Simplified destruction of policy_sa_t objects in Netlink interface.
[strongswan.git] / src / libhydra / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #include <sys/types.h>
22 #include <sys/socket.h>
23 #include <stdint.h>
24 #include <linux/ipsec.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
29 #include <unistd.h>
30 #include <time.h>
31 #include <errno.h>
32 #include <string.h>
33 #include <fcntl.h>
34
35 #include "kernel_netlink_ipsec.h"
36 #include "kernel_netlink_shared.h"
37
38 #include <hydra.h>
39 #include <debug.h>
40 #include <threading/thread.h>
41 #include <threading/mutex.h>
42 #include <utils/hashtable.h>
43 #include <utils/linked_list.h>
44 #include <processing/jobs/callback_job.h>
45
46 /** Required for Linux 2.6.26 kernel and later */
47 #ifndef XFRM_STATE_AF_UNSPEC
48 #define XFRM_STATE_AF_UNSPEC 32
49 #endif
50
51 /** From linux/in.h */
52 #ifndef IP_XFRM_POLICY
53 #define IP_XFRM_POLICY 17
54 #endif
55
56 /** Missing on uclibc */
57 #ifndef IPV6_XFRM_POLICY
58 #define IPV6_XFRM_POLICY 34
59 #endif /*IPV6_XFRM_POLICY*/
60
61 /** Default priority of installed policies */
62 #define PRIO_LOW 1024
63 #define PRIO_HIGH 512
64
65 /** Default replay window size, if not set using charon.replay_window */
66 #define DEFAULT_REPLAY_WINDOW 32
67
68 /**
69 * Map the limit for bytes and packets to XFRM_INF by default
70 */
71 #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
72
73 /**
74 * Create ORable bitfield of XFRM NL groups
75 */
76 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
77
78 /**
79 * Returns a pointer to the first rtattr following the nlmsghdr *nlh and the
80 * 'usual' netlink data x like 'struct xfrm_usersa_info'
81 */
82 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + \
83 NLMSG_ALIGN(sizeof(x))))
84 /**
85 * Returns a pointer to the next rtattr following rta.
86 * !!! Do not use this to parse messages. Use RTA_NEXT and RTA_OK instead !!!
87 */
88 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + \
89 RTA_ALIGN((rta)->rta_len)))
90 /**
91 * Returns the total size of attached rta data
92 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
93 */
94 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
95
96 typedef struct kernel_algorithm_t kernel_algorithm_t;
97
98 /**
99 * Mapping of IKEv2 kernel identifier to linux crypto API names
100 */
101 struct kernel_algorithm_t {
102 /**
103 * Identifier specified in IKEv2
104 */
105 int ikev2;
106
107 /**
108 * Name of the algorithm in linux crypto API
109 */
110 char *name;
111 };
112
113 ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
114 "XFRM_MSG_NEWSA",
115 "XFRM_MSG_DELSA",
116 "XFRM_MSG_GETSA",
117 "XFRM_MSG_NEWPOLICY",
118 "XFRM_MSG_DELPOLICY",
119 "XFRM_MSG_GETPOLICY",
120 "XFRM_MSG_ALLOCSPI",
121 "XFRM_MSG_ACQUIRE",
122 "XFRM_MSG_EXPIRE",
123 "XFRM_MSG_UPDPOLICY",
124 "XFRM_MSG_UPDSA",
125 "XFRM_MSG_POLEXPIRE",
126 "XFRM_MSG_FLUSHSA",
127 "XFRM_MSG_FLUSHPOLICY",
128 "XFRM_MSG_NEWAE",
129 "XFRM_MSG_GETAE",
130 "XFRM_MSG_REPORT",
131 "XFRM_MSG_MIGRATE",
132 "XFRM_MSG_NEWSADINFO",
133 "XFRM_MSG_GETSADINFO",
134 "XFRM_MSG_NEWSPDINFO",
135 "XFRM_MSG_GETSPDINFO",
136 "XFRM_MSG_MAPPING"
137 );
138
139 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
140 "XFRMA_UNSPEC",
141 "XFRMA_ALG_AUTH",
142 "XFRMA_ALG_CRYPT",
143 "XFRMA_ALG_COMP",
144 "XFRMA_ENCAP",
145 "XFRMA_TMPL",
146 "XFRMA_SA",
147 "XFRMA_POLICY",
148 "XFRMA_SEC_CTX",
149 "XFRMA_LTIME_VAL",
150 "XFRMA_REPLAY_VAL",
151 "XFRMA_REPLAY_THRESH",
152 "XFRMA_ETIMER_THRESH",
153 "XFRMA_SRCADDR",
154 "XFRMA_COADDR",
155 "XFRMA_LASTUSED",
156 "XFRMA_POLICY_TYPE",
157 "XFRMA_MIGRATE",
158 "XFRMA_ALG_AEAD",
159 "XFRMA_KMADDRESS"
160 );
161
162 #define END_OF_LIST -1
163
164 /**
165 * Algorithms for encryption
166 */
167 static kernel_algorithm_t encryption_algs[] = {
168 /* {ENCR_DES_IV64, "***" }, */
169 {ENCR_DES, "des" },
170 {ENCR_3DES, "des3_ede" },
171 /* {ENCR_RC5, "***" }, */
172 /* {ENCR_IDEA, "***" }, */
173 {ENCR_CAST, "cast128" },
174 {ENCR_BLOWFISH, "blowfish" },
175 /* {ENCR_3IDEA, "***" }, */
176 /* {ENCR_DES_IV32, "***" }, */
177 {ENCR_NULL, "cipher_null" },
178 {ENCR_AES_CBC, "aes" },
179 {ENCR_AES_CTR, "rfc3686(ctr(aes))" },
180 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
181 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
182 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
183 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
184 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
185 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
186 {ENCR_NULL_AUTH_AES_GMAC, "rfc4543(gcm(aes))" },
187 {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
188 /* {ENCR_CAMELLIA_CTR, "***" }, */
189 /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
190 /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
191 /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
192 {ENCR_SERPENT_CBC, "serpent" },
193 {ENCR_TWOFISH_CBC, "twofish" },
194 {END_OF_LIST, NULL }
195 };
196
197 /**
198 * Algorithms for integrity protection
199 */
200 static kernel_algorithm_t integrity_algs[] = {
201 {AUTH_HMAC_MD5_96, "md5" },
202 {AUTH_HMAC_SHA1_96, "sha1" },
203 {AUTH_HMAC_SHA2_256_96, "sha256" },
204 {AUTH_HMAC_SHA2_256_128, "hmac(sha256)" },
205 {AUTH_HMAC_SHA2_384_192, "hmac(sha384)" },
206 {AUTH_HMAC_SHA2_512_256, "hmac(sha512)" },
207 /* {AUTH_DES_MAC, "***" }, */
208 /* {AUTH_KPDK_MD5, "***" }, */
209 {AUTH_AES_XCBC_96, "xcbc(aes)" },
210 {END_OF_LIST, NULL }
211 };
212
213 /**
214 * Algorithms for IPComp
215 */
216 static kernel_algorithm_t compression_algs[] = {
217 /* {IPCOMP_OUI, "***" }, */
218 {IPCOMP_DEFLATE, "deflate" },
219 {IPCOMP_LZS, "lzs" },
220 {IPCOMP_LZJH, "lzjh" },
221 {END_OF_LIST, NULL }
222 };
223
224 /**
225 * Look up a kernel algorithm name and its key size
226 */
227 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
228 {
229 while (list->ikev2 != END_OF_LIST)
230 {
231 if (list->ikev2 == ikev2)
232 {
233 return list->name;
234 }
235 list++;
236 }
237 return NULL;
238 }
239
240 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
241
242 /**
243 * Private variables and functions of kernel_netlink class.
244 */
245 struct private_kernel_netlink_ipsec_t {
246 /**
247 * Public part of the kernel_netlink_t object
248 */
249 kernel_netlink_ipsec_t public;
250
251 /**
252 * Mutex to lock access to installed policies
253 */
254 mutex_t *mutex;
255
256 /**
257 * Hash table of installed policies (policy_entry_t)
258 */
259 hashtable_t *policies;
260
261 /**
262 * Hash table of IPsec SAs using policies (ipsec_sa_t)
263 */
264 hashtable_t *sas;
265
266 /**
267 * Job receiving netlink events
268 */
269 callback_job_t *job;
270
271 /**
272 * Netlink xfrm socket (IPsec)
273 */
274 netlink_socket_t *socket_xfrm;
275
276 /**
277 * Netlink xfrm socket to receive acquire and expire events
278 */
279 int socket_xfrm_events;
280
281 /**
282 * Whether to install routes along policies
283 */
284 bool install_routes;
285
286 /**
287 * Size of the replay window, in packets
288 */
289 u_int32_t replay_window;
290
291 /**
292 * Size of the replay window bitmap, in bytes
293 */
294 u_int32_t replay_bmp;
295 };
296
297 typedef struct route_entry_t route_entry_t;
298
299 /**
300 * Installed routing entry
301 */
302 struct route_entry_t {
303 /** Name of the interface the route is bound to */
304 char *if_name;
305
306 /** Source ip of the route */
307 host_t *src_ip;
308
309 /** Gateway for this route */
310 host_t *gateway;
311
312 /** Destination net */
313 chunk_t dst_net;
314
315 /** Destination net prefixlen */
316 u_int8_t prefixlen;
317 };
318
319 /**
320 * Destroy a route_entry_t object
321 */
322 static void route_entry_destroy(route_entry_t *this)
323 {
324 free(this->if_name);
325 this->src_ip->destroy(this->src_ip);
326 DESTROY_IF(this->gateway);
327 chunk_free(&this->dst_net);
328 free(this);
329 }
330
331 /**
332 * Compare two route_entry_t objects
333 */
334 static bool route_entry_equals(route_entry_t *a, route_entry_t *b)
335 {
336 return a->if_name && b->if_name && streq(a->if_name, b->if_name) &&
337 a->src_ip->equals(a->src_ip, b->src_ip) &&
338 a->gateway->equals(a->gateway, b->gateway) &&
339 chunk_equals(a->dst_net, b->dst_net) && a->prefixlen == b->prefixlen;
340 }
341
342 typedef struct ipsec_sa_t ipsec_sa_t;
343
344 /**
345 * IPsec SA assigned to a policy.
