG_UPDPOLICY",
118 "XFRM_MSG_UPDSA",
119 "XFRM_MSG_POLEXPIRE",
120 "XFRM_MSG_FLUSHSA",
121 "XFRM_MSG_FLUSHPOLICY",
122 "XFRM_MSG_NEWAE",
123 "XFRM_MSG_GETAE",
124 "XFRM_MSG_REPORT",
125 "XFRM_MSG_MIGRATE",
126 "XFRM_MSG_NEWSADINFO",
127 "XFRM_MSG_GETSADINFO",
128 "XFRM_MSG_NEWSPDINFO",
129 "XFRM_MSG_GETSPDINFO",
130 "XFRM_MSG_MAPPING"
131 );
132
133 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
134 "XFRMA_UNSPEC",
135 "XFRMA_ALG_AUTH",
136 "XFRMA_ALG_CRYPT",
137 "XFRMA_ALG_COMP",
138 "XFRMA_ENCAP",
139 "XFRMA_TMPL",
140 "XFRMA_SA",
141 "XFRMA_POLICY",
142 "XFRMA_SEC_CTX",
143 "XFRMA_LTIME_VAL",
144 "XFRMA_REPLAY_VAL",
145 "XFRMA_REPLAY_THRESH",
146 "XFRMA_ETIMER_THRESH",
147 "XFRMA_SRCADDR",
148 "XFRMA_COADDR",
149 "XFRMA_LASTUSED",
150 "XFRMA_POLICY_TYPE",
151 "XFRMA_MIGRATE",
152 "XFRMA_ALG_AEAD",
153 "XFRMA_KMADDRESS"
154 );
155
156 #define END_OF_LIST -1
157
158 /**
159 * Algorithms for encryption
160 */
161 static kernel_algorithm_t encryption_algs[] = {
162 /* {ENCR_DES_IV64, "***" }, */
163 {ENCR_DES, "des" },
164 {ENCR_3DES, "des3_ede" },
165 /* {ENCR_RC5, "***" }, */
166 /* {ENCR_IDEA, "***" }, */
167 {ENCR_CAST, "cast128" },
168 {ENCR_BLOWFISH, "blowfish" },
169 /* {ENCR_3IDEA, "***" }, */
170 /* {ENCR_DES_IV32, "***" }, */
171 {ENCR_NULL, "cipher_null" },
172 {ENCR_AES_CBC, "aes" },
173 {ENCR_AES_CTR, "rfc3686(ctr(aes))" },
174 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
175 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
176 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
177 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
178 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
179 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
180 {ENCR_NULL_AUTH_AES_GMAC, "rfc4543(gcm(aes))" },
181 {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
182 /* {ENCR_CAMELLIA_CTR, "***" }, */
183 /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
184 /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
185 /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
186 {END_OF_LIST, NULL }
187 };
188
189 /**
190 * Algorithms for integrity protection
191 */
192 static kernel_algorithm_t integrity_algs[] = {
193 {AUTH_HMAC_MD5_96, "md5" },
194 {AUTH_HMAC_SHA1_96, "sha1" },
195 {AUTH_HMAC_SHA2_256_96, "sha256" },
196 {AUTH_HMAC_SHA2_256_128, "hmac(sha256)" },
197 {AUTH_HMAC_SHA2_384_192, "hmac(sha384)" },
198 {AUTH_HMAC_SHA2_512_256, "hmac(sha512)" },
199 /* {AUTH_DES_MAC, "***" }, */
200 /* {AUTH_KPDK_MD5, "***" }, */
201 {AUTH_AES_XCBC_96, "xcbc(aes)" },
202 {END_OF_LIST, NULL }
203 };
204
205 /**
206 * Algorithms for IPComp
207 */
208 static kernel_algorithm_t compression_algs[] = {
209 /* {IPCOMP_OUI, "***" }, */
210 {IPCOMP_DEFLATE, "deflate" },
211 {IPCOMP_LZS, "lzs" },
212 {IPCOMP_LZJH, "lzjh" },
213 {END_OF_LIST, NULL }
214 };
215
216 /**
217 * Look up a kernel algorithm name and its key size
218 */
219 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
220 {
221 while (list->ikev2 != END_OF_LIST)
222 {
223 if (list->ikev2 == ikev2)
224 {
225 return list->name;
226 }
227 list++;
228 }
229 return NULL;
230 }
231
232 typedef struct route_entry_t route_entry_t;
233
234 /**
235 * installed routing entry
236 */
237 struct route_entry_t {
238 /** Name of the interface the route is bound to */
239 char *if_name;
240
241 /** Source ip of the route */
242 host_t *src_ip;
243
244 /** gateway for this route */
245 host_t *gateway;
246
247 /** Destination net */
248 chunk_t dst_net;
249
250 /** Destination net prefixlen */
251 u_int8_t prefixlen;
252 };
253
254 /**
255 * destroy an route_entry_t object
256 */
257 static void route_entry_destroy(route_entry_t *this)
258 {
259 free(this->if_name);
260 this->src_ip->destroy(this->src_ip);
261 DESTROY_IF(this->gateway);
262 chunk_free(&this->dst_net);
263 free(this);
264 }
265
266 typedef struct policy_entry_t policy_entry_t;
267
268 /**
269 * installed kernel policy.
270 */
271 struct policy_entry_t {
272
273 /** direction of this policy: in, out, forward */
274 u_int8_t direction;
275
276 /** parameters of installed policy */
277 struct xfrm_selector sel;
278
279 /** optional mark */
280 u_int32_t mark;
281
282 /** associated route installed for this policy */
283 route_entry_t *route;
284
285 /** by how many CHILD_SA's this policy is used */
286 u_int refcount;
287 };
288
289 /**
290 * Hash function for policy_entry_t objects
291 */
292 static u_int policy_hash(policy_entry_t *key)
293 {
294 chunk_t chunk = chunk_create((void*)&key->sel,
295 sizeof(struct xfrm_selector) + sizeof(u_int32_t));
296 return chunk_hash(chunk);
297 }
298
299 /**
300 * Equality function for policy_entry_t objects
301 */
302 static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
303 {
304 return memeq(&key->sel, &other_key->sel,
305 sizeof(struct xfrm_selector) + sizeof(u_int32_t)) &&
306 key->direction == other_key->direction;
307 }
308
309 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
310
311 /**
312 * Private variables and functions of kernel_netlink class.
313 */
314 struct private_kernel_netlink_ipsec_t {
315 /**
316 * Public part of the kernel_netlink_t object.
