kernel-netlink: Extract shared route handling code in net/ipsec
[strongswan.git] / src / libcharon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2019 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2008-2016 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * HSR Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20 /*
21 * Copyright (C) 2018 Mellanox Technologies.
22 *
23 * Permission is hereby granted, free of charge, to any person obtaining a copy
24 * of this software and associated documentation files (the "Software"), to deal
25 * in the Software without restriction, including without limitation the rights
26 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
27 * copies of the Software, and to permit persons to whom the Software is
28 * furnished to do so, subject to the following conditions:
29 *
30 * The above copyright notice and this permission notice shall be included in
31 * all copies or substantial portions of the Software.
32 *
33 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
34 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
35 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
36 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
37 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
38 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
39 * THE SOFTWARE.
40 */
41
42 #define _GNU_SOURCE
43 #include <sys/types.h>
44 #include <sys/socket.h>
45 #include <sys/ioctl.h>
46 #include <stdint.h>
47 #include <linux/ipsec.h>
48 #include <linux/netlink.h>
49 #include <linux/rtnetlink.h>
50 #include <linux/xfrm.h>
51 #include <linux/udp.h>
52 #include <linux/ethtool.h>
53 #include <linux/sockios.h>
54 #include <net/if.h>
55 #include <unistd.h>
56 #include <time.h>
57 #include <errno.h>
58 #include <string.h>
59 #include <fcntl.h>
60 #include <dlfcn.h>
61
62 #include "kernel_netlink_ipsec.h"
63 #include "kernel_netlink_shared.h"
64
65 #include <daemon.h>
66 #include <utils/debug.h>
67 #include <threading/mutex.h>
68 #include <threading/condvar.h>
69 #include <collections/array.h>
70 #include <collections/hashtable.h>
71 #include <collections/linked_list.h>
72
73 /** Required for Linux 2.6.26 kernel and later */
74 #ifndef XFRM_STATE_AF_UNSPEC
75 #define XFRM_STATE_AF_UNSPEC 32
76 #endif
77
78 /** From linux/in.h */
79 #ifndef IP_XFRM_POLICY
80 #define IP_XFRM_POLICY 17
81 #endif
82
83 /** Missing on uclibc */
84 #ifndef IPV6_XFRM_POLICY
85 #define IPV6_XFRM_POLICY 34
86 #endif /*IPV6_XFRM_POLICY*/
87
88 /* from linux/udp.h */
89 #ifndef UDP_ENCAP
90 #define UDP_ENCAP 100
91 #endif
92
93 #ifndef UDP_ENCAP_ESPINUDP
94 #define UDP_ENCAP_ESPINUDP 2
95 #endif
96
97 /* this is not defined on some platforms */
98 #ifndef SOL_UDP
99 #define SOL_UDP IPPROTO_UDP
100 #endif
101
102 /** Base priority for installed policies */
103 #define PRIO_BASE 200000
104
105 /**
106 * Map the limit for bytes and packets to XFRM_INF by default
107 */
108 #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
109
110 /**
111 * Create ORable bitfield of XFRM NL groups
112 */
113 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
114
115 /**
116 * Returns a pointer to the first rtattr following the nlmsghdr *nlh and the
117 * 'usual' netlink data x like 'struct xfrm_usersa_info'
118 */
119 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + \
120 NLMSG_ALIGN(sizeof(x))))
121 /**
122 * Returns the total size of attached rta data
123 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
124 */
125 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
126
127 typedef struct kernel_algorithm_t kernel_algorithm_t;
128
129 /**
130 * Mapping of IKEv2 kernel identifier to linux crypto API names
131 */
132 struct kernel_algorithm_t {
133 /**
134 * Identifier specified in IKEv2
135 */
136 int ikev2;
137
138 /**
139 * Name of the algorithm in linux crypto API
140 */
141 const char *name;
142 };
143
144 ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
145 "XFRM_MSG_NEWSA",
146 "XFRM_MSG_DELSA",
147 "XFRM_MSG_GETSA",
148 "XFRM_MSG_NEWPOLICY",
149 "XFRM_MSG_DELPOLICY",
150 "XFRM_MSG_GETPOLICY",
151 "XFRM_MSG_ALLOCSPI",
152 "XFRM_MSG_ACQUIRE",
153 "XFRM_MSG_EXPIRE",
154 "XFRM_MSG_UPDPOLICY",
155 "XFRM_MSG_UPDSA",
156 "XFRM_MSG_POLEXPIRE",
157 "XFRM_MSG_FLUSHSA",
158 "XFRM_MSG_FLUSHPOLICY",
159 "XFRM_MSG_NEWAE",
160 "XFRM_MSG_GETAE",
161 "XFRM_MSG_REPORT",
162 "XFRM_MSG_MIGRATE",
163 "XFRM_MSG_NEWSADINFO",
164 "XFRM_MSG_GETSADINFO",
165 "XFRM_MSG_NEWSPDINFO",
166 "XFRM_MSG_GETSPDINFO",
167 "XFRM_MSG_MAPPING"
168 );
169
170 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_OFFLOAD_DEV,
171 "XFRMA_UNSPEC",
172 "XFRMA_ALG_AUTH",
173 "XFRMA_ALG_CRYPT",
174 "XFRMA_ALG_COMP",
175 "XFRMA_ENCAP",
176 "XFRMA_TMPL",
177 "XFRMA_SA",
178 "XFRMA_POLICY",
179 "XFRMA_SEC_CTX",
180 "XFRMA_LTIME_VAL",
181 "XFRMA_REPLAY_VAL",
182 "XFRMA_REPLAY_THRESH",
183 "XFRMA_ETIMER_THRESH",
184 "XFRMA_SRCADDR",
185 "XFRMA_COADDR",
186 "XFRMA_LASTUSED",
187 "XFRMA_POLICY_TYPE",
188 "XFRMA_MIGRATE",
189 "XFRMA_ALG_AEAD",
190 "XFRMA_KMADDRESS",
191 "XFRMA_ALG_AUTH_TRUNC",
192 "XFRMA_MARK",
193 "XFRMA_TFCPAD",
194 "XFRMA_REPLAY_ESN_VAL",
195 "XFRMA_SA_EXTRA_FLAGS",
196 "XFRMA_PROTO",
197 "XFRMA_ADDRESS_FILTER",
198 "XFRMA_PAD",
199 "XFRMA_OFFLOAD_DEV",
200 );
201
202 /**
203 * Algorithms for encryption
204 */
205 static kernel_algorithm_t encryption_algs[] = {
206 /* {ENCR_DES_IV64, "***" }, */
207 {ENCR_DES, "des" },
208 {ENCR_3DES, "des3_ede" },
209 /* {ENCR_RC5, "***" }, */
210 /* {ENCR_IDEA, "***" }, */
211 {ENCR_CAST, "cast5" },
212 {ENCR_BLOWFISH, "blowfish" },
213 /* {ENCR_3IDEA, "***" }, */
214 /* {ENCR_DES_IV32, "***" }, */
215 {ENCR_NULL, "cipher_null" },
216 {ENCR_AES_CBC, "aes" },
217 {ENCR_AES_CTR, "rfc3686(ctr(aes))" },
218 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
219 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
220 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
221 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
222 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
223 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
224 {ENCR_NULL_AUTH_AES_GMAC, "rfc4543(gcm(aes))" },
225 {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
226 /* {ENCR_CAMELLIA_CTR, "***" }, */
227 /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
228 /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
229 /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
230 {ENCR_SERPENT_CBC, "serpent" },
231 {ENCR_TWOFISH_CBC, "twofish" },
232 {ENCR_CHACHA20_POLY1305, "rfc7539esp(chacha20,poly1305)"},
233 };
234
235 /**
236 * Algorithms for integrity protection
237 */
238 static kernel_algorithm_t integrity_algs[] = {
239 {AUTH_HMAC_MD5_96, "md5" },
240 {AUTH_HMAC_MD5_128, "hmac(md5)" },
241 {AUTH_HMAC_SHA1_96, "sha1" },
242 {AUTH_HMAC_SHA1_160, "hmac(sha1)" },
243 {AUTH_HMAC_SHA2_256_96, "sha256" },
244 {AUTH_HMAC_SHA2_256_128, "hmac(sha256)" },
245 {AUTH_HMAC_SHA2_384_192, "hmac(sha384)" },
246 {AUTH_HMAC_SHA2_512_256, "hmac(sha512)" },
247 /* {AUTH_DES_MAC, "***" }, */
248 /* {AUTH_KPDK_MD5, "***" }, */
249 {AUTH_AES_XCBC_96, "xcbc(aes)" },
250 {AUTH_AES_CMAC_96, "cmac(aes)" },
251 };
252
253 /**
254 * Algorithms for IPComp
255 */
256 static kernel_algorithm_t compression_algs[] = {
257 /* {IPCOMP_OUI, "***" }, */
258 {IPCOMP_DEFLATE, "deflate" },
259 {IPCOMP_LZS, "lzs" },
260 {IPCOMP_LZJH, "lzjh" },
261 };
262
263 /**
264 * Look up a kernel algorithm name and its key size
265 */
266 static const char* lookup_algorithm(transform_type_t type, int ikev2)
267 {
268 kernel_algorithm_t *list;
269 int i, count;
270 char *name;
271
272 switch (type)
273 {
274 case ENCRYPTION_ALGORITHM:
275 list = encryption_algs;
276 count = countof(encryption_algs);
277 break;
278 case INTEGRITY_ALGORITHM:
279 list = integrity_algs;
280 count = countof(integrity_algs);
281 break;
282 case COMPRESSION_ALGORITHM:
283 list = compression_algs;
284 count = countof(compression_algs);
285 break;
286 default:
287 return NULL;
288 }
289 for (i = 0; i < count; i++)
290 {
291 if (list[i].ikev2 == ikev2)
292 {
293 return list[i].name;
294 }
295 }
296 if (charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, NULL,
297 &name))
298 {
299 return name;
300 }
301 return NULL;
302 }
303
304 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
305
306 /**
307 * Private variables and functions of kernel_netlink class.
308 */
309 struct private_kernel_netlink_ipsec_t {
310 /**
311 * Public part of the kernel_netlink_t object
312 */
313 kernel_netlink_ipsec_t public;
314
315 /**
316 * Mutex to lock access to installed policies
317 */
318 mutex_t *mutex;
319
320 /**
321 * Condvar to synchronize access to individual policies
322 */
323 condvar_t *condvar;
324
325 /**
326 * Hash table of installed policies (policy_entry_t)
327 */
328 hashtable_t *policies;
329
330 /**
331 * Hash table of IPsec SAs using policies (ipsec_sa_t)
332 */
333 hashtable_t *sas;
334
335 /**
336 * Netlink xfrm socket (IPsec)
337 */
338 netlink_socket_t *socket_xfrm;
339
340 /**
341 * Netlink xfrm socket to receive acquire and expire events
342 */
343 int socket_xfrm_events;
344
345 /**
346 * Whether to install routes along policies
347 */
348 bool install_routes;
349
350 /**
351 * Whether to set protocol and ports on selector installed with transport
352 * mode IPsec SAs
353 */
354 bool proto_port_transport;
355
356 /**
357 * Whether to always use UPDATE to install policies
358 */
359 bool policy_update;
360
361 /**
362 * Installed port based IKE bypass policies, as bypass_t
363 */
364 array_t *bypass;
365
366 /**
367 * Custom priority calculation function
368 */
369 uint32_t (*get_priority)(kernel_ipsec_policy_id_t *id,
370 kernel_ipsec_manage_policy_t *data);
371 };
372
373 typedef struct ipsec_sa_t ipsec_sa_t;
374
375 /**
376 * IPsec SA assigned to a policy.
