support of xfrm marks for IKEv2
[strongswan.git] / src / libcharon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2009 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include <sys/types.h>
22 #include <sys/socket.h>
23 #include <stdint.h>
24 #include <linux/ipsec.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <unistd.h>
30 #include <time.h>
31 #include <errno.h>
32 #include <string.h>
33 #include <fcntl.h>
34
35 #include "kernel_netlink_ipsec.h"
36 #include "kernel_netlink_shared.h"
37
38 #include <daemon.h>
39 #include <threading/thread.h>
40 #include <threading/mutex.h>
41 #include <utils/hashtable.h>
42 #include <processing/jobs/callback_job.h>
43 #include <processing/jobs/acquire_job.h>
44 #include <processing/jobs/migrate_job.h>
45 #include <processing/jobs/rekey_child_sa_job.h>
46 #include <processing/jobs/delete_child_sa_job.h>
47 #include <processing/jobs/update_sa_job.h>
48
49 /** required for Linux 2.6.26 kernel and later */
50 #ifndef XFRM_STATE_AF_UNSPEC
51 #define XFRM_STATE_AF_UNSPEC 32
52 #endif
53
54 /** from linux/in.h */
55 #ifndef IP_XFRM_POLICY
56 #define IP_XFRM_POLICY 17
57 #endif
58
59 /* missing on uclibc */
60 #ifndef IPV6_XFRM_POLICY
61 #define IPV6_XFRM_POLICY 34
62 #endif /*IPV6_XFRM_POLICY*/
63
64 /** default priority of installed policies */
65 #define PRIO_LOW 3000
66 #define PRIO_HIGH 2000
67
68 /**
69 * map the limit for bytes and packets to XFRM_INF per default
70 */
71 #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
72
73 /**
74 * Create ORable bitfield of XFRM NL groups
75 */
76 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
77
78 /**
79 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
80 * 'usual' netlink data x like 'struct xfrm_usersa_info'
81 */
82 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
83 /**
84 * returns a pointer to the next rtattr following rta.
85 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
86 */
87 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
88 /**
89 * returns the total size of attached rta data
90 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
91 */
92 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
93
94 typedef struct kernel_algorithm_t kernel_algorithm_t;
95
96 /**
97 * Mapping of IKEv2 kernel identifier to linux crypto API names
98 */
99 struct kernel_algorithm_t {
100 /**
101 * Identifier specified in IKEv2
102 */
103 int ikev2;
104
105 /**
106 * Name of the algorithm in linux crypto API
107 */
108 char *name;
109 };
110
111 ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
112 "XFRM_MSG_NEWSA",
113 "XFRM_MSG_DELSA",
114 "XFRM_MSG_GETSA",
115 "XFRM_MSG_NEWPOLICY",
116 "XFRM_MSG_DELPOLICY",
117 "XFRM_MSG_GETPOLICY",
118 "XFRM_MSG_ALLOCSPI",
119 "XFRM_MSG_ACQUIRE",
120 "XFRM_MSG_EXPIRE",
121 "XFRM_MSG_UPDPOLICY",
122 "XFRM_MSG_UPDSA",
123 "XFRM_MSG_POLEXPIRE",
124 "XFRM_MSG_FLUSHSA",
125 "XFRM_MSG_FLUSHPOLICY",
126 "XFRM_MSG_NEWAE",
127 "XFRM_MSG_GETAE",
128 "XFRM_MSG_REPORT",
129 "XFRM_MSG_MIGRATE",
130 "XFRM_MSG_NEWSADINFO",
131 "XFRM_MSG_GETSADINFO",
132 "XFRM_MSG_NEWSPDINFO",
133 "XFRM_MSG_GETSPDINFO",
134 "XFRM_MSG_MAPPING"
135 );
136
137 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
138 "XFRMA_UNSPEC",
139 "XFRMA_ALG_AUTH",
140 "XFRMA_ALG_CRYPT",
141 "XFRMA_ALG_COMP",
142 "XFRMA_ENCAP",
143 "XFRMA_TMPL",
144 "XFRMA_SA",
145 "XFRMA_POLICY",
146 "XFRMA_SEC_CTX",
147 "XFRMA_LTIME_VAL",
148 "XFRMA_REPLAY_VAL",
149 "XFRMA_REPLAY_THRESH",
150 "XFRMA_ETIMER_THRESH",
151 "XFRMA_SRCADDR",
152 "XFRMA_COADDR",
153 "XFRMA_LASTUSED",
154 "XFRMA_POLICY_TYPE",
155 "XFRMA_MIGRATE",
156 "XFRMA_ALG_AEAD",
157 "XFRMA_KMADDRESS"
158 );
159
160 #define END_OF_LIST -1
161
162 /**
163 * Algorithms for encryption
164 */
165 static kernel_algorithm_t encryption_algs[] = {
166 /* {ENCR_DES_IV64, "***" }, */
167 {ENCR_DES, "des" },
168 {ENCR_3DES, "des3_ede" },
169 /* {ENCR_RC5, "***" }, */
170 /* {ENCR_IDEA, "***" }, */
171 {ENCR_CAST, "cast128" },
172 {ENCR_BLOWFISH, "blowfish" },
173 /* {ENCR_3IDEA, "***" }, */
174 /* {ENCR_DES_IV32, "***" }, */
175 {ENCR_NULL, "cipher_null" },
176 {ENCR_AES_CBC, "aes" },
177 {ENCR_AES_CTR, "rfc3686(ctr(aes))" },
178 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
179 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
180 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
181 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
182 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
183 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
184 {ENCR_NULL_AUTH_AES_GMAC, "rfc4543(gcm(aes))" },
185 {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
186 /* {ENCR_CAMELLIA_CTR, "***" }, */
187 /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
188 /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
189 /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
190 {END_OF_LIST, NULL }
191 };
192
193 /**
194 * Algorithms for integrity protection
195 */
196 static kernel_algorithm_t integrity_algs[] = {
197 {AUTH_HMAC_MD5_96, "md5" },
198 {AUTH_HMAC_SHA1_96, "sha1" },
199 {AUTH_HMAC_SHA2_256_96, "sha256" },
200 {AUTH_HMAC_SHA2_256_128, "hmac(sha256)" },
201 {AUTH_HMAC_SHA2_384_192, "hmac(sha384)" },
202 {AUTH_HMAC_SHA2_512_256, "hmac(sha512)" },
203 /* {AUTH_DES_MAC, "***" }, */
204 /* {AUTH_KPDK_MD5, "***" }, */
205 {AUTH_AES_XCBC_96, "xcbc(aes)" },
206 {END_OF_LIST, NULL }
207 };
208
209 /**
210 * Algorithms for IPComp
211 */
212 static kernel_algorithm_t compression_algs[] = {
213 /* {IPCOMP_OUI, "***" }, */
214 {IPCOMP_DEFLATE, "deflate" },
215 {IPCOMP_LZS, "lzs" },
216 {IPCOMP_LZJH, "lzjh" },
217 {END_OF_LIST, NULL }
218 };
219
220 /**
221 * Look up a kernel algorithm name and its key size
222 */
223 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
224 {
225 while (list->ikev2 != END_OF_LIST)
226 {
227 if (list->ikev2 == ikev2)
228 {
229 return list->name;
230 }
231 list++;
232 }
233 return NULL;
234 }
235
236 typedef struct route_entry_t route_entry_t;
237
238 /**
239 * installed routing entry
240 */
241 struct route_entry_t {
242 /** Name of the interface the route is bound to */
243 char *if_name;
244
245 /** Source ip of the route */
246 host_t *src_ip;
247
248 /** gateway for this route */
249 host_t *gateway;
250
251 /** Destination net */
252 chunk_t dst_net;
253
254 /** Destination net prefixlen */
255 u_int8_t prefixlen;
256 };
257
258 /**
259 * destroy an route_entry_t object
260 */
261 static void route_entry_destroy(route_entry_t *this)
262 {
263 free(this->if_name);
264 this->src_ip->destroy(this->src_ip);
265 DESTROY_IF(this->gateway);
266 chunk_free(&this->dst_net);
267 free(this);
268 }
269
270 typedef struct policy_entry_t policy_entry_t;
271
272 /**
273 * installed kernel policy.