346 */
347 struct ipsec_sa_t {
348 /** Source address of this SA */
349 host_t *src;
350
351 /** Destination address of this SA */
352 host_t *dst;
353
354 /** Optional mark */
355 mark_t mark;
356
357 /** Description of this SA */
358 ipsec_sa_cfg_t cfg;
359
360 /** Reference count for this SA */
361 refcount_t refcount;
362 };
363
364 /**
365 * Hash function for ipsec_sa_t objects
366 */
367 static u_int ipsec_sa_hash(ipsec_sa_t *sa)
368 {
369 return chunk_hash_inc(sa->src->get_address(sa->src),
370 chunk_hash_inc(sa->dst->get_address(sa->dst),
371 chunk_hash_inc(chunk_from_thing(sa->mark),
372 chunk_hash(chunk_from_thing(sa->cfg)))));
373 }
374
375 /**
376 * Equality function for ipsec_sa_t objects
377 */
378 static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
379 {
380 return sa->src->ip_equals(sa->src, other_sa->src) &&
381 sa->dst->ip_equals(sa->dst, other_sa->dst) &&
382 memeq(&sa->mark, &other_sa->mark, sizeof(mark_t)) &&
383 memeq(&sa->cfg, &other_sa->cfg, sizeof(ipsec_sa_cfg_t));
384 }
385
386 /**
387 * Allocate or reference an IPsec SA object
388 */
389 static ipsec_sa_t *ipsec_sa_create(private_kernel_netlink_ipsec_t *this,
390 host_t *src, host_t *dst, mark_t mark,
391 ipsec_sa_cfg_t *cfg)
392 {
393 ipsec_sa_t *sa, *found;
394 INIT(sa,
395 .src = src,
396 .dst = dst,
397 .mark = mark,
398 .cfg = *cfg,
399 );
400 found = this->sas->get(this->sas, sa);
401 if (!found)
402 {
403 sa->src = src->clone(src);
404 sa->dst = dst->clone(dst);
405 this->sas->put(this->sas, sa, sa);
406 }
407 else
408 {
409 free(sa);
410 sa = found;
411 }
412 ref_get(&sa->refcount);
413 return sa;
414 }
415
416 /**
417 * Release and destroy an IPsec SA object
418 */
419 static void ipsec_sa_destroy(private_kernel_netlink_ipsec_t *this,
420 ipsec_sa_t *sa)
421 {
422 if (ref_put(&sa->refcount))
423 {
424 this->sas->remove(this->sas, sa);
425 DESTROY_IF(sa->src);
426 DESTROY_IF(sa->dst);
427 free(sa);
428 }
429 }
430
431 typedef struct policy_sa_t policy_sa_t;
432 typedef struct policy_sa_fwd_t policy_sa_fwd_t;
433
434 /**
435 * Mapping between a policy and an IPsec SA.
436 */
437 struct policy_sa_t {
438 /** Priority assigned to the policy when installed with this SA */
439 u_int32_t priority;
440
441 /** Type of the policy */
442 policy_type_t type;
443
444 /** Assigned SA */
445 ipsec_sa_t *sa;
446 };
447
448 /**
449 * For forward policies we also cache the traffic selectors in order to install
450 * the route.
451 */
452 struct policy_sa_fwd_t {
453 /** Generic interface */
454 policy_sa_t generic;
455
456 /** Source traffic selector of this policy */
457 traffic_selector_t *src_ts;
458
459 /** Destination traffic selector of this policy */
460 traffic_selector_t *dst_ts;
461 };
462
463 /**
464 * Create a policy_sa(_fwd)_t object
465 */
466 static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
467 policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
468 traffic_selector_t *src_ts, traffic_selector_t *dst_ts, mark_t mark,
469 ipsec_sa_cfg_t *cfg)
470 {
471 policy_sa_t *policy;
472
473 if (dir == POLICY_FWD)
474 {
475 policy_sa_fwd_t *fwd;
476 INIT(fwd,
477 .src_ts = src_ts->clone(src_ts),
478 .dst_ts = dst_ts->clone(dst_ts),
479 );
480 policy = &fwd->generic;
481 }
482 else
483 {
484 INIT(policy);
485 }
486 policy->type = type;
487 policy->sa = ipsec_sa_create(this, src, dst, mark, cfg);
488 return policy;
489 }
490
491 /**
492 * Destroy a policy_sa(_fwd)_t object
493 */
494 static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t *dir,
495 private_kernel_netlink_ipsec_t *this)
496 {
497 if (*dir == POLICY_FWD)
498 {
499 policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)policy;
500 fwd->src_ts->destroy(fwd->src_ts);
501 fwd->dst_ts->destroy(fwd->dst_ts);
502 }
503 ipsec_sa_destroy(this, policy->sa);
504 free(policy);
505 }
506
507 typedef struct policy_entry_t policy_entry_t;
508
509 /**
510 * Installed kernel policy.
511 */
512 struct policy_entry_t {
513
514 /** Direction of this policy: in, out, forward */
515 u_int8_t direction;
516
517 /** Parameters of installed policy */
518 struct xfrm_selector sel;
519
520 /** Optional mark */
521 u_int32_t mark;
522
523 /** Associated route installed for this policy */
524 route_entry_t *route;
525
526 /** List of SAs this policy is used by, ordered by priority */
527 linked_list_t *used_by;
528 };
529
530 /**
531 * Destroy a policy_entry_t object
532 */
533 static void policy_entry_destroy(private_kernel_netlink_ipsec_t *this,
534 policy_entry_t *policy)
535 {
536 if (policy->route)
537 {
538 route_entry_destroy(policy->route);
539 }
540 if (policy->used_by)
541 {
542 policy->used_by->invoke_function(policy->used_by,
543 (linked_list_invoke_t)policy_sa_destroy,
544 &policy->direction, this);
545 policy->used_by->destroy(policy->used_by);
546 }
547 free(policy);
548 }
549
550 /**
551 * Hash function for policy_entry_t objects
552 */
553 static u_int policy_hash(policy_entry_t *key)
554 {
555 chunk_t chunk = chunk_create((void*)&key->sel,
556 sizeof(struct xfrm_selector) + sizeof(u_int32_t));
557 return chunk_hash(chunk);
558 }
559
560 /**
561 * Equality function for policy_entry_t objects
562 */
563 static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
564 {
565 return memeq(&key->sel, &other_key->sel,
566 sizeof(struct xfrm_selector) + sizeof(u_int32_t)) &&
567 key->direction == other_key->direction;
568 }
569
570 /**
571 * Convert the general ipsec mode to the one defined in xfrm.h
572 */
573 static u_int8_t mode2kernel(ipsec_mode_t mode)
574 {
575 switch (mode)
576 {
577 case MODE_TRANSPORT:
578 return XFRM_MODE_TRANSPORT;
579 case MODE_TUNNEL:
580 return XFRM_MODE_TUNNEL;
581 case MODE_BEET:
582 return XFRM_MODE_BEET;
583 default:
584 return mode;
585 }
586 }
587
588 /**
589 * Convert a host_t to a struct xfrm_address
590 */
591 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
592 {
593 chunk_t chunk = host->get_address(host);
594 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
595 }
596
597 /**
598 * Convert a struct xfrm_address to a host_t
599 */
600 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
601 {
602 chunk_t chunk;
603
604 switch (family)
605 {
606 case AF_INET:
607 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
608 break;
609 case AF_INET6:
610 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
611 break;
612 default:
613 return NULL;
614 }
615 return host_create_from_chunk(family, chunk, ntohs(port));
616 }
617
618 /**
619 * Convert a traffic selector address range to subnet and its mask.
620 */
621 static void ts2subnet(traffic_selector_t* ts,
622 xfrm_address_t *net, u_int8_t *mask)
623 {
624 host_t *net_host;
625 chunk_t net_chunk;
626
627 ts->to_subnet(ts, &net_host, mask);
628 net_chunk = net_host->get_address(net_host);
629 memcpy(net, net_chunk.ptr, net_chunk.len);
630 net_host->destroy(net_host);
631 }
632
633 /**
634 * Convert a traffic selector port range to port/portmask
635 */
636 static void ts2ports(traffic_selector_t* ts,
637 u_int16_t *port, u_int16_t *mask)
638 {
639 /* Linux does not seem to accept complex portmasks. Only
640 * any or a specific port is allowed. We set to any, if we have
641 * a port range, or to a specific, if we have one port only.
642 */
643 u_int16_t from, to;
644
645 from = ts->get_from_port(ts);
646 to = ts->get_to_port(ts);
647
648 if (from == to)
649 {
650 *port = htons(from);
651 *mask = ~0;
652 }
653 else
654 {
655 *port = 0;
656 *mask = 0;
657 }
658 }
659
660 /**
661 * Convert a pair of traffic_selectors to an xfrm_selector
662 */
663 static struct xfrm_selector ts2selector(traffic_selector_t *src,
664 traffic_selector_t *dst)
665 {
666 struct xfrm_selector sel;
667
668 memset(&sel, 0, sizeof(sel));
669 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
670 /* src or dest proto may be "any" (0), use more restrictive one */
671 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
672 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
673 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
674 ts2ports(dst, &sel.dport, &sel.dport_mask);
675 ts2ports(src, &sel.sport, &sel.sport_mask);
676 sel.ifindex = 0;
677 sel.user = 0;
678
679 return sel;
680 }
681
682 /**
683 * Convert an xfrm_selector to a src|dst traffic_selector
684 */
685 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
686 {
687 u_char *addr;
688 u_int8_t prefixlen;
689 u_int16_t port = 0;
690 host_t *host = NULL;
691
692 if (src)
693 {
694 addr = (u_char*)&sel->saddr;
695 prefixlen = sel->prefixlen_s;
696 if (sel->sport_mask)
697 {
698 port = htons(sel->sport);
699 }
700 }
701 else
702 {
703 addr = (u_char*)&sel->daddr;
704 prefixlen = sel->prefixlen_d;
705 if (sel->dport_mask)
706 {
707 port = htons(sel->dport);
708 }
709 }
710
711 /* The Linux 2.6 kernel does not set the selector's family field,
712 * so as a kludge we additionally test the prefix length.