377 */
378 struct ipsec_sa_t {
379 /** Source address of this SA */
380 host_t *src;
381
382 /** Destination address of this SA */
383 host_t *dst;
384
385 /** Optional mark */
386 mark_t mark;
387
388 /** Optional mark */
389 uint32_t if_id;
390
391 /** Description of this SA */
392 ipsec_sa_cfg_t cfg;
393
394 /** Reference count for this SA */
395 refcount_t refcount;
396 };
397
398 /**
399 * Hash function for ipsec_sa_t objects
400 */
401 static u_int ipsec_sa_hash(ipsec_sa_t *sa)
402 {
403 return chunk_hash_inc(sa->src->get_address(sa->src),
404 chunk_hash_inc(sa->dst->get_address(sa->dst),
405 chunk_hash_inc(chunk_from_thing(sa->mark),
406 chunk_hash_inc(chunk_from_thing(sa->if_id),
407 chunk_hash(chunk_from_thing(sa->cfg))))));
408 }
409
410 /**
411 * Equality function for ipsec_sa_t objects
412 */
413 static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
414 {
415 return sa->src->ip_equals(sa->src, other_sa->src) &&
416 sa->dst->ip_equals(sa->dst, other_sa->dst) &&
417 sa->mark.value == other_sa->mark.value &&
418 sa->mark.mask == other_sa->mark.mask &&
419 sa->if_id == other_sa->if_id &&
420 ipsec_sa_cfg_equals(&sa->cfg, &other_sa->cfg);
421 }
422
423 /**
424 * Allocate or reference an IPsec SA object
425 */
426 static ipsec_sa_t *ipsec_sa_create(private_kernel_netlink_ipsec_t *this,
427 host_t *src, host_t *dst, mark_t mark,
428 uint32_t if_id, ipsec_sa_cfg_t *cfg)
429 {
430 ipsec_sa_t *sa, *found;
431 INIT(sa,
432 .src = src,
433 .dst = dst,
434 .mark = mark,
435 .if_id = if_id,
436 .cfg = *cfg,
437 );
438 found = this->sas->get(this->sas, sa);
439 if (!found)
440 {
441 sa->src = src->clone(src);
442 sa->dst = dst->clone(dst);
443 this->sas->put(this->sas, sa, sa);
444 }
445 else
446 {
447 free(sa);
448 sa = found;
449 }
450 ref_get(&sa->refcount);
451 return sa;
452 }
453
454 /**
455 * Release and destroy an IPsec SA object
456 */
457 static void ipsec_sa_destroy(private_kernel_netlink_ipsec_t *this,
458 ipsec_sa_t *sa)
459 {
460 if (ref_put(&sa->refcount))
461 {
462 this->sas->remove(this->sas, sa);
463 DESTROY_IF(sa->src);
464 DESTROY_IF(sa->dst);
465 free(sa);
466 }
467 }
468
469 typedef struct policy_sa_t policy_sa_t;
470 typedef struct policy_sa_out_t policy_sa_out_t;
471
472 /**
473 * Mapping between a policy and an IPsec SA.
474 */
475 struct policy_sa_t {
476 /** Priority assigned to the policy when installed with this SA */
477 uint32_t priority;
478
479 /** Automatic priority assigned to the policy when installed with this SA */
480 uint32_t auto_priority;
481
482 /** Type of the policy */
483 policy_type_t type;
484
485 /** Assigned SA */
486 ipsec_sa_t *sa;
487 };
488
489 /**
490 * For outbound policies we also cache the traffic selectors in order to install
491 * the route.
492 */
493 struct policy_sa_out_t {
494 /** Generic interface */
495 policy_sa_t generic;
496
497 /** Source traffic selector of this policy */
498 traffic_selector_t *src_ts;
499
500 /** Destination traffic selector of this policy */
501 traffic_selector_t *dst_ts;
502 };
503
504 /**
505 * Create a policy_sa(_in)_t object
506 */
507 static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
508 policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
509 traffic_selector_t *src_ts, traffic_selector_t *dst_ts, mark_t mark,
510 uint32_t if_id, ipsec_sa_cfg_t *cfg)
511 {
512 policy_sa_t *policy;
513
514 if (dir == POLICY_OUT)
515 {
516 policy_sa_out_t *out;
517 INIT(out,
518 .src_ts = src_ts->clone(src_ts),
519 .dst_ts = dst_ts->clone(dst_ts),
520 );
521 policy = &out->generic;
522 }
523 else
524 {
525 INIT(policy, .priority = 0);
526 }
527 policy->type = type;
528 policy->sa = ipsec_sa_create(this, src, dst, mark, if_id, cfg);
529 return policy;
530 }
531
532 /**
533 * Destroy a policy_sa(_in)_t object
534 */
535 static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t dir,
536 private_kernel_netlink_ipsec_t *this)
537 {
538 if (dir == POLICY_OUT)
539 {
540 policy_sa_out_t *out = (policy_sa_out_t*)policy;
541 out->src_ts->destroy(out->src_ts);
542 out->dst_ts->destroy(out->dst_ts);
543 }
544 ipsec_sa_destroy(this, policy->sa);
545 free(policy);
546 }
547
548 CALLBACK(policy_sa_destroy_cb, void,
549 policy_sa_t *policy, va_list args)
550 {
551 private_kernel_netlink_ipsec_t *this;
552 policy_dir_t dir;
553
554 VA_ARGS_VGET(args, dir, this);
555 policy_sa_destroy(policy, dir, this);
556 }
557
558 typedef struct policy_entry_t policy_entry_t;
559
560 /**
561 * Installed kernel policy.
562 */
563 struct policy_entry_t {
564
565 /** Direction of this policy: in, out, forward */
566 uint8_t direction;
567
568 /** Parameters of installed policy */
569 struct xfrm_selector sel;
570
571 /** Optional mark */
572 uint32_t mark;
573
574 /** Optional interface ID */
575 uint32_t if_id;
576
577 /** Associated route installed for this policy */
578 route_entry_t *route;
579
580 /** List of SAs this policy is used by, ordered by priority */
581 linked_list_t *used_by;
582
583 /** reqid for this policy */
584 uint32_t reqid;
585
586 /** Number of threads waiting to work on this policy */
587 int waiting;
588
589 /** TRUE if a thread is working on this policy */
590 bool working;
591 };
592
593 /**
594 * Destroy a policy_entry_t object
595 */
596 static void policy_entry_destroy(private_kernel_netlink_ipsec_t *this,
597 policy_entry_t *policy)
598 {
599 if (policy->route)
600 {
601 route_entry_destroy(policy->route);
602 }
603 if (policy->used_by)
604 {
605 policy->used_by->invoke_function(policy->used_by, policy_sa_destroy_cb,
606 policy->direction, this);
607 policy->used_by->destroy(policy->used_by);
608 }
609 free(policy);
610 }
611
612 /**
613 * Hash function for policy_entry_t objects
614 */
615 static u_int policy_hash(policy_entry_t *key)
616 {
617 chunk_t chunk = chunk_from_thing(key->sel);
618 return chunk_hash_inc(chunk, chunk_hash_inc(chunk_from_thing(key->mark),
619 chunk_hash(chunk_from_thing(key->if_id))));
620 }
621
622 /**
623 * Equality function for policy_entry_t objects
624 */
625 static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
626 {
627 return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
628 key->mark == other_key->mark &&
629 key->if_id == other_key->if_id &&
630 key->direction == other_key->direction;
631 }
632
633 /**
634 * Determine number of set bits in 16 bit port mask
635 */
636 static inline uint32_t port_mask_bits(uint16_t port_mask)
637 {
638 uint32_t bits;
639 uint16_t bit_mask = 0x8000;
640
641 port_mask = ntohs(port_mask);
642
643 for (bits = 0; bits < 16; bits++)
644 {
645 if (!(port_mask & bit_mask))
646 {
647 break;
648 }
649 bit_mask >>= 1;
650 }
651 return bits;
652 }
653
654 /**
655 * Calculate the priority of a policy
656 *
657 * bits 0-0: separate trap and regular policies (0..1) 1 bit
658 * bits 1-1: restriction to network interface (0..1) 1 bit
659 * bits 2-7: src + dst port mask bits (2 * 0..16) 6 bits
660 * bits 8-8: restriction to protocol (0..1) 1 bit
661 * bits 9-17: src + dst network mask bits (2 * 0..128) 9 bits
662 * 18 bits
663 *
664 * smallest value: 000000000 0 000000 0 0: 0, lowest priority = 200'000
665 * largest value : 100000000 1 100000 1 1: 131'459, highst priority = 68'541
666 */
667 static uint32_t get_priority(policy_entry_t *policy, policy_priority_t prio,
668 char *interface)
669 {
670 uint32_t priority = PRIO_BASE, sport_mask_bits, dport_mask_bits;
671
672 switch (prio)
673 {
674 case POLICY_PRIORITY_FALLBACK:
675 priority += PRIO_BASE;
676 /* fall-through to next case */
677 case POLICY_PRIORITY_ROUTED:
678 case POLICY_PRIORITY_DEFAULT:
679 priority += PRIO_BASE;
680 /* fall-through to next case */
681 case POLICY_PRIORITY_PASS:
682 break;
683 }
684 sport_mask_bits = port_mask_bits(policy->sel.sport_mask);
685 dport_mask_bits = port_mask_bits(policy->sel.dport_mask);
686
687 /* calculate priority */
688 priority -= (policy->sel.prefixlen_s + policy->sel.prefixlen_d) * 512;
689 priority -= policy->sel.proto ? 256 : 0;
690 priority -= (sport_mask_bits + dport_mask_bits) * 4;
691 priority -= (interface != NULL) * 2;
692 priority -= (prio != POLICY_PRIORITY_ROUTED);
693
694 return priority;
695 }
696
697 /**
698 * Convert the general ipsec mode to the one defined in xfrm.h
699 */
700 static uint8_t mode2kernel(ipsec_mode_t mode)
701 {
702 switch (mode)
703 {
704 case MODE_TRANSPORT:
705 return XFRM_MODE_TRANSPORT;
706 case MODE_TUNNEL:
707 return XFRM_MODE_TUNNEL;
708 case MODE_BEET:
709 return XFRM_MODE_BEET;
710 default:
711 return mode;
712 }
713 }
714
715 /**
716 * Convert a host_t to a struct xfrm_address
717 */
718 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
719 {
720 chunk_t chunk = host->get_address(host);
721 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
722 }
723
724 /**
725 * Convert a struct xfrm_address to a host_t
726 */
727 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, uint16_t port)
728 {
729 chunk_t chunk;
730
731 switch (family)
732 {
733 case AF_INET:
734 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
735 break;
736 case AF_INET6:
737 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
738 break;
739 default:
740 return NULL;
741 }
742 return host_create_from_chunk(family, chunk, ntohs(port));
743 }
744
745 /**
746 * Convert a traffic selector address range to subnet and its mask.
