kernel-netlink: Associate routes with IN policies instead of FWD policies
[strongswan.git] / src / libcharon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2016 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2008-2016 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * HSR Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include <sys/types.h>
22 #include <sys/socket.h>
23 #include <stdint.h>
24 #include <linux/ipsec.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <unistd.h>
30 #include <time.h>
31 #include <errno.h>
32 #include <string.h>
33 #include <fcntl.h>
34
35 #include "kernel_netlink_ipsec.h"
36 #include "kernel_netlink_shared.h"
37
38 #include <daemon.h>
39 #include <utils/debug.h>
40 #include <threading/mutex.h>
41 #include <collections/array.h>
42 #include <collections/hashtable.h>
43 #include <collections/linked_list.h>
44
45 /** Required for Linux 2.6.26 kernel and later */
46 #ifndef XFRM_STATE_AF_UNSPEC
47 #define XFRM_STATE_AF_UNSPEC 32
48 #endif
49
50 /** From linux/in.h */
51 #ifndef IP_XFRM_POLICY
52 #define IP_XFRM_POLICY 17
53 #endif
54
55 /** Missing on uclibc */
56 #ifndef IPV6_XFRM_POLICY
57 #define IPV6_XFRM_POLICY 34
58 #endif /*IPV6_XFRM_POLICY*/
59
60 /* from linux/udp.h */
61 #ifndef UDP_ENCAP
62 #define UDP_ENCAP 100
63 #endif
64
65 #ifndef UDP_ENCAP_ESPINUDP
66 #define UDP_ENCAP_ESPINUDP 2
67 #endif
68
69 /* this is not defined on some platforms */
70 #ifndef SOL_UDP
71 #define SOL_UDP IPPROTO_UDP
72 #endif
73
74 /** Base priority for installed policies */
75 #define PRIO_BASE 384
76
77 /** Default lifetime of an acquire XFRM state (in seconds) */
78 #define DEFAULT_ACQUIRE_LIFETIME 165
79
80 /**
81 * Map the limit for bytes and packets to XFRM_INF by default
82 */
83 #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
84
85 /**
86 * Create ORable bitfield of XFRM NL groups
87 */
88 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
89
90 /**
91 * Returns a pointer to the first rtattr following the nlmsghdr *nlh and the
92 * 'usual' netlink data x like 'struct xfrm_usersa_info'
93 */
94 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + \
95 NLMSG_ALIGN(sizeof(x))))
96 /**
97 * Returns the total size of attached rta data
98 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
99 */
100 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
101
102 typedef struct kernel_algorithm_t kernel_algorithm_t;
103
104 /**
105 * Mapping of IKEv2 kernel identifier to linux crypto API names
106 */
107 struct kernel_algorithm_t {
108 /**
109 * Identifier specified in IKEv2
110 */
111 int ikev2;
112
113 /**
114 * Name of the algorithm in linux crypto API
115 */
116 char *name;
117 };
118
119 ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
120 "XFRM_MSG_NEWSA",
121 "XFRM_MSG_DELSA",
122 "XFRM_MSG_GETSA",
123 "XFRM_MSG_NEWPOLICY",
124 "XFRM_MSG_DELPOLICY",
125 "XFRM_MSG_GETPOLICY",
126 "XFRM_MSG_ALLOCSPI",
127 "XFRM_MSG_ACQUIRE",
128 "XFRM_MSG_EXPIRE",
129 "XFRM_MSG_UPDPOLICY",
130 "XFRM_MSG_UPDSA",
131 "XFRM_MSG_POLEXPIRE",
132 "XFRM_MSG_FLUSHSA",
133 "XFRM_MSG_FLUSHPOLICY",
134 "XFRM_MSG_NEWAE",
135 "XFRM_MSG_GETAE",
136 "XFRM_MSG_REPORT",
137 "XFRM_MSG_MIGRATE",
138 "XFRM_MSG_NEWSADINFO",
139 "XFRM_MSG_GETSADINFO",
140 "XFRM_MSG_NEWSPDINFO",
141 "XFRM_MSG_GETSPDINFO",
142 "XFRM_MSG_MAPPING"
143 );
144
145 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_REPLAY_ESN_VAL,
146 "XFRMA_UNSPEC",
147 "XFRMA_ALG_AUTH",
148 "XFRMA_ALG_CRYPT",
149 "XFRMA_ALG_COMP",
150 "XFRMA_ENCAP",
151 "XFRMA_TMPL",
152 "XFRMA_SA",
153 "XFRMA_POLICY",
154 "XFRMA_SEC_CTX",
155 "XFRMA_LTIME_VAL",
156 "XFRMA_REPLAY_VAL",
157 "XFRMA_REPLAY_THRESH",
158 "XFRMA_ETIMER_THRESH",
159 "XFRMA_SRCADDR",
160 "XFRMA_COADDR",
161 "XFRMA_LASTUSED",
162 "XFRMA_POLICY_TYPE",
163 "XFRMA_MIGRATE",
164 "XFRMA_ALG_AEAD",
165 "XFRMA_KMADDRESS",
166 "XFRMA_ALG_AUTH_TRUNC",
167 "XFRMA_MARK",
168 "XFRMA_TFCPAD",
169 "XFRMA_REPLAY_ESN_VAL",
170 );
171
172 /**
173 * Algorithms for encryption
174 */
175 static kernel_algorithm_t encryption_algs[] = {
176 /* {ENCR_DES_IV64, "***" }, */
177 {ENCR_DES, "des" },
178 {ENCR_3DES, "des3_ede" },
179 /* {ENCR_RC5, "***" }, */
180 /* {ENCR_IDEA, "***" }, */
181 {ENCR_CAST, "cast5" },
182 {ENCR_BLOWFISH, "blowfish" },
183 /* {ENCR_3IDEA, "***" }, */
184 /* {ENCR_DES_IV32, "***" }, */
185 {ENCR_NULL, "cipher_null" },
186 {ENCR_AES_CBC, "aes" },
187 {ENCR_AES_CTR, "rfc3686(ctr(aes))" },
188 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
189 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
190 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
191 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
192 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
193 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
194 {ENCR_NULL_AUTH_AES_GMAC, "rfc4543(gcm(aes))" },
195 {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
196 /* {ENCR_CAMELLIA_CTR, "***" }, */
197 /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
198 /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
199 /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
200 {ENCR_SERPENT_CBC, "serpent" },
201 {ENCR_TWOFISH_CBC, "twofish" },
202 {ENCR_CHACHA20_POLY1305, "rfc7539esp(chacha20,poly1305)"},
203 };
204
205 /**
206 * Algorithms for integrity protection
207 */
208 static kernel_algorithm_t integrity_algs[] = {
209 {AUTH_HMAC_MD5_96, "md5" },
210 {AUTH_HMAC_MD5_128, "hmac(md5)" },
211 {AUTH_HMAC_SHA1_96, "sha1" },
212 {AUTH_HMAC_SHA1_160, "hmac(sha1)" },
213 {AUTH_HMAC_SHA2_256_96, "sha256" },
214 {AUTH_HMAC_SHA2_256_128, "hmac(sha256)" },
215 {AUTH_HMAC_SHA2_384_192, "hmac(sha384)" },
216 {AUTH_HMAC_SHA2_512_256, "hmac(sha512)" },
217 /* {AUTH_DES_MAC, "***" }, */
218 /* {AUTH_KPDK_MD5, "***" }, */
219 {AUTH_AES_XCBC_96, "xcbc(aes)" },
220 };
221
222 /**
223 * Algorithms for IPComp
224 */
225 static kernel_algorithm_t compression_algs[] = {
226 /* {IPCOMP_OUI, "***" }, */
227 {IPCOMP_DEFLATE, "deflate" },
228 {IPCOMP_LZS, "lzs" },
229 {IPCOMP_LZJH, "lzjh" },
230 };
231
232 /**
233 * Look up a kernel algorithm name and its key size
234 */
235 static char* lookup_algorithm(transform_type_t type, int ikev2)
236 {
237 kernel_algorithm_t *list;
238 int i, count;
239 char *name;
240
241 switch (type)
242 {
243 case ENCRYPTION_ALGORITHM:
244 list = encryption_algs;
245 count = countof(encryption_algs);
246 break;
247 case INTEGRITY_ALGORITHM:
248 list = integrity_algs;
249 count = countof(integrity_algs);
250 break;
251 case COMPRESSION_ALGORITHM:
252 list = compression_algs;
253 count = countof(compression_algs);
254 break;
255 default:
256 return NULL;
257 }
258 for (i = 0; i < count; i++)
259 {
260 if (list[i].ikev2 == ikev2)
261 {
262 return list[i].name;
263 }
264 }
265 if (charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, NULL,
266 &name))
267 {
268 return name;
269 }
270 return NULL;
271 }
272
273 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
274
275 /**
276 * Private variables and functions of kernel_netlink class.
277 */
278 struct private_kernel_netlink_ipsec_t {
279 /**
280 * Public part of the kernel_netlink_t object
281 */
282 kernel_netlink_ipsec_t public;
283
284 /**
285 * Mutex to lock access to installed policies
286 */
287 mutex_t *mutex;
288
289 /**
290 * Hash table of installed policies (policy_entry_t)
291 */
292 hashtable_t *policies;
293
294 /**
295 * Hash table of IPsec SAs using policies (ipsec_sa_t)
296 */
297 hashtable_t *sas;
298
299 /**
300 * Netlink xfrm socket (IPsec)
301 */
302 netlink_socket_t *socket_xfrm;
303
304 /**
305 * Netlink xfrm socket to receive acquire and expire events
306 */
307 int socket_xfrm_events;
308
309 /**
310 * Whether to install routes along policies
311 */
312 bool install_routes;
313
314 /**
315 * Whether to set protocol and ports on selector installed with transport
316 * mode IPsec SAs
317 */
318 bool proto_port_transport;
319
320 /**
321 * Whether to always use UPDATE to install policies
322 */
323 bool policy_update;
324
325 /**
326 * Installed port based IKE bypass policies, as bypass_t
327 */
328 array_t *bypass;
329 };
330
331 typedef struct route_entry_t route_entry_t;
332
333 /**
334 * Installed routing entry
335 */
336 struct route_entry_t {
337 /** Name of the interface the route is bound to */
338 char *if_name;
339
340 /** Source ip of the route */
341 host_t *src_ip;
342
343 /** Gateway for this route */
344 host_t *gateway;
345
346 /** Destination net */
347 chunk_t dst_net;
348
349 /** Destination net prefixlen */
350 uint8_t prefixlen;
351 };
352
353 /**
354 * Destroy a route_entry_t object
355 */
356 static void route_entry_destroy(route_entry_t *this)
357 {
358 free(this->if_name);
359 this->src_ip->destroy(this->src_ip);
360 DESTROY_IF(this->gateway);
361 chunk_free(&this->dst_net);
362 free(this);
363 }
364
365 /**
366 * Compare two route_entry_t objects
367 */
368 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
369 {
370 return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
371 a->src_ip->ip_equals(a->src_ip, b->src_ip) &&
372 a->gateway->ip_equals(a->gateway, b->gateway) &&
373 chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
374 }
375
376 typedef struct ipsec_sa_t ipsec_sa_t;
377
378 /**
379 * IPsec SA assigned to a policy.
