projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
added non-standard SERPENT and TWOFISH support to kernel_netlink plugin
[strongswan.git] / src / libhydra / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2010 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include <sys/types.h>
22 #include <sys/socket.h>
23 #include <stdint.h>
24 #include <linux/ipsec.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <unistd.h>
30 #include <time.h>
31 #include <errno.h>
32 #include <string.h>
33 #include <fcntl.h>
34
35 #include "kernel_netlink_ipsec.h"
36 #include "kernel_netlink_shared.h"
37
38 #include <hydra.h>
39 #include <debug.h>
40 #include <threading/thread.h>
41 #include <threading/mutex.h>
42 #include <utils/hashtable.h>
43 #include <processing/jobs/callback_job.h>
44
45 /** required for Linux 2.6.26 kernel and later */
46 #ifndef XFRM_STATE_AF_UNSPEC
47 #define XFRM_STATE_AF_UNSPEC 32
48 #endif
49
50 /** from linux/in.h */
51 #ifndef IP_XFRM_POLICY
52 #define IP_XFRM_POLICY 17
53 #endif
54
55 /* missing on uclibc */
56 #ifndef IPV6_XFRM_POLICY
57 #define IPV6_XFRM_POLICY 34
58 #endif /*IPV6_XFRM_POLICY*/
59
60 /** default priority of installed policies */
61 #define PRIO_LOW 3000
62 #define PRIO_HIGH 2000
63
64 /**
65 * map the limit for bytes and packets to XFRM_INF per default
66 */
67 #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
68
69 /**
70 * Create ORable bitfield of XFRM NL groups
71 */
72 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
73
74 /**
75 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
76 * 'usual' netlink data x like 'struct xfrm_usersa_info'
77 */
78 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
79 /**
80 * returns a pointer to the next rtattr following rta.
81 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
82 */
83 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
84 /**
85 * returns the total size of attached rta data
86 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
87 */
88 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
89
90 typedef struct kernel_algorithm_t kernel_algorithm_t;
91
92 /**
93 * Mapping of IKEv2 kernel identifier to linux crypto API names
94 */
95 struct kernel_algorithm_t {
96 /**
97 * Identifier specified in IKEv2
98 */
99 int ikev2;
100
101 /**
102 * Name of the algorithm in linux crypto API
103 */
104 char *name;
105 };
106
107 ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
108 "XFRM_MSG_NEWSA",
109 "XFRM_MSG_DELSA",
110 "XFRM_MSG_GETSA",
111 "XFRM_MSG_NEWPOLICY",
112 "XFRM_MSG_DELPOLICY",
113 "XFRM_MSG_GETPOLICY",
114 "XFRM_MSG_ALLOCSPI",
115 "XFRM_MSG_ACQUIRE",
116 "XFRM_MSG_EXPIRE",
117 "XFRM_MSG_UPDPOLICY",
118 "XFRM_MSG_UPDSA",
119 "XFRM_MSG_POLEXPIRE",
120 "XFRM_MSG_FLUSHSA",
121 "XFRM_MSG_FLUSHPOLICY",
122 "XFRM_MSG_NEWAE",
123 "XFRM_MSG_GETAE",
124 "XFRM_MSG_REPORT",
125 "XFRM_MSG_MIGRATE",
126 "XFRM_MSG_NEWSADINFO",
127 "XFRM_MSG_GETSADINFO",
128 "XFRM_MSG_NEWSPDINFO",
129 "XFRM_MSG_GETSPDINFO",
130 "XFRM_MSG_MAPPING"
131 );
132
133 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
134 "XFRMA_UNSPEC",
135 "XFRMA_ALG_AUTH",
136 "XFRMA_ALG_CRYPT",
137 "XFRMA_ALG_COMP",
138 "XFRMA_ENCAP",
139 "XFRMA_TMPL",
140 "XFRMA_SA",
141 "XFRMA_POLICY",
142 "XFRMA_SEC_CTX",
143 "XFRMA_LTIME_VAL",
144 "XFRMA_REPLAY_VAL",
145 "XFRMA_REPLAY_THRESH",
146 "XFRMA_ETIMER_THRESH",
147 "XFRMA_SRCADDR",
148 "XFRMA_COADDR",
149 "XFRMA_LASTUSED",
150 "XFRMA_POLICY_TYPE",
151 "XFRMA_MIGRATE",
152 "XFRMA_ALG_AEAD",
153 "XFRMA_KMADDRESS"
154 );
155
156 #define END_OF_LIST -1
157
158 /**
159 * Algorithms for encryption
160 */
161 static kernel_algorithm_t encryption_algs[] = {
162 /* {ENCR_DES_IV64, "***" }, */
163 {ENCR_DES, "des" },
164 {ENCR_3DES, "des3_ede" },
165 /* {ENCR_RC5, "***" }, */
166 /* {ENCR_IDEA, "***" }, */
167 {ENCR_CAST, "cast128" },
168 {ENCR_BLOWFISH, "blowfish" },
169 /* {ENCR_3IDEA, "***" }, */
170 /* {ENCR_DES_IV32, "***" }, */
171 {ENCR_NULL, "cipher_null" },
172 {ENCR_AES_CBC, "aes" },
173 {ENCR_AES_CTR, "rfc3686(ctr(aes))" },
174 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
175 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
176 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
177 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
178 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
179 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
180 {ENCR_NULL_AUTH_AES_GMAC, "rfc4543(gcm(aes))" },
181 {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
182 /* {ENCR_CAMELLIA_CTR, "***" }, */
183 /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
184 /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
185 /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
186 {ENCR_SERPENT_CBC, "serpent" },
187 {ENCR_TWOFISH_CBC, "twofish" },
188 {END_OF_LIST, NULL }
189 };
190
191 /**
192 * Algorithms for integrity protection
193 */
194 static kernel_algorithm_t integrity_algs[] = {
195 {AUTH_HMAC_MD5_96, "md5" },
196 {AUTH_HMAC_SHA1_96, "sha1" },
197 {AUTH_HMAC_SHA2_256_96, "sha256" },
198 {AUTH_HMAC_SHA2_256_128, "hmac(sha256)" },
199 {AUTH_HMAC_SHA2_384_192, "hmac(sha384)" },
200 {AUTH_HMAC_SHA2_512_256, "hmac(sha512)" },
201 /* {AUTH_DES_MAC, "***" }, */
202 /* {AUTH_KPDK_MD5, "***" }, */
203 {AUTH_AES_XCBC_96, "xcbc(aes)" },
204 {END_OF_LIST, NULL }
205 };
206
207 /**
208 * Algorithms for IPComp
209 */
210 static kernel_algorithm_t compression_algs[] = {
211 /* {IPCOMP_OUI, "***" }, */
212 {IPCOMP_DEFLATE, "deflate" },
213 {IPCOMP_LZS, "lzs" },
214 {IPCOMP_LZJH, "lzjh" },
215 {END_OF_LIST, NULL }
216 };
217
218 /**
219 * Look up a kernel algorithm name and its key size
220 */
221 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
222 {
223 while (list->ikev2 != END_OF_LIST)
224 {
225 if (list->ikev2 == ikev2)
226 {
227 return list->name;
228 }
229 list++;
230 }
231 return NULL;
232 }
233
234 typedef struct route_entry_t route_entry_t;
235
236 /**
237 * installed routing entry
238 */
239 struct route_entry_t {
240 /** Name of the interface the route is bound to */
241 char *if_name;
242
243 /** Source ip of the route */
244 host_t *src_ip;
245
246 /** gateway for this route */
247 host_t *gateway;
248
249 /** Destination net */
250 chunk_t dst_net;
251
252 /** Destination net prefixlen */
253 u_int8_t prefixlen;
254 };
255
256 /**
257 * destroy an route_entry_t object
258 */
259 static void route_entry_destroy(route_entry_t *this)
260 {
261 free(this->if_name);
262 this->src_ip->destroy(this->src_ip);
263 DESTROY_IF(this->gateway);
264 chunk_free(&this->dst_net);
265 free(this);
266 }
267
268 typedef struct policy_entry_t policy_entry_t;
269
270 /**
271 * installed kernel policy.
