]>
Commit | Line | Data |
---|---|---|
507f26f6 | 1 | /* |
b32c3ce8 | 2 | * Copyright (C) 2006-2019 Tobias Brunner |
469083cc | 3 | * Copyright (C) 2005-2009 Martin Willi |
6abae81f | 4 | * Copyright (C) 2008-2016 Andreas Steffen |
507f26f6 TB |
5 | * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser |
6 | * Copyright (C) 2006 Daniel Roethlisberger | |
7 | * Copyright (C) 2005 Jan Hutter | |
89da06ac | 8 | * HSR Hochschule fuer Technik Rapperswil |
507f26f6 TB |
9 | * |
10 | * This program is free software; you can redistribute it and/or modify it | |
11 | * under the terms of the GNU General Public License as published by the | |
12 | * Free Software Foundation; either version 2 of the License, or (at your | |
13 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
14 | * | |
15 | * This program is distributed in the hope that it will be useful, but | |
16 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
17 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
18 | * for more details. | |
507f26f6 | 19 | */ |
338cc581 AN |
20 | /* |
21 | * Copyright (C) 2018 Mellanox Technologies. | |
22 | * | |
23 | * Permission is hereby granted, free of charge, to any person obtaining a copy | |
24 | * of this software and associated documentation files (the "Software"), to deal | |
25 | * in the Software without restriction, including without limitation the rights | |
26 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
27 | * copies of the Software, and to permit persons to whom the Software is | |
28 | * furnished to do so, subject to the following conditions: | |
29 | * | |
30 | * The above copyright notice and this permission notice shall be included in | |
31 | * all copies or substantial portions of the Software. | |
32 | * | |
33 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |
34 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |
35 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |
36 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |
37 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |
38 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN | |
39 | * THE SOFTWARE. | |
40 | */ | |
507f26f6 | 41 | |
fc21465c | 42 | #define _GNU_SOURCE |
507f26f6 TB |
43 | #include <sys/types.h> |
44 | #include <sys/socket.h> | |
338cc581 | 45 | #include <sys/ioctl.h> |
ea625fab TB |
46 | #include <stdint.h> |
47 | #include <linux/ipsec.h> | |
507f26f6 TB |
48 | #include <linux/netlink.h> |
49 | #include <linux/rtnetlink.h> | |
50 | #include <linux/xfrm.h> | |
51 | #include <linux/udp.h> | |
338cc581 AN |
52 | #include <linux/ethtool.h> |
53 | #include <linux/sockios.h> | |
c26e4330 | 54 | #include <net/if.h> |
507f26f6 | 55 | #include <unistd.h> |
4a5a5dd2 | 56 | #include <time.h> |
507f26f6 TB |
57 | #include <errno.h> |
58 | #include <string.h> | |
469083cc | 59 | #include <fcntl.h> |
fc21465c | 60 | #include <dlfcn.h> |
507f26f6 TB |
61 | |
62 | #include "kernel_netlink_ipsec.h" | |
63 | #include "kernel_netlink_shared.h" | |
64 | ||
8394ea2a | 65 | #include <daemon.h> |
f05b4272 | 66 | #include <utils/debug.h> |
eba64cef | 67 | #include <threading/mutex.h> |
ebeaac1f | 68 | #include <threading/condvar.h> |
87888f99 | 69 | #include <collections/array.h> |
12642a68 TB |
70 | #include <collections/hashtable.h> |
71 | #include <collections/linked_list.h> | |
507f26f6 | 72 | |
674bc343 | 73 | /** Required for Linux 2.6.26 kernel and later */ |
507f26f6 | 74 | #ifndef XFRM_STATE_AF_UNSPEC |
674bc343 | 75 | #define XFRM_STATE_AF_UNSPEC 32 |
507f26f6 TB |
76 | #endif |
77 | ||
674bc343 | 78 | /** From linux/in.h */ |
4a38687a MW |
79 | #ifndef IP_XFRM_POLICY |
80 | #define IP_XFRM_POLICY 17 | |
ea625fab TB |
81 | #endif |
82 | ||
674bc343 | 83 | /** Missing on uclibc */ |
4a38687a MW |
84 | #ifndef IPV6_XFRM_POLICY |
85 | #define IPV6_XFRM_POLICY 34 | |
86 | #endif /*IPV6_XFRM_POLICY*/ | |
addfea95 | 87 | |
e49abced TB |
88 | /* from linux/udp.h */ |
89 | #ifndef UDP_ENCAP | |
90 | #define UDP_ENCAP 100 | |
91 | #endif | |
92 | ||
93 | #ifndef UDP_ENCAP_ESPINUDP | |
94 | #define UDP_ENCAP_ESPINUDP 2 | |
95 | #endif | |
96 | ||
97 | /* this is not defined on some platforms */ | |
98 | #ifndef SOL_UDP | |
99 | #define SOL_UDP IPPROTO_UDP | |
100 | #endif | |
101 | ||
f1675e4e | 102 | /** Base priority for installed policies */ |
0e9d6c46 | 103 | #define PRIO_BASE 200000 |
507f26f6 | 104 | |
1087b9ce | 105 | /** |
674bc343 | 106 | * Map the limit for bytes and packets to XFRM_INF by default |
1087b9ce TB |
107 | */ |
108 | #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x)) | |
109 | ||
aa9a3006 MW |
110 | /** |
111 | * Create ORable bitfield of XFRM NL groups | |
112 | */ | |
113 | #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1)) | |
114 | ||
507f26f6 | 115 | /** |
674bc343 | 116 | * Returns a pointer to the first rtattr following the nlmsghdr *nlh and the |
7daf5226 | 117 | * 'usual' netlink data x like 'struct xfrm_usersa_info' |
507f26f6 | 118 | */ |
674bc343 TB |
119 | #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + \ |
120 | NLMSG_ALIGN(sizeof(x)))) | |
507f26f6 | 121 | /** |
674bc343 | 122 | * Returns the total size of attached rta data |
7daf5226 | 123 | * (after 'usual' netlink data x like 'struct xfrm_usersa_info') |
507f26f6 TB |
124 | */ |
125 | #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x)) | |
126 | ||
127 | typedef struct kernel_algorithm_t kernel_algorithm_t; | |
128 | ||
129 | /** | |
e517b4b1 | 130 | * Mapping of IKEv2 kernel identifier to linux crypto API names |
507f26f6 TB |
131 | */ |
132 | struct kernel_algorithm_t { | |
133 | /** | |
134 | * Identifier specified in IKEv2 | |
135 | */ | |
e517b4b1 | 136 | int ikev2; |
7daf5226 | 137 | |
507f26f6 | 138 | /** |
e517b4b1 | 139 | * Name of the algorithm in linux crypto API |
507f26f6 | 140 | */ |
7085ca68 | 141 | const char *name; |
507f26f6 TB |
142 | }; |
143 | ||
37fbc741 AS |
144 | ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING, |
145 | "XFRM_MSG_NEWSA", | |
146 | "XFRM_MSG_DELSA", | |
147 | "XFRM_MSG_GETSA", | |
148 | "XFRM_MSG_NEWPOLICY", | |
149 | "XFRM_MSG_DELPOLICY", | |
150 | "XFRM_MSG_GETPOLICY", | |
151 | "XFRM_MSG_ALLOCSPI", | |
152 | "XFRM_MSG_ACQUIRE", | |
153 | "XFRM_MSG_EXPIRE", | |
154 | "XFRM_MSG_UPDPOLICY", | |
155 | "XFRM_MSG_UPDSA", | |
156 | "XFRM_MSG_POLEXPIRE", | |
157 | "XFRM_MSG_FLUSHSA", | |
158 | "XFRM_MSG_FLUSHPOLICY", | |
159 | "XFRM_MSG_NEWAE", | |
160 | "XFRM_MSG_GETAE", | |
161 | "XFRM_MSG_REPORT", | |
162 | "XFRM_MSG_MIGRATE", | |
163 | "XFRM_MSG_NEWSADINFO", | |
164 | "XFRM_MSG_GETSADINFO", | |
165 | "XFRM_MSG_NEWSPDINFO", | |
166 | "XFRM_MSG_GETSPDINFO", | |
167 | "XFRM_MSG_MAPPING" | |
168 | ); | |
169 | ||
e1803a20 | 170 | ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_OFFLOAD_DEV, |
b74bc438 AS |
171 | "XFRMA_UNSPEC", |
172 | "XFRMA_ALG_AUTH", | |
173 | "XFRMA_ALG_CRYPT", | |
174 | "XFRMA_ALG_COMP", | |
175 | "XFRMA_ENCAP", | |
176 | "XFRMA_TMPL", | |
177 | "XFRMA_SA", | |
178 | "XFRMA_POLICY", | |
179 | "XFRMA_SEC_CTX", | |
180 | "XFRMA_LTIME_VAL", | |
181 | "XFRMA_REPLAY_VAL", | |
182 | "XFRMA_REPLAY_THRESH", | |
183 | "XFRMA_ETIMER_THRESH", | |
184 | "XFRMA_SRCADDR", | |
185 | "XFRMA_COADDR", | |
186 | "XFRMA_LASTUSED", | |
187 | "XFRMA_POLICY_TYPE", | |
188 | "XFRMA_MIGRATE", | |
189 | "XFRMA_ALG_AEAD", | |
dbfd1a63 TE |
190 | "XFRMA_KMADDRESS", |
191 | "XFRMA_ALG_AUTH_TRUNC", | |
192 | "XFRMA_MARK", | |
193 | "XFRMA_TFCPAD", | |
194 | "XFRMA_REPLAY_ESN_VAL", | |
e1803a20 TB |
195 | "XFRMA_SA_EXTRA_FLAGS", |
196 | "XFRMA_PROTO", | |
197 | "XFRMA_ADDRESS_FILTER", | |
198 | "XFRMA_PAD", | |
199 | "XFRMA_OFFLOAD_DEV", | |
b74bc438 AS |
200 | ); |
201 | ||
507f26f6 TB |
202 | /** |
203 | * Algorithms for encryption | |
204 | */ | |
205 | static kernel_algorithm_t encryption_algs[] = { | |
89ec5bef TB |
206 | /* {ENCR_DES_IV64, "***" }, */ |
207 | {ENCR_DES, "des" }, | |
208 | {ENCR_3DES, "des3_ede" }, | |
209 | /* {ENCR_RC5, "***" }, */ | |
210 | /* {ENCR_IDEA, "***" }, */ | |
83995109 | 211 | {ENCR_CAST, "cast5" }, |
89ec5bef TB |
212 | {ENCR_BLOWFISH, "blowfish" }, |
213 | /* {ENCR_3IDEA, "***" }, */ | |
214 | /* {ENCR_DES_IV32, "***" }, */ | |
215 | {ENCR_NULL, "cipher_null" }, | |
b9b8a98f | 216 | {ENCR_AES_CBC, "aes" }, |
89ec5bef | 217 | {ENCR_AES_CTR, "rfc3686(ctr(aes))" }, |
e517b4b1 MW |
218 | {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" }, |
219 | {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" }, | |
220 | {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" }, | |
221 | {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" }, | |
222 | {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" }, | |
223 | {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" }, | |
71baf5a8 | 224 | {ENCR_NULL_AUTH_AES_GMAC, "rfc4543(gcm(aes))" }, |
247e665a AS |
225 | {ENCR_CAMELLIA_CBC, "cbc(camellia)" }, |
226 | /* {ENCR_CAMELLIA_CTR, "***" }, */ | |
227 | /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */ | |
228 | /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */ | |
229 | /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */ | |
91a0825c AS |
230 | {ENCR_SERPENT_CBC, "serpent" }, |
231 | {ENCR_TWOFISH_CBC, "twofish" }, | |
405c5dcd | 232 | {ENCR_CHACHA20_POLY1305, "rfc7539esp(chacha20,poly1305)"}, |
507f26f6 TB |
233 | }; |
234 | ||
235 | /** | |
236 | * Algorithms for integrity protection | |
237 | */ | |
238 | static kernel_algorithm_t integrity_algs[] = { | |
89ec5bef | 239 | {AUTH_HMAC_MD5_96, "md5" }, |
686cfd4e | 240 | {AUTH_HMAC_MD5_128, "hmac(md5)" }, |
e517b4b1 | 241 | {AUTH_HMAC_SHA1_96, "sha1" }, |
686cfd4e | 242 | {AUTH_HMAC_SHA1_160, "hmac(sha1)" }, |
6546482a | 243 | {AUTH_HMAC_SHA2_256_96, "sha256" }, |
4b615eda | 244 | {AUTH_HMAC_SHA2_256_128, "hmac(sha256)" }, |
c632aa7b | 245 | {AUTH_HMAC_SHA2_256_256, "hmac(sha256)" }, |
6780edc0 | 246 | {AUTH_HMAC_SHA2_384_192, "hmac(sha384)" }, |
c632aa7b | 247 | {AUTH_HMAC_SHA2_384_384, "hmac(sha384)" }, |
6780edc0 | 248 | {AUTH_HMAC_SHA2_512_256, "hmac(sha512)" }, |
c632aa7b | 249 | {AUTH_HMAC_SHA2_512_512, "hmac(sha512)" }, |
e517b4b1 MW |
250 | /* {AUTH_DES_MAC, "***" }, */ |
251 | /* {AUTH_KPDK_MD5, "***" }, */ | |
252 | {AUTH_AES_XCBC_96, "xcbc(aes)" }, | |
564a1996 | 253 | {AUTH_AES_CMAC_96, "cmac(aes)" }, |
507f26f6 TB |
254 | }; |
255 | ||
256 | /** | |
257 | * Algorithms for IPComp | |
258 | */ | |
259 | static kernel_algorithm_t compression_algs[] = { | |
89ec5bef | 260 | /* {IPCOMP_OUI, "***" }, */ |
e517b4b1 MW |
261 | {IPCOMP_DEFLATE, "deflate" }, |
262 | {IPCOMP_LZS, "lzs" }, | |
263 | {IPCOMP_LZJH, "lzjh" }, | |
507f26f6 TB |
264 | }; |
265 | ||
266 | /** | |
267 | * Look up a kernel algorithm name and its key size | |
268 | */ | |
7085ca68 | 269 | static const char* lookup_algorithm(transform_type_t type, int ikev2) |
507f26f6 | 270 | { |
08ad639f | 271 | kernel_algorithm_t *list; |
6ac601f5 MW |
272 | int i, count; |
273 | char *name; | |
08ad639f TB |
274 | |
275 | switch (type) | |
276 | { | |
277 | case ENCRYPTION_ALGORITHM: | |
278 | list = encryption_algs; | |
6ac601f5 | 279 | count = countof(encryption_algs); |
08ad639f TB |
280 | break; |
281 | case INTEGRITY_ALGORITHM: | |
282 | list = integrity_algs; | |
6ac601f5 | 283 | count = countof(integrity_algs); |
08ad639f TB |
284 | break; |
285 | case COMPRESSION_ALGORITHM: | |
286 | list = compression_algs; | |
6ac601f5 | 287 | count = countof(compression_algs); |
08ad639f TB |
288 | break; |
289 | default: | |
290 | return NULL; | |
291 | } | |
6ac601f5 | 292 | for (i = 0; i < count; i++) |
507f26f6 | 293 | { |
6ac601f5 | 294 | if (list[i].ikev2 == ikev2) |
507f26f6 | 295 | { |
6ac601f5 | 296 | return list[i].name; |
507f26f6 | 297 | } |
507f26f6 | 298 | } |
8394ea2a TB |
299 | if (charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, NULL, |
300 | &name)) | |
6ac601f5 MW |
301 | { |
302 | return name; | |
303 | } | |
304 | return NULL; | |
507f26f6 TB |
305 | } |
306 | ||
9f49464d TB |
307 | typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t; |
308 | ||
309 | /** | |
310 | * Private variables and functions of kernel_netlink class. | |
311 | */ | |
312 | struct private_kernel_netlink_ipsec_t { | |
313 | /** | |
674bc343 | 314 | * Public part of the kernel_netlink_t object |
9f49464d TB |
315 | */ |
316 | kernel_netlink_ipsec_t public; | |
317 | ||
318 | /** | |
674bc343 | 319 | * Mutex to lock access to installed policies |
9f49464d TB |
320 | */ |
321 | mutex_t *mutex; | |
322 | ||
ebeaac1f TB |
323 | /** |
324 | * Condvar to synchronize access to individual policies | |
325 | */ | |
326 | condvar_t *condvar; | |
327 | ||
9f49464d | 328 | /** |
cad259e3 | 329 | * Hash table of installed policies (policy_entry_t) |
9f49464d TB |
330 | */ |
331 | hashtable_t *policies; | |
332 | ||
333 | /** | |
334 | * Hash table of IPsec SAs using policies (ipsec_sa_t) | |
335 | */ | |
336 | hashtable_t *sas; | |
337 | ||
9f49464d TB |
338 | /** |
339 | * Netlink xfrm socket (IPsec) | |
340 | */ | |
341 | netlink_socket_t *socket_xfrm; | |
342 | ||
343 | /** | |
674bc343 | 344 | * Netlink xfrm socket to receive acquire and expire events |
9f49464d TB |
345 | */ |
346 | int socket_xfrm_events; | |
347 | ||
348 | /** | |
674bc343 | 349 | * Whether to install routes along policies |
9f49464d TB |
350 | */ |
351 | bool install_routes; | |
352 | ||
90e6675a TB |
353 | /** |
354 | * Whether to set protocol and ports on selector installed with transport | |
355 | * mode IPsec SAs | |
356 | */ | |
357 | bool proto_port_transport; | |
358 | ||
8925abbe | 359 | /** |
3000f6aa | 360 | * Whether to always use UPDATE to install policies |
8925abbe MW |
361 | */ |
362 | bool policy_update; | |
363 | ||
87888f99 MW |
364 | /** |
365 | * Installed port based IKE bypass policies, as bypass_t | |
366 | */ | |
367 | array_t *bypass; | |
fc21465c TB |
368 | |
369 | /** | |
370 | * Custom priority calculation function | |
371 | */ | |
372 | uint32_t (*get_priority)(kernel_ipsec_policy_id_t *id, | |
373 | kernel_ipsec_manage_policy_t *data); | |
9f49464d TB |
374 | }; |
375 | ||
9f49464d | 376 | typedef struct ipsec_sa_t ipsec_sa_t; |
f0ba8ae0 TB |
377 | |
378 | /** | |
379 | * IPsec SA assigned to a policy. | |
380 | */ | |
9f49464d | 381 | struct ipsec_sa_t { |
674bc343 | 382 | /** Source address of this SA */ |
9f49464d TB |
383 | host_t *src; |
384 | ||
674bc343 | 385 | /** Destination address of this SA */ |
9f49464d TB |
386 | host_t *dst; |
387 | ||
674bc343 | 388 | /** Optional mark */ |
9f49464d TB |
389 | mark_t mark; |
390 | ||
b32c3ce8 TB |
391 | /** Optional mark */ |
392 | uint32_t if_id; | |
393 | ||
674bc343 | 394 | /** Description of this SA */ |
9f49464d TB |
395 | ipsec_sa_cfg_t cfg; |
396 | ||
674bc343 | 397 | /** Reference count for this SA */ |
9f49464d TB |
398 | refcount_t refcount; |
399 | }; | |
400 | ||
401 | /** | |
402 | * Hash function for ipsec_sa_t objects | |
403 | */ | |
404 | static u_int ipsec_sa_hash(ipsec_sa_t *sa) | |
405 | { | |
406 | return chunk_hash_inc(sa->src->get_address(sa->src), | |
407 | chunk_hash_inc(sa->dst->get_address(sa->dst), | |
408 | chunk_hash_inc(chunk_from_thing(sa->mark), | |
b32c3ce8 TB |
409 | chunk_hash_inc(chunk_from_thing(sa->if_id), |
410 | chunk_hash(chunk_from_thing(sa->cfg)))))); | |
9f49464d TB |
411 | } |
412 | ||
413 | /** | |
414 | * Equality function for ipsec_sa_t objects | |
415 | */ | |
416 | static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa) | |
417 | { | |
418 | return sa->src->ip_equals(sa->src, other_sa->src) && | |
419 | sa->dst->ip_equals(sa->dst, other_sa->dst) && | |
87ed9a5f TB |
420 | sa->mark.value == other_sa->mark.value && |
421 | sa->mark.mask == other_sa->mark.mask && | |
b32c3ce8 | 422 | sa->if_id == other_sa->if_id && |
87ed9a5f | 423 | ipsec_sa_cfg_equals(&sa->cfg, &other_sa->cfg); |
9f49464d TB |
424 | } |
425 | ||
426 | /** | |
674bc343 | 427 | * Allocate or reference an IPsec SA object |
9f49464d TB |
428 | */ |
429 | static ipsec_sa_t *ipsec_sa_create(private_kernel_netlink_ipsec_t *this, | |
430 | host_t *src, host_t *dst, mark_t mark, | |
b32c3ce8 | 431 | uint32_t if_id, ipsec_sa_cfg_t *cfg) |
9f49464d TB |
432 | { |
433 | ipsec_sa_t *sa, *found; | |
434 | INIT(sa, | |
435 | .src = src, | |
436 | .dst = dst, | |
437 | .mark = mark, | |
b32c3ce8 | 438 | .if_id = if_id, |
9f49464d TB |
439 | .cfg = *cfg, |
440 | ); | |
441 | found = this->sas->get(this->sas, sa); | |
442 | if (!found) | |
443 | { | |
444 | sa->src = src->clone(src); | |
445 | sa->dst = dst->clone(dst); | |
446 | this->sas->put(this->sas, sa, sa); | |
447 | } | |
448 | else | |
449 | { | |
450 | free(sa); | |
451 | sa = found; | |
452 | } | |
453 | ref_get(&sa->refcount); | |
454 | return sa; | |
455 | } | |
456 | ||
457 | /** | |
674bc343 | 458 | * Release and destroy an IPsec SA object |
9f49464d TB |
459 | */ |
460 | static void ipsec_sa_destroy(private_kernel_netlink_ipsec_t *this, | |
461 | ipsec_sa_t *sa) | |
462 | { | |
463 | if (ref_put(&sa->refcount)) | |
464 | { | |
465 | this->sas->remove(this->sas, sa); | |
466 | DESTROY_IF(sa->src); | |
467 | DESTROY_IF(sa->dst); | |
468 | free(sa); | |
469 | } | |
470 | } | |
471 | ||
472 | typedef struct policy_sa_t policy_sa_t; | |
aea3c105 | 473 | typedef struct policy_sa_out_t policy_sa_out_t; |
9f49464d TB |
474 | |
475 | /** | |
476 | * Mapping between a policy and an IPsec SA. | |
477 | */ | |
f0ba8ae0 | 478 | struct policy_sa_t { |
674bc343 | 479 | /** Priority assigned to the policy when installed with this SA */ |
b12c53ce | 480 | uint32_t priority; |
f0ba8ae0 | 481 | |
869f4e90 TB |