380 */
381 struct ipsec_sa_t {
382 /** Source address of this SA */
383 host_t *src;
384
385 /** Destination address of this SA */
386 host_t *dst;
387
388 /** Optional mark */
389 mark_t mark;
390
391 /** Description of this SA */
392 ipsec_sa_cfg_t cfg;
393
394 /** Reference count for this SA */
395 refcount_t refcount;
396 };
397
398 /**
399 * Hash function for ipsec_sa_t objects
400 */
401 static u_int ipsec_sa_hash(ipsec_sa_t *sa)
402 {
403 return chunk_hash_inc(sa->src->get_address(sa->src),
404 chunk_hash_inc(sa->dst->get_address(sa->dst),
405 chunk_hash_inc(chunk_from_thing(sa->mark),
406 chunk_hash(chunk_from_thing(sa->cfg)))));
407 }
408
409 /**
410 * Equality function for ipsec_sa_t objects
411 */
412 static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
413 {
414 return sa->src->ip_equals(sa->src, other_sa->src) &&
415 sa->dst->ip_equals(sa->dst, other_sa->dst) &&
416 memeq(&sa->mark, &other_sa->mark, sizeof(mark_t)) &&
417 memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t));
418 }
419
420 /**
421 * Allocate or reference an IPsec SA object
422 */
423 static ipsec_sa_t *ipsec_sa_create(private_kernel_netlink_ipsec_t *this,
424 host_t *src, host_t *dst, mark_t mark,
425 ipsec_sa_cfg_t *cfg)
426 {
427 ipsec_sa_t *sa, *found;
428 INIT(sa,
429 .src = src,
430 .dst = dst,
431 .mark = mark,
432 .cfg = *cfg,
433 );
434 found = this->sas->get(this->sas, sa);
435 if (!found)
436 {
437 sa->src = src->clone(src);
438 sa->dst = dst->clone(dst);
439 this->sas->put(this->sas, sa, sa);
440 }
441 else
442 {
443 free(sa);
444 sa = found;
445 }
446 ref_get(&sa->refcount);
447 return sa;
448 }
449
450 /**
451 * Release and destroy an IPsec SA object
452 */
453 static void ipsec_sa_destroy(private_kernel_netlink_ipsec_t *this,
454 ipsec_sa_t *sa)
455 {
456 if (ref_put(&sa->refcount))
457 {
458 this->sas->remove(this->sas, sa);
459 DESTROY_IF(sa->src);
460 DESTROY_IF(sa->dst);
461 free(sa);
462 }
463 }
464
465 typedef struct policy_sa_t policy_sa_t;
466 typedef struct policy_sa_in_t policy_sa_in_t;
467
468 /**
469 * Mapping between a policy and an IPsec SA.
470 */
471 struct policy_sa_t {
472 /** Priority assigned to the policy when installed with this SA */
473 uint32_t priority;
474
475 /** Type of the policy */
476 policy_type_t type;
477
478 /** Assigned SA */
479 ipsec_sa_t *sa;
480 };
481
482 /**
483 * For inbound policies we also cache the traffic selectors in order to install
484 * the route.
485 */
486 struct policy_sa_in_t {
487 /** Generic interface */
488 policy_sa_t generic;
489
490 /** Source traffic selector of this policy */
491 traffic_selector_t *src_ts;
492
493 /** Destination traffic selector of this policy */
494 traffic_selector_t *dst_ts;
495 };
496
497 /**
498 * Create a policy_sa(_in)_t object
499 */
500 static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
501 policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
502 traffic_selector_t *src_ts, traffic_selector_t *dst_ts, mark_t mark,
503 ipsec_sa_cfg_t *cfg)
504 {
505 policy_sa_t *policy;
506
507 if (dir == POLICY_IN)
508 {
509 policy_sa_in_t *in;
510 INIT(in,
511 .src_ts = src_ts->clone(src_ts),
512 .dst_ts = dst_ts->clone(dst_ts),
513 );
514 policy = &in->generic;
515 }
516 else
517 {
518 INIT(policy, .priority = 0);
519 }
520 policy->type = type;
521 policy->sa = ipsec_sa_create(this, src, dst, mark, cfg);
522 return policy;
523 }
524
525 /**
526 * Destroy a policy_sa(_in)_t object
527 */
528 static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir,
529 private_kernel_netlink_ipsec_t *this)
530 {
531 if (*dir == POLICY_IN)
532 {
533 policy_sa_in_t *in = (policy_sa_in_t*)policy;
534 in->src_ts->destroy(in->src_ts);
535 in->dst_ts->destroy(in->dst_ts);
536 }
537 ipsec_sa_destroy(this, policy->sa);
538 free(policy);
539 }
540
541 typedef struct policy_entry_t policy_entry_t;
542
543 /**
544 * Installed kernel policy.
545 */
546 struct policy_entry_t {
547
548 /** Direction of this policy: in, out, forward */
549 uint8_t direction;
550
551 /** Parameters of installed policy */
552 struct xfrm_selector sel;
553
554 /** Optional mark */
555 uint32_t mark;
556
557 /** Associated route installed for this policy */
558 route_entry_t *route;
559
560 /** List of SAs this policy is used by, ordered by priority */
561 linked_list_t *used_by;
562
563 /** reqid for this policy */
564 uint32_t reqid;
565 };
566
567 /**
568 * Destroy a policy_entry_t object
569 */
570 static void policy_entry_destroy(private_kernel_netlink_ipsec_t *this,
571 policy_entry_t *policy)
572 {
573 if (policy->route)
574 {
575 route_entry_destroy(policy->route);
576 }
577 if (policy->used_by)
578 {
579 policy->used_by->invoke_function(policy->used_by,
580 (linked_list_invoke_t)policy_sa_destroy,
581 &policy->direction, this);
582 policy->used_by->destroy(policy->used_by);
583 }
584 free(policy);
585 }
586
587 /**
588 * Hash function for policy_entry_t objects
589 */
590 static u_int policy_hash(policy_entry_t *key)
591 {
592 chunk_t chunk = chunk_from_thing(key->sel);
593 return chunk_hash_inc(chunk, chunk_hash(chunk_from_thing(key->mark)));
594 }
595
596 /**
597 * Equality function for policy_entry_t objects
598 */
599 static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
600 {
601 return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
602 key->mark == other_key->mark &&
603 key->direction == other_key->direction;
604 }
605
606 /**
607 * Calculate the priority of a policy
608 */
609 static inline uint32_t get_priority(policy_entry_t *policy,
610 policy_priority_t prio)
611 {
612 uint32_t priority = PRIO_BASE;
613 switch (prio)
614 {
615 case POLICY_PRIORITY_FALLBACK:
616 priority <<= 1;
617 /* fall-through */
618 case POLICY_PRIORITY_ROUTED:
619 priority <<= 1;
620 /* fall-through */
621 case POLICY_PRIORITY_DEFAULT:
622 priority <<= 1;
623 /* fall-through */
624 case POLICY_PRIORITY_PASS:
625 break;
626 }
627 /* calculate priority based on selector size, small size = high prio */
628 priority -= policy->sel.prefixlen_s;
629 priority -= policy->sel.prefixlen_d;
630 priority <<= 2; /* make some room for the two flags */
631 priority += policy->sel.sport_mask || policy->sel.dport_mask ? 0 : 2;
632 priority += policy->sel.proto ? 0 : 1;
633 return priority;
634 }
635
636 /**
637 * Convert the general ipsec mode to the one defined in xfrm.h
638 */
639 static uint8_t mode2kernel(ipsec_mode_t mode)
640 {
641 switch (mode)
642 {
643 case MODE_TRANSPORT:
644 return XFRM_MODE_TRANSPORT;
645 case MODE_TUNNEL:
646 return XFRM_MODE_TUNNEL;
647 case MODE_BEET:
648 return XFRM_MODE_BEET;
649 default:
650 return mode;
651 }
652 }
653
654 /**
655 * Convert a host_t to a struct xfrm_address
656 */
657 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
658 {
659 chunk_t chunk = host->get_address(host);
660 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
661 }
662
663 /**
664 * Convert a struct xfrm_address to a host_t
665 */
666 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, uint16_t port)
667 {
668 chunk_t chunk;
669
670 switch (family)
671 {
672 case AF_INET:
673 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
674 break;
675 case AF_INET6:
676 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
677 break;
678 default:
679 return NULL;
680 }
681 return host_create_from_chunk(family, chunk, ntohs(port));
682 }
683
684 /**
685 * Convert a traffic selector address range to subnet and its mask.
686 */
687 static void ts2subnet(traffic_selector_t* ts,
688 xfrm_address_t *net, uint8_t *mask)
689 {
690 host_t *net_host;
691 chunk_t net_chunk;
692
693 ts->to_subnet(ts, &net_host, mask);
694 net_chunk = net_host->get_address(net_host);
695 memcpy(net, net_chunk.ptr, net_chunk.len);
696 net_host->destroy(net_host);
697 }
698
699 /**
700 * Convert a traffic selector port range to port/portmask
701 */
702 static void ts2ports(traffic_selector_t* ts,
703 uint16_t *port, uint16_t *mask)
704 {
705 uint16_t from, to, bitmask;
706 int bit;
707
708 from = ts->get_from_port(ts);
709 to = ts->get_to_port(ts);
710
711 /* Quick check for a single port */
712 if (from == to)
713 {
714 *port = htons(from);
715 *mask = ~0;
716 }
717 else
718 {
719 /* Compute the port mask for port ranges */
720 *mask = 0;
721
722 for (bit = 15; bit >= 0; bit--)
723 {
724 bitmask = 1 << bit;
725
726 if ((bitmask & from) != (bitmask & to))
727 {
728 *port = htons(from & *mask);
729 *mask = htons(*mask);
730 return;
731 }
732 *mask |= bitmask;
733 }
734 }
735 return;
736 }
737
738 /**
739 * Convert a pair of traffic_selectors to an xfrm_selector
740 */
741 static struct xfrm_selector ts2selector(traffic_selector_t *src,
742 traffic_selector_t *dst)
743 {
744 struct xfrm_selector sel;
745 uint16_t port;
746
747 memset(&sel, 0, sizeof(sel));
748 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
749 /* src or dest proto may be "any" (0), use more restrictive one */
750 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
751 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
752 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
753 ts2ports(dst, &sel.dport, &sel.dport_mask);
754 ts2ports(src, &sel.sport, &sel.sport_mask);
755 if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
756 (sel.dport || sel.sport))
757 {
758 /* the kernel expects the ICMP type and code in the source and
759 * destination port fields, respectively. */
760 port = ntohs(max(sel.dport, sel.sport));
761 sel.sport = htons(traffic_selector_icmp_type(port));
762 sel.sport_mask = sel.sport ? ~0 : 0;
763 sel.dport = htons(traffic_selector_icmp_code(port));
764 sel.dport_mask = sel.dport ? ~0 : 0;
765 }
766 sel.ifindex = 0;
767 sel.user = 0;
768
769 return sel;
770 }
771
772 /**
773 * Convert an xfrm_selector to a src|dst traffic_selector
774 */
775 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
776 {
777 u_char *addr;
778 uint8_t prefixlen;
779 uint16_t port = 0;
780 host_t *host = NULL;
781
782 if (src)
783 {
784 addr = (u_char*)&sel->saddr;
785 prefixlen = sel->prefixlen_s;
786 if (sel->sport_mask)
787 {
788 port = ntohs(sel->sport);
789 }
790 }
791 else
792 {
793 addr = (u_char*)&sel->daddr;
794 prefixlen = sel->prefixlen_d;
795 if (sel->dport_mask)
796 {
797 port = ntohs(sel->dport);
798 }
799 }
800 if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
801 { /* convert ICMP[v6] message type and code as supplied by the kernel in
802 * source and destination ports (both in network order) */
803 port = (sel->sport >> 8) | (sel->dport & 0xff00);
804 port = ntohs(port);
805 }
806 /* The Linux 2.6 kernel does not set the selector's family field,
807 * so as a kludge we additionally test the prefix length.