317 */
318 kernel_netlink_ipsec_t public;
319
320 /**
321 * mutex to lock access to various lists
322 */
323 mutex_t *mutex;
324
325 /**
326 * Hash table of installed policies (policy_entry_t)
327 */
328 hashtable_t *policies;
329
330 /**
331 * job receiving netlink events
332 */
333 callback_job_t *job;
334
335 /**
336 * Netlink xfrm socket (IPsec)
337 */
338 netlink_socket_t *socket_xfrm;
339
340 /**
341 * netlink xfrm socket to receive acquire and expire events
342 */
343 int socket_xfrm_events;
344
345 /**
346 * whether to install routes along policies
347 */
348 bool install_routes;
349 };
350
351 /**
352 * convert a IKEv2 specific protocol identifier to the kernel one
353 */
354 static u_int8_t proto_ike2kernel(protocol_id_t proto)
355 {
356 switch (proto)
357 {
358 case PROTO_ESP:
359 return IPPROTO_ESP;
360 case PROTO_AH:
361 return IPPROTO_AH;
362 default:
363 return proto;
364 }
365 }
366
367 /**
368 * reverse of ike2kernel
369 */
370 static protocol_id_t proto_kernel2ike(u_int8_t proto)
371 {
372 switch (proto)
373 {
374 case IPPROTO_ESP:
375 return PROTO_ESP;
376 case IPPROTO_AH:
377 return PROTO_AH;
378 default:
379 return proto;
380 }
381 }
382
383 /**
384 * convert the general ipsec mode to the one defined in xfrm.h
385 */
386 static u_int8_t mode2kernel(ipsec_mode_t mode)
387 {
388 switch (mode)
389 {
390 case MODE_TRANSPORT:
391 return XFRM_MODE_TRANSPORT;
392 case MODE_TUNNEL:
393 return XFRM_MODE_TUNNEL;
394 case MODE_BEET:
395 return XFRM_MODE_BEET;
396 default:
397 return mode;
398 }
399 }
400
401 /**
402 * convert a host_t to a struct xfrm_address
403 */
404 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
405 {
406 chunk_t chunk = host->get_address(host);
407 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
408 }
409
410 /**
411 * convert a struct xfrm_address to a host_t
412 */
413 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
414 {
415 chunk_t chunk;
416
417 switch (family)
418 {
419 case AF_INET:
420 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
421 break;
422 case AF_INET6:
423 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
424 break;
425 default:
426 return NULL;
427 }
428 return host_create_from_chunk(family, chunk, ntohs(port));
429 }
430
431 /**
432 * convert a traffic selector address range to subnet and its mask.
433 */
434 static void ts2subnet(traffic_selector_t* ts,
435 xfrm_address_t *net, u_int8_t *mask)
436 {
437 host_t *net_host;
438 chunk_t net_chunk;
439
440 ts->to_subnet(ts, &net_host, mask);
441 net_chunk = net_host->get_address(net_host);
442 memcpy(net, net_chunk.ptr, net_chunk.len);
443 net_host->destroy(net_host);
444 }
445
446 /**
447 * convert a traffic selector port range to port/portmask
448 */
449 static void ts2ports(traffic_selector_t* ts,
450 u_int16_t *port, u_int16_t *mask)
451 {
452 /* linux does not seem to accept complex portmasks. Only
453 * any or a specific port is allowed. We set to any, if we have
454 * a port range, or to a specific, if we have one port only.
455 */
456 u_int16_t from, to;
457
458 from = ts->get_from_port(ts);
459 to = ts->get_to_port(ts);
460
461 if (from == to)
462 {
463 *port = htons(from);
464 *mask = ~0;
465 }
466 else
467 {
468 *port = 0;
469 *mask = 0;
470 }
471 }
472
473 /**
474 * convert a pair of traffic_selectors to a xfrm_selector
475 */
476 static struct xfrm_selector ts2selector(traffic_selector_t *src,
477 traffic_selector_t *dst)
478 {
479 struct xfrm_selector sel;
480
481 memset(&sel, 0, sizeof(sel));
482 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
483 /* src or dest proto may be "any" (0), use more restrictive one */
484 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
485 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
486 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
487 ts2ports(dst, &sel.dport, &sel.dport_mask);
488 ts2ports(src, &sel.sport, &sel.sport_mask);
489 sel.ifindex = 0;
490 sel.user = 0;
491
492 return sel;
493 }
494
495 /**
496 * convert a xfrm_selector to a src|dst traffic_selector
497 */
498 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
499 {
500 u_char *addr;
501 u_int8_t prefixlen;
502 u_int16_t port = 0;
503 host_t *host = NULL;
504
505 if (src)
506 {
507 addr = (u_char*)&sel->saddr;
508 prefixlen = sel->prefixlen_s;
509 if (sel->sport_mask)
510 {
511 port = htons(sel->sport);
512 }
513 }
514 else
515 {
516 addr = (u_char*)&sel->daddr;
517 prefixlen = sel->prefixlen_d;
518 if (sel->dport_mask)
519 {
520 port = htons(sel->dport);
521 }
522 }
523
524 /* The Linux 2.6 kernel does not set the selector's family field,
525 * so as a kludge we additionally test the prefix length.
526 */
527 if (sel->family == AF_INET || sel->prefixlen_s == 32)
528 {
529 host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
530 }
531 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
532 {
533 host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
534 }
535
536 if (host)
537 {
538 return traffic_selector_create_from_subnet(host, prefixlen,
539 sel->proto, port);
540 }
541 return NULL;
542 }
543
544 /**
545 * process a XFRM_MSG_ACQUIRE from kernel
546 */
547 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
548 {
549 u_int32_t reqid = 0;
550 int proto = 0;
551 traffic_selector_t *src_ts, *dst_ts;
552 struct xfrm_user_acquire *acquire;
553 struct rtattr *rta;
554 size_t rtasize;
555
556 acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
557 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
558 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
559
560 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
561
562 while (RTA_OK(rta, rtasize))
563 {
564 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
565
566 if (rta->rta_type == XFRMA_TMPL)
567 {
568 struct xfrm_user_tmpl* tmpl;
569
570 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
571 reqid = tmpl->reqid;
572 proto = tmpl->id.proto;
573 }
574 rta = RTA_NEXT(rta, rtasize);
575 }
576 switch (proto)
577 {
578 case 0:
579 case IPPROTO_ESP:
580 case IPPROTO_AH:
581 break;
582 default:
583 /* acquire for AH/ESP only, not for IPCOMP */
584 return;
585 }
586 src_ts = selector2ts(&acquire->sel, TRUE);
587 dst_ts = selector2ts(&acquire->sel, FALSE);
588
589 charon->kernel_interface->acquire(charon->kernel_interface, reqid, src_ts,
590 dst_ts);
591 }
592
593 /**
594 * process a XFRM_MSG_EXPIRE from kernel
595 */
596 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
597 {
598 protocol_id_t protocol;
599 u_int32_t spi, reqid;
600 struct xfrm_user_expire *expire;
601
602 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
603 protocol = proto_kernel2ike(expire->state.id.proto);
604 spi = expire->state.id.spi;
605 reqid = expire->state.reqid;
606
607 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
608
609 if (protocol != PROTO_ESP && protocol != PROTO_AH)
610 {
611 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and "
612 "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
613 return;
614 }
615
616 charon->kernel_interface->expire(charon->kernel_interface, reqid, protocol,
617 spi, expire->hard != 0);
618 }
619
620 /**
621 * process a XFRM_MSG_MIGRATE from kernel
622 */
623 static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
624 {
625 traffic_selector_t *src_ts, *dst_ts;
626 host_t *local = NULL, *remote = NULL;
627 host_t *old_src = NULL, *old_dst = NULL;
628 host_t *new_src = NULL, *new_dst = NULL;
629 struct xfrm_userpolicy_id *policy_id;
630 struct rtattr *rta;
631 size_t rtasize;
632 u_int32_t reqid = 0;
633 policy_dir_t dir;
634
635 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
636 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
637 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
638
639 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
640
641 src_ts = selector2ts(&policy_id->sel, TRUE);
642 dst_ts = selector2ts(&policy_id->sel, FALSE);
643 dir = (policy_dir_t)policy_id->dir;
644
645 DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