713 */
714 if (sel->family == AF_INET || sel->prefixlen_s == 32)
715 {
716 host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
717 }
718 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
719 {
720 host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
721 }
722
723 if (host)
724 {
725 return traffic_selector_create_from_subnet(host, prefixlen,
726 sel->proto, port);
727 }
728 return NULL;
729 }
730
731 /**
732 * Process a XFRM_MSG_ACQUIRE from kernel
733 */
734 static void process_acquire(private_kernel_netlink_ipsec_t *this,
735 struct nlmsghdr *hdr)
736 {
737 struct xfrm_user_acquire *acquire;
738 struct rtattr *rta;
739 size_t rtasize;
740 traffic_selector_t *src_ts, *dst_ts;
741 u_int32_t reqid = 0;
742 int proto = 0;
743
744 acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
745 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
746 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
747
748 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
749
750 while (RTA_OK(rta, rtasize))
751 {
752 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
753
754 if (rta->rta_type == XFRMA_TMPL)
755 {
756 struct xfrm_user_tmpl* tmpl;
757 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
758 reqid = tmpl->reqid;
759 proto = tmpl->id.proto;
760 }
761 rta = RTA_NEXT(rta, rtasize);
762 }
763 switch (proto)
764 {
765 case 0:
766 case IPPROTO_ESP:
767 case IPPROTO_AH:
768 break;
769 default:
770 /* acquire for AH/ESP only, not for IPCOMP */
771 return;
772 }
773 src_ts = selector2ts(&acquire->sel, TRUE);
774 dst_ts = selector2ts(&acquire->sel, FALSE);
775
776 hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
777 dst_ts);
778 }
779
780 /**
781 * Process a XFRM_MSG_EXPIRE from kernel
782 */
783 static void process_expire(private_kernel_netlink_ipsec_t *this,
784 struct nlmsghdr *hdr)
785 {
786 struct xfrm_user_expire *expire;
787 u_int32_t spi, reqid;
788 u_int8_t protocol;
789
790 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
791 protocol = expire->state.id.proto;
792 spi = expire->state.id.spi;
793 reqid = expire->state.reqid;
794
795 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
796
797 if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
798 {
799 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and "
800 "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
801 return;
802 }
803
804 hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
805 spi, expire->hard != 0);
806 }
807
808 /**
809 * Process a XFRM_MSG_MIGRATE from kernel
810 */
811 static void process_migrate(private_kernel_netlink_ipsec_t *this,
812 struct nlmsghdr *hdr)
813 {
814 struct xfrm_userpolicy_id *policy_id;
815 struct rtattr *rta;
816 size_t rtasize;
817 traffic_selector_t *src_ts, *dst_ts;
818 host_t *local = NULL, *remote = NULL;
819 host_t *old_src = NULL, *old_dst = NULL;
820 host_t *new_src = NULL, *new_dst = NULL;
821 u_int32_t reqid = 0;
822 policy_dir_t dir;
823
824 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
825 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
826 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
827
828 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
829
830 src_ts = selector2ts(&policy_id->sel, TRUE);
831 dst_ts = selector2ts(&policy_id->sel, FALSE);
832 dir = (policy_dir_t)policy_id->dir;
833
834 DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
835
836 while (RTA_OK(rta, rtasize))
837 {
838 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
839 if (rta->rta_type == XFRMA_KMADDRESS)
840 {
841 struct xfrm_user_kmaddress *kmaddress;
842
843 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
844 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
845 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
846 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
847 }
848 else if (rta->rta_type == XFRMA_MIGRATE)
849 {
850 struct xfrm_user_migrate *migrate;
851
852 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
853 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
854 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
855 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
856 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
857 reqid = migrate->reqid;
858 DBG2(DBG_KNL, " migrate %H...%H to %H...%H, reqid {%u}",
859 old_src, old_dst, new_src, new_dst, reqid);
860 DESTROY_IF(old_src);
861 DESTROY_IF(old_dst);
862 DESTROY_IF(new_src);
863 DESTROY_IF(new_dst);
864 }
865 rta = RTA_NEXT(rta, rtasize);
866 }
867
868 if (src_ts && dst_ts && local && remote)
869 {
870 hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
871 src_ts, dst_ts, dir, local, remote);
872 }
873 else
874 {
875 DESTROY_IF(src_ts);
876 DESTROY_IF(dst_ts);
877 DESTROY_IF(local);
878 DESTROY_IF(remote);
879 }
880 }
881
882 /**
883 * Process a XFRM_MSG_MAPPING from kernel
884 */
885 static void process_mapping(private_kernel_netlink_ipsec_t *this,
886 struct nlmsghdr *hdr)
887 {
888 struct xfrm_user_mapping *mapping;
889 u_int32_t spi, reqid;
890
891 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
892 spi = mapping->id.spi;
893 reqid = mapping->reqid;
894
895 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
896
897 if (mapping->id.proto == IPPROTO_ESP)
898 {
899 host_t *host;
900 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
901 mapping->new_sport);
902 if (host)
903 {
904 hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
905 spi, host);
906 }
907 }
908 }
909
910 /**
911 * Receives events from kernel
912 */
913 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
914 {
915 char response[1024];
916 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
917 struct sockaddr_nl addr;
918 socklen_t addr_len = sizeof(addr);
919 int len;
920 bool oldstate;
921
922 oldstate = thread_cancelability(TRUE);
923 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
924 (struct sockaddr*)&addr, &addr_len);
925 thread_cancelability(oldstate);
926
927 if (len < 0)
928 {
929 switch (errno)
930 {
931 case EINTR:
932 /* interrupted, try again */
933 return JOB_REQUEUE_DIRECT;
934 case EAGAIN:
935 /* no data ready, select again */
936 return JOB_REQUEUE_DIRECT;
937 default:
938 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
939 sleep(1);
940 return JOB_REQUEUE_FAIR;
941 }
942 }
943
944 if (addr.nl_pid != 0)
945 { /* not from kernel. not interested, try another one */
946 return JOB_REQUEUE_DIRECT;
947 }
948
949 while (NLMSG_OK(hdr, len))
950 {
951 switch (hdr->nlmsg_type)
952 {
953 case XFRM_MSG_ACQUIRE:
954 process_acquire(this, hdr);
955 break;
956 case XFRM_MSG_EXPIRE:
957 process_expire(this, hdr);
958 break;
959 case XFRM_MSG_MIGRATE:
960 process_migrate(this, hdr);
961 break;
962 case XFRM_MSG_MAPPING:
963 process_mapping(this, hdr);
964 break;
965 default:
966 DBG1(DBG_KNL, "received unknown event from xfrm event "
967 "socket: %d", hdr->nlmsg_type);
968 break;
969 }
970 hdr = NLMSG_NEXT(hdr, len);
971 }
972 return JOB_REQUEUE_DIRECT;
973 }
974
975 /**
976 * Get an SPI for a specific protocol from the kernel.