274 */
275 struct policy_entry_t {
276
277 /** direction of this policy: in, out, forward */
278 u_int8_t direction;
279
280 /** parameters of installed policy */
281 struct xfrm_selector sel;
282
283 /** optional mark */
284 u_int32_t mark;
285
286 /** associated route installed for this policy */
287 route_entry_t *route;
288
289 /** by how many CHILD_SA's this policy is used */
290 u_int refcount;
291 };
292
293 /**
294 * Hash function for policy_entry_t objects
295 */
296 static u_int policy_hash(policy_entry_t *key)
297 {
298 chunk_t chunk = chunk_create((void*)&key->sel,
299 sizeof(struct xfrm_selector) + sizeof(u_int32_t));
300 return chunk_hash(chunk);
301 }
302
303 /**
304 * Equality function for policy_entry_t objects
305 */
306 static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
307 {
308 return memeq(&key->sel, &other_key->sel,
309 sizeof(struct xfrm_selector) + sizeof(u_int32_t)) &&
310 key->direction == other_key->direction;
311 }
312
313 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
314
315 /**
316 * Private variables and functions of kernel_netlink class.
317 */
318 struct private_kernel_netlink_ipsec_t {
319 /**
320 * Public part of the kernel_netlink_t object.
321 */
322 kernel_netlink_ipsec_t public;
323
324 /**
325 * mutex to lock access to various lists
326 */
327 mutex_t *mutex;
328
329 /**
330 * Hash table of installed policies (policy_entry_t)
331 */
332 hashtable_t *policies;
333
334 /**
335 * job receiving netlink events
336 */
337 callback_job_t *job;
338
339 /**
340 * Netlink xfrm socket (IPsec)
341 */
342 netlink_socket_t *socket_xfrm;
343
344 /**
345 * netlink xfrm socket to receive acquire and expire events
346 */
347 int socket_xfrm_events;
348
349 /**
350 * whether to install routes along policies
351 */
352 bool install_routes;
353 };
354
355 /**
356 * convert a IKEv2 specific protocol identifier to the kernel one
357 */
358 static u_int8_t proto_ike2kernel(protocol_id_t proto)
359 {
360 switch (proto)
361 {
362 case PROTO_ESP:
363 return IPPROTO_ESP;
364 case PROTO_AH:
365 return IPPROTO_AH;
366 default:
367 return proto;
368 }
369 }
370
371 /**
372 * reverse of ike2kernel
373 */
374 static protocol_id_t proto_kernel2ike(u_int8_t proto)
375 {
376 switch (proto)
377 {
378 case IPPROTO_ESP:
379 return PROTO_ESP;
380 case IPPROTO_AH:
381 return PROTO_AH;
382 default:
383 return proto;
384 }
385 }
386
387 /**
388 * convert the general ipsec mode to the one defined in xfrm.h
389 */
390 static u_int8_t mode2kernel(ipsec_mode_t mode)
391 {
392 switch (mode)
393 {
394 case MODE_TRANSPORT:
395 return XFRM_MODE_TRANSPORT;
396 case MODE_TUNNEL:
397 return XFRM_MODE_TUNNEL;
398 case MODE_BEET:
399 return XFRM_MODE_BEET;
400 default:
401 return mode;
402 }
403 }
404
405 /**
406 * convert a host_t to a struct xfrm_address
407 */
408 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
409 {
410 chunk_t chunk = host->get_address(host);
411 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
412 }
413
414 /**
415 * convert a struct xfrm_address to a host_t
416 */
417 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
418 {
419 chunk_t chunk;
420
421 switch (family)
422 {
423 case AF_INET:
424 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
425 break;
426 case AF_INET6:
427 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
428 break;
429 default:
430 return NULL;
431 }
432 return host_create_from_chunk(family, chunk, ntohs(port));
433 }
434
435 /**
436 * convert a traffic selector address range to subnet and its mask.
437 */
438 static void ts2subnet(traffic_selector_t* ts,
439 xfrm_address_t *net, u_int8_t *mask)
440 {
441 host_t *net_host;
442 chunk_t net_chunk;
443
444 ts->to_subnet(ts, &net_host, mask);
445 net_chunk = net_host->get_address(net_host);
446 memcpy(net, net_chunk.ptr, net_chunk.len);
447 net_host->destroy(net_host);
448 }
449
450 /**
451 * convert a traffic selector port range to port/portmask
452 */
453 static void ts2ports(traffic_selector_t* ts,
454 u_int16_t *port, u_int16_t *mask)
455 {
456 /* linux does not seem to accept complex portmasks. Only
457 * any or a specific port is allowed. We set to any, if we have
458 * a port range, or to a specific, if we have one port only.
459 */
460 u_int16_t from, to;
461
462 from = ts->get_from_port(ts);
463 to = ts->get_to_port(ts);
464
465 if (from == to)
466 {
467 *port = htons(from);
468 *mask = ~0;
469 }
470 else
471 {
472 *port = 0;
473 *mask = 0;
474 }
475 }
476
477 /**
478 * convert a pair of traffic_selectors to a xfrm_selector
479 */
480 static struct xfrm_selector ts2selector(traffic_selector_t *src,
481 traffic_selector_t *dst)
482 {
483 struct xfrm_selector sel;
484
485 memset(&sel, 0, sizeof(sel));
486 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
487 /* src or dest proto may be "any" (0), use more restrictive one */
488 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
489 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
490 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
491 ts2ports(dst, &sel.dport, &sel.dport_mask);
492 ts2ports(src, &sel.sport, &sel.sport_mask);
493 sel.ifindex = 0;
494 sel.user = 0;
495
496 return sel;
497 }
498
499 /**
500 * convert a xfrm_selector to a src|dst traffic_selector
501 */
502 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
503 {
504 u_char *addr;
505 u_int8_t prefixlen;
506 u_int16_t port = 0;
507 host_t *host = NULL;
508
509 if (src)
510 {
511 addr = (u_char*)&sel->saddr;
512 prefixlen = sel->prefixlen_s;
513 if (sel->sport_mask)
514 {
515 port = htons(sel->sport);
516 }
517 }
518 else
519 {
520 addr = (u_char*)&sel->daddr;
521 prefixlen = sel->prefixlen_d;
522 if (sel->dport_mask)
523 {
524 port = htons(sel->dport);
525 }
526 }
527
528 /* The Linux 2.6 kernel does not set the selector's family field,
529 * so as a kludge we additionally test the prefix length.