646
647 while (RTA_OK(rta, rtasize))
648 {
649 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
650 if (rta->rta_type == XFRMA_KMADDRESS)
651 {
652 struct xfrm_user_kmaddress *kmaddress;
653
654 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
655 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
656 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
657 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
658 }
659 else if (rta->rta_type == XFRMA_MIGRATE)
660 {
661 struct xfrm_user_migrate *migrate;
662 protocol_id_t proto;
663
664 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
665 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
666 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
667 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
668 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
669 proto = proto_kernel2ike(migrate->proto);
670 reqid = migrate->reqid;
671 DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}",
672 protocol_id_names, proto, old_src, old_dst,
673 new_src, new_dst, reqid);
674 DESTROY_IF(old_src);
675 DESTROY_IF(old_dst);
676 DESTROY_IF(new_src);
677 DESTROY_IF(new_dst);
678 }
679 rta = RTA_NEXT(rta, rtasize);
680 }
681
682 if (src_ts && dst_ts && local && remote)
683 {
684 charon->kernel_interface->migrate(charon->kernel_interface, reqid,
685 src_ts, dst_ts, dir, local, remote);
686 }
687 else
688 {
689 DESTROY_IF(src_ts);
690 DESTROY_IF(dst_ts);
691 DESTROY_IF(local);
692 DESTROY_IF(remote);
693 }
694 }
695
696 /**
697 * process a XFRM_MSG_MAPPING from kernel
698 */
699 static void process_mapping(private_kernel_netlink_ipsec_t *this,
700 struct nlmsghdr *hdr)
701 {
702 u_int32_t spi, reqid;
703 struct xfrm_user_mapping *mapping;
704 host_t *host;
705
706 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
707 spi = mapping->id.spi;
708 reqid = mapping->reqid;
709
710 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
711
712 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
713 {
714 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
715 mapping->new_sport);
716 if (host)
717 {
718 charon->kernel_interface->mapping(charon->kernel_interface, reqid,
719 spi, host);
720 }
721 }
722 }
723
724 /**
725 * Receives events from kernel
726 */
727 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
728 {
729 char response[1024];
730 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
731 struct sockaddr_nl addr;
732 socklen_t addr_len = sizeof(addr);
733 int len;
734 bool oldstate;
735
736 oldstate = thread_cancelability(TRUE);
737 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
738 (struct sockaddr*)&addr, &addr_len);
739 thread_cancelability(oldstate);
740
741 if (len < 0)
742 {
743 switch (errno)
744 {
745 case EINTR:
746 /* interrupted, try again */
747 return JOB_REQUEUE_DIRECT;
748 case EAGAIN:
749 /* no data ready, select again */
750 return JOB_REQUEUE_DIRECT;
751 default:
752 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
753 sleep(1);
754 return JOB_REQUEUE_FAIR;
755 }
756 }
757
758 if (addr.nl_pid != 0)
759 { /* not from kernel. not interested, try another one */
760 return JOB_REQUEUE_DIRECT;
761 }
762
763 while (NLMSG_OK(hdr, len))
764 {
765 switch (hdr->nlmsg_type)
766 {
767 case XFRM_MSG_ACQUIRE:
768 process_acquire(this, hdr);
769 break;
770 case XFRM_MSG_EXPIRE:
771 process_expire(this, hdr);
772 break;
773 case XFRM_MSG_MIGRATE:
774 process_migrate(this, hdr);
775 break;
776 case XFRM_MSG_MAPPING:
777 process_mapping(this, hdr);
778 break;
779 default:
780 DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);
781 break;
782 }
783 hdr = NLMSG_NEXT(hdr, len);
784 }
785 return JOB_REQUEUE_DIRECT;
786 }
787
788 /**
789 * Get an SPI for a specific protocol from the kernel.
790 */
791 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
792 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
793 u_int32_t reqid, u_int32_t *spi)
794 {
795 netlink_buf_t request;
796 struct nlmsghdr *hdr, *out;
797 struct xfrm_userspi_info *userspi;
798 u_int32_t received_spi = 0;
799 size_t len;
800
801 memset(&request, 0, sizeof(request));
802
803 hdr = (struct nlmsghdr*)request;
804 hdr->nlmsg_flags = NLM_F_REQUEST;
805 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
806 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
807
808 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
809 host2xfrm(src, &userspi->info.saddr);
810 host2xfrm(dst, &userspi->info.id.daddr);
811 userspi->info.id.proto = proto;
812 userspi->info.mode = XFRM_MODE_TUNNEL;
813 userspi->info.reqid = reqid;
814 userspi->info.family = src->get_family(src);
815 userspi->min = min;
816 userspi->max = max;
817
818 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
819 {
820 hdr = out;
821 while (NLMSG_OK(hdr, len))
822 {
823 switch (hdr->nlmsg_type)
824 {
825 case XFRM_MSG_NEWSA:
826 {
827 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
828 received_spi = usersa->id.spi;
829 break;
830 }
831 case NLMSG_ERROR:
832 {
833 struct nlmsgerr *err = NLMSG_DATA(hdr);
834
835 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
836 strerror(-err->error), -err->error);
837 break;
838 }
839 default:
840 hdr = NLMSG_NEXT(hdr, len);
841 continue;
842 case NLMSG_DONE:
843 break;
844 }
845 break;
846 }
847 free(out);
848 }
849
850 if (received_spi == 0)
851 {
852 return FAILED;
853 }
854
855 *spi = received_spi;
856 return SUCCESS;
857 }
858
859 METHOD(kernel_ipsec_t, get_spi, status_t,
860 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
861 protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
862 {
863 DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
864
865 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
866 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
867 {
868 DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
869 return FAILED;
870 }
871
872 DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
873
874 return SUCCESS;
875 }
876
877 METHOD(kernel_ipsec_t, get_cpi, status_t,
878 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
879 u_int32_t reqid, u_int16_t *cpi)
880 {
881 u_int32_t received_spi = 0;
882
883 DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
884
885 if (get_spi_internal(this, src, dst,
886 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
887 {
888 DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
889 return FAILED;
890 }
891
892 *cpi = htons((u_int16_t)ntohl(received_spi));
893
894 DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
895
896 return SUCCESS;
897 }
898
899 METHOD(kernel_ipsec_t, add_sa, status_t,
900 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
901 u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark,
902 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
903 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
904 u_int16_t cpi, bool encap, bool inbound,
905 traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
906 {
907 netlink_buf_t request;
908 char *alg_name;
909 struct nlmsghdr *hdr;
910 struct xfrm_usersa_info *sa;
911 u_int16_t icv_size = 64;
912
913 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
914 * we are in the recursive call below */
915 if (ipcomp != IPCOMP_NONE && cpi != 0)
916 {
917 lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
918 add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
919 &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
920 mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
921 ipcomp = IPCOMP_NONE;
922 /* use transport mode ESP SA, IPComp uses tunnel mode */
923 mode = MODE_TRANSPORT;
924 }
925
926 memset(&request, 0, sizeof(request));
927
928 if (mark.value)
929 {
930 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u} "
931 "(mark %u/0x%8x)", ntohl(spi), reqid, mark.value, mark.mask);
932 }
933 else
934 {
935 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
936 ntohl(spi), reqid);
937 }
938 hdr = (struct nlmsghdr*)request;
939 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