482 | /** Automatic priority assigned to the policy when installed with this SA */ |
483 | uint32_t auto_priority; | |
484 | ||
674bc343 | 485 | /** Type of the policy */ |
f0ba8ae0 TB |
486 | policy_type_t type; |
487 | ||
674bc343 | 488 | /** Assigned SA */ |
9f49464d TB |
489 | ipsec_sa_t *sa; |
490 | }; | |
f0ba8ae0 | 491 | |
9f49464d | 492 | /** |
aea3c105 | 493 | * For outbound policies we also cache the traffic selectors in order to install |
9f49464d TB |
494 | * the route. |
495 | */ | |
aea3c105 | 496 | struct policy_sa_out_t { |
674bc343 | 497 | /** Generic interface */ |
9f49464d | 498 | policy_sa_t generic; |
f0ba8ae0 | 499 | |
674bc343 | 500 | /** Source traffic selector of this policy */ |
f0ba8ae0 TB |
501 | traffic_selector_t *src_ts; |
502 | ||
674bc343 | 503 | /** Destination traffic selector of this policy */ |
f0ba8ae0 | 504 | traffic_selector_t *dst_ts; |
9f49464d | 505 | }; |
f0ba8ae0 | 506 | |
9f49464d | 507 | /** |
c4387e99 | 508 | * Create a policy_sa(_in)_t object |
9f49464d TB |
509 | */ |
510 | static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this, | |
511 | policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst, | |
512 | traffic_selector_t *src_ts, traffic_selector_t *dst_ts, mark_t mark, | |
b32c3ce8 | 513 | uint32_t if_id, ipsec_sa_cfg_t *cfg) |
9f49464d TB |
514 | { |
515 | policy_sa_t *policy; | |
f0ba8ae0 | 516 | |
aea3c105 | 517 | if (dir == POLICY_OUT) |
9f49464d | 518 | { |
aea3c105 TB |
519 | policy_sa_out_t *out; |
520 | INIT(out, | |
9f49464d TB |
521 | .src_ts = src_ts->clone(src_ts), |
522 | .dst_ts = dst_ts->clone(dst_ts), | |
523 | ); | |
aea3c105 | 524 | policy = &out->generic; |
9f49464d TB |
525 | } |
526 | else | |
527 | { | |
25d59e9e | 528 | INIT(policy, .priority = 0); |
9f49464d TB |
529 | } |
530 | policy->type = type; | |
b32c3ce8 | 531 | policy->sa = ipsec_sa_create(this, src, dst, mark, if_id, cfg); |
9f49464d TB |
532 | return policy; |
533 | } | |
f0ba8ae0 | 534 | |
9f49464d | 535 | /** |
c4387e99 | 536 | * Destroy a policy_sa(_in)_t object |
9f49464d | 537 | */ |
8a2e4d4a | 538 | static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t dir, |
4e9e4372 | 539 | private_kernel_netlink_ipsec_t *this) |
f0ba8ae0 | 540 | { |
8a2e4d4a | 541 | if (dir == POLICY_OUT) |
9f49464d | 542 | { |
aea3c105 TB |
543 | policy_sa_out_t *out = (policy_sa_out_t*)policy; |
544 | out->src_ts->destroy(out->src_ts); | |
545 | out->dst_ts->destroy(out->dst_ts); | |
9f49464d TB |
546 | } |
547 | ipsec_sa_destroy(this, policy->sa); | |
548 | free(policy); | |
f0ba8ae0 TB |
549 | } |
550 | ||
8a2e4d4a TB |
551 | CALLBACK(policy_sa_destroy_cb, void, |
552 | policy_sa_t *policy, va_list args) | |
553 | { | |
554 | private_kernel_netlink_ipsec_t *this; | |
555 | policy_dir_t dir; | |
556 | ||
557 | VA_ARGS_VGET(args, dir, this); | |
558 | policy_sa_destroy(policy, dir, this); | |
559 | } | |
560 | ||
507f26f6 TB |
561 | typedef struct policy_entry_t policy_entry_t; |
562 | ||
563 | /** | |
674bc343 | 564 | * Installed kernel policy. |
507f26f6 TB |
565 | */ |
566 | struct policy_entry_t { | |
7daf5226 | 567 | |
674bc343 | 568 | /** Direction of this policy: in, out, forward */ |
b12c53ce | 569 | uint8_t direction; |
7daf5226 | 570 | |
674bc343 | 571 | /** Parameters of installed policy */ |
507f26f6 | 572 | struct xfrm_selector sel; |
7daf5226 | 573 | |
674bc343 | 574 | /** Optional mark */ |
b12c53ce | 575 | uint32_t mark; |
ee26c537 | 576 | |
b32c3ce8 TB |
577 | /** Optional interface ID */ |
578 | uint32_t if_id; | |
579 | ||
674bc343 | 580 | /** Associated route installed for this policy */ |
507f26f6 | 581 | route_entry_t *route; |
7daf5226 | 582 | |
674bc343 | 583 | /** List of SAs this policy is used by, ordered by priority */ |
9f49464d | 584 | linked_list_t *used_by; |
1551d8b1 MW |
585 | |
586 | /** reqid for this policy */ | |
b12c53ce | 587 | uint32_t reqid; |
ebeaac1f TB |
588 | |
589 | /** Number of threads waiting to work on this policy */ | |
590 | int waiting; | |
591 | ||
592 | /** TRUE if a thread is working on this policy */ | |
593 | bool working; | |
507f26f6 TB |
594 | }; |
595 | ||
674bc343 TB |
596 | /** |
597 | * Destroy a policy_entry_t object | |
598 | */ | |
9f49464d TB |
599 | static void policy_entry_destroy(private_kernel_netlink_ipsec_t *this, |
600 | policy_entry_t *policy) | |
f0ba8ae0 | 601 | { |
9f49464d | 602 | if (policy->route) |
f0ba8ae0 | 603 | { |
9f49464d | 604 | route_entry_destroy(policy->route); |
f0ba8ae0 | 605 | } |
9f49464d TB |
606 | if (policy->used_by) |
607 | { | |
8a2e4d4a TB |
608 | policy->used_by->invoke_function(policy->used_by, policy_sa_destroy_cb, |
609 | policy->direction, this); | |
9f49464d TB |
610 | policy->used_by->destroy(policy->used_by); |
611 | } | |
612 | free(policy); | |
f0ba8ae0 TB |
613 | } |
614 | ||
3fb404d8 TB |
615 | /** |
616 | * Hash function for policy_entry_t objects | |
617 | */ | |
618 | static u_int policy_hash(policy_entry_t *key) | |
619 | { | |
6ffb8f86 | 620 | chunk_t chunk = chunk_from_thing(key->sel); |
b32c3ce8 TB |
621 | return chunk_hash_inc(chunk, chunk_hash_inc(chunk_from_thing(key->mark), |
622 | chunk_hash(chunk_from_thing(key->if_id)))); | |
3fb404d8 TB |
623 | } |
624 | ||
625 | /** | |
626 | * Equality function for policy_entry_t objects | |
627 | */ | |
628 | static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key) | |
629 | { | |
6ffb8f86 TB |
630 | return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) && |
631 | key->mark == other_key->mark && | |
b32c3ce8 | 632 | key->if_id == other_key->if_id && |
3fb404d8 TB |
633 | key->direction == other_key->direction; |
634 | } | |
635 | ||
d3af3b79 AS |
636 | /** |
637 | * Determine number of set bits in 16 bit port mask | |
638 | */ | |
639 | static inline uint32_t port_mask_bits(uint16_t port_mask) | |
640 | { | |
641 | uint32_t bits; | |
642 | uint16_t bit_mask = 0x8000; | |
643 | ||
644 | port_mask = ntohs(port_mask); | |
645 | ||
646 | for (bits = 0; bits < 16; bits++) | |
647 | { | |
648 | if (!(port_mask & bit_mask)) | |
649 | { | |
650 | break; | |
651 | } | |
652 | bit_mask >>= 1; | |
653 | } | |
654 | return bits; | |
655 | } | |
656 | ||
fbedc6a4 TB |
657 | /** |
658 | * Calculate the priority of a policy | |
d3af3b79 | 659 | * |
0e9d6c46 TB |
660 | * bits 0-0: separate trap and regular policies (0..1) 1 bit |
661 | * bits 1-1: restriction to network interface (0..1) 1 bit | |
662 | * bits 2-7: src + dst port mask bits (2 * 0..16) 6 bits | |
663 | * bits 8-8: restriction to protocol (0..1) 1 bit | |
664 | * bits 9-17: src + dst network mask bits (2 * 0..128) 9 bits | |
665 | * 18 bits | |
d3af3b79 | 666 | * |
0e9d6c46 TB |
667 | * smallest value: 000000000 0 000000 0 0: 0, lowest priority = 200'000 |
668 | * largest value : 100000000 1 100000 1 1: 131'459, highst priority = 68'541 | |
fbedc6a4 | 669 | */ |
d3af3b79 AS |
670 | static uint32_t get_priority(policy_entry_t *policy, policy_priority_t prio, |
671 | char *interface) | |
fbedc6a4 | 672 | { |
d3af3b79 AS |
673 | uint32_t priority = PRIO_BASE, sport_mask_bits, dport_mask_bits; |
674 | ||
fbedc6a4 TB |
675 | switch (prio) |
676 | { | |
d7a59f19 | 677 | case POLICY_PRIORITY_FALLBACK: |
d3af3b79 AS |
678 | priority += PRIO_BASE; |
679 | /* fall-through to next case */ | |
fbedc6a4 | 680 | case POLICY_PRIORITY_ROUTED: |
fbedc6a4 | 681 | case POLICY_PRIORITY_DEFAULT: |
d3af3b79 AS |
682 | priority += PRIO_BASE; |
683 | /* fall-through to next case */ | |
f1675e4e | 684 | case POLICY_PRIORITY_PASS: |
fbedc6a4 TB |
685 | break; |
686 | } | |
d3af3b79 AS |
687 | sport_mask_bits = port_mask_bits(policy->sel.sport_mask); |
688 | dport_mask_bits = port_mask_bits(policy->sel.dport_mask); | |
689 | ||
690 | /* calculate priority */ | |
0e9d6c46 TB |
691 | priority -= (policy->sel.prefixlen_s + policy->sel.prefixlen_d) * 512; |
692 | priority -= policy->sel.proto ? 256 : 0; | |
693 | priority -= (sport_mask_bits + dport_mask_bits) * 4; | |
694 | priority -= (interface != NULL) * 2; | |
695 | priority -= (prio != POLICY_PRIORITY_ROUTED); | |
d3af3b79 | 696 | |
fbedc6a4 TB |
697 | return priority; |
698 | } | |
699 | ||
d24a74c5 | 700 | /** |
674bc343 | 701 | * Convert the general ipsec mode to the one defined in xfrm.h |
d24a74c5 | 702 | */ |
b12c53ce | 703 | static uint8_t mode2kernel(ipsec_mode_t mode) |
d24a74c5 TB |
704 | { |
705 | switch (mode) | |
706 | { | |
707 | case MODE_TRANSPORT: | |
708 | return XFRM_MODE_TRANSPORT; | |
709 | case MODE_TUNNEL: | |
710 | return XFRM_MODE_TUNNEL; | |
711 | case MODE_BEET: | |
712 | return XFRM_MODE_BEET; | |
713 | default: | |
714 | return mode; | |
715 | } | |
716 | } | |
717 | ||
507f26f6 | 718 | /** |
674bc343 | 719 | * Convert a host_t to a struct xfrm_address |
507f26f6 TB |
720 | */ |
721 | static void host2xfrm(host_t *host, xfrm_address_t *xfrm) | |
722 | { | |
723 | chunk_t chunk = host->get_address(host); | |
7daf5226 | 724 | memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t))); |
507f26f6 TB |
725 | } |
726 | ||
aa9a3006 | 727 | /** |
674bc343 | 728 | * Convert a struct xfrm_address to a host_t |
aa9a3006 | 729 | */ |
b12c53ce | 730 | static host_t* xfrm2host(int family, xfrm_address_t *xfrm, uint16_t port) |
aa9a3006 MW |
731 | { |
732 | chunk_t chunk; | |
7daf5226 | 733 | |
aa9a3006 MW |
734 | switch (family) |
735 | { | |
736 | case AF_INET: | |
737 | chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4)); | |
738 | break; | |
739 | case AF_INET6: | |
740 | chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6)); | |
741 | break; | |
742 | default: | |
743 | return NULL; | |
744 | } | |
745 | return host_create_from_chunk(family, chunk, ntohs(port)); | |
746 | } | |
747 | ||
507f26f6 | 748 | /** |
674bc343 | 749 | * Convert a traffic selector address range to subnet and its mask. |
507f26f6 | 750 | */ |
7daf5226 | 751 | static void ts2subnet(traffic_selector_t* ts, |
b12c53ce | 752 | xfrm_address_t *net, uint8_t *mask) |
507f26f6 | 753 | { |
1adaa02b TB |
754 | host_t *net_host; |
755 | chunk_t net_chunk; | |
7daf5226 | 756 | |
1adaa02b TB |
757 | ts->to_subnet(ts, &net_host, mask); |
758 | net_chunk = net_host->get_address(net_host); | |
759 | memcpy(net, net_chunk.ptr, net_chunk.len); | |
760 | net_host->destroy(net_host); | |
507f26f6 TB |
761 | } |
762 | ||
763 | /** | |
674bc343 | 764 | * Convert a traffic selector port range to port/portmask |
507f26f6 | 765 | */ |
7daf5226 | 766 | static void ts2ports(traffic_selector_t* ts, |
b12c53ce | 767 | uint16_t *port, uint16_t *mask) |
507f26f6 | 768 | { |
6abae81f AS |
769 | uint16_t from, to, bitmask; |
770 | int bit; | |
7daf5226 | 771 | |
507f26f6 TB |
772 | from = ts->get_from_port(ts); |
773 | to = ts->get_to_port(ts); | |
7daf5226 | 774 | |
6abae81f | 775 | /* Quick check for a single port */ |
507f26f6 TB |
776 | if (from == to) |
777 | { | |
778 | *port = htons(from); | |
779 | *mask = ~0; | |
780 | } | |
781 | else | |
782 | { | |
6abae81f | 783 | /* Compute the port mask for port ranges */ |
507f26f6 | 784 | *mask = 0; |
6abae81f AS |
785 | |
786 | for (bit = 15; bit >= 0; bit--) | |
787 | { | |
788 | bitmask = 1 << bit; | |
789 | ||
790 | if ((bitmask & from) != (bitmask & to)) | |
791 | { | |
792 | *port = htons(from & *mask); | |
793 | *mask = htons(*mask); | |
794 | return; | |
795 | } | |
796 | *mask |= bitmask; | |
797 | } | |
507f26f6 | 798 | } |
6abae81f | 799 | return; |
507f26f6 TB |
800 | } |
801 | ||
802 | /** | |
674bc343 | 803 | * Convert a pair of traffic_selectors to an xfrm_selector |
507f26f6 | 804 | */ |
7daf5226 | 805 | static struct xfrm_selector ts2selector(traffic_selector_t *src, |
c26e4330 AS |
806 | traffic_selector_t *dst, |
807 | char *interface) | |
507f26f6 TB |
808 | { |
809 | struct xfrm_selector sel; | |
b12c53ce | 810 | uint16_t port; |
507f26f6 TB |
811 | |
812 | memset(&sel, 0, sizeof(sel)); | |
813 | sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6; | |
814 | /* src or dest proto may be "any" (0), use more restrictive one */ | |
815 | sel.proto = max(src->get_protocol(src), dst->get_protocol(dst)); | |
816 | ts2subnet(dst, &sel.daddr, &sel.prefixlen_d); | |
817 | ts2subnet(src, &sel.saddr, &sel.prefixlen_s); | |
818 | ts2ports(dst, &sel.dport, &sel.dport_mask); | |
819 | ts2ports(src, &sel.sport, &sel.sport_mask); | |
ddc2d3c8 TB |
820 | if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) && |
821 | (sel.dport || sel.sport)) | |
822 | { | |
7b20ab0a TB |
823 | /* the kernel expects the ICMP type and code in the source and |
824 | * destination port fields, respectively. */ | |
825 | port = ntohs(max(sel.dport, sel.sport)); | |
826 | sel.sport = htons(traffic_selector_icmp_type(port)); | |
827 | sel.sport_mask = sel.sport ? ~0 : 0; | |
828 | sel.dport = htons(traffic_selector_icmp_code(port)); | |
829 | sel.dport_mask = sel.dport ? ~0 : 0; | |
ddc2d3c8 | 830 | } |
c26e4330 | 831 | sel.ifindex = interface ? if_nametoindex(interface) : 0; |
507f26f6 | 832 | sel.user = 0; |
7daf5226 | 833 | |
507f26f6 TB |
834 | return sel; |
835 | } | |
836 | ||
e526d228 | 837 | /** |
674bc343 | 838 | * Convert an xfrm_selector to a src|dst traffic_selector |
e526d228 AS |
839 | */ |
840 | static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) | |
841 | { | |
70691c31 | 842 | u_char *addr; |
b12c53ce AS |
843 | uint8_t prefixlen; |
844 | uint16_t port = 0; | |
70691c31 | 845 | host_t *host = NULL; |
7daf5226 | 846 | |
e526d228 AS |
847 | if (src) |
848 | { | |
70691c31 | 849 | addr = (u_char*)&sel->saddr; |
5145ae48 | 850 | prefixlen = sel->prefixlen_s; |
70691c31 MW |
851 | if (sel->sport_mask) |
852 | { | |
406a504c | 853 | port = ntohs(sel->sport); |
70691c31 | 854 | } |
e526d228 | 855 | } |
70691c31 | 856 | else |
e526d228 | 857 | { |
70691c31 | 858 | addr = (u_char*)&sel->daddr; |
5145ae48 | 859 | prefixlen = sel->prefixlen_d; |
70691c31 MW |
860 | if (sel->dport_mask) |
861 | { | |
406a504c | 862 | port = ntohs(sel->dport); |
70691c31 | 863 | } |
e526d228 | 864 | } |
406a504c TB |
865 | if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6) |
866 | { /* convert ICMP[v6] message type and code as supplied by the kernel in | |
867 | * source and destination ports (both in network order) */ | |
868 | port = (sel->sport >> 8) | (sel->dport & 0xff00); | |
869 | port = ntohs(port); | |
870 | } | |
e526d228 | 871 | /* The Linux 2.6 kernel does not set the selector's family field, |
7daf5226 | 872 | * so as a kludge we additionally test the prefix length. |
e526d228 | 873 | */ |
b74bc438 | 874 | if (sel->family == AF_INET || sel->prefixlen_s == 32) |
e526d228 | 875 | { |
70691c31 | 876 | host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0); |
e526d228 | 877 | } |
b74bc438 | 878 | else if (sel->family == AF_INET6 || sel->prefixlen_s == 128) |
e526d228 | 879 | { |
70691c31 | 880 | host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0); |
b74bc438 | 881 | } |
7daf5226 | 882 | |
70691c31 | 883 | if (host) |
b74bc438 | 884 | { |
70691c31 | 885 | return traffic_selector_create_from_subnet(host, prefixlen, |
a1db77de | 886 | sel->proto, port, port ?: 65535); |
b74bc438 | 887 | } |
70691c31 | 888 | return NULL; |
e526d228 | 889 | } |
507f26f6 TB |
890 | |
891 | /** | |
674bc343 | 892 | * Process a XFRM_MSG_ACQUIRE from kernel |
507f26f6 | 893 | */ |
674bc343 TB |
894 | static void process_acquire(private_kernel_netlink_ipsec_t *this, |
895 | struct nlmsghdr *hdr) | |
507f26f6 | 896 | { |
e526d228 | 897 | struct xfrm_user_acquire *acquire; |
b74bc438 AS |
898 | struct rtattr *rta; |
899 | size_t rtasize; | |
674bc343 | 900 | traffic_selector_t *src_ts, *dst_ts; |
b12c53ce | 901 | uint32_t reqid = 0; |
674bc343 | 902 | int proto = 0; |
7daf5226 | 903 | |
4c438cf0 | 904 | acquire = NLMSG_DATA(hdr); |
b74bc438 AS |
905 | rta = XFRM_RTA(hdr, struct xfrm_user_acquire); |
906 | rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire); | |
907 | ||
908 | DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE"); | |
e526d228 | 909 | |
b74bc438 | 910 | while (RTA_OK(rta, rtasize)) |
507f26f6 | 911 | { |
b74bc438 AS |
912 | DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type); |
913 | ||
914 | if (rta->rta_type == XFRMA_TMPL) | |
507f26f6 | 915 | { |
e526d228 | 916 | struct xfrm_user_tmpl* tmpl; |
b74bc438 | 917 | tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta); |
507f26f6 TB |
918 | reqid = tmpl->reqid; |
919 | proto = tmpl->id.proto; | |
920 | } | |
b74bc438 | 921 | rta = RTA_NEXT(rta, rtasize); |
507f26f6 TB |
922 | } |
923 | switch (proto) | |
924 | { | |
925 | case 0: | |
926 | case IPPROTO_ESP: | |
927 | case IPPROTO_AH: | |
928 | break; | |
929 | default: | |
930 | /* acquire for AH/ESP only, not for IPCOMP */ | |
931 | return; | |
932 | } | |
e526d228 AS |
933 | src_ts = selector2ts(&acquire->sel, TRUE); |
934 | dst_ts = selector2ts(&acquire->sel, FALSE); | |
81f6ec27 | 935 | |
8394ea2a | 936 | charon->kernel->acquire(charon->kernel, reqid, src_ts, dst_ts); |
507f26f6 TB |
937 | } |
938 | ||
939 | /** | |
674bc343 | 940 | * Process a XFRM_MSG_EXPIRE from kernel |
507f26f6 | 941 | */ |
674bc343 TB |
942 | static void process_expire(private_kernel_netlink_ipsec_t *this, |
943 | struct nlmsghdr *hdr) | |
507f26f6 | 944 | { |
507f26f6 | 945 | struct xfrm_user_expire *expire; |
b12c53ce AS |
946 | uint32_t spi; |
947 | uint8_t protocol; | |
f81a9497 | 948 | host_t *dst; |
7daf5226 | 949 | |
4c438cf0 | 950 | expire = NLMSG_DATA(hdr); |
9f166d9a | 951 | protocol = expire->state.id.proto; |
507f26f6 | 952 | spi = expire->state.id.spi; |
7daf5226 | 953 | |
507f26f6 | 954 | DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE"); |