272 */
273 struct policy_entry_t {
274
275 /** direction of this policy: in, out, forward */
276 u_int8_t direction;
277
278 /** parameters of installed policy */
279 struct xfrm_selector sel;
280
281 /** optional mark */
282 u_int32_t mark;
283
284 /** associated route installed for this policy */
285 route_entry_t *route;
286
287 /** by how many CHILD_SA's this policy is used */
288 u_int refcount;
289 };
290
291 /**
292 * Hash function for policy_entry_t objects
293 */
294 static u_int policy_hash(policy_entry_t *key)
295 {
296 chunk_t chunk = chunk_create((void*)&key->sel,
297 sizeof(struct xfrm_selector) + sizeof(u_int32_t));
298 return chunk_hash(chunk);
299 }
300
301 /**
302 * Equality function for policy_entry_t objects
303 */
304 static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
305 {
306 return memeq(&key->sel, &other_key->sel,
307 sizeof(struct xfrm_selector) + sizeof(u_int32_t)) &&
308 key->direction == other_key->direction;
309 }
310
311 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
312
313 /**
314 * Private variables and functions of kernel_netlink class.
315 */
316 struct private_kernel_netlink_ipsec_t {
317 /**
318 * Public part of the kernel_netlink_t object.
319 */
320 kernel_netlink_ipsec_t public;
321
322 /**
323 * mutex to lock access to various lists
324 */
325 mutex_t *mutex;
326
327 /**
328 * Hash table of installed policies (policy_entry_t)
329 */
330 hashtable_t *policies;
331
332 /**
333 * job receiving netlink events
334 */
335 callback_job_t *job;
336
337 /**
338 * Netlink xfrm socket (IPsec)
339 */
340 netlink_socket_t *socket_xfrm;
341
342 /**
343 * netlink xfrm socket to receive acquire and expire events
344 */
345 int socket_xfrm_events;
346
347 /**
348 * whether to install routes along policies
349 */
350 bool install_routes;
351 };
352
353 /**
354 * convert the general ipsec mode to the one defined in xfrm.h
355 */
356 static u_int8_t mode2kernel(ipsec_mode_t mode)
357 {
358 switch (mode)
359 {
360 case MODE_TRANSPORT:
361 return XFRM_MODE_TRANSPORT;
362 case MODE_TUNNEL:
363 return XFRM_MODE_TUNNEL;
364 case MODE_BEET:
365 return XFRM_MODE_BEET;
366 default:
367 return mode;
368 }
369 }
370
371 /**
372 * convert a host_t to a struct xfrm_address
373 */
374 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
375 {
376 chunk_t chunk = host->get_address(host);
377 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
378 }
379
380 /**
381 * convert a struct xfrm_address to a host_t
382 */
383 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
384 {
385 chunk_t chunk;
386
387 switch (family)
388 {
389 case AF_INET:
390 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
391 break;
392 case AF_INET6:
393 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
394 break;
395 default:
396 return NULL;
397 }
398 return host_create_from_chunk(family, chunk, ntohs(port));
399 }
400
401 /**
402 * convert a traffic selector address range to subnet and its mask.
403 */
404 static void ts2subnet(traffic_selector_t* ts,
405 xfrm_address_t *net, u_int8_t *mask)
406 {
407 host_t *net_host;
408 chunk_t net_chunk;
409
410 ts->to_subnet(ts, &net_host, mask);
411 net_chunk = net_host->get_address(net_host);
412 memcpy(net, net_chunk.ptr, net_chunk.len);
413 net_host->destroy(net_host);
414 }
415
416 /**
417 * convert a traffic selector port range to port/portmask
418 */
419 static void ts2ports(traffic_selector_t* ts,
420 u_int16_t *port, u_int16_t *mask)
421 {
422 /* linux does not seem to accept complex portmasks. Only
423 * any or a specific port is allowed. We set to any, if we have
424 * a port range, or to a specific, if we have one port only.
425 */
426 u_int16_t from, to;
427
428 from = ts->get_from_port(ts);
429 to = ts->get_to_port(ts);
430
431 if (from == to)
432 {
433 *port = htons(from);
434 *mask = ~0;
435 }
436 else
437 {
438 *port = 0;
439 *mask = 0;
440 }
441 }
442
443 /**
444 * convert a pair of traffic_selectors to a xfrm_selector
445 */
446 static struct xfrm_selector ts2selector(traffic_selector_t *src,
447 traffic_selector_t *dst)
448 {
449 struct xfrm_selector sel;
450
451 memset(&sel, 0, sizeof(sel));
452 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
453 /* src or dest proto may be "any" (0), use more restrictive one */
454 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
455 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
456 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
457 ts2ports(dst, &sel.dport, &sel.dport_mask);
458 ts2ports(src, &sel.sport, &sel.sport_mask);
459 sel.ifindex = 0;
460 sel.user = 0;
461
462 return sel;
463 }
464
465 /**
466 * convert a xfrm_selector to a src|dst traffic_selector
467 */
468 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
469 {
470 u_char *addr;
471 u_int8_t prefixlen;
472 u_int16_t port = 0;
473 host_t *host = NULL;
474
475 if (src)
476 {
477 addr = (u_char*)&sel->saddr;
478 prefixlen = sel->prefixlen_s;
479 if (sel->sport_mask)
480 {
481 port = htons(sel->sport);
482 }
483 }
484 else
485 {
486 addr = (u_char*)&sel->daddr;
487 prefixlen = sel->prefixlen_d;
488 if (sel->dport_mask)
489 {
490 port = htons(sel->dport);
491 }
492 }
493
494 /* The Linux 2.6 kernel does not set the selector's family field,
495 * so as a kludge we additionally test the prefix length.
