ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity
strongswan/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

3672 lines
91 KiB
C
Raw Blame History

/*
* Copyright (C) 2006-2019 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2008-2016 Andreas Steffen
* Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005 Jan Hutter
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/*
* Copyright (C) 2018 Mellanox Technologies.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <stdint.h>
#include <linux/ipsec.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/xfrm.h>
#include <linux/udp.h>
#include <linux/ethtool.h>
#include <linux/sockios.h>
#include <net/if.h>
#include <unistd.h>
#include <time.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include <dlfcn.h>
#include "kernel_netlink_ipsec.h"
#include "kernel_netlink_shared.h"
#include <daemon.h>
#include <utils/debug.h>
#include <threading/mutex.h>
#include <threading/condvar.h>
#include <collections/array.h>
#include <collections/hashtable.h>
#include <collections/linked_list.h>
/** Required for Linux 2.6.26 kernel and later */
#ifndef XFRM_STATE_AF_UNSPEC
#define XFRM_STATE_AF_UNSPEC 32
#endif
/** From linux/in.h */
#ifndef IP_XFRM_POLICY
#define IP_XFRM_POLICY 17
#endif
/** Missing on uclibc */
#ifndef IPV6_XFRM_POLICY
#define IPV6_XFRM_POLICY 34
#endif /*IPV6_XFRM_POLICY*/
/* from linux/udp.h */
#ifndef UDP_ENCAP
#define UDP_ENCAP 100
#endif
#ifndef UDP_ENCAP_ESPINUDP
#define UDP_ENCAP_ESPINUDP 2
#endif
/* this is not defined on some platforms */
#ifndef SOL_UDP
#define SOL_UDP IPPROTO_UDP
#endif
/** Base priority for installed policies */
#define PRIO_BASE 200000
/**
* Map the limit for bytes and packets to XFRM_INF by default
*/
#define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
/**
* Create ORable bitfield of XFRM NL groups
*/
#define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
/**
* Returns a pointer to the first rtattr following the nlmsghdr *nlh and the
* 'usual' netlink data x like 'struct xfrm_usersa_info'
*/
#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + \
NLMSG_ALIGN(sizeof(x))))
/**
* Returns the total size of attached rta data
* (after 'usual' netlink data x like 'struct xfrm_usersa_info')
*/
#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
typedef struct kernel_algorithm_t kernel_algorithm_t;
/**
* Mapping of IKEv2 kernel identifier to linux crypto API names
*/
struct kernel_algorithm_t {
/**
* Identifier specified in IKEv2
*/
int ikev2;
/**
* Name of the algorithm in linux crypto API
*/
const char *name;
};
ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
"XFRM_MSG_NEWSA",
"XFRM_MSG_DELSA",
"XFRM_MSG_GETSA",
"XFRM_MSG_NEWPOLICY",
"XFRM_MSG_DELPOLICY",
"XFRM_MSG_GETPOLICY",
"XFRM_MSG_ALLOCSPI",
"XFRM_MSG_ACQUIRE",
"XFRM_MSG_EXPIRE",
"XFRM_MSG_UPDPOLICY",
"XFRM_MSG_UPDSA",
"XFRM_MSG_POLEXPIRE",
"XFRM_MSG_FLUSHSA",
"XFRM_MSG_FLUSHPOLICY",
"XFRM_MSG_NEWAE",
"XFRM_MSG_GETAE",
"XFRM_MSG_REPORT",
"XFRM_MSG_MIGRATE",
"XFRM_MSG_NEWSADINFO",
"XFRM_MSG_GETSADINFO",
"XFRM_MSG_NEWSPDINFO",
"XFRM_MSG_GETSPDINFO",
"XFRM_MSG_MAPPING"
);
ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_OFFLOAD_DEV,
"XFRMA_UNSPEC",
"XFRMA_ALG_AUTH",
"XFRMA_ALG_CRYPT",
"XFRMA_ALG_COMP",
"XFRMA_ENCAP",
"XFRMA_TMPL",
"XFRMA_SA",
"XFRMA_POLICY",
"XFRMA_SEC_CTX",
"XFRMA_LTIME_VAL",
"XFRMA_REPLAY_VAL",
"XFRMA_REPLAY_THRESH",
"XFRMA_ETIMER_THRESH",
"XFRMA_SRCADDR",
"XFRMA_COADDR",
"XFRMA_LASTUSED",
"XFRMA_POLICY_TYPE",
"XFRMA_MIGRATE",
"XFRMA_ALG_AEAD",
"XFRMA_KMADDRESS",
"XFRMA_ALG_AUTH_TRUNC",
"XFRMA_MARK",
"XFRMA_TFCPAD",
"XFRMA_REPLAY_ESN_VAL",
"XFRMA_SA_EXTRA_FLAGS",
"XFRMA_PROTO",
"XFRMA_ADDRESS_FILTER",
"XFRMA_PAD",
"XFRMA_OFFLOAD_DEV",
);
/**
* Algorithms for encryption
*/
static kernel_algorithm_t encryption_algs[] = {
/* {ENCR_DES_IV64, "***" }, */
{ENCR_DES, "des" },
{ENCR_3DES, "des3_ede" },
/* {ENCR_RC5, "***" }, */
/* {ENCR_IDEA, "***" }, */
{ENCR_CAST, "cast5" },
{ENCR_BLOWFISH, "blowfish" },
/* {ENCR_3IDEA, "***" }, */
/* {ENCR_DES_IV32, "***" }, */
{ENCR_NULL, "cipher_null" },
{ENCR_AES_CBC, "aes" },
{ENCR_AES_CTR, "rfc3686(ctr(aes))" },
{ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
{ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
{ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
{ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
{ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
{ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
{ENCR_NULL_AUTH_AES_GMAC, "rfc4543(gcm(aes))" },
{ENCR_CAMELLIA_CBC, "cbc(camellia)" },
/* {ENCR_CAMELLIA_CTR, "***" }, */
/* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
/* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
/* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
{ENCR_SERPENT_CBC, "serpent" },
{ENCR_TWOFISH_CBC, "twofish" },
{ENCR_CHACHA20_POLY1305, "rfc7539esp(chacha20,poly1305)"},
};
/**
* Algorithms for integrity protection
*/
static kernel_algorithm_t integrity_algs[] = {
{AUTH_HMAC_MD5_96, "md5" },
{AUTH_HMAC_MD5_128, "hmac(md5)" },
{AUTH_HMAC_SHA1_96, "sha1" },
{AUTH_HMAC_SHA1_160, "hmac(sha1)" },
{AUTH_HMAC_SHA2_256_96, "sha256" },
{AUTH_HMAC_SHA2_256_128, "hmac(sha256)" },
{AUTH_HMAC_SHA2_256_256, "hmac(sha256)" },
{AUTH_HMAC_SHA2_384_192, "hmac(sha384)" },
{AUTH_HMAC_SHA2_384_384, "hmac(sha384)" },
{AUTH_HMAC_SHA2_512_256, "hmac(sha512)" },
{AUTH_HMAC_SHA2_512_512, "hmac(sha512)" },
/* {AUTH_DES_MAC, "***" }, */
/* {AUTH_KPDK_MD5, "***" }, */
{AUTH_AES_XCBC_96, "xcbc(aes)" },
{AUTH_AES_CMAC_96, "cmac(aes)" },
};
/**
* Algorithms for IPComp
*/
static kernel_algorithm_t compression_algs[] = {
/* {IPCOMP_OUI, "***" }, */
{IPCOMP_DEFLATE, "deflate" },
{IPCOMP_LZS, "lzs" },
{IPCOMP_LZJH, "lzjh" },
};
/**
* Look up a kernel algorithm name and its key size
*/
static const char* lookup_algorithm(transform_type_t type, int ikev2)
{
kernel_algorithm_t *list;
int i, count;
char *name;
switch (type)
{
case ENCRYPTION_ALGORITHM:
list = encryption_algs;
count = countof(encryption_algs);
break;
case INTEGRITY_ALGORITHM:
list = integrity_algs;
count = countof(integrity_algs);
break;
case COMPRESSION_ALGORITHM:
list = compression_algs;
count = countof(compression_algs);
break;
default:
return NULL;
}
for (i = 0; i < count; i++)
{
if (list[i].ikev2 == ikev2)
{
return list[i].name;
}
}
if (charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, NULL,
&name))
{
return name;
}
return NULL;
}
typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
/**
* Private variables and functions of kernel_netlink class.
*/
struct private_kernel_netlink_ipsec_t {
/**
* Public part of the kernel_netlink_t object
*/
kernel_netlink_ipsec_t public;
/**
* Mutex to lock access to installed policies
*/
mutex_t *mutex;
/**
* Condvar to synchronize access to individual policies
*/
condvar_t *condvar;
/**
* Hash table of installed policies (policy_entry_t)
*/
hashtable_t *policies;
/**
* Hash table of IPsec SAs using policies (ipsec_sa_t)
*/
hashtable_t *sas;
/**
* Netlink xfrm socket (IPsec)
*/
netlink_socket_t *socket_xfrm;
/**
* Netlink xfrm socket to receive acquire and expire events
*/
int socket_xfrm_events;
/**
* Whether to install routes along policies
*/
bool install_routes;
/**
* Whether to set protocol and ports on selector installed with transport
* mode IPsec SAs
*/
bool proto_port_transport;
/**
* Whether to always use UPDATE to install policies
*/
bool policy_update;
/**
* Installed port based IKE bypass policies, as bypass_t
*/
array_t *bypass;
/**
* Custom priority calculation function
*/
uint32_t (*get_priority)(kernel_ipsec_policy_id_t *id,
kernel_ipsec_manage_policy_t *data);
};
typedef struct ipsec_sa_t ipsec_sa_t;
/**
* IPsec SA assigned to a policy.
*/
struct ipsec_sa_t {
/** Source address of this SA */
host_t *src;
/** Destination address of this SA */
host_t *dst;
/** Optional mark */
mark_t mark;
/** Optional mark */
uint32_t if_id;
/** Description of this SA */
ipsec_sa_cfg_t cfg;
/** Reference count for this SA */
refcount_t refcount;
};
/**
* Hash function for ipsec_sa_t objects
*/
static u_int ipsec_sa_hash(ipsec_sa_t *sa)
{
return chunk_hash_inc(sa->src->get_address(sa->src),
chunk_hash_inc(sa->dst->get_address(sa->dst),
chunk_hash_inc(chunk_from_thing(sa->mark),
chunk_hash_inc(chunk_from_thing(sa->if_id),
chunk_hash(chunk_from_thing(sa->cfg))))));
}
/**
* Equality function for ipsec_sa_t objects
*/
static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
{
return sa->src->ip_equals(sa->src, other_sa->src) &&
sa->dst->ip_equals(sa->dst, other_sa->dst) &&
sa->mark.value == other_sa->mark.value &&
sa->mark.mask == other_sa->mark.mask &&
sa->if_id == other_sa->if_id &&
ipsec_sa_cfg_equals(&sa->cfg, &other_sa->cfg);
}
/**
* Allocate or reference an IPsec SA object
*/
static ipsec_sa_t *ipsec_sa_create(private_kernel_netlink_ipsec_t *this,
host_t *src, host_t *dst, mark_t mark,
uint32_t if_id, ipsec_sa_cfg_t *cfg)
{
ipsec_sa_t *sa, *found;
INIT(sa,
.src = src,
.dst = dst,
.mark = mark,
.if_id = if_id,
.cfg = *cfg,
);
found = this->sas->get(this->sas, sa);
if (!found)
{
sa->src = src->clone(src);
sa->dst = dst->clone(dst);
this->sas->put(this->sas, sa, sa);
}
else
{
free(sa);
sa = found;
}
ref_get(&sa->refcount);
return sa;
}
/**
* Release and destroy an IPsec SA object
*/
static void ipsec_sa_destroy(private_kernel_netlink_ipsec_t *this,
ipsec_sa_t *sa)
{
if (ref_put(&sa->refcount))
{
this->sas->remove(this->sas, sa);
DESTROY_IF(sa->src);
DESTROY_IF(sa->dst);
free(sa);
}
}
typedef struct policy_sa_t policy_sa_t;
typedef struct policy_sa_out_t policy_sa_out_t;
/**
* Mapping between a policy and an IPsec SA.