747 */
748 static void ts2subnet(traffic_selector_t* ts,
749 xfrm_address_t *net, uint8_t *mask)
750 {
751 host_t *net_host;
752 chunk_t net_chunk;
753
754 ts->to_subnet(ts, &net_host, mask);
755 net_chunk = net_host->get_address(net_host);
756 memcpy(net, net_chunk.ptr, net_chunk.len);
757 net_host->destroy(net_host);
758 }
759
760 /**
761 * Convert a traffic selector port range to port/portmask
762 */
763 static void ts2ports(traffic_selector_t* ts,
764 uint16_t *port, uint16_t *mask)
765 {
766 uint16_t from, to, bitmask;
767 int bit;
768
769 from = ts->get_from_port(ts);
770 to = ts->get_to_port(ts);
771
772 /* Quick check for a single port */
773 if (from == to)
774 {
775 *port = htons(from);
776 *mask = ~0;
777 }
778 else
779 {
780 /* Compute the port mask for port ranges */
781 *mask = 0;
782
783 for (bit = 15; bit >= 0; bit--)
784 {
785 bitmask = 1 << bit;
786
787 if ((bitmask & from) != (bitmask & to))
788 {
789 *port = htons(from & *mask);
790 *mask = htons(*mask);
791 return;
792 }
793 *mask |= bitmask;
794 }
795 }
796 return;
797 }
798
799 /**
800 * Convert a pair of traffic_selectors to an xfrm_selector
801 */
802 static struct xfrm_selector ts2selector(traffic_selector_t *src,
803 traffic_selector_t *dst,
804 char *interface)
805 {
806 struct xfrm_selector sel;
807 uint16_t port;
808
809 memset(&sel, 0, sizeof(sel));
810 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
811 /* src or dest proto may be "any" (0), use more restrictive one */
812 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
813 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
814 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
815 ts2ports(dst, &sel.dport, &sel.dport_mask);
816 ts2ports(src, &sel.sport, &sel.sport_mask);
817 if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
818 (sel.dport || sel.sport))
819 {
820 /* the kernel expects the ICMP type and code in the source and
821 * destination port fields, respectively. */
822 port = ntohs(max(sel.dport, sel.sport));
823 sel.sport = htons(traffic_selector_icmp_type(port));
824 sel.sport_mask = sel.sport ? ~0 : 0;
825 sel.dport = htons(traffic_selector_icmp_code(port));
826 sel.dport_mask = sel.dport ? ~0 : 0;
827 }
828 sel.ifindex = interface ? if_nametoindex(interface) : 0;
829 sel.user = 0;
830
831 return sel;
832 }
833
834 /**
835 * Convert an xfrm_selector to a src|dst traffic_selector
836 */
837 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
838 {
839 u_char *addr;
840 uint8_t prefixlen;
841 uint16_t port = 0;
842 host_t *host = NULL;
843
844 if (src)
845 {
846 addr = (u_char*)&sel->saddr;
847 prefixlen = sel->prefixlen_s;
848 if (sel->sport_mask)
849 {
850 port = ntohs(sel->sport);
851 }
852 }
853 else
854 {
855 addr = (u_char*)&sel->daddr;
856 prefixlen = sel->prefixlen_d;
857 if (sel->dport_mask)
858 {
859 port = ntohs(sel->dport);
860 }
861 }
862 if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
863 { /* convert ICMP[v6] message type and code as supplied by the kernel in
864 * source and destination ports (both in network order) */
865 port = (sel->sport >> 8) | (sel->dport & 0xff00);
866 port = ntohs(port);
867 }
868 /* The Linux 2.6 kernel does not set the selector's family field,
869 * so as a kludge we additionally test the prefix length.
870 */
871 if (sel->family == AF_INET || sel->prefixlen_s == 32)
872 {
873 host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
874 }
875 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
876 {
877 host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
878 }
879
880 if (host)
881 {
882 return traffic_selector_create_from_subnet(host, prefixlen,
883 sel->proto, port, port ?: 65535);
884 }
885 return NULL;
886 }
887
888 /**
889 * Process a XFRM_MSG_ACQUIRE from kernel
890 */
891 static void process_acquire(private_kernel_netlink_ipsec_t *this,
892 struct nlmsghdr *hdr)
893 {
894 struct xfrm_user_acquire *acquire;
895 struct rtattr *rta;
896 size_t rtasize;
897 traffic_selector_t *src_ts, *dst_ts;
898 uint32_t reqid = 0;
899 int proto = 0;
900
901 acquire = NLMSG_DATA(hdr);
902 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
903 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
904
905 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
906
907 while (RTA_OK(rta, rtasize))
908 {
909 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
910
911 if (rta->rta_type == XFRMA_TMPL)
912 {
913 struct xfrm_user_tmpl* tmpl;
914 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
915 reqid = tmpl->reqid;
916 proto = tmpl->id.proto;
917 }
918 rta = RTA_NEXT(rta, rtasize);
919 }
920 switch (proto)
921 {
922 case 0:
923 case IPPROTO_ESP:
924 case IPPROTO_AH:
925 break;
926 default:
927 /* acquire for AH/ESP only, not for IPCOMP */
928 return;
929 }
930 src_ts = selector2ts(&acquire->sel, TRUE);
931 dst_ts = selector2ts(&acquire->sel, FALSE);
932
933 charon->kernel->acquire(charon->kernel, reqid, src_ts, dst_ts);
934 }
935
936 /**
937 * Process a XFRM_MSG_EXPIRE from kernel
938 */
939 static void process_expire(private_kernel_netlink_ipsec_t *this,
940 struct nlmsghdr *hdr)
941 {
942 struct xfrm_user_expire *expire;
943 uint32_t spi;
944 uint8_t protocol;
945 host_t *dst;
946
947 expire = NLMSG_DATA(hdr);
948 protocol = expire->state.id.proto;
949 spi = expire->state.id.spi;
950
951 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
952
953 if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH)
954 {
955 dst = xfrm2host(expire->state.family, &expire->state.id.daddr, 0);
956 if (dst)
957 {
958 charon->kernel->expire(charon->kernel, protocol, spi, dst,
959 expire->hard != 0);
960 dst->destroy(dst);
961 }
962 }
963 }
964
965 /**
966 * Process a XFRM_MSG_MIGRATE from kernel
967 */
968 static void process_migrate(private_kernel_netlink_ipsec_t *this,
969 struct nlmsghdr *hdr)
970 {
971 struct xfrm_userpolicy_id *policy_id;
972 struct rtattr *rta;
973 size_t rtasize;
974 traffic_selector_t *src_ts, *dst_ts;
975 host_t *local = NULL, *remote = NULL;
976 host_t *old_src = NULL, *old_dst = NULL;
977 host_t *new_src = NULL, *new_dst = NULL;
978 uint32_t reqid = 0;
979 policy_dir_t dir;
980
981 policy_id = NLMSG_DATA(hdr);
982 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
983 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
984
985 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
986
987 src_ts = selector2ts(&policy_id->sel, TRUE);
988 dst_ts = selector2ts(&policy_id->sel, FALSE);
989 dir = (policy_dir_t)policy_id->dir;
990
991 DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
992
993 while (RTA_OK(rta, rtasize))
994 {
995 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
996 if (rta->rta_type == XFRMA_KMADDRESS)
997 {
998 struct xfrm_user_kmaddress *kmaddress;
999
1000 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
1001 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
1002 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
1003 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1004 }
1005 else if (rta->rta_type == XFRMA_MIGRATE)
1006 {
1007 struct xfrm_user_migrate *migrate;
1008
1009 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
1010 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
1011 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
1012 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
1013 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
1014 reqid = migrate->reqid;
1015 DBG2(DBG_KNL, " migrate %H...%H to %H...%H, reqid {%u}",
1016 old_src, old_dst, new_src, new_dst, reqid);
1017 DESTROY_IF(old_src);
1018 DESTROY_IF(old_dst);
1019 DESTROY_IF(new_src);
1020 DESTROY_IF(new_dst);
1021 }
1022 rta = RTA_NEXT(rta, rtasize);
1023 }
1024
1025 if (src_ts && dst_ts && local && remote)
1026 {
1027 charon->kernel->migrate(charon->kernel, reqid, src_ts, dst_ts, dir,
1028 local, remote);
1029 }
1030 else
1031 {
1032 DESTROY_IF(src_ts);
1033 DESTROY_IF(dst_ts);
1034 DESTROY_IF(local);
1035 DESTROY_IF(remote);
1036 }
1037 }
1038
1039 /**
1040 * Process a XFRM_MSG_MAPPING from kernel
1041 */
1042 static void process_mapping(private_kernel_netlink_ipsec_t *this,
1043 struct nlmsghdr *hdr)
1044 {
1045 struct xfrm_user_mapping *mapping;
1046 uint32_t spi;
1047
1048 mapping = NLMSG_DATA(hdr);
1049 spi = mapping->id.spi;
1050
1051 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
1052
1053 if (mapping->id.proto == IPPROTO_ESP)
1054 {
1055 host_t *dst, *new;
1056
1057 dst = xfrm2host(mapping->id.family, &mapping->id.daddr, 0);
1058 if (dst)
1059 {
1060 new = xfrm2host(mapping->id.family, &mapping->new_saddr,
1061 mapping->new_sport);
1062 if (new)
1063 {
1064 charon->kernel->mapping(charon->kernel, IPPROTO_ESP, spi, dst,
1065 new);
1066 new->destroy(new);
1067 }
1068 dst->destroy(dst);
1069 }
1070 }
1071 }
1072
1073 /**
1074 * Receives events from kernel
1075 */
1076 static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd,
1077 watcher_event_t event)
1078 {
1079 char response[netlink_get_buflen()];
1080 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
1081 struct sockaddr_nl addr;
1082 socklen_t addr_len = sizeof(addr);
1083 int len;
1084
1085 len = recvfrom(this->socket_xfrm_events, response, sizeof(response),
1086 MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len);
1087 if (len < 0)
1088 {
1089 switch (errno)
1090 {
1091 case EINTR:
1092 /* interrupted, try again */
1093 return TRUE;
1094 case EAGAIN:
1095 /* no data ready, select again */
1096 return TRUE;
1097 default:
1098 DBG1(DBG_KNL, "unable to receive from XFRM event socket: %s "
1099 "(%d)", strerror(errno), errno);
1100 sleep(1);
1101 return TRUE;
1102 }
1103 }
1104
1105 if (addr.nl_pid != 0)
1106 { /* not from kernel. not interested, try another one */
1107 return TRUE;
1108 }
1109
1110 while (NLMSG_OK(hdr, len))
1111 {
1112 switch (hdr->nlmsg_type)
1113 {
1114 case XFRM_MSG_ACQUIRE:
1115 process_acquire(this, hdr);
1116 break;
1117 case XFRM_MSG_EXPIRE:
1118 process_expire(this, hdr);
1119 break;
1120 case XFRM_MSG_MIGRATE:
1121 process_migrate(this, hdr);
1122 break;
1123 case XFRM_MSG_MAPPING:
1124 process_mapping(this, hdr);
1125 break;
1126 default:
1127 DBG1(DBG_KNL, "received unknown event from XFRM event "
1128 "socket: %d", hdr->nlmsg_type);
1129 break;
1130 }
1131 hdr = NLMSG_NEXT(hdr, len);
1132 }
1133 return TRUE;
1134 }
1135
1136 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
1137 private_kernel_netlink_ipsec_t *this)
1138 {
1139 return KERNEL_ESP_V3_TFC | KERNEL_POLICY_SPI;
1140 }
1141
1142 /**
1143 * Get an SPI for a specific protocol from the kernel.