808 */
809 if (sel->family == AF_INET || sel->prefixlen_s == 32)
810 {
811 host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
812 }
813 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
814 {
815 host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
816 }
817
818 if (host)
819 {
820 return traffic_selector_create_from_subnet(host, prefixlen,
821 sel->proto, port, port ?: 65535);
822 }
823 return NULL;
824 }
825
826 /**
827 * Process a XFRM_MSG_ACQUIRE from kernel
828 */
829 static void process_acquire(private_kernel_netlink_ipsec_t *this,
830 struct nlmsghdr *hdr)
831 {
832 struct xfrm_user_acquire *acquire;
833 struct rtattr *rta;
834 size_t rtasize;
835 traffic_selector_t *src_ts, *dst_ts;
836 uint32_t reqid = 0;
837 int proto = 0;
838
839 acquire = NLMSG_DATA(hdr);
840 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
841 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
842
843 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
844
845 while (RTA_OK(rta, rtasize))
846 {
847 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
848
849 if (rta->rta_type == XFRMA_TMPL)
850 {
851 struct xfrm_user_tmpl* tmpl;
852 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
853 reqid = tmpl->reqid;
854 proto = tmpl->id.proto;
855 }
856 rta = RTA_NEXT(rta, rtasize);
857 }
858 switch (proto)
859 {
860 case 0:
861 case IPPROTO_ESP:
862 case IPPROTO_AH:
863 break;
864 default:
865 /* acquire for AH/ESP only, not for IPCOMP */
866 return;
867 }
868 src_ts = selector2ts(&acquire->sel, TRUE);
869 dst_ts = selector2ts(&acquire->sel, FALSE);
870
871 charon->kernel->acquire(charon->kernel, reqid, src_ts, dst_ts);
872 }
873
874 /**
875 * Process a XFRM_MSG_EXPIRE from kernel
876 */
877 static void process_expire(private_kernel_netlink_ipsec_t *this,
878 struct nlmsghdr *hdr)
879 {
880 struct xfrm_user_expire *expire;
881 uint32_t spi;
882 uint8_t protocol;
883 host_t *dst;
884
885 expire = NLMSG_DATA(hdr);
886 protocol = expire->state.id.proto;
887 spi = expire->state.id.spi;
888
889 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
890
891 if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH)
892 {
893 dst = xfrm2host(expire->state.family, &expire->state.id.daddr, 0);
894 if (dst)
895 {
896 charon->kernel->expire(charon->kernel, protocol, spi, dst,
897 expire->hard != 0);
898 dst->destroy(dst);
899 }
900 }
901 }
902
903 /**
904 * Process a XFRM_MSG_MIGRATE from kernel
905 */
906 static void process_migrate(private_kernel_netlink_ipsec_t *this,
907 struct nlmsghdr *hdr)
908 {
909 struct xfrm_userpolicy_id *policy_id;
910 struct rtattr *rta;
911 size_t rtasize;
912 traffic_selector_t *src_ts, *dst_ts;
913 host_t *local = NULL, *remote = NULL;
914 host_t *old_src = NULL, *old_dst = NULL;
915 host_t *new_src = NULL, *new_dst = NULL;
916 uint32_t reqid = 0;
917 policy_dir_t dir;
918
919 policy_id = NLMSG_DATA(hdr);
920 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
921 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
922
923 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
924
925 src_ts = selector2ts(&policy_id->sel, TRUE);
926 dst_ts = selector2ts(&policy_id->sel, FALSE);
927 dir = (policy_dir_t)policy_id->dir;
928
929 DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
930
931 while (RTA_OK(rta, rtasize))
932 {
933 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
934 if (rta->rta_type == XFRMA_KMADDRESS)
935 {
936 struct xfrm_user_kmaddress *kmaddress;
937
938 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
939 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
940 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
941 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
942 }
943 else if (rta->rta_type == XFRMA_MIGRATE)
944 {
945 struct xfrm_user_migrate *migrate;
946
947 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
948 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
949 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
950 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
951 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
952 reqid = migrate->reqid;
953 DBG2(DBG_KNL, " migrate %H...%H to %H...%H, reqid {%u}",
954 old_src, old_dst, new_src, new_dst, reqid);
955 DESTROY_IF(old_src);
956 DESTROY_IF(old_dst);
957 DESTROY_IF(new_src);
958 DESTROY_IF(new_dst);
959 }
960 rta = RTA_NEXT(rta, rtasize);
961 }
962
963 if (src_ts && dst_ts && local && remote)
964 {
965 charon->kernel->migrate(charon->kernel, reqid, src_ts, dst_ts, dir,
966 local, remote);
967 }
968 else
969 {
970 DESTROY_IF(src_ts);
971 DESTROY_IF(dst_ts);
972 DESTROY_IF(local);
973 DESTROY_IF(remote);
974 }
975 }
976
977 /**
978 * Process a XFRM_MSG_MAPPING from kernel
979 */
980 static void process_mapping(private_kernel_netlink_ipsec_t *this,
981 struct nlmsghdr *hdr)
982 {
983 struct xfrm_user_mapping *mapping;
984 uint32_t spi;
985
986 mapping = NLMSG_DATA(hdr);
987 spi = mapping->id.spi;
988
989 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
990
991 if (mapping->id.proto == IPPROTO_ESP)
992 {
993 host_t *dst, *new;
994
995 dst = xfrm2host(mapping->id.family, &mapping->id.daddr, 0);
996 if (dst)
997 {
998 new = xfrm2host(mapping->id.family, &mapping->new_saddr,
999 mapping->new_sport);
1000 if (new)
1001 {
1002 charon->kernel->mapping(charon->kernel, IPPROTO_ESP, spi, dst,
1003 new);
1004 new->destroy(new);
1005 }
1006 dst->destroy(dst);
1007 }
1008 }
1009 }
1010
1011 /**
1012 * Receives events from kernel
1013 */
1014 static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd,
1015 watcher_event_t event)
1016 {
1017 char response[1024];
1018 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
1019 struct sockaddr_nl addr;
1020 socklen_t addr_len = sizeof(addr);
1021 int len;
1022
1023 len = recvfrom(this->socket_xfrm_events, response, sizeof(response),
1024 MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len);
1025 if (len < 0)
1026 {
1027 switch (errno)
1028 {
1029 case EINTR:
1030 /* interrupted, try again */
1031 return TRUE;
1032 case EAGAIN:
1033 /* no data ready, select again */
1034 return TRUE;
1035 default:
1036 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
1037 sleep(1);
1038 return TRUE;
1039 }
1040 }
1041
1042 if (addr.nl_pid != 0)
1043 { /* not from kernel. not interested, try another one */
1044 return TRUE;
1045 }
1046
1047 while (NLMSG_OK(hdr, len))
1048 {
1049 switch (hdr->nlmsg_type)
1050 {
1051 case XFRM_MSG_ACQUIRE:
1052 process_acquire(this, hdr);
1053 break;
1054 case XFRM_MSG_EXPIRE:
1055 process_expire(this, hdr);
1056 break;
1057 case XFRM_MSG_MIGRATE:
1058 process_migrate(this, hdr);
1059 break;
1060 case XFRM_MSG_MAPPING:
1061 process_mapping(this, hdr);
1062 break;
1063 default:
1064 DBG1(DBG_KNL, "received unknown event from xfrm event "
1065 "socket: %d", hdr->nlmsg_type);
1066 break;
1067 }
1068 hdr = NLMSG_NEXT(hdr, len);
1069 }
1070 return TRUE;
1071 }
1072
1073 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
1074 private_kernel_netlink_ipsec_t *this)
1075 {
1076 return KERNEL_ESP_V3_TFC;
1077 }
1078
1079 /**
1080 * Get an SPI for a specific protocol from the kernel.
1081 */
1082 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
1083 host_t *src, host_t *dst, uint8_t proto, uint32_t min, uint32_t max,
1084 uint32_t *spi)
1085 {
1086 netlink_buf_t request;
1087 struct nlmsghdr *hdr, *out;
1088 struct xfrm_userspi_info *userspi;
1089 uint32_t received_spi = 0;
1090 size_t len;
1091
1092 memset(&request, 0, sizeof(request));
1093
1094 hdr = &request.hdr;
1095 hdr->nlmsg_flags = NLM_F_REQUEST;
1096 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1097 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1098
1099 userspi = NLMSG_DATA(hdr);
1100 host2xfrm(src, &userspi->info.saddr);
1101 host2xfrm(dst, &userspi->info.id.daddr);
1102 userspi->info.id.proto = proto;
1103 userspi->info.mode = XFRM_MODE_TUNNEL;
1104 userspi->info.family = src->get_family(src);
1105 userspi->min = min;
1106 userspi->max = max;
1107
1108 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1109 {
1110 hdr = out;
1111 while (NLMSG_OK(hdr, len))
1112 {
1113 switch (hdr->nlmsg_type)
1114 {
1115 case XFRM_MSG_NEWSA:
1116 {
1117 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1118 received_spi = usersa->id.spi;
1119 break;
1120 }
1121 case NLMSG_ERROR:
1122 {
1123 struct nlmsgerr *err = NLMSG_DATA(hdr);
1124 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1125 strerror(-err->error), -err->error);
1126 break;
1127 }
1128 default:
1129 hdr = NLMSG_NEXT(hdr, len);
1130 continue;
1131 case NLMSG_DONE:
1132 break;
1133 }
1134 break;
1135 }
1136 free(out);
1137 }
1138
1139 if (received_spi == 0)
1140 {
1141 return FAILED;
1142 }
1143
1144 *spi = received_spi;
1145 return SUCCESS;
1146 }
1147
1148 METHOD(kernel_ipsec_t, get_spi, status_t,
1149 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1150 uint8_t protocol, uint32_t *spi)
1151 {
1152 if (get_spi_internal(this, src, dst, protocol,
1153 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
1154 {
1155 DBG1(DBG_KNL, "unable to get SPI");
1156 return FAILED;
1157 }
1158
1159 DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi));
1160 return SUCCESS;
1161 }
1162
1163 METHOD(kernel_ipsec_t, get_cpi, status_t,
1164 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1165 uint16_t *cpi)
1166 {
1167 uint32_t received_spi = 0;
1168
1169 if (get_spi_internal(this, src, dst, IPPROTO_COMP,
1170 0x100, 0xEFFF, &received_spi) != SUCCESS)
1171 {
1172 DBG1(DBG_KNL, "unable to get CPI");
1173 return FAILED;
1174 }
1175
1176 *cpi = htons((uint16_t)ntohl(received_spi));
1177
1178 DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi));
1179 return SUCCESS;
1180 }
1181
1182 /**
1183 * Add a XFRM mark to message if required
1184 */
1185 static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark)
1186 {
1187 if (mark.value)
1188 {
1189 struct xfrm_mark *xmrk;
1190
1191 xmrk = netlink_reserve(hdr, buflen, XFRMA_MARK, sizeof(*xmrk));
1192 if (!xmrk)
1193 {
1194 return FALSE;
1195 }
1196 xmrk->v = mark.value;
1197 xmrk->m = mark.mask;
1198 }
1199 return TRUE;
1200 }
1201
1202 METHOD(kernel_ipsec_t, add_sa, status_t,
1203 private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
1204 kernel_ipsec_add_sa_t *data)
1205 {
1206 netlink_buf_t request;
1207 char *alg_name;
1208 struct nlmsghdr *hdr;
1209 struct xfrm_usersa_info *sa;
1210 uint16_t icv_size = 64, ipcomp = data->ipcomp;
1211 ipsec_mode_t mode = data->mode, original_mode = data->mode;
1212 traffic_selector_t *first_src_ts, *first_dst_ts;
1213 status_t status = FAILED;
1214
1215 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
1216 * we are in the recursive call below */
1217 if (ipcomp != IPCOMP_NONE && data->cpi != 0)
1218 {
1219 lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
1220 kernel_ipsec_sa_id_t ipcomp_id = {
1221 .src = id->src,