*/
struct policy_sa_t {
/** Priority assigned to the policy when installed with this SA */
uint32_t priority;
/** Automatic priority assigned to the policy when installed with this SA */
uint32_t auto_priority;
/** Type of the policy */
policy_type_t type;
/** Assigned SA */
ipsec_sa_t *sa;
};
/**
* For outbound policies we also cache the traffic selectors in order to install
* the route.
*/
struct policy_sa_out_t {
/** Generic interface */
policy_sa_t generic;
/** Source traffic selector of this policy */
traffic_selector_t *src_ts;
/** Destination traffic selector of this policy */
traffic_selector_t *dst_ts;
};
/**
* Create a policy_sa(_in)_t object
*/
static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts, mark_t mark,
uint32_t if_id, ipsec_sa_cfg_t *cfg)
{
policy_sa_t *policy;
if (dir == POLICY_OUT)
{
policy_sa_out_t *out;
INIT(out,
.src_ts = src_ts->clone(src_ts),
.dst_ts = dst_ts->clone(dst_ts),
);
policy = &out->generic;
}
else
{
INIT(policy, .priority = 0);
}
policy->type = type;
policy->sa = ipsec_sa_create(this, src, dst, mark, if_id, cfg);
return policy;
}
/**
* Destroy a policy_sa(_in)_t object
*/
static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t dir,
private_kernel_netlink_ipsec_t *this)
{
if (dir == POLICY_OUT)
{
policy_sa_out_t *out = (policy_sa_out_t*)policy;
out->src_ts->destroy(out->src_ts);
out->dst_ts->destroy(out->dst_ts);
}
ipsec_sa_destroy(this, policy->sa);
free(policy);
}
CALLBACK(policy_sa_destroy_cb, void,
policy_sa_t *policy, va_list args)
{
private_kernel_netlink_ipsec_t *this;
policy_dir_t dir;
VA_ARGS_VGET(args, dir, this);
policy_sa_destroy(policy, dir, this);
}
typedef struct policy_entry_t policy_entry_t;
/**
* Installed kernel policy.
*/
struct policy_entry_t {
/** Direction of this policy: in, out, forward */
uint8_t direction;
/** Parameters of installed policy */
struct xfrm_selector sel;
/** Optional mark */
uint32_t mark;
/** Optional interface ID */
uint32_t if_id;
/** Associated route installed for this policy */
route_entry_t *route;
/** List of SAs this policy is used by, ordered by priority */
linked_list_t *used_by;
/** reqid for this policy */
uint32_t reqid;
/** Number of threads waiting to work on this policy */
int waiting;
/** TRUE if a thread is working on this policy */
bool working;
};
/**
* Destroy a policy_entry_t object
*/
static void policy_entry_destroy(private_kernel_netlink_ipsec_t *this,
policy_entry_t *policy)
{
if (policy->route)
{
route_entry_destroy(policy->route);
}
if (policy->used_by)
{
policy->used_by->invoke_function(policy->used_by, policy_sa_destroy_cb,
policy->direction, this);
policy->used_by->destroy(policy->used_by);
}
free(policy);
}
/**
* Hash function for policy_entry_t objects
*/
static u_int policy_hash(policy_entry_t *key)
{
chunk_t chunk = chunk_from_thing(key->sel);
return chunk_hash_inc(chunk, chunk_hash_inc(chunk_from_thing(key->mark),
chunk_hash(chunk_from_thing(key->if_id))));
}
/**
* Equality function for policy_entry_t objects
*/
static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
{
return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
key->mark == other_key->mark &&
key->if_id == other_key->if_id &&
key->direction == other_key->direction;
}
/**
* Determine number of set bits in 16 bit port mask
*/
static inline uint32_t port_mask_bits(uint16_t port_mask)
{
uint32_t bits;
uint16_t bit_mask = 0x8000;
port_mask = ntohs(port_mask);
for (bits = 0; bits < 16; bits++)
{
if (!(port_mask & bit_mask))
{
break;
}
bit_mask >>= 1;
}
return bits;
}
/**
* Calculate the priority of a policy
*
* bits 0-0: separate trap and regular policies (0..1) 1 bit
* bits 1-1: restriction to network interface (0..1) 1 bit
* bits 2-7: src + dst port mask bits (2 * 0..16) 6 bits
* bits 8-8: restriction to protocol (0..1) 1 bit
* bits 9-17: src + dst network mask bits (2 * 0..128) 9 bits
* 18 bits
*
* smallest value: 000000000 0 000000 0 0: 0, lowest priority = 200'000
* largest value : 100000000 1 100000 1 1: 131'459, highst priority = 68'541
*/
static uint32_t get_priority(policy_entry_t *policy, policy_priority_t prio,
char *interface)
{
uint32_t priority = PRIO_BASE, sport_mask_bits, dport_mask_bits;
switch (prio)
{
case POLICY_PRIORITY_FALLBACK:
priority += PRIO_BASE;
/* fall-through to next case */
case POLICY_PRIORITY_ROUTED:
case POLICY_PRIORITY_DEFAULT:
priority += PRIO_BASE;
/* fall-through to next case */
case POLICY_PRIORITY_PASS:
break;
}
sport_mask_bits = port_mask_bits(policy->sel.sport_mask);
dport_mask_bits = port_mask_bits(policy->sel.dport_mask);
/* calculate priority */
priority -= (policy->sel.prefixlen_s + policy->sel.prefixlen_d) * 512;
priority -= policy->sel.proto ? 256 : 0;
priority -= (sport_mask_bits + dport_mask_bits) * 4;
priority -= (interface != NULL) * 2;
priority -= (prio != POLICY_PRIORITY_ROUTED);
return priority;
}
/**
* Convert the general ipsec mode to the one defined in xfrm.h
*/
static uint8_t mode2kernel(ipsec_mode_t mode)
{
switch (mode)
{
case MODE_TRANSPORT:
return XFRM_MODE_TRANSPORT;
case MODE_TUNNEL:
return XFRM_MODE_TUNNEL;
case MODE_BEET:
return XFRM_MODE_BEET;
default:
return mode;
}
}
/**
* Convert a host_t to a struct xfrm_address
*/
static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
{
chunk_t chunk = host->get_address(host);
memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
}
/**
* Convert a struct xfrm_address to a host_t
*/
static host_t* xfrm2host(int family, xfrm_address_t *xfrm, uint16_t port)
{
chunk_t chunk;
switch (family)
{
case AF_INET:
chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
break;
case AF_INET6:
chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
break;
default:
return NULL;
}
return host_create_from_chunk(family, chunk, ntohs(port));
}
/**
* Convert a traffic selector address range to subnet and its mask.
*/
static void ts2subnet(traffic_selector_t* ts,
xfrm_address_t *net, uint8_t *mask)
{
host_t *net_host;
chunk_t net_chunk;
ts->to_subnet(ts, &net_host, mask);
net_chunk = net_host->get_address(net_host);
memcpy(net, net_chunk.ptr, net_chunk.len);
net_host->destroy(net_host);
}
/**
* Convert a traffic selector port range to port/portmask
*/
static void ts2ports(traffic_selector_t* ts,
uint16_t *port, uint16_t *mask)
{
uint16_t from, to, bitmask;
int bit;
from = ts->get_from_port(ts);
to = ts->get_to_port(ts);
/* Quick check for a single port */
if (from == to)
{
*port = htons(from);
*mask = ~0;
}
else
{
/* Compute the port mask for port ranges */
*mask = 0;
for (bit = 15; bit >= 0; bit--)
{
bitmask = 1 << bit;
if ((bitmask & from) != (bitmask & to))
{
*port = htons(from & *mask);
*mask = htons(*mask);
return;
}
*mask |= bitmask;
}
}
return;
}
/**
* Convert a pair of traffic_selectors to an xfrm_selector
*/
static struct xfrm_selector ts2selector(traffic_selector_t *src,
traffic_selector_t *dst,
char *interface)
{
struct xfrm_selector sel;
uint16_t port;
memset(&sel, 0, sizeof(sel));
sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
/* src or dest proto may be "any" (0), use more restrictive one */
sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
ts2ports(dst, &sel.dport, &sel.dport_mask);
ts2ports(src, &sel.sport, &sel.sport_mask);
if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
(sel.dport || sel.sport))
{
/* the kernel expects the ICMP type and code in the source and
* destination port fields, respectively. */
port = ntohs(max(sel.dport, sel.sport));
sel.sport = htons(traffic_selector_icmp_type(port));
sel.sport_mask = sel.sport ? ~0 : 0;
sel.dport = htons(traffic_selector_icmp_code(port));
sel.dport_mask = sel.dport ? ~0 : 0;
}
sel.ifindex = interface ? if_nametoindex(interface) : 0;
sel.user = 0;
return sel;
}
/**
* Convert an xfrm_selector to a src|dst traffic_selector
*/
static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
{
u_char *addr;
uint8_t prefixlen;
uint16_t port = 0;
host_t *host = NULL;
if (src)
{
addr = (u_char*)&sel->saddr;
prefixlen = sel->prefixlen_s;
if (sel->sport_mask)
{
port = ntohs(sel->sport);
}
}
else
{
addr = (u_char*)&sel->daddr;
prefixlen = sel->prefixlen_d;
if (sel->dport_mask)
{
port = ntohs(sel->dport);
}
}
if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
{ /* convert ICMP[v6] message type and code as supplied by the kernel in
* source and destination ports (both in network order) */
port = (sel->sport >> 8) | (sel->dport & 0xff00);
port = ntohs(port);
}
/* The Linux 2.6 kernel does not set the selector's family field,
* so as a kludge we additionally test the prefix length.