1144 */
1145 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
1146 host_t *src, host_t *dst, uint8_t proto, uint32_t min, uint32_t max,
1147 uint32_t *spi)
1148 {
1149 netlink_buf_t request;
1150 struct nlmsghdr *hdr, *out;
1151 struct xfrm_userspi_info *userspi;
1152 uint32_t received_spi = 0;
1153 size_t len;
1154
1155 memset(&request, 0, sizeof(request));
1156
1157 hdr = &request.hdr;
1158 hdr->nlmsg_flags = NLM_F_REQUEST;
1159 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1160 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1161
1162 userspi = NLMSG_DATA(hdr);
1163 host2xfrm(src, &userspi->info.saddr);
1164 host2xfrm(dst, &userspi->info.id.daddr);
1165 userspi->info.id.proto = proto;
1166 userspi->info.mode = XFRM_MODE_TUNNEL;
1167 userspi->info.family = src->get_family(src);
1168 userspi->min = min;
1169 userspi->max = max;
1170
1171 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1172 {
1173 hdr = out;
1174 while (NLMSG_OK(hdr, len))
1175 {
1176 switch (hdr->nlmsg_type)
1177 {
1178 case XFRM_MSG_NEWSA:
1179 {
1180 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1181 received_spi = usersa->id.spi;
1182 break;
1183 }
1184 case NLMSG_ERROR:
1185 {
1186 struct nlmsgerr *err = NLMSG_DATA(hdr);
1187 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1188 strerror(-err->error), -err->error);
1189 break;
1190 }
1191 default:
1192 hdr = NLMSG_NEXT(hdr, len);
1193 continue;
1194 case NLMSG_DONE:
1195 break;
1196 }
1197 break;
1198 }
1199 free(out);
1200 }
1201
1202 if (received_spi == 0)
1203 {
1204 return FAILED;
1205 }
1206
1207 *spi = received_spi;
1208 return SUCCESS;
1209 }
1210
1211 METHOD(kernel_ipsec_t, get_spi, status_t,
1212 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1213 uint8_t protocol, uint32_t *spi)
1214 {
1215 uint32_t spi_min, spi_max;
1216
1217 spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
1218 KERNEL_SPI_MIN, lib->ns);
1219 spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
1220 KERNEL_SPI_MAX, lib->ns);
1221
1222 if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max),
1223 max(spi_min, spi_max), spi) != SUCCESS)
1224 {
1225 DBG1(DBG_KNL, "unable to get SPI");
1226 return FAILED;
1227 }
1228
1229 DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi));
1230 return SUCCESS;
1231 }
1232
1233 METHOD(kernel_ipsec_t, get_cpi, status_t,
1234 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1235 uint16_t *cpi)
1236 {
1237 uint32_t received_spi = 0;
1238
1239 if (get_spi_internal(this, src, dst, IPPROTO_COMP,
1240 0x100, 0xEFFF, &received_spi) != SUCCESS)
1241 {
1242 DBG1(DBG_KNL, "unable to get CPI");
1243 return FAILED;
1244 }
1245
1246 *cpi = htons((uint16_t)ntohl(received_spi));
1247
1248 DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi));
1249 return SUCCESS;
1250 }
1251
1252 /**
1253 * Format the mark for debug messages
1254 */
1255 static void format_mark(char *buf, int buflen, mark_t mark)
1256 {
1257 if (mark.value | mark.mask)
1258 {
1259 snprintf(buf, buflen, " (mark %u/0x%08x)", mark.value, mark.mask);
1260 }
1261 }
1262
1263 /**
1264 * Add a XFRM mark to message if required
1265 */
1266 static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark)
1267 {
1268 if (mark.value | mark.mask)
1269 {
1270 struct xfrm_mark *xmrk;
1271
1272 xmrk = netlink_reserve(hdr, buflen, XFRMA_MARK, sizeof(*xmrk));
1273 if (!xmrk)
1274 {
1275 return FALSE;
1276 }
1277 xmrk->v = mark.value;
1278 xmrk->m = mark.mask;
1279 }
1280 return TRUE;
1281 }
1282
1283 /**
1284 * Add a uint32 attribute to message
1285 */
1286 static bool add_uint32(struct nlmsghdr *hdr, int buflen,
1287 enum xfrm_attr_type_t type, uint32_t value)
1288 {
1289 uint32_t *xvalue;
1290
1291 xvalue = netlink_reserve(hdr, buflen, type, sizeof(*xvalue));
1292 if (!xvalue)
1293 {
1294 return FALSE;
1295 }
1296 *xvalue = value;
1297 return TRUE;
1298 }
1299
1300 /* ETHTOOL_GSSET_INFO is available since 2.6.34 and ETH_SS_FEATURES (enum) and
1301 * ETHTOOL_GFEATURES since 2.6.39, so check for the latter */
1302 #ifdef ETHTOOL_GFEATURES
1303
1304 /**
1305 * Global metadata used for IPsec HW offload
1306 */
1307 static struct {
1308 /** determined HW offload support */
1309 bool supported;
1310 /** bit in feature set */
1311 u_int bit;
1312 /** total number of device feature blocks */
1313 u_int total_blocks;
1314 } netlink_hw_offload;
1315
1316 /**
1317 * Check if kernel supports HW offload and determine feature flag
1318 */
1319 static void netlink_find_offload_feature(const char *ifname)
1320 {
1321 struct ethtool_sset_info *sset_info;
1322 struct ethtool_gstrings *cmd = NULL;
1323 struct ifreq ifr;
1324 uint32_t sset_len, i;
1325 char *str;
1326 int err, query_socket;
1327
1328 query_socket = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
1329 if (query_socket < 0)
1330 {
1331 return;
1332 }
1333
1334 /* determine number of device features */
1335 INIT_EXTRA(sset_info, sizeof(uint32_t),
1336 .cmd = ETHTOOL_GSSET_INFO,
1337 .sset_mask = 1ULL << ETH_SS_FEATURES,
1338 );
1339 strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
1340 ifr.ifr_name[IFNAMSIZ-1] = '\0';
1341 ifr.ifr_data = (void*)sset_info;
1342
1343 err = ioctl(query_socket, SIOCETHTOOL, &ifr);
1344 if (err || sset_info->sset_mask != 1ULL << ETH_SS_FEATURES)
1345 {
1346 goto out;
1347 }
1348 sset_len = sset_info->data[0];
1349
1350 /* retrieve names of device features */
1351 INIT_EXTRA(cmd, ETH_GSTRING_LEN * sset_len,
1352 .cmd = ETHTOOL_GSTRINGS,
1353 .string_set = ETH_SS_FEATURES,
1354 );
1355 strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
1356 ifr.ifr_name[IFNAMSIZ-1] = '\0';
1357 ifr.ifr_data = (void*)cmd;
1358
1359 err = ioctl(query_socket, SIOCETHTOOL, &ifr);
1360 if (err)
1361 {
1362 goto out;
1363 }
1364
1365 /* look for the ESP_HW feature bit */
1366 str = (char*)cmd->data;
1367 for (i = 0; i < cmd->len; i++)
1368 {
1369 if (strneq(str, "esp-hw-offload", ETH_GSTRING_LEN))
1370 {
1371 netlink_hw_offload.supported = TRUE;
1372 netlink_hw_offload.bit = i;
1373 netlink_hw_offload.total_blocks = (sset_len + 31) / 32;
1374 break;
1375 }
1376 str += ETH_GSTRING_LEN;
1377 }
1378
1379 out:
1380 free(sset_info);
1381 free(cmd);
1382 close(query_socket);
1383 }
1384
1385 /**
1386 * Check if interface supported HW offload
1387 */
1388 static bool netlink_detect_offload(const char *ifname)
1389 {
1390 struct ethtool_gfeatures *cmd;
1391 uint32_t feature_bit;
1392 struct ifreq ifr;
1393 int query_socket;
1394 int block;
1395 bool ret = FALSE;
1396
1397 if (!netlink_hw_offload.supported)
1398 {
1399 DBG1(DBG_KNL, "HW offload is not supported by kernel");
1400 return FALSE;
1401 }
1402
1403 query_socket = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
1404 if (query_socket < 0)
1405 {
1406 return FALSE;
1407 }
1408
1409 /* feature is supported by kernel, query device features */
1410 INIT_EXTRA(cmd, sizeof(cmd->features[0]) * netlink_hw_offload.total_blocks,
1411 .cmd = ETHTOOL_GFEATURES,
1412 .size = netlink_hw_offload.total_blocks,
1413 );
1414 strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
1415 ifr.ifr_name[IFNAMSIZ-1] = '\0';
1416 ifr.ifr_data = (void*)cmd;
1417
1418 if (!ioctl(query_socket, SIOCETHTOOL, &ifr))
1419 {
1420 block = netlink_hw_offload.bit / 32;
1421 feature_bit = 1U << (netlink_hw_offload.bit % 32);
1422 if (cmd->features[block].active & feature_bit)
1423 {
1424 ret = TRUE;
1425 }
1426 }
1427
1428 if (!ret)
1429 {
1430 DBG1(DBG_KNL, "HW offload is not supported by device");
1431 }
1432 free(cmd);
1433 close(query_socket);
1434 return ret;
1435 }
1436
1437 #else
1438
1439 static void netlink_find_offload_feature(const char *ifname)
1440 {
1441 }
1442
1443 static bool netlink_detect_offload(const char *ifname)
1444 {
1445 return FALSE;
1446 }
1447
1448 #endif
1449
1450 /**
1451 * There are 3 HW offload configuration values:
1452 * 1. HW_OFFLOAD_NO : Do not configure HW offload.
1453 * 2. HW_OFFLOAD_YES : Configure HW offload.
1454 * Fail SA addition if offload is not supported.
1455 * 3. HW_OFFLOAD_AUTO : Configure HW offload if supported by the kernel
1456 * and device.
1457 * Do not fail SA addition otherwise.