530 */
531 if (sel->family == AF_INET || sel->prefixlen_s == 32)
532 {
533 host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
534 }
535 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
536 {
537 host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
538 }
539
540 if (host)
541 {
542 return traffic_selector_create_from_subnet(host, prefixlen,
543 sel->proto, port);
544 }
545 return NULL;
546 }
547
548 /**
549 * process a XFRM_MSG_ACQUIRE from kernel
550 */
551 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
552 {
553 u_int32_t reqid = 0;
554 int proto = 0;
555 traffic_selector_t *src_ts, *dst_ts;
556 struct xfrm_user_acquire *acquire;
557 struct rtattr *rta;
558 size_t rtasize;
559 job_t *job;
560
561 acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
562 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
563 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
564
565 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
566
567 while (RTA_OK(rta, rtasize))
568 {
569 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
570
571 if (rta->rta_type == XFRMA_TMPL)
572 {
573 struct xfrm_user_tmpl* tmpl;
574
575 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
576 reqid = tmpl->reqid;
577 proto = tmpl->id.proto;
578 }
579 rta = RTA_NEXT(rta, rtasize);
580 }
581 switch (proto)
582 {
583 case 0:
584 case IPPROTO_ESP:
585 case IPPROTO_AH:
586 break;
587 default:
588 /* acquire for AH/ESP only, not for IPCOMP */
589 return;
590 }
591 src_ts = selector2ts(&acquire->sel, TRUE);
592 dst_ts = selector2ts(&acquire->sel, FALSE);
593 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
594 src_ts, dst_ts, reqid);
595 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
596 charon->processor->queue_job(charon->processor, job);
597 }
598
599 /**
600 * process a XFRM_MSG_EXPIRE from kernel
601 */
602 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
603 {
604 job_t *job;
605 protocol_id_t protocol;
606 u_int32_t spi, reqid;
607 struct xfrm_user_expire *expire;
608
609 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
610 protocol = proto_kernel2ike(expire->state.id.proto);
611 spi = expire->state.id.spi;
612 reqid = expire->state.reqid;
613
614 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
615
616 if (protocol != PROTO_ESP && protocol != PROTO_AH)
617 {
618 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
619 "which is not a CHILD_SA", ntohl(spi), reqid);
620 return;
621 }
622
623 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
624 expire->hard ? "delete" : "rekey", protocol_id_names,
625 protocol, ntohl(spi), reqid);
626 if (expire->hard)
627 {
628 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
629 }
630 else
631 {
632 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
633 }
634 charon->processor->queue_job(charon->processor, job);
635 }
636
637 /**
638 * process a XFRM_MSG_MIGRATE from kernel
639 */
640 static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
641 {
642 traffic_selector_t *src_ts, *dst_ts;
643 host_t *local = NULL, *remote = NULL;
644 host_t *old_src = NULL, *old_dst = NULL;
645 host_t *new_src = NULL, *new_dst = NULL;
646 struct xfrm_userpolicy_id *policy_id;
647 struct rtattr *rta;
648 size_t rtasize;
649 u_int32_t reqid = 0;
650 policy_dir_t dir;
651 job_t *job;
652
653 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
654 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
655 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
656
657 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
658
659 src_ts = selector2ts(&policy_id->sel, TRUE);
660 dst_ts = selector2ts(&policy_id->sel, FALSE);
661 dir = (policy_dir_t)policy_id->dir;
662
663 DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
664
665 while (RTA_OK(rta, rtasize))
666 {
667 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
668 if (rta->rta_type == XFRMA_KMADDRESS)
669 {
670 struct xfrm_user_kmaddress *kmaddress;
671
672 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
673 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
674 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
675 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
676 }
677 else if (rta->rta_type == XFRMA_MIGRATE)
678 {
679 struct xfrm_user_migrate *migrate;
680 protocol_id_t proto;
681
682 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
683 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
684 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
685 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
686 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
687 proto = proto_kernel2ike(migrate->proto);
688 reqid = migrate->reqid;
689 DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}",
690 protocol_id_names, proto, old_src, old_dst,
691 new_src, new_dst, reqid);
692 DESTROY_IF(old_src);
693 DESTROY_IF(old_dst);
694 DESTROY_IF(new_src);
695 DESTROY_IF(new_dst);
696 }
697 rta = RTA_NEXT(rta, rtasize);
698 }
699
700 if (src_ts && dst_ts && local && remote)
701 {
702 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
703 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
704 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
705 local, remote);
706 charon->processor->queue_job(charon->processor, job);
707 }
708 else
709 {
710 DESTROY_IF(src_ts);
711 DESTROY_IF(dst_ts);
712 DESTROY_IF(local);
713 DESTROY_IF(remote);
714 }
715 }
716
717 /**
718 * process a XFRM_MSG_MAPPING from kernel
719 */
720 static void process_mapping(private_kernel_netlink_ipsec_t *this,
721 struct nlmsghdr *hdr)
722 {
723 job_t *job;
724 u_int32_t spi, reqid;
725 struct xfrm_user_mapping *mapping;
726 host_t *host;
727
728 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
729 spi = mapping->id.spi;
730 reqid = mapping->reqid;
731
732 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
733
734 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
735 {
736 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
737 mapping->new_sport);
738 if (host)
739 {
740 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
741 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
742 job = (job_t*)update_sa_job_create(reqid, host);
743 charon->processor->queue_job(charon->processor, job);
744 }
745 }
746 }
747
748 /**
749 * Receives events from kernel
750 */
751 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
752 {
753 char response[1024];
754 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
755 struct sockaddr_nl addr;
756 socklen_t addr_len = sizeof(addr);
757 int len;
758 bool oldstate;
759
760 oldstate = thread_cancelability(TRUE);
761 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
762 (struct sockaddr*)&addr, &addr_len);
763 thread_cancelability(oldstate);
764
765 if (len < 0)
766 {
767 switch (errno)
768 {
769 case EINTR:
770 /* interrupted, try again */
771 return JOB_REQUEUE_DIRECT;
772 case EAGAIN:
773 /* no data ready, select again */
774 return JOB_REQUEUE_DIRECT;
775 default:
776 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
777 sleep(1);
778 return JOB_REQUEUE_FAIR;
779 }
780 }
781
782 if (addr.nl_pid != 0)
783 { /* not from kernel. not interested, try another one */
784 return JOB_REQUEUE_DIRECT;
785 }
786
787 while (NLMSG_OK(hdr, len))
788 {
789 switch (hdr->nlmsg_type)
790 {
791 case XFRM_MSG_ACQUIRE:
792 process_acquire(this, hdr);
793 break;
794 case XFRM_MSG_EXPIRE:
795 process_expire(this, hdr);
796 break;
797 case XFRM_MSG_MIGRATE:
798 process_migrate(this, hdr);
799 break;
800 case XFRM_MSG_MAPPING:
801 process_mapping(this, hdr);
802 break;
803 default:
804 DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);
805 break;
806 }
807 hdr = NLMSG_NEXT(hdr, len);
808 }
809 return JOB_REQUEUE_DIRECT;
810 }
811
812 /**
813 * Get an SPI for a specific protocol from the kernel.