*/
if (sel->family == AF_INET || sel->prefixlen_s == 32)
{
host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
}
else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
{
host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
}
if (host)
{
return traffic_selector_create_from_subnet(host, prefixlen,
sel->proto, port, port ?: 65535);
}
return NULL;
}
/**
* Process a XFRM_MSG_ACQUIRE from kernel
*/
static void process_acquire(private_kernel_netlink_ipsec_t *this,
struct nlmsghdr *hdr)
{
struct xfrm_user_acquire *acquire;
struct rtattr *rta;
size_t rtasize;
traffic_selector_t *src_ts, *dst_ts;
uint32_t reqid = 0;
int proto = 0;
acquire = NLMSG_DATA(hdr);
rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
while (RTA_OK(rta, rtasize))
{
DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
if (rta->rta_type == XFRMA_TMPL)
{
struct xfrm_user_tmpl* tmpl;
tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
reqid = tmpl->reqid;
proto = tmpl->id.proto;
}
rta = RTA_NEXT(rta, rtasize);
}
switch (proto)
{
case 0:
case IPPROTO_ESP:
case IPPROTO_AH:
break;
default:
/* acquire for AH/ESP only, not for IPCOMP */
return;
}
src_ts = selector2ts(&acquire->sel, TRUE);
dst_ts = selector2ts(&acquire->sel, FALSE);
charon->kernel->acquire(charon->kernel, reqid, src_ts, dst_ts);
}
/**
* Process a XFRM_MSG_EXPIRE from kernel
*/
static void process_expire(private_kernel_netlink_ipsec_t *this,
struct nlmsghdr *hdr)
{
struct xfrm_user_expire *expire;
uint32_t spi;
uint8_t protocol;
host_t *dst;
expire = NLMSG_DATA(hdr);
protocol = expire->state.id.proto;
spi = expire->state.id.spi;
DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH)
{
dst = xfrm2host(expire->state.family, &expire->state.id.daddr, 0);
if (dst)
{
charon->kernel->expire(charon->kernel, protocol, spi, dst,
expire->hard != 0);
dst->destroy(dst);
}
}
}
/**
* Process a XFRM_MSG_MIGRATE from kernel
*/
static void process_migrate(private_kernel_netlink_ipsec_t *this,
struct nlmsghdr *hdr)
{
struct xfrm_userpolicy_id *policy_id;
struct rtattr *rta;
size_t rtasize;
traffic_selector_t *src_ts, *dst_ts;
host_t *local = NULL, *remote = NULL;
host_t *old_src = NULL, *old_dst = NULL;
host_t *new_src = NULL, *new_dst = NULL;
uint32_t reqid = 0;
policy_dir_t dir;
policy_id = NLMSG_DATA(hdr);
rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
src_ts = selector2ts(&policy_id->sel, TRUE);
dst_ts = selector2ts(&policy_id->sel, FALSE);
dir = (policy_dir_t)policy_id->dir;
DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
while (RTA_OK(rta, rtasize))
{
DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
if (rta->rta_type == XFRMA_KMADDRESS)
{
struct xfrm_user_kmaddress *kmaddress;
kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
}
else if (rta->rta_type == XFRMA_MIGRATE)
{
struct xfrm_user_migrate *migrate;
migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
reqid = migrate->reqid;
DBG2(DBG_KNL, " migrate %H...%H to %H...%H, reqid {%u}",
old_src, old_dst, new_src, new_dst, reqid);
DESTROY_IF(old_src);
DESTROY_IF(old_dst);
DESTROY_IF(new_src);
DESTROY_IF(new_dst);
}
rta = RTA_NEXT(rta, rtasize);
}
if (src_ts && dst_ts && local && remote)
{
charon->kernel->migrate(charon->kernel, reqid, src_ts, dst_ts, dir,
local, remote);
}
else
{
DESTROY_IF(src_ts);
DESTROY_IF(dst_ts);
DESTROY_IF(local);
DESTROY_IF(remote);
}
}
/**
* Process a XFRM_MSG_MAPPING from kernel
*/
static void process_mapping(private_kernel_netlink_ipsec_t *this,
struct nlmsghdr *hdr)
{
struct xfrm_user_mapping *mapping;
uint32_t spi;
mapping = NLMSG_DATA(hdr);
spi = mapping->id.spi;
DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
if (mapping->id.proto == IPPROTO_ESP)
{
host_t *dst, *new;
dst = xfrm2host(mapping->id.family, &mapping->id.daddr, 0);
if (dst)
{
new = xfrm2host(mapping->id.family, &mapping->new_saddr,
mapping->new_sport);
if (new)
{
charon->kernel->mapping(charon->kernel, IPPROTO_ESP, spi, dst,
new);
new->destroy(new);
}
dst->destroy(dst);
}
}
}
/**
* Receives events from kernel
*/
static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd,
watcher_event_t event)
{
char response[netlink_get_buflen()];
struct nlmsghdr *hdr = (struct nlmsghdr*)response;
struct sockaddr_nl addr;
socklen_t addr_len = sizeof(addr);
int len;
len = recvfrom(this->socket_xfrm_events, response, sizeof(response),
MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len);
if (len < 0)
{
switch (errno)
{
case EINTR:
/* interrupted, try again */
return TRUE;
case EAGAIN:
/* no data ready, select again */
return TRUE;
default:
DBG1(DBG_KNL, "unable to receive from XFRM event socket: %s "
"(%d)", strerror(errno), errno);
sleep(1);
return TRUE;
}
}
if (addr.nl_pid != 0)
{ /* not from kernel. not interested, try another one */
return TRUE;
}
while (NLMSG_OK(hdr, len))
{
switch (hdr->nlmsg_type)
{
case XFRM_MSG_ACQUIRE:
process_acquire(this, hdr);
break;
case XFRM_MSG_EXPIRE:
process_expire(this, hdr);
break;
case XFRM_MSG_MIGRATE:
process_migrate(this, hdr);
break;
case XFRM_MSG_MAPPING:
process_mapping(this, hdr);
break;
default:
DBG1(DBG_KNL, "received unknown event from XFRM event "
"socket: %d", hdr->nlmsg_type);
break;
}
hdr = NLMSG_NEXT(hdr, len);
}
return TRUE;
}
METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
private_kernel_netlink_ipsec_t *this)
{
return KERNEL_ESP_V3_TFC | KERNEL_POLICY_SPI;
}
/**
* Get an SPI for a specific protocol from the kernel.
*/
static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
host_t *src, host_t *dst, uint8_t proto, uint32_t min, uint32_t max,
uint32_t *spi)
{
netlink_buf_t request;
struct nlmsghdr *hdr, *out;
struct xfrm_userspi_info *userspi;
uint32_t received_spi = 0;
size_t len;
memset(&request, 0, sizeof(request));
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST;
hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
userspi = NLMSG_DATA(hdr);
host2xfrm(src, &userspi->info.saddr);
host2xfrm(dst, &userspi->info.id.daddr);
userspi->info.id.proto = proto;
userspi->info.mode = XFRM_MODE_TUNNEL;
userspi->info.family = src->get_family(src);
userspi->min = min;
userspi->max = max;
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
{
hdr = out;
while (NLMSG_OK(hdr, len))
{
switch (hdr->nlmsg_type)
{
case XFRM_MSG_NEWSA:
{
struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
received_spi = usersa->id.spi;
break;
}
case NLMSG_ERROR:
{
struct nlmsgerr *err = NLMSG_DATA(hdr);
DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
strerror(-err->error), -err->error);
break;
}
default:
hdr = NLMSG_NEXT(hdr, len);
continue;
case NLMSG_DONE:
break;
}
break;
}
free(out);
}
if (received_spi == 0)
{
return FAILED;
}
*spi = received_spi;
return SUCCESS;
}
METHOD(kernel_ipsec_t, get_spi, status_t,
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
uint8_t protocol, uint32_t *spi)
{
uint32_t spi_min, spi_max;
spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
KERNEL_SPI_MIN, lib->ns);
spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
KERNEL_SPI_MAX, lib->ns);
if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max),
max(spi_min, spi_max), spi) != SUCCESS)
{
DBG1(DBG_KNL, "unable to get SPI");
return FAILED;
}
DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi));
return SUCCESS;
}
METHOD(kernel_ipsec_t, get_cpi, status_t,
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
uint16_t *cpi)
{
uint32_t received_spi = 0;
if (get_spi_internal(this, src, dst, IPPROTO_COMP,
0x100, 0xEFFF, &received_spi) != SUCCESS)
{
DBG1(DBG_KNL, "unable to get CPI");
return FAILED;
}
*cpi = htons((uint16_t)ntohl(received_spi));
DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi));
return SUCCESS;
}
/**
* Format the mark for debug messages
*/
static void format_mark(char *buf, int buflen, mark_t mark)
{
if (mark.value | mark.mask)
{
snprintf(buf, buflen, " (mark %u/0x%08x)", mark.value, mark.mask);
}
}
/**
* Add a XFRM mark to message if required
*/
static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark)
{
if (mark.value | mark.mask)
{
struct xfrm_mark *xmrk;
xmrk = netlink_reserve(hdr, buflen, XFRMA_MARK, sizeof(*xmrk));
if (!xmrk)
{
return FALSE;
}
xmrk->v = mark.value;
xmrk->m = mark.mask;
}
return TRUE;
}
/**
* Add a uint32 attribute to message
*/
static bool add_uint32(struct nlmsghdr *hdr, int buflen,
enum xfrm_attr_type_t type, uint32_t value)
{
uint32_t *xvalue;
xvalue = netlink_reserve(hdr, buflen, type, sizeof(*xvalue));
if (!xvalue)
{
return FALSE;
}
*xvalue = value;
return TRUE;
}
/* ETHTOOL_GSSET_INFO is available since 2.6.34 and ETH_SS_FEATURES (enum) and
* ETHTOOL_GFEATURES since 2.6.39, so check for the latter */
#ifdef ETHTOOL_GFEATURES
/**
* Global metadata used for IPsec HW offload
*/
static struct {
/** determined HW offload support */
bool supported;
/** bit in feature set */
u_int bit;
/** total number of device feature blocks */
u_int total_blocks;
} netlink_hw_offload;
/**
* Check if kernel supports HW offload and determine feature flag
*/
static void netlink_find_offload_feature(const char *ifname)
{
struct ethtool_sset_info *sset_info;
struct ethtool_gstrings *cmd = NULL;
struct ifreq ifr = { 0 };
uint32_t sset_len, i;
char *str;
int err, query_socket;
query_socket = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
if (query_socket < 0)
{
return;
}
/* determine number of device features */
INIT_EXTRA(sset_info, sizeof(uint32_t),
.cmd = ETHTOOL_GSSET_INFO,
.sset_mask = 1ULL << ETH_SS_FEATURES,
);
strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
ifr.ifr_name[IFNAMSIZ-1] = '\0';
ifr.ifr_data = (void*)sset_info;
err = ioctl(query_socket, SIOCETHTOOL, &ifr);
if (err || sset_info->sset_mask != 1ULL << ETH_SS_FEATURES)
{
goto out;
}
sset_len = sset_info->data[0];
/* retrieve names of device features */
INIT_EXTRA(cmd, ETH_GSTRING_LEN * sset_len,
.cmd = ETHTOOL_GSTRINGS,
.string_set = ETH_SS_FEATURES,
);
strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
ifr.ifr_name[IFNAMSIZ-1] = '\0';
ifr.ifr_data = (void*)cmd;
err = ioctl(query_socket, SIOCETHTOOL, &ifr);
if (err)
{
goto out;
}
/* look for the ESP_HW feature bit */
str = (char*)cmd->data;
for (i = 0; i < cmd->len; i++)
{
if (strneq(str, "esp-hw-offload", ETH_GSTRING_LEN))
{
netlink_hw_offload.supported = TRUE;
netlink_hw_offload.bit = i;
netlink_hw_offload.total_blocks = (sset_len + 31) / 32;
break;
}
str += ETH_GSTRING_LEN;
}
out:
free(sset_info);
free(cmd);
close(query_socket);
}
/**
* Check if interface supported HW offload
*/
static bool netlink_detect_offload(const char *ifname)
{
struct ethtool_gfeatures *cmd;
uint32_t feature_bit;
struct ifreq ifr = { 0 };
int query_socket;
int block;
bool ret = FALSE;
if (!netlink_hw_offload.supported)
{
DBG1(DBG_KNL, "HW offload is not supported by kernel");
return FALSE;
}
query_socket = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
if (query_socket < 0)
{
return FALSE;
}
/* feature is supported by kernel, query device features */
INIT_EXTRA(cmd, sizeof(cmd->features[0]) * netlink_hw_offload.total_blocks,
.cmd = ETHTOOL_GFEATURES,
.size = netlink_hw_offload.total_blocks,
);
strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
ifr.ifr_name[IFNAMSIZ-1] = '\0';
ifr.ifr_data = (void*)cmd;
if (!ioctl(query_socket, SIOCETHTOOL, &ifr))
{
block = netlink_hw_offload.bit / 32;
feature_bit = 1U << (netlink_hw_offload.bit % 32);
if (cmd->features[block].active & feature_bit)
{
ret = TRUE;
}
}
if (!ret)
{
DBG1(DBG_KNL, "HW offload is not supported by device");
}
free(cmd);
close(query_socket);
return ret;
}
#else
static void netlink_find_offload_feature(const char *ifname)
{
}
static bool netlink_detect_offload(const char *ifname)
{
return FALSE;
}
#endif
/**
* There are 3 HW offload configuration values:
* 1. HW_OFFLOAD_NO : Do not configure HW offload.
* 2. HW_OFFLOAD_YES : Configure HW offload.