1222 .dst = id->dst,
1223 .spi = htonl(ntohs(data->cpi)),
1224 .proto = IPPROTO_COMP,
1225 .mark = id->mark,
1226 };
1227 kernel_ipsec_add_sa_t ipcomp_sa = {
1228 .reqid = data->reqid,
1229 .mode = data->mode,
1230 .src_ts = data->src_ts,
1231 .dst_ts = data->dst_ts,
1232 .lifetime = &lft,
1233 .enc_alg = ENCR_UNDEFINED,
1234 .int_alg = AUTH_UNDEFINED,
1235 .tfc = data->tfc,
1236 .ipcomp = data->ipcomp,
1237 .initiator = data->initiator,
1238 .inbound = data->inbound,
1239 .update = data->update,
1240 };
1241 add_sa(this, &ipcomp_id, &ipcomp_sa);
1242 ipcomp = IPCOMP_NONE;
1243 /* use transport mode ESP SA, IPComp uses tunnel mode */
1244 mode = MODE_TRANSPORT;
1245 }
1246
1247 memset(&request, 0, sizeof(request));
1248
1249 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u} (mark "
1250 "%u/0x%08x)", ntohl(id->spi), data->reqid, id->mark.value,
1251 id->mark.mask);
1252
1253 hdr = &request.hdr;
1254 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1255 hdr->nlmsg_type = data->update ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1256 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1257
1258 sa = NLMSG_DATA(hdr);
1259 host2xfrm(id->src, &sa->saddr);
1260 host2xfrm(id->dst, &sa->id.daddr);
1261 sa->id.spi = id->spi;
1262 sa->id.proto = id->proto;
1263 sa->family = id->src->get_family(id->src);
1264 sa->mode = mode2kernel(mode);
1265 switch (mode)
1266 {
1267 case MODE_TUNNEL:
1268 sa->flags |= XFRM_STATE_AF_UNSPEC;
1269 break;
1270 case MODE_BEET:
1271 case MODE_TRANSPORT:
1272 if (original_mode == MODE_TUNNEL)
1273 { /* don't install selectors for switched SAs. because only one
1274 * selector can be installed other traffic would get dropped */
1275 break;
1276 }
1277 if (data->src_ts->get_first(data->src_ts,
1278 (void**)&first_src_ts) == SUCCESS &&
1279 data->dst_ts->get_first(data->dst_ts,
1280 (void**)&first_dst_ts) == SUCCESS)
1281 {
1282 sa->sel = ts2selector(first_src_ts, first_dst_ts);
1283 if (!this->proto_port_transport)
1284 {
1285 /* don't install proto/port on SA. This would break
1286 * potential secondary SAs for the same address using a
1287 * different prot/port. */
1288 sa->sel.proto = 0;
1289 sa->sel.dport = sa->sel.dport_mask = 0;
1290 sa->sel.sport = sa->sel.sport_mask = 0;
1291 }
1292 }
1293 break;
1294 default:
1295 break;
1296 }
1297
1298 sa->reqid = data->reqid;
1299 sa->lft.soft_byte_limit = XFRM_LIMIT(data->lifetime->bytes.rekey);
1300 sa->lft.hard_byte_limit = XFRM_LIMIT(data->lifetime->bytes.life);
1301 sa->lft.soft_packet_limit = XFRM_LIMIT(data->lifetime->packets.rekey);
1302 sa->lft.hard_packet_limit = XFRM_LIMIT(data->lifetime->packets.life);
1303 /* we use lifetimes since added, not since used */
1304 sa->lft.soft_add_expires_seconds = data->lifetime->time.rekey;
1305 sa->lft.hard_add_expires_seconds = data->lifetime->time.life;
1306 sa->lft.soft_use_expires_seconds = 0;
1307 sa->lft.hard_use_expires_seconds = 0;
1308
1309 switch (data->enc_alg)
1310 {
1311 case ENCR_UNDEFINED:
1312 /* no encryption */
1313 break;
1314 case ENCR_AES_CCM_ICV16:
1315 case ENCR_AES_GCM_ICV16:
1316 case ENCR_NULL_AUTH_AES_GMAC:
1317 case ENCR_CAMELLIA_CCM_ICV16:
1318 case ENCR_CHACHA20_POLY1305:
1319 icv_size += 32;
1320 /* FALL */
1321 case ENCR_AES_CCM_ICV12:
1322 case ENCR_AES_GCM_ICV12:
1323 case ENCR_CAMELLIA_CCM_ICV12:
1324 icv_size += 32;
1325 /* FALL */
1326 case ENCR_AES_CCM_ICV8:
1327 case ENCR_AES_GCM_ICV8:
1328 case ENCR_CAMELLIA_CCM_ICV8:
1329 {
1330 struct xfrm_algo_aead *algo;
1331
1332 alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg);
1333 if (alg_name == NULL)
1334 {
1335 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1336 encryption_algorithm_names, data->enc_alg);
1337 goto failed;
1338 }
1339 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1340 encryption_algorithm_names, data->enc_alg,
1341 data->enc_key.len * 8);
1342
1343 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AEAD,
1344 sizeof(*algo) + data->enc_key.len);
1345 if (!algo)
1346 {
1347 goto failed;
1348 }
1349 algo->alg_key_len = data->enc_key.len * 8;
1350 algo->alg_icv_len = icv_size;
1351 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1352 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1353 memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len);
1354 break;
1355 }
1356 default:
1357 {
1358 struct xfrm_algo *algo;
1359
1360 alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg);
1361 if (alg_name == NULL)
1362 {
1363 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1364 encryption_algorithm_names, data->enc_alg);
1365 goto failed;
1366 }
1367 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1368 encryption_algorithm_names, data->enc_alg,
1369 data->enc_key.len * 8);
1370
1371 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_CRYPT,
1372 sizeof(*algo) + data->enc_key.len);
1373 if (!algo)
1374 {
1375 goto failed;
1376 }
1377 algo->alg_key_len = data->enc_key.len * 8;
1378 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1379 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1380 memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len);
1381 }
1382 }
1383
1384 if (data->int_alg != AUTH_UNDEFINED)
1385 {
1386 u_int trunc_len = 0;
1387
1388 alg_name = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg);
1389 if (alg_name == NULL)
1390 {
1391 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1392 integrity_algorithm_names, data->int_alg);
1393 goto failed;
1394 }
1395 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1396 integrity_algorithm_names, data->int_alg, data->int_key.len * 8);
1397
1398 switch (data->int_alg)
1399 {
1400 case AUTH_HMAC_MD5_128:
1401 case AUTH_HMAC_SHA2_256_128:
1402 trunc_len = 128;
1403 break;
1404 case AUTH_HMAC_SHA1_160:
1405 trunc_len = 160;
1406 break;
1407 default:
1408 break;
1409 }
1410
1411 if (trunc_len)
1412 {
1413 struct xfrm_algo_auth* algo;
1414
1415 /* the kernel uses SHA256 with 96 bit truncation by default,
1416 * use specified truncation size supported by newer kernels.
1417 * also use this for untruncated MD5 and SHA1. */
1418 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH_TRUNC,
1419 sizeof(*algo) + data->int_key.len);
1420 if (!algo)
1421 {
1422 goto failed;
1423 }
1424 algo->alg_key_len = data->int_key.len * 8;
1425 algo->alg_trunc_len = trunc_len;
1426 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1427 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1428 memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len);
1429 }
1430 else
1431 {
1432 struct xfrm_algo* algo;
1433
1434 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH,
1435 sizeof(*algo) + data->int_key.len);
1436 if (!algo)
1437 {
1438 goto failed;
1439 }
1440 algo->alg_key_len = data->int_key.len * 8;
1441 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1442 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1443 memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len);
1444 }
1445 }
1446
1447 if (ipcomp != IPCOMP_NONE)
1448 {
1449 struct xfrm_algo* algo;
1450
1451 alg_name = lookup_algorithm(COMPRESSION_ALGORITHM, ipcomp);
1452 if (alg_name == NULL)
1453 {
1454 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1455 ipcomp_transform_names, ipcomp);
1456 goto failed;
1457 }
1458 DBG2(DBG_KNL, " using compression algorithm %N",
1459 ipcomp_transform_names, ipcomp);
1460
1461 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_COMP,
1462 sizeof(*algo));
1463 if (!algo)
1464 {
1465 goto failed;
1466 }
1467 algo->alg_key_len = 0;
1468 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1469 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1470 }
1471
1472 if (data->encap)
1473 {
1474 struct xfrm_encap_tmpl *tmpl;
1475
1476 tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP, sizeof(*tmpl));
1477 if (!tmpl)
1478 {
1479 goto failed;
1480 }
1481 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1482 tmpl->encap_sport = htons(id->src->get_port(id->src));
1483 tmpl->encap_dport = htons(id->dst->get_port(id->dst));
1484 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1485 /* encap_oa could probably be derived from the
1486 * traffic selectors [rfc4306, p39]. In the netlink kernel
1487 * implementation pluto does the same as we do here but it uses
1488 * encap_oa in the pfkey implementation.
1489 * BUT as /usr/src/linux/net/key/af_key.c indicates the kernel ignores
1490 * it anyway
1491 * -> does that mean that NAT-T encap doesn't work in transport mode?
1492 * No. The reason the kernel ignores NAT-OA is that it recomputes
1493 * (or, rather, just ignores) the checksum. If packets pass the IPsec
1494 * checks it marks them "checksum ok" so OA isn't needed. */
1495 }
1496
1497 if (!add_mark(hdr, sizeof(request), id->mark))
1498 {
1499 goto failed;
1500 }
1501
1502 if (data->tfc && id->proto == IPPROTO_ESP && mode == MODE_TUNNEL)
1503 { /* the kernel supports TFC padding only for tunnel mode ESP SAs */
1504 uint32_t *tfcpad;
1505
1506 tfcpad = netlink_reserve(hdr, sizeof(request), XFRMA_TFCPAD,
1507 sizeof(*tfcpad));
1508 if (!tfcpad)
1509 {
1510 goto failed;
1511 }
1512 *tfcpad = data->tfc;
1513 }
1514
1515 if (id->proto != IPPROTO_COMP)
1516 {
1517 if (data->replay_window != 0 && (data->esn || data->replay_window > 32))
1518 {
1519 /* for ESN or larger replay windows we need the new
1520 * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
1521 struct xfrm_replay_state_esn *replay;
1522 uint32_t bmp_size;
1523
1524 bmp_size = round_up(data->replay_window, sizeof(uint32_t) * 8) / 8;
1525 replay = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
1526 sizeof(*replay) + bmp_size);
1527 if (!replay)
1528 {
1529 goto failed;
1530 }
1531 /* bmp_len contains number uf __u32's */
1532 replay->bmp_len = bmp_size / sizeof(uint32_t);
1533 replay->replay_window = data->replay_window;
1534 DBG2(DBG_KNL, " using replay window of %u packets",
1535 data->replay_window);
1536
1537 if (data->esn)
1538 {
1539 DBG2(DBG_KNL, " using extended sequence numbers (ESN)");
1540 sa->flags |= XFRM_STATE_ESN;
1541 }
1542 }
1543 else
1544 {
1545 DBG2(DBG_KNL, " using replay window of %u packets",
1546 data->replay_window);
1547 sa->replay_window = data->replay_window;
1548 }
1549 }
1550
1551 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1552 {
1553 if (id->mark.value)
1554 {
1555 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x (mark "
1556 "%u/0x%08x)", ntohl(id->spi), id->mark.value,
1557 id->mark.mask);
1558 }
1559 else
1560 {
1561 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x",
1562 ntohl(id->spi));
1563 }
1564 goto failed;
1565 }
1566
1567 status = SUCCESS;
1568
1569 failed:
1570 memwipe(&request, sizeof(request));
1571 return status;
1572 }
1573
1574 /**
1575 * Get the ESN replay state (i.e. sequence numbers) of an SA.
1576 *
1577 * Allocates into one the replay state structure we get from the kernel.