1458 */
1459 static bool config_hw_offload(kernel_ipsec_sa_id_t *id,
1460 kernel_ipsec_add_sa_t *data, struct nlmsghdr *hdr,
1461 int buflen)
1462 {
1463 host_t *local = data->inbound ? id->dst : id->src;
1464 struct xfrm_user_offload *offload;
1465 bool hw_offload_yes, ret = FALSE;
1466 char *ifname;
1467
1468 /* do Ipsec configuration without offload */
1469 if (data->hw_offload == HW_OFFLOAD_NO)
1470 {
1471 return TRUE;
1472 }
1473
1474 hw_offload_yes = (data->hw_offload == HW_OFFLOAD_YES);
1475
1476 if (!charon->kernel->get_interface(charon->kernel, local, &ifname))
1477 {
1478 return !hw_offload_yes;
1479 }
1480
1481 /* check if interface supports hw_offload */
1482 if (!netlink_detect_offload(ifname))
1483 {
1484 ret = !hw_offload_yes;
1485 goto out;
1486 }
1487
1488 /* activate HW offload */
1489 offload = netlink_reserve(hdr, buflen,
1490 XFRMA_OFFLOAD_DEV, sizeof(*offload));
1491 if (!offload)
1492 {
1493 ret = !hw_offload_yes;
1494 goto out;
1495 }
1496 offload->ifindex = if_nametoindex(ifname);
1497 if (local->get_family(local) == AF_INET6)
1498 {
1499 offload->flags |= XFRM_OFFLOAD_IPV6;
1500 }
1501 offload->flags |= data->inbound ? XFRM_OFFLOAD_INBOUND : 0;
1502
1503 ret = TRUE;
1504
1505 out:
1506 free(ifname);
1507 return ret;
1508 }
1509
1510 METHOD(kernel_ipsec_t, add_sa, status_t,
1511 private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
1512 kernel_ipsec_add_sa_t *data)
1513 {
1514 netlink_buf_t request;
1515 const char *alg_name;
1516 char markstr[32] = "";
1517 struct nlmsghdr *hdr;
1518 struct xfrm_usersa_info *sa;
1519 uint16_t icv_size = 64, ipcomp = data->ipcomp;
1520 ipsec_mode_t mode = data->mode, original_mode = data->mode;
1521 traffic_selector_t *first_src_ts, *first_dst_ts;
1522 status_t status = FAILED;
1523
1524 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
1525 * we are in the recursive call below */
1526 if (ipcomp != IPCOMP_NONE && data->cpi != 0)
1527 {
1528 lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
1529 kernel_ipsec_sa_id_t ipcomp_id = {
1530 .src = id->src,
1531 .dst = id->dst,
1532 .spi = htonl(ntohs(data->cpi)),
1533 .proto = IPPROTO_COMP,
1534 .mark = id->mark,
1535 .if_id = id->if_id,
1536 };
1537 kernel_ipsec_add_sa_t ipcomp_sa = {
1538 .reqid = data->reqid,
1539 .mode = data->mode,
1540 .src_ts = data->src_ts,
1541 .dst_ts = data->dst_ts,
1542 .lifetime = &lft,
1543 .enc_alg = ENCR_UNDEFINED,
1544 .int_alg = AUTH_UNDEFINED,
1545 .tfc = data->tfc,
1546 .ipcomp = data->ipcomp,
1547 .initiator = data->initiator,
1548 .inbound = data->inbound,
1549 .update = data->update,
1550 };
1551 add_sa(this, &ipcomp_id, &ipcomp_sa);
1552 ipcomp = IPCOMP_NONE;
1553 /* use transport mode ESP SA, IPComp uses tunnel mode */
1554 mode = MODE_TRANSPORT;
1555 }
1556
1557 memset(&request, 0, sizeof(request));
1558 format_mark(markstr, sizeof(markstr), id->mark);
1559
1560 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}%s",
1561 ntohl(id->spi), data->reqid, markstr);
1562
1563 hdr = &request.hdr;
1564 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1565 hdr->nlmsg_type = data->update ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1566 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1567
1568 sa = NLMSG_DATA(hdr);
1569 host2xfrm(id->src, &sa->saddr);
1570 host2xfrm(id->dst, &sa->id.daddr);
1571 sa->id.spi = id->spi;
1572 sa->id.proto = id->proto;
1573 sa->family = id->src->get_family(id->src);
1574 sa->mode = mode2kernel(mode);
1575
1576 if (!data->copy_df)
1577 {
1578 sa->flags |= XFRM_STATE_NOPMTUDISC;
1579 }
1580
1581 if (!data->copy_ecn)
1582 {
1583 sa->flags |= XFRM_STATE_NOECN;
1584 }
1585
1586 if (data->inbound)
1587 {
1588 switch (data->copy_dscp)
1589 {
1590 case DSCP_COPY_YES:
1591 case DSCP_COPY_IN_ONLY:
1592 sa->flags |= XFRM_STATE_DECAP_DSCP;
1593 break;
1594 default:
1595 break;
1596 }
1597 }
1598 else
1599 {
1600 switch (data->copy_dscp)
1601 {
1602 case DSCP_COPY_IN_ONLY:
1603 case DSCP_COPY_NO:
1604 {
1605 /* currently the only extra flag */
1606 if (!add_uint32(hdr, sizeof(request), XFRMA_SA_EXTRA_FLAGS,
1607 XFRM_SA_XFLAG_DONT_ENCAP_DSCP))
1608 {
1609 goto failed;
1610 }
1611 break;
1612 }
1613 default:
1614 break;
1615 }
1616 }
1617
1618 switch (mode)
1619 {
1620 case MODE_TUNNEL:
1621 sa->flags |= XFRM_STATE_AF_UNSPEC;
1622 break;
1623 case MODE_BEET:
1624 case MODE_TRANSPORT:
1625 if (original_mode == MODE_TUNNEL)
1626 { /* don't install selectors for switched SAs. because only one
1627 * selector can be installed other traffic would get dropped */
1628 break;
1629 }
1630 if (data->src_ts->get_first(data->src_ts,
1631 (void**)&first_src_ts) == SUCCESS &&
1632 data->dst_ts->get_first(data->dst_ts,
1633 (void**)&first_dst_ts) == SUCCESS)
1634 {
1635 sa->sel = ts2selector(first_src_ts, first_dst_ts,
1636 data->interface);
1637 if (!this->proto_port_transport)
1638 {
1639 /* don't install proto/port on SA. This would break
1640 * potential secondary SAs for the same address using a
1641 * different prot/port. */
1642 sa->sel.proto = 0;
1643 sa->sel.dport = sa->sel.dport_mask = 0;
1644 sa->sel.sport = sa->sel.sport_mask = 0;
1645 }
1646 }
1647 break;
1648 default:
1649 break;
1650 }
1651 if (id->proto == IPPROTO_AH && sa->family == AF_INET)
1652 { /* use alignment to 4 bytes for IPv4 instead of the incorrect 8 byte
1653 * alignment that's used by default but is only valid for IPv6 */
1654 sa->flags |= XFRM_STATE_ALIGN4;
1655 }
1656
1657 sa->reqid = data->reqid;
1658 sa->lft.soft_byte_limit = XFRM_LIMIT(data->lifetime->bytes.rekey);
1659 sa->lft.hard_byte_limit = XFRM_LIMIT(data->lifetime->bytes.life);
1660 sa->lft.soft_packet_limit = XFRM_LIMIT(data->lifetime->packets.rekey);
1661 sa->lft.hard_packet_limit = XFRM_LIMIT(data->lifetime->packets.life);
1662 /* we use lifetimes since added, not since used */
1663 sa->lft.soft_add_expires_seconds = data->lifetime->time.rekey;
1664 sa->lft.hard_add_expires_seconds = data->lifetime->time.life;
1665 sa->lft.soft_use_expires_seconds = 0;
1666 sa->lft.hard_use_expires_seconds = 0;
1667
1668 switch (data->enc_alg)
1669 {
1670 case ENCR_UNDEFINED:
1671 /* no encryption */
1672 break;
1673 case ENCR_AES_CCM_ICV16:
1674 case ENCR_AES_GCM_ICV16:
1675 case ENCR_NULL_AUTH_AES_GMAC:
1676 case ENCR_CAMELLIA_CCM_ICV16:
1677 case ENCR_CHACHA20_POLY1305:
1678 icv_size += 32;
1679 /* FALL */
1680 case ENCR_AES_CCM_ICV12:
1681 case ENCR_AES_GCM_ICV12:
1682 case ENCR_CAMELLIA_CCM_ICV12:
1683 icv_size += 32;
1684 /* FALL */
1685 case ENCR_AES_CCM_ICV8:
1686 case ENCR_AES_GCM_ICV8:
1687 case ENCR_CAMELLIA_CCM_ICV8:
1688 {
1689 struct xfrm_algo_aead *algo;
1690
1691 alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg);
1692 if (alg_name == NULL)
1693 {
1694 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1695 encryption_algorithm_names, data->enc_alg);
1696 goto failed;
1697 }
1698 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1699 encryption_algorithm_names, data->enc_alg,
1700 data->enc_key.len * 8);
1701
1702 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AEAD,
1703 sizeof(*algo) + data->enc_key.len);
1704 if (!algo)
1705 {
1706 goto failed;
1707 }
1708 algo->alg_key_len = data->enc_key.len * 8;
1709 algo->alg_icv_len = icv_size;
1710 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1711 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1712 memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len);
1713 break;
1714 }
1715 default:
1716 {
1717 struct xfrm_algo *algo;
1718
1719 alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg);
1720 if (alg_name == NULL)
1721 {
1722 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1723 encryption_algorithm_names, data->enc_alg);
1724 goto failed;
1725 }
1726 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1727 encryption_algorithm_names, data->enc_alg,
1728 data->enc_key.len * 8);
1729
1730 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_CRYPT,
1731 sizeof(*algo) + data->enc_key.len);
1732 if (!algo)
1733 {
1734 goto failed;
1735 }
1736 algo->alg_key_len = data->enc_key.len * 8;
1737 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1738 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1739 memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len);
1740 }
1741 }
1742
1743 if (data->int_alg != AUTH_UNDEFINED)
1744 {
1745 u_int trunc_len = 0;
1746
1747 alg_name = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg);
1748 if (alg_name == NULL)
1749 {
1750 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1751 integrity_algorithm_names, data->int_alg);
1752 goto failed;
1753 }
1754 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1755 integrity_algorithm_names, data->int_alg, data->int_key.len * 8);
1756
1757 switch (data->int_alg)
1758 {
1759 case AUTH_HMAC_MD5_128:
1760 case AUTH_HMAC_SHA2_256_128:
1761 trunc_len = 128;
1762 break;
1763 case AUTH_HMAC_SHA1_160:
1764 trunc_len = 160;
1765 break;
1766 default:
1767 break;
1768 }
1769
1770 if (trunc_len)
1771 {
1772 struct xfrm_algo_auth* algo;
1773
1774 /* the kernel uses SHA256 with 96 bit truncation by default,
1775 * use specified truncation size supported by newer kernels.
1776 * also use this for untruncated MD5 and SHA1. */
1777 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH_TRUNC,
1778 sizeof(*algo) + data->int_key.len);
1779 if (!algo)
1780 {
1781 goto failed;
1782 }
1783 algo->alg_key_len = data->int_key.len * 8;
1784 algo->alg_trunc_len = trunc_len;
1785 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1786 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1787 memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len);
1788 }
1789 else
1790 {
1791 struct xfrm_algo* algo;
1792
1793 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH,
1794 sizeof(*algo) + data->int_key.len);
1795 if (!algo)
1796 {
1797 goto failed;
1798 }
1799 algo->alg_key_len = data->int_key.len * 8;
1800 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1801 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1802 memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len);
1803 }
1804 }
1805
1806 if (ipcomp != IPCOMP_NONE)
1807 {
1808 struct xfrm_algo* algo;
1809
1810 alg_name = lookup_algorithm(COMPRESSION_ALGORITHM, ipcomp);
1811 if (alg_name == NULL)
1812 {
1813 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1814 ipcomp_transform_names, ipcomp);
1815 goto failed;
1816 }
1817 DBG2(DBG_KNL, " using compression algorithm %N",
1818 ipcomp_transform_names, ipcomp);
1819
1820 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_COMP,
1821 sizeof(*algo));
1822 if (!algo)
1823 {
1824 goto failed;
1825 }
1826 algo->alg_key_len = 0;
1827 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1828 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1829 }
1830
1831 if (data->encap)
1832 {
1833 struct xfrm_encap_tmpl *tmpl;
1834
1835 tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP, sizeof(*tmpl));
1836 if (!tmpl)
1837 {
1838 goto failed;
1839 }
1840 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1841 tmpl->encap_sport = htons(id->src->get_port(id->src));
1842 tmpl->encap_dport = htons(id->dst->get_port(id->dst));
1843 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1844 /* encap_oa could probably be derived from the
1845 * traffic selectors [rfc4306, p39]. In the netlink kernel
1846 * implementation pluto does the same as we do here but it uses
1847 * encap_oa in the pfkey implementation.
1848 * BUT as /usr/src/linux/net/key/af_key.c indicates the kernel ignores
1849 * it anyway
1850 * -> does that mean that NAT-T encap doesn't work in transport mode?