977 */
978 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
979 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
980 u_int32_t reqid, u_int32_t *spi)
981 {
982 netlink_buf_t request;
983 struct nlmsghdr *hdr, *out;
984 struct xfrm_userspi_info *userspi;
985 u_int32_t received_spi = 0;
986 size_t len;
987
988 memset(&request, 0, sizeof(request));
989
990 hdr = (struct nlmsghdr*)request;
991 hdr->nlmsg_flags = NLM_F_REQUEST;
992 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
993 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
994
995 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
996 host2xfrm(src, &userspi->info.saddr);
997 host2xfrm(dst, &userspi->info.id.daddr);
998 userspi->info.id.proto = proto;
999 userspi->info.mode = XFRM_MODE_TUNNEL;
1000 userspi->info.reqid = reqid;
1001 userspi->info.family = src->get_family(src);
1002 userspi->min = min;
1003 userspi->max = max;
1004
1005 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1006 {
1007 hdr = out;
1008 while (NLMSG_OK(hdr, len))
1009 {
1010 switch (hdr->nlmsg_type)
1011 {
1012 case XFRM_MSG_NEWSA:
1013 {
1014 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1015 received_spi = usersa->id.spi;
1016 break;
1017 }
1018 case NLMSG_ERROR:
1019 {
1020 struct nlmsgerr *err = NLMSG_DATA(hdr);
1021 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1022 strerror(-err->error), -err->error);
1023 break;
1024 }
1025 default:
1026 hdr = NLMSG_NEXT(hdr, len);
1027 continue;
1028 case NLMSG_DONE:
1029 break;
1030 }
1031 break;
1032 }
1033 free(out);
1034 }
1035
1036 if (received_spi == 0)
1037 {
1038 return FAILED;
1039 }
1040
1041 *spi = received_spi;
1042 return SUCCESS;
1043 }
1044
1045 METHOD(kernel_ipsec_t, get_spi, status_t,
1046 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1047 u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
1048 {
1049 DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
1050
1051 if (get_spi_internal(this, src, dst, protocol,
1052 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
1053 {
1054 DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
1055 return FAILED;
1056 }
1057
1058 DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
1059 return SUCCESS;
1060 }
1061
1062 METHOD(kernel_ipsec_t, get_cpi, status_t,
1063 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1064 u_int32_t reqid, u_int16_t *cpi)
1065 {
1066 u_int32_t received_spi = 0;
1067
1068 DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
1069
1070 if (get_spi_internal(this, src, dst, IPPROTO_COMP,
1071 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
1072 {
1073 DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
1074 return FAILED;
1075 }
1076
1077 *cpi = htons((u_int16_t)ntohl(received_spi));
1078
1079 DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
1080 return SUCCESS;
1081 }
1082
1083 METHOD(kernel_ipsec_t, add_sa, status_t,
1084 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1085 u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
1086 u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
1087 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
1088 u_int16_t cpi, bool encap, bool esn, bool inbound,
1089 traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
1090 {
1091 netlink_buf_t request;
1092 char *alg_name;
1093 struct nlmsghdr *hdr;
1094 struct xfrm_usersa_info *sa;
1095 u_int16_t icv_size = 64;
1096 status_t status = FAILED;
1097
1098 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
1099 * we are in the recursive call below */
1100 if (ipcomp != IPCOMP_NONE && cpi != 0)
1101 {
1102 lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
1103 add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
1104 tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
1105 chunk_empty, mode, ipcomp, 0, FALSE, FALSE, inbound, NULL, NULL);
1106 ipcomp = IPCOMP_NONE;
1107 /* use transport mode ESP SA, IPComp uses tunnel mode */
1108 mode = MODE_TRANSPORT;
1109 }
1110
1111 memset(&request, 0, sizeof(request));
1112
1113 if (mark.value)
1114 {
1115 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u} (mark "
1116 "%u/0x%8x)", ntohl(spi), reqid, mark.value, mark.mask);
1117 }
1118 else
1119 {
1120 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
1121 ntohl(spi), reqid);
1122 }
1123 hdr = (struct nlmsghdr*)request;
1124 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1125 hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1126 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1127
1128 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1129 host2xfrm(src, &sa->saddr);
1130 host2xfrm(dst, &sa->id.daddr);
1131 sa->id.spi = spi;
1132 sa->id.proto = protocol;
1133 sa->family = src->get_family(src);
1134 sa->mode = mode2kernel(mode);
1135 switch (mode)
1136 {
1137 case MODE_TUNNEL:
1138 sa->flags |= XFRM_STATE_AF_UNSPEC;
1139 break;
1140 case MODE_BEET:
1141 case MODE_TRANSPORT:
1142 if(src_ts && dst_ts)
1143 {
1144 sa->sel = ts2selector(src_ts, dst_ts);
1145 }
1146 break;
1147 default:
1148 break;
1149 }
1150
1151 sa->reqid = reqid;
1152 sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey);
1153 sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life);
1154 sa->lft.soft_packet_limit = XFRM_LIMIT(lifetime->packets.rekey);
1155 sa->lft.hard_packet_limit = XFRM_LIMIT(lifetime->packets.life);
1156 /* we use lifetimes since added, not since used */
1157 sa->lft.soft_add_expires_seconds = lifetime->time.rekey;
1158 sa->lft.hard_add_expires_seconds = lifetime->time.life;
1159 sa->lft.soft_use_expires_seconds = 0;
1160 sa->lft.hard_use_expires_seconds = 0;
1161
1162 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
1163
1164 switch (enc_alg)
1165 {
1166 case ENCR_UNDEFINED:
1167 /* no encryption */
1168 break;
1169 case ENCR_AES_CCM_ICV16:
1170 case ENCR_AES_GCM_ICV16:
1171 case ENCR_NULL_AUTH_AES_GMAC:
1172 case ENCR_CAMELLIA_CCM_ICV16:
1173 icv_size += 32;
1174 /* FALL */
1175 case ENCR_AES_CCM_ICV12:
1176 case ENCR_AES_GCM_ICV12:
1177 case ENCR_CAMELLIA_CCM_ICV12:
1178 icv_size += 32;
1179 /* FALL */
1180 case ENCR_AES_CCM_ICV8:
1181 case ENCR_AES_GCM_ICV8:
1182 case ENCR_CAMELLIA_CCM_ICV8:
1183 {
1184 struct xfrm_algo_aead *algo;
1185
1186 alg_name = lookup_algorithm(encryption_algs, enc_alg);
1187 if (alg_name == NULL)
1188 {
1189 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1190 encryption_algorithm_names, enc_alg);
1191 goto failed;
1192 }
1193 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1194 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1195
1196 rthdr->rta_type = XFRMA_ALG_AEAD;
1197 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) +
1198 enc_key.len);
1199 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
1200 if (hdr->nlmsg_len > sizeof(request))
1201 {
1202 goto failed;
1203 }
1204
1205 algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
1206 algo->alg_key_len = enc_key.len * 8;
1207 algo->alg_icv_len = icv_size;
1208 strcpy(algo->alg_name, alg_name);
1209 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
1210
1211 rthdr = XFRM_RTA_NEXT(rthdr);
1212 break;
1213 }
1214 default:
1215 {
1216 struct xfrm_algo *algo;
1217
1218 alg_name = lookup_algorithm(encryption_algs, enc_alg);
1219 if (alg_name == NULL)
1220 {
1221 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1222 encryption_algorithm_names, enc_alg);
1223 goto failed;
1224 }
1225 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1226 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1227
1228 rthdr->rta_type = XFRMA_ALG_CRYPT;
1229 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
1230 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
1231 if (hdr->nlmsg_len > sizeof(request))
1232 {
1233 goto failed;
1234 }
1235
1236 algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1237 algo->alg_key_len = enc_key.len * 8;
1238 strcpy(algo->alg_name, alg_name);
1239 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
1240
1241 rthdr = XFRM_RTA_NEXT(rthdr);
1242 }
1243 }
1244
1245 if (int_alg != AUTH_UNDEFINED)
1246 {
1247 alg_name = lookup_algorithm(integrity_algs, int_alg);
1248 if (alg_name == NULL)
1249 {
1250 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1251 integrity_algorithm_names, int_alg);
1252 goto failed;
1253 }
1254 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1255 integrity_algorithm_names, int_alg, int_key.len * 8);
1256
1257 if (int_alg == AUTH_HMAC_SHA2_256_128)
1258 {
1259 struct xfrm_algo_auth* algo;
1260
1261 /* the kernel uses SHA256 with 96 bit truncation by default,
1262 * use specified truncation size supported by newer kernels */
1263 rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
1264 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) +
1265 int_key.len);
1266
1267 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
1268 if (hdr->nlmsg_len > sizeof(request))
1269 {
1270 goto failed;
1271 }
1272
1273 algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
1274 algo->alg_key_len = int_key.len * 8;
1275 algo->alg_trunc_len = 128;
1276 strcpy(algo->alg_name, alg_name);
1277 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1278 }
1279 else
1280 {
1281 struct xfrm_algo* algo;
1282
1283 rthdr->rta_type = XFRMA_ALG_AUTH;
1284 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
1285
1286 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
1287 if (hdr->nlmsg_len > sizeof(request))
1288 {
1289 goto failed;
1290 }
1291
1292 algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1293 algo->alg_key_len = int_key.len * 8;
1294 strcpy(algo->alg_name, alg_name);
1295 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1296 }
1297 rthdr = XFRM_RTA_NEXT(rthdr);
1298 }
1299
1300 if (ipcomp != IPCOMP_NONE)
1301 {
1302 rthdr->rta_type = XFRMA_ALG_COMP;
1303 alg_name = lookup_algorithm(compression_algs, ipcomp);
1304 if (alg_name == NULL)
1305 {
1306 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1307 ipcomp_transform_names, ipcomp);
1308 goto failed;
1309 }
1310 DBG2(DBG_KNL, " using compression algorithm %N",
1311 ipcomp_transform_names, ipcomp);
1312
1313 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
1314 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
1315 if (hdr->nlmsg_len > sizeof(request))
1316 {
1317 goto failed;
1318 }
1319
1320 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1321 algo->alg_key_len = 0;
1322 strcpy(algo->alg_name, alg_name);
1323
1324 rthdr = XFRM_RTA_NEXT(rthdr);
1325 }
1326
1327 if (encap)
1328 {
1329 struct xfrm_encap_tmpl *tmpl;
1330
1331 rthdr->rta_type = XFRMA_ENCAP;
1332 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1333
1334 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
1335 if (hdr->nlmsg_len > sizeof(request))
1336 {
1337 goto failed;
1338 }
1339
1340 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1341 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1342 tmpl->encap_sport = htons(src->get_port(src));
1343 tmpl->encap_dport = htons(dst->get_port(dst));
1344 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1345 /* encap_oa could probably be derived from the
1346 * traffic selectors [rfc4306, p39]. In the netlink kernel
1347 * implementation pluto does the same as we do here but it uses
1348 * encap_oa in the pfkey implementation.
1349 * BUT as /usr/src/linux/net/key/af_key.c indicates the kernel ignores
1350 * it anyway
1351 * -> does that mean that NAT-T encap doesn't work in transport mode?
