]> git.ipfire.org Git - people/ms/strongswan.git/blame - src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
projects / people / ms / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
kernel-netlink: Remove unimplemented XFRM_OFFLOAD_IPV6 flag
[people/ms/strongswan.git] / src / libcharon / plugins / kernel_netlink / kernel_netlink_ipsec.c
CommitLineData
507f26f6 1/*
b32c3ce8 2 * Copyright (C) 2006-2019 Tobias Brunner
469083cc 3 * Copyright (C) 2005-2009 Martin Willi
6abae81f 4 * Copyright (C) 2008-2016 Andreas Steffen
507f26f6
TB		 5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
89da06ac 8 * HSR Hochschule fuer Technik Rapperswil
507f26f6
TB		 9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
507f26f6 19 */
338cc581
AN		 20/*
21 * Copyright (C) 2018 Mellanox Technologies.
22 *
23 * Permission is hereby granted, free of charge, to any person obtaining a copy
24 * of this software and associated documentation files (the "Software"), to deal
25 * in the Software without restriction, including without limitation the rights
26 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
27 * copies of the Software, and to permit persons to whom the Software is
28 * furnished to do so, subject to the following conditions:
29 *
30 * The above copyright notice and this permission notice shall be included in
31 * all copies or substantial portions of the Software.
32 *
33 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
34 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
35 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
36 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
37 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
38 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
39 * THE SOFTWARE.
40 */
507f26f6 41
fc21465c 42#define _GNU_SOURCE
507f26f6
TB		 43#include <sys/types.h>
44#include <sys/socket.h>
338cc581 45#include <sys/ioctl.h>
ea625fab
TB		 46#include <stdint.h>
47#include <linux/ipsec.h>
507f26f6
TB		 48#include <linux/netlink.h>
49#include <linux/rtnetlink.h>
50#include <linux/xfrm.h>
51#include <linux/udp.h>
338cc581
AN		 52#include <linux/ethtool.h>
53#include <linux/sockios.h>
c26e4330 54#include <net/if.h>
507f26f6 55#include <unistd.h>
4a5a5dd2 56#include <time.h>
507f26f6
TB		 57#include <errno.h>
58#include <string.h>
469083cc 59#include <fcntl.h>
fc21465c 60#include <dlfcn.h>
507f26f6
TB		 61
62#include "kernel_netlink_ipsec.h"
63#include "kernel_netlink_shared.h"
64
8394ea2a 65#include <daemon.h>
f05b4272 66#include <utils/debug.h>
eba64cef 67#include <threading/mutex.h>
ebeaac1f 68#include <threading/condvar.h>
87888f99 69#include <collections/array.h>
12642a68
TB		 70#include <collections/hashtable.h>
71#include <collections/linked_list.h>
507f26f6 72
674bc343 73/** Required for Linux 2.6.26 kernel and later */
507f26f6 74#ifndef XFRM_STATE_AF_UNSPEC
674bc343 75#define XFRM_STATE_AF_UNSPEC 32
507f26f6
TB		 76#endif
77
674bc343 78/** From linux/in.h */
4a38687a
MW		 79#ifndef IP_XFRM_POLICY
80#define IP_XFRM_POLICY 17
ea625fab
TB		 81#endif
82
674bc343 83/** Missing on uclibc */
4a38687a
MW		 84#ifndef IPV6_XFRM_POLICY
85#define IPV6_XFRM_POLICY 34
86#endif /*IPV6_XFRM_POLICY*/
addfea95 87
e49abced
TB		 88/* from linux/udp.h */
89#ifndef UDP_ENCAP
90#define UDP_ENCAP 100