496 */
497 if (sel->family == AF_INET || sel->prefixlen_s == 32)
498 {
499 host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
500 }
501 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
502 {
503 host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
504 }
505
506 if (host)
507 {
508 return traffic_selector_create_from_subnet(host, prefixlen,
509 sel->proto, port);
510 }
511 return NULL;
512 }
513
514 /**
515 * process a XFRM_MSG_ACQUIRE from kernel
516 */
517 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
518 {
519 u_int32_t reqid = 0;
520 int proto = 0;
521 traffic_selector_t *src_ts, *dst_ts;
522 struct xfrm_user_acquire *acquire;
523 struct rtattr *rta;
524 size_t rtasize;
525
526 acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
527 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
528 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
529
530 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
531
532 while (RTA_OK(rta, rtasize))
533 {
534 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
535
536 if (rta->rta_type == XFRMA_TMPL)
537 {
538 struct xfrm_user_tmpl* tmpl;
539
540 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
541 reqid = tmpl->reqid;
542 proto = tmpl->id.proto;
543 }
544 rta = RTA_NEXT(rta, rtasize);
545 }
546 switch (proto)
547 {
548 case 0:
549 case IPPROTO_ESP:
550 case IPPROTO_AH:
551 break;
552 default:
553 /* acquire for AH/ESP only, not for IPCOMP */
554 return;
555 }
556 src_ts = selector2ts(&acquire->sel, TRUE);
557 dst_ts = selector2ts(&acquire->sel, FALSE);
558
559 hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
560 dst_ts);
561 }
562
563 /**
564 * process a XFRM_MSG_EXPIRE from kernel
565 */
566 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
567 {
568 u_int8_t protocol;
569 u_int32_t spi, reqid;
570 struct xfrm_user_expire *expire;
571
572 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
573 protocol = expire->state.id.proto;
574 spi = expire->state.id.spi;
575 reqid = expire->state.reqid;
576
577 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
578
579 if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
580 {
581 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and "
582 "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
583 return;
584 }
585
586 hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
587 spi, expire->hard != 0);
588 }
589
590 /**
591 * process a XFRM_MSG_MIGRATE from kernel
592 */
593 static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
594 {
595 traffic_selector_t *src_ts, *dst_ts;
596 host_t *local = NULL, *remote = NULL;
597 host_t *old_src = NULL, *old_dst = NULL;
598 host_t *new_src = NULL, *new_dst = NULL;
599 struct xfrm_userpolicy_id *policy_id;
600 struct rtattr *rta;
601 size_t rtasize;
602 u_int32_t reqid = 0;
603 policy_dir_t dir;
604
605 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
606 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
607 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
608
609 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
610
611 src_ts = selector2ts(&policy_id->sel, TRUE);
612 dst_ts = selector2ts(&policy_id->sel, FALSE);
613 dir = (policy_dir_t)policy_id->dir;
614
615 DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
616
617 while (RTA_OK(rta, rtasize))
618 {
619 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
620 if (rta->rta_type == XFRMA_KMADDRESS)
621 {
622 struct xfrm_user_kmaddress *kmaddress;
623
624 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
625 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
626 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
627 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
628 }
629 else if (rta->rta_type == XFRMA_MIGRATE)
630 {
631 struct xfrm_user_migrate *migrate;
632
633 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
634 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
635 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
636 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
637 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
638 reqid = migrate->reqid;
639 DBG2(DBG_KNL, " migrate %H...%H to %H...%H, reqid {%u}",
640 old_src, old_dst, new_src, new_dst, reqid);
641 DESTROY_IF(old_src);
642 DESTROY_IF(old_dst);
643 DESTROY_IF(new_src);
644 DESTROY_IF(new_dst);
645 }
646 rta = RTA_NEXT(rta, rtasize);
647 }
648
649 if (src_ts && dst_ts && local && remote)
650 {
651 hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
652 src_ts, dst_ts, dir, local, remote);
653 }
654 else
655 {
656 DESTROY_IF(src_ts);
657 DESTROY_IF(dst_ts);
658 DESTROY_IF(local);
659 DESTROY_IF(remote);
660 }
661 }
662
663 /**
664 * process a XFRM_MSG_MAPPING from kernel
665 */
666 static void process_mapping(private_kernel_netlink_ipsec_t *this,
667 struct nlmsghdr *hdr)
668 {
669 u_int32_t spi, reqid;
670 struct xfrm_user_mapping *mapping;
671 host_t *host;
672
673 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
674 spi = mapping->id.spi;
675 reqid = mapping->reqid;
676
677 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
678
679 if (mapping->id.proto == IPPROTO_ESP)
680 {
681 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
682 mapping->new_sport);
683 if (host)
684 {
685 hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
686 spi, host);
687 }
688 }
689 }
690
691 /**
692 * Receives events from kernel
693 */
694 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
695 {
696 char response[1024];
697 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
698 struct sockaddr_nl addr;
699 socklen_t addr_len = sizeof(addr);
700 int len;
701 bool oldstate;
702
703 oldstate = thread_cancelability(TRUE);
704 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
705 (struct sockaddr*)&addr, &addr_len);
706 thread_cancelability(oldstate);
707
708 if (len < 0)
709 {
710 switch (errno)
711 {
712 case EINTR:
713 /* interrupted, try again */
714 return JOB_REQUEUE_DIRECT;
715 case EAGAIN:
716 /* no data ready, select again */
717 return JOB_REQUEUE_DIRECT;
718 default:
719 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
720 sleep(1);
721 return JOB_REQUEUE_FAIR;
722 }
723 }
724
725 if (addr.nl_pid != 0)
726 { /* not from kernel. not interested, try another one */
727 return JOB_REQUEUE_DIRECT;
728 }
729
730 while (NLMSG_OK(hdr, len))
731 {
732 switch (hdr->nlmsg_type)
733 {
734 case XFRM_MSG_ACQUIRE:
735 process_acquire(this, hdr);
736 break;
737 case XFRM_MSG_EXPIRE:
738 process_expire(this, hdr);
739 break;
740 case XFRM_MSG_MIGRATE:
741 process_migrate(this, hdr);
742 break;
743 case XFRM_MSG_MAPPING:
744 process_mapping(this, hdr);
745 break;
746 default:
747 DBG1(DBG_KNL, "received unknown event from xfrm event socket: %d", hdr->nlmsg_type);
748 break;
749 }
750 hdr = NLMSG_NEXT(hdr, len);
751 }
752 return JOB_REQUEUE_DIRECT;
753 }
754
755 /**
756 * Get an SPI for a specific protocol from the kernel.
757 */
758 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
759 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
760 u_int32_t reqid, u_int32_t *spi)
761 {
762 netlink_buf_t request;
763 struct nlmsghdr *hdr, *out;
764 struct xfrm_userspi_info *userspi;
765 u_int32_t received_spi = 0;
766 size_t len;
767
768 memset(&request, 0, sizeof(request));
769
770 hdr = (struct nlmsghdr*)request;
771 hdr->nlmsg_flags = NLM_F_REQUEST;
772 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
773 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
774
775 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
776 host2xfrm(src, &userspi->info.saddr);
777 host2xfrm(dst, &userspi->info.id.daddr);
778 userspi->info.id.proto = proto;
779 userspi->info.mode = XFRM_MODE_TUNNEL;
780 userspi->info.reqid = reqid;
781 userspi->info.family = src->get_family(src);
782 userspi->min = min;
783 userspi->max = max;
784
785 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
786 {
787 hdr = out;
788 while (NLMSG_OK(hdr, len))
789 {
790 switch (hdr->nlmsg_type)
791 {
792 case XFRM_MSG_NEWSA:
793 {
794 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
795 received_spi = usersa->id.spi;
796 break;
797 }
798 case NLMSG_ERROR:
799 {
800 struct nlmsgerr *err = NLMSG_DATA(hdr);
801
802 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
803 strerror(-err->error), -err->error);
804 break;
805 }
806 default:
807 hdr = NLMSG_NEXT(hdr, len);
808 continue;
809 case NLMSG_DONE:
810 break;
811 }
812 break;
813 }
814 free(out);
815 }
816
817 if (received_spi == 0)
818 {
819 return FAILED;
820 }
821
822 *spi = received_spi;
823 return SUCCESS;
824 }
825
826 METHOD(kernel_ipsec_t, get_spi, status_t,
827 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
828 u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
829 {
830 DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
831
832 if (get_spi_internal(this, src, dst, protocol,
833 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
834 {
835 DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