940 hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
941 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
942
943 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
944 host2xfrm(src, &sa->saddr);
945 host2xfrm(dst, &sa->id.daddr);
946 sa->id.spi = spi;
947 sa->id.proto = proto_ike2kernel(protocol);
948 sa->family = src->get_family(src);
949 sa->mode = mode2kernel(mode);
950 switch (mode)
951 {
952 case MODE_TUNNEL:
953 sa->flags |= XFRM_STATE_AF_UNSPEC;
954 break;
955 case MODE_BEET:
956 if(src_ts && dst_ts)
957 {
958 sa->sel = ts2selector(src_ts, dst_ts);
959 }
960 break;
961 default:
962 break;
963 }
964
965 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
966 sa->reqid = reqid;
967 sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
968 sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life);
969 sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey);
970 sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life);
971 /* we use lifetimes since added, not since used */
972 sa->lft.soft_add_expires_seconds = lifetime->time.rekey;
973 sa->lft.hard_add_expires_seconds = lifetime->time.life;
974 sa->lft.soft_use_expires_seconds = 0;
975 sa->lft.hard_use_expires_seconds = 0;
976
977 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
978
979 switch (enc_alg)
980 {
981 case ENCR_UNDEFINED:
982 /* no encryption */
983 break;
984 case ENCR_AES_CCM_ICV16:
985 case ENCR_AES_GCM_ICV16:
986 case ENCR_NULL_AUTH_AES_GMAC:
987 case ENCR_CAMELLIA_CCM_ICV16:
988 icv_size += 32;
989 /* FALL */
990 case ENCR_AES_CCM_ICV12:
991 case ENCR_AES_GCM_ICV12:
992 case ENCR_CAMELLIA_CCM_ICV12:
993 icv_size += 32;
994 /* FALL */
995 case ENCR_AES_CCM_ICV8:
996 case ENCR_AES_GCM_ICV8:
997 case ENCR_CAMELLIA_CCM_ICV8:
998 {
999 struct xfrm_algo_aead *algo;
1000
1001 alg_name = lookup_algorithm(encryption_algs, enc_alg);
1002 if (alg_name == NULL)
1003 {
1004 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1005 encryption_algorithm_names, enc_alg);
1006 return FAILED;
1007 }
1008 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1009 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1010
1011 rthdr->rta_type = XFRMA_ALG_AEAD;
1012 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
1013 hdr->nlmsg_len += rthdr->rta_len;
1014 if (hdr->nlmsg_len > sizeof(request))
1015 {
1016 return FAILED;
1017 }
1018
1019 algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
1020 algo->alg_key_len = enc_key.len * 8;
1021 algo->alg_icv_len = icv_size;
1022 strcpy(algo->alg_name, alg_name);
1023 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
1024
1025 rthdr = XFRM_RTA_NEXT(rthdr);
1026 break;
1027 }
1028 default:
1029 {
1030 struct xfrm_algo *algo;
1031
1032 alg_name = lookup_algorithm(encryption_algs, enc_alg);
1033 if (alg_name == NULL)
1034 {
1035 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1036 encryption_algorithm_names, enc_alg);
1037 return FAILED;
1038 }
1039 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1040 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1041
1042 rthdr->rta_type = XFRMA_ALG_CRYPT;
1043 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
1044 hdr->nlmsg_len += rthdr->rta_len;
1045 if (hdr->nlmsg_len > sizeof(request))
1046 {
1047 return FAILED;
1048 }
1049
1050 algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1051 algo->alg_key_len = enc_key.len * 8;
1052 strcpy(algo->alg_name, alg_name);
1053 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
1054
1055 rthdr = XFRM_RTA_NEXT(rthdr);
1056 }
1057 }
1058
1059 if (int_alg != AUTH_UNDEFINED)
1060 {
1061 alg_name = lookup_algorithm(integrity_algs, int_alg);
1062 if (alg_name == NULL)
1063 {
1064 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1065 integrity_algorithm_names, int_alg);
1066 return FAILED;
1067 }
1068 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1069 integrity_algorithm_names, int_alg, int_key.len * 8);
1070
1071 if (int_alg == AUTH_HMAC_SHA2_256_128)
1072 {
1073 struct xfrm_algo_auth* algo;
1074
1075 /* the kernel uses SHA256 with 96 bit truncation by default,
1076 * use specified truncation size supported by newer kernels */
1077 rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
1078 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) + int_key.len);
1079
1080 hdr->nlmsg_len += rthdr->rta_len;
1081 if (hdr->nlmsg_len > sizeof(request))
1082 {
1083 return FAILED;
1084 }
1085
1086 algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
1087 algo->alg_key_len = int_key.len * 8;
1088 algo->alg_trunc_len = 128;
1089 strcpy(algo->alg_name, alg_name);
1090 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1091 }
1092 else
1093 {
1094 struct xfrm_algo* algo;
1095
1096 rthdr->rta_type = XFRMA_ALG_AUTH;
1097 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
1098
1099 hdr->nlmsg_len += rthdr->rta_len;
1100 if (hdr->nlmsg_len > sizeof(request))
1101 {
1102 return FAILED;
1103 }
1104
1105 algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1106 algo->alg_key_len = int_key.len * 8;
1107 strcpy(algo->alg_name, alg_name);
1108 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1109 }
1110 rthdr = XFRM_RTA_NEXT(rthdr);
1111 }
1112
1113 if (ipcomp != IPCOMP_NONE)
1114 {
1115 rthdr->rta_type = XFRMA_ALG_COMP;
1116 alg_name = lookup_algorithm(compression_algs, ipcomp);
1117 if (alg_name == NULL)
1118 {
1119 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1120 ipcomp_transform_names, ipcomp);
1121 return FAILED;
1122 }
1123 DBG2(DBG_KNL, " using compression algorithm %N",
1124 ipcomp_transform_names, ipcomp);
1125
1126 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
1127 hdr->nlmsg_len += rthdr->rta_len;
1128 if (hdr->nlmsg_len > sizeof(request))
1129 {
1130 return FAILED;
1131 }
1132
1133 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1134 algo->alg_key_len = 0;
1135 strcpy(algo->alg_name, alg_name);
1136
1137 rthdr = XFRM_RTA_NEXT(rthdr);
1138 }
1139
1140 if (encap)
1141 {
1142 struct xfrm_encap_tmpl *tmpl;
1143
1144 rthdr->rta_type = XFRMA_ENCAP;
1145 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1146
1147 hdr->nlmsg_len += rthdr->rta_len;
1148 if (hdr->nlmsg_len > sizeof(request))
1149 {
1150 return FAILED;
1151 }
1152
1153 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1154 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1155 tmpl->encap_sport = htons(src->get_port(src));
1156 tmpl->encap_dport = htons(dst->get_port(dst));
1157 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1158 /* encap_oa could probably be derived from the
1159 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1160 * pluto does the same as we do here but it uses encap_oa in the
1161 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1162 * the kernel ignores it anyway
1163 * -> does that mean that NAT-T encap doesn't work in transport mode?
1164 * No. The reason the kernel ignores NAT-OA is that it recomputes
1165 * (or, rather, just ignores) the checksum. If packets pass
1166 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1167 rthdr = XFRM_RTA_NEXT(rthdr);
1168 }
1169
1170 if (mark.value)
1171 {
1172 struct xfrm_mark *mrk;
1173
1174 rthdr->rta_type = XFRMA_MARK;
1175 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1176
1177 hdr->nlmsg_len += rthdr->rta_len;
1178 if (hdr->nlmsg_len > sizeof(request))
1179 {
1180 return FAILED;
1181 }
1182
1183 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1184 mrk->v = mark.value;
1185 mrk->m = mark.mask;
1186 rthdr = XFRM_RTA_NEXT(rthdr);
1187 }
1188
1189 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1190 {
1191 if (mark.value)
1192 {
1193 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x "
1194 "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
1195 }
1196 else
1197 {
1198 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1199 }
1200 return FAILED;
1201 }
1202 return SUCCESS;
1203 }
1204
1205 /**
1206 * Get the replay state (i.e. sequence numbers) of an SA.