7daf5226 | 955 | |
f81a9497 | 956 | if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH) |
507f26f6 | 957 | { |
f81a9497 MW |
958 | dst = xfrm2host(expire->state.family, &expire->state.id.daddr, 0); |
959 | if (dst) | |
960 | { | |
8394ea2a TB |
961 | charon->kernel->expire(charon->kernel, protocol, spi, dst, |
962 | expire->hard != 0); | |
f81a9497 MW |
963 | dst->destroy(dst); |
964 | } | |
507f26f6 | 965 | } |
507f26f6 TB |
966 | } |
967 | ||
e526d228 | 968 | /** |
674bc343 | 969 | * Process a XFRM_MSG_MIGRATE from kernel |
e526d228 | 970 | */ |
674bc343 TB |
971 | static void process_migrate(private_kernel_netlink_ipsec_t *this, |
972 | struct nlmsghdr *hdr) | |
e526d228 | 973 | { |
674bc343 TB |
974 | struct xfrm_userpolicy_id *policy_id; |
975 | struct rtattr *rta; | |
976 | size_t rtasize; | |
5145ae48 AS |
977 | traffic_selector_t *src_ts, *dst_ts; |
978 | host_t *local = NULL, *remote = NULL; | |
979 | host_t *old_src = NULL, *old_dst = NULL; | |
980 | host_t *new_src = NULL, *new_dst = NULL; | |
b12c53ce | 981 | uint32_t reqid = 0; |
ef6d339c | 982 | policy_dir_t dir; |
b74bc438 | 983 | |
4c438cf0 | 984 | policy_id = NLMSG_DATA(hdr); |
b74bc438 AS |
985 | rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id); |
986 | rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id); | |
987 | ||
e526d228 | 988 | DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE"); |
7daf5226 | 989 | |
5145ae48 AS |
990 | src_ts = selector2ts(&policy_id->sel, TRUE); |
991 | dst_ts = selector2ts(&policy_id->sel, FALSE); | |
ef6d339c AS |
992 | dir = (policy_dir_t)policy_id->dir; |
993 | ||
7a915d62 | 994 | DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names); |
b74bc438 AS |
995 | |
996 | while (RTA_OK(rta, rtasize)) | |
997 | { | |
5145ae48 AS |
998 | DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type); |
999 | if (rta->rta_type == XFRMA_KMADDRESS) | |
1000 | { | |
1001 | struct xfrm_user_kmaddress *kmaddress; | |
1002 | ||
1003 | kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta); | |
1004 | local = xfrm2host(kmaddress->family, &kmaddress->local, 0); | |
1005 | remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0); | |
2c815393 | 1006 | DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote); |
bab075b1 | 1007 | } |
5145ae48 AS |
1008 | else if (rta->rta_type == XFRMA_MIGRATE) |
1009 | { | |
1010 | struct xfrm_user_migrate *migrate; | |
5145ae48 AS |
1011 | |
1012 | migrate = (struct xfrm_user_migrate*)RTA_DATA(rta); | |
1013 | old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0); | |
1014 | old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0); | |
1015 | new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0); | |
1016 | new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0); | |
5145ae48 | 1017 | reqid = migrate->reqid; |
9f166d9a | 1018 | DBG2(DBG_KNL, " migrate %H...%H to %H...%H, reqid {%u}", |
674bc343 | 1019 | old_src, old_dst, new_src, new_dst, reqid); |
5145ae48 AS |
1020 | DESTROY_IF(old_src); |
1021 | DESTROY_IF(old_dst); | |
1022 | DESTROY_IF(new_src); | |
1023 | DESTROY_IF(new_dst); | |
1024 | } | |
b74bc438 AS |
1025 | rta = RTA_NEXT(rta, rtasize); |
1026 | } | |
ef6d339c | 1027 | |
7a915d62 | 1028 | if (src_ts && dst_ts && local && remote) |
ef6d339c | 1029 | { |
8394ea2a TB |
1030 | charon->kernel->migrate(charon->kernel, reqid, src_ts, dst_ts, dir, |
1031 | local, remote); | |
ef6d339c AS |
1032 | } |
1033 | else | |
1034 | { | |
1035 | DESTROY_IF(src_ts); | |
1036 | DESTROY_IF(dst_ts); | |
1037 | DESTROY_IF(local); | |
bab075b1 | 1038 | DESTROY_IF(remote); |
ef6d339c | 1039 | } |
e526d228 AS |
1040 | } |
1041 | ||
aa9a3006 | 1042 | /** |
674bc343 | 1043 | * Process a XFRM_MSG_MAPPING from kernel |
aa9a3006 MW |
1044 | */ |
1045 | static void process_mapping(private_kernel_netlink_ipsec_t *this, | |
1046 | struct nlmsghdr *hdr) | |
1047 | { | |
aa9a3006 | 1048 | struct xfrm_user_mapping *mapping; |
b12c53ce | 1049 | uint32_t spi; |
7daf5226 | 1050 | |
4c438cf0 | 1051 | mapping = NLMSG_DATA(hdr); |
aa9a3006 | 1052 | spi = mapping->id.spi; |
7daf5226 | 1053 | |
aa9a3006 | 1054 | DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING"); |
7daf5226 | 1055 | |
9f166d9a | 1056 | if (mapping->id.proto == IPPROTO_ESP) |
aa9a3006 | 1057 | { |
b125839a MW |
1058 | host_t *dst, *new; |
1059 | ||
1060 | dst = xfrm2host(mapping->id.family, &mapping->id.daddr, 0); | |
1061 | if (dst) | |
aa9a3006 | 1062 | { |
b125839a MW |
1063 | new = xfrm2host(mapping->id.family, &mapping->new_saddr, |
1064 | mapping->new_sport); | |
1065 | if (new) | |
1066 | { | |
8394ea2a TB |
1067 | charon->kernel->mapping(charon->kernel, IPPROTO_ESP, spi, dst, |
1068 | new); | |
b125839a MW |
1069 | new->destroy(new); |
1070 | } | |
1071 | dst->destroy(dst); | |
aa9a3006 MW |
1072 | } |
1073 | } | |
1074 | } | |
1075 | ||
507f26f6 TB |
1076 | /** |
1077 | * Receives events from kernel | |
1078 | */ | |
f4f77d74 MW |
1079 | static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd, |
1080 | watcher_event_t event) | |
507f26f6 | 1081 | { |
c5b94b24 | 1082 | char response[netlink_get_buflen()]; |
507f26f6 TB |
1083 | struct nlmsghdr *hdr = (struct nlmsghdr*)response; |
1084 | struct sockaddr_nl addr; | |
1085 | socklen_t addr_len = sizeof(addr); | |
4a5a5dd2 | 1086 | int len; |
7daf5226 | 1087 | |
f4f77d74 MW |
1088 | len = recvfrom(this->socket_xfrm_events, response, sizeof(response), |
1089 | MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len); | |
507f26f6 TB |
1090 | if (len < 0) |
1091 | { | |
1092 | switch (errno) | |
1093 | { | |
1094 | case EINTR: | |
1095 | /* interrupted, try again */ | |
f4f77d74 | 1096 | return TRUE; |
507f26f6 TB |
1097 | case EAGAIN: |
1098 | /* no data ready, select again */ | |
f4f77d74 | 1099 | return TRUE; |
507f26f6 | 1100 | default: |
a0178fe2 TB |
1101 | DBG1(DBG_KNL, "unable to receive from XFRM event socket: %s " |
1102 | "(%d)", strerror(errno), errno); | |
507f26f6 | 1103 | sleep(1); |
f4f77d74 | 1104 | return TRUE; |
507f26f6 TB |
1105 | } |
1106 | } | |
7daf5226 | 1107 | |
507f26f6 TB |
1108 | if (addr.nl_pid != 0) |
1109 | { /* not from kernel. not interested, try another one */ | |
f4f77d74 | 1110 | return TRUE; |
507f26f6 | 1111 | } |
7daf5226 | 1112 | |
507f26f6 TB |
1113 | while (NLMSG_OK(hdr, len)) |
1114 | { | |
1115 | switch (hdr->nlmsg_type) | |
1116 | { | |
1117 | case XFRM_MSG_ACQUIRE: | |
1118 | process_acquire(this, hdr); | |
1119 | break; | |
1120 | case XFRM_MSG_EXPIRE: | |
1121 | process_expire(this, hdr); | |
1122 | break; | |
e526d228 AS |
1123 | case XFRM_MSG_MIGRATE: |
1124 | process_migrate(this, hdr); | |
1125 | break; | |
aa9a3006 MW |
1126 | case XFRM_MSG_MAPPING: |
1127 | process_mapping(this, hdr); | |
1128 | break; | |
507f26f6 | 1129 | default: |
a0178fe2 TB |
1130 | DBG1(DBG_KNL, "received unknown event from XFRM event " |
1131 | "socket: %d", hdr->nlmsg_type); | |
507f26f6 TB |
1132 | break; |
1133 | } | |
1134 | hdr = NLMSG_NEXT(hdr, len); | |
1135 | } | |
f4f77d74 | 1136 | return TRUE; |
507f26f6 TB |
1137 | } |
1138 | ||
53e62f5d MW |
1139 | METHOD(kernel_ipsec_t, get_features, kernel_feature_t, |
1140 | private_kernel_netlink_ipsec_t *this) | |
1141 | { | |
2699c838 | 1142 | return KERNEL_ESP_V3_TFC | KERNEL_POLICY_SPI; |
53e62f5d MW |
1143 | } |
1144 | ||
507f26f6 TB |
1145 | /** |
1146 | * Get an SPI for a specific protocol from the kernel. | |
1147 | */ | |
1148 | static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this, | |
b12c53ce AS |
1149 | host_t *src, host_t *dst, uint8_t proto, uint32_t min, uint32_t max, |
1150 | uint32_t *spi) | |
507f26f6 | 1151 | { |
21bf86f7 | 1152 | netlink_buf_t request; |
507f26f6 TB |
1153 | struct nlmsghdr *hdr, *out; |
1154 | struct xfrm_userspi_info *userspi; | |
b12c53ce | 1155 | uint32_t received_spi = 0; |
507f26f6 | 1156 | size_t len; |
7daf5226 | 1157 | |
507f26f6 | 1158 | memset(&request, 0, sizeof(request)); |
7daf5226 | 1159 | |
0404a29b | 1160 | hdr = &request.hdr; |
507f26f6 TB |
1161 | hdr->nlmsg_flags = NLM_F_REQUEST; |
1162 | hdr->nlmsg_type = XFRM_MSG_ALLOCSPI; | |
1163 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info)); | |
1164 | ||
4c438cf0 | 1165 | userspi = NLMSG_DATA(hdr); |
507f26f6 TB |
1166 | host2xfrm(src, &userspi->info.saddr); |
1167 | host2xfrm(dst, &userspi->info.id.daddr); | |
1168 | userspi->info.id.proto = proto; | |
d24a74c5 | 1169 | userspi->info.mode = XFRM_MODE_TUNNEL; |
507f26f6 TB |
1170 | userspi->info.family = src->get_family(src); |
1171 | userspi->min = min; | |
1172 | userspi->max = max; | |
7daf5226 | 1173 | |
507f26f6 TB |
1174 | if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) |
1175 | { | |
1176 | hdr = out; | |
1177 | while (NLMSG_OK(hdr, len)) | |
1178 | { | |
1179 | switch (hdr->nlmsg_type) | |
1180 | { | |
1181 | case XFRM_MSG_NEWSA: | |
1182 | { | |
1183 | struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr); | |
1184 | received_spi = usersa->id.spi; | |
1185 | break; | |
1186 | } | |
1187 | case NLMSG_ERROR: | |
1188 | { | |
1189 | struct nlmsgerr *err = NLMSG_DATA(hdr); | |
507f26f6 TB |
1190 | DBG1(DBG_KNL, "allocating SPI failed: %s (%d)", |
1191 | strerror(-err->error), -err->error); | |
1192 | break; | |
1193 | } | |
1194 | default: | |
1195 | hdr = NLMSG_NEXT(hdr, len); | |
1196 | continue; | |
1197 | case NLMSG_DONE: | |
1198 | break; | |
1199 | } | |
1200 | break; | |
1201 | } | |
1202 | free(out); | |
1203 | } | |
7daf5226 | 1204 | |
507f26f6 TB |
1205 | if (received_spi == 0) |
1206 | { | |
1207 | return FAILED; | |
1208 | } | |
7daf5226 | 1209 | |
507f26f6 TB |
1210 | *spi = received_spi; |
1211 | return SUCCESS; | |
1212 | } | |
1213 | ||
98ed9c6c MW |
1214 | METHOD(kernel_ipsec_t, get_spi, status_t, |
1215 | private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, | |
b12c53ce | 1216 | uint8_t protocol, uint32_t *spi) |
507f26f6 | 1217 | { |
6d86d0f5 TB |
1218 | uint32_t spi_min, spi_max; |
1219 | ||
1220 | spi_min = lib->settings->get_int(lib->settings, "%s.spi_min", | |
1221 | KERNEL_SPI_MIN, lib->ns); | |
1222 | spi_max = lib->settings->get_int(lib->settings, "%s.spi_max", | |
1223 | KERNEL_SPI_MAX, lib->ns); | |
1224 | ||
1225 | if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max), | |
1226 | max(spi_min, spi_max), spi) != SUCCESS) | |
507f26f6 | 1227 | { |
2a1c9e20 | 1228 | DBG1(DBG_KNL, "unable to get SPI"); |
507f26f6 TB |
1229 | return FAILED; |
1230 | } | |
7daf5226 | 1231 | |
2a1c9e20 | 1232 | DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi)); |
507f26f6 TB |
1233 | return SUCCESS; |
1234 | } | |
1235 | ||
98ed9c6c MW |
1236 | METHOD(kernel_ipsec_t, get_cpi, status_t, |
1237 | private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, | |
b12c53ce | 1238 | uint16_t *cpi) |
507f26f6 | 1239 | { |
b12c53ce | 1240 | uint32_t received_spi = 0; |
507f26f6 | 1241 | |
674bc343 | 1242 | if (get_spi_internal(this, src, dst, IPPROTO_COMP, |
2a1c9e20 | 1243 | 0x100, 0xEFFF, &received_spi) != SUCCESS) |
507f26f6 | 1244 | { |
2a1c9e20 | 1245 | DBG1(DBG_KNL, "unable to get CPI"); |
507f26f6 TB |
1246 | return FAILED; |
1247 | } | |
7daf5226 | 1248 | |
b12c53ce | 1249 | *cpi = htons((uint16_t)ntohl(received_spi)); |
7daf5226 | 1250 | |
2a1c9e20 | 1251 | DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi)); |
507f26f6 TB |
1252 | return SUCCESS; |
1253 | } | |
1254 | ||
25178f45 TB |
1255 | /** |
1256 | * Format the mark for debug messages | |
1257 | */ | |
1258 | static void format_mark(char *buf, int buflen, mark_t mark) | |
1259 | { | |
33d3ffde | 1260 | if (mark.value | mark.mask) |
25178f45 TB |
1261 | { |
1262 | snprintf(buf, buflen, " (mark %u/0x%08x)", mark.value, mark.mask); | |
1263 | } | |
1264 | } | |
1265 | ||
0d9f31e1 MW |
1266 | /** |
1267 | * Add a XFRM mark to message if required | |
1268 | */ | |
1269 | static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark) | |
1270 | { | |
33d3ffde | 1271 | if (mark.value | mark.mask) |
0d9f31e1 MW |
1272 | { |
1273 | struct xfrm_mark *xmrk; | |
1274 | ||
1275 | xmrk = netlink_reserve(hdr, buflen, XFRMA_MARK, sizeof(*xmrk)); | |
1276 | if (!xmrk) | |
1277 | { | |
1278 | return FALSE; | |
1279 | } | |
1280 | xmrk->v = mark.value; | |
1281 | xmrk->m = mark.mask; | |
1282 | } | |
1283 | return TRUE; | |
1284 | } | |
1285 | ||
9cee688f TB |
1286 | /** |
1287 | * Add a uint32 attribute to message | |
1288 | */ | |
1289 | static bool add_uint32(struct nlmsghdr *hdr, int buflen, | |
1290 | enum xfrm_attr_type_t type, uint32_t value) | |
1291 | { | |
1292 | uint32_t *xvalue; | |
1293 | ||
1294 | xvalue = netlink_reserve(hdr, buflen, type, sizeof(*xvalue)); | |
1295 | if (!xvalue) | |
1296 | { | |
1297 | return FALSE; | |
1298 | } | |
1299 | *xvalue = value; | |
1300 | return TRUE; | |
1301 | } | |
1302 | ||
c7f579fa TB |
1303 | /* ETHTOOL_GSSET_INFO is available since 2.6.34 and ETH_SS_FEATURES (enum) and |
1304 | * ETHTOOL_GFEATURES since 2.6.39, so check for the latter */ | |
1305 | #ifdef ETHTOOL_GFEATURES | |
1306 | ||
c7f579fa TB |
1307 | /** |
1308 | * Global metadata used for IPsec HW offload | |
1309 | */ | |
1310 | static struct { | |
a605452c TE |
1311 | /** determined HW offload support */ |
1312 | bool supported; | |
c7f579fa TB |
1313 | /** bit in feature set */ |
1314 | u_int bit; | |
1315 | /** total number of device feature blocks */ | |
1316 | u_int total_blocks; | |
c7f579fa TB |
1317 | } netlink_hw_offload; |
1318 | ||
338cc581 | 1319 | /** |
a605452c | 1320 | * Check if kernel supports HW offload and determine feature flag |
338cc581 | 1321 | */ |
a605452c | 1322 | static void netlink_find_offload_feature(const char *ifname) |
338cc581 | 1323 | { |
ee26f715 | 1324 | struct ethtool_sset_info *sset_info; |
338cc581 | 1325 | struct ethtool_gstrings *cmd = NULL; |
1c4e134f | 1326 | struct ifreq ifr = { 0 }; |
338cc581 AN |
1327 | uint32_t sset_len, i; |
1328 | char *str; | |
a605452c | 1329 | int err, query_socket; |
338cc581 | 1330 | |
a605452c TE |
1331 | query_socket = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM); |
1332 | if (query_socket < 0) | |
1333 | { | |
1334 | return; | |
1335 | } | |
338cc581 | 1336 | |
ee26f715 TB |
1337 | /* determine number of device features */ |
1338 | INIT_EXTRA(sset_info, sizeof(uint32_t), | |
1339 | .cmd = ETHTOOL_GSSET_INFO, | |
1340 | .sset_mask = 1ULL << ETH_SS_FEATURES, | |
1341 | ); | |
d837d0b3 TB |
1342 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); |
1343 | ifr.ifr_name[IFNAMSIZ-1] = '\0'; | |
ee26f715 | 1344 | ifr.ifr_data = (void*)sset_info; |
338cc581 | 1345 | |
ee26f715 TB |
1346 | err = ioctl(query_socket, SIOCETHTOOL, &ifr); |
1347 | if (err || sset_info->sset_mask != 1ULL << ETH_SS_FEATURES) | |
338cc581 AN |
1348 | { |
1349 | goto out; | |
1350 | } | |
1351 | sset_len = sset_info->data[0]; | |
1352 | ||
ee26f715 TB |
1353 | /* retrieve names of device features */ |
1354 | INIT_EXTRA(cmd, ETH_GSTRING_LEN * sset_len, | |
1355 | .cmd = ETHTOOL_GSTRINGS, | |
1356 | .string_set = ETH_SS_FEATURES, | |
1357 | ); | |
d837d0b3 TB |
1358 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); |
1359 | ifr.ifr_name[IFNAMSIZ-1] = '\0'; | |
ee26f715 TB |
1360 | ifr.ifr_data = (void*)cmd; |
1361 | ||
1362 | err = ioctl(query_socket, SIOCETHTOOL, &ifr); | |
338cc581 AN |
1363 | if (err) |
1364 | { | |
1365 | goto out; | |
1366 | } | |
1367 | ||
ee26f715 TB |
1368 | /* look for the ESP_HW feature bit */ |
1369 | str = (char*)cmd->data; | |
338cc581 AN |
1370 | for (i = 0; i < cmd->len; i++) |
1371 | { | |
ee26f715 TB |
1372 | if (strneq(str, "esp-hw-offload", ETH_GSTRING_LEN)) |
1373 | { | |
a605452c | 1374 | netlink_hw_offload.supported = TRUE; |
ee26f715 TB |
1375 | netlink_hw_offload.bit = i; |
1376 | netlink_hw_offload.total_blocks = (sset_len + 31) / 32; | |
338cc581 | 1377 | break; |
ee26f715 | 1378 | } |
338cc581 AN |
1379 | str += ETH_GSTRING_LEN; |
1380 | } | |
338cc581 AN |
1381 | |
1382 | out: | |
ee26f715 TB |
1383 | free(sset_info); |
1384 | free(cmd); | |
a605452c | 1385 | close(query_socket); |
338cc581 AN |
1386 | } |
1387 | ||
1388 | /** | |
1389 | * Check if interface supported HW offload | |
1390 | */ | |
1391 | static bool netlink_detect_offload(const char *ifname) | |
1392 | { | |
1393 | struct ethtool_gfeatures *cmd; | |
1394 | uint32_t feature_bit; | |
1c4e134f | 1395 | struct ifreq ifr = { 0 }; |
ee26f715 | 1396 | int query_socket; |
338cc581 | 1397 | int block; |
ee26f715 | 1398 | bool ret = FALSE; |
338cc581 | 1399 | |
a605452c | 1400 | if (!netlink_hw_offload.supported) |
338cc581 | 1401 | { |
a605452c | 1402 | DBG1(DBG_KNL, "HW offload is not supported by kernel"); |
338cc581 AN |
1403 | return FALSE; |
1404 | } | |
1405 | ||
a605452c TE |
1406 | query_socket = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM); |
1407 | if (query_socket < 0) | |
338cc581 | 1408 | { |
a605452c | 1409 | return FALSE; |
338cc581 AN |
1410 | } |
1411 | ||
ee26f715 TB |
1412 | /* feature is supported by kernel, query device features */ |
1413 | INIT_EXTRA(cmd, sizeof(cmd->features[0]) * netlink_hw_offload.total_blocks, | |
1414 | .cmd = ETHTOOL_GFEATURES, | |
1415 | .size = netlink_hw_offload.total_blocks, | |
1416 | ); | |
d837d0b3 TB |
1417 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); |
1418 | ifr.ifr_name[IFNAMSIZ-1] = '\0'; | |
ee26f715 | 1419 | ifr.ifr_data = (void*)cmd; |
338cc581 | 1420 | |
a605452c | 1421 | if (!ioctl(query_socket, SIOCETHTOOL, &ifr)) |
338cc581 | 1422 | { |
a605452c TE |
1423 | block = netlink_hw_offload.bit / 32; |
1424 | feature_bit = 1U << (netlink_hw_offload.bit % 32); | |
1425 | if (cmd->features[block].active & feature_bit) | |