1352 * No. The reason the kernel ignores NAT-OA is that it recomputes
1353 * (or, rather, just ignores) the checksum. If packets pass the IPsec
1354 * checks it marks them "checksum ok" so OA isn't needed. */
1355 rthdr = XFRM_RTA_NEXT(rthdr);
1356 }
1357
1358 if (mark.value)
1359 {
1360 struct xfrm_mark *mrk;
1361
1362 rthdr->rta_type = XFRMA_MARK;
1363 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1364
1365 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
1366 if (hdr->nlmsg_len > sizeof(request))
1367 {
1368 goto failed;
1369 }
1370
1371 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1372 mrk->v = mark.value;
1373 mrk->m = mark.mask;
1374 rthdr = XFRM_RTA_NEXT(rthdr);
1375 }
1376
1377 if (tfc)
1378 {
1379 u_int32_t *tfcpad;
1380
1381 rthdr->rta_type = XFRMA_TFCPAD;
1382 rthdr->rta_len = RTA_LENGTH(sizeof(u_int32_t));
1383
1384 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
1385 if (hdr->nlmsg_len > sizeof(request))
1386 {
1387 goto failed;
1388 }
1389
1390 tfcpad = (u_int32_t*)RTA_DATA(rthdr);
1391 *tfcpad = tfc;
1392 rthdr = XFRM_RTA_NEXT(rthdr);
1393 }
1394
1395 if (protocol != IPPROTO_COMP)
1396 {
1397 if (esn || this->replay_window > DEFAULT_REPLAY_WINDOW)
1398 {
1399 /* for ESN or larger replay windows we need the new
1400 * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
1401 struct xfrm_replay_state_esn *replay;
1402
1403 rthdr->rta_type = XFRMA_REPLAY_ESN_VAL;
1404 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state_esn) +
1405 (this->replay_window + 7) / 8);
1406
1407 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
1408 if (hdr->nlmsg_len > sizeof(request))
1409 {
1410 goto failed;
1411 }
1412
1413 replay = (struct xfrm_replay_state_esn*)RTA_DATA(rthdr);
1414 /* bmp_len contains number uf __u32's */
1415 replay->bmp_len = this->replay_bmp;
1416 replay->replay_window = this->replay_window;
1417
1418 rthdr = XFRM_RTA_NEXT(rthdr);
1419 if (esn)
1420 {
1421 sa->flags |= XFRM_STATE_ESN;
1422 }
1423 }
1424 else
1425 {
1426 sa->replay_window = DEFAULT_REPLAY_WINDOW;
1427 }
1428 }
1429
1430 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1431 {
1432 if (mark.value)
1433 {
1434 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x "
1435 "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
1436 }
1437 else
1438 {
1439 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1440 }
1441 goto failed;
1442 }
1443
1444 status = SUCCESS;
1445
1446 failed:
1447 memwipe(request, sizeof(request));
1448 return status;
1449 }
1450
1451 /**
1452 * Get the ESN replay state (i.e. sequence numbers) of an SA.
1453 *
1454 * Allocates into one the replay state structure we get from the kernel.
1455 */
1456 static void get_replay_state(private_kernel_netlink_ipsec_t *this,
1457 u_int32_t spi, u_int8_t protocol, host_t *dst,
1458 struct xfrm_replay_state_esn **replay_esn,
1459 struct xfrm_replay_state **replay)
1460 {
1461 netlink_buf_t request;
1462 struct nlmsghdr *hdr, *out = NULL;
1463 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1464 size_t len;
1465 struct rtattr *rta;
1466 size_t rtasize;
1467
1468 memset(&request, 0, sizeof(request));
1469
1470 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x",
1471 ntohl(spi));
1472
1473 hdr = (struct nlmsghdr*)request;
1474 hdr->nlmsg_flags = NLM_F_REQUEST;
1475 hdr->nlmsg_type = XFRM_MSG_GETAE;
1476 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1477
1478 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1479 aevent_id->flags = XFRM_AE_RVAL;
1480
1481 host2xfrm(dst, &aevent_id->sa_id.daddr);
1482 aevent_id->sa_id.spi = spi;
1483 aevent_id->sa_id.proto = protocol;
1484 aevent_id->sa_id.family = dst->get_family(dst);
1485
1486 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1487 {
1488 hdr = out;
1489 while (NLMSG_OK(hdr, len))
1490 {
1491 switch (hdr->nlmsg_type)
1492 {
1493 case XFRM_MSG_NEWAE:
1494 {
1495 out_aevent = NLMSG_DATA(hdr);
1496 break;
1497 }
1498 case NLMSG_ERROR:
1499 {
1500 struct nlmsgerr *err = NLMSG_DATA(hdr);
1501 DBG1(DBG_KNL, "querying replay state from SAD entry "
1502 "failed: %s (%d)", strerror(-err->error),
1503 -err->error);
1504 break;
1505 }
1506 default:
1507 hdr = NLMSG_NEXT(hdr, len);
1508 continue;
1509 case NLMSG_DONE:
1510 break;
1511 }
1512 break;
1513 }
1514 }
1515
1516 if (out_aevent)
1517 {
1518 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1519 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1520 while (RTA_OK(rta, rtasize))
1521 {
1522 if (rta->rta_type == XFRMA_REPLAY_VAL &&
1523 RTA_PAYLOAD(rta) == sizeof(**replay))
1524 {
1525 *replay = malloc(RTA_PAYLOAD(rta));
1526 memcpy(*replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
1527 break;
1528 }
1529 if (rta->rta_type == XFRMA_REPLAY_ESN_VAL &&
1530 RTA_PAYLOAD(rta) >= sizeof(**replay_esn) + this->replay_bmp)
1531 {
1532 *replay_esn = malloc(RTA_PAYLOAD(rta));
1533 memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta));
1534 break;
1535 }
1536 rta = RTA_NEXT(rta, rtasize);
1537 }
1538 }
1539 free(out);
1540 }
1541
1542 METHOD(kernel_ipsec_t, query_sa, status_t,
1543 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1544 u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
1545 {
1546 netlink_buf_t request;
1547 struct nlmsghdr *out = NULL, *hdr;
1548 struct xfrm_usersa_id *sa_id;
1549 struct xfrm_usersa_info *sa = NULL;
1550 status_t status = FAILED;
1551 size_t len;
1552
1553 memset(&request, 0, sizeof(request));
1554
1555 if (mark.value)
1556 {
1557 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x (mark %u/0x%8x)",
1558 ntohl(spi), mark.value, mark.mask);
1559 }
1560 else
1561 {
1562 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1563 }
1564 hdr = (struct nlmsghdr*)request;
1565 hdr->nlmsg_flags = NLM_F_REQUEST;
1566 hdr->nlmsg_type = XFRM_MSG_GETSA;
1567 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1568
1569 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1570 host2xfrm(dst, &sa_id->daddr);
1571 sa_id->spi = spi;
1572 sa_id->proto = protocol;
1573 sa_id->family = dst->get_family(dst);
1574
1575 if (mark.value)
1576 {
1577 struct xfrm_mark *mrk;
1578 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
1579
1580 rthdr->rta_type = XFRMA_MARK;
1581 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1582 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
1583 if (hdr->nlmsg_len > sizeof(request))
1584 {
1585 return FAILED;
1586 }
1587
1588 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1589 mrk->v = mark.value;
1590 mrk->m = mark.mask;
1591 }
1592
1593 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1594 {
1595 hdr = out;
1596 while (NLMSG_OK(hdr, len))
1597 {
1598 switch (hdr->nlmsg_type)
1599 {
1600 case XFRM_MSG_NEWSA:
1601 {
1602 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
1603 break;
1604 }
1605 case NLMSG_ERROR:
1606 {
1607 struct nlmsgerr *err = NLMSG_DATA(hdr);
1608
1609 if (mark.value)
1610 {
1611 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x "
1612 "(mark %u/0x%8x) failed: %s (%d)",
1613 ntohl(spi), mark.value, mark.mask,
1614 strerror(-err->error), -err->error);
1615 }
1616 else
1617 {
1618 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x "
1619 "failed: %s (%d)", ntohl(spi),
1620 strerror(-err->error), -err->error);
1621 }
1622 break;
1623 }
1624 default:
1625 hdr = NLMSG_NEXT(hdr, len);
1626 continue;
1627 case NLMSG_DONE:
1628 break;
1629 }
1630 break;
1631 }
1632 }
1633
1634 if (sa == NULL)
1635 {
1636 DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
1637 }
1638 else
1639 {
1640 *bytes = sa->curlft.bytes;
1641 status = SUCCESS;
1642 }
1643 memwipe(out, len);
1644 free(out);
1645 return status;
1646 }
1647
1648 METHOD(kernel_ipsec_t, del_sa, status_t,
1649 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1650 u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
1651 {
1652 netlink_buf_t request;
1653 struct nlmsghdr *hdr;
1654 struct xfrm_usersa_id *sa_id;
1655
1656 /* if IPComp was used, we first delete the additional IPComp SA */
1657 if (cpi)
1658 {
1659 del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark);
1660 }
1661
1662 memset(&request, 0, sizeof(request));
1663
1664 if (mark.value)
1665 {
1666 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x (mark %u/0x%8x)",
1667 ntohl(spi), mark.value, mark.mask);
1668 }
1669 else
1670 {
1671 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1672 }
1673 hdr = (struct nlmsghdr*)request;
1674 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1675 hdr->nlmsg_type = XFRM_MSG_DELSA;
1676 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1677
1678 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1679 host2xfrm(dst, &sa_id->daddr);
1680 sa_id->spi = spi;
1681 sa_id->proto = protocol;
1682 sa_id->family = dst->get_family(dst);
1683
1684 if (mark.value)
1685 {
1686 struct xfrm_mark *mrk;
1687 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id);
1688
1689 rthdr->rta_type = XFRMA_MARK;
1690 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
1691 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
1692 if (hdr->nlmsg_len > sizeof(request))
1693 {
1694 return FAILED;
1695 }
1696
1697 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
1698 mrk->v = mark.value;
1699 mrk->m = mark.mask;
1700 }
1701
1702 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1703 {
1704 if (mark.value)
1705 {
1706 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x "