836 return FAILED;
837 }
838
839 DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
840
841 return SUCCESS;
842 }
843
844 METHOD(kernel_ipsec_t, get_cpi, status_t,
845 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
846 u_int32_t reqid, u_int16_t *cpi)
847 {
848 u_int32_t received_spi = 0;
849
850 DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
851
852 if (get_spi_internal(this, src, dst,
853 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
854 {
855 DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
856 return FAILED;
857 }
858
859 *cpi = htons((u_int16_t)ntohl(received_spi));
860
861 DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
862
863 return SUCCESS;
864 }
865
866 METHOD(kernel_ipsec_t, add_sa, status_t,
867 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
868 u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
869 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
870 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
871 u_int16_t cpi, bool encap, bool inbound,
872 traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
873 {
874 netlink_buf_t request;
875 char *alg_name;
876 struct nlmsghdr *hdr;
877 struct xfrm_usersa_info *sa;
878 u_int16_t icv_size = 64;
879
880 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
881 * we are in the recursive call below */
882 if (ipcomp != IPCOMP_NONE && cpi != 0)
883 {
884 lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
885 add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
886 &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
887 mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
888 ipcomp = IPCOMP_NONE;
889 /* use transport mode ESP SA, IPComp uses tunnel mode */
890 mode = MODE_TRANSPORT;
891 }
892
893 memset(&request, 0, sizeof(request));
894
895 if (mark.value)
896 {
897 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u} "
898 "(mark %u/0x%8x)", ntohl(spi), reqid, mark.value, mark.mask);
899 }
900 else
901 {
902 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
903 ntohl(spi), reqid);
904 }
905 hdr = (struct nlmsghdr*)request;
906 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
907 hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
908 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
909
910 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
911 host2xfrm(src, &sa->saddr);
912 host2xfrm(dst, &sa->id.daddr);
913 sa->id.spi = spi;
914 sa->id.proto = protocol;
915 sa->family = src->get_family(src);
916 sa->mode = mode2kernel(mode);
917 switch (mode)
918 {
919 case MODE_TUNNEL:
920 sa->flags |= XFRM_STATE_AF_UNSPEC;
921 break;
922 case MODE_BEET:
923 if(src_ts && dst_ts)
924 {
925 sa->sel = ts2selector(src_ts, dst_ts);
926 }
927 break;
928 default:
929 break;
930 }
931
932 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
933 sa->reqid = reqid;
934 sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
935 sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life);
936 sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey);
937 sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life);
938 /* we use lifetimes since added, not since used */
939 sa->lft.soft_add_expires_seconds = lifetime->time.rekey;
940 sa->lft.hard_add_expires_seconds = lifetime->time.life;
941 sa->lft.soft_use_expires_seconds = 0;
942 sa->lft.hard_use_expires_seconds = 0;
943
944 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
945
946 switch (enc_alg)
947 {
948 case ENCR_UNDEFINED:
949 /* no encryption */
950 break;
951 case ENCR_AES_CCM_ICV16:
952 case ENCR_AES_GCM_ICV16:
953 case ENCR_NULL_AUTH_AES_GMAC:
954 case ENCR_CAMELLIA_CCM_ICV16:
955 icv_size += 32;
956 /* FALL */
957 case ENCR_AES_CCM_ICV12:
958 case ENCR_AES_GCM_ICV12:
959 case ENCR_CAMELLIA_CCM_ICV12:
960 icv_size += 32;
961 /* FALL */
962 case ENCR_AES_CCM_ICV8:
963 case ENCR_AES_GCM_ICV8:
964 case ENCR_CAMELLIA_CCM_ICV8:
965 {
966 struct xfrm_algo_aead *algo;
967
968 alg_name = lookup_algorithm(encryption_algs, enc_alg);
969 if (alg_name == NULL)
970 {
971 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
972 encryption_algorithm_names, enc_alg);
973 return FAILED;
974 }
975 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
976 encryption_algorithm_names, enc_alg, enc_key.len * 8);
977
978 rthdr->rta_type = XFRMA_ALG_AEAD;
979 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
980 hdr->nlmsg_len += rthdr->rta_len;
981 if (hdr->nlmsg_len > sizeof(request))
982 {
983 return FAILED;
984 }
985
986 algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
987 algo->alg_key_len = enc_key.len * 8;
988 algo->alg_icv_len = icv_size;
989 strcpy(algo->alg_name, alg_name);
990 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
991
992 rthdr = XFRM_RTA_NEXT(rthdr);
993 break;
994 }
995 default:
996 {
997 struct xfrm_algo *algo;
998
999 alg_name = lookup_algorithm(encryption_algs, enc_alg);
1000 if (alg_name == NULL)
1001 {
1002 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1003 encryption_algorithm_names, enc_alg);
1004 return FAILED;
1005 }
1006 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1007 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1008
1009 rthdr->rta_type = XFRMA_ALG_CRYPT;
1010 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
1011 hdr->nlmsg_len += rthdr->rta_len;
1012 if (hdr->nlmsg_len > sizeof(request))
1013 {
1014 return FAILED;
1015 }
1016
1017 algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1018 algo->alg_key_len = enc_key.len * 8;
1019 strcpy(algo->alg_name, alg_name);
1020 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
1021
1022 rthdr = XFRM_RTA_NEXT(rthdr);
1023 }
1024 }
1025
1026 if (int_alg != AUTH_UNDEFINED)
1027 {
1028 alg_name = lookup_algorithm(integrity_algs, int_alg);
1029 if (alg_name == NULL)
1030 {
1031 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1032 integrity_algorithm_names, int_alg);
1033 return FAILED;
1034 }
1035 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1036 integrity_algorithm_names, int_alg, int_key.len * 8);
1037
1038 if (int_alg == AUTH_HMAC_SHA2_256_128)
1039 {
1040 struct xfrm_algo_auth* algo;
1041
1042 /* the kernel uses SHA256 with 96 bit truncation by default,
1043 * use specified truncation size supported by newer kernels */
1044 rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
1045 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) + int_key.len);
1046
1047 hdr->nlmsg_len += rthdr->rta_len;
1048 if (hdr->nlmsg_len > sizeof(request))
1049 {
1050 return FAILED;
1051 }
1052
1053 algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
1054 algo->alg_key_len = int_key.len * 8;
1055 algo->alg_trunc_len = 128;
1056 strcpy(algo->alg_name, alg_name);
1057 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1058 }
1059 else
1060 {
1061 struct xfrm_algo* algo;
1062
1063 rthdr->rta_type = XFRMA_ALG_AUTH;
1064 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
1065
1066 hdr->nlmsg_len += rthdr->rta_len;
1067 if (hdr->nlmsg_len > sizeof(request))
1068 {
1069 return FAILED;
1070 }
1071
1072 algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1073 algo->alg_key_len = int_key.len * 8;
1074 strcpy(algo->alg_name, alg_name);
1075 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1076 }
1077 rthdr = XFRM_RTA_NEXT(rthdr);
1078 }
1079
1080 if (ipcomp != IPCOMP_NONE)
1081 {
1082 rthdr->rta_type = XFRMA_ALG_COMP;
1083 alg_name = lookup_algorithm(compression_algs, ipcomp);
1084 if (alg_name == NULL)
1085 {
1086 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1087 ipcomp_transform_names, ipcomp);
1088 return FAILED;
1089 }
1090 DBG2(DBG_KNL, " using compression algorithm %N",
1091 ipcomp_transform_names, ipcomp);
1092
1093 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
1094 hdr->nlmsg_len += rthdr->rta_len;
1095 if (hdr->nlmsg_len > sizeof(request))
1096 {
1097 return FAILED;
1098 }
1099
1100 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1101 algo->alg_key_len = 0;
1102 strcpy(algo->alg_name, alg_name);
1103
1104 rthdr = XFRM_RTA_NEXT(rthdr);
1105 }
1106
1107 if (encap)
1108 {
1109 struct xfrm_encap_tmpl *tmpl;
1110
1111 rthdr->rta_type = XFRMA_ENCAP;
1112 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1113
1114 hdr->nlmsg_len += rthdr->rta_len;
1115 if (hdr->nlmsg_len > sizeof(request))
1116 {
1117 return FAILED;
1118 }
1119
1120 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1121 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1122 tmpl->encap_sport = htons(src->get_port(src));
1123 tmpl->encap_dport = htons(dst->get_port(dst));
1124 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1125 /* encap_oa could probably be derived from the
1126 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1127 * pluto does the same as we do here but it uses encap_oa in the
1128 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1129 * the kernel ignores it anyway
1130 * -> does that mean that NAT-T encap doesn't work in transport mode?