1426 | { | |
1427 | ret = TRUE; | |
1428 | } | |
338cc581 AN |
1429 | } |
1430 | ||
ee26f715 | 1431 | if (!ret) |
338cc581 AN |
1432 | { |
1433 | DBG1(DBG_KNL, "HW offload is not supported by device"); | |
1434 | } | |
a605452c | 1435 | free(cmd); |
ee26f715 | 1436 | close(query_socket); |
338cc581 AN |
1437 | return ret; |
1438 | } | |
1439 | ||
c7f579fa TB |
1440 | #else |
1441 | ||
a605452c TE |
1442 | static void netlink_find_offload_feature(const char *ifname) |
1443 | { | |
1444 | } | |
1445 | ||
c7f579fa TB |
1446 | static bool netlink_detect_offload(const char *ifname) |
1447 | { | |
1448 | return FALSE; | |
1449 | } | |
1450 | ||
1451 | #endif | |
1452 | ||
338cc581 | 1453 | /** |
ee26f715 TB |
1454 | * There are 3 HW offload configuration values: |
1455 | * 1. HW_OFFLOAD_NO : Do not configure HW offload. | |
338cc581 AN |
1456 | * 2. HW_OFFLOAD_YES : Configure HW offload. |
1457 | * Fail SA addition if offload is not supported. | |
1458 | * 3. HW_OFFLOAD_AUTO : Configure HW offload if supported by the kernel | |
1459 | * and device. | |
1460 | * Do not fail SA addition otherwise. | |
1461 | */ | |
1462 | static bool config_hw_offload(kernel_ipsec_sa_id_t *id, | |
ee26f715 TB |
1463 | kernel_ipsec_add_sa_t *data, struct nlmsghdr *hdr, |
1464 | int buflen) | |
338cc581 | 1465 | { |
338cc581 AN |
1466 | host_t *local = data->inbound ? id->dst : id->src; |
1467 | struct xfrm_user_offload *offload; | |
ee26f715 | 1468 | bool hw_offload_yes, ret = FALSE; |
338cc581 AN |
1469 | char *ifname; |
1470 | ||
ee26f715 | 1471 | /* do Ipsec configuration without offload */ |
338cc581 AN |
1472 | if (data->hw_offload == HW_OFFLOAD_NO) |
1473 | { | |
1474 | return TRUE; | |
1475 | } | |
1476 | ||
ee26f715 TB |
1477 | hw_offload_yes = (data->hw_offload == HW_OFFLOAD_YES); |
1478 | ||
338cc581 AN |
1479 | if (!charon->kernel->get_interface(charon->kernel, local, &ifname)) |
1480 | { | |
ee26f715 | 1481 | return !hw_offload_yes; |
338cc581 AN |
1482 | } |
1483 | ||
ee26f715 TB |
1484 | /* check if interface supports hw_offload */ |
1485 | if (!netlink_detect_offload(ifname)) | |
338cc581 | 1486 | { |
ee26f715 | 1487 | ret = !hw_offload_yes; |
338cc581 AN |
1488 | goto out; |
1489 | } | |
1490 | ||
ee26f715 | 1491 | /* activate HW offload */ |
338cc581 AN |
1492 | offload = netlink_reserve(hdr, buflen, |
1493 | XFRMA_OFFLOAD_DEV, sizeof(*offload)); | |
1494 | if (!offload) | |
1495 | { | |
ee26f715 | 1496 | ret = !hw_offload_yes; |
338cc581 AN |
1497 | goto out; |
1498 | } | |
1499 | offload->ifindex = if_nametoindex(ifname); | |
338cc581 AN |
1500 | offload->flags |= data->inbound ? XFRM_OFFLOAD_INBOUND : 0; |
1501 | ||
1502 | ret = TRUE; | |
1503 | ||
1504 | out: | |
1505 | free(ifname); | |
1506 | return ret; | |
1507 | } | |
1508 | ||
98ed9c6c | 1509 | METHOD(kernel_ipsec_t, add_sa, status_t, |
89da06ac TB |
1510 | private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id, |
1511 | kernel_ipsec_add_sa_t *data) | |
507f26f6 | 1512 | { |
21bf86f7 | 1513 | netlink_buf_t request; |
7085ca68 TE |
1514 | const char *alg_name; |
1515 | char markstr[32] = ""; | |
507f26f6 TB |
1516 | struct nlmsghdr *hdr; |
1517 | struct xfrm_usersa_info *sa; | |
89da06ac TB |
1518 | uint16_t icv_size = 64, ipcomp = data->ipcomp; |
1519 | ipsec_mode_t mode = data->mode, original_mode = data->mode; | |
d05d85fe | 1520 | traffic_selector_t *first_src_ts, *first_dst_ts; |
f7812f64 | 1521 | status_t status = FAILED; |
7daf5226 | 1522 | |
ea625fab TB |
1523 | /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0 |
1524 | * we are in the recursive call below */ | |
89da06ac | 1525 | if (ipcomp != IPCOMP_NONE && data->cpi != 0) |
ea625fab | 1526 | { |
e75f4237 | 1527 | lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}}; |
89da06ac TB |
1528 | kernel_ipsec_sa_id_t ipcomp_id = { |
1529 | .src = id->src, | |
1530 | .dst = id->dst, | |
1531 | .spi = htonl(ntohs(data->cpi)), | |
1532 | .proto = IPPROTO_COMP, | |
1533 | .mark = id->mark, | |
b32c3ce8 | 1534 | .if_id = id->if_id, |
89da06ac TB |
1535 | }; |
1536 | kernel_ipsec_add_sa_t ipcomp_sa = { | |
1537 | .reqid = data->reqid, | |
1538 | .mode = data->mode, | |
1539 | .src_ts = data->src_ts, | |
1540 | .dst_ts = data->dst_ts, | |
1541 | .lifetime = &lft, | |
1542 | .enc_alg = ENCR_UNDEFINED, | |
1543 | .int_alg = AUTH_UNDEFINED, | |
1544 | .tfc = data->tfc, | |
1545 | .ipcomp = data->ipcomp, | |
1546 | .initiator = data->initiator, | |
1547 | .inbound = data->inbound, | |
1548 | .update = data->update, | |
1549 | }; | |
1550 | add_sa(this, &ipcomp_id, &ipcomp_sa); | |
ea625fab | 1551 | ipcomp = IPCOMP_NONE; |
2b2c69e9 MW |
1552 | /* use transport mode ESP SA, IPComp uses tunnel mode */ |
1553 | mode = MODE_TRANSPORT; | |
ea625fab | 1554 | } |
7daf5226 | 1555 | |
507f26f6 | 1556 | memset(&request, 0, sizeof(request)); |
25178f45 | 1557 | format_mark(markstr, sizeof(markstr), id->mark); |
7daf5226 | 1558 | |
25178f45 TB |
1559 | DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}%s", |
1560 | ntohl(id->spi), data->reqid, markstr); | |
6e921f20 | 1561 | |
0404a29b | 1562 | hdr = &request.hdr; |
507f26f6 | 1563 | hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; |
89da06ac | 1564 | hdr->nlmsg_type = data->update ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA; |
507f26f6 | 1565 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); |
7daf5226 | 1566 | |
4c438cf0 | 1567 | sa = NLMSG_DATA(hdr); |
89da06ac TB |
1568 | host2xfrm(id->src, &sa->saddr); |
1569 | host2xfrm(id->dst, &sa->id.daddr); | |
1570 | sa->id.spi = id->spi; | |
1571 | sa->id.proto = id->proto; | |
1572 | sa->family = id->src->get_family(id->src); | |
d24a74c5 | 1573 | sa->mode = mode2kernel(mode); |
dc8b015d TB |
1574 | |
1575 | if (!data->copy_df) | |
1576 | { | |
1577 | sa->flags |= XFRM_STATE_NOPMTUDISC; | |
1578 | } | |
1579 | ||
1580 | if (!data->copy_ecn) | |
1581 | { | |
1582 | sa->flags |= XFRM_STATE_NOECN; | |
1583 | } | |
1584 | ||
c993eaf9 TB |
1585 | if (data->inbound) |
1586 | { | |
1587 | switch (data->copy_dscp) | |
1588 | { | |
1589 | case DSCP_COPY_YES: | |
1590 | case DSCP_COPY_IN_ONLY: | |
1591 | sa->flags |= XFRM_STATE_DECAP_DSCP; | |
1592 | break; | |
1593 | default: | |
1594 | break; | |
1595 | } | |
1596 | } | |
1597 | else | |
1598 | { | |
1599 | switch (data->copy_dscp) | |
1600 | { | |
1601 | case DSCP_COPY_IN_ONLY: | |
1602 | case DSCP_COPY_NO: | |
1603 | { | |
9cee688f TB |
1604 | /* currently the only extra flag */ |
1605 | if (!add_uint32(hdr, sizeof(request), XFRMA_SA_EXTRA_FLAGS, | |
1606 | XFRM_SA_XFLAG_DONT_ENCAP_DSCP)) | |
c993eaf9 TB |
1607 | { |
1608 | goto failed; | |
1609 | } | |
c993eaf9 TB |
1610 | break; |
1611 | } | |
1612 | default: | |
1613 | break; | |
1614 | } | |
1615 | } | |
1616 | ||
6ec949e0 | 1617 | switch (mode) |
507f26f6 | 1618 | { |
6ec949e0 MW |
1619 | case MODE_TUNNEL: |
1620 | sa->flags |= XFRM_STATE_AF_UNSPEC; | |
1621 | break; | |
1622 | case MODE_BEET: | |
19b7f763 | 1623 | case MODE_TRANSPORT: |
cc04a6db TB |
1624 | if (original_mode == MODE_TUNNEL) |
1625 | { /* don't install selectors for switched SAs. because only one | |
1626 | * selector can be installed other traffic would get dropped */ | |
1627 | break; | |
1628 | } | |
89da06ac TB |
1629 | if (data->src_ts->get_first(data->src_ts, |
1630 | (void**)&first_src_ts) == SUCCESS && | |
1631 | data->dst_ts->get_first(data->dst_ts, | |
1632 | (void**)&first_dst_ts) == SUCCESS) | |
6ec949e0 | 1633 | { |
c26e4330 AS |
1634 | sa->sel = ts2selector(first_src_ts, first_dst_ts, |
1635 | data->interface); | |
90e6675a TB |
1636 | if (!this->proto_port_transport) |
1637 | { | |
1638 | /* don't install proto/port on SA. This would break | |
1639 | * potential secondary SAs for the same address using a | |
1640 | * different prot/port. */ | |
1641 | sa->sel.proto = 0; | |
1642 | sa->sel.dport = sa->sel.dport_mask = 0; | |
1643 | sa->sel.sport = sa->sel.sport_mask = 0; | |
1644 | } | |
6ec949e0 MW |
1645 | } |
1646 | break; | |
1647 | default: | |
1648 | break; | |
507f26f6 | 1649 | } |
965daa1d TB |
1650 | if (id->proto == IPPROTO_AH && sa->family == AF_INET) |
1651 | { /* use alignment to 4 bytes for IPv4 instead of the incorrect 8 byte | |
1652 | * alignment that's used by default but is only valid for IPv6 */ | |
1653 | sa->flags |= XFRM_STATE_ALIGN4; | |
1654 | } | |
6ec949e0 | 1655 | |
89da06ac TB |
1656 | sa->reqid = data->reqid; |
1657 | sa->lft.soft_byte_limit = XFRM_LIMIT(data->lifetime->bytes.rekey); | |
1658 | sa->lft.hard_byte_limit = XFRM_LIMIT(data->lifetime->bytes.life); | |
1659 | sa->lft.soft_packet_limit = XFRM_LIMIT(data->lifetime->packets.rekey); | |
1660 | sa->lft.hard_packet_limit = XFRM_LIMIT(data->lifetime->packets.life); | |
507f26f6 | 1661 | /* we use lifetimes since added, not since used */ |
89da06ac TB |
1662 | sa->lft.soft_add_expires_seconds = data->lifetime->time.rekey; |
1663 | sa->lft.hard_add_expires_seconds = data->lifetime->time.life; | |
507f26f6 TB |
1664 | sa->lft.soft_use_expires_seconds = 0; |
1665 | sa->lft.hard_use_expires_seconds = 0; | |
7daf5226 | 1666 | |
89da06ac | 1667 | switch (data->enc_alg) |
507f26f6 TB |
1668 | { |
1669 | case ENCR_UNDEFINED: | |
1670 | /* no encryption */ | |
1671 | break; | |
507f26f6 | 1672 | case ENCR_AES_CCM_ICV16: |
507f26f6 | 1673 | case ENCR_AES_GCM_ICV16: |
71baf5a8 | 1674 | case ENCR_NULL_AUTH_AES_GMAC: |
8ddcac4c | 1675 | case ENCR_CAMELLIA_CCM_ICV16: |
405c5dcd | 1676 | case ENCR_CHACHA20_POLY1305: |
e517b4b1 MW |
1677 | icv_size += 32; |
1678 | /* FALL */ | |
1679 | case ENCR_AES_CCM_ICV12: | |
1680 | case ENCR_AES_GCM_ICV12: | |
8ddcac4c | 1681 | case ENCR_CAMELLIA_CCM_ICV12: |
e517b4b1 MW |
1682 | icv_size += 32; |
1683 | /* FALL */ | |
1684 | case ENCR_AES_CCM_ICV8: | |
1685 | case ENCR_AES_GCM_ICV8: | |
8ddcac4c | 1686 | case ENCR_CAMELLIA_CCM_ICV8: |
507f26f6 | 1687 | { |
c5ebd005 AS |
1688 | struct xfrm_algo_aead *algo; |
1689 | ||
89da06ac | 1690 | alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg); |
507f26f6 TB |
1691 | if (alg_name == NULL) |
1692 | { | |
1693 | DBG1(DBG_KNL, "algorithm %N not supported by kernel!", | |
89da06ac | 1694 | encryption_algorithm_names, data->enc_alg); |
08ad639f | 1695 | goto failed; |
507f26f6 TB |
1696 | } |
1697 | DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", | |
89da06ac TB |
1698 | encryption_algorithm_names, data->enc_alg, |
1699 | data->enc_key.len * 8); | |
7daf5226 | 1700 | |
6dfc6339 | 1701 | algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AEAD, |
89da06ac | 1702 | sizeof(*algo) + data->enc_key.len); |
6dfc6339 | 1703 | if (!algo) |
507f26f6 | 1704 | { |
f7812f64 | 1705 | goto failed; |
507f26f6 | 1706 | } |
89da06ac | 1707 | algo->alg_key_len = data->enc_key.len * 8; |
507f26f6 | 1708 | algo->alg_icv_len = icv_size; |
bef21bd3 TB |
1709 | strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name)); |
1710 | algo->alg_name[sizeof(algo->alg_name) - 1] = '\0'; | |
89da06ac | 1711 | memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len); |
507f26f6 TB |
1712 | break; |
1713 | } | |
1714 | default: | |
1715 | { | |
c5ebd005 AS |
1716 | struct xfrm_algo *algo; |
1717 | ||
89da06ac | 1718 | alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg); |
507f26f6 TB |
1719 | if (alg_name == NULL) |
1720 | { | |
1721 | DBG1(DBG_KNL, "algorithm %N not supported by kernel!", | |
89da06ac | 1722 | encryption_algorithm_names, data->enc_alg); |
f7812f64 | 1723 | goto failed; |
507f26f6 TB |
1724 | } |
1725 | DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", | |
89da06ac TB |
1726 | encryption_algorithm_names, data->enc_alg, |
1727 | data->enc_key.len * 8); | |
7daf5226 | 1728 | |
6dfc6339 | 1729 | algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_CRYPT, |
89da06ac | 1730 | sizeof(*algo) + data->enc_key.len); |
6dfc6339 | 1731 | if (!algo) |
507f26f6 | 1732 | { |
f7812f64 | 1733 | goto failed; |
507f26f6 | 1734 | } |
89da06ac | 1735 | algo->alg_key_len = data->enc_key.len * 8; |
bef21bd3 TB |
1736 | strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name)); |
1737 | algo->alg_name[sizeof(algo->alg_name) - 1] = '\0'; | |
89da06ac | 1738 | memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len); |
507f26f6 TB |
1739 | } |
1740 | } | |
7daf5226 | 1741 | |
89da06ac | 1742 | if (data->int_alg != AUTH_UNDEFINED) |
eebfa73f | 1743 | { |
686cfd4e TB |
1744 | u_int trunc_len = 0; |
1745 | ||
89da06ac | 1746 | alg_name = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg); |
507f26f6 TB |
1747 | if (alg_name == NULL) |
1748 | { | |
7daf5226 | 1749 | DBG1(DBG_KNL, "algorithm %N not supported by kernel!", |
89da06ac | 1750 | integrity_algorithm_names, data->int_alg); |
f7812f64 | 1751 | goto failed; |
507f26f6 TB |
1752 | } |
1753 | DBG2(DBG_KNL, " using integrity algorithm %N with key size %d", | |
89da06ac | 1754 | integrity_algorithm_names, data->int_alg, data->int_key.len * 8); |
7daf5226 | 1755 | |
89da06ac | 1756 | switch (data->int_alg) |
686cfd4e TB |
1757 | { |
1758 | case AUTH_HMAC_MD5_128: | |
1759 | case AUTH_HMAC_SHA2_256_128: | |
1760 | trunc_len = 128; | |
1761 | break; | |
1762 | case AUTH_HMAC_SHA1_160: | |
1763 | trunc_len = 160; | |
1764 | break; | |
c632aa7b MS |
1765 | case AUTH_HMAC_SHA2_256_256: |
1766 | trunc_len = 256; | |
1767 | break; | |
1768 | case AUTH_HMAC_SHA2_384_384: | |
1769 | trunc_len = 384; | |
1770 | break; | |
1771 | case AUTH_HMAC_SHA2_512_512: | |
1772 | trunc_len = 512; | |
1773 | break; | |
686cfd4e TB |
1774 | default: |
1775 | break; | |
1776 | } | |
1777 | ||
1778 | if (trunc_len) | |
507f26f6 | 1779 | { |
4b615eda AS |
1780 | struct xfrm_algo_auth* algo; |
1781 | ||
1782 | /* the kernel uses SHA256 with 96 bit truncation by default, | |
686cfd4e | 1783 | * use specified truncation size supported by newer kernels. |
c632aa7b | 1784 | * also use this for untruncated MD5, SHA1 and SHA2. */ |
6dfc6339 | 1785 | algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH_TRUNC, |
89da06ac | 1786 | sizeof(*algo) + data->int_key.len); |
6dfc6339 | 1787 | if (!algo) |
4b615eda | 1788 | { |
f7812f64 | 1789 | goto failed; |
4b615eda | 1790 | } |
89da06ac | 1791 | algo->alg_key_len = data->int_key.len * 8; |
686cfd4e | 1792 | algo->alg_trunc_len = trunc_len; |
bef21bd3 TB |
1793 | strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name)); |
1794 | algo->alg_name[sizeof(algo->alg_name) - 1] = '\0'; | |
89da06ac | 1795 | memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len); |
507f26f6 | 1796 | } |
fc857869 | 1797 | else |
4b615eda AS |
1798 | { |
1799 | struct xfrm_algo* algo; | |
7daf5226 | 1800 | |
6dfc6339 | 1801 | algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH, |
89da06ac | 1802 | sizeof(*algo) + data->int_key.len); |
6dfc6339 | 1803 | if (!algo) |
4b615eda | 1804 | { |
f7812f64 | 1805 | goto failed; |
4b615eda | 1806 | } |
89da06ac | 1807 | algo->alg_key_len = data->int_key.len * 8; |
bef21bd3 TB |
1808 | strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name)); |
1809 | algo->alg_name[sizeof(algo->alg_name) - 1] = '\0'; | |
89da06ac | 1810 | memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len); |
4b615eda | 1811 | } |
507f26f6 | 1812 | } |
7daf5226 | 1813 | |
507f26f6 TB |
1814 | if (ipcomp != IPCOMP_NONE) |
1815 | { | |
6dfc6339 MW |
1816 | struct xfrm_algo* algo; |
1817 | ||
08ad639f | 1818 | alg_name = lookup_algorithm(COMPRESSION_ALGORITHM, ipcomp); |
507f26f6 TB |
1819 | if (alg_name == NULL) |
1820 | { | |
7daf5226 | 1821 | DBG1(DBG_KNL, "algorithm %N not supported by kernel!", |
507f26f6 | 1822 | ipcomp_transform_names, ipcomp); |
f7812f64 | 1823 | goto failed; |
507f26f6 TB |
1824 | } |
1825 | DBG2(DBG_KNL, " using compression algorithm %N", | |
1826 | ipcomp_transform_names, ipcomp); | |
7daf5226 | 1827 | |
6dfc6339 MW |
1828 | algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_COMP, |
1829 | sizeof(*algo)); | |
1830 | if (!algo) | |
507f26f6 | 1831 | { |
f7812f64 | 1832 | goto failed; |
507f26f6 | 1833 | } |
507f26f6 | 1834 | algo->alg_key_len = 0; |
bef21bd3 TB |
1835 | strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name)); |
1836 | algo->alg_name[sizeof(algo->alg_name) - 1] = '\0'; | |
507f26f6 | 1837 | } |
7daf5226 | 1838 | |
89da06ac | 1839 | if (data->encap) |
507f26f6 | 1840 | { |
ee26c537 AS |
1841 | struct xfrm_encap_tmpl *tmpl; |
1842 | ||
6dfc6339 MW |
1843 | tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP, sizeof(*tmpl)); |
1844 | if (!tmpl) | |
507f26f6 | 1845 | { |
f7812f64 | 1846 | goto failed; |
507f26f6 | 1847 | } |
507f26f6 | 1848 | tmpl->encap_type = UDP_ENCAP_ESPINUDP; |
89da06ac TB |
1849 | tmpl->encap_sport = htons(id->src->get_port(id->src)); |
1850 | tmpl->encap_dport = htons(id->dst->get_port(id->dst)); | |
507f26f6 | 1851 | memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t)); |
7daf5226 | 1852 | /* encap_oa could probably be derived from the |
674bc343 TB |
1853 | * traffic selectors [rfc4306, p39]. In the netlink kernel |
1854 | * implementation pluto does the same as we do here but it uses | |
1855 | * encap_oa in the pfkey implementation. | |
1856 | * BUT as /usr/src/linux/net/key/af_key.c indicates the kernel ignores | |
1857 | * it anyway | |
507f26f6 | 1858 | * -> does that mean that NAT-T encap doesn't work in transport mode? |
7daf5226 | 1859 | * No. The reason the kernel ignores NAT-OA is that it recomputes |
674bc343 TB |
1860 | * (or, rather, just ignores) the checksum. If packets pass the IPsec |
1861 | * checks it marks them "checksum ok" so OA isn't needed. */ | |
507f26f6 | 1862 | } |
abc177e0 | 1863 | |