* Fail SA addition if offload is not supported.
* 3. HW_OFFLOAD_AUTO : Configure HW offload if supported by the kernel
* and device.
* Do not fail SA addition otherwise.
*/
static bool config_hw_offload(kernel_ipsec_sa_id_t *id,
kernel_ipsec_add_sa_t *data, struct nlmsghdr *hdr,
int buflen)
{
host_t *local = data->inbound ? id->dst : id->src;
struct xfrm_user_offload *offload;
bool hw_offload_yes, ret = FALSE;
char *ifname;
/* do Ipsec configuration without offload */
if (data->hw_offload == HW_OFFLOAD_NO)
{
return TRUE;
}
hw_offload_yes = (data->hw_offload == HW_OFFLOAD_YES);
if (!charon->kernel->get_interface(charon->kernel, local, &ifname))
{
return !hw_offload_yes;
}
/* check if interface supports hw_offload */
if (!netlink_detect_offload(ifname))
{
ret = !hw_offload_yes;
goto out;
}
/* activate HW offload */
offload = netlink_reserve(hdr, buflen,
XFRMA_OFFLOAD_DEV, sizeof(*offload));
if (!offload)
{
ret = !hw_offload_yes;
goto out;
}
offload->ifindex = if_nametoindex(ifname);
if (local->get_family(local) == AF_INET6)
{
offload->flags |= XFRM_OFFLOAD_IPV6;
}
offload->flags |= data->inbound ? XFRM_OFFLOAD_INBOUND : 0;
ret = TRUE;
out:
free(ifname);
return ret;
}
METHOD(kernel_ipsec_t, add_sa, status_t,
private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
kernel_ipsec_add_sa_t *data)
{
netlink_buf_t request;
const char *alg_name;
char markstr[32] = "";
struct nlmsghdr *hdr;
struct xfrm_usersa_info *sa;
uint16_t icv_size = 64, ipcomp = data->ipcomp;
ipsec_mode_t mode = data->mode, original_mode = data->mode;
traffic_selector_t *first_src_ts, *first_dst_ts;
status_t status = FAILED;
/* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
* we are in the recursive call below */
if (ipcomp != IPCOMP_NONE && data->cpi != 0)
{
lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
kernel_ipsec_sa_id_t ipcomp_id = {
.src = id->src,
.dst = id->dst,
.spi = htonl(ntohs(data->cpi)),
.proto = IPPROTO_COMP,
.mark = id->mark,
.if_id = id->if_id,
};
kernel_ipsec_add_sa_t ipcomp_sa = {
.reqid = data->reqid,
.mode = data->mode,
.src_ts = data->src_ts,
.dst_ts = data->dst_ts,
.lifetime = &lft,
.enc_alg = ENCR_UNDEFINED,
.int_alg = AUTH_UNDEFINED,
.tfc = data->tfc,
.ipcomp = data->ipcomp,
.initiator = data->initiator,
.inbound = data->inbound,
.update = data->update,
};
add_sa(this, &ipcomp_id, &ipcomp_sa);
ipcomp = IPCOMP_NONE;
/* use transport mode ESP SA, IPComp uses tunnel mode */
mode = MODE_TRANSPORT;
}
memset(&request, 0, sizeof(request));
format_mark(markstr, sizeof(markstr), id->mark);
DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}%s",
ntohl(id->spi), data->reqid, markstr);
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
hdr->nlmsg_type = data->update ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
sa = NLMSG_DATA(hdr);
host2xfrm(id->src, &sa->saddr);
host2xfrm(id->dst, &sa->id.daddr);
sa->id.spi = id->spi;
sa->id.proto = id->proto;
sa->family = id->src->get_family(id->src);
sa->mode = mode2kernel(mode);
if (!data->copy_df)
{
sa->flags |= XFRM_STATE_NOPMTUDISC;
}
if (!data->copy_ecn)
{
sa->flags |= XFRM_STATE_NOECN;
}
if (data->inbound)
{
switch (data->copy_dscp)
{
case DSCP_COPY_YES:
case DSCP_COPY_IN_ONLY:
sa->flags |= XFRM_STATE_DECAP_DSCP;
break;
default:
break;
}
}
else
{
switch (data->copy_dscp)
{
case DSCP_COPY_IN_ONLY:
case DSCP_COPY_NO:
{
/* currently the only extra flag */
if (!add_uint32(hdr, sizeof(request), XFRMA_SA_EXTRA_FLAGS,
XFRM_SA_XFLAG_DONT_ENCAP_DSCP))
{
goto failed;
}
break;
}
default:
break;
}
}
switch (mode)
{
case MODE_TUNNEL:
sa->flags |= XFRM_STATE_AF_UNSPEC;
break;
case MODE_BEET:
case MODE_TRANSPORT:
if (original_mode == MODE_TUNNEL)
{ /* don't install selectors for switched SAs. because only one
* selector can be installed other traffic would get dropped */
break;
}
if (data->src_ts->get_first(data->src_ts,
(void**)&first_src_ts) == SUCCESS &&
data->dst_ts->get_first(data->dst_ts,
(void**)&first_dst_ts) == SUCCESS)
{
sa->sel = ts2selector(first_src_ts, first_dst_ts,
data->interface);
if (!this->proto_port_transport)
{
/* don't install proto/port on SA. This would break
* potential secondary SAs for the same address using a
* different prot/port. */
sa->sel.proto = 0;
sa->sel.dport = sa->sel.dport_mask = 0;
sa->sel.sport = sa->sel.sport_mask = 0;
}
}
break;
default:
break;
}
if (id->proto == IPPROTO_AH && sa->family == AF_INET)
{ /* use alignment to 4 bytes for IPv4 instead of the incorrect 8 byte
* alignment that's used by default but is only valid for IPv6 */
sa->flags |= XFRM_STATE_ALIGN4;
}
sa->reqid = data->reqid;
sa->lft.soft_byte_limit = XFRM_LIMIT(data->lifetime->bytes.rekey);
sa->lft.hard_byte_limit = XFRM_LIMIT(data->lifetime->bytes.life);
sa->lft.soft_packet_limit = XFRM_LIMIT(data->lifetime->packets.rekey);
sa->lft.hard_packet_limit = XFRM_LIMIT(data->lifetime->packets.life);
/* we use lifetimes since added, not since used */
sa->lft.soft_add_expires_seconds = data->lifetime->time.rekey;
sa->lft.hard_add_expires_seconds = data->lifetime->time.life;
sa->lft.soft_use_expires_seconds = 0;
sa->lft.hard_use_expires_seconds = 0;
switch (data->enc_alg)
{
case ENCR_UNDEFINED:
/* no encryption */
break;
case ENCR_AES_CCM_ICV16:
case ENCR_AES_GCM_ICV16:
case ENCR_NULL_AUTH_AES_GMAC:
case ENCR_CAMELLIA_CCM_ICV16:
case ENCR_CHACHA20_POLY1305:
icv_size += 32;
/* FALL */
case ENCR_AES_CCM_ICV12:
case ENCR_AES_GCM_ICV12:
case ENCR_CAMELLIA_CCM_ICV12:
icv_size += 32;
/* FALL */
case ENCR_AES_CCM_ICV8:
case ENCR_AES_GCM_ICV8:
case ENCR_CAMELLIA_CCM_ICV8:
{
struct xfrm_algo_aead *algo;
alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg);
if (alg_name == NULL)
{
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
encryption_algorithm_names, data->enc_alg);
goto failed;
}
DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
encryption_algorithm_names, data->enc_alg,
data->enc_key.len * 8);
algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AEAD,
sizeof(*algo) + data->enc_key.len);
if (!algo)
{
goto failed;
}
algo->alg_key_len = data->enc_key.len * 8;
algo->alg_icv_len = icv_size;
strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len);
break;
}
default:
{
struct xfrm_algo *algo;
alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg);
if (alg_name == NULL)
{
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
encryption_algorithm_names, data->enc_alg);
goto failed;
}
DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
encryption_algorithm_names, data->enc_alg,
data->enc_key.len * 8);
algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_CRYPT,
sizeof(*algo) + data->enc_key.len);
if (!algo)
{
goto failed;
}
algo->alg_key_len = data->enc_key.len * 8;
strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len);
}
}
if (data->int_alg != AUTH_UNDEFINED)
{
u_int trunc_len = 0;
alg_name = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg);
if (alg_name == NULL)
{
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
integrity_algorithm_names, data->int_alg);
goto failed;
}
DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
integrity_algorithm_names, data->int_alg, data->int_key.len * 8);
switch (data->int_alg)
{
case AUTH_HMAC_MD5_128:
case AUTH_HMAC_SHA2_256_128:
trunc_len = 128;
break;
case AUTH_HMAC_SHA1_160:
trunc_len = 160;
break;
case AUTH_HMAC_SHA2_256_256:
trunc_len = 256;
break;
case AUTH_HMAC_SHA2_384_384:
trunc_len = 384;
break;
case AUTH_HMAC_SHA2_512_512:
trunc_len = 512;
break;
default:
break;
}
if (trunc_len)
{
struct xfrm_algo_auth* algo;
/* the kernel uses SHA256 with 96 bit truncation by default,
* use specified truncation size supported by newer kernels.
* also use this for untruncated MD5, SHA1 and SHA2. */
algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH_TRUNC,
sizeof(*algo) + data->int_key.len);
if (!algo)
{
goto failed;
}
algo->alg_key_len = data->int_key.len * 8;
algo->alg_trunc_len = trunc_len;
strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len);
}
else
{
struct xfrm_algo* algo;
algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH,
sizeof(*algo) + data->int_key.len);
if (!algo)
{
goto failed;
}
algo->alg_key_len = data->int_key.len * 8;
strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len);
}
}
if (ipcomp != IPCOMP_NONE)
{
struct xfrm_algo* algo;
alg_name = lookup_algorithm(COMPRESSION_ALGORITHM, ipcomp);
if (alg_name == NULL)
{
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
ipcomp_transform_names, ipcomp);
goto failed;
}
DBG2(DBG_KNL, " using compression algorithm %N",
ipcomp_transform_names, ipcomp);
algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_COMP,
sizeof(*algo));
if (!algo)
{
goto failed;
}
algo->alg_key_len = 0;
strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
}
if (data->encap)
{
struct xfrm_encap_tmpl *tmpl;
tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP, sizeof(*tmpl));
if (!tmpl)
{
goto failed;
}
tmpl->encap_type = UDP_ENCAP_ESPINUDP;
tmpl->encap_sport = htons(id->src->get_port(id->src));
tmpl->encap_dport = htons(id->dst->get_port(id->dst));
memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
/* encap_oa could probably be derived from the
* traffic selectors [rfc4306, p39]. In the netlink kernel
* implementation pluto does the same as we do here but it uses
* encap_oa in the pfkey implementation.
* BUT as /usr/src/linux/net/key/af_key.c indicates the kernel ignores
* it anyway
* -> does that mean that NAT-T encap doesn't work in transport mode?