1707 "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask);
1708 }
1709 else
1710 {
1711 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x",
1712 ntohl(spi));
1713 }
1714 return FAILED;
1715 }
1716 if (mark.value)
1717 {
1718 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x (mark %u/0x%8x)",
1719 ntohl(spi), mark.value, mark.mask);
1720 }
1721 else
1722 {
1723 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1724 }
1725 return SUCCESS;
1726 }
1727
1728 METHOD(kernel_ipsec_t, update_sa, status_t,
1729 private_kernel_netlink_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
1730 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
1731 bool old_encap, bool new_encap, mark_t mark)
1732 {
1733 netlink_buf_t request;
1734 u_char *pos;
1735 struct nlmsghdr *hdr, *out = NULL;
1736 struct xfrm_usersa_id *sa_id;
1737 struct xfrm_usersa_info *out_sa = NULL, *sa;
1738 size_t len;
1739 struct rtattr *rta;
1740 size_t rtasize;
1741 struct xfrm_encap_tmpl* tmpl = NULL;
1742 struct xfrm_replay_state *replay = NULL;
1743 struct xfrm_replay_state_esn *replay_esn = NULL;
1744 status_t status = FAILED;
1745
1746 /* if IPComp is used, we first update the IPComp SA */
1747 if (cpi)
1748 {
1749 update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
1750 src, dst, new_src, new_dst, FALSE, FALSE, mark);
1751 }
1752
1753 memset(&request, 0, sizeof(request));
1754
1755 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1756
1757 /* query the existing SA first */
1758 hdr = (struct nlmsghdr*)request;
1759 hdr->nlmsg_flags = NLM_F_REQUEST;
1760 hdr->nlmsg_type = XFRM_MSG_GETSA;
1761 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1762
1763 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1764 host2xfrm(dst, &sa_id->daddr);
1765 sa_id->spi = spi;
1766 sa_id->proto = protocol;
1767 sa_id->family = dst->get_family(dst);
1768
1769 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1770 {
1771 hdr = out;
1772 while (NLMSG_OK(hdr, len))
1773 {
1774 switch (hdr->nlmsg_type)
1775 {
1776 case XFRM_MSG_NEWSA:
1777 {
1778 out_sa = NLMSG_DATA(hdr);
1779 break;
1780 }
1781 case NLMSG_ERROR:
1782 {
1783 struct nlmsgerr *err = NLMSG_DATA(hdr);
1784 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1785 strerror(-err->error), -err->error);
1786 break;
1787 }
1788 default:
1789 hdr = NLMSG_NEXT(hdr, len);
1790 continue;
1791 case NLMSG_DONE:
1792 break;
1793 }
1794 break;
1795 }
1796 }
1797 if (out_sa == NULL)
1798 {
1799 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1800 goto failed;
1801 }
1802
1803 get_replay_state(this, spi, protocol, dst, &replay_esn, &replay);
1804
1805 /* delete the old SA (without affecting the IPComp SA) */
1806 if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
1807 {
1808 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x",
1809 ntohl(spi));
1810 goto failed;
1811 }
1812
1813 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1814 ntohl(spi), src, dst, new_src, new_dst);
1815 /* copy over the SA from out to request */
1816 hdr = (struct nlmsghdr*)request;
1817 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1818 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1819 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1820 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1821 sa = NLMSG_DATA(hdr);
1822 sa->family = new_dst->get_family(new_dst);
1823
1824 if (!src->ip_equals(src, new_src))
1825 {
1826 host2xfrm(new_src, &sa->saddr);
1827 }
1828 if (!dst->ip_equals(dst, new_dst))
1829 {
1830 host2xfrm(new_dst, &sa->id.daddr);
1831 }
1832
1833 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1834 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1835 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1836 while(RTA_OK(rta, rtasize))
1837 {
1838 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1839 if (rta->rta_type != XFRMA_ENCAP || new_encap)
1840 {
1841 if (rta->rta_type == XFRMA_ENCAP)
1842 { /* update encap tmpl */
1843 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1844 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1845 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1846 }
1847 memcpy(pos, rta, rta->rta_len);
1848 pos += RTA_ALIGN(rta->rta_len);
1849 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1850 }
1851 rta = RTA_NEXT(rta, rtasize);
1852 }
1853
1854 rta = (struct rtattr*)pos;
1855 if (tmpl == NULL && new_encap)
1856 { /* add tmpl if we are enabling it */
1857 rta->rta_type = XFRMA_ENCAP;
1858 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1859
1860 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1861 if (hdr->nlmsg_len > sizeof(request))
1862 {
1863 goto failed;
1864 }
1865
1866 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1867 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1868 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1869 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1870 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1871
1872 rta = XFRM_RTA_NEXT(rta);
1873 }
1874
1875 if (replay_esn)
1876 {
1877 rta->rta_type = XFRMA_REPLAY_ESN_VAL;
1878 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state_esn) +
1879 this->replay_bmp);
1880
1881 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1882 if (hdr->nlmsg_len > sizeof(request))
1883 {
1884 goto failed;
1885 }
1886 memcpy(RTA_DATA(rta), replay_esn,
1887 sizeof(struct xfrm_replay_state_esn) + this->replay_bmp);
1888
1889 rta = XFRM_RTA_NEXT(rta);
1890 }
1891 else if (replay)
1892 {
1893 rta->rta_type = XFRMA_REPLAY_VAL;
1894 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1895
1896 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1897 if (hdr->nlmsg_len > sizeof(request))
1898 {
1899 goto failed;
1900 }
1901 memcpy(RTA_DATA(rta), replay, sizeof(replay));
1902
1903 rta = XFRM_RTA_NEXT(rta);
1904 }
1905 else
1906 {
1907 DBG1(DBG_KNL, "unable to copy replay state from old SAD entry "
1908 "with SPI %.8x", ntohl(spi));
1909 }
1910
1911 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1912 {
1913 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1914 goto failed;
1915 }
1916
1917 status = SUCCESS;
1918 failed:
1919 free(replay);
1920 free(replay_esn);
1921 memwipe(out, len);
1922 free(out);
1923
1924 return status;
1925 }
1926
1927 /**
1928 * Add or update a policy in the kernel.
1929 *
1930 * Note: The mutex has to be locked when entering this function.
1931 */
1932 static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
1933 policy_entry_t *policy, policy_sa_t *mapping, bool update)
1934 {
1935 netlink_buf_t request;
1936 policy_entry_t clone;
1937 ipsec_sa_t *ipsec = mapping->sa;
1938 struct xfrm_userpolicy_info *policy_info;
1939 struct nlmsghdr *hdr;
1940 int i;
1941
1942 /* clone the policy so we are able to check it out again later */
1943 memcpy(&clone, policy, sizeof(policy_entry_t));
1944
1945 memset(&request, 0, sizeof(request));
1946 hdr = (struct nlmsghdr*)request;
1947 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1948 hdr->nlmsg_type = update ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1949 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1950
1951 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1952 policy_info->sel = policy->sel;
1953 policy_info->dir = policy->direction;
1954
1955 /* calculate priority based on selector size, small size = high prio */
1956 policy_info->priority = mapping->priority;
1957 policy_info->action = mapping->type != POLICY_DROP ? XFRM_POLICY_ALLOW
1958 : XFRM_POLICY_BLOCK;
1959 policy_info->share = XFRM_SHARE_ANY;
1960
1961 /* policies don't expire */
1962 policy_info->lft.soft_byte_limit = XFRM_INF;
1963 policy_info->lft.soft_packet_limit = XFRM_INF;
1964 policy_info->lft.hard_byte_limit = XFRM_INF;
1965 policy_info->lft.hard_packet_limit = XFRM_INF;
1966 policy_info->lft.soft_add_expires_seconds = 0;
1967 policy_info->lft.hard_add_expires_seconds = 0;
1968 policy_info->lft.soft_use_expires_seconds = 0;
1969 policy_info->lft.hard_use_expires_seconds = 0;
1970
1971 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1972
1973 if (mapping->type == POLICY_IPSEC)
1974 {
1975 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1976 struct {
1977 u_int8_t proto;
1978 bool use;
1979 } protos[] = {
1980 { IPPROTO_COMP, ipsec->cfg.ipcomp.transform != IPCOMP_NONE },
1981 { IPPROTO_ESP, ipsec->cfg.esp.use },
1982 { IPPROTO_AH, ipsec->cfg.ah.use },
1983 };
1984 ipsec_mode_t proto_mode = ipsec->cfg.mode;
1985
1986 rthdr->rta_type = XFRMA_TMPL;
1987 rthdr->rta_len = 0; /* actual length is set below */
1988
1989 for (i = 0; i < countof(protos); i++)
1990 {
1991 if (!protos[i].use)
1992 {
1993 continue;
1994 }
1995
1996 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1997 hdr->nlmsg_len += RTA_ALIGN(RTA_LENGTH(sizeof(struct xfrm_user_tmpl)));
1998 if (hdr->nlmsg_len > sizeof(request))
1999 {
2000 return FAILED;
2001 }
2002
2003 tmpl->reqid = ipsec->cfg.reqid;
2004 tmpl->id.proto = protos[i].proto;
2005 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2006 tmpl->mode = mode2kernel(proto_mode);
2007 tmpl->optional = protos[i].proto == IPPROTO_COMP &&
2008 policy->direction != POLICY_OUT;
2009 tmpl->family = ipsec->src->get_family(ipsec->src);
2010
2011 if (proto_mode == MODE_TUNNEL)
2012 { /* only for tunnel mode */
2013 host2xfrm(ipsec->src, &tmpl->saddr);
2014 host2xfrm(ipsec->dst, &tmpl->id.daddr);
2015 }
2016
2017 tmpl++;
2018
2019 /* use transport mode for other SAs */