89da06ac | 1864 | if (!add_mark(hdr, sizeof(request), id->mark)) |
ee26c537 | 1865 | { |
0d9f31e1 | 1866 | goto failed; |
ee26c537 AS |
1867 | } |
1868 | ||
b32c3ce8 TB |
1869 | if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id)) |
1870 | { | |
1871 | goto failed; | |
1872 | } | |
1873 | ||
9cee688f TB |
1874 | if (ipcomp == IPCOMP_NONE && (data->mark.value | data->mark.mask)) |
1875 | { | |
1876 | if (!add_uint32(hdr, sizeof(request), XFRMA_SET_MARK, | |
1877 | data->mark.value) || | |
1878 | !add_uint32(hdr, sizeof(request), XFRMA_SET_MARK_MASK, | |
1879 | data->mark.mask)) | |
1880 | { | |
1881 | goto failed; | |
1882 | } | |
1883 | } | |
1884 | ||
89da06ac | 1885 | if (data->tfc && id->proto == IPPROTO_ESP && mode == MODE_TUNNEL) |
38a4f196 | 1886 | { /* the kernel supports TFC padding only for tunnel mode ESP SAs */ |
9cee688f | 1887 | if (!add_uint32(hdr, sizeof(request), XFRMA_TFCPAD, data->tfc)) |
d86bb6ef | 1888 | { |
f7812f64 | 1889 | goto failed; |
d86bb6ef | 1890 | } |
d86bb6ef MW |
1891 | } |
1892 | ||
89da06ac | 1893 | if (id->proto != IPPROTO_COMP) |
ee8c89e2 | 1894 | { |
40828219 TB |
1895 | /* generally, we don't need a replay window for outbound SAs, however, |
1896 | * when using ESN the kernel rejects the attribute if it is 0 */ | |
1897 | if (!data->inbound && data->replay_window) | |
1898 | { | |
1899 | data->replay_window = data->esn ? 1 : 0; | |
1900 | } | |
89da06ac | 1901 | if (data->replay_window != 0 && (data->esn || data->replay_window > 32)) |
ee8c89e2 MW |
1902 | { |
1903 | /* for ESN or larger replay windows we need the new | |
1904 | * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */ | |
1905 | struct xfrm_replay_state_esn *replay; | |
b12c53ce | 1906 | uint32_t bmp_size; |
ee8c89e2 | 1907 | |
89da06ac | 1908 | bmp_size = round_up(data->replay_window, sizeof(uint32_t) * 8) / 8; |
6dfc6339 | 1909 | replay = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL, |
44098fba | 1910 | sizeof(*replay) + bmp_size); |
6dfc6339 | 1911 | if (!replay) |
ee8c89e2 | 1912 | { |
f7812f64 | 1913 | goto failed; |
ee8c89e2 | 1914 | } |
ee8c89e2 | 1915 | /* bmp_len contains number uf __u32's */ |
b12c53ce | 1916 | replay->bmp_len = bmp_size / sizeof(uint32_t); |
89da06ac TB |
1917 | replay->replay_window = data->replay_window; |
1918 | DBG2(DBG_KNL, " using replay window of %u packets", | |
1919 | data->replay_window); | |
ee8c89e2 | 1920 | |
89da06ac | 1921 | if (data->esn) |
ee8c89e2 | 1922 | { |
6101ee9b | 1923 | DBG2(DBG_KNL, " using extended sequence numbers (ESN)"); |
ee8c89e2 MW |
1924 | sa->flags |= XFRM_STATE_ESN; |
1925 | } | |
1926 | } | |
1927 | else | |
1928 | { | |
89da06ac TB |
1929 | DBG2(DBG_KNL, " using replay window of %u packets", |
1930 | data->replay_window); | |
1931 | sa->replay_window = data->replay_window; | |
ee8c89e2 | 1932 | } |
d42948fc | 1933 | |
ee26f715 | 1934 | DBG2(DBG_KNL, " HW offload: %N", hw_offload_names, data->hw_offload); |
338cc581 AN |
1935 | if (!config_hw_offload(id, data, hdr, sizeof(request))) |
1936 | { | |
1937 | DBG1(DBG_KNL, "failed to configure HW offload"); | |
1938 | goto failed; | |
d42948fc | 1939 | } |
ee8c89e2 MW |
1940 | } |
1941 | ||
d140b3bd TE |
1942 | status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr); |
1943 | if (status == NOT_FOUND && data->update) | |
507f26f6 | 1944 | { |
d140b3bd TE |
1945 | DBG1(DBG_KNL, "allocated SPI not found anymore, try to add SAD entry"); |
1946 | hdr->nlmsg_type = XFRM_MSG_NEWSA; | |
1947 | status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr); | |
1948 | } | |
1949 | ||
1950 | if (status != SUCCESS) | |
1951 | { | |
1952 | DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x%s (%N)", ntohl(id->spi), | |
1953 | markstr, status_names, status); | |
1954 | status = FAILED; | |
f7812f64 | 1955 | goto failed; |
507f26f6 | 1956 | } |
f7812f64 MW |
1957 | |
1958 | status = SUCCESS; | |
1959 | ||
1960 | failed: | |
0404a29b | 1961 | memwipe(&request, sizeof(request)); |
f7812f64 | 1962 | return status; |
507f26f6 TB |
1963 | } |
1964 | ||
1965 | /** | |
05e95897 MW |
1966 | * Get the ESN replay state (i.e. sequence numbers) of an SA. |
1967 | * | |
1968 | * Allocates into one the replay state structure we get from the kernel. | |
507f26f6 | 1969 | */ |
05e95897 | 1970 | static void get_replay_state(private_kernel_netlink_ipsec_t *this, |
89da06ac | 1971 | kernel_ipsec_sa_id_t *sa, |
05e95897 | 1972 | struct xfrm_replay_state_esn **replay_esn, |
b12c53ce | 1973 | uint32_t *replay_esn_len, |
a3c2edb1 TB |
1974 | struct xfrm_replay_state **replay, |
1975 | struct xfrm_lifetime_cur **lifetime) | |
507f26f6 | 1976 | { |
21bf86f7 | 1977 | netlink_buf_t request; |
507f26f6 TB |
1978 | struct nlmsghdr *hdr, *out = NULL; |
1979 | struct xfrm_aevent_id *out_aevent = NULL, *aevent_id; | |
1980 | size_t len; | |
1981 | struct rtattr *rta; | |
1982 | size_t rtasize; | |
7daf5226 | 1983 | |
507f26f6 | 1984 | memset(&request, 0, sizeof(request)); |
7daf5226 | 1985 | |
05e95897 | 1986 | DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", |
89da06ac | 1987 | ntohl(sa->spi)); |
507f26f6 | 1988 | |
0404a29b | 1989 | hdr = &request.hdr; |
507f26f6 TB |
1990 | hdr->nlmsg_flags = NLM_F_REQUEST; |
1991 | hdr->nlmsg_type = XFRM_MSG_GETAE; | |
1992 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id)); | |
7daf5226 | 1993 | |
4c438cf0 | 1994 | aevent_id = NLMSG_DATA(hdr); |
507f26f6 | 1995 | aevent_id->flags = XFRM_AE_RVAL; |
7daf5226 | 1996 | |
89da06ac TB |
1997 | host2xfrm(sa->dst, &aevent_id->sa_id.daddr); |
1998 | aevent_id->sa_id.spi = sa->spi; | |
1999 | aevent_id->sa_id.proto = sa->proto; | |
2000 | aevent_id->sa_id.family = sa->dst->get_family(sa->dst); | |
7daf5226 | 2001 | |
89da06ac | 2002 | if (!add_mark(hdr, sizeof(request), sa->mark)) |
ac24c4d3 | 2003 | { |
0d9f31e1 | 2004 | return; |
ac24c4d3 | 2005 | } |
b32c3ce8 TB |
2006 | if (sa->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, sa->if_id)) |
2007 | { | |
2008 | return; | |
2009 | } | |
ac24c4d3 | 2010 | |
507f26f6 TB |
2011 | if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) |
2012 | { | |
2013 | hdr = out; | |
2014 | while (NLMSG_OK(hdr, len)) | |
2015 | { | |
2016 | switch (hdr->nlmsg_type) | |
2017 | { | |
2018 | case XFRM_MSG_NEWAE: | |
2019 | { | |
2020 | out_aevent = NLMSG_DATA(hdr); | |
2021 | break; | |
2022 | } | |
2023 | case NLMSG_ERROR: | |
2024 | { | |
2025 | struct nlmsgerr *err = NLMSG_DATA(hdr); | |
674bc343 | 2026 | DBG1(DBG_KNL, "querying replay state from SAD entry " |
a0178fe2 | 2027 | "failed: %s (%d)", strerror(-err->error), -err->error); |
507f26f6 TB |
2028 | break; |
2029 | } | |
2030 | default: | |
2031 | hdr = NLMSG_NEXT(hdr, len); | |
2032 | continue; | |
2033 | case NLMSG_DONE: | |
2034 | break; | |
2035 | } | |
2036 | break; | |
2037 | } | |
2038 | } | |
7daf5226 | 2039 | |
05e95897 | 2040 | if (out_aevent) |
507f26f6 | 2041 | { |
05e95897 MW |
2042 | rta = XFRM_RTA(out, struct xfrm_aevent_id); |
2043 | rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id); | |
2044 | while (RTA_OK(rta, rtasize)) | |
507f26f6 | 2045 | { |
a3c2edb1 TB |
2046 | if (rta->rta_type == XFRMA_LTIME_VAL && |
2047 | RTA_PAYLOAD(rta) == sizeof(**lifetime)) | |
2048 | { | |
2049 | free(*lifetime); | |
2050 | *lifetime = malloc(RTA_PAYLOAD(rta)); | |
2051 | memcpy(*lifetime, RTA_DATA(rta), RTA_PAYLOAD(rta)); | |
2052 | } | |
05e95897 MW |
2053 | if (rta->rta_type == XFRMA_REPLAY_VAL && |
2054 | RTA_PAYLOAD(rta) == sizeof(**replay)) | |
2055 | { | |
a3c2edb1 | 2056 | free(*replay); |
05e95897 MW |
2057 | *replay = malloc(RTA_PAYLOAD(rta)); |
2058 | memcpy(*replay, RTA_DATA(rta), RTA_PAYLOAD(rta)); | |
05e95897 MW |
2059 | } |
2060 | if (rta->rta_type == XFRMA_REPLAY_ESN_VAL && | |
44098fba | 2061 | RTA_PAYLOAD(rta) >= sizeof(**replay_esn)) |
05e95897 | 2062 | { |
a3c2edb1 | 2063 | free(*replay_esn); |
05e95897 | 2064 | *replay_esn = malloc(RTA_PAYLOAD(rta)); |
44098fba | 2065 | *replay_esn_len = RTA_PAYLOAD(rta); |
05e95897 | 2066 | memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta)); |
05e95897 MW |
2067 | } |
2068 | rta = RTA_NEXT(rta, rtasize); | |
507f26f6 | 2069 | } |
507f26f6 | 2070 | } |
507f26f6 | 2071 | free(out); |
507f26f6 TB |
2072 | } |
2073 | ||
98ed9c6c | 2074 | METHOD(kernel_ipsec_t, query_sa, status_t, |
89da06ac TB |
2075 | private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id, |
2076 | kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets, | |
2077 | time_t *time) | |
2ad51539 AS |
2078 | { |
2079 | netlink_buf_t request; | |
2080 | struct nlmsghdr *out = NULL, *hdr; | |
2081 | struct xfrm_usersa_id *sa_id; | |
2082 | struct xfrm_usersa_info *sa = NULL; | |
f7812f64 | 2083 | status_t status = FAILED; |
2ad51539 | 2084 | size_t len; |
25178f45 | 2085 | char markstr[32] = ""; |
7daf5226 | 2086 | |
2ad51539 | 2087 | memset(&request, 0, sizeof(request)); |
25178f45 | 2088 | format_mark(markstr, sizeof(markstr), id->mark); |
2ad51539 | 2089 | |
25178f45 TB |
2090 | DBG2(DBG_KNL, "querying SAD entry with SPI %.8x%s", ntohl(id->spi), |
2091 | markstr); | |
6e921f20 | 2092 | |
0404a29b | 2093 | hdr = &request.hdr; |
2ad51539 AS |
2094 | hdr->nlmsg_flags = NLM_F_REQUEST; |
2095 | hdr->nlmsg_type = XFRM_MSG_GETSA; | |
2096 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); | |
2097 | ||
4c438cf0 | 2098 | sa_id = NLMSG_DATA(hdr); |
89da06ac TB |
2099 | host2xfrm(id->dst, &sa_id->daddr); |
2100 | sa_id->spi = id->spi; | |
2101 | sa_id->proto = id->proto; | |
2102 | sa_id->family = id->dst->get_family(id->dst); | |
7daf5226 | 2103 | |
89da06ac | 2104 | if (!add_mark(hdr, sizeof(request), id->mark)) |
ee26c537 | 2105 | { |
0d9f31e1 | 2106 | return FAILED; |
ee26c537 | 2107 | } |
b32c3ce8 TB |
2108 | if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id)) |
2109 | { | |
2110 | return FAILED; | |
2111 | } | |
ee26c537 | 2112 | |
2ad51539 AS |
2113 | if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) |
2114 | { | |
2115 | hdr = out; | |
2116 | while (NLMSG_OK(hdr, len)) | |
2117 | { | |
2118 | switch (hdr->nlmsg_type) | |
2119 | { | |
2120 | case XFRM_MSG_NEWSA: | |
2121 | { | |
4c438cf0 | 2122 | sa = NLMSG_DATA(hdr); |
2ad51539 AS |
2123 | break; |
2124 | } | |
2125 | case NLMSG_ERROR: | |
2126 | { | |
2127 | struct nlmsgerr *err = NLMSG_DATA(hdr); | |
ba31fe1f | 2128 | |
25178f45 TB |
2129 | DBG1(DBG_KNL, "querying SAD entry with SPI %.8x%s failed: " |
2130 | "%s (%d)", ntohl(id->spi), markstr, | |
2131 | strerror(-err->error), -err->error); | |
2ad51539 AS |
2132 | break; |
2133 | } | |
2134 | default: | |
2135 | hdr = NLMSG_NEXT(hdr, len); | |
2136 | continue; | |
2137 | case NLMSG_DONE: | |
2138 | break; | |
2139 | } | |
2140 | break; | |
2141 | } | |
2142 | } | |
7daf5226 | 2143 | |
2ad51539 AS |
2144 | if (sa == NULL) |
2145 | { | |
25178f45 TB |
2146 | DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x%s", |
2147 | ntohl(id->spi), markstr); | |
2ad51539 | 2148 | } |
f7812f64 MW |
2149 | else |
2150 | { | |
7eeeb1c7 MW |
2151 | if (bytes) |
2152 | { | |
2153 | *bytes = sa->curlft.bytes; | |
2154 | } | |
2155 | if (packets) | |
2156 | { | |
2157 | *packets = sa->curlft.packets; | |
2158 | } | |
5c12700f MW |
2159 | if (time) |
2160 | { /* curlft contains an "use" time, but that contains a timestamp | |
2161 | * of the first use, not the last. Last use time must be queried | |
2162 | * on the policy on Linux */ | |
2163 | *time = 0; | |
2164 | } | |
f7812f64 MW |
2165 | status = SUCCESS; |
2166 | } | |
2167 | memwipe(out, len); | |
2ad51539 | 2168 | free(out); |
38865ece | 2169 | return status; |
2ad51539 | 2170 | } |
98ed9c6c MW |
2171 | |
2172 | METHOD(kernel_ipsec_t, del_sa, status_t, | |
89da06ac TB |
2173 | private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id, |
2174 | kernel_ipsec_del_sa_t *data) | |
f5812086 | 2175 | { |
21bf86f7 | 2176 | netlink_buf_t request; |
f5812086 MW |
2177 | struct nlmsghdr *hdr; |
2178 | struct xfrm_usersa_id *sa_id; | |
25178f45 | 2179 | char markstr[32] = ""; |
7daf5226 | 2180 | |
f5812086 | 2181 | /* if IPComp was used, we first delete the additional IPComp SA */ |
89da06ac TB |
2182 | if (data->cpi) |
2183 | { | |
2184 | kernel_ipsec_sa_id_t ipcomp_id = { | |
2185 | .src = id->src, | |
2186 | .dst = id->dst, | |
2187 | .spi = htonl(ntohs(data->cpi)), | |
2188 | .proto = IPPROTO_COMP, | |
2189 | .mark = id->mark, | |
2190 | }; | |
2191 | kernel_ipsec_del_sa_t ipcomp = {}; | |
2192 | del_sa(this, &ipcomp_id, &ipcomp); | |
f5812086 | 2193 | } |
7daf5226 | 2194 | |
f5812086 | 2195 | memset(&request, 0, sizeof(request)); |
25178f45 | 2196 | format_mark(markstr, sizeof(markstr), id->mark); |
7daf5226 | 2197 | |
25178f45 TB |
2198 | DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x%s", ntohl(id->spi), |
2199 | markstr); | |
6e921f20 | 2200 | |
0404a29b | 2201 | hdr = &request.hdr; |
f5812086 MW |
2202 | hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; |
2203 | hdr->nlmsg_type = XFRM_MSG_DELSA; | |
2204 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); | |
7daf5226 | 2205 | |
4c438cf0 | 2206 | sa_id = NLMSG_DATA(hdr); |
89da06ac TB |
2207 | host2xfrm(id->dst, &sa_id->daddr); |
2208 | sa_id->spi = id->spi; | |
2209 | sa_id->proto = id->proto; | |
2210 | sa_id->family = id->dst->get_family(id->dst); | |
7daf5226 | 2211 | |
89da06ac | 2212 | if (!add_mark(hdr, sizeof(request), id->mark)) |
ee26c537 | 2213 | { |
0d9f31e1 | 2214 | return FAILED; |
ee26c537 | 2215 | } |
b32c3ce8 TB |
2216 | if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id)) |
2217 | { | |
2218 | return FAILED; | |
2219 | } | |
ee26c537 | 2220 | |
07202a2b | 2221 | switch (this->socket_xfrm->send_ack(this->socket_xfrm, hdr)) |
ee26c537 | 2222 | { |
07202a2b | 2223 | case SUCCESS: |
25178f45 TB |
2224 | DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x%s", |
2225 | ntohl(id->spi), markstr); | |
07202a2b MW |
2226 | return SUCCESS; |
2227 | case NOT_FOUND: | |
2228 | return NOT_FOUND; | |
2229 | default: | |
25178f45 TB |
2230 | DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x%s", |
2231 | ntohl(id->spi), markstr); | |
07202a2b | 2232 | return FAILED; |
ee26c537 | 2233 | } |
f5812086 MW |
2234 | } |
2235 | ||
98ed9c6c | 2236 | METHOD(kernel_ipsec_t, update_sa, status_t, |
89da06ac TB |
2237 | private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id, |
2238 | kernel_ipsec_update_sa_t *data) | |
507f26f6 | 2239 | { |
21bf86f7 | 2240 | netlink_buf_t request; |
0b5dfaeb | 2241 | struct nlmsghdr *hdr, *out_hdr = NULL, *out = NULL; |
507f26f6 | 2242 | struct xfrm_usersa_id *sa_id; |
0b5dfaeb | 2243 | struct xfrm_usersa_info *sa; |
94163816 | 2244 | size_t len; |
507f26f6 TB |
2245 | struct rtattr *rta; |
2246 | size_t rtasize; | |
48ea6550 | 2247 | struct xfrm_encap_tmpl* encap = NULL; |
05e95897 MW |
2248 | struct xfrm_replay_state *replay = NULL; |
2249 | struct xfrm_replay_state_esn *replay_esn = NULL; | |
a3c2edb1 | 2250 | struct xfrm_lifetime_cur *lifetime = NULL; |
b12c53ce | 2251 | uint32_t replay_esn_len = 0; |
89da06ac | 2252 | kernel_ipsec_del_sa_t del = { 0 }; |
05e95897 | 2253 | status_t status = FAILED; |
a9b9450c | 2254 | traffic_selector_t *ts; |
25178f45 | 2255 | char markstr[32] = ""; |
7daf5226 | 2256 | |
ea625fab | 2257 | /* if IPComp is used, we first update the IPComp SA */ |
89da06ac TB |
2258 | if (data->cpi) |
2259 | { | |
2260 | kernel_ipsec_sa_id_t ipcomp_id = { | |
2261 | .src = id->src, | |
2262 | .dst = id->dst, | |
2263 | .spi = htonl(ntohs(data->cpi)), | |
2264 | .proto = IPPROTO_COMP, | |
2265 | .mark = id->mark, | |
b32c3ce8 | 2266 | .if_id = id->if_id, |
89da06ac TB |
2267 | }; |
2268 | kernel_ipsec_update_sa_t ipcomp = { | |
2269 | .new_src = data->new_src, | |
2270 | .new_dst = data->new_dst, | |
2271 | }; | |
2272 | update_sa(this, &ipcomp_id, &ipcomp); | |
ea625fab | 2273 | } |
7daf5226 | 2274 | |
507f26f6 | 2275 | memset(&request, 0, sizeof(request)); |
25178f45 | 2276 | format_mark(markstr, sizeof(markstr), id->mark); |
7daf5226 | 2277 | |
25178f45 TB |
2278 | DBG2(DBG_KNL, "querying SAD entry with SPI %.8x%s for update", |
2279 | ntohl(id->spi), markstr); | |
7daf5226 | 2280 | |
507f26f6 | 2281 | /* query the existing SA first */ |
0404a29b | 2282 | hdr = &request.hdr; |
507f26f6 TB |
2283 | hdr->nlmsg_flags = NLM_F_REQUEST; |
2284 | hdr->nlmsg_type = XFRM_MSG_GETSA; | |
2285 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); | |
7daf5226 | 2286 | |
4c438cf0 | 2287 | sa_id = NLMSG_DATA(hdr); |
89da06ac TB |
2288 | host2xfrm(id->dst, &sa_id->daddr); |
2289 | sa_id->spi = id->spi; | |
2290 | sa_id->proto = id->proto; | |
2291 | sa_id->family = id->dst->get_family(id->dst); | |
7daf5226 | 2292 | |
89da06ac | 2293 | if (!add_mark(hdr, sizeof(request), id->mark)) |
2925aa72 | 2294 | { |
0d9f31e1 | 2295 | return FAILED; |
2925aa72 | 2296 | } |
b32c3ce8 TB |
2297 | if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id)) |
2298 | { | |
2299 | return FAILED; | |
2300 | } | |
2925aa72 | 2301 | |
507f26f6 TB |
2302 | if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) |
2303 | { | |
2304 | hdr = out; | |
2305 | while (NLMSG_OK(hdr, len)) | |
2306 | { | |
2307 | switch (hdr->nlmsg_type) | |
2308 | { | |
2309 | case XFRM_MSG_NEWSA: | |
2310 | { | |
0b5dfaeb | 2311 | out_hdr = hdr; |
507f26f6 TB |
2312 | break; |
2313 | } | |
2314 | case NLMSG_ERROR: | |
2315 | { | |
2316 | struct nlmsgerr *err = NLMSG_DATA(hdr); | |
2317 | DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)", | |
2318 | strerror(-err->error), -err->error); | |
2319 | break; | |
2320 | } | |
2321 | default: | |
2322 | hdr = NLMSG_NEXT(hdr, len); | |