1131 * No. The reason the kernel ignores NAT-OA is that it recomputes
1132 * (or, rather, just ignores) the checksum. If packets pass
1133 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1134 rthdr = XFRM_RTA_NEXT(rthdr);
1135 }
1136
1137 if (mark.value)
1138 {
1139 struct xfrm_mark *mrk;
1140
1141 rthdr->rta_type = XFRMA_MARK;
1142 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1143
1144 hdr->nlmsg_len += rthdr->rta_len;
1145 if (hdr->nlmsg_len > sizeof(request))
1146 {
1147 return FAILED;
1148 }
1149
1150 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1151 mrk->v = mark.value;
1152 mrk->m = mark.mask;
1153 rthdr = XFRM_RTA_NEXT(rthdr);
1154 }
1155
1156 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1157 {
1158 if (mark.value)
1159 {
1160 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x "
1161 "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
1162 }
1163 else
1164 {
1165 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1166 }
1167 return FAILED;
1168 }
1169 return SUCCESS;
1170 }
1171
1172 /**
1173 * Get the replay state (i.e. sequence numbers) of an SA.
1174 */
1175 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
1176 u_int32_t spi, u_int8_t protocol, host_t *dst,
1177 struct xfrm_replay_state *replay)
1178 {
1179 netlink_buf_t request;
1180 struct nlmsghdr *hdr, *out = NULL;
1181 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1182 size_t len;
1183 struct rtattr *rta;
1184 size_t rtasize;
1185
1186 memset(&request, 0, sizeof(request));
1187
1188 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
1189
1190 hdr = (struct nlmsghdr*)request;
1191 hdr->nlmsg_flags = NLM_F_REQUEST;
1192 hdr->nlmsg_type = XFRM_MSG_GETAE;
1193 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1194
1195 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1196 aevent_id->flags = XFRM_AE_RVAL;
1197
1198 host2xfrm(dst, &aevent_id->sa_id.daddr);
1199 aevent_id->sa_id.spi = spi;
1200 aevent_id->sa_id.proto = protocol;
1201 aevent_id->sa_id.family = dst->get_family(dst);
1202
1203 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1204 {
1205 hdr = out;
1206 while (NLMSG_OK(hdr, len))
1207 {
1208 switch (hdr->nlmsg_type)
1209 {
1210 case XFRM_MSG_NEWAE:
1211 {
1212 out_aevent = NLMSG_DATA(hdr);
1213 break;
1214 }
1215 case NLMSG_ERROR:
1216 {
1217 struct nlmsgerr *err = NLMSG_DATA(hdr);
1218 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
1219 strerror(-err->error), -err->error);
1220 break;
1221 }
1222 default:
1223 hdr = NLMSG_NEXT(hdr, len);
1224 continue;
1225 case NLMSG_DONE:
1226 break;
1227 }
1228 break;
1229 }
1230 }
1231
1232 if (out_aevent == NULL)
1233 {
1234 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1235 ntohl(spi));
1236 free(out);
1237 return FAILED;
1238 }
1239
1240 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1241 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1242 while(RTA_OK(rta, rtasize))
1243 {
1244 if (rta->rta_type == XFRMA_REPLAY_VAL &&
1245 RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
1246 {
1247 memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
1248 free(out);
1249 return SUCCESS;
1250 }
1251 rta = RTA_NEXT(rta, rtasize);
1252 }
1253
1254 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1255 ntohl(spi));
1256 free(out);
1257 return FAILED;
1258 }
1259
1260 METHOD(kernel_ipsec_t, query_sa, status_t,
1261 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1262 u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
1263 {
1264 netlink_buf_t request;
1265 struct nlmsghdr *out = NULL, *hdr;
1266 struct xfrm_usersa_id *sa_id;
1267 struct xfrm_usersa_info *sa = NULL;
1268 size_t len;
1269
1270 memset(&request, 0, sizeof(request));
1271
1272 if (mark.value)
1273 {
1274 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x (mark %u/0x%8x)",
1275 ntohl(spi), mark.value, mark.mask);
1276 }
1277 else
1278 {
1279 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1280 }
1281 hdr = (struct nlmsghdr*)request;
1282 hdr->nlmsg_flags = NLM_F_REQUEST;
1283 hdr->nlmsg_type = XFRM_MSG_GETSA;
1284 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1285
1286 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1287 host2xfrm(dst, &sa_id->daddr);
1288 sa_id->spi = spi;
1289 sa_id->proto = protocol;
1290 sa_id->family = dst->get_family(dst);
1291
1292 if (mark.value)
1293 {
1294 struct xfrm_mark *mrk;
1295 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
1296
1297 rthdr->rta_type = XFRMA_MARK;
1298 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1299 hdr->nlmsg_len += rthdr->rta_len;
1300 if (hdr->nlmsg_len > sizeof(request))
1301 {
1302 return FAILED;
1303 }
1304
1305 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1306 mrk->v = mark.value;
1307 mrk->m = mark.mask;
1308 }
1309
1310 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1311 {
1312 hdr = out;
1313 while (NLMSG_OK(hdr, len))
1314 {
1315 switch (hdr->nlmsg_type)
1316 {
1317 case XFRM_MSG_NEWSA:
1318 {
1319 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1320 break;
1321 }
1322 case NLMSG_ERROR:
1323 {
1324 struct nlmsgerr *err = NLMSG_DATA(hdr);
1325
1326 if (mark.value)
1327 {
1328 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x "
1329 "(mark %u/0x%8x) failed: %s (%d)",
1330 ntohl(spi), mark.value, mark.mask,
1331 strerror(-err->error), -err->error);
1332 }
1333 else
1334 {
1335 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x "
1336 "failed: %s (%d)", ntohl(spi),
1337 strerror(-err->error), -err->error);
1338 }
1339 break;
1340 }
1341 default:
1342 hdr = NLMSG_NEXT(hdr, len);
1343 continue;
1344 case NLMSG_DONE:
1345 break;
1346 }
1347 break;
1348 }
1349 }
1350
1351 if (sa == NULL)
1352 {
1353 DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1354 free(out);
1355 return FAILED;
1356 }
1357 *bytes = sa->curlft.bytes;
1358
1359 free(out);
1360 return SUCCESS;
1361 }
1362
1363 METHOD(kernel_ipsec_t, del_sa, status_t,
1364 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1365 u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
1366 {
1367 netlink_buf_t request;
1368 struct nlmsghdr *hdr;
1369 struct xfrm_usersa_id *sa_id;
1370
1371 /* if IPComp was used, we first delete the additional IPComp SA */
1372 if (cpi)
1373 {
1374 del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark);
1375 }
1376
1377 memset(&request, 0, sizeof(request));
1378
1379 if (mark.value)
1380 {
1381 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x (mark %u/0x%8x)",
1382 ntohl(spi), mark.value, mark.mask);
1383 }
1384 else
1385 {
1386 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1387 }
1388 hdr = (struct nlmsghdr*)request;
1389 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1390 hdr->nlmsg_type = XFRM_MSG_DELSA;
1391 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1392
1393 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1394 host2xfrm(dst, &sa_id->daddr);
1395 sa_id->spi = spi;
1396 sa_id->proto = protocol;
1397 sa_id->family = dst->get_family(dst);
1398
1399 if (mark.value)
1400 {
1401 struct xfrm_mark *mrk;
1402 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
1403
1404 rthdr->rta_type = XFRMA_MARK;
1405 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1406 hdr->nlmsg_len += rthdr->rta_len;
1407 if (hdr->nlmsg_len > sizeof(request))
1408 {
1409 return FAILED;
1410 }
1411
1412 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1413 mrk->v = mark.value;
1414 mrk->m = mark.mask;
1415 }
1416
1417 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1418 {
1419 if (mark.value)
1420 {