* No. The reason the kernel ignores NAT-OA is that it recomputes
* (or, rather, just ignores) the checksum. If packets pass the IPsec
* checks it marks them "checksum ok" so OA isn't needed. */
}
if (!add_mark(hdr, sizeof(request), id->mark))
{
goto failed;
}
if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
{
goto failed;
}
if (ipcomp == IPCOMP_NONE && (data->mark.value | data->mark.mask))
{
if (!add_uint32(hdr, sizeof(request), XFRMA_SET_MARK,
data->mark.value) ||
!add_uint32(hdr, sizeof(request), XFRMA_SET_MARK_MASK,
data->mark.mask))
{
goto failed;
}
}
if (data->tfc && id->proto == IPPROTO_ESP && mode == MODE_TUNNEL)
{ /* the kernel supports TFC padding only for tunnel mode ESP SAs */
if (!add_uint32(hdr, sizeof(request), XFRMA_TFCPAD, data->tfc))
{
goto failed;
}
}
if (id->proto != IPPROTO_COMP)
{
/* generally, we don't need a replay window for outbound SAs, however,
* when using ESN the kernel rejects the attribute if it is 0 */
if (!data->inbound && data->replay_window)
{
data->replay_window = data->esn ? 1 : 0;
}
if (data->replay_window != 0 && (data->esn || data->replay_window > 32))
{
/* for ESN or larger replay windows we need the new
* XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
struct xfrm_replay_state_esn *replay;
uint32_t bmp_size;
bmp_size = round_up(data->replay_window, sizeof(uint32_t) * 8) / 8;
replay = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
sizeof(*replay) + bmp_size);
if (!replay)
{
goto failed;
}
/* bmp_len contains number uf __u32's */
replay->bmp_len = bmp_size / sizeof(uint32_t);
replay->replay_window = data->replay_window;
DBG2(DBG_KNL, " using replay window of %u packets",
data->replay_window);
if (data->esn)
{
DBG2(DBG_KNL, " using extended sequence numbers (ESN)");
sa->flags |= XFRM_STATE_ESN;
}
}
else
{
DBG2(DBG_KNL, " using replay window of %u packets",
data->replay_window);
sa->replay_window = data->replay_window;
}
DBG2(DBG_KNL, " HW offload: %N", hw_offload_names, data->hw_offload);
if (!config_hw_offload(id, data, hdr, sizeof(request)))
{
DBG1(DBG_KNL, "failed to configure HW offload");
goto failed;
}
}
status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
if (status == NOT_FOUND && data->update)
{
DBG1(DBG_KNL, "allocated SPI not found anymore, try to add SAD entry");
hdr->nlmsg_type = XFRM_MSG_NEWSA;
status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
}
if (status != SUCCESS)
{
DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x%s (%N)", ntohl(id->spi),
markstr, status_names, status);
status = FAILED;
goto failed;
}
status = SUCCESS;
failed:
memwipe(&request, sizeof(request));
return status;
}
/**
* Get the ESN replay state (i.e. sequence numbers) of an SA.
*
* Allocates into one the replay state structure we get from the kernel.
*/
static void get_replay_state(private_kernel_netlink_ipsec_t *this,
kernel_ipsec_sa_id_t *sa,
struct xfrm_replay_state_esn **replay_esn,
uint32_t *replay_esn_len,
struct xfrm_replay_state **replay,
struct xfrm_lifetime_cur **lifetime)
{
netlink_buf_t request;
struct nlmsghdr *hdr, *out = NULL;
struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
size_t len;
struct rtattr *rta;
size_t rtasize;
memset(&request, 0, sizeof(request));
DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x",
ntohl(sa->spi));
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST;
hdr->nlmsg_type = XFRM_MSG_GETAE;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
aevent_id = NLMSG_DATA(hdr);
aevent_id->flags = XFRM_AE_RVAL;
host2xfrm(sa->dst, &aevent_id->sa_id.daddr);
aevent_id->sa_id.spi = sa->spi;
aevent_id->sa_id.proto = sa->proto;
aevent_id->sa_id.family = sa->dst->get_family(sa->dst);
if (!add_mark(hdr, sizeof(request), sa->mark))
{
return;
}
if (sa->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, sa->if_id))
{
return;
}
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
{
hdr = out;
while (NLMSG_OK(hdr, len))
{
switch (hdr->nlmsg_type)
{
case XFRM_MSG_NEWAE:
{
out_aevent = NLMSG_DATA(hdr);
break;
}
case NLMSG_ERROR:
{
struct nlmsgerr *err = NLMSG_DATA(hdr);
DBG1(DBG_KNL, "querying replay state from SAD entry "
"failed: %s (%d)", strerror(-err->error), -err->error);
break;
}
default:
hdr = NLMSG_NEXT(hdr, len);
continue;
case NLMSG_DONE:
break;
}
break;
}
}
if (out_aevent)
{
rta = XFRM_RTA(out, struct xfrm_aevent_id);
rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
while (RTA_OK(rta, rtasize))
{
if (rta->rta_type == XFRMA_LTIME_VAL &&
RTA_PAYLOAD(rta) == sizeof(**lifetime))
{
free(*lifetime);
*lifetime = malloc(RTA_PAYLOAD(rta));
memcpy(*lifetime, RTA_DATA(rta), RTA_PAYLOAD(rta));
}
if (rta->rta_type == XFRMA_REPLAY_VAL &&
RTA_PAYLOAD(rta) == sizeof(**replay))
{
free(*replay);
*replay = malloc(RTA_PAYLOAD(rta));
memcpy(*replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
}
if (rta->rta_type == XFRMA_REPLAY_ESN_VAL &&
RTA_PAYLOAD(rta) >= sizeof(**replay_esn))
{
free(*replay_esn);
*replay_esn = malloc(RTA_PAYLOAD(rta));
*replay_esn_len = RTA_PAYLOAD(rta);
memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta));
}
rta = RTA_NEXT(rta, rtasize);
}
}
free(out);
}
METHOD(kernel_ipsec_t, query_sa, status_t,
private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets,
time_t *time)
{
netlink_buf_t request;
struct nlmsghdr *out = NULL, *hdr;
struct xfrm_usersa_id *sa_id;
struct xfrm_usersa_info *sa = NULL;
status_t status = FAILED;
size_t len;
char markstr[32] = "";
memset(&request, 0, sizeof(request));
format_mark(markstr, sizeof(markstr), id->mark);
DBG2(DBG_KNL, "querying SAD entry with SPI %.8x%s", ntohl(id->spi),
markstr);
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST;
hdr->nlmsg_type = XFRM_MSG_GETSA;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
sa_id = NLMSG_DATA(hdr);
host2xfrm(id->dst, &sa_id->daddr);
sa_id->spi = id->spi;
sa_id->proto = id->proto;
sa_id->family = id->dst->get_family(id->dst);
if (!add_mark(hdr, sizeof(request), id->mark))
{
return FAILED;
}
if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
{
return FAILED;
}
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
{
hdr = out;
while (NLMSG_OK(hdr, len))
{
switch (hdr->nlmsg_type)
{
case XFRM_MSG_NEWSA:
{
sa = NLMSG_DATA(hdr);
break;
}
case NLMSG_ERROR:
{
struct nlmsgerr *err = NLMSG_DATA(hdr);
DBG1(DBG_KNL, "querying SAD entry with SPI %.8x%s failed: "
"%s (%d)", ntohl(id->spi), markstr,
strerror(-err->error), -err->error);
break;
}
default:
hdr = NLMSG_NEXT(hdr, len);
continue;
case NLMSG_DONE:
break;
}
break;
}
}
if (sa == NULL)
{
DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x%s",
ntohl(id->spi), markstr);
}
else
{
if (bytes)
{
*bytes = sa->curlft.bytes;
}
if (packets)
{
*packets = sa->curlft.packets;
}
if (time)
{ /* curlft contains an "use" time, but that contains a timestamp
* of the first use, not the last. Last use time must be queried
* on the policy on Linux */
*time = 0;
}
status = SUCCESS;
}
memwipe(out, len);
free(out);
return status;
}
METHOD(kernel_ipsec_t, del_sa, status_t,
private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
kernel_ipsec_del_sa_t *data)
{
netlink_buf_t request;
struct nlmsghdr *hdr;
struct xfrm_usersa_id *sa_id;
char markstr[32] = "";
/* if IPComp was used, we first delete the additional IPComp SA */
if (data->cpi)
{
kernel_ipsec_sa_id_t ipcomp_id = {
.src = id->src,
.dst = id->dst,
.spi = htonl(ntohs(data->cpi)),
.proto = IPPROTO_COMP,
.mark = id->mark,
};
kernel_ipsec_del_sa_t ipcomp = {};
del_sa(this, &ipcomp_id, &ipcomp);
}
memset(&request, 0, sizeof(request));
format_mark(markstr, sizeof(markstr), id->mark);
DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x%s", ntohl(id->spi),
markstr);
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
hdr->nlmsg_type = XFRM_MSG_DELSA;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
sa_id = NLMSG_DATA(hdr);
host2xfrm(id->dst, &sa_id->daddr);
sa_id->spi = id->spi;
sa_id->proto = id->proto;
sa_id->family = id->dst->get_family(id->dst);
if (!add_mark(hdr, sizeof(request), id->mark))
{
return FAILED;
}
if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
{
return FAILED;
}
switch (this->socket_xfrm->send_ack(this->socket_xfrm, hdr))
{
case SUCCESS:
DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x%s",
ntohl(id->spi), markstr);
return SUCCESS;
case NOT_FOUND:
return NOT_FOUND;
default:
DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x%s",
ntohl(id->spi), markstr);
return FAILED;
}
}
METHOD(kernel_ipsec_t, update_sa, status_t,
private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
kernel_ipsec_update_sa_t *data)
{
netlink_buf_t request;
struct nlmsghdr *hdr, *out_hdr = NULL, *out = NULL;
struct xfrm_usersa_id *sa_id;
struct xfrm_usersa_info *sa;
size_t len;
struct rtattr *rta;
size_t rtasize;
struct xfrm_encap_tmpl* encap = NULL;
struct xfrm_replay_state *replay = NULL;
struct xfrm_replay_state_esn *replay_esn = NULL;
struct xfrm_lifetime_cur *lifetime = NULL;
uint32_t replay_esn_len = 0;
kernel_ipsec_del_sa_t del = { 0 };
status_t status = FAILED;
traffic_selector_t *ts;
char markstr[32] = "";
/* if IPComp is used, we first update the IPComp SA */
if (data->cpi)
{
kernel_ipsec_sa_id_t ipcomp_id = {
.src = id->src,
.dst = id->dst,
.spi = htonl(ntohs(data->cpi)),
.proto = IPPROTO_COMP,
.mark = id->mark,
.if_id = id->if_id,
};