2323 | continue; | |
2324 | case NLMSG_DONE: | |
2325 | break; | |
2326 | } | |
2327 | break; | |
2328 | } | |
2329 | } | |
0b5dfaeb | 2330 | if (!out_hdr) |
507f26f6 | 2331 | { |
25178f45 TB |
2332 | DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x%s", |
2333 | ntohl(id->spi), markstr); | |
05e95897 | 2334 | goto failed; |
507f26f6 | 2335 | } |
7daf5226 | 2336 | |
89da06ac TB |
2337 | get_replay_state(this, id, &replay_esn, &replay_esn_len, &replay, |
2338 | &lifetime); | |
7daf5226 | 2339 | |
ea625fab | 2340 | /* delete the old SA (without affecting the IPComp SA) */ |
89da06ac | 2341 | if (del_sa(this, id, &del) != SUCCESS) |
507f26f6 | 2342 | { |
25178f45 TB |
2343 | DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x%s", |
2344 | ntohl(id->spi), markstr); | |
05e95897 | 2345 | goto failed; |
507f26f6 | 2346 | } |
7daf5226 | 2347 | |
25178f45 TB |
2348 | DBG2(DBG_KNL, "updating SAD entry with SPI %.8x%s from %#H..%#H to " |
2349 | "%#H..%#H", ntohl(id->spi), markstr, id->src, id->dst, data->new_src, | |
89da06ac | 2350 | data->new_dst); |
507f26f6 | 2351 | /* copy over the SA from out to request */ |
0404a29b | 2352 | hdr = &request.hdr; |
7daf5226 | 2353 | hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; |
507f26f6 TB |
2354 | hdr->nlmsg_type = XFRM_MSG_NEWSA; |
2355 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); | |
2356 | sa = NLMSG_DATA(hdr); | |
0b5dfaeb | 2357 | memcpy(sa, NLMSG_DATA(out_hdr), sizeof(struct xfrm_usersa_info)); |
89da06ac | 2358 | sa->family = data->new_dst->get_family(data->new_dst); |
7daf5226 | 2359 | |
89da06ac | 2360 | if (!id->src->ip_equals(id->src, data->new_src)) |
507f26f6 | 2361 | { |
89da06ac | 2362 | host2xfrm(data->new_src, &sa->saddr); |
a9b9450c TB |
2363 | |
2364 | ts = selector2ts(&sa->sel, TRUE); | |
2365 | if (ts && ts->is_host(ts, id->src)) | |
2366 | { | |
2367 | ts->set_address(ts, data->new_src); | |
2368 | ts2subnet(ts, &sa->sel.saddr, &sa->sel.prefixlen_s); | |
2369 | } | |
2370 | DESTROY_IF(ts); | |
507f26f6 | 2371 | } |
89da06ac | 2372 | if (!id->dst->ip_equals(id->dst, data->new_dst)) |
507f26f6 | 2373 | { |
89da06ac | 2374 | host2xfrm(data->new_dst, &sa->id.daddr); |
a9b9450c TB |
2375 | |
2376 | ts = selector2ts(&sa->sel, FALSE); | |
2377 | if (ts && ts->is_host(ts, id->dst)) | |
2378 | { | |
2379 | ts->set_address(ts, data->new_dst); | |
2380 | ts2subnet(ts, &sa->sel.daddr, &sa->sel.prefixlen_d); | |
2381 | } | |
2382 | DESTROY_IF(ts); | |
507f26f6 | 2383 | } |
7daf5226 | 2384 | |
0b5dfaeb TB |
2385 | rta = XFRM_RTA(out_hdr, struct xfrm_usersa_info); |
2386 | rtasize = XFRM_PAYLOAD(out_hdr, struct xfrm_usersa_info); | |
6dfc6339 | 2387 | while (RTA_OK(rta, rtasize)) |
507f26f6 TB |
2388 | { |
2389 | /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */ | |
89da06ac | 2390 | if (rta->rta_type != XFRMA_ENCAP || data->new_encap) |
507f26f6 TB |
2391 | { |
2392 | if (rta->rta_type == XFRMA_ENCAP) | |
2393 | { /* update encap tmpl */ | |
48ea6550 TB |
2394 | encap = RTA_DATA(rta); |
2395 | encap->encap_sport = ntohs(data->new_src->get_port(data->new_src)); | |
2396 | encap->encap_dport = ntohs(data->new_dst->get_port(data->new_dst)); | |
2397 | } | |
2398 | if (rta->rta_type == XFRMA_OFFLOAD_DEV) | |
2399 | { /* update offload device */ | |
2400 | struct xfrm_user_offload *offload; | |
2401 | host_t *local; | |
2402 | char *ifname; | |
2403 | ||
2404 | offload = RTA_DATA(rta); | |
2405 | local = offload->flags & XFRM_OFFLOAD_INBOUND ? data->new_dst | |
2406 | : data->new_src; | |
2407 | ||
2408 | if (charon->kernel->get_interface(charon->kernel, local, | |
2409 | &ifname)) | |
2410 | { | |
2411 | offload->ifindex = if_nametoindex(ifname); | |
48ea6550 TB |
2412 | free(ifname); |
2413 | } | |
7daf5226 | 2414 | } |
94163816 MW |
2415 | netlink_add_attribute(hdr, rta->rta_type, |
2416 | chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), | |
2417 | sizeof(request)); | |
507f26f6 TB |
2418 | } |
2419 | rta = RTA_NEXT(rta, rtasize); | |
2420 | } | |
7daf5226 | 2421 | |
48ea6550 | 2422 | if (encap == NULL && data->new_encap) |
507f26f6 | 2423 | { /* add tmpl if we are enabling it */ |
48ea6550 TB |
2424 | encap = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP, |
2425 | sizeof(*encap)); | |
2426 | if (!encap) | |
507f26f6 | 2427 | { |
05e95897 | 2428 | goto failed; |
507f26f6 | 2429 | } |
48ea6550 TB |
2430 | encap->encap_type = UDP_ENCAP_ESPINUDP; |
2431 | encap->encap_sport = ntohs(data->new_src->get_port(data->new_src)); | |
2432 | encap->encap_dport = ntohs(data->new_dst->get_port(data->new_dst)); | |
2433 | memset(&encap->encap_oa, 0, sizeof (xfrm_address_t)); | |
507f26f6 | 2434 | } |
7daf5226 | 2435 | |
05e95897 MW |
2436 | if (replay_esn) |
2437 | { | |
6dfc6339 MW |
2438 | struct xfrm_replay_state_esn *state; |
2439 | ||
2440 | state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL, | |
44098fba | 2441 | replay_esn_len); |
6dfc6339 | 2442 | if (!state) |
05e95897 MW |
2443 | { |
2444 | goto failed; | |
2445 | } | |
44098fba | 2446 | memcpy(state, replay_esn, replay_esn_len); |
05e95897 MW |
2447 | } |
2448 | else if (replay) | |
2449 | { | |
6dfc6339 MW |
2450 | struct xfrm_replay_state *state; |
2451 | ||
2452 | state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_VAL, | |
2453 | sizeof(*state)); | |
2454 | if (!state) | |
507f26f6 | 2455 | { |
05e95897 | 2456 | goto failed; |
507f26f6 | 2457 | } |
6dfc6339 | 2458 | memcpy(state, replay, sizeof(*state)); |
507f26f6 | 2459 | } |
05e95897 MW |
2460 | else |
2461 | { | |
a3c2edb1 | 2462 | DBG1(DBG_KNL, "unable to copy replay state from old SAD entry with " |
25178f45 | 2463 | "SPI %.8x%s", ntohl(id->spi), markstr); |
a3c2edb1 TB |
2464 | } |
2465 | if (lifetime) | |
2466 | { | |
2467 | struct xfrm_lifetime_cur *state; | |
2468 | ||
2469 | state = netlink_reserve(hdr, sizeof(request), XFRMA_LTIME_VAL, | |
2470 | sizeof(*state)); | |
2471 | if (!state) | |
2472 | { | |
2473 | goto failed; | |
2474 | } | |
2475 | memcpy(state, lifetime, sizeof(*state)); | |
2476 | } | |
2477 | else | |
2478 | { | |
2479 | DBG1(DBG_KNL, "unable to copy usage stats from old SAD entry with " | |
25178f45 | 2480 | "SPI %.8x%s", ntohl(id->spi), markstr); |
05e95897 | 2481 | } |
abc177e0 | 2482 | |
507f26f6 TB |
2483 | if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) |
2484 | { | |
25178f45 TB |
2485 | DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x%s", |
2486 | ntohl(id->spi), markstr); | |
05e95897 | 2487 | goto failed; |
507f26f6 | 2488 | } |
05e95897 MW |
2489 | |
2490 | status = SUCCESS; | |
2491 | failed: | |
2492 | free(replay); | |
2493 | free(replay_esn); | |
a3c2edb1 | 2494 | free(lifetime); |
f7812f64 | 2495 | memwipe(out, len); |
0404a29b | 2496 | memwipe(&request, sizeof(request)); |
507f26f6 | 2497 | free(out); |
7daf5226 | 2498 | |
05e95897 | 2499 | return status; |
507f26f6 TB |
2500 | } |
2501 | ||
99d23ddf TB |
2502 | METHOD(kernel_ipsec_t, flush_sas, status_t, |
2503 | private_kernel_netlink_ipsec_t *this) | |
2504 | { | |
2505 | netlink_buf_t request; | |
2506 | struct nlmsghdr *hdr; | |
2507 | struct xfrm_usersa_flush *flush; | |
82b5d1c0 | 2508 | struct { |
b12c53ce | 2509 | uint8_t proto; |
82b5d1c0 TB |
2510 | char *name; |
2511 | } protos[] = { | |
2512 | { IPPROTO_AH, "AH" }, | |
2513 | { IPPROTO_ESP, "ESP" }, | |
2514 | { IPPROTO_COMP, "IPComp" }, | |
2515 | }; | |
2516 | int i; | |
99d23ddf TB |
2517 | |
2518 | memset(&request, 0, sizeof(request)); | |
2519 | ||
0404a29b | 2520 | hdr = &request.hdr; |
99d23ddf TB |
2521 | hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; |
2522 | hdr->nlmsg_type = XFRM_MSG_FLUSHSA; | |
2523 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush)); | |
2524 | ||
4c438cf0 | 2525 | flush = NLMSG_DATA(hdr); |
99d23ddf | 2526 | |
82b5d1c0 | 2527 | for (i = 0; i < countof(protos); i++) |
99d23ddf | 2528 | { |
82b5d1c0 TB |
2529 | DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name); |
2530 | ||
2531 | flush->proto = protos[i].proto; | |
2532 | ||
2533 | if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) | |
2534 | { | |
2535 | DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name); | |
2536 | return FAILED; | |
2537 | } | |
99d23ddf TB |
2538 | } |
2539 | return SUCCESS; | |
2540 | } | |
2541 | ||
ebeaac1f TB |
2542 | /** |
2543 | * Unlock the mutex and signal waiting threads | |
2544 | */ | |
2545 | static void policy_change_done(private_kernel_netlink_ipsec_t *this, | |
2546 | policy_entry_t *policy) | |
2547 | { | |
2548 | policy->working = FALSE; | |
2549 | if (policy->waiting) | |
2550 | { /* don't need to wake threads waiting for other policies */ | |
2551 | this->condvar->broadcast(this->condvar); | |
2552 | } | |
2553 | this->mutex->unlock(this->mutex); | |
2554 | } | |
2555 | ||
e7369a9d TB |
2556 | /** |
2557 | * Install a route for the given policy if enabled and required | |
2558 | */ | |
2559 | static void install_route(private_kernel_netlink_ipsec_t *this, | |
2560 | policy_entry_t *policy, policy_sa_t *mapping, ipsec_sa_t *ipsec) | |
2561 | { | |
aea3c105 | 2562 | policy_sa_out_t *out = (policy_sa_out_t*)mapping; |
e7369a9d TB |
2563 | route_entry_t *route; |
2564 | host_t *iface; | |
2565 | ||
2566 | INIT(route, | |
aea3c105 | 2567 | .prefixlen = policy->sel.prefixlen_d, |
09f4bccf | 2568 | .pass = mapping->type == POLICY_PASS, |
e7369a9d TB |
2569 | ); |
2570 | ||
aea3c105 | 2571 | if (charon->kernel->get_address_by_ts(charon->kernel, out->src_ts, |
b0b6bd24 | 2572 | &route->src_ip, NULL) != SUCCESS) |
e7369a9d | 2573 | { |
b0b6bd24 | 2574 | if (!route->pass) |
e7369a9d | 2575 | { |
b0b6bd24 TB |
2576 | free(route); |
2577 | return; | |
e7369a9d | 2578 | } |
b0b6bd24 TB |
2579 | /* allow blank source IP for passthrough policies */ |
2580 | route->src_ip = host_create_any(policy->sel.family); | |
2581 | } | |
e7369a9d | 2582 | |
b0b6bd24 TB |
2583 | if (!ipsec->dst->is_anyaddr(ipsec->dst)) |
2584 | { | |
2585 | route->gateway = charon->kernel->get_nexthop(charon->kernel, | |
2586 | ipsec->dst, -1, ipsec->src, | |
2587 | &route->if_name); | |
2588 | } | |
2589 | else | |
2590 | { /* for shunt policies */ | |
2591 | iface = xfrm2host(policy->sel.family, &policy->sel.daddr, 0); | |
2592 | route->gateway = charon->kernel->get_nexthop(charon->kernel, | |
2593 | iface, policy->sel.prefixlen_d, | |
2594 | route->src_ip, &route->if_name); | |
2595 | iface->destroy(iface); | |
2596 | } | |
2597 | route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16); | |
2598 | memcpy(route->dst_net.ptr, &policy->sel.daddr, route->dst_net.len); | |
2599 | ||
2600 | /* get the interface to install the route for, if we haven't one yet. | |
2601 | * If we have a local address, use it. Otherwise (for shunt policies) | |
2602 | * use the route's source address. */ | |
2603 | if (!route->if_name) | |
2604 | { | |
2605 | iface = ipsec->src; | |
2606 | if (iface->is_anyaddr(iface)) | |
e7369a9d | 2607 | { |
b0b6bd24 | 2608 | iface = route->src_ip; |
e7369a9d | 2609 | } |
b0b6bd24 | 2610 | if (!charon->kernel->get_interface(charon->kernel, iface, |
e23708bd TB |
2611 | &route->if_name) && |
2612 | !route->pass) | |
2613 | { /* don't require an interface for passthrough policies */ | |
b0b6bd24 TB |
2614 | route_entry_destroy(route); |
2615 | return; | |
e7369a9d | 2616 | } |
b0b6bd24 TB |
2617 | } |
2618 | if (policy->route) | |
2619 | { | |
2620 | route_entry_t *old = policy->route; | |
2621 | if (route_entry_equals(old, route)) | |
e7369a9d | 2622 | { |
b0b6bd24 TB |
2623 | route_entry_destroy(route); |
2624 | return; | |
e7369a9d | 2625 | } |
b0b6bd24 TB |
2626 | /* uninstall previously installed route */ |
2627 | if (charon->kernel->del_route(charon->kernel, old->dst_net, | |
2628 | old->prefixlen, old->gateway, | |
2629 | old->src_ip, old->if_name, | |
2630 | old->pass) != SUCCESS) | |
2631 | { | |
2632 | DBG1(DBG_KNL, "error uninstalling route installed with policy " | |
2633 | "%R === %R %N", out->src_ts, out->dst_ts, policy_dir_names, | |
2634 | policy->direction); | |
2635 | } | |
2636 | route_entry_destroy(old); | |
2637 | policy->route = NULL; | |
e7369a9d | 2638 | } |
b0b6bd24 TB |
2639 | |
2640 | DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", out->dst_ts, | |
2641 | route->gateway, route->src_ip, route->if_name); | |
2642 | switch (charon->kernel->add_route(charon->kernel, route->dst_net, | |
2643 | route->prefixlen, route->gateway, | |
2644 | route->src_ip, route->if_name, | |
2645 | route->pass)) | |
e7369a9d | 2646 | { |
b0b6bd24 TB |
2647 | default: |
2648 | DBG1(DBG_KNL, "unable to install source route for %H", | |
2649 | route->src_ip); | |
2650 | /* FALL */ | |
2651 | case ALREADY_DONE: | |
2652 | /* route exists, do not uninstall */ | |
2653 | route_entry_destroy(route); | |
2654 | break; | |
2655 | case SUCCESS: | |
2656 | /* cache the installed route */ | |
2657 | policy->route = route; | |
2658 | break; | |
e7369a9d TB |
2659 | } |
2660 | } | |
2661 | ||
f0ba8ae0 TB |
2662 | /** |
2663 | * Add or update a policy in the kernel. | |
2664 | * | |
64c4fd0a TE |
2665 | * Note: The mutex has to be locked when entering this function |
2666 | * and is unlocked here in any case. | |
f0ba8ae0 TB |
2667 | */ |
2668 | static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this, | |
9f49464d | 2669 | policy_entry_t *policy, policy_sa_t *mapping, bool update) |
507f26f6 | 2670 | { |
21bf86f7 | 2671 | netlink_buf_t request; |
32fbad4e | 2672 | policy_entry_t clone; |
9f49464d | 2673 | ipsec_sa_t *ipsec = mapping->sa; |
507f26f6 TB |
2674 | struct xfrm_userpolicy_info *policy_info; |
2675 | struct nlmsghdr *hdr; | |
dc2fa791 | 2676 | status_t status; |
55be07a1 | 2677 | int i; |
7daf5226 | 2678 | |
32fbad4e TB |
2679 | /* clone the policy so we are able to check it out again later */ |
2680 | memcpy(&clone, policy, sizeof(policy_entry_t)); | |
2681 | ||
507f26f6 | 2682 | memset(&request, 0, sizeof(request)); |
0404a29b | 2683 | hdr = &request.hdr; |
507f26f6 | 2684 | hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; |
f0ba8ae0 | 2685 | hdr->nlmsg_type = update ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY; |
507f26f6 TB |
2686 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info)); |
2687 | ||
4c438cf0 | 2688 | policy_info = NLMSG_DATA(hdr); |
507f26f6 TB |
2689 | policy_info->sel = policy->sel; |
2690 | policy_info->dir = policy->direction; | |
e6f42b07 TB |
2691 | |
2692 | /* calculate priority based on selector size, small size = high prio */ | |
9f49464d TB |
2693 | policy_info->priority = mapping->priority; |
2694 | policy_info->action = mapping->type != POLICY_DROP ? XFRM_POLICY_ALLOW | |
2695 | : XFRM_POLICY_BLOCK; | |
507f26f6 | 2696 | policy_info->share = XFRM_SHARE_ANY; |
7daf5226 | 2697 | |
507f26f6 TB |
2698 | /* policies don't expire */ |
2699 | policy_info->lft.soft_byte_limit = XFRM_INF; | |
2700 | policy_info->lft.soft_packet_limit = XFRM_INF; | |
2701 | policy_info->lft.hard_byte_limit = XFRM_INF; | |
2702 | policy_info->lft.hard_packet_limit = XFRM_INF; | |
2703 | policy_info->lft.soft_add_expires_seconds = 0; | |
2704 | policy_info->lft.hard_add_expires_seconds = 0; | |
2705 | policy_info->lft.soft_use_expires_seconds = 0; | |
2706 | policy_info->lft.hard_use_expires_seconds = 0; | |
7daf5226 | 2707 | |
f7e9e6a3 | 2708 | if (mapping->type == POLICY_IPSEC && ipsec->cfg.reqid) |
55be07a1 | 2709 | { |
6dfc6339 | 2710 | struct xfrm_user_tmpl *tmpl; |
749d3ccc | 2711 | struct { |
b12c53ce | 2712 | uint8_t proto; |
2699c838 | 2713 | uint32_t spi; |
749d3ccc TB |
2714 | bool use; |
2715 | } protos[] = { | |
2699c838 TB |
2716 | { IPPROTO_COMP, htonl(ntohs(ipsec->cfg.ipcomp.cpi)), |
2717 | ipsec->cfg.ipcomp.transform != IPCOMP_NONE }, | |
2718 | { IPPROTO_ESP, ipsec->cfg.esp.spi, ipsec->cfg.esp.use }, | |
2719 | { IPPROTO_AH, ipsec->cfg.ah.spi, ipsec->cfg.ah.use }, | |
749d3ccc | 2720 | }; |
9f49464d | 2721 | ipsec_mode_t proto_mode = ipsec->cfg.mode; |
6dfc6339 | 2722 | int count = 0; |
749d3ccc TB |
2723 | |
2724 | for (i = 0; i < countof(protos); i++) | |
55be07a1 | 2725 | { |
6dfc6339 | 2726 | if (protos[i].use) |
749d3ccc | 2727 | { |
6dfc6339 | 2728 | count++; |
749d3ccc | 2729 | } |
6dfc6339 MW |
2730 | } |
2731 | tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_TMPL, | |
2732 | count * sizeof(*tmpl)); | |
2733 | if (!tmpl) | |
2734 | { | |
ebeaac1f | 2735 | policy_change_done(this, policy); |
6dfc6339 MW |
2736 | return FAILED; |
2737 | } | |
7daf5226 | 2738 | |
6dfc6339 MW |
2739 | for (i = 0; i < countof(protos); i++) |
2740 | { | |
2741 | if (!protos[i].use) | |
749d3ccc | 2742 | { |
6dfc6339 | 2743 | continue; |
749d3ccc | 2744 | } |
4aff4452 | 2745 | tmpl->reqid = ipsec->cfg.reqid; |
749d3ccc | 2746 | tmpl->id.proto = protos[i].proto; |
2699c838 TB |
2747 | if (policy->direction == POLICY_OUT) |
2748 | { | |
2749 | tmpl->id.spi = protos[i].spi; | |
2750 | } | |
749d3ccc | 2751 | tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; |
6da26f30 | 2752 | tmpl->mode = mode2kernel(proto_mode); |
749d3ccc | 2753 | tmpl->optional = protos[i].proto == IPPROTO_COMP && |
f0ba8ae0 | 2754 | policy->direction != POLICY_OUT; |
9f49464d | 2755 | tmpl->family = ipsec->src->get_family(ipsec->src); |
749d3ccc | 2756 | |
e4d5e011 | 2757 | if (proto_mode == MODE_TUNNEL || proto_mode == MODE_BEET) |
749d3ccc | 2758 | { /* only for tunnel mode */ |
9f49464d TB |
2759 | host2xfrm(ipsec->src, &tmpl->saddr); |
2760 | host2xfrm(ipsec->dst, &tmpl->id.daddr); | |
749d3ccc | 2761 | } |
55be07a1 | 2762 | |
749d3ccc | 2763 | tmpl++; |
2b2c69e9 | 2764 | |