1421 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x "
1422 "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
1423 }
1424 else
1425 {
1426 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1427 }
1428 return FAILED;
1429 }
1430 if (mark.value)
1431 {
1432 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x (mark %u/0x%8x)",
1433 ntohl(spi), mark.value, mark.mask);
1434 }
1435 else
1436 {
1437 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1438 }
1439 return SUCCESS;
1440 }
1441
1442 METHOD(kernel_ipsec_t, update_sa, status_t,
1443 private_kernel_netlink_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
1444 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1445 bool old_encap, bool new_encap, mark_t mark)
1446 {
1447 netlink_buf_t request;
1448 u_char *pos;
1449 struct nlmsghdr *hdr, *out = NULL;
1450 struct xfrm_usersa_id *sa_id;
1451 struct xfrm_usersa_info *out_sa = NULL, *sa;
1452 size_t len;
1453 struct rtattr *rta;
1454 size_t rtasize;
1455 struct xfrm_encap_tmpl* tmpl = NULL;
1456 bool got_replay_state = FALSE;
1457 struct xfrm_replay_state replay;
1458
1459 /* if IPComp is used, we first update the IPComp SA */
1460 if (cpi)
1461 {
1462 update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
1463 src, dst, new_src, new_dst, FALSE, FALSE, mark);
1464 }
1465
1466 memset(&request, 0, sizeof(request));
1467
1468 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1469
1470 /* query the existing SA first */
1471 hdr = (struct nlmsghdr*)request;
1472 hdr->nlmsg_flags = NLM_F_REQUEST;
1473 hdr->nlmsg_type = XFRM_MSG_GETSA;
1474 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1475
1476 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1477 host2xfrm(dst, &sa_id->daddr);
1478 sa_id->spi = spi;
1479 sa_id->proto = protocol;
1480 sa_id->family = dst->get_family(dst);
1481
1482 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1483 {
1484 hdr = out;
1485 while (NLMSG_OK(hdr, len))
1486 {
1487 switch (hdr->nlmsg_type)
1488 {
1489 case XFRM_MSG_NEWSA:
1490 {
1491 out_sa = NLMSG_DATA(hdr);
1492 break;
1493 }
1494 case NLMSG_ERROR:
1495 {
1496 struct nlmsgerr *err = NLMSG_DATA(hdr);
1497 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1498 strerror(-err->error), -err->error);
1499 break;
1500 }
1501 default:
1502 hdr = NLMSG_NEXT(hdr, len);
1503 continue;
1504 case NLMSG_DONE:
1505 break;
1506 }
1507 break;
1508 }
1509 }
1510 if (out_sa == NULL)
1511 {
1512 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1513 free(out);
1514 return FAILED;
1515 }
1516
1517 /* try to get the replay state */
1518 if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
1519 {
1520 got_replay_state = TRUE;
1521 }
1522
1523 /* delete the old SA (without affecting the IPComp SA) */
1524 if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
1525 {
1526 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1527 free(out);
1528 return FAILED;
1529 }
1530
1531 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1532 ntohl(spi), src, dst, new_src, new_dst);
1533 /* copy over the SA from out to request */
1534 hdr = (struct nlmsghdr*)request;
1535 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1536 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1537 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1538 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1539 sa = NLMSG_DATA(hdr);
1540 sa->family = new_dst->get_family(new_dst);
1541
1542 if (!src->ip_equals(src, new_src))
1543 {
1544 host2xfrm(new_src, &sa->saddr);
1545 }
1546 if (!dst->ip_equals(dst, new_dst))
1547 {
1548 host2xfrm(new_dst, &sa->id.daddr);
1549 }
1550
1551 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1552 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1553 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1554 while(RTA_OK(rta, rtasize))
1555 {
1556 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1557 if (rta->rta_type != XFRMA_ENCAP || new_encap)
1558 {
1559 if (rta->rta_type == XFRMA_ENCAP)
1560 { /* update encap tmpl */
1561 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1562 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1563 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1564 }
1565 memcpy(pos, rta, rta->rta_len);
1566 pos += RTA_ALIGN(rta->rta_len);
1567 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1568 }
1569 rta = RTA_NEXT(rta, rtasize);
1570 }
1571
1572 rta = (struct rtattr*)pos;
1573 if (tmpl == NULL && new_encap)
1574 { /* add tmpl if we are enabling it */
1575 rta->rta_type = XFRMA_ENCAP;
1576 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1577
1578 hdr->nlmsg_len += rta->rta_len;
1579 if (hdr->nlmsg_len > sizeof(request))
1580 {
1581 return FAILED;
1582 }
1583
1584 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1585 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1586 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1587 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1588 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1589
1590 rta = XFRM_RTA_NEXT(rta);
1591 }
1592
1593 if (got_replay_state)
1594 { /* copy the replay data if available */
1595 rta->rta_type = XFRMA_REPLAY_VAL;
1596 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1597
1598 hdr->nlmsg_len += rta->rta_len;
1599 if (hdr->nlmsg_len > sizeof(request))
1600 {
1601 return FAILED;
1602 }
1603 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1604
1605 rta = XFRM_RTA_NEXT(rta);
1606 }
1607
1608 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1609 {
1610 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1611 free(out);
1612 return FAILED;
1613 }
1614 free(out);
1615
1616 return SUCCESS;
1617 }
1618
1619 METHOD(kernel_ipsec_t, add_policy, status_t,
1620 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1621 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
1622 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
1623 mark_t mark, bool routed)
1624 {
1625 policy_entry_t *current, *policy;
1626 bool found = FALSE;
1627 netlink_buf_t request;
1628 struct xfrm_userpolicy_info *policy_info;
1629 struct nlmsghdr *hdr;
1630 int i;
1631
1632 /* create a policy */
1633 policy = malloc_thing(policy_entry_t);
1634 memset(policy, 0, sizeof(policy_entry_t));
1635 policy->sel = ts2selector(src_ts, dst_ts);
1636 policy->mark = mark.value & mark.mask;
1637 policy->direction = direction;
1638
1639 /* find the policy, which matches EXACTLY */
1640 this->mutex->lock(this->mutex);
1641 current = this->policies->get(this->policies, policy);
1642 if (current)
1643 {
1644 /* use existing policy */
1645 current->refcount++;
1646 if (mark.value)
1647 {
1648 DBG2(DBG_KNL, "policy %R === %R %N (mark %u/0x%8x) "
1649 "already exists, increasing refcount",
1650 src_ts, dst_ts, policy_dir_names, direction,
1651 mark.value, mark.mask);
1652 }
1653 else
1654 {
1655 DBG2(DBG_KNL, "policy %R === %R %N "
1656 "already exists, increasing refcount",
1657 src_ts, dst_ts, policy_dir_names, direction);
1658 }
1659 free(policy);
1660 policy = current;
1661 found = TRUE;
1662 }
1663 else
1664 { /* apply the new one, if we have no such policy */
1665 this->policies->put(this->policies, policy, policy);
1666 policy->refcount = 1;
1667 }
1668
1669 if (mark.value)
1670 {
1671 DBG2(DBG_KNL, "adding policy %R === %R %N (mark %u/0x%8x)",
1672 src_ts, dst_ts, policy_dir_names, direction,
1673 mark.value, mark.mask);
1674 }
1675 else
1676 {
1677 DBG2(DBG_KNL, "adding policy %R === %R %N",
1678 src_ts, dst_ts, policy_dir_names, direction);
1679 }
1680
1681 memset(&request, 0, sizeof(request));
1682 hdr = (struct nlmsghdr*)request;