1207 */
1208 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
1209 u_int32_t spi, protocol_id_t protocol, host_t *dst,
1210 struct xfrm_replay_state *replay)
1211 {
1212 netlink_buf_t request;
1213 struct nlmsghdr *hdr, *out = NULL;
1214 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1215 size_t len;
1216 struct rtattr *rta;
1217 size_t rtasize;
1218
1219 memset(&request, 0, sizeof(request));
1220
1221 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
1222
1223 hdr = (struct nlmsghdr*)request;
1224 hdr->nlmsg_flags = NLM_F_REQUEST;
1225 hdr->nlmsg_type = XFRM_MSG_GETAE;
1226 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1227
1228 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1229 aevent_id->flags = XFRM_AE_RVAL;
1230
1231 host2xfrm(dst, &aevent_id->sa_id.daddr);
1232 aevent_id->sa_id.spi = spi;
1233 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
1234 aevent_id->sa_id.family = dst->get_family(dst);
1235
1236 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1237 {
1238 hdr = out;
1239 while (NLMSG_OK(hdr, len))
1240 {
1241 switch (hdr->nlmsg_type)
1242 {
1243 case XFRM_MSG_NEWAE:
1244 {
1245 out_aevent = NLMSG_DATA(hdr);
1246 break;
1247 }
1248 case NLMSG_ERROR:
1249 {
1250 struct nlmsgerr *err = NLMSG_DATA(hdr);
1251 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
1252 strerror(-err->error), -err->error);
1253 break;
1254 }
1255 default:
1256 hdr = NLMSG_NEXT(hdr, len);
1257 continue;
1258 case NLMSG_DONE:
1259 break;
1260 }
1261 break;
1262 }
1263 }
1264
1265 if (out_aevent == NULL)
1266 {
1267 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1268 ntohl(spi));
1269 free(out);
1270 return FAILED;
1271 }
1272
1273 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1274 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1275 while(RTA_OK(rta, rtasize))
1276 {
1277 if (rta->rta_type == XFRMA_REPLAY_VAL &&
1278 RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
1279 {
1280 memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
1281 free(out);
1282 return SUCCESS;
1283 }
1284 rta = RTA_NEXT(rta, rtasize);
1285 }
1286
1287 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1288 ntohl(spi));
1289 free(out);
1290 return FAILED;
1291 }
1292
1293 METHOD(kernel_ipsec_t, query_sa, status_t,
1294 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1295 u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
1296 {
1297 netlink_buf_t request;
1298 struct nlmsghdr *out = NULL, *hdr;
1299 struct xfrm_usersa_id *sa_id;
1300 struct xfrm_usersa_info *sa = NULL;
1301 size_t len;
1302
1303 memset(&request, 0, sizeof(request));
1304
1305 if (mark.value)
1306 {
1307 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x (mark %u/0x%8x)",
1308 ntohl(spi), mark.value, mark.mask);
1309 }
1310 else
1311 {
1312 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1313 }
1314 hdr = (struct nlmsghdr*)request;
1315 hdr->nlmsg_flags = NLM_F_REQUEST;
1316 hdr->nlmsg_type = XFRM_MSG_GETSA;
1317 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1318
1319 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1320 host2xfrm(dst, &sa_id->daddr);
1321 sa_id->spi = spi;
1322 sa_id->proto = proto_ike2kernel(protocol);
1323 sa_id->family = dst->get_family(dst);
1324
1325 if (mark.value)
1326 {
1327 struct xfrm_mark *mrk;
1328 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
1329
1330 rthdr->rta_type = XFRMA_MARK;
1331 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1332 hdr->nlmsg_len += rthdr->rta_len;
1333 if (hdr->nlmsg_len > sizeof(request))
1334 {
1335 return FAILED;
1336 }
1337
1338 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1339 mrk->v = mark.value;
1340 mrk->m = mark.mask;
1341 }
1342
1343 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1344 {
1345 hdr = out;
1346 while (NLMSG_OK(hdr, len))
1347 {
1348 switch (hdr->nlmsg_type)
1349 {
1350 case XFRM_MSG_NEWSA:
1351 {
1352 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1353 break;
1354 }
1355 case NLMSG_ERROR:
1356 {
1357 struct nlmsgerr *err = NLMSG_DATA(hdr);
1358
1359 if (mark.value)
1360 {
1361 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x "
1362 "(mark %u/0x%8x) failed: %s (%d)",
1363 ntohl(spi), mark.value, mark.mask,
1364 strerror(-err->error), -err->error);
1365 }
1366 else
1367 {
1368 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x "
1369 "failed: %s (%d)", ntohl(spi),
1370 strerror(-err->error), -err->error);
1371 }
1372 break;
1373 }
1374 default:
1375 hdr = NLMSG_NEXT(hdr, len);
1376 continue;
1377 case NLMSG_DONE:
1378 break;
1379 }
1380 break;
1381 }
1382 }
1383
1384 if (sa == NULL)
1385 {
1386 DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1387 free(out);
1388 return FAILED;
1389 }
1390 *bytes = sa->curlft.bytes;
1391
1392 free(out);
1393 return SUCCESS;
1394 }
1395
1396 METHOD(kernel_ipsec_t, del_sa, status_t,
1397 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1398 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
1399 {
1400 netlink_buf_t request;
1401 struct nlmsghdr *hdr;
1402 struct xfrm_usersa_id *sa_id;
1403
1404 /* if IPComp was used, we first delete the additional IPComp SA */
1405 if (cpi)
1406 {
1407 del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark);
1408 }
1409
1410 memset(&request, 0, sizeof(request));
1411
1412 if (mark.value)
1413 {
1414 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x (mark %u/0x%8x)",
1415 ntohl(spi), mark.value, mark.mask);
1416 }
1417 else
1418 {
1419 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1420 }
1421 hdr = (struct nlmsghdr*)request;
1422 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1423 hdr->nlmsg_type = XFRM_MSG_DELSA;
1424 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1425
1426 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1427 host2xfrm(dst, &sa_id->daddr);
1428 sa_id->spi = spi;
1429 sa_id->proto = proto_ike2kernel(protocol);
1430 sa_id->family = dst->get_family(dst);
1431
1432 if (mark.value)
1433 {
1434 struct xfrm_mark *mrk;
1435 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
1436
1437 rthdr->rta_type = XFRMA_MARK;
1438 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1439 hdr->nlmsg_len += rthdr->rta_len;
1440 if (hdr->nlmsg_len > sizeof(request))
1441 {
1442 return FAILED;
1443 }
1444
1445 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1446 mrk->v = mark.value;
1447 mrk->m = mark.mask;
1448 }
1449
1450 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1451 {
1452 if (mark.value)
1453 {
1454 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x "
1455 "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
1456 }
1457 else
1458 {
1459 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1460 }
1461 return FAILED;
1462 }
1463 if (mark.value)
1464 {
1465 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x (mark %u/0x%8x)",
1466 ntohl(spi), mark.value, mark.mask);
1467 }
1468 else
1469 {
1470 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1471 }
1472 return SUCCESS;
1473 }
1474
1475 METHOD(kernel_ipsec_t, update_sa, status_t,
1476 private_kernel_netlink_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
1477 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1478 bool old_encap, bool new_encap, mark_t mark)
1479 {
1480 netlink_buf_t request;
1481 u_char *pos;