814 */
815 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
816 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
817 u_int32_t reqid, u_int32_t *spi)
818 {
819 netlink_buf_t request;
820 struct nlmsghdr *hdr, *out;
821 struct xfrm_userspi_info *userspi;
822 u_int32_t received_spi = 0;
823 size_t len;
824
825 memset(&request, 0, sizeof(request));
826
827 hdr = (struct nlmsghdr*)request;
828 hdr->nlmsg_flags = NLM_F_REQUEST;
829 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
830 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
831
832 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
833 host2xfrm(src, &userspi->info.saddr);
834 host2xfrm(dst, &userspi->info.id.daddr);
835 userspi->info.id.proto = proto;
836 userspi->info.mode = XFRM_MODE_TUNNEL;
837 userspi->info.reqid = reqid;
838 userspi->info.family = src->get_family(src);
839 userspi->min = min;
840 userspi->max = max;
841
842 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
843 {
844 hdr = out;
845 while (NLMSG_OK(hdr, len))
846 {
847 switch (hdr->nlmsg_type)
848 {
849 case XFRM_MSG_NEWSA:
850 {
851 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
852 received_spi = usersa->id.spi;
853 break;
854 }
855 case NLMSG_ERROR:
856 {
857 struct nlmsgerr *err = NLMSG_DATA(hdr);
858
859 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
860 strerror(-err->error), -err->error);
861 break;
862 }
863 default:
864 hdr = NLMSG_NEXT(hdr, len);
865 continue;
866 case NLMSG_DONE:
867 break;
868 }
869 break;
870 }
871 free(out);
872 }
873
874 if (received_spi == 0)
875 {
876 return FAILED;
877 }
878
879 *spi = received_spi;
880 return SUCCESS;
881 }
882
883 METHOD(kernel_ipsec_t, get_spi, status_t,
884 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
885 protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
886 {
887 DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
888
889 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
890 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
891 {
892 DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
893 return FAILED;
894 }
895
896 DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
897
898 return SUCCESS;
899 }
900
901 METHOD(kernel_ipsec_t, get_cpi, status_t,
902 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
903 u_int32_t reqid, u_int16_t *cpi)
904 {
905 u_int32_t received_spi = 0;
906
907 DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
908
909 if (get_spi_internal(this, src, dst,
910 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
911 {
912 DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
913 return FAILED;
914 }
915
916 *cpi = htons((u_int16_t)ntohl(received_spi));
917
918 DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
919
920 return SUCCESS;
921 }
922
923 METHOD(kernel_ipsec_t, add_sa, status_t,
924 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
925 u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark,
926 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
927 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
928 u_int16_t cpi, bool encap, bool inbound,
929 traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
930 {
931 netlink_buf_t request;
932 char *alg_name;
933 struct nlmsghdr *hdr;
934 struct xfrm_usersa_info *sa;
935 u_int16_t icv_size = 64;
936
937 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
938 * we are in the recursive call below */
939 if (ipcomp != IPCOMP_NONE && cpi != 0)
940 {
941 lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
942 add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
943 &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
944 mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
945 ipcomp = IPCOMP_NONE;
946 /* use transport mode ESP SA, IPComp uses tunnel mode */
947 mode = MODE_TRANSPORT;
948 }
949
950 memset(&request, 0, sizeof(request));
951
952 if (mark.value)
953 {
954 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u} "
955 "(mark %u/0x%8x)", ntohl(spi), reqid, mark.value, mark.mask);
956 }
957 else
958 {
959 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
960 ntohl(spi), reqid);
961 }
962 hdr = (struct nlmsghdr*)request;
963 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
964 hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
965 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
966
967 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
968 host2xfrm(src, &sa->saddr);
969 host2xfrm(dst, &sa->id.daddr);
970 sa->id.spi = spi;
971 sa->id.proto = proto_ike2kernel(protocol);
972 sa->family = src->get_family(src);
973 sa->mode = mode2kernel(mode);
974 switch (mode)
975 {
976 case MODE_TUNNEL:
977 sa->flags |= XFRM_STATE_AF_UNSPEC;
978 break;
979 case MODE_BEET:
980 if(src_ts && dst_ts)
981 {
982 sa->sel = ts2selector(src_ts, dst_ts);
983 }
984 break;
985 default:
986 break;
987 }
988
989 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
990 sa->reqid = reqid;
991 sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
992 sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life);
993 sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey);
994 sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life);
995 /* we use lifetimes since added, not since used */
996 sa->lft.soft_add_expires_seconds = lifetime->time.rekey;
997 sa->lft.hard_add_expires_seconds = lifetime->time.life;
998 sa->lft.soft_use_expires_seconds = 0;
999 sa->lft.hard_use_expires_seconds = 0;
1000
1001 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1002
1003 switch (enc_alg)
1004 {
1005 case ENCR_UNDEFINED:
1006 /* no encryption */
1007 break;
1008 case ENCR_AES_CCM_ICV16:
1009 case ENCR_AES_GCM_ICV16:
1010 case ENCR_NULL_AUTH_AES_GMAC:
1011 case ENCR_CAMELLIA_CCM_ICV16:
1012 icv_size += 32;
1013 /* FALL */
1014 case ENCR_AES_CCM_ICV12:
1015 case ENCR_AES_GCM_ICV12:
1016 case ENCR_CAMELLIA_CCM_ICV12:
1017 icv_size += 32;
1018 /* FALL */
1019 case ENCR_AES_CCM_ICV8:
1020 case ENCR_AES_GCM_ICV8:
1021 case ENCR_CAMELLIA_CCM_ICV8:
1022 {
1023 struct xfrm_algo_aead *algo;
1024
1025 alg_name = lookup_algorithm(encryption_algs, enc_alg);
1026 if (alg_name == NULL)
1027 {
1028 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1029 encryption_algorithm_names, enc_alg);
1030 return FAILED;
1031 }
1032 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1033 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1034
1035 rthdr->rta_type = XFRMA_ALG_AEAD;
1036 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
1037 hdr->nlmsg_len += rthdr->rta_len;
1038 if (hdr->nlmsg_len > sizeof(request))
1039 {
1040 return FAILED;
1041 }
1042
1043 algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
1044 algo->alg_key_len = enc_key.len * 8;
1045 algo->alg_icv_len = icv_size;
1046 strcpy(algo->alg_name, alg_name);
1047 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
1048
1049 rthdr = XFRM_RTA_NEXT(rthdr);
1050 break;
1051 }
1052 default:
1053 {
1054 struct xfrm_algo *algo;
1055
1056 alg_name = lookup_algorithm(encryption_algs, enc_alg);
1057 if (alg_name == NULL)
1058 {
1059 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1060 encryption_algorithm_names, enc_alg);
1061 return FAILED;
1062 }
1063 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1064 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1065
1066 rthdr->rta_type = XFRMA_ALG_CRYPT;
1067 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
1068 hdr->nlmsg_len += rthdr->rta_len;
1069 if (hdr->nlmsg_len > sizeof(request))
1070 {
1071 return FAILED;
1072 }
1073
1074 algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1075 algo->alg_key_len = enc_key.len * 8;
1076 strcpy(algo->alg_name, alg_name);
1077 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
1078
1079 rthdr = XFRM_RTA_NEXT(rthdr);
1080 }
1081 }
1082
1083 if (int_alg != AUTH_UNDEFINED)
1084 {
1085 alg_name = lookup_algorithm(integrity_algs, int_alg);
1086 if (alg_name == NULL)
1087 {
1088 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1089 integrity_algorithm_names, int_alg);
1090 return FAILED;
1091 }
1092 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1093 integrity_algorithm_names, int_alg, int_key.len * 8);
1094
1095 if (int_alg == AUTH_HMAC_SHA2_256_128)
1096 {
1097 struct xfrm_algo_auth* algo;
1098
1099 /* the kernel uses SHA256 with 96 bit truncation by default,
1100 * use specified truncation size supported by newer kernels */
1101 rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
1102 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) + int_key.len);
1103
1104 hdr->nlmsg_len += rthdr->rta_len;
1105 if (hdr->nlmsg_len > sizeof(request))
1106 {
1107 return FAILED;
1108 }
1109
1110 algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
1111 algo->alg_key_len = int_key.len * 8;
1112 algo->alg_trunc_len = 128;
1113 strcpy(algo->alg_name, alg_name);
1114 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1115 }
1116 else
1117 {
1118 struct xfrm_algo* algo;
1119
1120 rthdr->rta_type = XFRMA_ALG_AUTH;
1121 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
1122
1123 hdr->nlmsg_len += rthdr->rta_len;
1124 if (hdr->nlmsg_len > sizeof(request))
1125 {
1126 return FAILED;
1127 }
1128
1129 algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1130 algo->alg_key_len = int_key.len * 8;
1131 strcpy(algo->alg_name, alg_name);
1132 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1133 }
1134 rthdr = XFRM_RTA_NEXT(rthdr);
1135 }
1136
1137 if (ipcomp != IPCOMP_NONE)
1138 {
1139 rthdr->rta_type = XFRMA_ALG_COMP;
1140 alg_name = lookup_algorithm(compression_algs, ipcomp);
1141 if (alg_name == NULL)
1142 {
1143 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1144 ipcomp_transform_names, ipcomp);
1145 return FAILED;
1146 }
1147 DBG2(DBG_KNL, " using compression algorithm %N",
1148 ipcomp_transform_names, ipcomp);
1149
1150 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
1151 hdr->nlmsg_len += rthdr->rta_len;
1152 if (hdr->nlmsg_len > sizeof(request))
1153 {
1154 return FAILED;
1155 }
1156
1157 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1158 algo->alg_key_len = 0;
1159 strcpy(algo->alg_name, alg_name);
1160
1161 rthdr = XFRM_RTA_NEXT(rthdr);
1162 }
1163
1164 if (encap)
1165 {
1166 struct xfrm_encap_tmpl *tmpl;
1167
1168 rthdr->rta_type = XFRMA_ENCAP;
1169 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1170
1171 hdr->nlmsg_len += rthdr->rta_len;
1172 if (hdr->nlmsg_len > sizeof(request))
1173 {
1174 return FAILED;
1175 }
1176
1177 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1178 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1179 tmpl->encap_sport = htons(src->get_port(src));
1180 tmpl->encap_dport = htons(dst->get_port(dst));
1181 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1182 /* encap_oa could probably be derived from the
1183 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1184 * pluto does the same as we do here but it uses encap_oa in the
1185 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1186 * the kernel ignores it anyway
1187 * -> does that mean that NAT-T encap doesn't work in transport mode?