1851 * No. The reason the kernel ignores NAT-OA is that it recomputes
1852 * (or, rather, just ignores) the checksum. If packets pass the IPsec
1853 * checks it marks them "checksum ok" so OA isn't needed. */
1854 }
1855
1856 if (!add_mark(hdr, sizeof(request), id->mark))
1857 {
1858 goto failed;
1859 }
1860
1861 if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
1862 {
1863 goto failed;
1864 }
1865
1866 if (ipcomp == IPCOMP_NONE && (data->mark.value | data->mark.mask))
1867 {
1868 if (!add_uint32(hdr, sizeof(request), XFRMA_SET_MARK,
1869 data->mark.value) ||
1870 !add_uint32(hdr, sizeof(request), XFRMA_SET_MARK_MASK,
1871 data->mark.mask))
1872 {
1873 goto failed;
1874 }
1875 }
1876
1877 if (data->tfc && id->proto == IPPROTO_ESP && mode == MODE_TUNNEL)
1878 { /* the kernel supports TFC padding only for tunnel mode ESP SAs */
1879 if (!add_uint32(hdr, sizeof(request), XFRMA_TFCPAD, data->tfc))
1880 {
1881 goto failed;
1882 }
1883 }
1884
1885 if (id->proto != IPPROTO_COMP)
1886 {
1887 /* generally, we don't need a replay window for outbound SAs, however,
1888 * when using ESN the kernel rejects the attribute if it is 0 */
1889 if (!data->inbound && data->replay_window)
1890 {
1891 data->replay_window = data->esn ? 1 : 0;
1892 }
1893 if (data->replay_window != 0 && (data->esn || data->replay_window > 32))
1894 {
1895 /* for ESN or larger replay windows we need the new
1896 * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
1897 struct xfrm_replay_state_esn *replay;
1898 uint32_t bmp_size;
1899
1900 bmp_size = round_up(data->replay_window, sizeof(uint32_t) * 8) / 8;
1901 replay = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
1902 sizeof(*replay) + bmp_size);
1903 if (!replay)
1904 {
1905 goto failed;
1906 }
1907 /* bmp_len contains number uf __u32's */
1908 replay->bmp_len = bmp_size / sizeof(uint32_t);
1909 replay->replay_window = data->replay_window;
1910 DBG2(DBG_KNL, " using replay window of %u packets",
1911 data->replay_window);
1912
1913 if (data->esn)
1914 {
1915 DBG2(DBG_KNL, " using extended sequence numbers (ESN)");
1916 sa->flags |= XFRM_STATE_ESN;
1917 }
1918 }
1919 else
1920 {
1921 DBG2(DBG_KNL, " using replay window of %u packets",
1922 data->replay_window);
1923 sa->replay_window = data->replay_window;
1924 }
1925
1926 DBG2(DBG_KNL, " HW offload: %N", hw_offload_names, data->hw_offload);
1927 if (!config_hw_offload(id, data, hdr, sizeof(request)))
1928 {
1929 DBG1(DBG_KNL, "failed to configure HW offload");
1930 goto failed;
1931 }
1932 }
1933
1934 status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
1935 if (status == NOT_FOUND && data->update)
1936 {
1937 DBG1(DBG_KNL, "allocated SPI not found anymore, try to add SAD entry");
1938 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1939 status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
1940 }
1941
1942 if (status != SUCCESS)
1943 {
1944 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x%s (%N)", ntohl(id->spi),
1945 markstr, status_names, status);
1946 status = FAILED;
1947 goto failed;
1948 }
1949
1950 status = SUCCESS;
1951
1952 failed:
1953 memwipe(&request, sizeof(request));
1954 return status;
1955 }
1956
1957 /**
1958 * Get the ESN replay state (i.e. sequence numbers) of an SA.
1959 *
1960 * Allocates into one the replay state structure we get from the kernel.
1961 */
1962 static void get_replay_state(private_kernel_netlink_ipsec_t *this,
1963 kernel_ipsec_sa_id_t *sa,
1964 struct xfrm_replay_state_esn **replay_esn,
1965 uint32_t *replay_esn_len,
1966 struct xfrm_replay_state **replay,
1967 struct xfrm_lifetime_cur **lifetime)
1968 {
1969 netlink_buf_t request;
1970 struct nlmsghdr *hdr, *out = NULL;
1971 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1972 size_t len;
1973 struct rtattr *rta;
1974 size_t rtasize;
1975
1976 memset(&request, 0, sizeof(request));
1977
1978 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x",
1979 ntohl(sa->spi));
1980
1981 hdr = &request.hdr;
1982 hdr->nlmsg_flags = NLM_F_REQUEST;
1983 hdr->nlmsg_type = XFRM_MSG_GETAE;
1984 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1985
1986 aevent_id = NLMSG_DATA(hdr);
1987 aevent_id->flags = XFRM_AE_RVAL;
1988
1989 host2xfrm(sa->dst, &aevent_id->sa_id.daddr);
1990 aevent_id->sa_id.spi = sa->spi;
1991 aevent_id->sa_id.proto = sa->proto;
1992 aevent_id->sa_id.family = sa->dst->get_family(sa->dst);
1993
1994 if (!add_mark(hdr, sizeof(request), sa->mark))
1995 {
1996 return;
1997 }
1998 if (sa->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, sa->if_id))
1999 {
2000 return;
2001 }
2002
2003 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2004 {
2005 hdr = out;
2006 while (NLMSG_OK(hdr, len))
2007 {
2008 switch (hdr->nlmsg_type)
2009 {
2010 case XFRM_MSG_NEWAE:
2011 {
2012 out_aevent = NLMSG_DATA(hdr);
2013 break;
2014 }
2015 case NLMSG_ERROR:
2016 {
2017 struct nlmsgerr *err = NLMSG_DATA(hdr);
2018 DBG1(DBG_KNL, "querying replay state from SAD entry "
2019 "failed: %s (%d)", strerror(-err->error), -err->error);
2020 break;
2021 }
2022 default:
2023 hdr = NLMSG_NEXT(hdr, len);
2024 continue;
2025 case NLMSG_DONE:
2026 break;
2027 }
2028 break;
2029 }
2030 }
2031
2032 if (out_aevent)
2033 {
2034 rta = XFRM_RTA(out, struct xfrm_aevent_id);
2035 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
2036 while (RTA_OK(rta, rtasize))
2037 {
2038 if (rta->rta_type == XFRMA_LTIME_VAL &&
2039 RTA_PAYLOAD(rta) == sizeof(**lifetime))
2040 {
2041 free(*lifetime);
2042 *lifetime = malloc(RTA_PAYLOAD(rta));
2043 memcpy(*lifetime, RTA_DATA(rta), RTA_PAYLOAD(rta));
2044 }
2045 if (rta->rta_type == XFRMA_REPLAY_VAL &&
2046 RTA_PAYLOAD(rta) == sizeof(**replay))
2047 {
2048 free(*replay);
2049 *replay = malloc(RTA_PAYLOAD(rta));
2050 memcpy(*replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
2051 }
2052 if (rta->rta_type == XFRMA_REPLAY_ESN_VAL &&
2053 RTA_PAYLOAD(rta) >= sizeof(**replay_esn))
2054 {
2055 free(*replay_esn);
2056 *replay_esn = malloc(RTA_PAYLOAD(rta));
2057 *replay_esn_len = RTA_PAYLOAD(rta);
2058 memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta));
2059 }
2060 rta = RTA_NEXT(rta, rtasize);
2061 }
2062 }
2063 free(out);
2064 }
2065
2066 METHOD(kernel_ipsec_t, query_sa, status_t,
2067 private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
2068 kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets,
2069 time_t *time)
2070 {
2071 netlink_buf_t request;
2072 struct nlmsghdr *out = NULL, *hdr;
2073 struct xfrm_usersa_id *sa_id;
2074 struct xfrm_usersa_info *sa = NULL;
2075 status_t status = FAILED;
2076 size_t len;
2077 char markstr[32] = "";
2078
2079 memset(&request, 0, sizeof(request));
2080 format_mark(markstr, sizeof(markstr), id->mark);
2081
2082 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x%s", ntohl(id->spi),
2083 markstr);
2084
2085 hdr = &request.hdr;
2086 hdr->nlmsg_flags = NLM_F_REQUEST;
2087 hdr->nlmsg_type = XFRM_MSG_GETSA;
2088 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2089
2090 sa_id = NLMSG_DATA(hdr);
2091 host2xfrm(id->dst, &sa_id->daddr);
2092 sa_id->spi = id->spi;
2093 sa_id->proto = id->proto;
2094 sa_id->family = id->dst->get_family(id->dst);
2095
2096 if (!add_mark(hdr, sizeof(request), id->mark))
2097 {
2098 return FAILED;
2099 }
2100 if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
2101 {
2102 return FAILED;
2103 }
2104
2105 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2106 {
2107 hdr = out;
2108 while (NLMSG_OK(hdr, len))
2109 {
2110 switch (hdr->nlmsg_type)
2111 {
2112 case XFRM_MSG_NEWSA:
2113 {
2114 sa = NLMSG_DATA(hdr);
2115 break;
2116 }
2117 case NLMSG_ERROR:
2118 {
2119 struct nlmsgerr *err = NLMSG_DATA(hdr);
2120
2121 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x%s failed: "
2122 "%s (%d)", ntohl(id->spi), markstr,
2123 strerror(-err->error), -err->error);
2124 break;
2125 }
2126 default:
2127 hdr = NLMSG_NEXT(hdr, len);
2128 continue;
2129 case NLMSG_DONE:
2130 break;
2131 }
2132 break;
2133 }
2134 }
2135
2136 if (sa == NULL)
2137 {
2138 DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x%s",
2139 ntohl(id->spi), markstr);
2140 }
2141 else
2142 {
2143 if (bytes)
2144 {
2145 *bytes = sa->curlft.bytes;
2146 }
2147 if (packets)
2148 {
2149 *packets = sa->curlft.packets;
2150 }
2151 if (time)
2152 { /* curlft contains an "use" time, but that contains a timestamp
2153 * of the first use, not the last. Last use time must be queried
2154 * on the policy on Linux */
2155 *time = 0;
2156 }
2157 status = SUCCESS;
2158 }
2159 memwipe(out, len);
2160 free(out);
2161 return status;
2162 }
2163
2164 METHOD(kernel_ipsec_t, del_sa, status_t,
2165 private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
2166 kernel_ipsec_del_sa_t *data)
2167 {
2168 netlink_buf_t request;
2169 struct nlmsghdr *hdr;
2170 struct xfrm_usersa_id *sa_id;
2171 char markstr[32] = "";
2172
2173 /* if IPComp was used, we first delete the additional IPComp SA */
2174 if (data->cpi)
2175 {
2176 kernel_ipsec_sa_id_t ipcomp_id = {
2177 .src = id->src,
2178 .dst = id->dst,
2179 .spi = htonl(ntohs(data->cpi)),
2180 .proto = IPPROTO_COMP,
2181 .mark = id->mark,
2182 };
2183 kernel_ipsec_del_sa_t ipcomp = {};
2184 del_sa(this, &ipcomp_id, &ipcomp);
2185 }
2186
2187 memset(&request, 0, sizeof(request));
2188 format_mark(markstr, sizeof(markstr), id->mark);
2189
2190 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x%s", ntohl(id->spi),
2191 markstr);
2192
2193 hdr = &request.hdr;
2194 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2195 hdr->nlmsg_type = XFRM_MSG_DELSA;
2196 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2197
2198 sa_id = NLMSG_DATA(hdr);
2199 host2xfrm(id->dst, &sa_id->daddr);
2200 sa_id->spi = id->spi;
2201 sa_id->proto = id->proto;
2202 sa_id->family = id->dst->get_family(id->dst);
2203
2204 if (!add_mark(hdr, sizeof(request), id->mark))
2205 {
2206 return FAILED;
2207 }
2208 if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
2209 {
2210 return FAILED;
2211 }
2212
2213 switch (this->socket_xfrm->send_ack(this->socket_xfrm, hdr))
2214 {
2215 case SUCCESS:
2216 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x%s",
2217 ntohl(id->spi), markstr);
2218 return SUCCESS;
2219 case NOT_FOUND:
2220 return NOT_FOUND;
2221 default:
2222 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x%s",
2223 ntohl(id->spi), markstr);
2224 return FAILED;
2225 }
2226 }
2227
2228 METHOD(kernel_ipsec_t, update_sa, status_t,