1578 */
1579 static void get_replay_state(private_kernel_netlink_ipsec_t *this,
1580 kernel_ipsec_sa_id_t *sa,
1581 struct xfrm_replay_state_esn **replay_esn,
1582 uint32_t *replay_esn_len,
1583 struct xfrm_replay_state **replay,
1584 struct xfrm_lifetime_cur **lifetime)
1585 {
1586 netlink_buf_t request;
1587 struct nlmsghdr *hdr, *out = NULL;
1588 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1589 size_t len;
1590 struct rtattr *rta;
1591 size_t rtasize;
1592
1593 memset(&request, 0, sizeof(request));
1594
1595 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x",
1596 ntohl(sa->spi));
1597
1598 hdr = &request.hdr;
1599 hdr->nlmsg_flags = NLM_F_REQUEST;
1600 hdr->nlmsg_type = XFRM_MSG_GETAE;
1601 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1602
1603 aevent_id = NLMSG_DATA(hdr);
1604 aevent_id->flags = XFRM_AE_RVAL;
1605
1606 host2xfrm(sa->dst, &aevent_id->sa_id.daddr);
1607 aevent_id->sa_id.spi = sa->spi;
1608 aevent_id->sa_id.proto = sa->proto;
1609 aevent_id->sa_id.family = sa->dst->get_family(sa->dst);
1610
1611 if (!add_mark(hdr, sizeof(request), sa->mark))
1612 {
1613 return;
1614 }
1615
1616 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1617 {
1618 hdr = out;
1619 while (NLMSG_OK(hdr, len))
1620 {
1621 switch (hdr->nlmsg_type)
1622 {
1623 case XFRM_MSG_NEWAE:
1624 {
1625 out_aevent = NLMSG_DATA(hdr);
1626 break;
1627 }
1628 case NLMSG_ERROR:
1629 {
1630 struct nlmsgerr *err = NLMSG_DATA(hdr);
1631 DBG1(DBG_KNL, "querying replay state from SAD entry "
1632 "failed: %s (%d)", strerror(-err->error),
1633 -err->error);
1634 break;
1635 }
1636 default:
1637 hdr = NLMSG_NEXT(hdr, len);
1638 continue;
1639 case NLMSG_DONE:
1640 break;
1641 }
1642 break;
1643 }
1644 }
1645
1646 if (out_aevent)
1647 {
1648 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1649 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1650 while (RTA_OK(rta, rtasize))
1651 {
1652 if (rta->rta_type == XFRMA_LTIME_VAL &&
1653 RTA_PAYLOAD(rta) == sizeof(**lifetime))
1654 {
1655 free(*lifetime);
1656 *lifetime = malloc(RTA_PAYLOAD(rta));
1657 memcpy(*lifetime, RTA_DATA(rta), RTA_PAYLOAD(rta));
1658 }
1659 if (rta->rta_type == XFRMA_REPLAY_VAL &&
1660 RTA_PAYLOAD(rta) == sizeof(**replay))
1661 {
1662 free(*replay);
1663 *replay = malloc(RTA_PAYLOAD(rta));
1664 memcpy(*replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
1665 }
1666 if (rta->rta_type == XFRMA_REPLAY_ESN_VAL &&
1667 RTA_PAYLOAD(rta) >= sizeof(**replay_esn))
1668 {
1669 free(*replay_esn);
1670 *replay_esn = malloc(RTA_PAYLOAD(rta));
1671 *replay_esn_len = RTA_PAYLOAD(rta);
1672 memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta));
1673 }
1674 rta = RTA_NEXT(rta, rtasize);
1675 }
1676 }
1677 free(out);
1678 }
1679
1680 METHOD(kernel_ipsec_t, query_sa, status_t,
1681 private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
1682 kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets,
1683 time_t *time)
1684 {
1685 netlink_buf_t request;
1686 struct nlmsghdr *out = NULL, *hdr;
1687 struct xfrm_usersa_id *sa_id;
1688 struct xfrm_usersa_info *sa = NULL;
1689 status_t status = FAILED;
1690 size_t len;
1691
1692 memset(&request, 0, sizeof(request));
1693
1694 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x (mark %u/0x%08x)",
1695 ntohl(id->spi), id->mark.value, id->mark.mask);
1696
1697 hdr = &request.hdr;
1698 hdr->nlmsg_flags = NLM_F_REQUEST;
1699 hdr->nlmsg_type = XFRM_MSG_GETSA;
1700 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1701
1702 sa_id = NLMSG_DATA(hdr);
1703 host2xfrm(id->dst, &sa_id->daddr);
1704 sa_id->spi = id->spi;
1705 sa_id->proto = id->proto;
1706 sa_id->family = id->dst->get_family(id->dst);
1707
1708 if (!add_mark(hdr, sizeof(request), id->mark))
1709 {
1710 return FAILED;
1711 }
1712
1713 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1714 {
1715 hdr = out;
1716 while (NLMSG_OK(hdr, len))
1717 {
1718 switch (hdr->nlmsg_type)
1719 {
1720 case XFRM_MSG_NEWSA:
1721 {
1722 sa = NLMSG_DATA(hdr);
1723 break;
1724 }
1725 case NLMSG_ERROR:
1726 {
1727 struct nlmsgerr *err = NLMSG_DATA(hdr);
1728
1729 if (id->mark.value)
1730 {
1731 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x (mark "
1732 "%u/0x%08x) failed: %s (%d)", ntohl(id->spi),
1733 id->mark.value, id->mark.mask,
1734 strerror(-err->error), -err->error);
1735 }
1736 else
1737 {
1738 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x "
1739 "failed: %s (%d)", ntohl(id->spi),
1740 strerror(-err->error), -err->error);
1741 }
1742 break;
1743 }
1744 default:
1745 hdr = NLMSG_NEXT(hdr, len);
1746 continue;
1747 case NLMSG_DONE:
1748 break;
1749 }
1750 break;
1751 }
1752 }
1753
1754 if (sa == NULL)
1755 {
1756 DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1757 ntohl(id->spi));
1758 }
1759 else
1760 {
1761 if (bytes)
1762 {
1763 *bytes = sa->curlft.bytes;
1764 }
1765 if (packets)
1766 {
1767 *packets = sa->curlft.packets;
1768 }
1769 if (time)
1770 { /* curlft contains an "use" time, but that contains a timestamp
1771 * of the first use, not the last. Last use time must be queried
1772 * on the policy on Linux */
1773 *time = 0;
1774 }
1775 status = SUCCESS;
1776 }
1777 memwipe(out, len);
1778 free(out);
1779 return status;
1780 }
1781
1782 METHOD(kernel_ipsec_t, del_sa, status_t,
1783 private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
1784 kernel_ipsec_del_sa_t *data)
1785 {
1786 netlink_buf_t request;
1787 struct nlmsghdr *hdr;
1788 struct xfrm_usersa_id *sa_id;
1789
1790 /* if IPComp was used, we first delete the additional IPComp SA */
1791 if (data->cpi)
1792 {
1793 kernel_ipsec_sa_id_t ipcomp_id = {
1794 .src = id->src,
1795 .dst = id->dst,
1796 .spi = htonl(ntohs(data->cpi)),
1797 .proto = IPPROTO_COMP,
1798 .mark = id->mark,
1799 };
1800 kernel_ipsec_del_sa_t ipcomp = {};
1801 del_sa(this, &ipcomp_id, &ipcomp);
1802 }
1803
1804 memset(&request, 0, sizeof(request));
1805
1806 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x (mark %u/0x%08x)",
1807 ntohl(id->spi), id->mark.value, id->mark.mask);
1808
1809 hdr = &request.hdr;
1810 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1811 hdr->nlmsg_type = XFRM_MSG_DELSA;
1812 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1813
1814 sa_id = NLMSG_DATA(hdr);
1815 host2xfrm(id->dst, &sa_id->daddr);
1816 sa_id->spi = id->spi;
1817 sa_id->proto = id->proto;
1818 sa_id->family = id->dst->get_family(id->dst);
1819
1820 if (!add_mark(hdr, sizeof(request), id->mark))
1821 {
1822 return FAILED;
1823 }
1824
1825 switch (this->socket_xfrm->send_ack(this->socket_xfrm, hdr))
1826 {
1827 case SUCCESS:
1828 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x (mark %u/0x%08x)",
1829 ntohl(id->spi), id->mark.value, id->mark.mask);
1830 return SUCCESS;
1831 case NOT_FOUND:
1832 return NOT_FOUND;
1833 default:
1834 if (id->mark.value)
1835 {
1836 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x (mark "
1837 "%u/0x%08x)", ntohl(id->spi), id->mark.value,
1838 id->mark.mask);
1839 }
1840 else
1841 {
1842 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x",
1843 ntohl(id->spi));
1844 }
1845 return FAILED;
1846 }
1847 }
1848
1849 METHOD(kernel_ipsec_t, update_sa, status_t,
1850 private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
1851 kernel_ipsec_update_sa_t *data)
1852 {
1853 netlink_buf_t request;
1854 struct nlmsghdr *hdr, *out = NULL;
1855 struct xfrm_usersa_id *sa_id;
1856 struct xfrm_usersa_info *out_sa = NULL, *sa;
1857 size_t len;
1858 struct rtattr *rta;
1859 size_t rtasize;
1860 struct xfrm_encap_tmpl* tmpl = NULL;
1861 struct xfrm_replay_state *replay = NULL;
1862 struct xfrm_replay_state_esn *replay_esn = NULL;
1863 struct xfrm_lifetime_cur *lifetime = NULL;
1864 uint32_t replay_esn_len = 0;
1865 kernel_ipsec_del_sa_t del = { 0 };
1866 status_t status = FAILED;
1867
1868 /* if IPComp is used, we first update the IPComp SA */
1869 if (data->cpi)
1870 {
1871 kernel_ipsec_sa_id_t ipcomp_id = {
1872 .src = id->src,
1873 .dst = id->dst,
1874 .spi = htonl(ntohs(data->cpi)),
1875 .proto = IPPROTO_COMP,
1876 .mark = id->mark,
1877 };
1878 kernel_ipsec_update_sa_t ipcomp = {
1879 .new_src = data->new_src,
1880 .new_dst = data->new_dst,
1881 };
1882 update_sa(this, &ipcomp_id, &ipcomp);
1883 }
1884
1885 memset(&request, 0, sizeof(request));
1886
1887 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update",
1888 ntohl(id->spi));
1889
1890 /* query the existing SA first */
1891 hdr = &request.hdr;
1892 hdr->nlmsg_flags = NLM_F_REQUEST;
1893 hdr->nlmsg_type = XFRM_MSG_GETSA;
1894 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1895
1896 sa_id = NLMSG_DATA(hdr);
1897 host2xfrm(id->dst, &sa_id->daddr);
1898 sa_id->spi = id->spi;
1899 sa_id->proto = id->proto;
1900 sa_id->family = id->dst->get_family(id->dst);
1901
1902 if (!add_mark(hdr, sizeof(request), id->mark))
1903 {
1904 return FAILED;
1905 }
1906
1907 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1908 {
1909 hdr = out;
1910 while (NLMSG_OK(hdr, len))
1911 {
1912 switch (hdr->nlmsg_type)
1913 {
1914 case XFRM_MSG_NEWSA:
1915 {
1916 out_sa = NLMSG_DATA(hdr);
1917 break;
1918 }
1919 case NLMSG_ERROR:
1920 {
1921 struct nlmsgerr *err = NLMSG_DATA(hdr);
1922 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1923 strerror(-err->error), -err->error);
1924 break;
1925 }
1926 default:
1927 hdr = NLMSG_NEXT(hdr, len);
1928 continue;
1929 case NLMSG_DONE:
1930 break;
1931 }
1932 break;
1933 }
1934 }
1935 if (out_sa == NULL)
1936 {
1937 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x",
1938 ntohl(id->spi));
1939 goto failed;
1940 }
1941
1942 get_replay_state(this, id, &replay_esn, &replay_esn_len, &replay,
1943 &lifetime);
1944
1945 /* delete the old SA (without affecting the IPComp SA) */
1946 if (del_sa(this, id, &del) != SUCCESS)
1947 {
1948 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x",
1949 ntohl(id->spi));
1950 goto failed;
1951 }
1952
1953 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1954 ntohl(id->spi), id->src, id->dst, data->new_src,
1955 data->new_dst);
1956 /* copy over the SA from out to request */
1957 hdr = &request.hdr;
1958 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1959 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1960 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1961 sa = NLMSG_DATA(hdr);