kernel_ipsec_update_sa_t ipcomp = {
.new_src = data->new_src,
.new_dst = data->new_dst,
};
update_sa(this, &ipcomp_id, &ipcomp);
}
memset(&request, 0, sizeof(request));
format_mark(markstr, sizeof(markstr), id->mark);
DBG2(DBG_KNL, "querying SAD entry with SPI %.8x%s for update",
ntohl(id->spi), markstr);
/* query the existing SA first */
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST;
hdr->nlmsg_type = XFRM_MSG_GETSA;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
sa_id = NLMSG_DATA(hdr);
host2xfrm(id->dst, &sa_id->daddr);
sa_id->spi = id->spi;
sa_id->proto = id->proto;
sa_id->family = id->dst->get_family(id->dst);
if (!add_mark(hdr, sizeof(request), id->mark))
{
return FAILED;
}
if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
{
return FAILED;
}
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
{
hdr = out;
while (NLMSG_OK(hdr, len))
{
switch (hdr->nlmsg_type)
{
case XFRM_MSG_NEWSA:
{
out_hdr = hdr;
break;
}
case NLMSG_ERROR:
{
struct nlmsgerr *err = NLMSG_DATA(hdr);
DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
strerror(-err->error), -err->error);
break;
}
default:
hdr = NLMSG_NEXT(hdr, len);
continue;
case NLMSG_DONE:
break;
}
break;
}
}
if (!out_hdr)
{
DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x%s",
ntohl(id->spi), markstr);
goto failed;
}
get_replay_state(this, id, &replay_esn, &replay_esn_len, &replay,
&lifetime);
/* delete the old SA (without affecting the IPComp SA) */
if (del_sa(this, id, &del) != SUCCESS)
{
DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x%s",
ntohl(id->spi), markstr);
goto failed;
}
DBG2(DBG_KNL, "updating SAD entry with SPI %.8x%s from %#H..%#H to "
"%#H..%#H", ntohl(id->spi), markstr, id->src, id->dst, data->new_src,
data->new_dst);
/* copy over the SA from out to request */
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
hdr->nlmsg_type = XFRM_MSG_NEWSA;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
sa = NLMSG_DATA(hdr);
memcpy(sa, NLMSG_DATA(out_hdr), sizeof(struct xfrm_usersa_info));
sa->family = data->new_dst->get_family(data->new_dst);
if (!id->src->ip_equals(id->src, data->new_src))
{
host2xfrm(data->new_src, &sa->saddr);
ts = selector2ts(&sa->sel, TRUE);
if (ts && ts->is_host(ts, id->src))
{
ts->set_address(ts, data->new_src);
ts2subnet(ts, &sa->sel.saddr, &sa->sel.prefixlen_s);
}
DESTROY_IF(ts);
}
if (!id->dst->ip_equals(id->dst, data->new_dst))
{
host2xfrm(data->new_dst, &sa->id.daddr);
ts = selector2ts(&sa->sel, FALSE);
if (ts && ts->is_host(ts, id->dst))
{
ts->set_address(ts, data->new_dst);
ts2subnet(ts, &sa->sel.daddr, &sa->sel.prefixlen_d);
}
DESTROY_IF(ts);
}
rta = XFRM_RTA(out_hdr, struct xfrm_usersa_info);
rtasize = XFRM_PAYLOAD(out_hdr, struct xfrm_usersa_info);
while (RTA_OK(rta, rtasize))
{
/* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
if (rta->rta_type != XFRMA_ENCAP || data->new_encap)
{
if (rta->rta_type == XFRMA_ENCAP)
{ /* update encap tmpl */
encap = RTA_DATA(rta);
encap->encap_sport = ntohs(data->new_src->get_port(data->new_src));
encap->encap_dport = ntohs(data->new_dst->get_port(data->new_dst));
}
if (rta->rta_type == XFRMA_OFFLOAD_DEV)
{ /* update offload device */
struct xfrm_user_offload *offload;
host_t *local;
char *ifname;
offload = RTA_DATA(rta);
local = offload->flags & XFRM_OFFLOAD_INBOUND ? data->new_dst
: data->new_src;
if (charon->kernel->get_interface(charon->kernel, local,
&ifname))
{
offload->ifindex = if_nametoindex(ifname);
if (local->get_family(local) == AF_INET6)
{
offload->flags |= XFRM_OFFLOAD_IPV6;
}
else
{
offload->flags &= ~XFRM_OFFLOAD_IPV6;
}
free(ifname);
}
}
netlink_add_attribute(hdr, rta->rta_type,
chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)),
sizeof(request));
}
rta = RTA_NEXT(rta, rtasize);
}
if (encap == NULL && data->new_encap)
{ /* add tmpl if we are enabling it */
encap = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP,
sizeof(*encap));
if (!encap)
{
goto failed;
}
encap->encap_type = UDP_ENCAP_ESPINUDP;
encap->encap_sport = ntohs(data->new_src->get_port(data->new_src));
encap->encap_dport = ntohs(data->new_dst->get_port(data->new_dst));
memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
}
if (replay_esn)
{
struct xfrm_replay_state_esn *state;
state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
replay_esn_len);
if (!state)
{
goto failed;
}
memcpy(state, replay_esn, replay_esn_len);
}
else if (replay)
{
struct xfrm_replay_state *state;
state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_VAL,
sizeof(*state));
if (!state)
{
goto failed;
}
memcpy(state, replay, sizeof(*state));
}
else
{
DBG1(DBG_KNL, "unable to copy replay state from old SAD entry with "
"SPI %.8x%s", ntohl(id->spi), markstr);
}
if (lifetime)
{
struct xfrm_lifetime_cur *state;
state = netlink_reserve(hdr, sizeof(request), XFRMA_LTIME_VAL,
sizeof(*state));
if (!state)
{
goto failed;
}
memcpy(state, lifetime, sizeof(*state));
}
else
{
DBG1(DBG_KNL, "unable to copy usage stats from old SAD entry with "
"SPI %.8x%s", ntohl(id->spi), markstr);
}
if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
{
DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x%s",
ntohl(id->spi), markstr);
goto failed;
}
status = SUCCESS;
failed:
free(replay);
free(replay_esn);
free(lifetime);
memwipe(out, len);
memwipe(&request, sizeof(request));
free(out);
return status;
}
METHOD(kernel_ipsec_t, flush_sas, status_t,
private_kernel_netlink_ipsec_t *this)
{
netlink_buf_t request;
struct nlmsghdr *hdr;
struct xfrm_usersa_flush *flush;
struct {
uint8_t proto;
char *name;
} protos[] = {
{ IPPROTO_AH, "AH" },
{ IPPROTO_ESP, "ESP" },
{ IPPROTO_COMP, "IPComp" },
};
int i;
memset(&request, 0, sizeof(request));
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
hdr->nlmsg_type = XFRM_MSG_FLUSHSA;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush));
flush = NLMSG_DATA(hdr);
for (i = 0; i < countof(protos); i++)
{
DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name);
flush->proto = protos[i].proto;
if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
{
DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name);
return FAILED;
}
}
return SUCCESS;
}
/**
* Unlock the mutex and signal waiting threads
*/
static void policy_change_done(private_kernel_netlink_ipsec_t *this,
policy_entry_t *policy)
{
policy->working = FALSE;
if (policy->waiting)
{ /* don't need to wake threads waiting for other policies */
this->condvar->broadcast(this->condvar);
}
this->mutex->unlock(this->mutex);
}
/**
* Install a route for the given policy if enabled and required
*/
static void install_route(private_kernel_netlink_ipsec_t *this,
policy_entry_t *policy, policy_sa_t *mapping, ipsec_sa_t *ipsec)
{
policy_sa_out_t *out = (policy_sa_out_t*)mapping;
route_entry_t *route;
host_t *iface;
INIT(route,
.prefixlen = policy->sel.prefixlen_d,
.pass = mapping->type == POLICY_PASS,
);
if (charon->kernel->get_address_by_ts(charon->kernel, out->src_ts,
&route->src_ip, NULL) != SUCCESS)
{
if (!route->pass)
{
free(route);
return;
}
/* allow blank source IP for passthrough policies */
route->src_ip = host_create_any(policy->sel.family);
}
if (!ipsec->dst->is_anyaddr(ipsec->dst))
{
route->gateway = charon->kernel->get_nexthop(charon->kernel,
ipsec->dst, -1, ipsec->src,
&route->if_name);
}
else
{ /* for shunt policies */
iface = xfrm2host(policy->sel.family, &policy->sel.daddr, 0);
route->gateway = charon->kernel->get_nexthop(charon->kernel,
iface, policy->sel.prefixlen_d,
route->src_ip, &route->if_name);
iface->destroy(iface);
}
route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
memcpy(route->dst_net.ptr, &policy->sel.daddr, route->dst_net.len);
/* get the interface to install the route for, if we haven't one yet.
* If we have a local address, use it. Otherwise (for shunt policies)
* use the route's source address. */
if (!route->if_name)
{
iface = ipsec->src;
if (iface->is_anyaddr(iface))
{
iface = route->src_ip;
}
if (!charon->kernel->get_interface(charon->kernel, iface,
&route->if_name) &&
!route->pass)
{ /* don't require an interface for passthrough policies */
route_entry_destroy(route);
return;
}
}
if (policy->route)
{
route_entry_t *old = policy->route;
if (route_entry_equals(old, route))
{
route_entry_destroy(route);
return;
}
/* uninstall previously installed route */
if (charon->kernel->del_route(charon->kernel, old->dst_net,
old->prefixlen, old->gateway,
old->src_ip, old->if_name,
old->pass) != SUCCESS)
{
DBG1(DBG_KNL, "error uninstalling route installed with policy "
"%R === %R %N", out->src_ts, out->dst_ts, policy_dir_names,
policy->direction);
}
route_entry_destroy(old);
policy->route = NULL;
}
DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", out->dst_ts,
route->gateway, route->src_ip, route->if_name);
switch (charon->kernel->add_route(charon->kernel, route->dst_net,
route->prefixlen, route->gateway,
route->src_ip, route->if_name,
route->pass))
{
default:
DBG1(DBG_KNL, "unable to install source route for %H",
route->src_ip);
/* FALL */
case ALREADY_DONE:
/* route exists, do not uninstall */
route_entry_destroy(route);
break;
case SUCCESS:
/* cache the installed route */
policy->route = route;
break;
}
}
/**
* Add or update a policy in the kernel.
*
* Note: The mutex has to be locked when entering this function
* and is unlocked here in any case.