2229 private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
2230 kernel_ipsec_update_sa_t *data)
2231 {
2232 netlink_buf_t request;
2233 struct nlmsghdr *hdr, *out_hdr = NULL, *out = NULL;
2234 struct xfrm_usersa_id *sa_id;
2235 struct xfrm_usersa_info *sa;
2236 size_t len;
2237 struct rtattr *rta;
2238 size_t rtasize;
2239 struct xfrm_encap_tmpl* encap = NULL;
2240 struct xfrm_replay_state *replay = NULL;
2241 struct xfrm_replay_state_esn *replay_esn = NULL;
2242 struct xfrm_lifetime_cur *lifetime = NULL;
2243 uint32_t replay_esn_len = 0;
2244 kernel_ipsec_del_sa_t del = { 0 };
2245 status_t status = FAILED;
2246 traffic_selector_t *ts;
2247 char markstr[32] = "";
2248
2249 /* if IPComp is used, we first update the IPComp SA */
2250 if (data->cpi)
2251 {
2252 kernel_ipsec_sa_id_t ipcomp_id = {
2253 .src = id->src,
2254 .dst = id->dst,
2255 .spi = htonl(ntohs(data->cpi)),
2256 .proto = IPPROTO_COMP,
2257 .mark = id->mark,
2258 .if_id = id->if_id,
2259 };
2260 kernel_ipsec_update_sa_t ipcomp = {
2261 .new_src = data->new_src,
2262 .new_dst = data->new_dst,
2263 };
2264 update_sa(this, &ipcomp_id, &ipcomp);
2265 }
2266
2267 memset(&request, 0, sizeof(request));
2268 format_mark(markstr, sizeof(markstr), id->mark);
2269
2270 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x%s for update",
2271 ntohl(id->spi), markstr);
2272
2273 /* query the existing SA first */
2274 hdr = &request.hdr;
2275 hdr->nlmsg_flags = NLM_F_REQUEST;
2276 hdr->nlmsg_type = XFRM_MSG_GETSA;
2277 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2278
2279 sa_id = NLMSG_DATA(hdr);
2280 host2xfrm(id->dst, &sa_id->daddr);
2281 sa_id->spi = id->spi;
2282 sa_id->proto = id->proto;
2283 sa_id->family = id->dst->get_family(id->dst);
2284
2285 if (!add_mark(hdr, sizeof(request), id->mark))
2286 {
2287 return FAILED;
2288 }
2289 if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
2290 {
2291 return FAILED;
2292 }
2293
2294 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2295 {
2296 hdr = out;
2297 while (NLMSG_OK(hdr, len))
2298 {
2299 switch (hdr->nlmsg_type)
2300 {
2301 case XFRM_MSG_NEWSA:
2302 {
2303 out_hdr = hdr;
2304 break;
2305 }
2306 case NLMSG_ERROR:
2307 {
2308 struct nlmsgerr *err = NLMSG_DATA(hdr);
2309 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2310 strerror(-err->error), -err->error);
2311 break;
2312 }
2313 default:
2314 hdr = NLMSG_NEXT(hdr, len);
2315 continue;
2316 case NLMSG_DONE:
2317 break;
2318 }
2319 break;
2320 }
2321 }
2322 if (!out_hdr)
2323 {
2324 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x%s",
2325 ntohl(id->spi), markstr);
2326 goto failed;
2327 }
2328
2329 get_replay_state(this, id, &replay_esn, &replay_esn_len, &replay,
2330 &lifetime);
2331
2332 /* delete the old SA (without affecting the IPComp SA) */
2333 if (del_sa(this, id, &del) != SUCCESS)
2334 {
2335 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x%s",
2336 ntohl(id->spi), markstr);
2337 goto failed;
2338 }
2339
2340 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x%s from %#H..%#H to "
2341 "%#H..%#H", ntohl(id->spi), markstr, id->src, id->dst, data->new_src,
2342 data->new_dst);
2343 /* copy over the SA from out to request */
2344 hdr = &request.hdr;
2345 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2346 hdr->nlmsg_type = XFRM_MSG_NEWSA;
2347 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2348 sa = NLMSG_DATA(hdr);
2349 memcpy(sa, NLMSG_DATA(out_hdr), sizeof(struct xfrm_usersa_info));
2350 sa->family = data->new_dst->get_family(data->new_dst);
2351
2352 if (!id->src->ip_equals(id->src, data->new_src))
2353 {
2354 host2xfrm(data->new_src, &sa->saddr);
2355
2356 ts = selector2ts(&sa->sel, TRUE);
2357 if (ts && ts->is_host(ts, id->src))
2358 {
2359 ts->set_address(ts, data->new_src);
2360 ts2subnet(ts, &sa->sel.saddr, &sa->sel.prefixlen_s);
2361 }
2362 DESTROY_IF(ts);
2363 }
2364 if (!id->dst->ip_equals(id->dst, data->new_dst))
2365 {
2366 host2xfrm(data->new_dst, &sa->id.daddr);
2367
2368 ts = selector2ts(&sa->sel, FALSE);
2369 if (ts && ts->is_host(ts, id->dst))
2370 {
2371 ts->set_address(ts, data->new_dst);
2372 ts2subnet(ts, &sa->sel.daddr, &sa->sel.prefixlen_d);
2373 }
2374 DESTROY_IF(ts);
2375 }
2376
2377 rta = XFRM_RTA(out_hdr, struct xfrm_usersa_info);
2378 rtasize = XFRM_PAYLOAD(out_hdr, struct xfrm_usersa_info);
2379 while (RTA_OK(rta, rtasize))
2380 {
2381 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
2382 if (rta->rta_type != XFRMA_ENCAP || data->new_encap)
2383 {
2384 if (rta->rta_type == XFRMA_ENCAP)
2385 { /* update encap tmpl */
2386 encap = RTA_DATA(rta);
2387 encap->encap_sport = ntohs(data->new_src->get_port(data->new_src));
2388 encap->encap_dport = ntohs(data->new_dst->get_port(data->new_dst));
2389 }
2390 if (rta->rta_type == XFRMA_OFFLOAD_DEV)
2391 { /* update offload device */
2392 struct xfrm_user_offload *offload;
2393 host_t *local;
2394 char *ifname;
2395
2396 offload = RTA_DATA(rta);
2397 local = offload->flags & XFRM_OFFLOAD_INBOUND ? data->new_dst
2398 : data->new_src;
2399
2400 if (charon->kernel->get_interface(charon->kernel, local,
2401 &ifname))
2402 {
2403 offload->ifindex = if_nametoindex(ifname);
2404 if (local->get_family(local) == AF_INET6)
2405 {
2406 offload->flags |= XFRM_OFFLOAD_IPV6;
2407 }
2408 else
2409 {
2410 offload->flags &= ~XFRM_OFFLOAD_IPV6;
2411 }
2412 free(ifname);
2413 }
2414 }
2415 netlink_add_attribute(hdr, rta->rta_type,
2416 chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)),
2417 sizeof(request));
2418 }
2419 rta = RTA_NEXT(rta, rtasize);
2420 }
2421
2422 if (encap == NULL && data->new_encap)
2423 { /* add tmpl if we are enabling it */
2424 encap = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP,
2425 sizeof(*encap));
2426 if (!encap)
2427 {
2428 goto failed;
2429 }
2430 encap->encap_type = UDP_ENCAP_ESPINUDP;
2431 encap->encap_sport = ntohs(data->new_src->get_port(data->new_src));
2432 encap->encap_dport = ntohs(data->new_dst->get_port(data->new_dst));
2433 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
2434 }
2435
2436 if (replay_esn)
2437 {
2438 struct xfrm_replay_state_esn *state;
2439
2440 state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
2441 replay_esn_len);
2442 if (!state)
2443 {
2444 goto failed;
2445 }
2446 memcpy(state, replay_esn, replay_esn_len);
2447 }
2448 else if (replay)
2449 {
2450 struct xfrm_replay_state *state;
2451
2452 state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_VAL,
2453 sizeof(*state));
2454 if (!state)
2455 {
2456 goto failed;
2457 }
2458 memcpy(state, replay, sizeof(*state));
2459 }
2460 else
2461 {
2462 DBG1(DBG_KNL, "unable to copy replay state from old SAD entry with "
2463 "SPI %.8x%s", ntohl(id->spi), markstr);
2464 }
2465 if (lifetime)
2466 {
2467 struct xfrm_lifetime_cur *state;
2468
2469 state = netlink_reserve(hdr, sizeof(request), XFRMA_LTIME_VAL,
2470 sizeof(*state));
2471 if (!state)
2472 {
2473 goto failed;
2474 }
2475 memcpy(state, lifetime, sizeof(*state));
2476 }
2477 else
2478 {
2479 DBG1(DBG_KNL, "unable to copy usage stats from old SAD entry with "
2480 "SPI %.8x%s", ntohl(id->spi), markstr);
2481 }
2482
2483 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2484 {
2485 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x%s",
2486 ntohl(id->spi), markstr);
2487 goto failed;
2488 }
2489
2490 status = SUCCESS;
2491 failed:
2492 free(replay);
2493 free(replay_esn);
2494 free(lifetime);
2495 memwipe(out, len);
2496 memwipe(&request, sizeof(request));
2497 free(out);
2498
2499 return status;
2500 }
2501
2502 METHOD(kernel_ipsec_t, flush_sas, status_t,
2503 private_kernel_netlink_ipsec_t *this)
2504 {
2505 netlink_buf_t request;
2506 struct nlmsghdr *hdr;
2507 struct xfrm_usersa_flush *flush;
2508 struct {
2509 uint8_t proto;
2510 char *name;
2511 } protos[] = {
2512 { IPPROTO_AH, "AH" },
2513 { IPPROTO_ESP, "ESP" },
2514 { IPPROTO_COMP, "IPComp" },
2515 };
2516 int i;
2517
2518 memset(&request, 0, sizeof(request));
2519
2520 hdr = &request.hdr;
2521 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2522 hdr->nlmsg_type = XFRM_MSG_FLUSHSA;
2523 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush));
2524
2525 flush = NLMSG_DATA(hdr);
2526
2527 for (i = 0; i < countof(protos); i++)
2528 {
2529 DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name);
2530
2531 flush->proto = protos[i].proto;
2532
2533 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2534 {
2535 DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name);
2536 return FAILED;
2537 }
2538 }
2539 return SUCCESS;
2540 }
2541
2542 /**
2543 * Unlock the mutex and signal waiting threads
2544 */
2545 static void policy_change_done(private_kernel_netlink_ipsec_t *this,
2546 policy_entry_t *policy)
2547 {
2548 policy->working = FALSE;
2549 if (policy->waiting)
2550 { /* don't need to wake threads waiting for other policies */
2551 this->condvar->broadcast(this->condvar);
2552 }
2553 this->mutex->unlock(this->mutex);
2554 }
2555
2556 /**
2557 * Install a route for the given policy if enabled and required
2558 */
2559 static void install_route(private_kernel_netlink_ipsec_t *this,
2560 policy_entry_t *policy, policy_sa_t *mapping, ipsec_sa_t *ipsec)
2561 {
2562 policy_sa_out_t *out = (policy_sa_out_t*)mapping;
2563 route_entry_t *route;
2564 host_t *iface;
2565
2566 INIT(route,
2567 .prefixlen = policy->sel.prefixlen_d,
2568 .pass = mapping->type == POLICY_PASS,
2569 );
2570
2571 if (charon->kernel->get_address_by_ts(charon->kernel, out->src_ts,
2572 &route->src_ip, NULL) != SUCCESS)
2573 {
2574 if (!route->pass)
2575 {
2576 free(route);
2577 return;
2578 }
2579 /* allow blank source IP for passthrough policies */
2580 route->src_ip = host_create_any(policy->sel.family);
2581 }
2582
2583 if (!ipsec->dst->is_anyaddr(ipsec->dst))
2584 {
2585 route->gateway = charon->kernel->get_nexthop(charon->kernel,
2586 ipsec->dst, -1, ipsec->src,
2587 &route->if_name);
2588 }
2589 else
2590 { /* for shunt policies */
2591 iface = xfrm2host(policy->sel.family, &policy->sel.daddr, 0);
2592 route->gateway = charon->kernel->get_nexthop(charon->kernel,
2593 iface, policy->sel.prefixlen_d,
2594 route->src_ip, &route->if_name);
2595 iface->destroy(iface);
2596 }
2597 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
2598 memcpy(route->dst_net.ptr, &policy->sel.daddr, route->dst_net.len);
2599
2600 /* get the interface to install the route for, if we haven't one yet.