1482 struct nlmsghdr *hdr, *out = NULL;
1483 struct xfrm_usersa_id *sa_id;
1484 struct xfrm_usersa_info *out_sa = NULL, *sa;
1485 size_t len;
1486 struct rtattr *rta;
1487 size_t rtasize;
1488 struct xfrm_encap_tmpl* tmpl = NULL;
1489 bool got_replay_state = FALSE;
1490 struct xfrm_replay_state replay;
1491
1492 /* if IPComp is used, we first update the IPComp SA */
1493 if (cpi)
1494 {
1495 update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
1496 src, dst, new_src, new_dst, FALSE, FALSE, mark);
1497 }
1498
1499 memset(&request, 0, sizeof(request));
1500
1501 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1502
1503 /* query the existing SA first */
1504 hdr = (struct nlmsghdr*)request;
1505 hdr->nlmsg_flags = NLM_F_REQUEST;
1506 hdr->nlmsg_type = XFRM_MSG_GETSA;
1507 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1508
1509 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1510 host2xfrm(dst, &sa_id->daddr);
1511 sa_id->spi = spi;
1512 sa_id->proto = proto_ike2kernel(protocol);
1513 sa_id->family = dst->get_family(dst);
1514
1515 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1516 {
1517 hdr = out;
1518 while (NLMSG_OK(hdr, len))
1519 {
1520 switch (hdr->nlmsg_type)
1521 {
1522 case XFRM_MSG_NEWSA:
1523 {
1524 out_sa = NLMSG_DATA(hdr);
1525 break;
1526 }
1527 case NLMSG_ERROR:
1528 {
1529 struct nlmsgerr *err = NLMSG_DATA(hdr);
1530 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1531 strerror(-err->error), -err->error);
1532 break;
1533 }
1534 default:
1535 hdr = NLMSG_NEXT(hdr, len);
1536 continue;
1537 case NLMSG_DONE:
1538 break;
1539 }
1540 break;
1541 }
1542 }
1543 if (out_sa == NULL)
1544 {
1545 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1546 free(out);
1547 return FAILED;
1548 }
1549
1550 /* try to get the replay state */
1551 if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
1552 {
1553 got_replay_state = TRUE;
1554 }
1555
1556 /* delete the old SA (without affecting the IPComp SA) */
1557 if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
1558 {
1559 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1560 free(out);
1561 return FAILED;
1562 }
1563
1564 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1565 ntohl(spi), src, dst, new_src, new_dst);
1566 /* copy over the SA from out to request */
1567 hdr = (struct nlmsghdr*)request;
1568 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1569 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1570 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1571 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1572 sa = NLMSG_DATA(hdr);
1573 sa->family = new_dst->get_family(new_dst);
1574
1575 if (!src->ip_equals(src, new_src))
1576 {
1577 host2xfrm(new_src, &sa->saddr);
1578 }
1579 if (!dst->ip_equals(dst, new_dst))
1580 {
1581 host2xfrm(new_dst, &sa->id.daddr);
1582 }
1583
1584 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1585 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1586 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1587 while(RTA_OK(rta, rtasize))
1588 {
1589 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1590 if (rta->rta_type != XFRMA_ENCAP || new_encap)
1591 {
1592 if (rta->rta_type == XFRMA_ENCAP)
1593 { /* update encap tmpl */
1594 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1595 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1596 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1597 }
1598 memcpy(pos, rta, rta->rta_len);
1599 pos += RTA_ALIGN(rta->rta_len);
1600 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1601 }
1602 rta = RTA_NEXT(rta, rtasize);
1603 }
1604
1605 rta = (struct rtattr*)pos;
1606 if (tmpl == NULL && new_encap)
1607 { /* add tmpl if we are enabling it */
1608 rta->rta_type = XFRMA_ENCAP;
1609 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1610
1611 hdr->nlmsg_len += rta->rta_len;
1612 if (hdr->nlmsg_len > sizeof(request))
1613 {
1614 return FAILED;
1615 }
1616
1617 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1618 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1619 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1620 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1621 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1622
1623 rta = XFRM_RTA_NEXT(rta);
1624 }
1625
1626 if (got_replay_state)
1627 { /* copy the replay data if available */
1628 rta->rta_type = XFRMA_REPLAY_VAL;
1629 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1630
1631 hdr->nlmsg_len += rta->rta_len;
1632 if (hdr->nlmsg_len > sizeof(request))
1633 {
1634 return FAILED;
1635 }
1636 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1637
1638 rta = XFRM_RTA_NEXT(rta);
1639 }
1640
1641 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1642 {
1643 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1644 free(out);
1645 return FAILED;
1646 }
1647 free(out);
1648
1649 return SUCCESS;
1650 }
1651
1652 METHOD(kernel_ipsec_t, add_policy, status_t,
1653 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1654 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
1655 policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
1656 u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
1657 u_int16_t cpi, bool routed)
1658 {
1659 policy_entry_t *current, *policy;
1660 bool found = FALSE;
1661 netlink_buf_t request;
1662 struct xfrm_userpolicy_info *policy_info;
1663 struct nlmsghdr *hdr;
1664
1665 /* create a policy */
1666 policy = malloc_thing(policy_entry_t);
1667 memset(policy, 0, sizeof(policy_entry_t));
1668 policy->sel = ts2selector(src_ts, dst_ts);
1669 policy->mark = mark.value & mark.mask;
1670 policy->direction = direction;
1671
1672 /* find the policy, which matches EXACTLY */
1673 this->mutex->lock(this->mutex);
1674 current = this->policies->get(this->policies, policy);
1675 if (current)
1676 {
1677 /* use existing policy */
1678 current->refcount++;
1679 if (mark.value)
1680 {
1681 DBG2(DBG_KNL, "policy %R === %R %N (mark %u/0x%8x) "
1682 "already exists, increasing refcount",
1683 src_ts, dst_ts, policy_dir_names, direction,
1684 mark.value, mark.mask);
1685 }
1686 else
1687 {
1688 DBG2(DBG_KNL, "policy %R === %R %N "
1689 "already exists, increasing refcount",
1690 src_ts, dst_ts, policy_dir_names, direction);
1691 }
1692 free(policy);
1693 policy = current;
1694 found = TRUE;
1695 }
1696 else
1697 { /* apply the new one, if we have no such policy */
1698 this->policies->put(this->policies, policy, policy);
1699 policy->refcount = 1;
1700 }
1701
1702 if (mark.value)
1703 {
1704 DBG2(DBG_KNL, "adding policy %R === %R %N (mark %u/0x%8x)",
1705 src_ts, dst_ts, policy_dir_names, direction,
1706 mark.value, mark.mask);
1707 }
1708 else
1709 {
1710 DBG2(DBG_KNL, "adding policy %R === %R %N",
1711 src_ts, dst_ts, policy_dir_names, direction);
1712 }
1713
1714 memset(&request, 0, sizeof(request));
1715 hdr = (struct nlmsghdr*)request;
1716 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1717 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1718 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1719
1720 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1721 policy_info->sel = policy->sel;
1722 policy_info->dir = policy->direction;
1723 /* calculate priority based on source selector size, small size = high prio */