1683 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1684 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1685 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1686
1687 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1688 policy_info->sel = policy->sel;
1689 policy_info->dir = policy->direction;
1690 /* calculate priority based on source selector size, small size = high prio */
1691 policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
1692 policy_info->priority -= policy->sel.prefixlen_s * 10;
1693 policy_info->priority -= policy->sel.proto ? 2 : 0;
1694 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1695 policy_info->action = type != POLICY_DROP ? XFRM_POLICY_ALLOW
1696 : XFRM_POLICY_BLOCK;
1697 policy_info->share = XFRM_SHARE_ANY;
1698 this->mutex->unlock(this->mutex);
1699
1700 /* policies don't expire */
1701 policy_info->lft.soft_byte_limit = XFRM_INF;
1702 policy_info->lft.soft_packet_limit = XFRM_INF;
1703 policy_info->lft.hard_byte_limit = XFRM_INF;
1704 policy_info->lft.hard_packet_limit = XFRM_INF;
1705 policy_info->lft.soft_add_expires_seconds = 0;
1706 policy_info->lft.hard_add_expires_seconds = 0;
1707 policy_info->lft.soft_use_expires_seconds = 0;
1708 policy_info->lft.hard_use_expires_seconds = 0;
1709
1710 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1711
1712 if (type == POLICY_IPSEC)
1713 {
1714 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1715 struct {
1716 u_int8_t proto;
1717 bool use;
1718 } protos[] = {
1719 { IPPROTO_COMP, sa->ipcomp.transform != IPCOMP_NONE },
1720 { IPPROTO_ESP, sa->esp.use },
1721 { IPPROTO_AH, sa->ah.use },
1722 };
1723 ipsec_mode_t proto_mode = sa->mode;
1724
1725 rthdr->rta_type = XFRMA_TMPL;
1726 rthdr->rta_len = 0; /* actual length is set below */
1727
1728 for (i = 0; i < countof(protos); i++)
1729 {
1730 if (!protos[i].use)
1731 {
1732 continue;
1733 }
1734
1735 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1736 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1737 if (hdr->nlmsg_len > sizeof(request))
1738 {
1739 return FAILED;
1740 }
1741
1742 tmpl->reqid = sa->reqid;
1743 tmpl->id.proto = protos[i].proto;
1744 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1745 tmpl->mode = mode2kernel(proto_mode);
1746 tmpl->optional = protos[i].proto == IPPROTO_COMP &&
1747 direction != POLICY_OUT;
1748 tmpl->family = src->get_family(src);
1749
1750 if (proto_mode == MODE_TUNNEL)
1751 { /* only for tunnel mode */
1752 host2xfrm(src, &tmpl->saddr);
1753 host2xfrm(dst, &tmpl->id.daddr);
1754 }
1755
1756 tmpl++;
1757
1758 /* use transport mode for other SAs */
1759 proto_mode = MODE_TRANSPORT;
1760 }
1761
1762 rthdr = XFRM_RTA_NEXT(rthdr);
1763 }
1764
1765 if (mark.value)
1766 {
1767 struct xfrm_mark *mrk;
1768
1769 rthdr->rta_type = XFRMA_MARK;
1770 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1771
1772 hdr->nlmsg_len += rthdr->rta_len;
1773 if (hdr->nlmsg_len > sizeof(request))
1774 {
1775 return FAILED;
1776 }
1777
1778 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1779 mrk->v = mark.value;
1780 mrk->m = mark.mask;
1781 }
1782
1783 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1784 {
1785 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1786 policy_dir_names, direction);
1787 return FAILED;
1788 }
1789
1790 /* install a route, if:
1791 * - we are NOT updating a policy
1792 * - this is a forward policy (to just get one for each child)
1793 * - we are in tunnel/BEET mode
1794 * - routing is not disabled via strongswan.conf
1795 */
1796 if (policy->route == NULL && direction == POLICY_FWD &&
1797 sa->mode != MODE_TRANSPORT && this->install_routes)
1798 {
1799 route_entry_t *route = malloc_thing(route_entry_t);
1800
1801 if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
1802 dst_ts, &route->src_ip) == SUCCESS)
1803 {
1804 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1805 route->gateway = hydra->kernel_interface->get_nexthop(
1806 hydra->kernel_interface, src);
1807 /* install route via outgoing interface */
1808 route->if_name = hydra->kernel_interface->get_interface(
1809 hydra->kernel_interface, dst);
1810 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1811 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1812 route->prefixlen = policy->sel.prefixlen_s;
1813
1814 if (route->if_name)
1815 {
1816 switch (hydra->kernel_interface->add_route(
1817 hydra->kernel_interface, route->dst_net,
1818 route->prefixlen, route->gateway,
1819 route->src_ip, route->if_name))
1820 {
1821 default:
1822 DBG1(DBG_KNL, "unable to install source route for %H",
1823 route->src_ip);
1824 /* FALL */
1825 case ALREADY_DONE:
1826 /* route exists, do not uninstall */
1827 route_entry_destroy(route);
1828 break;
1829 case SUCCESS:
1830 /* cache the installed route */
1831 policy->route = route;
1832 break;
1833 }
1834 }
1835 else
1836 {
1837 route_entry_destroy(route);
1838 }
1839 }
1840 else
1841 {
1842 free(route);
1843 }
1844 }
1845 return SUCCESS;
1846 }
1847
1848 METHOD(kernel_ipsec_t, query_policy, status_t,
1849 private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
1850 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
1851 u_int32_t *use_time)
1852 {
1853 netlink_buf_t request;
1854 struct nlmsghdr *out = NULL, *hdr;
1855 struct xfrm_userpolicy_id *policy_id;
1856 struct xfrm_userpolicy_info *policy = NULL;
1857 size_t len;
1858
1859 memset(&request, 0, sizeof(request));
1860
1861 if (mark.value)
1862 {
1863 DBG2(DBG_KNL, "querying policy %R === %R %N (mark %u/0x%8x)",
1864 src_ts, dst_ts, policy_dir_names, direction,
1865 mark.value, mark.mask);
1866 }
1867 else
1868 {
1869 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1870 policy_dir_names, direction);
1871 }
1872 hdr = (struct nlmsghdr*)request;
1873 hdr->nlmsg_flags = NLM_F_REQUEST;
1874 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1875 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1876
1877 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1878 policy_id->sel = ts2selector(src_ts, dst_ts);
1879 policy_id->dir = direction;
1880
1881 if (mark.value)
1882 {
1883 struct xfrm_mark *mrk;
1884 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
1885
1886 rthdr->rta_type = XFRMA_MARK;
1887 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1888
1889 hdr->nlmsg_len += rthdr->rta_len;
1890 if (hdr->nlmsg_len > sizeof(request))
1891 {
1892 return FAILED;
1893 }
1894
1895 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1896 mrk->v = mark.value;
1897 mrk->m = mark.mask;
1898 }
1899
1900 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1901 {
1902 hdr = out;
1903 while (NLMSG_OK(hdr, len))
1904 {
1905 switch (hdr->nlmsg_type)
1906 {
1907 case XFRM_MSG_NEWPOLICY:
1908 {
1909 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1910 break;
1911 }
1912 case NLMSG_ERROR:
1913 {
1914 struct nlmsgerr *err = NLMSG_DATA(hdr);
1915 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1916 strerror(-err->error), -err->error);
1917 break;
1918 }
1919 default:
1920 hdr = NLMSG_NEXT(hdr, len);
1921 continue;
1922 case NLMSG_DONE:
1923 break;
1924 }
1925 break;
1926 }
1927 }
1928
1929 if (policy == NULL)
1930 {
1931 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1932 policy_dir_names, direction);
1933 free(out);
1934 return FAILED;
1935 }
1936
1937 if (policy->curlft.use_time)
1938 {
1939 /* we need the monotonic time, but the kernel returns system time. */
1940 *use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
1941 }
1942 else
1943 {
1944 *use_time = 0;
1945 }
1946
1947 free(out);