*/
static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
policy_entry_t *policy, policy_sa_t *mapping, bool update)
{
netlink_buf_t request;
policy_entry_t clone;
ipsec_sa_t *ipsec = mapping->sa;
struct xfrm_userpolicy_info *policy_info;
struct nlmsghdr *hdr;
status_t status;
int i;
/* clone the policy so we are able to check it out again later */
memcpy(&clone, policy, sizeof(policy_entry_t));
memset(&request, 0, sizeof(request));
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
hdr->nlmsg_type = update ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
policy_info = NLMSG_DATA(hdr);
policy_info->sel = policy->sel;
policy_info->dir = policy->direction;
/* calculate priority based on selector size, small size = high prio */
policy_info->priority = mapping->priority;
policy_info->action = mapping->type != POLICY_DROP ? XFRM_POLICY_ALLOW
: XFRM_POLICY_BLOCK;
policy_info->share = XFRM_SHARE_ANY;
/* policies don't expire */
policy_info->lft.soft_byte_limit = XFRM_INF;
policy_info->lft.soft_packet_limit = XFRM_INF;
policy_info->lft.hard_byte_limit = XFRM_INF;
policy_info->lft.hard_packet_limit = XFRM_INF;
policy_info->lft.soft_add_expires_seconds = 0;
policy_info->lft.hard_add_expires_seconds = 0;
policy_info->lft.soft_use_expires_seconds = 0;
policy_info->lft.hard_use_expires_seconds = 0;
if (mapping->type == POLICY_IPSEC && ipsec->cfg.reqid)
{
struct xfrm_user_tmpl *tmpl;
struct {
uint8_t proto;
uint32_t spi;
bool use;
} protos[] = {
{ IPPROTO_COMP, htonl(ntohs(ipsec->cfg.ipcomp.cpi)),
ipsec->cfg.ipcomp.transform != IPCOMP_NONE },
{ IPPROTO_ESP, ipsec->cfg.esp.spi, ipsec->cfg.esp.use },
{ IPPROTO_AH, ipsec->cfg.ah.spi, ipsec->cfg.ah.use },
};
ipsec_mode_t proto_mode = ipsec->cfg.mode;
int count = 0;
for (i = 0; i < countof(protos); i++)
{
if (protos[i].use)
{
count++;
}
}
tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_TMPL,
count * sizeof(*tmpl));
if (!tmpl)
{
policy_change_done(this, policy);
return FAILED;
}
for (i = 0; i < countof(protos); i++)
{
if (!protos[i].use)
{
continue;
}
tmpl->reqid = ipsec->cfg.reqid;
tmpl->id.proto = protos[i].proto;
if (policy->direction == POLICY_OUT)
{
tmpl->id.spi = protos[i].spi;
}
tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
tmpl->mode = mode2kernel(proto_mode);
tmpl->optional = protos[i].proto == IPPROTO_COMP &&
policy->direction != POLICY_OUT;
tmpl->family = ipsec->src->get_family(ipsec->src);
if (proto_mode == MODE_TUNNEL || proto_mode == MODE_BEET)
{ /* only for tunnel mode */
host2xfrm(ipsec->src, &tmpl->saddr);
host2xfrm(ipsec->dst, &tmpl->id.daddr);
}
tmpl++;
/* use transport mode for other SAs */
proto_mode = MODE_TRANSPORT;
}
}
if (!add_mark(hdr, sizeof(request), ipsec->mark))
{
policy_change_done(this, policy);
return FAILED;
}
if (ipsec->if_id &&
!add_uint32(hdr, sizeof(request), XFRMA_IF_ID, ipsec->if_id))
{
policy_change_done(this, policy);
return FAILED;
}
this->mutex->unlock(this->mutex);
status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
if (status == ALREADY_DONE && !update)
{
DBG1(DBG_KNL, "policy already exists, try to update it");
hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
}
this->mutex->lock(this->mutex);
if (status != SUCCESS)
{
policy_change_done(this, policy);
return FAILED;
}
/* install a route, if:
* - this is an outbound policy (to just get one for each child)
* - routing is not disabled via strongswan.conf
* - the selector is not for a specific protocol/port
* - no XFRM interface ID is configured
* - we are in tunnel/BEET mode or install a bypass policy
*/
if (policy->direction == POLICY_OUT && this->install_routes &&
!policy->sel.proto && !policy->sel.dport && !policy->sel.sport &&
!policy->if_id)
{
if (mapping->type == POLICY_PASS ||
(mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT))
{
install_route(this, policy, mapping, ipsec);
}
}
policy_change_done(this, policy);
return SUCCESS;
}
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id,
kernel_ipsec_manage_policy_t *data)
{
policy_entry_t *policy, *current;
policy_sa_t *assigned_sa, *current_sa;
enumerator_t *enumerator;
bool found = FALSE, update = TRUE;
char markstr[32] = "";
uint32_t cur_priority = 0;
int use_count;
/* create a policy */
INIT(policy,
.sel = ts2selector(id->src_ts, id->dst_ts, id->interface),
.mark = id->mark.value & id->mark.mask,
.if_id = id->if_id,
.direction = id->dir,
.reqid = data->sa->reqid,
);
format_mark(markstr, sizeof(markstr), id->mark);
/* find the policy, which matches EXACTLY */
this->mutex->lock(this->mutex);
current = this->policies->get(this->policies, policy);
if (current)
{
if (current->reqid && data->sa->reqid &&
current->reqid != data->sa->reqid)
{
DBG1(DBG_CFG, "unable to install policy %R === %R %N%s for reqid "
"%u, the same policy for reqid %u exists",
id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr,
data->sa->reqid, current->reqid);
policy_entry_destroy(this, policy);
this->mutex->unlock(this->mutex);
return INVALID_STATE;
}
/* use existing policy */
DBG2(DBG_KNL, "policy %R === %R %N%s already exists, increasing "
"refcount", id->src_ts, id->dst_ts, policy_dir_names, id->dir,
markstr);
policy_entry_destroy(this, policy);
policy = current;
found = TRUE;
policy->waiting++;
while (policy->working)
{
this->condvar->wait(this->condvar, this->mutex);
}
policy->waiting--;
policy->working = TRUE;
}
else
{ /* use the new one, if we have no such policy */
policy->used_by = linked_list_create();
this->policies->put(this->policies, policy, policy);
}
/* cache the assigned IPsec SA */
assigned_sa = policy_sa_create(this, id->dir, data->type, data->src,
data->dst, id->src_ts, id->dst_ts, id->mark,
id->if_id, data->sa);
assigned_sa->auto_priority = get_priority(policy, data->prio, id->interface);
assigned_sa->priority = this->get_priority ? this->get_priority(id, data)
: data->manual_prio;
assigned_sa->priority = assigned_sa->priority ?: assigned_sa->auto_priority;
/* insert the SA according to its priority */
enumerator = policy->used_by->create_enumerator(policy->used_by);
while (enumerator->enumerate(enumerator, (void**)&current_sa))
{
if (current_sa->priority > assigned_sa->priority)
{
break;
}
if (current_sa->priority == assigned_sa->priority)
{
/* in case of equal manual prios order SAs by automatic priority */
if (current_sa->auto_priority > assigned_sa->auto_priority)
{
break;
}
/* prefer SAs with a reqid over those without */
if (current_sa->auto_priority == assigned_sa->auto_priority &&
(!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid))
{
break;
}
}
if (update)
{
cur_priority = current_sa->priority;
update = FALSE;
}
}
policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa);
enumerator->destroy(enumerator);
use_count = policy->used_by->get_count(policy->used_by);
if (!update)
{ /* we don't update the policy if the priority is lower than that of
* the currently installed one */
policy_change_done(this, policy);
DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u, "
"refcount %d]", id->src_ts, id->dst_ts, policy_dir_names,
id->dir, markstr, cur_priority, use_count);
return SUCCESS;
}
policy->reqid = assigned_sa->sa->cfg.reqid;
if (this->policy_update)
{
found = TRUE;
}
DBG2(DBG_KNL, "%s policy %R === %R %N%s [priority %u, refcount %d]",
found ? "updating" : "adding", id->src_ts, id->dst_ts,
policy_dir_names, id->dir, markstr, assigned_sa->priority, use_count);
if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS)
{
DBG1(DBG_KNL, "unable to %s policy %R === %R %N%s",
found ? "update" : "add", id->src_ts, id->dst_ts,
policy_dir_names, id->dir, markstr);
return FAILED;
}
return SUCCESS;
}
METHOD(kernel_ipsec_t, query_policy, status_t,
private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id,
kernel_ipsec_query_policy_t *data, time_t *use_time)
{
netlink_buf_t request;
struct nlmsghdr *out = NULL, *hdr;
struct xfrm_userpolicy_id *policy_id;
struct xfrm_userpolicy_info *policy = NULL;
size_t len;
char markstr[32] = "";
memset(&request, 0, sizeof(request));
format_mark(markstr, sizeof(markstr), id->mark);
DBG2(DBG_KNL, "querying policy %R === %R %N%s", id->src_ts, id->dst_ts,
policy_dir_names, id->dir, markstr);
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST;
hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
policy_id = NLMSG_DATA(hdr);
policy_id->sel = ts2selector(id->src_ts, id->dst_ts, id->interface);
policy_id->dir = id->dir;
if (!add_mark(hdr, sizeof(request), id->mark))
{
return FAILED;
}
if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
{
return FAILED;
}
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
{
hdr = out;
while (NLMSG_OK(hdr, len))
{
switch (hdr->nlmsg_type)
{
case XFRM_MSG_NEWPOLICY:
{
policy = NLMSG_DATA(hdr);
break;
}
case NLMSG_ERROR:
{
struct nlmsgerr *err = NLMSG_DATA(hdr);
DBG1(DBG_KNL, "querying policy failed: %s (%d)",
strerror(-err->error), -err->error);
break;
}
default:
hdr = NLMSG_NEXT(hdr, len);
continue;
case NLMSG_DONE:
break;
}
break;
}
}
if (policy == NULL)
{
DBG2(DBG_KNL, "unable to query policy %R === %R %N%s", id->src_ts,
id->dst_ts, policy_dir_names, id->dir, markstr);
free(out);
return FAILED;
}
if (policy->curlft.use_time)
{
/* we need the monotonic time, but the kernel returns system time. */
*use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
}
else
{
*use_time = 0;
}
free(out);
return SUCCESS;
}
METHOD(kernel_ipsec_t, del_policy, status_t,
private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id,
kernel_ipsec_manage_policy_t *data)
{
policy_entry_t *current, policy;
enumerator_t *enumerator;
policy_sa_t *mapping;
netlink_buf_t request;
struct nlmsghdr *hdr;
struct xfrm_userpolicy_id *policy_id;
bool is_installed = TRUE;
uint32_t priority, auto_priority, cur_priority;
ipsec_sa_t assigned_sa = {
.src = data->src,
.dst = data->dst,
.mark = id->mark,
.if_id = id->if_id,
.cfg = *data->sa,
};
char markstr[32] = "";
int use_count;
status_t status = SUCCESS;
format_mark(markstr, sizeof(markstr), id->mark);
DBG2(DBG_KNL, "deleting policy %R === %R %N%s", id->src_ts, id->dst_ts,
policy_dir_names, id->dir, markstr);
/* create a policy */
memset(&policy, 0, sizeof(policy_entry_t));
policy.sel = ts2selector(id->src_ts, id->dst_ts, id->interface);
policy.mark = id->mark.value & id->mark.mask;
policy.if_id = id->if_id;
policy.direction = id->dir;
/* find the policy */
this->mutex->lock(this->mutex);
current = this->policies->get(this->policies, &policy);
if (!current)
{
DBG1(DBG_KNL, "deleting policy %R === %R %N%s failed, not found",
id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr);
this->mutex->unlock(this->mutex);
return NOT_FOUND;
}
current->waiting++;
while (current->working)
{
this->condvar->wait(this->condvar, this->mutex);
}
current->working = TRUE;
current->waiting--;
/* remove mapping to SA by reqid and priority */
auto_priority = get_priority(current, data->prio,id->interface);
priority = this->get_priority ? this->get_priority(id, data)
: data->manual_prio;
priority = priority ?: auto_priority;
enumerator = current->used_by->create_enumerator(current->used_by);
while (enumerator->enumerate(enumerator, (void**)&mapping))
{
if (priority == mapping->priority &&
auto_priority == mapping->auto_priority &&
data->type == mapping->type &&
ipsec_sa_equals(mapping->sa, &assigned_sa))
{
current->used_by->remove_at(current->used_by, enumerator);
policy_sa_destroy(mapping, id->dir, this);
break;
}
if (is_installed)
{
cur_priority = mapping->priority;
is_installed = FALSE;
}
}
enumerator->destroy(enumerator);
use_count = current->used_by->get_count(current->used_by);
if (use_count > 0)
{ /* policy is used by more SAs, keep in kernel */
DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
if (!is_installed)
{ /* no need to update as the policy was not installed for this SA */
policy_change_done(this, current);
DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u, "
"refcount %d]", id->src_ts, id->dst_ts, policy_dir_names,
id->dir, markstr, cur_priority, use_count);
return SUCCESS;
}
current->used_by->get_first(current->used_by, (void**)&mapping);
current->reqid = mapping->sa->cfg.reqid;
DBG2(DBG_KNL, "updating policy %R === %R %N%s [priority %u, "