1962 memcpy(sa, NLMSG_DATA(out), sizeof(struct xfrm_usersa_info));
1963 sa->family = data->new_dst->get_family(data->new_dst);
1964
1965 if (!id->src->ip_equals(id->src, data->new_src))
1966 {
1967 host2xfrm(data->new_src, &sa->saddr);
1968 }
1969 if (!id->dst->ip_equals(id->dst, data->new_dst))
1970 {
1971 host2xfrm(data->new_dst, &sa->id.daddr);
1972 }
1973
1974 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1975 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1976 while (RTA_OK(rta, rtasize))
1977 {
1978 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1979 if (rta->rta_type != XFRMA_ENCAP || data->new_encap)
1980 {
1981 if (rta->rta_type == XFRMA_ENCAP)
1982 { /* update encap tmpl */
1983 tmpl = RTA_DATA(rta);
1984 tmpl->encap_sport = ntohs(data->new_src->get_port(data->new_src));
1985 tmpl->encap_dport = ntohs(data->new_dst->get_port(data->new_dst));
1986 }
1987 netlink_add_attribute(hdr, rta->rta_type,
1988 chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)),
1989 sizeof(request));
1990 }
1991 rta = RTA_NEXT(rta, rtasize);
1992 }
1993
1994 if (tmpl == NULL && data->new_encap)
1995 { /* add tmpl if we are enabling it */
1996 tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP, sizeof(*tmpl));
1997 if (!tmpl)
1998 {
1999 goto failed;
2000 }
2001 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
2002 tmpl->encap_sport = ntohs(data->new_src->get_port(data->new_src));
2003 tmpl->encap_dport = ntohs(data->new_dst->get_port(data->new_dst));
2004 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
2005 }
2006
2007 if (replay_esn)
2008 {
2009 struct xfrm_replay_state_esn *state;
2010
2011 state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
2012 replay_esn_len);
2013 if (!state)
2014 {
2015 goto failed;
2016 }
2017 memcpy(state, replay_esn, replay_esn_len);
2018 }
2019 else if (replay)
2020 {
2021 struct xfrm_replay_state *state;
2022
2023 state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_VAL,
2024 sizeof(*state));
2025 if (!state)
2026 {
2027 goto failed;
2028 }
2029 memcpy(state, replay, sizeof(*state));
2030 }
2031 else
2032 {
2033 DBG1(DBG_KNL, "unable to copy replay state from old SAD entry with "
2034 "SPI %.8x", ntohl(id->spi));
2035 }
2036 if (lifetime)
2037 {
2038 struct xfrm_lifetime_cur *state;
2039
2040 state = netlink_reserve(hdr, sizeof(request), XFRMA_LTIME_VAL,
2041 sizeof(*state));
2042 if (!state)
2043 {
2044 goto failed;
2045 }
2046 memcpy(state, lifetime, sizeof(*state));
2047 }
2048 else
2049 {
2050 DBG1(DBG_KNL, "unable to copy usage stats from old SAD entry with "
2051 "SPI %.8x", ntohl(id->spi));
2052 }
2053
2054 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2055 {
2056 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x",
2057 ntohl(id->spi));
2058 goto failed;
2059 }
2060
2061 status = SUCCESS;
2062 failed:
2063 free(replay);
2064 free(replay_esn);
2065 free(lifetime);
2066 memwipe(out, len);
2067 memwipe(&request, sizeof(request));
2068 free(out);
2069
2070 return status;
2071 }
2072
2073 METHOD(kernel_ipsec_t, flush_sas, status_t,
2074 private_kernel_netlink_ipsec_t *this)
2075 {
2076 netlink_buf_t request;
2077 struct nlmsghdr *hdr;
2078 struct xfrm_usersa_flush *flush;
2079 struct {
2080 uint8_t proto;
2081 char *name;
2082 } protos[] = {
2083 { IPPROTO_AH, "AH" },
2084 { IPPROTO_ESP, "ESP" },
2085 { IPPROTO_COMP, "IPComp" },
2086 };
2087 int i;
2088
2089 memset(&request, 0, sizeof(request));
2090
2091 hdr = &request.hdr;
2092 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2093 hdr->nlmsg_type = XFRM_MSG_FLUSHSA;
2094 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush));
2095
2096 flush = NLMSG_DATA(hdr);
2097
2098 for (i = 0; i < countof(protos); i++)
2099 {
2100 DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name);
2101
2102 flush->proto = protos[i].proto;
2103
2104 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2105 {
2106 DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name);
2107 return FAILED;
2108 }
2109 }
2110 return SUCCESS;
2111 }
2112
2113 /**
2114 * Add or update a policy in the kernel.
2115 *
2116 * Note: The mutex has to be locked when entering this function
2117 * and is unlocked here in any case.
2118 */
2119 static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
2120 policy_entry_t *policy, policy_sa_t *mapping, bool update)
2121 {
2122 netlink_buf_t request;
2123 policy_entry_t clone;
2124 ipsec_sa_t *ipsec = mapping->sa;
2125 struct xfrm_userpolicy_info *policy_info;
2126 struct nlmsghdr *hdr;
2127 status_t status;
2128 int i;
2129
2130 /* clone the policy so we are able to check it out again later */
2131 memcpy(&clone, policy, sizeof(policy_entry_t));
2132
2133 memset(&request, 0, sizeof(request));
2134 hdr = &request.hdr;
2135 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2136 hdr->nlmsg_type = update ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
2137 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2138
2139 policy_info = NLMSG_DATA(hdr);
2140 policy_info->sel = policy->sel;
2141 policy_info->dir = policy->direction;
2142
2143 /* calculate priority based on selector size, small size = high prio */
2144 policy_info->priority = mapping->priority;
2145 policy_info->action = mapping->type != POLICY_DROP ? XFRM_POLICY_ALLOW
2146 : XFRM_POLICY_BLOCK;
2147 policy_info->share = XFRM_SHARE_ANY;
2148
2149 /* policies don't expire */
2150 policy_info->lft.soft_byte_limit = XFRM_INF;
2151 policy_info->lft.soft_packet_limit = XFRM_INF;
2152 policy_info->lft.hard_byte_limit = XFRM_INF;
2153 policy_info->lft.hard_packet_limit = XFRM_INF;
2154 policy_info->lft.soft_add_expires_seconds = 0;
2155 policy_info->lft.hard_add_expires_seconds = 0;
2156 policy_info->lft.soft_use_expires_seconds = 0;
2157 policy_info->lft.hard_use_expires_seconds = 0;
2158
2159 if (mapping->type == POLICY_IPSEC)
2160 {
2161 struct xfrm_user_tmpl *tmpl;
2162 struct {
2163 uint8_t proto;
2164 bool use;
2165 } protos[] = {
2166 { IPPROTO_COMP, ipsec->cfg.ipcomp.transform != IPCOMP_NONE },
2167 { IPPROTO_ESP, ipsec->cfg.esp.use },
2168 { IPPROTO_AH, ipsec->cfg.ah.use },
2169 };
2170 ipsec_mode_t proto_mode = ipsec->cfg.mode;
2171 int count = 0;
2172
2173 for (i = 0; i < countof(protos); i++)
2174 {
2175 if (protos[i].use)
2176 {
2177 count++;
2178 }
2179 }
2180 tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_TMPL,
2181 count * sizeof(*tmpl));
2182 if (!tmpl)
2183 {
2184 this->mutex->unlock(this->mutex);
2185 return FAILED;
2186 }
2187
2188 for (i = 0; i < countof(protos); i++)
2189 {
2190 if (!protos[i].use)
2191 {
2192 continue;
2193 }
2194 tmpl->reqid = ipsec->cfg.reqid;
2195 tmpl->id.proto = protos[i].proto;
2196 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2197 tmpl->mode = mode2kernel(proto_mode);
2198 tmpl->optional = protos[i].proto == IPPROTO_COMP &&
2199 policy->direction != POLICY_OUT;
2200 tmpl->family = ipsec->src->get_family(ipsec->src);
2201
2202 if (proto_mode == MODE_TUNNEL || proto_mode == MODE_BEET)
2203 { /* only for tunnel mode */
2204 host2xfrm(ipsec->src, &tmpl->saddr);
2205 host2xfrm(ipsec->dst, &tmpl->id.daddr);
2206 }
2207
2208 tmpl++;
2209
2210 /* use transport mode for other SAs */
2211 proto_mode = MODE_TRANSPORT;
2212 }
2213 }
2214
2215 if (!add_mark(hdr, sizeof(request), ipsec->mark))
2216 {
2217 this->mutex->unlock(this->mutex);
2218 return FAILED;
2219 }
2220 this->mutex->unlock(this->mutex);
2221
2222 status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
2223 if (status == ALREADY_DONE && !update)
2224 {
2225 DBG1(DBG_KNL, "policy already exists, try to update it");
2226 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
2227 status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
2228 }
2229 if (status != SUCCESS)
2230 {
2231 return FAILED;
2232 }
2233
2234 /* find the policy again */
2235 this->mutex->lock(this->mutex);
2236 policy = this->policies->get(this->policies, &clone);
2237 if (!policy ||
2238 policy->used_by->find_first(policy->used_by,
2239 NULL, (void**)&mapping) != SUCCESS)
2240 { /* policy or mapping is already gone, ignore */
2241 this->mutex->unlock(this->mutex);
2242 return SUCCESS;
2243 }
2244
2245 /* install a route, if:
2246 * - this is a inbound policy (to just get one for each child)
2247 * - we are in tunnel/BEET mode or install a bypass policy
2248 * - routing is not disabled via strongswan.conf
2249 */
2250 if (policy->direction == POLICY_IN && this->install_routes &&
2251 (mapping->type != POLICY_IPSEC || ipsec->cfg.mode != MODE_TRANSPORT))
2252 {
2253 policy_sa_in_t *in = (policy_sa_in_t*)mapping;
2254 route_entry_t *route;
2255 host_t *iface;
2256
2257 INIT(route,
2258 .prefixlen = policy->sel.prefixlen_s,
2259 );
2260
2261 if (charon->kernel->get_address_by_ts(charon->kernel, in->dst_ts,
2262 &route->src_ip, NULL) == SUCCESS)
2263 {
2264 /* get the nexthop to src (src as we are in POLICY_IN) */
2265 if (!ipsec->src->is_anyaddr(ipsec->src))
2266 {
2267 route->gateway = charon->kernel->get_nexthop(charon->kernel,
2268 ipsec->src, -1, ipsec->dst);
2269 }
2270 else
2271 { /* for shunt policies */
2272 iface = xfrm2host(policy->sel.family, &policy->sel.saddr, 0);
2273 route->gateway = charon->kernel->get_nexthop(charon->kernel,
2274 iface, policy->sel.prefixlen_s,
2275 route->src_ip);
2276 iface->destroy(iface);
2277 }
2278 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
2279 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
2280
2281 /* get the interface to install the route for. If we have a local
2282 * address, use it. Otherwise (for shunt policies) use the
2283 * routes source address. */
2284 iface = ipsec->dst;
2285 if (iface->is_anyaddr(iface))
2286 {
2287 iface = route->src_ip;
2288 }
2289 /* install route via outgoing interface */
2290 if (!charon->kernel->get_interface(charon->kernel, iface,
2291 &route->if_name))
2292 {
2293 this->mutex->unlock(this->mutex);
2294 route_entry_destroy(route);
2295 return SUCCESS;
2296 }
2297
2298 if (policy->route)
2299 {
2300 route_entry_t *old = policy->route;
2301 if (route_entry_equals(old, route))
2302 {
2303 this->mutex->unlock(this->mutex);
2304 route_entry_destroy(route);
2305 return SUCCESS;
2306 }
2307 /* uninstall previously installed route */
2308 if (charon->kernel->del_route(charon->kernel, old->dst_net,