2020 proto_mode = MODE_TRANSPORT;
2021 }
2022
2023 rthdr = XFRM_RTA_NEXT(rthdr);
2024 }
2025
2026 if (ipsec->mark.value)
2027 {
2028 struct xfrm_mark *mrk;
2029
2030 rthdr->rta_type = XFRMA_MARK;
2031 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
2032
2033 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
2034 if (hdr->nlmsg_len > sizeof(request))
2035 {
2036 return FAILED;
2037 }
2038
2039 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
2040 mrk->v = ipsec->mark.value;
2041 mrk->m = ipsec->mark.mask;
2042 }
2043 this->mutex->unlock(this->mutex);
2044
2045 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2046 {
2047 return FAILED;
2048 }
2049
2050 /* find the policy again */
2051 this->mutex->lock(this->mutex);
2052 policy = this->policies->get(this->policies, &clone);
2053 if (!policy ||
2054 policy->used_by->find_first(policy->used_by,
2055 NULL, (void**)&mapping) != SUCCESS)
2056 { /* policy or mapping is already gone, ignore */
2057 this->mutex->unlock(this->mutex);
2058 return SUCCESS;
2059 }
2060
2061 /* install a route, if:
2062 * - this is a forward policy (to just get one for each child)
2063 * - we are in tunnel/BEET mode
2064 * - routing is not disabled via strongswan.conf
2065 */
2066 if (policy->direction == POLICY_FWD &&
2067 ipsec->cfg.mode != MODE_TRANSPORT && this->install_routes)
2068 {
2069 route_entry_t *route = malloc_thing(route_entry_t);
2070 policy_sa_fwd_t *fwd = (policy_sa_fwd_t*)mapping;
2071
2072 if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
2073 fwd->dst_ts, &route->src_ip) == SUCCESS)
2074 {
2075 /* get the nexthop to src (src as we are in POLICY_FWD) */
2076 route->gateway = hydra->kernel_interface->get_nexthop(
2077 hydra->kernel_interface, ipsec->src);
2078 /* install route via outgoing interface */
2079 route->if_name = hydra->kernel_interface->get_interface(
2080 hydra->kernel_interface, ipsec->dst);
2081 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
2082 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
2083 route->prefixlen = policy->sel.prefixlen_s;
2084
2085 if (!route->if_name)
2086 {
2087 this->mutex->unlock(this->mutex);
2088 route_entry_destroy(route);
2089 return SUCCESS;
2090 }
2091
2092 if (policy->route)
2093 {
2094 route_entry_t *old = policy->route;
2095 if (route_entry_equals(old, route))
2096 { /* keep previously installed route */
2097 this->mutex->unlock(this->mutex);
2098 route_entry_destroy(route);
2099 return SUCCESS;
2100 }
2101 /* uninstall previously installed route */
2102 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2103 old->dst_net, old->prefixlen, old->gateway,
2104 old->src_ip, old->if_name) != SUCCESS)
2105 {
2106 DBG1(DBG_KNL, "error uninstalling route installed with "
2107 "policy %R === %R %N", fwd->src_ts,
2108 fwd->dst_ts, policy_dir_names,
2109 policy->direction);
2110 }
2111 route_entry_destroy(old);
2112 policy->route = NULL;
2113 }
2114
2115 DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
2116 fwd->src_ts, route->gateway, route->src_ip, route->if_name);
2117 switch (hydra->kernel_interface->add_route(
2118 hydra->kernel_interface, route->dst_net,
2119 route->prefixlen, route->gateway,
2120 route->src_ip, route->if_name))
2121 {
2122 default:
2123 DBG1(DBG_KNL, "unable to install source route for %H",
2124 route->src_ip);
2125 /* FALL */
2126 case ALREADY_DONE:
2127 /* route exists, do not uninstall */
2128 route_entry_destroy(route);
2129 break;
2130 case SUCCESS:
2131 /* cache the installed route */
2132 policy->route = route;
2133 break;
2134 }
2135 }
2136 else
2137 {
2138 free(route);
2139 }
2140 }
2141 this->mutex->unlock(this->mutex);
2142 return SUCCESS;
2143 }
2144
2145 METHOD(kernel_ipsec_t, add_policy, status_t,
2146 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
2147 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
2148 policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
2149 mark_t mark, bool routed)
2150 {
2151 policy_entry_t *policy, *current;
2152 policy_sa_t *assigned_sa, *current_sa;
2153 enumerator_t *enumerator;
2154 bool found = FALSE, update = TRUE;
2155
2156 /* create a policy */
2157 INIT(policy,
2158 .sel = ts2selector(src_ts, dst_ts),
2159 .mark = mark.value & mark.mask,
2160 .direction = direction,
2161 );
2162
2163 /* find the policy, which matches EXACTLY */
2164 this->mutex->lock(this->mutex);
2165 current = this->policies->get(this->policies, policy);
2166 if (current)
2167 {
2168 /* use existing policy */
2169 if (mark.value)
2170 {
2171 DBG2(DBG_KNL, "policy %R === %R %N (mark %u/0x%8x) "
2172 "already exists, increasing refcount",
2173 src_ts, dst_ts, policy_dir_names, direction,
2174 mark.value, mark.mask);
2175 }
2176 else
2177 {
2178 DBG2(DBG_KNL, "policy %R === %R %N "
2179 "already exists, increasing refcount",
2180 src_ts, dst_ts, policy_dir_names, direction);
2181 }
2182 policy_entry_destroy(this, policy);
2183 policy = current;
2184 found = TRUE;
2185 }
2186 else
2187 { /* use the new one, if we have no such policy */
2188 policy->used_by = linked_list_create();
2189 this->policies->put(this->policies, policy, policy);
2190 }
2191
2192 /* cache the assigned IPsec SA */
2193 assigned_sa = policy_sa_create(this, direction, type, src, dst, src_ts,
2194 dst_ts, mark, sa);
2195
2196 /* calculate priority based on selector size, small size = high prio */
2197 assigned_sa->priority = routed ? PRIO_LOW : PRIO_HIGH;
2198 assigned_sa->priority -= policy->sel.prefixlen_s;
2199 assigned_sa->priority -= policy->sel.prefixlen_d;
2200 assigned_sa->priority <<= 2; /* make some room for the two flags */
2201 assigned_sa->priority += policy->sel.sport_mask ||
2202 policy->sel.dport_mask ? 0 : 2;
2203 assigned_sa->priority += policy->sel.proto ? 0 : 1;
2204
2205 /* insert the SA according to its priority */
2206 enumerator = policy->used_by->create_enumerator(policy->used_by);
2207 while (enumerator->enumerate(enumerator, (void**)&current_sa))
2208 {
2209 if (current_sa->priority >= assigned_sa->priority)
2210 {
2211 break;
2212 }
2213 update = FALSE;
2214 }
2215 policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa);
2216 enumerator->destroy(enumerator);
2217
2218 if (!update)
2219 { /* we don't update the policy if the priority is lower than that of the
2220 * currently installed one */
2221 this->mutex->unlock(this->mutex);
2222 return SUCCESS;
2223 }
2224
2225 if (mark.value)
2226 {
2227 DBG2(DBG_KNL, "%s policy %R === %R %N (mark %u/0x%8x)",
2228 found ? "updating" : "adding", src_ts, dst_ts,
2229 policy_dir_names, direction, mark.value, mark.mask);
2230 }
2231 else
2232 {
2233 DBG2(DBG_KNL, "%s policy %R === %R %N",
2234 found ? "updating" : "adding", src_ts, dst_ts,
2235 policy_dir_names, direction);
2236 }
2237
2238 if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS)
2239 {
2240 DBG1(DBG_KNL, "unable to %s policy %R === %R %N",
2241 found ? "update" : "add", src_ts, dst_ts,
2242 policy_dir_names, direction);
2243 return FAILED;
2244 }
2245 return SUCCESS;
2246 }
2247
2248 METHOD(kernel_ipsec_t, query_policy, status_t,
2249 private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
2250 traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
2251 u_int32_t *use_time)
2252 {
2253 netlink_buf_t request;
2254 struct nlmsghdr *out = NULL, *hdr;
2255 struct xfrm_userpolicy_id *policy_id;
2256 struct xfrm_userpolicy_info *policy = NULL;
2257 size_t len;
2258
2259 memset(&request, 0, sizeof(request));
2260
2261 if (mark.value)
2262 {
2263 DBG2(DBG_KNL, "querying policy %R === %R %N (mark %u/0x%8x)",
2264 src_ts, dst_ts, policy_dir_names, direction,
2265 mark.value, mark.mask);
2266 }
2267 else
2268 {
2269 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
2270 policy_dir_names, direction);
2271 }
2272 hdr = (struct nlmsghdr*)request;
2273 hdr->nlmsg_flags = NLM_F_REQUEST;
2274 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2275 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2276
2277 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2278 policy_id->sel = ts2selector(src_ts, dst_ts);
2279 policy_id->dir = direction;
2280
2281 if (mark.value)
2282 {
2283 struct xfrm_mark *mrk;
2284 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
2285
2286 rthdr->rta_type = XFRMA_MARK;
2287 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
2288
2289 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
2290 if (hdr->nlmsg_len > sizeof(request))
2291 {
2292 return FAILED;
2293 }
2294
2295 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
2296 mrk->v = mark.value;
2297 mrk->m = mark.mask;
2298 }
2299
2300 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2301 {
2302 hdr = out;
2303 while (NLMSG_OK(hdr, len))
2304 {
2305 switch (hdr->nlmsg_type)
2306 {
2307 case XFRM_MSG_NEWPOLICY:
2308 {
2309 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
2310 break;
2311 }
2312 case NLMSG_ERROR:
2313 {
2314 struct nlmsgerr *err = NLMSG_DATA(hdr);
2315 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
2316 strerror(-err->error), -err->error);
2317 break;
2318 }
2319 default:
2320 hdr = NLMSG_NEXT(hdr, len);
2321 continue;
2322 case NLMSG_DONE:
2323 break;
2324 }
2325 break;
2326 }
2327 }
2328
2329 if (policy == NULL)
2330 {
2331 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
2332 policy_dir_names, direction);
2333 free(out);
2334 return FAILED;
2335 }
2336
2337 if (policy->curlft.use_time)
2338 {