1188 * No. The reason the kernel ignores NAT-OA is that it recomputes
1189 * (or, rather, just ignores) the checksum. If packets pass
1190 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1191 rthdr = XFRM_RTA_NEXT(rthdr);
1192 }
1193
1194 if (mark.value)
1195 {
1196 struct xfrm_mark *mrk;
1197
1198 rthdr->rta_type = XFRMA_MARK;
1199 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1200
1201 hdr->nlmsg_len += rthdr->rta_len;
1202 if (hdr->nlmsg_len > sizeof(request))
1203 {
1204 return FAILED;
1205 }
1206
1207 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1208 mrk->v = mark.value;
1209 mrk->m = mark.mask;
1210 rthdr = XFRM_RTA_NEXT(rthdr);
1211 }
1212
1213 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1214 {
1215 if (mark.value)
1216 {
1217 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x "
1218 "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
1219 }
1220 else
1221 {
1222 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1223 }
1224 return FAILED;
1225 }
1226 return SUCCESS;
1227 }
1228
1229 /**
1230 * Get the replay state (i.e. sequence numbers) of an SA.
1231 */
1232 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
1233 u_int32_t spi, protocol_id_t protocol, host_t *dst,
1234 struct xfrm_replay_state *replay)
1235 {
1236 netlink_buf_t request;
1237 struct nlmsghdr *hdr, *out = NULL;
1238 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1239 size_t len;
1240 struct rtattr *rta;
1241 size_t rtasize;
1242
1243 memset(&request, 0, sizeof(request));
1244
1245 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
1246
1247 hdr = (struct nlmsghdr*)request;
1248 hdr->nlmsg_flags = NLM_F_REQUEST;
1249 hdr->nlmsg_type = XFRM_MSG_GETAE;
1250 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1251
1252 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1253 aevent_id->flags = XFRM_AE_RVAL;
1254
1255 host2xfrm(dst, &aevent_id->sa_id.daddr);
1256 aevent_id->sa_id.spi = spi;
1257 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
1258 aevent_id->sa_id.family = dst->get_family(dst);
1259
1260 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1261 {
1262 hdr = out;
1263 while (NLMSG_OK(hdr, len))
1264 {
1265 switch (hdr->nlmsg_type)
1266 {
1267 case XFRM_MSG_NEWAE:
1268 {
1269 out_aevent = NLMSG_DATA(hdr);
1270 break;
1271 }
1272 case NLMSG_ERROR:
1273 {
1274 struct nlmsgerr *err = NLMSG_DATA(hdr);
1275 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
1276 strerror(-err->error), -err->error);
1277 break;
1278 }
1279 default:
1280 hdr = NLMSG_NEXT(hdr, len);
1281 continue;
1282 case NLMSG_DONE:
1283 break;
1284 }
1285 break;
1286 }
1287 }
1288
1289 if (out_aevent == NULL)
1290 {
1291 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1292 ntohl(spi));
1293 free(out);
1294 return FAILED;
1295 }
1296
1297 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1298 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1299 while(RTA_OK(rta, rtasize))
1300 {
1301 if (rta->rta_type == XFRMA_REPLAY_VAL &&
1302 RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
1303 {
1304 memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
1305 free(out);
1306 return SUCCESS;
1307 }
1308 rta = RTA_NEXT(rta, rtasize);
1309 }
1310
1311 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1312 ntohl(spi));
1313 free(out);
1314 return FAILED;
1315 }
1316
1317 METHOD(kernel_ipsec_t, query_sa, status_t,
1318 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1319 u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
1320 {
1321 netlink_buf_t request;
1322 struct nlmsghdr *out = NULL, *hdr;
1323 struct xfrm_usersa_id *sa_id;
1324 struct xfrm_usersa_info *sa = NULL;
1325 size_t len;
1326
1327 memset(&request, 0, sizeof(request));
1328
1329 if (mark.value)
1330 {
1331 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x (mark %u/0x%8x)",
1332 ntohl(spi), mark.value, mark.mask);
1333 }
1334 else
1335 {
1336 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1337 }
1338 hdr = (struct nlmsghdr*)request;
1339 hdr->nlmsg_flags = NLM_F_REQUEST;
1340 hdr->nlmsg_type = XFRM_MSG_GETSA;
1341 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1342
1343 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1344 host2xfrm(dst, &sa_id->daddr);
1345 sa_id->spi = spi;
1346 sa_id->proto = proto_ike2kernel(protocol);
1347 sa_id->family = dst->get_family(dst);
1348
1349 if (mark.value)
1350 {
1351 struct xfrm_mark *mrk;
1352 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
1353
1354 rthdr->rta_type = XFRMA_MARK;
1355 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1356 hdr->nlmsg_len += rthdr->rta_len;
1357 if (hdr->nlmsg_len > sizeof(request))
1358 {
1359 return FAILED;
1360 }
1361
1362 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1363 mrk->v = mark.value;
1364 mrk->m = mark.mask;
1365 }
1366
1367 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1368 {
1369 hdr = out;
1370 while (NLMSG_OK(hdr, len))
1371 {
1372 switch (hdr->nlmsg_type)
1373 {
1374 case XFRM_MSG_NEWSA:
1375 {
1376 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1377 break;
1378 }
1379 case NLMSG_ERROR:
1380 {
1381 struct nlmsgerr *err = NLMSG_DATA(hdr);
1382
1383 if (mark.value)
1384 {
1385 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x "
1386 "(mark %u/0x%8x) failed: %s (%d)",
1387 ntohl(spi), mark.value, mark.mask,
1388 strerror(-err->error), -err->error);
1389 }
1390 else
1391 {
1392 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x "
1393 "failed: %s (%d)", ntohl(spi),
1394 strerror(-err->error), -err->error);
1395 }
1396 break;
1397 }
1398 default:
1399 hdr = NLMSG_NEXT(hdr, len);
1400 continue;
1401 case NLMSG_DONE:
1402 break;
1403 }
1404 break;
1405 }
1406 }
1407
1408 if (sa == NULL)
1409 {
1410 DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1411 free(out);
1412 return FAILED;
1413 }
1414 *bytes = sa->curlft.bytes;
1415
1416 free(out);
1417 return SUCCESS;
1418 }
1419
1420 METHOD(kernel_ipsec_t, del_sa, status_t,
1421 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1422 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
1423 {
1424 netlink_buf_t request;
1425 struct nlmsghdr *hdr;
1426 struct xfrm_usersa_id *sa_id;
1427
1428 /* if IPComp was used, we first delete the additional IPComp SA */
1429 if (cpi)
1430 {
1431 del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark);
1432 }
1433
1434 memset(&request, 0, sizeof(request));
1435
1436 if (mark.value)
1437 {
1438 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x (mark %u/0x%8x)",
1439 ntohl(spi), mark.value, mark.mask);
1440 }
1441 else
1442 {
1443 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1444 }
1445 hdr = (struct nlmsghdr*)request;
1446 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1447 hdr->nlmsg_type = XFRM_MSG_DELSA;
1448 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1449
1450 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1451 host2xfrm(dst, &sa_id->daddr);
1452 sa_id->spi = spi;
1453 sa_id->proto = proto_ike2kernel(protocol);
1454 sa_id->family = dst->get_family(dst);
1455
1456 if (mark.value)
1457 {
1458 struct xfrm_mark *mrk;
1459 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
1460
1461 rthdr->rta_type = XFRMA_MARK;
1462 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1463 hdr->nlmsg_len += rthdr->rta_len;
1464 if (hdr->nlmsg_len > sizeof(request))
1465 {
1466 return FAILED;
1467 }
1468
1469 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1470 mrk->v = mark.value;
1471 mrk->m = mark.mask;
1472 }
1473
1474 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1475 {