2309 old->prefixlen, old->gateway,
2310 old->src_ip, old->if_name) != SUCCESS)
2311 {
2312 DBG1(DBG_KNL, "error uninstalling route installed with "
2313 "policy %R === %R %N", in->src_ts,
2314 in->dst_ts, policy_dir_names,
2315 policy->direction);
2316 }
2317 route_entry_destroy(old);
2318 policy->route = NULL;
2319 }
2320
2321 DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
2322 in->src_ts, route->gateway, route->src_ip, route->if_name);
2323 switch (charon->kernel->add_route(charon->kernel, route->dst_net,
2324 route->prefixlen, route->gateway,
2325 route->src_ip, route->if_name))
2326 {
2327 default:
2328 DBG1(DBG_KNL, "unable to install source route for %H",
2329 route->src_ip);
2330 /* FALL */
2331 case ALREADY_DONE:
2332 /* route exists, do not uninstall */
2333 route_entry_destroy(route);
2334 break;
2335 case SUCCESS:
2336 /* cache the installed route */
2337 policy->route = route;
2338 break;
2339 }
2340 }
2341 else
2342 {
2343 free(route);
2344 }
2345 }
2346 this->mutex->unlock(this->mutex);
2347 return SUCCESS;
2348 }
2349
2350 METHOD(kernel_ipsec_t, add_policy, status_t,
2351 private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id,
2352 kernel_ipsec_manage_policy_t *data)
2353 {
2354 policy_entry_t *policy, *current;
2355 policy_sa_t *assigned_sa, *current_sa;
2356 enumerator_t *enumerator;
2357 bool found = FALSE, update = TRUE;
2358
2359 /* create a policy */
2360 INIT(policy,
2361 .sel = ts2selector(id->src_ts, id->dst_ts),
2362 .mark = id->mark.value & id->mark.mask,
2363 .direction = id->dir,
2364 .reqid = data->sa->reqid,
2365 );
2366
2367 /* find the policy, which matches EXACTLY */
2368 this->mutex->lock(this->mutex);
2369 current = this->policies->get(this->policies, policy);
2370 if (current)
2371 {
2372 if (current->reqid && data->sa->reqid &&
2373 current->reqid != data->sa->reqid)
2374 {
2375 DBG1(DBG_CFG, "unable to install policy %R === %R %N (mark "
2376 "%u/0x%08x) for reqid %u, the same policy for reqid %u exists",
2377 id->src_ts, id->dst_ts, policy_dir_names, id->dir,
2378 id->mark.value, id->mark.mask, data->sa->reqid, current->reqid);
2379 policy_entry_destroy(this, policy);
2380 this->mutex->unlock(this->mutex);
2381 return INVALID_STATE;
2382 }
2383 /* use existing policy */
2384 DBG2(DBG_KNL, "policy %R === %R %N (mark %u/0x%08x) already exists, "
2385 "increasing refcount", id->src_ts, id->dst_ts, policy_dir_names,
2386 id->dir, id->mark.value, id->mark.mask);
2387 policy_entry_destroy(this, policy);
2388 policy = current;
2389 found = TRUE;
2390 }
2391 else
2392 { /* use the new one, if we have no such policy */
2393 policy->used_by = linked_list_create();
2394 this->policies->put(this->policies, policy, policy);
2395 }
2396
2397 /* cache the assigned IPsec SA */
2398 assigned_sa = policy_sa_create(this, id->dir, data->type, data->src,
2399 data->dst, id->src_ts, id->dst_ts, id->mark, data->sa);
2400 assigned_sa->priority = get_priority(policy, data->prio);
2401
2402 /* insert the SA according to its priority */
2403 enumerator = policy->used_by->create_enumerator(policy->used_by);
2404 while (enumerator->enumerate(enumerator, (void**)&current_sa))
2405 {
2406 if (current_sa->priority >= assigned_sa->priority)
2407 {
2408 break;
2409 }
2410 update = FALSE;
2411 }
2412 policy->used_by->insert_before(policy->used_by, enumerator,
2413 assigned_sa);
2414 enumerator->destroy(enumerator);
2415
2416 if (!update)
2417 { /* we don't update the policy if the priority is lower than that of
2418 * the currently installed one */
2419 this->mutex->unlock(this->mutex);
2420 return SUCCESS;
2421 }
2422
2423 if (this->policy_update)
2424 {
2425 found = TRUE;
2426 }
2427
2428 DBG2(DBG_KNL, "%s policy %R === %R %N (mark %u/0x%08x)",
2429 found ? "updating" : "adding", id->src_ts, id->dst_ts,
2430 policy_dir_names, id->dir, id->mark.value, id->mark.mask);
2431
2432 if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS)
2433 {
2434 DBG1(DBG_KNL, "unable to %s policy %R === %R %N",
2435 found ? "update" : "add", id->src_ts, id->dst_ts,
2436 policy_dir_names, id->dir);
2437 return FAILED;
2438 }
2439 return SUCCESS;
2440 }
2441
2442 METHOD(kernel_ipsec_t, query_policy, status_t,
2443 private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id,
2444 kernel_ipsec_query_policy_t *data, time_t *use_time)
2445 {
2446 netlink_buf_t request;
2447 struct nlmsghdr *out = NULL, *hdr;
2448 struct xfrm_userpolicy_id *policy_id;
2449 struct xfrm_userpolicy_info *policy = NULL;
2450 size_t len;
2451
2452 memset(&request, 0, sizeof(request));
2453
2454 DBG2(DBG_KNL, "querying policy %R === %R %N (mark %u/0x%08x)",
2455 id->src_ts, id->dst_ts, policy_dir_names, id->dir, id->mark.value,
2456 id->mark.mask);
2457
2458 hdr = &request.hdr;
2459 hdr->nlmsg_flags = NLM_F_REQUEST;
2460 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2461 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2462
2463 policy_id = NLMSG_DATA(hdr);
2464 policy_id->sel = ts2selector(id->src_ts, id->dst_ts);
2465 policy_id->dir = id->dir;
2466
2467 if (!add_mark(hdr, sizeof(request), id->mark))
2468 {
2469 return FAILED;
2470 }
2471
2472 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2473 {
2474 hdr = out;
2475 while (NLMSG_OK(hdr, len))
2476 {
2477 switch (hdr->nlmsg_type)
2478 {
2479 case XFRM_MSG_NEWPOLICY:
2480 {
2481 policy = NLMSG_DATA(hdr);
2482 break;
2483 }
2484 case NLMSG_ERROR:
2485 {
2486 struct nlmsgerr *err = NLMSG_DATA(hdr);
2487 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2488 strerror(-err->error), -err->error);
2489 break;
2490 }
2491 default:
2492 hdr = NLMSG_NEXT(hdr, len);
2493 continue;
2494 case NLMSG_DONE:
2495 break;
2496 }
2497 break;
2498 }
2499 }
2500
2501 if (policy == NULL)
2502 {
2503 DBG2(DBG_KNL, "unable to query policy %R === %R %N", id->src_ts,
2504 id->dst_ts, policy_dir_names, id->dir);
2505 free(out);
2506 return FAILED;
2507 }
2508
2509 if (policy->curlft.use_time)
2510 {
2511 /* we need the monotonic time, but the kernel returns system time. */
2512 *use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
2513 }
2514 else
2515 {
2516 *use_time = 0;
2517 }
2518
2519 free(out);
2520 return SUCCESS;
2521 }
2522
2523 METHOD(kernel_ipsec_t, del_policy, status_t,
2524 private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id,
2525 kernel_ipsec_manage_policy_t *data)
2526 {
2527 policy_entry_t *current, policy;
2528 enumerator_t *enumerator;
2529 policy_sa_t *mapping;
2530 netlink_buf_t request;
2531 struct nlmsghdr *hdr;
2532 struct xfrm_userpolicy_id *policy_id;
2533 bool is_installed = TRUE;
2534 uint32_t priority;
2535 ipsec_sa_t assigned_sa = {
2536 .src = data->src,
2537 .dst = data->dst,
2538 .mark = id->mark,
2539 .cfg = *data->sa,
2540 };
2541
2542 DBG2(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%08x)",
2543 id->src_ts, id->dst_ts, policy_dir_names, id->dir, id->mark.value,
2544 id->mark.mask);
2545
2546 /* create a policy */
2547 memset(&policy, 0, sizeof(policy_entry_t));
2548 policy.sel = ts2selector(id->src_ts, id->dst_ts);
2549 policy.mark = id->mark.value & id->mark.mask;
2550 policy.direction = id->dir;
2551
2552 /* find the policy */
2553 this->mutex->lock(this->mutex);
2554 current = this->policies->get(this->policies, &policy);
2555 if (!current)
2556 {
2557 if (id->mark.value)
2558 {
2559 DBG1(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%08x) "
2560 "failed, not found", id->src_ts, id->dst_ts,
2561 policy_dir_names, id->dir, id->mark.value, id->mark.mask);
2562 }
2563 else
2564 {
2565 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found",
2566 id->src_ts, id->dst_ts, policy_dir_names, id->dir);
2567 }
2568 this->mutex->unlock(this->mutex);
2569 return NOT_FOUND;
2570 }
2571
2572 /* remove mapping to SA by reqid and priority */
2573 priority = get_priority(current, data->prio);
2574 enumerator = current->used_by->create_enumerator(current->used_by);
2575 while (enumerator->enumerate(enumerator, (void**)&mapping))
2576 {
2577 if (priority == mapping->priority && data->type == mapping->type &&
2578 ipsec_sa_equals(mapping->sa, &assigned_sa))
2579 {
2580 current->used_by->remove_at(current->used_by, enumerator);
2581 policy_sa_destroy(mapping, &id->dir, this);
2582 break;
2583 }
2584 is_installed = FALSE;
2585 }
2586 enumerator->destroy(enumerator);
2587
2588 if (current->used_by->get_count(current->used_by) > 0)
2589 { /* policy is used by more SAs, keep in kernel */
2590 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2591 if (!is_installed)
2592 { /* no need to update as the policy was not installed for this SA */
2593 this->mutex->unlock(this->mutex);
2594 return SUCCESS;
2595 }
2596
2597 DBG2(DBG_KNL, "updating policy %R === %R %N (mark %u/0x%08x)",
2598 id->src_ts, id->dst_ts, policy_dir_names, id->dir, id->mark.value,
2599 id->mark.mask);
2600
2601 current->used_by->get_first(current->used_by, (void**)&mapping);
2602 if (add_policy_internal(this, current, mapping, TRUE) != SUCCESS)
2603 {
2604 DBG1(DBG_KNL, "unable to update policy %R === %R %N",
2605 id->src_ts, id->dst_ts, policy_dir_names, id->dir);
2606 return FAILED;
2607 }
2608 return SUCCESS;
2609 }
2610
2611 memset(&request, 0, sizeof(request));
2612
2613 hdr = &request.hdr;
2614 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2615 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2616 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2617
2618 policy_id = NLMSG_DATA(hdr);
2619 policy_id->sel = current->sel;
2620 policy_id->dir = id->dir;
2621
2622 if (!add_mark(hdr, sizeof(request), id->mark))
2623 {
2624 this->mutex->unlock(this->mutex);
2625 return FAILED;
2626 }
2627
2628 if (current->route)
2629 {
2630 route_entry_t *route = current->route;
2631 if (charon->kernel->del_route(charon->kernel, route->dst_net,
2632 route->prefixlen, route->gateway,
2633 route->src_ip, route->if_name) != SUCCESS)
2634 {
2635 DBG1(DBG_KNL, "error uninstalling route installed with policy "
2636 "%R === %R %N", id->src_ts, id->dst_ts, policy_dir_names,
2637 id->dir);
2638 }
2639 }
2640
2641 this->policies->remove(this->policies, current);
2642 policy_entry_destroy(this, current);
2643 this->mutex->unlock(this->mutex);
2644
2645 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2646 {
2647 if (id->mark.value)
2648 {