749d3ccc | 2765 | /* use transport mode for other SAs */ |
6da26f30 | 2766 | proto_mode = MODE_TRANSPORT; |
749d3ccc | 2767 | } |
749d3ccc | 2768 | } |
ee26c537 | 2769 | |
0d9f31e1 | 2770 | if (!add_mark(hdr, sizeof(request), ipsec->mark)) |
ee26c537 | 2771 | { |
ebeaac1f | 2772 | policy_change_done(this, policy); |
0d9f31e1 | 2773 | return FAILED; |
ee26c537 | 2774 | } |
b32c3ce8 TB |
2775 | if (ipsec->if_id && |
2776 | !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, ipsec->if_id)) | |
2777 | { | |
2778 | policy_change_done(this, policy); | |
2779 | return FAILED; | |
2780 | } | |
f0ba8ae0 | 2781 | this->mutex->unlock(this->mutex); |
7daf5226 | 2782 | |
dc2fa791 TB |
2783 | status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr); |
2784 | if (status == ALREADY_DONE && !update) | |
2785 | { | |
2786 | DBG1(DBG_KNL, "policy already exists, try to update it"); | |
2787 | hdr->nlmsg_type = XFRM_MSG_UPDPOLICY; | |
2788 | status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr); | |
2789 | } | |
ebeaac1f TB |
2790 | |
2791 | this->mutex->lock(this->mutex); | |
dc2fa791 | 2792 | if (status != SUCCESS) |
507f26f6 | 2793 | { |
ebeaac1f | 2794 | policy_change_done(this, policy); |
507f26f6 TB |
2795 | return FAILED; |
2796 | } | |
507f26f6 | 2797 | /* install a route, if: |
aea3c105 | 2798 | * - this is an outbound policy (to just get one for each child) |
507f26f6 | 2799 | * - routing is not disabled via strongswan.conf |
e7369a9d | 2800 | * - the selector is not for a specific protocol/port |
801a5d31 | 2801 | * - no XFRM interface ID is configured |
e7369a9d | 2802 | * - we are in tunnel/BEET mode or install a bypass policy |
507f26f6 | 2803 | */ |
aea3c105 | 2804 | if (policy->direction == POLICY_OUT && this->install_routes && |
801a5d31 TB |
2805 | !policy->sel.proto && !policy->sel.dport && !policy->sel.sport && |
2806 | !policy->if_id) | |
507f26f6 | 2807 | { |
e7369a9d TB |
2808 | if (mapping->type == POLICY_PASS || |
2809 | (mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT)) | |
507f26f6 | 2810 | { |
e7369a9d | 2811 | install_route(this, policy, mapping, ipsec); |
507f26f6 TB |
2812 | } |
2813 | } | |
ebeaac1f | 2814 | policy_change_done(this, policy); |
507f26f6 TB |
2815 | return SUCCESS; |
2816 | } | |
2817 | ||
f0ba8ae0 | 2818 | METHOD(kernel_ipsec_t, add_policy, status_t, |
89da06ac TB |
2819 | private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id, |
2820 | kernel_ipsec_manage_policy_t *data) | |
f0ba8ae0 TB |
2821 | { |
2822 | policy_entry_t *policy, *current; | |
2823 | policy_sa_t *assigned_sa, *current_sa; | |
2824 | enumerator_t *enumerator; | |
2825 | bool found = FALSE, update = TRUE; | |
25178f45 | 2826 | char markstr[32] = ""; |
471b9076 TB |
2827 | uint32_t cur_priority = 0; |
2828 | int use_count; | |
f0ba8ae0 TB |
2829 | |
2830 | /* create a policy */ | |
2831 | INIT(policy, | |
c26e4330 | 2832 | .sel = ts2selector(id->src_ts, id->dst_ts, id->interface), |
89da06ac | 2833 | .mark = id->mark.value & id->mark.mask, |
b32c3ce8 | 2834 | .if_id = id->if_id, |
89da06ac TB |
2835 | .direction = id->dir, |
2836 | .reqid = data->sa->reqid, | |
f0ba8ae0 | 2837 | ); |
25178f45 | 2838 | format_mark(markstr, sizeof(markstr), id->mark); |
f0ba8ae0 TB |
2839 | |
2840 | /* find the policy, which matches EXACTLY */ | |
2841 | this->mutex->lock(this->mutex); | |
2842 | current = this->policies->get(this->policies, policy); | |
2843 | if (current) | |
2844 | { | |
89da06ac TB |
2845 | if (current->reqid && data->sa->reqid && |
2846 | current->reqid != data->sa->reqid) | |
1551d8b1 | 2847 | { |
25178f45 TB |
2848 | DBG1(DBG_CFG, "unable to install policy %R === %R %N%s for reqid " |
2849 | "%u, the same policy for reqid %u exists", | |
2850 | id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr, | |
2851 | data->sa->reqid, current->reqid); | |
1551d8b1 MW |
2852 | policy_entry_destroy(this, policy); |
2853 | this->mutex->unlock(this->mutex); | |
2854 | return INVALID_STATE; | |
2855 | } | |
f0ba8ae0 | 2856 | /* use existing policy */ |
25178f45 TB |
2857 | DBG2(DBG_KNL, "policy %R === %R %N%s already exists, increasing " |
2858 | "refcount", id->src_ts, id->dst_ts, policy_dir_names, id->dir, | |
2859 | markstr); | |
9f49464d | 2860 | policy_entry_destroy(this, policy); |
f0ba8ae0 TB |
2861 | policy = current; |
2862 | found = TRUE; | |
ebeaac1f TB |
2863 | |
2864 | policy->waiting++; | |
2865 | while (policy->working) | |
2866 | { | |
2867 | this->condvar->wait(this->condvar, this->mutex); | |
2868 | } | |
2869 | policy->waiting--; | |
2870 | policy->working = TRUE; | |
f0ba8ae0 TB |
2871 | } |
2872 | else | |
9f49464d TB |
2873 | { /* use the new one, if we have no such policy */ |
2874 | policy->used_by = linked_list_create(); | |
f0ba8ae0 TB |
2875 | this->policies->put(this->policies, policy, policy); |
2876 | } | |
2877 | ||
2878 | /* cache the assigned IPsec SA */ | |
89da06ac | 2879 | assigned_sa = policy_sa_create(this, id->dir, data->type, data->src, |
b32c3ce8 TB |
2880 | data->dst, id->src_ts, id->dst_ts, id->mark, |
2881 | id->if_id, data->sa); | |
869f4e90 | 2882 | assigned_sa->auto_priority = get_priority(policy, data->prio, id->interface); |
fc21465c TB |
2883 | assigned_sa->priority = this->get_priority ? this->get_priority(id, data) |
2884 | : data->manual_prio; | |
2885 | assigned_sa->priority = assigned_sa->priority ?: assigned_sa->auto_priority; | |
f0ba8ae0 | 2886 | |
e2658390 TB |
2887 | /* insert the SA according to its priority */ |
2888 | enumerator = policy->used_by->create_enumerator(policy->used_by); | |
2889 | while (enumerator->enumerate(enumerator, (void**)¤t_sa)) | |
2890 | { | |
83312ee5 TB |
2891 | if (current_sa->priority > assigned_sa->priority) |
2892 | { | |
2893 | break; | |
2894 | } | |
869f4e90 | 2895 | if (current_sa->priority == assigned_sa->priority) |
f0ba8ae0 | 2896 | { |
869f4e90 TB |
2897 | /* in case of equal manual prios order SAs by automatic priority */ |
2898 | if (current_sa->auto_priority > assigned_sa->auto_priority) | |
2899 | { | |
2900 | break; | |
2901 | } | |
2902 | /* prefer SAs with a reqid over those without */ | |
2903 | if (current_sa->auto_priority == assigned_sa->auto_priority && | |
2904 | (!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid)) | |
2905 | { | |
2906 | break; | |
2907 | } | |
f0ba8ae0 | 2908 | } |
471b9076 TB |
2909 | if (update) |
2910 | { | |
2911 | cur_priority = current_sa->priority; | |
2912 | update = FALSE; | |
2913 | } | |
f0ba8ae0 | 2914 | } |
869f4e90 | 2915 | policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa); |
e2658390 | 2916 | enumerator->destroy(enumerator); |
f0ba8ae0 | 2917 | |
471b9076 | 2918 | use_count = policy->used_by->get_count(policy->used_by); |
f0ba8ae0 | 2919 | if (!update) |
00574270 TB |
2920 | { /* we don't update the policy if the priority is lower than that of |
2921 | * the currently installed one */ | |
ebeaac1f | 2922 | policy_change_done(this, policy); |
6606393b | 2923 | DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u, " |
471b9076 TB |
2924 | "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names, |
2925 | id->dir, markstr, cur_priority, use_count); | |
f0ba8ae0 TB |
2926 | return SUCCESS; |
2927 | } | |
175d78df | 2928 | policy->reqid = assigned_sa->sa->cfg.reqid; |
f0ba8ae0 | 2929 | |
8925abbe MW |
2930 | if (this->policy_update) |
2931 | { | |
2932 | found = TRUE; | |
2933 | } | |
2934 | ||
471b9076 TB |
2935 | DBG2(DBG_KNL, "%s policy %R === %R %N%s [priority %u, refcount %d]", |
2936 | found ? "updating" : "adding", id->src_ts, id->dst_ts, | |
2937 | policy_dir_names, id->dir, markstr, assigned_sa->priority, use_count); | |
f0ba8ae0 TB |
2938 | |
2939 | if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS) | |
2940 | { | |
25178f45 | 2941 | DBG1(DBG_KNL, "unable to %s policy %R === %R %N%s", |
89da06ac | 2942 | found ? "update" : "add", id->src_ts, id->dst_ts, |
25178f45 | 2943 | policy_dir_names, id->dir, markstr); |
f0ba8ae0 TB |
2944 | return FAILED; |
2945 | } | |
2946 | return SUCCESS; | |
2947 | } | |
2948 | ||
98ed9c6c | 2949 | METHOD(kernel_ipsec_t, query_policy, status_t, |
89da06ac TB |
2950 | private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id, |
2951 | kernel_ipsec_query_policy_t *data, time_t *use_time) | |
507f26f6 | 2952 | { |
21bf86f7 | 2953 | netlink_buf_t request; |
507f26f6 TB |
2954 | struct nlmsghdr *out = NULL, *hdr; |
2955 | struct xfrm_userpolicy_id *policy_id; | |
2956 | struct xfrm_userpolicy_info *policy = NULL; | |
2957 | size_t len; | |
25178f45 | 2958 | char markstr[32] = ""; |
7daf5226 | 2959 | |
507f26f6 | 2960 | memset(&request, 0, sizeof(request)); |
25178f45 | 2961 | format_mark(markstr, sizeof(markstr), id->mark); |
7daf5226 | 2962 | |
25178f45 TB |
2963 | DBG2(DBG_KNL, "querying policy %R === %R %N%s", id->src_ts, id->dst_ts, |
2964 | policy_dir_names, id->dir, markstr); | |
6e921f20 | 2965 | |
0404a29b | 2966 | hdr = &request.hdr; |
507f26f6 TB |
2967 | hdr->nlmsg_flags = NLM_F_REQUEST; |
2968 | hdr->nlmsg_type = XFRM_MSG_GETPOLICY; | |
2969 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id)); | |
2970 | ||
4c438cf0 | 2971 | policy_id = NLMSG_DATA(hdr); |
c26e4330 | 2972 | policy_id->sel = ts2selector(id->src_ts, id->dst_ts, id->interface); |
89da06ac | 2973 | policy_id->dir = id->dir; |
7daf5226 | 2974 | |
89da06ac | 2975 | if (!add_mark(hdr, sizeof(request), id->mark)) |
ee26c537 | 2976 | { |
0d9f31e1 | 2977 | return FAILED; |
ee26c537 | 2978 | } |
b32c3ce8 TB |
2979 | if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id)) |
2980 | { | |
2981 | return FAILED; | |
2982 | } | |
ee26c537 | 2983 | |
507f26f6 TB |
2984 | if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) |
2985 | { | |
2986 | hdr = out; | |
2987 | while (NLMSG_OK(hdr, len)) | |
2988 | { | |
2989 | switch (hdr->nlmsg_type) | |
2990 | { | |
2991 | case XFRM_MSG_NEWPOLICY: | |
2992 | { | |
4c438cf0 | 2993 | policy = NLMSG_DATA(hdr); |
507f26f6 TB |
2994 | break; |
2995 | } | |
2996 | case NLMSG_ERROR: | |
2997 | { | |
2998 | struct nlmsgerr *err = NLMSG_DATA(hdr); | |
2999 | DBG1(DBG_KNL, "querying policy failed: %s (%d)", | |
89da06ac | 3000 | strerror(-err->error), -err->error); |
507f26f6 TB |
3001 | break; |
3002 | } | |
3003 | default: | |
3004 | hdr = NLMSG_NEXT(hdr, len); | |
3005 | continue; | |
3006 | case NLMSG_DONE: | |
3007 | break; | |
3008 | } | |
3009 | break; | |
3010 | } | |
3011 | } | |
7daf5226 | 3012 | |
507f26f6 TB |
3013 | if (policy == NULL) |
3014 | { | |
25178f45 TB |
3015 | DBG2(DBG_KNL, "unable to query policy %R === %R %N%s", id->src_ts, |
3016 | id->dst_ts, policy_dir_names, id->dir, markstr); | |
507f26f6 TB |
3017 | free(out); |
3018 | return FAILED; | |
3019 | } | |
7daf5226 | 3020 | |
6180a558 MW |
3021 | if (policy->curlft.use_time) |
3022 | { | |
3023 | /* we need the monotonic time, but the kernel returns system time. */ | |
3024 | *use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time); | |
3025 | } | |
3026 | else | |
3027 | { | |
3028 | *use_time = 0; | |
3029 | } | |
7daf5226 | 3030 | |
507f26f6 TB |
3031 | free(out); |
3032 | return SUCCESS; | |
3033 | } | |
3034 | ||
98ed9c6c | 3035 | METHOD(kernel_ipsec_t, del_policy, status_t, |
89da06ac TB |
3036 | private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id, |
3037 | kernel_ipsec_manage_policy_t *data) | |
507f26f6 | 3038 | { |
c225f9b5 TB |
3039 | policy_entry_t *current, policy; |
3040 | enumerator_t *enumerator; | |
9f49464d | 3041 | policy_sa_t *mapping; |
21bf86f7 | 3042 | netlink_buf_t request; |
507f26f6 TB |
3043 | struct nlmsghdr *hdr; |
3044 | struct xfrm_userpolicy_id *policy_id; | |
c225f9b5 | 3045 | bool is_installed = TRUE; |
471b9076 | 3046 | uint32_t priority, auto_priority, cur_priority; |
33400876 | 3047 | ipsec_sa_t assigned_sa = { |
89da06ac TB |
3048 | .src = data->src, |
3049 | .dst = data->dst, | |
3050 | .mark = id->mark, | |
b32c3ce8 | 3051 | .if_id = id->if_id, |
89da06ac | 3052 | .cfg = *data->sa, |
33400876 | 3053 | }; |
25178f45 | 3054 | char markstr[32] = ""; |
471b9076 | 3055 | int use_count; |
ebeaac1f | 3056 | status_t status = SUCCESS; |
7daf5226 | 3057 | |
25178f45 TB |
3058 | format_mark(markstr, sizeof(markstr), id->mark); |
3059 | ||
3060 | DBG2(DBG_KNL, "deleting policy %R === %R %N%s", id->src_ts, id->dst_ts, | |
3061 | policy_dir_names, id->dir, markstr); | |
7daf5226 | 3062 | |
507f26f6 TB |
3063 | /* create a policy */ |
3064 | memset(&policy, 0, sizeof(policy_entry_t)); | |
c26e4330 | 3065 | policy.sel = ts2selector(id->src_ts, id->dst_ts, id->interface); |
89da06ac | 3066 | policy.mark = id->mark.value & id->mark.mask; |
b32c3ce8 | 3067 | policy.if_id = id->if_id; |
89da06ac | 3068 | policy.direction = id->dir; |
7daf5226 | 3069 | |
507f26f6 | 3070 | /* find the policy */ |
3ac5a0db | 3071 | this->mutex->lock(this->mutex); |
3fb404d8 | 3072 | current = this->policies->get(this->policies, &policy); |
4aff4452 | 3073 | if (!current) |
507f26f6 | 3074 | { |
25178f45 TB |
3075 | DBG1(DBG_KNL, "deleting policy %R === %R %N%s failed, not found", |
3076 | id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr); | |
c225f9b5 TB |
3077 | this->mutex->unlock(this->mutex); |
3078 | return NOT_FOUND; | |
3079 | } | |
ebeaac1f TB |
3080 | current->waiting++; |
3081 | while (current->working) | |
3082 | { | |
3083 | this->condvar->wait(this->condvar, this->mutex); | |
3084 | } | |
3085 | current->working = TRUE; | |
3086 | current->waiting--; | |
f0ba8ae0 | 3087 | |
e2658390 | 3088 | /* remove mapping to SA by reqid and priority */ |
869f4e90 | 3089 | auto_priority = get_priority(current, data->prio,id->interface); |
fc21465c TB |
3090 | priority = this->get_priority ? this->get_priority(id, data) |
3091 | : data->manual_prio; | |
3092 | priority = priority ?: auto_priority; | |
d3af3b79 | 3093 | |
e2658390 TB |
3094 | enumerator = current->used_by->create_enumerator(current->used_by); |
3095 | while (enumerator->enumerate(enumerator, (void**)&mapping)) | |
3096 | { | |
869f4e90 TB |
3097 | if (priority == mapping->priority && |
3098 | auto_priority == mapping->auto_priority && | |
3099 | data->type == mapping->type && | |
33400876 | 3100 | ipsec_sa_equals(mapping->sa, &assigned_sa)) |
c225f9b5 | 3101 | { |
e2658390 | 3102 | current->used_by->remove_at(current->used_by, enumerator); |
8a2e4d4a | 3103 | policy_sa_destroy(mapping, id->dir, this); |
e2658390 | 3104 | break; |
c225f9b5 | 3105 | } |
471b9076 TB |
3106 | if (is_installed) |
3107 | { | |
3108 | cur_priority = mapping->priority; | |
3109 | is_installed = FALSE; | |
3110 | } | |
c225f9b5 | 3111 | } |
e2658390 | 3112 | enumerator->destroy(enumerator); |
f0ba8ae0 | 3113 | |
471b9076 TB |
3114 | use_count = current->used_by->get_count(current->used_by); |
3115 | if (use_count > 0) | |
c225f9b5 TB |
3116 | { /* policy is used by more SAs, keep in kernel */ |
3117 | DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); | |
3118 | if (!is_installed) | |
3119 | { /* no need to update as the policy was not installed for this SA */ | |
ebeaac1f | 3120 | policy_change_done(this, current); |
471b9076 TB |
3121 | DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u, " |
3122 | "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names, | |
3123 | id->dir, markstr, cur_priority, use_count); | |
3fb404d8 | 3124 | return SUCCESS; |
507f26f6 | 3125 | } |
471b9076 | 3126 | current->used_by->get_first(current->used_by, (void**)&mapping); |
175d78df | 3127 | current->reqid = mapping->sa->cfg.reqid; |
f0ba8ae0 | 3128 | |
471b9076 TB |
3129 | DBG2(DBG_KNL, "updating policy %R === %R %N%s [priority %u, " |
3130 | "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names, id->dir, | |
3131 | markstr, mapping->priority, use_count); | |
c225f9b5 | 3132 | |
9f49464d | 3133 | if (add_policy_internal(this, current, mapping, TRUE) != SUCCESS) |
c225f9b5 | 3134 | { |
25178f45 TB |
3135 | DBG1(DBG_KNL, "unable to update policy %R === %R %N%s", |
3136 | id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr); | |
c225f9b5 TB |
3137 | return FAILED; |
3138 | } | |
3139 | return SUCCESS; | |
507f26f6 | 3140 | } |
7daf5226 | 3141 | |
507f26f6 | 3142 | memset(&request, 0, sizeof(request)); |
7daf5226 | 3143 | |
0404a29b | 3144 | hdr = &request.hdr; |
507f26f6 TB |
3145 | hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; |
3146 | hdr->nlmsg_type = XFRM_MSG_DELPOLICY; | |
3147 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id)); | |
3148 | ||
4c438cf0 | 3149 | policy_id = NLMSG_DATA(hdr); |
c225f9b5 | 3150 | policy_id->sel = current->sel; |
89da06ac | 3151 | policy_id->dir = id->dir; |
7daf5226 | 3152 | |
89da06ac | 3153 | if (!add_mark(hdr, sizeof(request), id->mark)) |
ee26c537 | 3154 | { |
ebeaac1f | 3155 | policy_change_done(this, current); |
0d9f31e1 | 3156 | return FAILED; |
ee26c537 | 3157 | } |
b32c3ce8 TB |
3158 | if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id)) |
3159 | { | |
3160 | policy_change_done(this, current); | |
3161 | return FAILED; | |
3162 | } | |
ee26c537 | 3163 | |
c225f9b5 | 3164 | if (current->route) |
f0ba8ae0 | 3165 | { |
c225f9b5 | 3166 | route_entry_t *route = current->route; |
8394ea2a TB |
3167 | if (charon->kernel->del_route(charon->kernel, route->dst_net, |
3168 | route->prefixlen, route->gateway, | |
09f4bccf NK |
3169 | route->src_ip, route->if_name, |
3170 | route->pass) != SUCCESS) | |
f0ba8ae0 | 3171 | { |
89da06ac | 3172 | DBG1(DBG_KNL, "error uninstalling route installed with policy " |
25178f45 TB |
3173 | "%R === %R %N%s", id->src_ts, id->dst_ts, policy_dir_names, |
3174 | id->dir, markstr); | |
f0ba8ae0 TB |
3175 | } |