"refcount %d]", id->src_ts, id->dst_ts, policy_dir_names, id->dir,
markstr, mapping->priority, use_count);
if (add_policy_internal(this, current, mapping, TRUE) != SUCCESS)
{
DBG1(DBG_KNL, "unable to update policy %R === %R %N%s",
id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr);
return FAILED;
}
return SUCCESS;
}
memset(&request, 0, sizeof(request));
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
policy_id = NLMSG_DATA(hdr);
policy_id->sel = current->sel;
policy_id->dir = id->dir;
if (!add_mark(hdr, sizeof(request), id->mark))
{
policy_change_done(this, current);
return FAILED;
}
if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
{
policy_change_done(this, current);
return FAILED;
}
if (current->route)
{
route_entry_t *route = current->route;
if (charon->kernel->del_route(charon->kernel, route->dst_net,
route->prefixlen, route->gateway,
route->src_ip, route->if_name,
route->pass) != SUCCESS)
{
DBG1(DBG_KNL, "error uninstalling route installed with policy "
"%R === %R %N%s", id->src_ts, id->dst_ts, policy_dir_names,
id->dir, markstr);
}
}
this->mutex->unlock(this->mutex);
if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
{
DBG1(DBG_KNL, "unable to delete policy %R === %R %N%s", id->src_ts,
id->dst_ts, policy_dir_names, id->dir, markstr);
status = FAILED;
}
this->mutex->lock(this->mutex);
if (!current->waiting)
{ /* only if no other thread still needs the policy */
this->policies->remove(this->policies, current);
policy_entry_destroy(this, current);
this->mutex->unlock(this->mutex);
}
else
{
policy_change_done(this, current);
}
return status;
}
METHOD(kernel_ipsec_t, flush_policies, status_t,
private_kernel_netlink_ipsec_t *this)
{
netlink_buf_t request;
struct nlmsghdr *hdr;
memset(&request, 0, sizeof(request));
DBG2(DBG_KNL, "flushing all policies from SPD");
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
hdr->nlmsg_type = XFRM_MSG_FLUSHPOLICY;
hdr->nlmsg_len = NLMSG_LENGTH(0); /* no data associated */
/* by adding an rtattr of type XFRMA_POLICY_TYPE we could restrict this
* to main or sub policies (default is main) */
if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
{
DBG1(DBG_KNL, "unable to flush SPD entries");
return FAILED;
}
return SUCCESS;
}
/**
* Bypass socket using a per-socket policy
*/
static bool add_socket_bypass(private_kernel_netlink_ipsec_t *this,
int fd, int family)
{
struct xfrm_userpolicy_info policy;
u_int sol, ipsec_policy;
switch (family)
{
case AF_INET:
sol = SOL_IP;
ipsec_policy = IP_XFRM_POLICY;
break;
case AF_INET6:
sol = SOL_IPV6;
ipsec_policy = IPV6_XFRM_POLICY;
break;
default:
return FALSE;
}
memset(&policy, 0, sizeof(policy));
policy.action = XFRM_POLICY_ALLOW;
policy.sel.family = family;
policy.dir = XFRM_POLICY_OUT;
if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
{
DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s (%d)",
strerror(errno), errno);
return FALSE;
}
policy.dir = XFRM_POLICY_IN;
if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
{
DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s (%d)",
strerror(errno), errno);
return FALSE;
}
return TRUE;
}
/**
* Port based IKE bypass policy
*/
typedef struct {
/** address family */
int family;
/** layer 4 protocol */
int proto;
/** port number, network order */
uint16_t port;
} bypass_t;
/**
* Add or remove a bypass policy from/to kernel
*/
static bool manage_bypass(private_kernel_netlink_ipsec_t *this,
int type, policy_dir_t dir, bypass_t *bypass)
{
netlink_buf_t request;
struct xfrm_selector *sel;
struct nlmsghdr *hdr;
memset(&request, 0, sizeof(request));
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
hdr->nlmsg_type = type;
if (type == XFRM_MSG_NEWPOLICY)
{
struct xfrm_userpolicy_info *policy;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
policy = NLMSG_DATA(hdr);
policy->dir = dir;
policy->priority = 32;
policy->action = XFRM_POLICY_ALLOW;
policy->share = XFRM_SHARE_ANY;
policy->lft.soft_byte_limit = XFRM_INF;
policy->lft.soft_packet_limit = XFRM_INF;
policy->lft.hard_byte_limit = XFRM_INF;
policy->lft.hard_packet_limit = XFRM_INF;
sel = &policy->sel;
}
else /* XFRM_MSG_DELPOLICY */
{
struct xfrm_userpolicy_id *policy;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
policy = NLMSG_DATA(hdr);
policy->dir = dir;
sel = &policy->sel;
}
sel->family = bypass->family;
sel->proto = bypass->proto;
if (dir == POLICY_IN)
{
sel->dport = bypass->port;
sel->dport_mask = 0xffff;
}
else
{
sel->sport = bypass->port;
sel->sport_mask = 0xffff;
}
return this->socket_xfrm->send_ack(this->socket_xfrm, hdr) == SUCCESS;
}
/**
* Bypass socket using a port-based bypass policy
*/
static bool add_port_bypass(private_kernel_netlink_ipsec_t *this,
int fd, int family)
{
union {
struct sockaddr sa;
struct sockaddr_in in;
struct sockaddr_in6 in6;
} saddr;
socklen_t len;
bypass_t bypass = {
.family = family,
};
len = sizeof(saddr);
if (getsockname(fd, &saddr.sa, &len) != 0)
{
return FALSE;
}
#ifdef SO_PROTOCOL /* since 2.6.32 */
len = sizeof(bypass.proto);
if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &bypass.proto, &len) != 0)
#endif
{ /* assume UDP if SO_PROTOCOL not supported */
bypass.proto = IPPROTO_UDP;
}
switch (family)
{
case AF_INET:
bypass.port = saddr.in.sin_port;
break;
case AF_INET6:
bypass.port = saddr.in6.sin6_port;
break;
default:
return FALSE;
}
if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_IN, &bypass))
{
return FALSE;
}
if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_OUT, &bypass))
{
manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, &bypass);
return FALSE;
}
array_insert(this->bypass, ARRAY_TAIL, &bypass);
return TRUE;
}
/**
* Remove installed port based bypass policy
*/
static void remove_port_bypass(bypass_t *bypass, int idx,
private_kernel_netlink_ipsec_t *this)
{
manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_OUT, bypass);
manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, bypass);
}
METHOD(kernel_ipsec_t, bypass_socket, bool,
private_kernel_netlink_ipsec_t *this, int fd, int family)
{
if (lib->settings->get_bool(lib->settings,
"%s.plugins.kernel-netlink.port_bypass", FALSE, lib->ns))
{
return add_port_bypass(this, fd, family);
}
return add_socket_bypass(this, fd, family);
}
METHOD(kernel_ipsec_t, enable_udp_decap, bool,
private_kernel_netlink_ipsec_t *this, int fd, int family, uint16_t port)
{
int type = UDP_ENCAP_ESPINUDP;
if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
{
DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno));
return FALSE;
}
return TRUE;
}
METHOD(kernel_ipsec_t, destroy, void,
private_kernel_netlink_ipsec_t *this)
{
enumerator_t *enumerator;
policy_entry_t *policy;
array_destroy_function(this->bypass,
(array_callback_t)remove_port_bypass, this);
if (this->socket_xfrm_events > 0)
{
lib->watcher->remove(lib->watcher, this->socket_xfrm_events);
close(this->socket_xfrm_events);
}
DESTROY_IF(this->socket_xfrm);
enumerator = this->policies->create_enumerator(this->policies);
while (enumerator->enumerate(enumerator, &policy, &policy))
{
policy_entry_destroy(this, policy);
}
enumerator->destroy(enumerator);
this->policies->destroy(this->policies);
this->sas->destroy(this->sas);
this->condvar->destroy(this->condvar);
this->mutex->destroy(this->mutex);
free(this);
}
/**
* Get the currently configured SPD hashing thresholds for an address family
*/
static bool get_spd_hash_thresh(private_kernel_netlink_ipsec_t *this,
int type, uint8_t *lbits, uint8_t *rbits)
{
netlink_buf_t request;
struct nlmsghdr *hdr, *out;
struct xfrmu_spdhthresh *thresh;
struct rtattr *rta;
size_t len, rtasize;
bool success = FALSE;
memset(&request, 0, sizeof(request));
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST;
hdr->nlmsg_type = XFRM_MSG_GETSPDINFO;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(uint32_t));
if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
{
hdr = out;
while (NLMSG_OK(hdr, len))
{
switch (hdr->nlmsg_type)
{
case XFRM_MSG_NEWSPDINFO:
{
rta = XFRM_RTA(hdr, uint32_t);
rtasize = XFRM_PAYLOAD(hdr, uint32_t);
while (RTA_OK(rta, rtasize))
{
if (rta->rta_type == type &&
RTA_PAYLOAD(rta) == sizeof(*thresh))
{
thresh = RTA_DATA(rta);
*lbits = thresh->lbits;
*rbits = thresh->rbits;
success = TRUE;
break;
}
rta = RTA_NEXT(rta, rtasize);
}
break;
}
case NLMSG_ERROR:
{
struct nlmsgerr *err = NLMSG_DATA(hdr);
DBG1(DBG_KNL, "getting SPD hash threshold failed: %s (%d)",
strerror(-err->error), -err->error);
break;
}
default:
hdr = NLMSG_NEXT(hdr, len);
continue;
case NLMSG_DONE:
break;
}
break;
}
free(out);
}
return success;
}
/**
* Configure SPD hashing threshold for an address family
*/
static void setup_spd_hash_thresh(private_kernel_netlink_ipsec_t *this,
char *key, int type, uint8_t def)
{
struct xfrmu_spdhthresh *thresh;
struct nlmsghdr *hdr;
netlink_buf_t request;
uint8_t lbits, rbits;
if (!get_spd_hash_thresh(this, type, &lbits, &rbits))
{
return;
}
memset(&request, 0, sizeof(request));
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
hdr->nlmsg_type = XFRM_MSG_NEWSPDINFO;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(uint32_t));
thresh = netlink_reserve(hdr, sizeof(request), type, sizeof(*thresh));
thresh->lbits = lib->settings->get_int(lib->settings,
"%s.plugins.kernel-netlink.spdh_thresh.%s.lbits",
def, lib->ns, key);
thresh->rbits = lib->settings->get_int(lib->settings,
"%s.plugins.kernel-netlink.spdh_thresh.%s.rbits",
def, lib->ns, key);
if (thresh->lbits != lbits || thresh->rbits != rbits)
{
if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
{
DBG1(DBG_KNL, "setting SPD hash threshold failed");
}
}
}
/*
* Described in header.
*/
kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
{
private_kernel_netlink_ipsec_t *this;
bool register_for_events = TRUE;
INIT(this,
.public = {
.interface = {
.get_features = _get_features,
.get_spi = _get_spi,
.get_cpi = _get_cpi,
.add_sa = _add_sa,
.update_sa = _update_sa,
.query_sa = _query_sa,
.del_sa = _del_sa,
.flush_sas = _flush_sas,
.add_policy = _add_policy,
.query_policy = _query_policy,
.del_policy = _del_policy,
.flush_policies = _flush_policies,
.bypass_socket = _bypass_socket,
.enable_udp_decap = _enable_udp_decap,
.destroy = _destroy,
},
},
.policies = hashtable_create((hashtable_hash_t)policy_hash,
(hashtable_equals_t)policy_equals, 32),
.sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
(hashtable_equals_t)ipsec_sa_equals, 32),
.bypass = array_create(sizeof(bypass_t), 0),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
.get_priority = dlsym(RTLD_DEFAULT,
"kernel_netlink_get_priority_custom"),
.policy_update = lib->settings->get_bool(lib->settings,
"%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns),
.install_routes = lib->settings->get_bool(lib->settings,
"%s.install_routes", TRUE, lib->ns),
.proto_port_transport = lib->settings->get_bool(lib->settings,
"%s.plugins.kernel-netlink.set_proto_port_transport_sa",
FALSE, lib->ns),
);
if (streq(lib->ns, "starter"))
{ /* starter has no threads, so we do not register for kernel events */
register_for_events = FALSE;
}
this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names,
lib->settings->get_bool(lib->settings,
"%s.plugins.kernel-netlink.parallel_xfrm", FALSE, lib->ns));
if (!this->socket_xfrm)
{
destroy(this);
return NULL;
}
setup_spd_hash_thresh(this, "ipv4", XFRMA_SPD_IPV4_HTHRESH, 32);
setup_spd_hash_thresh(this, "ipv6", XFRMA_SPD_IPV6_HTHRESH, 128);
if (register_for_events)
{
struct sockaddr_nl addr;
memset(&addr, 0, sizeof(addr));
addr.nl_family = AF_NETLINK;
/* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
if (this->socket_xfrm_events <= 0)
{
DBG1(DBG_KNL, "unable to create XFRM event socket: %s (%d)",
strerror(errno), errno);
destroy(this);
return NULL;
}
addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
{
DBG1(DBG_KNL, "unable to bind XFRM event socket: %s (%d)",
strerror(errno), errno);
destroy(this);
return NULL;
}
lib->watcher->add(lib->watcher, this->socket_xfrm_events, WATCHER_READ,
(watcher_cb_t)receive_events, this);
}
netlink_find_offload_feature(lib->settings->get_str(lib->settings,
"%s.plugins.kernel-netlink.hw_offload_feature_interface",
"lo", lib->ns));
return &this->public;
}
View Git Blame Copy Permalink