2339 /* we need the monotonic time, but the kernel returns system time. */
2340 *use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
2341 }
2342 else
2343 {
2344 *use_time = 0;
2345 }
2346
2347 free(out);
2348 return SUCCESS;
2349 }
2350
2351 METHOD(kernel_ipsec_t, del_policy, status_t,
2352 private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
2353 traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
2354 mark_t mark, bool unrouted)
2355 {
2356 policy_entry_t *current, policy;
2357 enumerator_t *enumerator;
2358 policy_sa_t *mapping;
2359 netlink_buf_t request;
2360 struct nlmsghdr *hdr;
2361 struct xfrm_userpolicy_id *policy_id;
2362 bool is_installed = TRUE;
2363
2364 if (mark.value)
2365 {
2366 DBG2(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x)",
2367 src_ts, dst_ts, policy_dir_names, direction,
2368 mark.value, mark.mask);
2369 }
2370 else
2371 {
2372 DBG2(DBG_KNL, "deleting policy %R === %R %N",
2373 src_ts, dst_ts, policy_dir_names, direction);
2374 }
2375
2376 /* create a policy */
2377 memset(&policy, 0, sizeof(policy_entry_t));
2378 policy.sel = ts2selector(src_ts, dst_ts);
2379 policy.mark = mark.value & mark.mask;
2380 policy.direction = direction;
2381
2382 /* find the policy */
2383 this->mutex->lock(this->mutex);
2384 current = this->policies->get(this->policies, &policy);
2385 if (!current)
2386 {
2387 if (mark.value)
2388 {
2389 DBG1(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x) "
2390 "failed, not found", src_ts, dst_ts, policy_dir_names,
2391 direction, mark.value, mark.mask);
2392 }
2393 else
2394 {
2395 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found",
2396 src_ts, dst_ts, policy_dir_names, direction);
2397 }
2398 this->mutex->unlock(this->mutex);
2399 return NOT_FOUND;
2400 }
2401
2402 /* remove mapping to SA by reqid */
2403 enumerator = current->used_by->create_enumerator(current->used_by);
2404 while (enumerator->enumerate(enumerator, (void**)&mapping))
2405 {
2406 if (reqid == mapping->sa->cfg.reqid)
2407 {
2408 current->used_by->remove_at(current->used_by, enumerator);
2409 policy_sa_destroy(mapping, &direction, this);
2410 break;
2411 }
2412 is_installed = FALSE;
2413 }
2414 enumerator->destroy(enumerator);
2415
2416 if (current->used_by->get_count(current->used_by) > 0)
2417 { /* policy is used by more SAs, keep in kernel */
2418 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
2419 if (!is_installed)
2420 { /* no need to update as the policy was not installed for this SA */
2421 this->mutex->unlock(this->mutex);
2422 return SUCCESS;
2423 }
2424
2425 if (mark.value)
2426 {
2427 DBG2(DBG_KNL, "updating policy %R === %R %N (mark %u/0x%8x)",
2428 src_ts, dst_ts, policy_dir_names, direction,
2429 mark.value, mark.mask);
2430 }
2431 else
2432 {
2433 DBG2(DBG_KNL, "updating policy %R === %R %N",
2434 src_ts, dst_ts, policy_dir_names, direction);
2435 }
2436
2437 current->used_by->get_first(current->used_by, (void**)&mapping);
2438 if (add_policy_internal(this, current, mapping, TRUE) != SUCCESS)
2439 {
2440 DBG1(DBG_KNL, "unable to update policy %R === %R %N",
2441 src_ts, dst_ts, policy_dir_names, direction);
2442 return FAILED;
2443 }
2444 return SUCCESS;
2445 }
2446
2447 memset(&request, 0, sizeof(request));
2448
2449 hdr = (struct nlmsghdr*)request;
2450 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2451 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
2452 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2453
2454 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
2455 policy_id->sel = current->sel;
2456 policy_id->dir = direction;
2457
2458 if (mark.value)
2459 {
2460 struct xfrm_mark *mrk;
2461 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
2462
2463 rthdr->rta_type = XFRMA_MARK;
2464 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
2465 hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len);
2466 if (hdr->nlmsg_len > sizeof(request))
2467 {
2468 return FAILED;
2469 }
2470
2471 mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
2472 mrk->v = mark.value;
2473 mrk->m = mark.mask;
2474 }
2475
2476 if (current->route)
2477 {
2478 route_entry_t *route = current->route;
2479 if (hydra->kernel_interface->del_route(hydra->kernel_interface,
2480 route->dst_net, route->prefixlen, route->gateway,
2481 route->src_ip, route->if_name) != SUCCESS)
2482 {
2483 DBG1(DBG_KNL, "error uninstalling route installed with "
2484 "policy %R === %R %N", src_ts, dst_ts,
2485 policy_dir_names, direction);
2486 }
2487 }
2488
2489 this->policies->remove(this->policies, current);
2490 policy_entry_destroy(this, current);
2491 this->mutex->unlock(this->mutex);
2492
2493 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2494 {
2495 if (mark.value)
2496 {
2497 DBG1(DBG_KNL, "unable to delete policy %R === %R %N "
2498 "(mark %u/0x%8x)", src_ts, dst_ts, policy_dir_names,
2499 direction, mark.value, mark.mask);
2500 }
2501 else
2502 {
2503 DBG1(DBG_KNL, "unable to delete policy %R === %R %N",
2504 src_ts, dst_ts, policy_dir_names, direction);
2505 }
2506 return FAILED;
2507 }
2508 return SUCCESS;
2509 }
2510
2511 METHOD(kernel_ipsec_t, bypass_socket, bool,
2512 private_kernel_netlink_ipsec_t *this, int fd, int family)
2513 {
2514 struct xfrm_userpolicy_info policy;
2515 u_int sol, ipsec_policy;
2516
2517 switch (family)
2518 {
2519 case AF_INET:
2520 sol = SOL_IP;
2521 ipsec_policy = IP_XFRM_POLICY;
2522 break;
2523 case AF_INET6:
2524 sol = SOL_IPV6;
2525 ipsec_policy = IPV6_XFRM_POLICY;
2526 break;
2527 default:
2528 return FALSE;
2529 }
2530
2531 memset(&policy, 0, sizeof(policy));
2532 policy.action = XFRM_POLICY_ALLOW;
2533 policy.sel.family = family;
2534
2535 policy.dir = XFRM_POLICY_OUT;
2536 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2537 {
2538 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2539 strerror(errno));
2540 return FALSE;
2541 }
2542 policy.dir = XFRM_POLICY_IN;
2543 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
2544 {
2545 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
2546 strerror(errno));
2547 return FALSE;
2548 }
2549 return TRUE;
2550 }
2551
2552 METHOD(kernel_ipsec_t, destroy, void,
2553 private_kernel_netlink_ipsec_t *this)
2554 {
2555 enumerator_t *enumerator;
2556 policy_entry_t *policy;
2557
2558 if (this->job)
2559 {
2560 this->job->cancel(this->job);
2561 }
2562 if (this->socket_xfrm_events > 0)
2563 {
2564 close(this->socket_xfrm_events);
2565 }
2566 DESTROY_IF(this->socket_xfrm);
2567 enumerator = this->policies->create_enumerator(this->policies);
2568 while (enumerator->enumerate(enumerator, &policy, &policy))
2569 {
2570 policy_entry_destroy(this, policy);
2571 }
2572 enumerator->destroy(enumerator);
2573 this->policies->destroy(this->policies);
2574 this->sas->destroy(this->sas);
2575 this->mutex->destroy(this->mutex);
2576 free(this);
2577 }
2578
2579 /*
2580 * Described in header.
2581 */
2582 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
2583 {
2584 private_kernel_netlink_ipsec_t *this;
2585 struct sockaddr_nl addr;
2586 int fd;
2587
2588 INIT(this,
2589 .public = {
2590 .interface = {
2591 .get_spi = _get_spi,
2592 .get_cpi = _get_cpi,
2593 .add_sa = _add_sa,
2594 .update_sa = _update_sa,
2595 .query_sa = _query_sa,
2596 .del_sa = _del_sa,
2597 .add_policy = _add_policy,
2598 .query_policy = _query_policy,
2599 .del_policy = _del_policy,
2600 .bypass_socket = _bypass_socket,
2601 .destroy = _destroy,
2602 },
2603 },
2604 .policies = hashtable_create((hashtable_hash_t)policy_hash,
2605 (hashtable_equals_t)policy_equals, 32),
2606 .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
2607 (hashtable_equals_t)ipsec_sa_equals, 32),
2608 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
2609 .install_routes = lib->settings->get_bool(lib->settings,
2610 "%s.install_routes", TRUE, hydra->daemon),
2611 .replay_window = lib->settings->get_int(lib->settings,
2612 "%s.replay_window", DEFAULT_REPLAY_WINDOW, hydra->daemon),
2613 );
2614
2615 this->replay_bmp = (this->replay_window + sizeof(u_int32_t) * 8 - 1) /
2616 (sizeof(u_int32_t) * 8);
2617
2618 if (streq(hydra->daemon, "pluto"))
2619 { /* no routes for pluto, they are installed via updown script */
2620 this->install_routes = FALSE;
2621 }
2622
2623 /* disable lifetimes for allocated SPIs in kernel */
2624 fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
2625 if (fd)
2626 {
2627 ignore_result(write(fd, "165", 3));
2628 close(fd);
2629 }
2630
2631 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
2632 if (!this->socket_xfrm)
2633 {
2634 destroy(this);
2635 return NULL;
2636 }
2637
2638 memset(&addr, 0, sizeof(addr));
2639 addr.nl_family = AF_NETLINK;
2640
2641 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
2642 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
2643 if (this->socket_xfrm_events <= 0)
2644 {
2645 DBG1(DBG_KNL, "unable to create XFRM event socket");
2646 destroy(this);
2647 return NULL;
2648 }
2649 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
2650 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
2651 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
2652 {
2653 DBG1(DBG_KNL, "unable to bind XFRM event socket");
2654 destroy(this);
2655 return NULL;
2656 }
2657 this->job = callback_job_create_with_prio((callback_job_cb_t)receive_events,
2658 this, NULL, NULL, JOB_PRIO_CRITICAL);
2659 lib->processor->queue_job(lib->processor, (job_t*)this->job);
2660
2661 return &this->public;
2662 }
2663