1724 policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
1725 policy_info->priority -= policy->sel.prefixlen_s * 10;
1726 policy_info->priority -= policy->sel.proto ? 2 : 0;
1727 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1728 policy_info->action = XFRM_POLICY_ALLOW;
1729 policy_info->share = XFRM_SHARE_ANY;
1730 this->mutex->unlock(this->mutex);
1731
1732 /* policies don't expire */
1733 policy_info->lft.soft_byte_limit = XFRM_INF;
1734 policy_info->lft.soft_packet_limit = XFRM_INF;
1735 policy_info->lft.hard_byte_limit = XFRM_INF;
1736 policy_info->lft.hard_packet_limit = XFRM_INF;
1737 policy_info->lft.soft_add_expires_seconds = 0;
1738 policy_info->lft.hard_add_expires_seconds = 0;
1739 policy_info->lft.soft_use_expires_seconds = 0;
1740 policy_info->lft.hard_use_expires_seconds = 0;
1741
1742 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1743 rthdr->rta_type = XFRMA_TMPL;
1744 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1745
1746 hdr->nlmsg_len += rthdr->rta_len;
1747 if (hdr->nlmsg_len > sizeof(request))
1748 {
1749 return FAILED;
1750 }
1751
1752 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1753
1754 if (ipcomp != IPCOMP_NONE)
1755 {
1756 tmpl->reqid = reqid;
1757 tmpl->id.proto = IPPROTO_COMP;
1758 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1759 tmpl->mode = mode2kernel(mode);
1760 tmpl->optional = direction != POLICY_OUT;
1761 tmpl->family = src->get_family(src);
1762
1763 host2xfrm(src, &tmpl->saddr);
1764 host2xfrm(dst, &tmpl->id.daddr);
1765
1766 /* add an additional xfrm_user_tmpl */
1767 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1768 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1769 if (hdr->nlmsg_len > sizeof(request))
1770 {
1771 return FAILED;
1772 }
1773
1774 tmpl++;
1775
1776 /* use transport mode for ESP if we have a tunnel mode IPcomp SA */
1777 mode = MODE_TRANSPORT;
1778 }
1779 else
1780 {
1781 /* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */
1782 host2xfrm(src, &tmpl->saddr);
1783 host2xfrm(dst, &tmpl->id.daddr);
1784 }
1785
1786 tmpl->reqid = reqid;
1787 tmpl->id.proto = proto_ike2kernel(protocol);
1788 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1789 tmpl->mode = mode2kernel(mode);
1790 tmpl->family = src->get_family(src);
1791 rthdr = XFRM_RTA_NEXT(rthdr);
1792
1793 if (mark.value)
1794 {
1795 struct xfrm_mark *mrk;
1796
1797 rthdr->rta_type = XFRMA_MARK;
1798 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1799
1800 hdr->nlmsg_len += rthdr->rta_len;
1801 if (hdr->nlmsg_len > sizeof(request))
1802 {
1803 return FAILED;
1804 }
1805
1806 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1807 mrk->v = mark.value;
1808 mrk->m = mark.mask;
1809 }
1810
1811 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1812 {
1813 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1814 policy_dir_names, direction);
1815 return FAILED;
1816 }
1817
1818 /* install a route, if:
1819 * - we are NOT updating a policy
1820 * - this is a forward policy (to just get one for each child)
1821 * - we are in tunnel/BEET mode
1822 * - routing is not disabled via strongswan.conf
1823 */
1824 if (policy->route == NULL && direction == POLICY_FWD &&
1825 mode != MODE_TRANSPORT && this->install_routes)
1826 {
1827 route_entry_t *route = malloc_thing(route_entry_t);
1828
1829 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1830 dst_ts, &route->src_ip) == SUCCESS)
1831 {
1832 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1833 route->gateway = charon->kernel_interface->get_nexthop(
1834 charon->kernel_interface, src);
1835 /* install route via outgoing interface */
1836 route->if_name = charon->kernel_interface->get_interface(
1837 charon->kernel_interface, dst);
1838 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1839 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1840 route->prefixlen = policy->sel.prefixlen_s;
1841
1842 if (route->if_name)
1843 {
1844 switch (charon->kernel_interface->add_route(
1845 charon->kernel_interface, route->dst_net,
1846 route->prefixlen, route->gateway,
1847 route->src_ip, route->if_name))
1848 {
1849 default:
1850 DBG1(DBG_KNL, "unable to install source route for %H",
1851 route->src_ip);
1852 /* FALL */
1853 case ALREADY_DONE:
1854 /* route exists, do not uninstall */
1855 route_entry_destroy(route);
1856 break;
1857 case SUCCESS:
1858 /* cache the installed route */
1859 policy->route = route;
1860 break;
1861 }
1862 }
1863 else
1864 {
1865 route_entry_destroy(route);
1866 }
1867 }
1868 else
1869 {
1870 free(route);
1871 }
1872 }
1873 return SUCCESS;
1874 }
1875
1876 METHOD(kernel_ipsec_t, query_policy, status_t,
1877 private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
1878 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
1879 u_int32_t *use_time)
1880 {
1881 netlink_buf_t request;
1882 struct nlmsghdr *out = NULL, *hdr;
1883 struct xfrm_userpolicy_id *policy_id;
1884 struct xfrm_userpolicy_info *policy = NULL;
1885 size_t len;
1886
1887 memset(&request, 0, sizeof(request));
1888
1889 if (mark.value)
1890 {
1891 DBG2(DBG_KNL, "querying policy %R === %R %N (mark %u/0x%8x)",
1892 src_ts, dst_ts, policy_dir_names, direction,
1893 mark.value, mark.mask);
1894 }
1895 else
1896 {
1897 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1898 policy_dir_names, direction);
1899 }
1900 hdr = (struct nlmsghdr*)request;
1901 hdr->nlmsg_flags = NLM_F_REQUEST;
1902 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1903 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1904
1905 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1906 policy_id->sel = ts2selector(src_ts, dst_ts);
1907 policy_id->dir = direction;
1908
1909 if (mark.value)
1910 {
1911 struct xfrm_mark *mrk;
1912 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
1913
1914 rthdr->rta_type = XFRMA_MARK;
1915 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1916
1917 hdr->nlmsg_len += rthdr->rta_len;
1918 if (hdr->nlmsg_len > sizeof(request))
1919 {
1920 return FAILED;
1921 }
1922
1923 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1924 mrk->v = mark.value;
1925 mrk->m = mark.mask;
1926 }
1927
1928 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1929 {
1930 hdr = out;
1931 while (NLMSG_OK(hdr, len))
1932 {
1933 switch (hdr->nlmsg_type)
1934 {
1935 case XFRM_MSG_NEWPOLICY:
1936 {
1937 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1938 break;
1939 }
1940 case NLMSG_ERROR:
1941 {
1942 struct nlmsgerr *err = NLMSG_DATA(hdr);
1943 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1944 strerror(-err->error), -err->error);
1945 break;
1946 }
1947 default:
1948 hdr = NLMSG_NEXT(hdr, len);
1949 continue;
1950 case NLMSG_DONE:
1951 break;
1952 }
1953 break;
1954 }
1955 }
1956
1957 if (policy == NULL)
1958 {
1959 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1960 policy_dir_names, direction);
1961 free(out);
1962 return FAILED;
1963 }
1964
1965 if (policy->curlft.use_time)
1966 {
1967 /* we need the monotonic time, but the kernel returns system time. */
1968 *use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
1969 }
1970 else
1971 {
1972 *use_time = 0;
1973 }
1974
1975 free(out);
1976 return SUCCESS;
1977 }
1978
1979 METHOD(kernel_ipsec_t, del_policy, status_t,