3176 | } | |
c225f9b5 TB |
3177 | this->mutex->unlock(this->mutex); |
3178 | ||
507f26f6 TB |
3179 | if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) |
3180 | { | |
25178f45 TB |
3181 | DBG1(DBG_KNL, "unable to delete policy %R === %R %N%s", id->src_ts, |
3182 | id->dst_ts, policy_dir_names, id->dir, markstr); | |
ebeaac1f | 3183 | status = FAILED; |
507f26f6 | 3184 | } |
ebeaac1f TB |
3185 | |
3186 | this->mutex->lock(this->mutex); | |
3187 | if (!current->waiting) | |
3188 | { /* only if no other thread still needs the policy */ | |
3189 | this->policies->remove(this->policies, current); | |
3190 | policy_entry_destroy(this, current); | |
3191 | this->mutex->unlock(this->mutex); | |
3192 | } | |
3193 | else | |
3194 | { | |
3195 | policy_change_done(this, current); | |
3196 | } | |
3197 | return status; | |
507f26f6 TB |
3198 | } |
3199 | ||
99d23ddf TB |
3200 | METHOD(kernel_ipsec_t, flush_policies, status_t, |
3201 | private_kernel_netlink_ipsec_t *this) | |
3202 | { | |
3203 | netlink_buf_t request; | |
3204 | struct nlmsghdr *hdr; | |
3205 | ||
3206 | memset(&request, 0, sizeof(request)); | |
3207 | ||
3208 | DBG2(DBG_KNL, "flushing all policies from SPD"); | |
3209 | ||
0404a29b | 3210 | hdr = &request.hdr; |
99d23ddf TB |
3211 | hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; |
3212 | hdr->nlmsg_type = XFRM_MSG_FLUSHPOLICY; | |
3213 | hdr->nlmsg_len = NLMSG_LENGTH(0); /* no data associated */ | |
3214 | ||
3215 | /* by adding an rtattr of type XFRMA_POLICY_TYPE we could restrict this | |
3216 | * to main or sub policies (default is main) */ | |
3217 | ||
3218 | if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) | |
3219 | { | |
3220 | DBG1(DBG_KNL, "unable to flush SPD entries"); | |
3221 | return FAILED; | |
3222 | } | |
3223 | return SUCCESS; | |
3224 | } | |
3225 | ||
87888f99 MW |
3226 | /** |
3227 | * Bypass socket using a per-socket policy | |
3228 | */ | |
3229 | static bool add_socket_bypass(private_kernel_netlink_ipsec_t *this, | |
3230 | int fd, int family) | |
54f81859 MW |
3231 | { |
3232 | struct xfrm_userpolicy_info policy; | |
3233 | u_int sol, ipsec_policy; | |
3234 | ||
3235 | switch (family) | |
3236 | { | |
3237 | case AF_INET: | |
3238 | sol = SOL_IP; | |
3239 | ipsec_policy = IP_XFRM_POLICY; | |
3240 | break; | |
3241 | case AF_INET6: | |
3242 | sol = SOL_IPV6; | |
3243 | ipsec_policy = IPV6_XFRM_POLICY; | |
3244 | break; | |
3245 | default: | |
3246 | return FALSE; | |
3247 | } | |
3248 | ||
3249 | memset(&policy, 0, sizeof(policy)); | |
3250 | policy.action = XFRM_POLICY_ALLOW; | |
3251 | policy.sel.family = family; | |
3252 | ||
3253 | policy.dir = XFRM_POLICY_OUT; | |
3254 | if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) | |
3255 | { | |
a0178fe2 TB |
3256 | DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s (%d)", |
3257 | strerror(errno), errno); | |
54f81859 MW |
3258 | return FALSE; |
3259 | } | |
3260 | policy.dir = XFRM_POLICY_IN; | |
3261 | if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) | |
3262 | { | |
a0178fe2 TB |
3263 | DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s (%d)", |
3264 | strerror(errno), errno); | |
54f81859 MW |
3265 | return FALSE; |
3266 | } | |
3267 | return TRUE; | |
3268 | } | |
3269 | ||
87888f99 MW |
3270 | /** |
3271 | * Port based IKE bypass policy | |
3272 | */ | |
3273 | typedef struct { | |
3274 | /** address family */ | |
3275 | int family; | |
3276 | /** layer 4 protocol */ | |
3277 | int proto; | |
3278 | /** port number, network order */ | |
b12c53ce | 3279 | uint16_t port; |
87888f99 MW |
3280 | } bypass_t; |
3281 | ||
3282 | /** | |
3283 | * Add or remove a bypass policy from/to kernel | |
3284 | */ | |
3285 | static bool manage_bypass(private_kernel_netlink_ipsec_t *this, | |
3286 | int type, policy_dir_t dir, bypass_t *bypass) | |
3287 | { | |
3288 | netlink_buf_t request; | |
3289 | struct xfrm_selector *sel; | |
3290 | struct nlmsghdr *hdr; | |
3291 | ||
3292 | memset(&request, 0, sizeof(request)); | |
3293 | hdr = &request.hdr; | |
3294 | hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; | |
3295 | hdr->nlmsg_type = type; | |
3296 | ||
3297 | if (type == XFRM_MSG_NEWPOLICY) | |
3298 | { | |
3299 | struct xfrm_userpolicy_info *policy; | |
3300 | ||
3301 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info)); | |
3302 | ||
3303 | policy = NLMSG_DATA(hdr); | |
3304 | policy->dir = dir; | |
3305 | policy->priority = 32; | |
3306 | policy->action = XFRM_POLICY_ALLOW; | |
3307 | policy->share = XFRM_SHARE_ANY; | |
3308 | ||
3309 | policy->lft.soft_byte_limit = XFRM_INF; | |
3310 | policy->lft.soft_packet_limit = XFRM_INF; | |
3311 | policy->lft.hard_byte_limit = XFRM_INF; | |
3312 | policy->lft.hard_packet_limit = XFRM_INF; | |
3313 | ||
3314 | sel = &policy->sel; | |
3315 | } | |
3316 | else /* XFRM_MSG_DELPOLICY */ | |
3317 | { | |
3318 | struct xfrm_userpolicy_id *policy; | |
3319 | ||
3320 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id)); | |
3321 | ||
3322 | policy = NLMSG_DATA(hdr); | |
3323 | policy->dir = dir; | |
3324 | ||
3325 | sel = &policy->sel; | |
3326 | } | |
3327 | ||
3328 | sel->family = bypass->family; | |
3329 | sel->proto = bypass->proto; | |
3330 | if (dir == POLICY_IN) | |
3331 | { | |
3332 | sel->dport = bypass->port; | |
3333 | sel->dport_mask = 0xffff; | |
3334 | } | |
3335 | else | |
3336 | { | |
3337 | sel->sport = bypass->port; | |
3338 | sel->sport_mask = 0xffff; | |
3339 | } | |
3340 | return this->socket_xfrm->send_ack(this->socket_xfrm, hdr) == SUCCESS; | |
3341 | } | |
3342 | ||
3343 | /** | |
3344 | * Bypass socket using a port-based bypass policy | |
3345 | */ | |
3346 | static bool add_port_bypass(private_kernel_netlink_ipsec_t *this, | |
3347 | int fd, int family) | |
3348 | { | |
3349 | union { | |
3350 | struct sockaddr sa; | |
3351 | struct sockaddr_in in; | |
3352 | struct sockaddr_in6 in6; | |
3353 | } saddr; | |
3354 | socklen_t len; | |
3355 | bypass_t bypass = { | |
3356 | .family = family, | |
3357 | }; | |
3358 | ||
3359 | len = sizeof(saddr); | |
3360 | if (getsockname(fd, &saddr.sa, &len) != 0) | |
3361 | { | |
3362 | return FALSE; | |
3363 | } | |
3065081c | 3364 | #ifdef SO_PROTOCOL /* since 2.6.32 */ |
87888f99 MW |
3365 | len = sizeof(bypass.proto); |
3366 | if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &bypass.proto, &len) != 0) | |
3065081c MW |
3367 | #endif |
3368 | { /* assume UDP if SO_PROTOCOL not supported */ | |
3369 | bypass.proto = IPPROTO_UDP; | |
87888f99 MW |
3370 | } |
3371 | switch (family) | |
3372 | { | |
3373 | case AF_INET: | |
3374 | bypass.port = saddr.in.sin_port; | |
3375 | break; | |
3376 | case AF_INET6: | |
3377 | bypass.port = saddr.in6.sin6_port; | |
3378 | break; | |
3379 | default: | |
3380 | return FALSE; | |
3381 | } | |
3382 | ||
3383 | if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_IN, &bypass)) | |
3384 | { | |
3385 | return FALSE; | |
3386 | } | |
3387 | if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_OUT, &bypass)) | |
3388 | { | |
3389 | manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, &bypass); | |
3390 | return FALSE; | |
3391 | } | |
3392 | array_insert(this->bypass, ARRAY_TAIL, &bypass); | |
3393 | ||
3394 | return TRUE; | |
3395 | } | |
3396 | ||
3397 | /** | |
3398 | * Remove installed port based bypass policy | |
3399 | */ | |
3400 | static void remove_port_bypass(bypass_t *bypass, int idx, | |
3401 | private_kernel_netlink_ipsec_t *this) | |
3402 | { | |
3403 | manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_OUT, bypass); | |
3404 | manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, bypass); | |
3405 | } | |
3406 | ||
3407 | METHOD(kernel_ipsec_t, bypass_socket, bool, | |
3408 | private_kernel_netlink_ipsec_t *this, int fd, int family) | |
3409 | { | |
3410 | if (lib->settings->get_bool(lib->settings, | |
3411 | "%s.plugins.kernel-netlink.port_bypass", FALSE, lib->ns)) | |
3412 | { | |
3413 | return add_port_bypass(this, fd, family); | |
3414 | } | |
3415 | return add_socket_bypass(this, fd, family); | |
3416 | } | |
3417 | ||
e49abced | 3418 | METHOD(kernel_ipsec_t, enable_udp_decap, bool, |
b12c53ce | 3419 | private_kernel_netlink_ipsec_t *this, int fd, int family, uint16_t port) |
e49abced TB |
3420 | { |
3421 | int type = UDP_ENCAP_ESPINUDP; | |
3422 | ||
3423 | if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0) | |
3424 | { | |
3425 | DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno)); | |
3426 | return FALSE; | |
3427 | } | |
3428 | return TRUE; | |
3429 | } | |
3430 | ||
98ed9c6c MW |
3431 | METHOD(kernel_ipsec_t, destroy, void, |
3432 | private_kernel_netlink_ipsec_t *this) | |
507f26f6 | 3433 | { |
3fb404d8 TB |
3434 | enumerator_t *enumerator; |
3435 | policy_entry_t *policy; | |
7daf5226 | 3436 | |
87888f99 MW |
3437 | array_destroy_function(this->bypass, |
3438 | (array_callback_t)remove_port_bypass, this); | |
d6a27ec6 MW |
3439 | if (this->socket_xfrm_events > 0) |
3440 | { | |
f4f77d74 | 3441 | lib->watcher->remove(lib->watcher, this->socket_xfrm_events); |
d6a27ec6 MW |
3442 | close(this->socket_xfrm_events); |
3443 | } | |
3444 | DESTROY_IF(this->socket_xfrm); | |
3fb404d8 | 3445 | enumerator = this->policies->create_enumerator(this->policies); |
19e0010f | 3446 | while (enumerator->enumerate(enumerator, &policy, &policy)) |
3fb404d8 | 3447 | { |
9f49464d | 3448 | policy_entry_destroy(this, policy); |
3fb404d8 TB |
3449 | } |
3450 | enumerator->destroy(enumerator); | |
507f26f6 | 3451 | this->policies->destroy(this->policies); |
9f49464d | 3452 | this->sas->destroy(this->sas); |
ebeaac1f | 3453 | this->condvar->destroy(this->condvar); |
3ac5a0db | 3454 | this->mutex->destroy(this->mutex); |
507f26f6 TB |
3455 | free(this); |
3456 | } | |
3457 | ||
ac9759a5 TB |
3458 | /** |
3459 | * Get the currently configured SPD hashing thresholds for an address family | |
3460 | */ | |
3461 | static bool get_spd_hash_thresh(private_kernel_netlink_ipsec_t *this, | |
3462 | int type, uint8_t *lbits, uint8_t *rbits) | |
3463 | { | |
3464 | netlink_buf_t request; | |
3465 | struct nlmsghdr *hdr, *out; | |
3466 | struct xfrmu_spdhthresh *thresh; | |
3467 | struct rtattr *rta; | |
3468 | size_t len, rtasize; | |
3469 | bool success = FALSE; | |
3470 | ||
3471 | memset(&request, 0, sizeof(request)); | |
3472 | ||
3473 | hdr = &request.hdr; | |
3474 | hdr->nlmsg_flags = NLM_F_REQUEST; | |
3475 | hdr->nlmsg_type = XFRM_MSG_GETSPDINFO; | |
3476 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(uint32_t)); | |
3477 | ||
3478 | if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) | |
3479 | { | |
3480 | hdr = out; | |
3481 | while (NLMSG_OK(hdr, len)) | |
3482 | { | |
3483 | switch (hdr->nlmsg_type) | |
3484 | { | |
3485 | case XFRM_MSG_NEWSPDINFO: | |
3486 | { | |
3487 | rta = XFRM_RTA(hdr, uint32_t); | |
3488 | rtasize = XFRM_PAYLOAD(hdr, uint32_t); | |
3489 | while (RTA_OK(rta, rtasize)) | |
3490 | { | |
3491 | if (rta->rta_type == type && | |
3492 | RTA_PAYLOAD(rta) == sizeof(*thresh)) | |
3493 | { | |
3494 | thresh = RTA_DATA(rta); | |
3495 | *lbits = thresh->lbits; | |
3496 | *rbits = thresh->rbits; | |
3497 | success = TRUE; | |
3498 | break; | |
3499 | } | |
3500 | rta = RTA_NEXT(rta, rtasize); | |
3501 | } | |
3502 | break; | |
3503 | } | |
3504 | case NLMSG_ERROR: | |
3505 | { | |
3506 | struct nlmsgerr *err = NLMSG_DATA(hdr); | |
3507 | DBG1(DBG_KNL, "getting SPD hash threshold failed: %s (%d)", | |
3508 | strerror(-err->error), -err->error); | |
3509 | break; | |
3510 | } | |
3511 | default: | |
3512 | hdr = NLMSG_NEXT(hdr, len); | |
3513 | continue; | |
3514 | case NLMSG_DONE: | |
3515 | break; | |
3516 | } | |
3517 | break; | |
3518 | } | |
3519 | free(out); | |
3520 | } | |
3521 | return success; | |
3522 | } | |
3523 | ||
3524 | /** | |
3525 | * Configure SPD hashing threshold for an address family | |
3526 | */ | |
3527 | static void setup_spd_hash_thresh(private_kernel_netlink_ipsec_t *this, | |
3528 | char *key, int type, uint8_t def) | |
3529 | { | |
3530 | struct xfrmu_spdhthresh *thresh; | |
3531 | struct nlmsghdr *hdr; | |
3532 | netlink_buf_t request; | |
3533 | uint8_t lbits, rbits; | |
3534 | ||
3535 | if (!get_spd_hash_thresh(this, type, &lbits, &rbits)) | |
3536 | { | |
3537 | return; | |
3538 | } | |
3539 | memset(&request, 0, sizeof(request)); | |
3540 | ||
3541 | hdr = &request.hdr; | |
3542 | hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; | |
3543 | hdr->nlmsg_type = XFRM_MSG_NEWSPDINFO; | |
3544 | hdr->nlmsg_len = NLMSG_LENGTH(sizeof(uint32_t)); | |
3545 | ||
3546 | thresh = netlink_reserve(hdr, sizeof(request), type, sizeof(*thresh)); | |
3547 | thresh->lbits = lib->settings->get_int(lib->settings, | |
3548 | "%s.plugins.kernel-netlink.spdh_thresh.%s.lbits", | |
3549 | def, lib->ns, key); | |
3550 | thresh->rbits = lib->settings->get_int(lib->settings, | |
3551 | "%s.plugins.kernel-netlink.spdh_thresh.%s.rbits", | |
3552 | def, lib->ns, key); | |
3553 | if (thresh->lbits != lbits || thresh->rbits != rbits) | |
3554 | { | |
3555 | if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) | |
3556 | { | |
3557 | DBG1(DBG_KNL, "setting SPD hash threshold failed"); | |
3558 | } | |
3559 | } | |
3560 | } | |
3561 | ||
507f26f6 TB |
3562 | /* |
3563 | * Described in header. | |
3564 | */ | |
3565 | kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() | |
3566 | { | |
98ed9c6c | 3567 | private_kernel_netlink_ipsec_t *this; |
05ca5655 | 3568 | bool register_for_events = TRUE; |
7daf5226 | 3569 | |
98ed9c6c | 3570 | INIT(this, |
ba31fe1f MW |
3571 | .public = { |
3572 | .interface = { | |
53e62f5d | 3573 | .get_features = _get_features, |
ba31fe1f MW |
3574 | .get_spi = _get_spi, |
3575 | .get_cpi = _get_cpi, | |
3576 | .add_sa = _add_sa, | |
3577 | .update_sa = _update_sa, | |
3578 | .query_sa = _query_sa, | |
3579 | .del_sa = _del_sa, | |
99d23ddf | 3580 | .flush_sas = _flush_sas, |
ba31fe1f MW |
3581 | .add_policy = _add_policy, |
3582 | .query_policy = _query_policy, | |
3583 | .del_policy = _del_policy, | |
99d23ddf | 3584 | .flush_policies = _flush_policies, |
ba31fe1f | 3585 | .bypass_socket = _bypass_socket, |
e49abced | 3586 | .enable_udp_decap = _enable_udp_decap, |
ba31fe1f MW |
3587 | .destroy = _destroy, |
3588 | }, | |
98ed9c6c MW |
3589 | }, |
3590 | .policies = hashtable_create((hashtable_hash_t)policy_hash, | |
3591 | (hashtable_equals_t)policy_equals, 32), | |
9f49464d TB |
3592 | .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash, |
3593 | (hashtable_equals_t)ipsec_sa_equals, 32), | |
87888f99 | 3594 | .bypass = array_create(sizeof(bypass_t), 0), |
98ed9c6c | 3595 | .mutex = mutex_create(MUTEX_TYPE_DEFAULT), |
ebeaac1f | 3596 | .condvar = condvar_create(CONDVAR_TYPE_DEFAULT), |
fc21465c TB |
3597 | .get_priority = dlsym(RTLD_DEFAULT, |
3598 | "kernel_netlink_get_priority_custom"), | |
8925abbe MW |
3599 | .policy_update = lib->settings->get_bool(lib->settings, |
3600 | "%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns), | |
98ed9c6c | 3601 | .install_routes = lib->settings->get_bool(lib->settings, |
d347a130 | 3602 | "%s.install_routes", TRUE, lib->ns), |
90e6675a TB |
3603 | .proto_port_transport = lib->settings->get_bool(lib->settings, |
3604 | "%s.plugins.kernel-netlink.set_proto_port_transport_sa", | |
3605 | FALSE, lib->ns), | |
98ed9c6c | 3606 | ); |
7daf5226 | 3607 | |
d347a130 | 3608 | if (streq(lib->ns, "starter")) |
05ca5655 TB |
3609 | { /* starter has no threads, so we do not register for kernel events */ |
3610 | register_for_events = FALSE; | |
3611 | } | |
b8bf01dd | 3612 | |
6c58fabe MW |
3613 | this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names, |
3614 | lib->settings->get_bool(lib->settings, | |
3615 | "%s.plugins.kernel-netlink.parallel_xfrm", FALSE, lib->ns)); | |
d6a27ec6 MW |
3616 | if (!this->socket_xfrm) |
3617 | { | |
3618 | destroy(this); | |
3619 | return NULL; | |
3620 | } | |
7daf5226 | 3621 | |
ac9759a5 TB |
3622 | setup_spd_hash_thresh(this, "ipv4", XFRMA_SPD_IPV4_HTHRESH, 32); |
3623 | setup_spd_hash_thresh(this, "ipv6", XFRMA_SPD_IPV6_HTHRESH, 128); | |
3624 | ||
05ca5655 | 3625 | if (register_for_events) |
507f26f6 | 3626 | { |
05ca5655 TB |
3627 | struct sockaddr_nl addr; |
3628 | ||
3629 | memset(&addr, 0, sizeof(addr)); | |
3630 | addr.nl_family = AF_NETLINK; | |
3631 | ||
3632 | /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */ | |
3633 | this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM); | |
3634 | if (this->socket_xfrm_events <= 0) | |
3635 | { | |
a0178fe2 TB |
3636 | DBG1(DBG_KNL, "unable to create XFRM event socket: %s (%d)", |
3637 | strerror(errno), errno); | |
05ca5655 TB |
3638 | destroy(this); |
3639 | return NULL; | |
3640 | } | |
3641 | addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) | | |
3642 | XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING); | |
3643 | if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr))) | |
3644 | { | |
a0178fe2 TB |
3645 | DBG1(DBG_KNL, "unable to bind XFRM event socket: %s (%d)", |
3646 | strerror(errno), errno); | |
05ca5655 TB |
3647 | destroy(this); |
3648 | return NULL; | |
3649 | } | |
f4f77d74 MW |
3650 | lib->watcher->add(lib->watcher, this->socket_xfrm_events, WATCHER_READ, |
3651 | (watcher_cb_t)receive_events, this); | |
507f26f6 | 3652 | } |
7daf5226 | 3653 | |
a605452c | 3654 | netlink_find_offload_feature(lib->settings->get_str(lib->settings, |
a3166c81 TB |
3655 | "%s.plugins.kernel-netlink.hw_offload_feature_interface", |
3656 | "lo", lib->ns)); | |
a605452c | 3657 | |
507f26f6 TB |
3658 | return &this->public; |
3659 | } |