1476 if (mark.value)
1477 {
1478 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x "
1479 "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
1480 }
1481 else
1482 {
1483 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1484 }
1485 return FAILED;
1486 }
1487 if (mark.value)
1488 {
1489 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x (mark %u/0x%8x)",
1490 ntohl(spi), mark.value, mark.mask);
1491 }
1492 else
1493 {
1494 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1495 }
1496 return SUCCESS;
1497 }
1498
1499 METHOD(kernel_ipsec_t, update_sa, status_t,
1500 private_kernel_netlink_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
1501 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1502 bool old_encap, bool new_encap, mark_t mark)
1503 {
1504 netlink_buf_t request;
1505 u_char *pos;
1506 struct nlmsghdr *hdr, *out = NULL;
1507 struct xfrm_usersa_id *sa_id;
1508 struct xfrm_usersa_info *out_sa = NULL, *sa;
1509 size_t len;
1510 struct rtattr *rta;
1511 size_t rtasize;
1512 struct xfrm_encap_tmpl* tmpl = NULL;
1513 bool got_replay_state = FALSE;
1514 struct xfrm_replay_state replay;
1515
1516 /* if IPComp is used, we first update the IPComp SA */
1517 if (cpi)
1518 {
1519 update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
1520 src, dst, new_src, new_dst, FALSE, FALSE, mark);
1521 }
1522
1523 memset(&request, 0, sizeof(request));
1524
1525 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1526
1527 /* query the existing SA first */
1528 hdr = (struct nlmsghdr*)request;
1529 hdr->nlmsg_flags = NLM_F_REQUEST;
1530 hdr->nlmsg_type = XFRM_MSG_GETSA;
1531 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1532
1533 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1534 host2xfrm(dst, &sa_id->daddr);
1535 sa_id->spi = spi;
1536 sa_id->proto = proto_ike2kernel(protocol);
1537 sa_id->family = dst->get_family(dst);
1538
1539 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1540 {
1541 hdr = out;
1542 while (NLMSG_OK(hdr, len))
1543 {
1544 switch (hdr->nlmsg_type)
1545 {
1546 case XFRM_MSG_NEWSA:
1547 {
1548 out_sa = NLMSG_DATA(hdr);
1549 break;
1550 }
1551 case NLMSG_ERROR:
1552 {
1553 struct nlmsgerr *err = NLMSG_DATA(hdr);
1554 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1555 strerror(-err->error), -err->error);
1556 break;
1557 }
1558 default:
1559 hdr = NLMSG_NEXT(hdr, len);
1560 continue;
1561 case NLMSG_DONE:
1562 break;
1563 }
1564 break;
1565 }
1566 }
1567 if (out_sa == NULL)
1568 {
1569 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1570 free(out);
1571 return FAILED;
1572 }
1573
1574 /* try to get the replay state */
1575 if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
1576 {
1577 got_replay_state = TRUE;
1578 }
1579
1580 /* delete the old SA (without affecting the IPComp SA) */
1581 if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
1582 {
1583 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1584 free(out);
1585 return FAILED;
1586 }
1587
1588 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1589 ntohl(spi), src, dst, new_src, new_dst);
1590 /* copy over the SA from out to request */
1591 hdr = (struct nlmsghdr*)request;
1592 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1593 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1594 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1595 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1596 sa = NLMSG_DATA(hdr);
1597 sa->family = new_dst->get_family(new_dst);
1598
1599 if (!src->ip_equals(src, new_src))
1600 {
1601 host2xfrm(new_src, &sa->saddr);
1602 }
1603 if (!dst->ip_equals(dst, new_dst))
1604 {
1605 host2xfrm(new_dst, &sa->id.daddr);
1606 }
1607
1608 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1609 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1610 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1611 while(RTA_OK(rta, rtasize))
1612 {
1613 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1614 if (rta->rta_type != XFRMA_ENCAP || new_encap)
1615 {
1616 if (rta->rta_type == XFRMA_ENCAP)
1617 { /* update encap tmpl */
1618 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1619 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1620 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1621 }
1622 memcpy(pos, rta, rta->rta_len);
1623 pos += RTA_ALIGN(rta->rta_len);
1624 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1625 }
1626 rta = RTA_NEXT(rta, rtasize);
1627 }
1628
1629 rta = (struct rtattr*)pos;
1630 if (tmpl == NULL && new_encap)
1631 { /* add tmpl if we are enabling it */
1632 rta->rta_type = XFRMA_ENCAP;
1633 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1634
1635 hdr->nlmsg_len += rta->rta_len;
1636 if (hdr->nlmsg_len > sizeof(request))
1637 {
1638 return FAILED;
1639 }
1640
1641 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1642 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1643 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1644 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1645 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1646
1647 rta = XFRM_RTA_NEXT(rta);
1648 }
1649
1650 if (got_replay_state)
1651 { /* copy the replay data if available */
1652 rta->rta_type = XFRMA_REPLAY_VAL;
1653 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1654
1655 hdr->nlmsg_len += rta->rta_len;
1656 if (hdr->nlmsg_len > sizeof(request))
1657 {
1658 return FAILED;
1659 }
1660 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1661
1662 rta = XFRM_RTA_NEXT(rta);
1663 }
1664
1665 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1666 {
1667 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1668 free(out);
1669 return FAILED;
1670 }
1671 free(out);
1672
1673 return SUCCESS;
1674 }
1675
1676 METHOD(kernel_ipsec_t, add_policy, status_t,
1677 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1678 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
1679 policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
1680 u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
1681 u_int16_t cpi, bool routed)
1682 {
1683 policy_entry_t *current, *policy;
1684 bool found = FALSE;
1685 netlink_buf_t request;
1686 struct xfrm_userpolicy_info *policy_info;
1687 struct nlmsghdr *hdr;
1688
1689 /* create a policy */
1690 policy = malloc_thing(policy_entry_t);
1691 memset(policy, 0, sizeof(policy_entry_t));
1692 policy->sel = ts2selector(src_ts, dst_ts);
1693 policy->mark = mark.value & mark.mask;
1694 policy->direction = direction;
1695
1696 /* find the policy, which matches EXACTLY */
1697 this->mutex->lock(this->mutex);
1698 current = this->policies->get(this->policies, policy);
1699 if (current)
1700 {
1701 /* use existing policy */
1702 current->refcount++;
1703 if (mark.value)
1704 {
1705 DBG2(DBG_KNL, "policy %R === %R %N (mark %u/0x%8x) "
1706 "already exists, increasing refcount",
1707 src_ts, dst_ts, policy_dir_names, direction,
1708 mark.value, mark.mask);
1709 }
1710 else
1711 {
1712 DBG2(DBG_KNL, "policy %R === %R %N "
1713 "already exists, increasing refcount",
1714 src_ts, dst_ts, policy_dir_names, direction);
1715 }
1716 free(policy);
1717 policy = current;
1718 found = TRUE;
1719 }
1720 else
1721 { /* apply the new one, if we have no such policy */
1722 this->policies->put(this->policies, policy, policy);
1723 policy->refcount = 1;
1724 }
1725
1726 if (mark.value)
1727 {
1728 DBG2(DBG_KNL, "adding policy %R === %R %N (mark %u/0x%8x)",
1729 src_ts, dst_ts, policy_dir_names, direction,
1730 mark.value, mark.mask);
1731 }
1732 else
1733 {