1980 private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
1981 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
1982 bool unrouted)
1983 {
1984 policy_entry_t *current, policy, *to_delete = NULL;
1985 route_entry_t *route;
1986 netlink_buf_t request;
1987 struct nlmsghdr *hdr;
1988 struct xfrm_userpolicy_id *policy_id;
1989
1990 if (mark.value)
1991 {
1992 DBG2(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x)",
1993 src_ts, dst_ts, policy_dir_names, direction,
1994 mark.value, mark.mask);
1995 }
1996 else
1997 {
1998 DBG2(DBG_KNL, "deleting policy %R === %R %N",
1999 src_ts, dst_ts, policy_dir_names, direction);
2000 }
2001
2002 /* create a policy */
2003 memset(&policy, 0, sizeof(policy_entry_t));
2004 policy.sel = ts2selector(src_ts, dst_ts);
2005 policy.mark = mark.value & mark.mask;
2006 policy.direction = direction;
2007
2008 /* find the policy */
2009 this->mutex->lock(this->mutex);
2010 current = this->policies->get(this->policies, &policy);
2011 if (current)
2012 {
2013 to_delete = current;
2014 if (--to_delete->refcount > 0)
2015 {
2016 /* is used by more SAs, keep in kernel */
2017 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2018 this->mutex->unlock(this->mutex);
2019 return SUCCESS;
2020 }
2021 /* remove if last reference */
2022 this->policies->remove(this->policies, to_delete);
2023 }
2024 this->mutex->unlock(this->mutex);
2025 if (!to_delete)
2026 {
2027 if (mark.value)
2028 {
2029 DBG1(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x) "
2030 "failed, not found", src_ts, dst_ts, policy_dir_names,
2031 direction, mark.value, mark.mask);
2032 }
2033 else
2034 {
2035 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found",
2036 src_ts, dst_ts, policy_dir_names, direction);
2037 }
2038 return NOT_FOUND;
2039 }
2040
2041 memset(&request, 0, sizeof(request));
2042
2043 hdr = (struct nlmsghdr*)request;
2044 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2045 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2046 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2047
2048 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2049 policy_id->sel = to_delete->sel;
2050 policy_id->dir = direction;
2051
2052 if (mark.value)
2053 {
2054 struct xfrm_mark *mrk;
2055 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
2056
2057 rthdr->rta_type = XFRMA_MARK;
2058 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
2059 hdr->nlmsg_len += rthdr->rta_len;
2060 if (hdr->nlmsg_len > sizeof(request))
2061 {
2062 return FAILED;
2063 }
2064
2065 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
2066 mrk->v = mark.value;
2067 mrk->m = mark.mask;
2068 }
2069
2070 route = to_delete->route;
2071 free(to_delete);
2072
2073 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2074 {
2075 if (mark.value)
2076 {
2077 DBG1(DBG_KNL, "unable to delete policy %R === %R %N "
2078 "(mark %u/0x%8x)", src_ts, dst_ts, policy_dir_names,
2079 direction, mark.value, mark.mask);
2080 }
2081 else
2082 {
2083 DBG1(DBG_KNL, "unable to delete policy %R === %R %N",
2084 src_ts, dst_ts, policy_dir_names, direction);
2085 }
2086 return FAILED;
2087 }
2088
2089 if (route)
2090 {
2091 if (charon->kernel_interface->del_route(charon->kernel_interface,
2092 route->dst_net, route->prefixlen, route->gateway,
2093 route->src_ip, route->if_name) != SUCCESS)
2094 {
2095 DBG1(DBG_KNL, "error uninstalling route installed with "
2096 "policy %R === %R %N", src_ts, dst_ts,
2097 policy_dir_names, direction);
2098 }
2099 route_entry_destroy(route);
2100 }
2101 return SUCCESS;
2102 }
2103
2104 METHOD(kernel_ipsec_t, bypass_socket, bool,
2105 private_kernel_netlink_ipsec_t *this, int fd, int family)
2106 {
2107 struct xfrm_userpolicy_info policy;
2108 u_int sol, ipsec_policy;
2109
2110 switch (family)
2111 {
2112 case AF_INET:
2113 sol = SOL_IP;
2114 ipsec_policy = IP_XFRM_POLICY;
2115 break;
2116 case AF_INET6:
2117 sol = SOL_IPV6;
2118 ipsec_policy = IPV6_XFRM_POLICY;
2119 break;
2120 default:
2121 return FALSE;
2122 }
2123
2124 memset(&policy, 0, sizeof(policy));
2125 policy.action = XFRM_POLICY_ALLOW;
2126 policy.sel.family = family;
2127
2128 policy.dir = XFRM_POLICY_OUT;
2129 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2130 {
2131 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2132 strerror(errno));
2133 return FALSE;
2134 }
2135 policy.dir = XFRM_POLICY_IN;
2136 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2137 {
2138 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2139 strerror(errno));
2140 return FALSE;
2141 }
2142 return TRUE;
2143 }
2144
2145 METHOD(kernel_ipsec_t, destroy, void,
2146 private_kernel_netlink_ipsec_t *this)
2147 {
2148 enumerator_t *enumerator;
2149 policy_entry_t *policy;
2150
2151 if (this->job)
2152 {
2153 this->job->cancel(this->job);
2154 }
2155 if (this->socket_xfrm_events > 0)
2156 {
2157 close(this->socket_xfrm_events);
2158 }
2159 DESTROY_IF(this->socket_xfrm);
2160 enumerator = this->policies->create_enumerator(this->policies);
2161 while (enumerator->enumerate(enumerator, &policy, &policy))
2162 {
2163 free(policy);
2164 }
2165 enumerator->destroy(enumerator);
2166 this->policies->destroy(this->policies);
2167 this->mutex->destroy(this->mutex);
2168 free(this);
2169 }
2170
2171 /*
2172 * Described in header.
2173 */
2174 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
2175 {
2176 private_kernel_netlink_ipsec_t *this;
2177 struct sockaddr_nl addr;
2178 int fd;
2179
2180 INIT(this,
2181 .public = {
2182 .interface = {
2183 .get_spi = _get_spi,
2184 .get_cpi = _get_cpi,
2185 .add_sa = _add_sa,
2186 .update_sa = _update_sa,
2187 .query_sa = _query_sa,
2188 .del_sa = _del_sa,
2189 .add_policy = _add_policy,
2190 .query_policy = _query_policy,
2191 .del_policy = _del_policy,
2192 .bypass_socket = _bypass_socket,
2193 .destroy = _destroy,
2194 },
2195 },
2196 .policies = hashtable_create((hashtable_hash_t)policy_hash,
2197 (hashtable_equals_t)policy_equals, 32),
2198 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2199 .install_routes = lib->settings->get_bool(lib->settings,
2200 "charon.install_routes", TRUE),
2201 );
2202
2203 /* disable lifetimes for allocated SPIs in kernel */
2204 fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
2205 if (fd)
2206 {
2207 ignore_result(write(fd, "165", 3));
2208 close(fd);
2209 }
2210
2211 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
2212 if (!this->socket_xfrm)
2213 {
2214 destroy(this);
2215 return NULL;
2216 }
2217
2218 memset(&addr, 0, sizeof(addr));
2219 addr.nl_family = AF_NETLINK;
2220
2221 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
2222 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2223 if (this->socket_xfrm_events <= 0)
2224 {
2225 DBG1(DBG_KNL, "unable to create XFRM event socket");
2226 destroy(this);
2227 return NULL;
2228 }
2229 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
2230 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
2231 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2232 {
2233 DBG1(DBG_KNL, "unable to bind XFRM event socket");
2234 destroy(this);
2235 return NULL;
2236 }
2237 this->job = callback_job_create((callback_job_cb_t)receive_events,
2238 this, NULL, NULL);
2239 hydra->processor->queue_job(hydra->processor, (job_t*)this->job);
2240
2241 return &this->public;
2242 }
2243