2649 DBG1(DBG_KNL, "unable to delete policy %R === %R %N (mark "
2650 "%u/0x%08x)", id->src_ts, id->dst_ts, policy_dir_names,
2651 id->dir, id->mark.value, id->mark.mask);
2652 }
2653 else
2654 {
2655 DBG1(DBG_KNL, "unable to delete policy %R === %R %N",
2656 id->src_ts, id->dst_ts, policy_dir_names, id->dir);
2657 }
2658 return FAILED;
2659 }
2660 return SUCCESS;
2661 }
2662
2663 METHOD(kernel_ipsec_t, flush_policies, status_t,
2664 private_kernel_netlink_ipsec_t *this)
2665 {
2666 netlink_buf_t request;
2667 struct nlmsghdr *hdr;
2668
2669 memset(&request, 0, sizeof(request));
2670
2671 DBG2(DBG_KNL, "flushing all policies from SPD");
2672
2673 hdr = &request.hdr;
2674 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2675 hdr->nlmsg_type = XFRM_MSG_FLUSHPOLICY;
2676 hdr->nlmsg_len = NLMSG_LENGTH(0); /* no data associated */
2677
2678 /* by adding an rtattr of type XFRMA_POLICY_TYPE we could restrict this
2679 * to main or sub policies (default is main) */
2680
2681 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2682 {
2683 DBG1(DBG_KNL, "unable to flush SPD entries");
2684 return FAILED;
2685 }
2686 return SUCCESS;
2687 }
2688
2689 /**
2690 * Bypass socket using a per-socket policy
2691 */
2692 static bool add_socket_bypass(private_kernel_netlink_ipsec_t *this,
2693 int fd, int family)
2694 {
2695 struct xfrm_userpolicy_info policy;
2696 u_int sol, ipsec_policy;
2697
2698 switch (family)
2699 {
2700 case AF_INET:
2701 sol = SOL_IP;
2702 ipsec_policy = IP_XFRM_POLICY;
2703 break;
2704 case AF_INET6:
2705 sol = SOL_IPV6;
2706 ipsec_policy = IPV6_XFRM_POLICY;
2707 break;
2708 default:
2709 return FALSE;
2710 }
2711
2712 memset(&policy, 0, sizeof(policy));
2713 policy.action = XFRM_POLICY_ALLOW;
2714 policy.sel.family = family;
2715
2716 policy.dir = XFRM_POLICY_OUT;
2717 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2718 {
2719 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2720 strerror(errno));
2721 return FALSE;
2722 }
2723 policy.dir = XFRM_POLICY_IN;
2724 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2725 {
2726 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2727 strerror(errno));
2728 return FALSE;
2729 }
2730 return TRUE;
2731 }
2732
2733 /**
2734 * Port based IKE bypass policy
2735 */
2736 typedef struct {
2737 /** address family */
2738 int family;
2739 /** layer 4 protocol */
2740 int proto;
2741 /** port number, network order */
2742 uint16_t port;
2743 } bypass_t;
2744
2745 /**
2746 * Add or remove a bypass policy from/to kernel
2747 */
2748 static bool manage_bypass(private_kernel_netlink_ipsec_t *this,
2749 int type, policy_dir_t dir, bypass_t *bypass)
2750 {
2751 netlink_buf_t request;
2752 struct xfrm_selector *sel;
2753 struct nlmsghdr *hdr;
2754
2755 memset(&request, 0, sizeof(request));
2756 hdr = &request.hdr;
2757 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2758 hdr->nlmsg_type = type;
2759
2760 if (type == XFRM_MSG_NEWPOLICY)
2761 {
2762 struct xfrm_userpolicy_info *policy;
2763
2764 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2765
2766 policy = NLMSG_DATA(hdr);
2767 policy->dir = dir;
2768 policy->priority = 32;
2769 policy->action = XFRM_POLICY_ALLOW;
2770 policy->share = XFRM_SHARE_ANY;
2771
2772 policy->lft.soft_byte_limit = XFRM_INF;
2773 policy->lft.soft_packet_limit = XFRM_INF;
2774 policy->lft.hard_byte_limit = XFRM_INF;
2775 policy->lft.hard_packet_limit = XFRM_INF;
2776
2777 sel = &policy->sel;
2778 }
2779 else /* XFRM_MSG_DELPOLICY */
2780 {
2781 struct xfrm_userpolicy_id *policy;
2782
2783 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2784
2785 policy = NLMSG_DATA(hdr);
2786 policy->dir = dir;
2787
2788 sel = &policy->sel;
2789 }
2790
2791 sel->family = bypass->family;
2792 sel->proto = bypass->proto;
2793 if (dir == POLICY_IN)
2794 {
2795 sel->dport = bypass->port;
2796 sel->dport_mask = 0xffff;
2797 }
2798 else
2799 {
2800 sel->sport = bypass->port;
2801 sel->sport_mask = 0xffff;
2802 }
2803 return this->socket_xfrm->send_ack(this->socket_xfrm, hdr) == SUCCESS;
2804 }
2805
2806 /**
2807 * Bypass socket using a port-based bypass policy
2808 */
2809 static bool add_port_bypass(private_kernel_netlink_ipsec_t *this,
2810 int fd, int family)
2811 {
2812 union {
2813 struct sockaddr sa;
2814 struct sockaddr_in in;
2815 struct sockaddr_in6 in6;
2816 } saddr;
2817 socklen_t len;
2818 bypass_t bypass = {
2819 .family = family,
2820 };
2821
2822 len = sizeof(saddr);
2823 if (getsockname(fd, &saddr.sa, &len) != 0)
2824 {
2825 return FALSE;
2826 }
2827 #ifdef SO_PROTOCOL /* since 2.6.32 */
2828 len = sizeof(bypass.proto);
2829 if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &bypass.proto, &len) != 0)
2830 #endif
2831 { /* assume UDP if SO_PROTOCOL not supported */
2832 bypass.proto = IPPROTO_UDP;
2833 }
2834 switch (family)
2835 {
2836 case AF_INET:
2837 bypass.port = saddr.in.sin_port;
2838 break;
2839 case AF_INET6:
2840 bypass.port = saddr.in6.sin6_port;
2841 break;
2842 default:
2843 return FALSE;
2844 }
2845
2846 if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_IN, &bypass))
2847 {
2848 return FALSE;
2849 }
2850 if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_OUT, &bypass))
2851 {
2852 manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, &bypass);
2853 return FALSE;
2854 }
2855 array_insert(this->bypass, ARRAY_TAIL, &bypass);
2856
2857 return TRUE;
2858 }
2859
2860 /**
2861 * Remove installed port based bypass policy
2862 */
2863 static void remove_port_bypass(bypass_t *bypass, int idx,
2864 private_kernel_netlink_ipsec_t *this)
2865 {
2866 manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_OUT, bypass);
2867 manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, bypass);
2868 }
2869
2870 METHOD(kernel_ipsec_t, bypass_socket, bool,
2871 private_kernel_netlink_ipsec_t *this, int fd, int family)
2872 {
2873 if (lib->settings->get_bool(lib->settings,
2874 "%s.plugins.kernel-netlink.port_bypass", FALSE, lib->ns))
2875 {
2876 return add_port_bypass(this, fd, family);
2877 }
2878 return add_socket_bypass(this, fd, family);
2879 }
2880
2881 METHOD(kernel_ipsec_t, enable_udp_decap, bool,
2882 private_kernel_netlink_ipsec_t *this, int fd, int family, uint16_t port)
2883 {
2884 int type = UDP_ENCAP_ESPINUDP;
2885
2886 if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
2887 {
2888 DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno));
2889 return FALSE;
2890 }
2891 return TRUE;
2892 }
2893
2894 METHOD(kernel_ipsec_t, destroy, void,
2895 private_kernel_netlink_ipsec_t *this)
2896 {
2897 enumerator_t *enumerator;
2898 policy_entry_t *policy;
2899
2900 array_destroy_function(this->bypass,
2901 (array_callback_t)remove_port_bypass, this);
2902 if (this->socket_xfrm_events > 0)
2903 {
2904 lib->watcher->remove(lib->watcher, this->socket_xfrm_events);
2905 close(this->socket_xfrm_events);
2906 }
2907 DESTROY_IF(this->socket_xfrm);
2908 enumerator = this->policies->create_enumerator(this->policies);
2909 while (enumerator->enumerate(enumerator, &policy, &policy))
2910 {
2911 policy_entry_destroy(this, policy);
2912 }
2913 enumerator->destroy(enumerator);
2914 this->policies->destroy(this->policies);
2915 this->sas->destroy(this->sas);
2916 this->mutex->destroy(this->mutex);
2917 free(this);
2918 }
2919
2920 /*
2921 * Described in header.
2922 */
2923 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
2924 {
2925 private_kernel_netlink_ipsec_t *this;
2926 bool register_for_events = TRUE;
2927 FILE *f;
2928
2929 INIT(this,
2930 .public = {
2931 .interface = {
2932 .get_features = _get_features,
2933 .get_spi = _get_spi,
2934 .get_cpi = _get_cpi,
2935 .add_sa = _add_sa,
2936 .update_sa = _update_sa,
2937 .query_sa = _query_sa,
2938 .del_sa = _del_sa,
2939 .flush_sas = _flush_sas,
2940 .add_policy = _add_policy,
2941 .query_policy = _query_policy,
2942 .del_policy = _del_policy,
2943 .flush_policies = _flush_policies,
2944 .bypass_socket = _bypass_socket,
2945 .enable_udp_decap = _enable_udp_decap,
2946 .destroy = _destroy,
2947 },
2948 },
2949 .policies = hashtable_create((hashtable_hash_t)policy_hash,
2950 (hashtable_equals_t)policy_equals, 32),
2951 .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
2952 (hashtable_equals_t)ipsec_sa_equals, 32),
2953 .bypass = array_create(sizeof(bypass_t), 0),
2954 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2955 .policy_update = lib->settings->get_bool(lib->settings,
2956 "%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns),
2957 .install_routes = lib->settings->get_bool(lib->settings,
2958 "%s.install_routes", TRUE, lib->ns),
2959 .proto_port_transport = lib->settings->get_bool(lib->settings,
2960 "%s.plugins.kernel-netlink.set_proto_port_transport_sa",
2961 FALSE, lib->ns),
2962 );
2963
2964 if (streq(lib->ns, "starter"))
2965 { /* starter has no threads, so we do not register for kernel events */
2966 register_for_events = FALSE;
2967 }
2968
2969 f = fopen("/proc/sys/net/core/xfrm_acq_expires", "w");
2970 if (f)
2971 {
2972 fprintf(f, "%u", lib->settings->get_int(lib->settings,
2973 "%s.plugins.kernel-netlink.xfrm_acq_expires",
2974 DEFAULT_ACQUIRE_LIFETIME, lib->ns));
2975 fclose(f);
2976 }
2977
2978 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names,
2979 lib->settings->get_bool(lib->settings,
2980 "%s.plugins.kernel-netlink.parallel_xfrm", FALSE, lib->ns));
2981 if (!this->socket_xfrm)
2982 {
2983 destroy(this);
2984 return NULL;
2985 }
2986
2987 if (register_for_events)
2988 {
2989 struct sockaddr_nl addr;
2990
2991 memset(&addr, 0, sizeof(addr));
2992 addr.nl_family = AF_NETLINK;
2993
2994 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
2995 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2996 if (this->socket_xfrm_events <= 0)
2997 {
2998 DBG1(DBG_KNL, "unable to create XFRM event socket");
2999 destroy(this);
3000 return NULL;
3001 }
3002 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
3003 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
3004 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
3005 {
3006 DBG1(DBG_KNL, "unable to bind XFRM event socket");
3007 destroy(this);
3008 return NULL;
3009 }
3010 lib->watcher->add(lib->watcher, this->socket_xfrm_events, WATCHER_READ,
3011 (watcher_cb_t)receive_events, this);
3012 }
3013
3014 return &this->public;
3015 }