1734 DBG2(DBG_KNL, "adding policy %R === %R %N",
1735 src_ts, dst_ts, policy_dir_names, direction);
1736 }
1737
1738 memset(&request, 0, sizeof(request));
1739 hdr = (struct nlmsghdr*)request;
1740 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1741 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1742 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1743
1744 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1745 policy_info->sel = policy->sel;
1746 policy_info->dir = policy->direction;
1747 /* calculate priority based on source selector size, small size = high prio */
1748 policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
1749 policy_info->priority -= policy->sel.prefixlen_s * 10;
1750 policy_info->priority -= policy->sel.proto ? 2 : 0;
1751 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1752 policy_info->action = XFRM_POLICY_ALLOW;
1753 policy_info->share = XFRM_SHARE_ANY;
1754 this->mutex->unlock(this->mutex);
1755
1756 /* policies don't expire */
1757 policy_info->lft.soft_byte_limit = XFRM_INF;
1758 policy_info->lft.soft_packet_limit = XFRM_INF;
1759 policy_info->lft.hard_byte_limit = XFRM_INF;
1760 policy_info->lft.hard_packet_limit = XFRM_INF;
1761 policy_info->lft.soft_add_expires_seconds = 0;
1762 policy_info->lft.hard_add_expires_seconds = 0;
1763 policy_info->lft.soft_use_expires_seconds = 0;
1764 policy_info->lft.hard_use_expires_seconds = 0;
1765
1766 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1767 rthdr->rta_type = XFRMA_TMPL;
1768 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1769
1770 hdr->nlmsg_len += rthdr->rta_len;
1771 if (hdr->nlmsg_len > sizeof(request))
1772 {
1773 return FAILED;
1774 }
1775
1776 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1777
1778 if (ipcomp != IPCOMP_NONE)
1779 {
1780 tmpl->reqid = reqid;
1781 tmpl->id.proto = IPPROTO_COMP;
1782 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1783 tmpl->mode = mode2kernel(mode);
1784 tmpl->optional = direction != POLICY_OUT;
1785 tmpl->family = src->get_family(src);
1786
1787 host2xfrm(src, &tmpl->saddr);
1788 host2xfrm(dst, &tmpl->id.daddr);
1789
1790 /* add an additional xfrm_user_tmpl */
1791 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1792 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1793 if (hdr->nlmsg_len > sizeof(request))
1794 {
1795 return FAILED;
1796 }
1797
1798 tmpl++;
1799
1800 /* use transport mode for ESP if we have a tunnel mode IPcomp SA */
1801 mode = MODE_TRANSPORT;
1802 }
1803 else
1804 {
1805 /* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */
1806 host2xfrm(src, &tmpl->saddr);
1807 host2xfrm(dst, &tmpl->id.daddr);
1808 }
1809
1810 tmpl->reqid = reqid;
1811 tmpl->id.proto = proto_ike2kernel(protocol);
1812 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1813 tmpl->mode = mode2kernel(mode);
1814 tmpl->family = src->get_family(src);
1815 rthdr = XFRM_RTA_NEXT(rthdr);
1816
1817 if (mark.value)
1818 {
1819 struct xfrm_mark *mrk;
1820
1821 rthdr->rta_type = XFRMA_MARK;
1822 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1823
1824 hdr->nlmsg_len += rthdr->rta_len;
1825 if (hdr->nlmsg_len > sizeof(request))
1826 {
1827 return FAILED;
1828 }
1829
1830 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1831 mrk->v = mark.value;
1832 mrk->m = mark.mask;
1833 }
1834
1835 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1836 {
1837 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1838 policy_dir_names, direction);
1839 return FAILED;
1840 }
1841
1842 /* install a route, if:
1843 * - we are NOT updating a policy
1844 * - this is a forward policy (to just get one for each child)
1845 * - we are in tunnel/BEET mode
1846 * - routing is not disabled via strongswan.conf
1847 */
1848 if (policy->route == NULL && direction == POLICY_FWD &&
1849 mode != MODE_TRANSPORT && this->install_routes)
1850 {
1851 route_entry_t *route = malloc_thing(route_entry_t);
1852
1853 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1854 dst_ts, &route->src_ip) == SUCCESS)
1855 {
1856 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1857 route->gateway = charon->kernel_interface->get_nexthop(
1858 charon->kernel_interface, src);
1859 /* install route via outgoing interface */
1860 route->if_name = charon->kernel_interface->get_interface(
1861 charon->kernel_interface, dst);
1862 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1863 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1864 route->prefixlen = policy->sel.prefixlen_s;
1865
1866 if (route->if_name)
1867 {
1868 switch (charon->kernel_interface->add_route(
1869 charon->kernel_interface, route->dst_net,
1870 route->prefixlen, route->gateway,
1871 route->src_ip, route->if_name))
1872 {
1873 default:
1874 DBG1(DBG_KNL, "unable to install source route for %H",
1875 route->src_ip);
1876 /* FALL */
1877 case ALREADY_DONE:
1878 /* route exists, do not uninstall */
1879 route_entry_destroy(route);
1880 break;
1881 case SUCCESS:
1882 /* cache the installed route */
1883 policy->route = route;
1884 break;
1885 }
1886 }
1887 else
1888 {
1889 route_entry_destroy(route);
1890 }
1891 }
1892 else
1893 {
1894 free(route);
1895 }
1896 }
1897 return SUCCESS;
1898 }
1899
1900 METHOD(kernel_ipsec_t, query_policy, status_t,
1901 private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
1902 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
1903 u_int32_t *use_time)
1904 {
1905 netlink_buf_t request;
1906 struct nlmsghdr *out = NULL, *hdr;
1907 struct xfrm_userpolicy_id *policy_id;
1908 struct xfrm_userpolicy_info *policy = NULL;
1909 size_t len;
1910
1911 memset(&request, 0, sizeof(request));
1912
1913 if (mark.value)
1914 {
1915 DBG2(DBG_KNL, "querying policy %R === %R %N (mark %u/0x%8x)",
1916 src_ts, dst_ts, policy_dir_names, direction,
1917 mark.value, mark.mask);
1918 }
1919 else
1920 {
1921 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1922 policy_dir_names, direction);
1923 }
1924 hdr = (struct nlmsghdr*)request;
1925 hdr->nlmsg_flags = NLM_F_REQUEST;
1926 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1927 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1928
1929 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1930 policy_id->sel = ts2selector(src_ts, dst_ts);
1931 policy_id->dir = direction;
1932
1933 if (mark.value)
1934 {
1935 struct xfrm_mark *mrk;
1936 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
1937
1938 rthdr->rta_type = XFRMA_MARK;
1939 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1940
1941 hdr->nlmsg_len += rthdr->rta_len;
1942 if (hdr->nlmsg_len > sizeof(request))
1943 {
1944 return FAILED;
1945 }
1946
1947 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1948 mrk->v = mark.value;
1949 mrk->m = mark.mask;
1950 }
1951
1952 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1953 {
1954 hdr = out;
1955 while (NLMSG_OK(hdr, len))
1956 {
1957 switch (hdr->nlmsg_type)
1958 {
1959 case XFRM_MSG_NEWPOLICY:
1960 {
1961 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1962 break;
1963 }
1964 case NLMSG_ERROR:
1965 {
1966 struct nlmsgerr *err = NLMSG_DATA(hdr);
1967 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1968 strerror(-err->error), -err->error);
1969 break;
1970 }
1971 default:
1972 hdr = NLMSG_NEXT(hdr, len);
1973 continue;
1974 case NLMSG_DONE:
1975 break;
1976 }
1977 break;
1978 }
1979 }
1980
1981 if (policy == NULL)
1982 {
1983 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1984 policy_dir_names, direction);
1985 free(out);
1986 return FAILED;
1987 }
1988
1989 if (policy->curlft.use_time)
1990 {