2601 * If we have a local address, use it. Otherwise (for shunt policies)
2602 * use the route's source address. */
2603 if (!route->if_name)
2604 {
2605 iface = ipsec->src;
2606 if (iface->is_anyaddr(iface))
2607 {
2608 iface = route->src_ip;
2609 }
2610 if (!charon->kernel->get_interface(charon->kernel, iface,
2611 &route->if_name) &&
2612 !route->pass)
2613 { /* don't require an interface for passthrough policies */
2614 route_entry_destroy(route);
2615 return;
2616 }
2617 }
2618 if (policy->route)
2619 {
2620 route_entry_t *old = policy->route;
2621 if (route_entry_equals(old, route))
2622 {
2623 route_entry_destroy(route);
2624 return;
2625 }
2626 /* uninstall previously installed route */
2627 if (charon->kernel->del_route(charon->kernel, old->dst_net,
2628 old->prefixlen, old->gateway,
2629 old->src_ip, old->if_name,
2630 old->pass) != SUCCESS)
2631 {
2632 DBG1(DBG_KNL, "error uninstalling route installed with policy "
2633 "%R === %R %N", out->src_ts, out->dst_ts, policy_dir_names,
2634 policy->direction);
2635 }
2636 route_entry_destroy(old);
2637 policy->route = NULL;
2638 }
2639
2640 DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", out->dst_ts,
2641 route->gateway, route->src_ip, route->if_name);
2642 switch (charon->kernel->add_route(charon->kernel, route->dst_net,
2643 route->prefixlen, route->gateway,
2644 route->src_ip, route->if_name,
2645 route->pass))
2646 {
2647 default:
2648 DBG1(DBG_KNL, "unable to install source route for %H",
2649 route->src_ip);
2650 /* FALL */
2651 case ALREADY_DONE:
2652 /* route exists, do not uninstall */
2653 route_entry_destroy(route);
2654 break;
2655 case SUCCESS:
2656 /* cache the installed route */
2657 policy->route = route;
2658 break;
2659 }
2660 }
2661
2662 /**
2663 * Add or update a policy in the kernel.
2664 *
2665 * Note: The mutex has to be locked when entering this function
2666 * and is unlocked here in any case.
2667 */
2668 static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
2669 policy_entry_t *policy, policy_sa_t *mapping, bool update)
2670 {
2671 netlink_buf_t request;
2672 policy_entry_t clone;
2673 ipsec_sa_t *ipsec = mapping->sa;
2674 struct xfrm_userpolicy_info *policy_info;
2675 struct nlmsghdr *hdr;
2676 status_t status;
2677 int i;
2678
2679 /* clone the policy so we are able to check it out again later */
2680 memcpy(&clone, policy, sizeof(policy_entry_t));
2681
2682 memset(&request, 0, sizeof(request));
2683 hdr = &request.hdr;
2684 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2685 hdr->nlmsg_type = update ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
2686 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2687
2688 policy_info = NLMSG_DATA(hdr);
2689 policy_info->sel = policy->sel;
2690 policy_info->dir = policy->direction;
2691
2692 /* calculate priority based on selector size, small size = high prio */
2693 policy_info->priority = mapping->priority;
2694 policy_info->action = mapping->type != POLICY_DROP ? XFRM_POLICY_ALLOW
2695 : XFRM_POLICY_BLOCK;
2696 policy_info->share = XFRM_SHARE_ANY;
2697
2698 /* policies don't expire */
2699 policy_info->lft.soft_byte_limit = XFRM_INF;
2700 policy_info->lft.soft_packet_limit = XFRM_INF;
2701 policy_info->lft.hard_byte_limit = XFRM_INF;
2702 policy_info->lft.hard_packet_limit = XFRM_INF;
2703 policy_info->lft.soft_add_expires_seconds = 0;
2704 policy_info->lft.hard_add_expires_seconds = 0;
2705 policy_info->lft.soft_use_expires_seconds = 0;
2706 policy_info->lft.hard_use_expires_seconds = 0;
2707
2708 if (mapping->type == POLICY_IPSEC && ipsec->cfg.reqid)
2709 {
2710 struct xfrm_user_tmpl *tmpl;
2711 struct {
2712 uint8_t proto;
2713 uint32_t spi;
2714 bool use;
2715 } protos[] = {
2716 { IPPROTO_COMP, htonl(ntohs(ipsec->cfg.ipcomp.cpi)),
2717 ipsec->cfg.ipcomp.transform != IPCOMP_NONE },
2718 { IPPROTO_ESP, ipsec->cfg.esp.spi, ipsec->cfg.esp.use },
2719 { IPPROTO_AH, ipsec->cfg.ah.spi, ipsec->cfg.ah.use },
2720 };
2721 ipsec_mode_t proto_mode = ipsec->cfg.mode;
2722 int count = 0;
2723
2724 for (i = 0; i < countof(protos); i++)
2725 {
2726 if (protos[i].use)
2727 {
2728 count++;
2729 }
2730 }
2731 tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_TMPL,
2732 count * sizeof(*tmpl));
2733 if (!tmpl)
2734 {
2735 policy_change_done(this, policy);
2736 return FAILED;
2737 }
2738
2739 for (i = 0; i < countof(protos); i++)
2740 {
2741 if (!protos[i].use)
2742 {
2743 continue;
2744 }
2745 tmpl->reqid = ipsec->cfg.reqid;
2746 tmpl->id.proto = protos[i].proto;
2747 if (policy->direction == POLICY_OUT)
2748 {
2749 tmpl->id.spi = protos[i].spi;
2750 }
2751 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2752 tmpl->mode = mode2kernel(proto_mode);
2753 tmpl->optional = protos[i].proto == IPPROTO_COMP &&
2754 policy->direction != POLICY_OUT;
2755 tmpl->family = ipsec->src->get_family(ipsec->src);
2756
2757 if (proto_mode == MODE_TUNNEL || proto_mode == MODE_BEET)
2758 { /* only for tunnel mode */
2759 host2xfrm(ipsec->src, &tmpl->saddr);
2760 host2xfrm(ipsec->dst, &tmpl->id.daddr);
2761 }
2762
2763 tmpl++;
2764
2765 /* use transport mode for other SAs */
2766 proto_mode = MODE_TRANSPORT;
2767 }
2768 }
2769
2770 if (!add_mark(hdr, sizeof(request), ipsec->mark))
2771 {
2772 policy_change_done(this, policy);
2773 return FAILED;
2774 }
2775 if (ipsec->if_id &&
2776 !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, ipsec->if_id))
2777 {
2778 policy_change_done(this, policy);
2779 return FAILED;
2780 }
2781 this->mutex->unlock(this->mutex);
2782
2783 status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
2784 if (status == ALREADY_DONE && !update)
2785 {
2786 DBG1(DBG_KNL, "policy already exists, try to update it");
2787 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
2788 status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
2789 }
2790
2791 this->mutex->lock(this->mutex);
2792 if (status != SUCCESS)
2793 {
2794 policy_change_done(this, policy);
2795 return FAILED;
2796 }
2797 /* install a route, if:
2798 * - this is an outbound policy (to just get one for each child)
2799 * - routing is not disabled via strongswan.conf
2800 * - the selector is not for a specific protocol/port
2801 * - no XFRM interface ID is configured
2802 * - we are in tunnel/BEET mode or install a bypass policy
2803 */
2804 if (policy->direction == POLICY_OUT && this->install_routes &&
2805 !policy->sel.proto && !policy->sel.dport && !policy->sel.sport &&
2806 !policy->if_id)
2807 {
2808 if (mapping->type == POLICY_PASS ||
2809 (mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT))
2810 {
2811 install_route(this, policy, mapping, ipsec);
2812 }
2813 }
2814 policy_change_done(this, policy);
2815 return SUCCESS;
2816 }
2817
2818 METHOD(kernel_ipsec_t, add_policy, status_t,
2819 private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id,
2820 kernel_ipsec_manage_policy_t *data)
2821 {
2822 policy_entry_t *policy, *current;
2823 policy_sa_t *assigned_sa, *current_sa;
2824 enumerator_t *enumerator;
2825 bool found = FALSE, update = TRUE;
2826 char markstr[32] = "";
2827 uint32_t cur_priority = 0;
2828 int use_count;
2829
2830 /* create a policy */
2831 INIT(policy,
2832 .sel = ts2selector(id->src_ts, id->dst_ts, id->interface),
2833 .mark = id->mark.value & id->mark.mask,
2834 .if_id = id->if_id,
2835 .direction = id->dir,
2836 .reqid = data->sa->reqid,
2837 );
2838 format_mark(markstr, sizeof(markstr), id->mark);
2839
2840 /* find the policy, which matches EXACTLY */
2841 this->mutex->lock(this->mutex);
2842 current = this->policies->get(this->policies, policy);
2843 if (current)
2844 {
2845 if (current->reqid && data->sa->reqid &&
2846 current->reqid != data->sa->reqid)
2847 {
2848 DBG1(DBG_CFG, "unable to install policy %R === %R %N%s for reqid "
2849 "%u, the same policy for reqid %u exists",
2850 id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr,
2851 data->sa->reqid, current->reqid);
2852 policy_entry_destroy(this, policy);
2853 this->mutex->unlock(this->mutex);
2854 return INVALID_STATE;
2855 }
2856 /* use existing policy */
2857 DBG2(DBG_KNL, "policy %R === %R %N%s already exists, increasing "
2858 "refcount", id->src_ts, id->dst_ts, policy_dir_names, id->dir,