1948 return SUCCESS;
1949 }
1950
1951 METHOD(kernel_ipsec_t, del_policy, status_t,
1952 private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
1953 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
1954 bool unrouted)
1955 {
1956 policy_entry_t *current, policy, *to_delete = NULL;
1957 route_entry_t *route;
1958 netlink_buf_t request;
1959 struct nlmsghdr *hdr;
1960 struct xfrm_userpolicy_id *policy_id;
1961
1962 if (mark.value)
1963 {
1964 DBG2(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x)",
1965 src_ts, dst_ts, policy_dir_names, direction,
1966 mark.value, mark.mask);
1967 }
1968 else
1969 {
1970 DBG2(DBG_KNL, "deleting policy %R === %R %N",
1971 src_ts, dst_ts, policy_dir_names, direction);
1972 }
1973
1974 /* create a policy */
1975 memset(&policy, 0, sizeof(policy_entry_t));
1976 policy.sel = ts2selector(src_ts, dst_ts);
1977 policy.mark = mark.value & mark.mask;
1978 policy.direction = direction;
1979
1980 /* find the policy */
1981 this->mutex->lock(this->mutex);
1982 current = this->policies->get(this->policies, &policy);
1983 if (current)
1984 {
1985 to_delete = current;
1986 if (--to_delete->refcount > 0)
1987 {
1988 /* is used by more SAs, keep in kernel */
1989 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1990 this->mutex->unlock(this->mutex);
1991 return SUCCESS;
1992 }
1993 /* remove if last reference */
1994 this->policies->remove(this->policies, to_delete);
1995 }
1996 this->mutex->unlock(this->mutex);
1997 if (!to_delete)
1998 {
1999 if (mark.value)
2000 {
2001 DBG1(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x) "
2002 "failed, not found", src_ts, dst_ts, policy_dir_names,
2003 direction, mark.value, mark.mask);
2004 }
2005 else
2006 {
2007 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found",
2008 src_ts, dst_ts, policy_dir_names, direction);
2009 }
2010 return NOT_FOUND;
2011 }
2012
2013 memset(&request, 0, sizeof(request));
2014
2015 hdr = (struct nlmsghdr*)request;
2016 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2017 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2018 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2019
2020 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2021 policy_id->sel = to_delete->sel;
2022 policy_id->dir = direction;
2023
2024 if (mark.value)
2025 {
2026 struct xfrm_mark *mrk;
2027 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
2028
2029 rthdr->rta_type = XFRMA_MARK;
2030 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
2031 hdr->nlmsg_len += rthdr->rta_len;
2032 if (hdr->nlmsg_len > sizeof(request))
2033 {
2034 return FAILED;
2035 }
2036
2037 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
2038 mrk->v = mark.value;
2039 mrk->m = mark.mask;
2040 }
2041
2042 route = to_delete->route;
2043 free(to_delete);
2044
2045 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2046 {
2047 if (mark.value)
2048 {
2049 DBG1(DBG_KNL, "unable to delete policy %R === %R %N "
2050 "(mark %u/0x%8x)", src_ts, dst_ts, policy_dir_names,
2051 direction, mark.value, mark.mask);
2052 }
2053 else
2054 {
2055 DBG1(DBG_KNL, "unable to delete policy %R === %R %N",
2056 src_ts, dst_ts, policy_dir_names, direction);
2057 }
2058 return FAILED;
2059 }
2060
2061 if (route)
2062 {
2063 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2064 route->dst_net, route->prefixlen, route->gateway,
2065 route->src_ip, route->if_name) != SUCCESS)
2066 {
2067 DBG1(DBG_KNL, "error uninstalling route installed with "
2068 "policy %R === %R %N", src_ts, dst_ts,
2069 policy_dir_names, direction);
2070 }
2071 route_entry_destroy(route);
2072 }
2073 return SUCCESS;
2074 }
2075
2076 METHOD(kernel_ipsec_t, bypass_socket, bool,
2077 private_kernel_netlink_ipsec_t *this, int fd, int family)
2078 {
2079 struct xfrm_userpolicy_info policy;
2080 u_int sol, ipsec_policy;
2081
2082 switch (family)
2083 {
2084 case AF_INET:
2085 sol = SOL_IP;
2086 ipsec_policy = IP_XFRM_POLICY;
2087 break;
2088 case AF_INET6:
2089 sol = SOL_IPV6;
2090 ipsec_policy = IPV6_XFRM_POLICY;
2091 break;
2092 default:
2093 return FALSE;
2094 }
2095
2096 memset(&policy, 0, sizeof(policy));
2097 policy.action = XFRM_POLICY_ALLOW;
2098 policy.sel.family = family;
2099
2100 policy.dir = XFRM_POLICY_OUT;
2101 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2102 {
2103 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2104 strerror(errno));
2105 return FALSE;
2106 }
2107 policy.dir = XFRM_POLICY_IN;
2108 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2109 {
2110 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2111 strerror(errno));
2112 return FALSE;
2113 }
2114 return TRUE;
2115 }
2116
2117 METHOD(kernel_ipsec_t, destroy, void,
2118 private_kernel_netlink_ipsec_t *this)
2119 {
2120 enumerator_t *enumerator;
2121 policy_entry_t *policy;
2122
2123 if (this->job)
2124 {
2125 this->job->cancel(this->job);
2126 }
2127 if (this->socket_xfrm_events > 0)
2128 {
2129 close(this->socket_xfrm_events);
2130 }
2131 DESTROY_IF(this->socket_xfrm);
2132 enumerator = this->policies->create_enumerator(this->policies);
2133 while (enumerator->enumerate(enumerator, &policy, &policy))
2134 {
2135 free(policy);
2136 }
2137 enumerator->destroy(enumerator);
2138 this->policies->destroy(this->policies);
2139 this->mutex->destroy(this->mutex);
2140 free(this);
2141 }
2142
2143 /*
2144 * Described in header.
2145 */
2146 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
2147 {
2148 private_kernel_netlink_ipsec_t *this;
2149 struct sockaddr_nl addr;
2150 int fd;
2151
2152 INIT(this,
2153 .public = {
2154 .interface = {
2155 .get_spi = _get_spi,
2156 .get_cpi = _get_cpi,
2157 .add_sa = _add_sa,
2158 .update_sa = _update_sa,
2159 .query_sa = _query_sa,
2160 .del_sa = _del_sa,
2161 .add_policy = _add_policy,
2162 .query_policy = _query_policy,
2163 .del_policy = _del_policy,
2164 .bypass_socket = _bypass_socket,
2165 .destroy = _destroy,
2166 },
2167 },
2168 .policies = hashtable_create((hashtable_hash_t)policy_hash,
2169 (hashtable_equals_t)policy_equals, 32),
2170 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2171 .install_routes = lib->settings->get_bool(lib->settings,
2172 "%s.install_routes", TRUE,
2173 hydra->daemon),
2174 );
2175
2176 if (streq(hydra->daemon, "pluto"))
2177 { /* no routes for pluto, they are installed via updown script */
2178 this->install_routes = FALSE;
2179 }
2180
2181 /* disable lifetimes for allocated SPIs in kernel */
2182 fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
2183 if (fd)
2184 {
2185 ignore_result(write(fd, "165", 3));
2186 close(fd);
2187 }
2188
2189 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
2190 if (!this->socket_xfrm)
2191 {
2192 destroy(this);
2193 return NULL;
2194 }
2195
2196 memset(&addr, 0, sizeof(addr));
2197 addr.nl_family = AF_NETLINK;
2198
2199 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
2200 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2201 if (this->socket_xfrm_events <= 0)
2202 {
2203 DBG1(DBG_KNL, "unable to create XFRM event socket");
2204 destroy(this);
2205 return NULL;
2206 }
2207 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
2208 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
2209 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2210 {
2211 DBG1(DBG_KNL, "unable to bind XFRM event socket");
2212 destroy(this);
2213 return NULL;
2214 }
2215 this->job = callback_job_create((callback_job_cb_t)receive_events,
2216 this, NULL, NULL);
2217 lib->processor->queue_job(lib->processor, (job_t*)this->job);
2218
2219 return &this->public;
2220 }
2221
strongSwan - IPsec VPN