1991 /* we need the monotonic time, but the kernel returns system time. */
1992 *use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
1993 }
1994 else
1995 {
1996 *use_time = 0;
1997 }
1998
1999 free(out);
2000 return SUCCESS;
2001 }
2002
2003 METHOD(kernel_ipsec_t, del_policy, status_t,
2004 private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
2005 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
2006 bool unrouted)
2007 {
2008 policy_entry_t *current, policy, *to_delete = NULL;
2009 route_entry_t *route;
2010 netlink_buf_t request;
2011 struct nlmsghdr *hdr;
2012 struct xfrm_userpolicy_id *policy_id;
2013
2014 if (mark.value)
2015 {
2016 DBG2(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x)",
2017 src_ts, dst_ts, policy_dir_names, direction,
2018 mark.value, mark.mask);
2019 }
2020 else
2021 {
2022 DBG2(DBG_KNL, "deleting policy %R === %R %N",
2023 src_ts, dst_ts, policy_dir_names, direction);
2024 }
2025
2026 /* create a policy */
2027 memset(&policy, 0, sizeof(policy_entry_t));
2028 policy.sel = ts2selector(src_ts, dst_ts);
2029 policy.mark = mark.value & mark.mask;
2030 policy.direction = direction;
2031
2032 /* find the policy */
2033 this->mutex->lock(this->mutex);
2034 current = this->policies->get(this->policies, &policy);
2035 if (current)
2036 {
2037 to_delete = current;
2038 if (--to_delete->refcount > 0)
2039 {
2040 /* is used by more SAs, keep in kernel */
2041 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2042 this->mutex->unlock(this->mutex);
2043 return SUCCESS;
2044 }
2045 /* remove if last reference */
2046 this->policies->remove(this->policies, to_delete);
2047 }
2048 this->mutex->unlock(this->mutex);
2049 if (!to_delete)
2050 {
2051 if (mark.value)
2052 {
2053 DBG1(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x) "
2054 "failed, not found", src_ts, dst_ts, policy_dir_names,
2055 direction, mark.value, mark.mask);
2056 }
2057 else
2058 {
2059 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found",
2060 src_ts, dst_ts, policy_dir_names, direction);
2061 }
2062 return NOT_FOUND;
2063 }
2064
2065 memset(&request, 0, sizeof(request));
2066
2067 hdr = (struct nlmsghdr*)request;
2068 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2069 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2070 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2071
2072 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2073 policy_id->sel = to_delete->sel;
2074 policy_id->dir = direction;
2075
2076 if (mark.value)
2077 {
2078 struct xfrm_mark *mrk;
2079 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
2080
2081 rthdr->rta_type = XFRMA_MARK;
2082 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
2083 hdr->nlmsg_len += rthdr->rta_len;
2084 if (hdr->nlmsg_len > sizeof(request))
2085 {
2086 return FAILED;
2087 }
2088
2089 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
2090 mrk->v = mark.value;
2091 mrk->m = mark.mask;
2092 }
2093
2094 route = to_delete->route;
2095 free(to_delete);
2096
2097 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2098 {
2099 if (mark.value)
2100 {
2101 DBG1(DBG_KNL, "unable to delete policy %R === %R %N "
2102 "(mark %u/0x%8x)", src_ts, dst_ts, policy_dir_names,
2103 direction, mark.value, mark.mask);
2104 }
2105 else
2106 {
2107 DBG1(DBG_KNL, "unable to delete policy %R === %R %N",
2108 src_ts, dst_ts, policy_dir_names, direction);
2109 }
2110 return FAILED;
2111 }
2112
2113 if (route)
2114 {
2115 if (charon->kernel_interface->del_route(charon->kernel_interface,
2116 route->dst_net, route->prefixlen, route->gateway,
2117 route->src_ip, route->if_name) != SUCCESS)
2118 {
2119 DBG1(DBG_KNL, "error uninstalling route installed with "
2120 "policy %R === %R %N", src_ts, dst_ts,
2121 policy_dir_names, direction);
2122 }
2123 route_entry_destroy(route);
2124 }
2125 return SUCCESS;
2126 }
2127
2128 METHOD(kernel_ipsec_t, bypass_socket, bool,
2129 private_kernel_netlink_ipsec_t *this, int fd, int family)
2130 {
2131 struct xfrm_userpolicy_info policy;
2132 u_int sol, ipsec_policy;
2133
2134 switch (family)
2135 {
2136 case AF_INET:
2137 sol = SOL_IP;
2138 ipsec_policy = IP_XFRM_POLICY;
2139 break;
2140 case AF_INET6:
2141 sol = SOL_IPV6;
2142 ipsec_policy = IPV6_XFRM_POLICY;
2143 break;
2144 default:
2145 return FALSE;
2146 }
2147
2148 memset(&policy, 0, sizeof(policy));
2149 policy.action = XFRM_POLICY_ALLOW;
2150 policy.sel.family = family;
2151
2152 policy.dir = XFRM_POLICY_OUT;
2153 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2154 {
2155 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2156 strerror(errno));
2157 return FALSE;
2158 }
2159 policy.dir = XFRM_POLICY_IN;
2160 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2161 {
2162 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2163 strerror(errno));
2164 return FALSE;
2165 }
2166 return TRUE;
2167 }
2168
2169 METHOD(kernel_ipsec_t, destroy, void,
2170 private_kernel_netlink_ipsec_t *this)
2171 {
2172 enumerator_t *enumerator;
2173 policy_entry_t *policy;
2174
2175 if (this->job)
2176 {
2177 this->job->cancel(this->job);
2178 }
2179 if (this->socket_xfrm_events > 0)
2180 {
2181 close(this->socket_xfrm_events);
2182 }
2183 DESTROY_IF(this->socket_xfrm);
2184 enumerator = this->policies->create_enumerator(this->policies);
2185 while (enumerator->enumerate(enumerator, &policy, &policy))
2186 {
2187 free(policy);
2188 }
2189 enumerator->destroy(enumerator);
2190 this->policies->destroy(this->policies);
2191 this->mutex->destroy(this->mutex);
2192 free(this);
2193 }
2194
2195 /*
2196 * Described in header.
2197 */
2198 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
2199 {
2200 private_kernel_netlink_ipsec_t *this;
2201 struct sockaddr_nl addr;
2202 int fd;
2203
2204 INIT(this,
2205 .public.interface = {
2206 .get_spi = _get_spi,
2207 .get_cpi = _get_cpi,
2208 .add_sa = _add_sa,
2209 .update_sa = _update_sa,
2210 .query_sa = _query_sa,
2211 .del_sa = _del_sa,
2212 .add_policy = _add_policy,
2213 .query_policy = _query_policy,
2214 .del_policy = _del_policy,
2215 .bypass_socket = _bypass_socket,
2216 .destroy = _destroy,
2217 },
2218 .policies = hashtable_create((hashtable_hash_t)policy_hash,
2219 (hashtable_equals_t)policy_equals, 32),
2220 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2221 .install_routes = lib->settings->get_bool(lib->settings,
2222 "charon.install_routes", TRUE),
2223 );
2224
2225 /* disable lifetimes for allocated SPIs in kernel */
2226 fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
2227 if (fd)
2228 {
2229 ignore_result(write(fd, "165", 3));
2230 close(fd);
2231 }
2232
2233 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
2234 if (!this->socket_xfrm)
2235 {
2236 destroy(this);
2237 return NULL;
2238 }
2239
2240 memset(&addr, 0, sizeof(addr));
2241 addr.nl_family = AF_NETLINK;
2242
2243 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
2244 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2245 if (this->socket_xfrm_events <= 0)
2246 {
2247 DBG1(DBG_KNL, "unable to create XFRM event socket");
2248 destroy(this);
2249 return NULL;
2250 }
2251 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
2252 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
2253 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2254 {
2255 DBG1(DBG_KNL, "unable to bind XFRM event socket");
2256 destroy(this);
2257 return NULL;
2258 }
2259 this->job = callback_job_create((callback_job_cb_t)receive_events,
2260 this, NULL, NULL);
2261 charon->processor->queue_job(charon->processor, (job_t*)this->job);
2262
2263 return &this->public;
2264 }
2265