91#endif
92
93#ifndef UDP_ENCAP_ESPINUDP
94#define UDP_ENCAP_ESPINUDP 2
95#endif
96
97/* this is not defined on some platforms */
98#ifndef SOL_UDP
99#define SOL_UDP IPPROTO_UDP
100#endif
101
f1675e4e 102/** Base priority for installed policies */
0e9d6c46 103#define PRIO_BASE 200000
507f26f6 104
1087b9ce 105/**
674bc343 106 * Map the limit for bytes and packets to XFRM_INF by default
1087b9ce
TB		 107 */
108#define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
109
aa9a3006
MW		 110/**
111 * Create ORable bitfield of XFRM NL groups
112 */
113#define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
114
507f26f6 115/**
674bc343 116 * Returns a pointer to the first rtattr following the nlmsghdr *nlh and the
7daf5226 117 * 'usual' netlink data x like 'struct xfrm_usersa_info'
507f26f6 118 */
674bc343
TB		 119#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + \
120 NLMSG_ALIGN(sizeof(x))))
507f26f6 121/**
674bc343 122 * Returns the total size of attached rta data
7daf5226 123 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
507f26f6
TB		 124 */
125#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
126
127typedef struct kernel_algorithm_t kernel_algorithm_t;
128
129/**
e517b4b1 130 * Mapping of IKEv2 kernel identifier to linux crypto API names
507f26f6
TB		 131 */
132struct kernel_algorithm_t {
133 /**
134 * Identifier specified in IKEv2
135 */
e517b4b1 136 int ikev2;
7daf5226 137
507f26f6 138 /**
e517b4b1 139 * Name of the algorithm in linux crypto API
507f26f6 140 */
7085ca68 141 const char *name;
507f26f6
TB		 142};
143
37fbc741
AS		 144ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
145 "XFRM_MSG_NEWSA",
146 "XFRM_MSG_DELSA",
147 "XFRM_MSG_GETSA",
148 "XFRM_MSG_NEWPOLICY",
149 "XFRM_MSG_DELPOLICY",
150 "XFRM_MSG_GETPOLICY",
151 "XFRM_MSG_ALLOCSPI",
152 "XFRM_MSG_ACQUIRE",
153 "XFRM_MSG_EXPIRE",
154 "XFRM_MSG_UPDPOLICY",
155 "XFRM_MSG_UPDSA",
156 "XFRM_MSG_POLEXPIRE",
157 "XFRM_MSG_FLUSHSA",
158 "XFRM_MSG_FLUSHPOLICY",
159 "XFRM_MSG_NEWAE",
160 "XFRM_MSG_GETAE",
161 "XFRM_MSG_REPORT",
162 "XFRM_MSG_MIGRATE",
163 "XFRM_MSG_NEWSADINFO",
164 "XFRM_MSG_GETSADINFO",
165 "XFRM_MSG_NEWSPDINFO",
166 "XFRM_MSG_GETSPDINFO",
167 "XFRM_MSG_MAPPING"
168);
169
e1803a20 170ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_OFFLOAD_DEV,
b74bc438
AS		 171 "XFRMA_UNSPEC",
172 "XFRMA_ALG_AUTH",
173 "XFRMA_ALG_CRYPT",
174 "XFRMA_ALG_COMP",
175 "XFRMA_ENCAP",
176 "XFRMA_TMPL",
177 "XFRMA_SA",
178 "XFRMA_POLICY",
179 "XFRMA_SEC_CTX",
180 "XFRMA_LTIME_VAL",
181 "XFRMA_REPLAY_VAL",
182 "XFRMA_REPLAY_THRESH",
183 "XFRMA_ETIMER_THRESH",
184 "XFRMA_SRCADDR",
185 "XFRMA_COADDR",
186 "XFRMA_LASTUSED",
187 "XFRMA_POLICY_TYPE",
188 "XFRMA_MIGRATE",
189 "XFRMA_ALG_AEAD",
dbfd1a63
TE		 190 "XFRMA_KMADDRESS",
191 "XFRMA_ALG_AUTH_TRUNC",
192 "XFRMA_MARK",
193 "XFRMA_TFCPAD",
194 "XFRMA_REPLAY_ESN_VAL",
e1803a20
TB		 195 "XFRMA_SA_EXTRA_FLAGS",
196 "XFRMA_PROTO",
197 "XFRMA_ADDRESS_FILTER",
198 "XFRMA_PAD",
199 "XFRMA_OFFLOAD_DEV",
b74bc438
AS		 200);
201
507f26f6
TB		 202/**
203 * Algorithms for encryption
204 */
205static kernel_algorithm_t encryption_algs[] = {
89ec5bef
TB		 206/* {ENCR_DES_IV64, "***" }, */
207 {ENCR_DES, "des" },
208 {ENCR_3DES, "des3_ede" },
209/* {ENCR_RC5, "***" }, */
210/* {ENCR_IDEA, "***" }, */
83995109 211 {ENCR_CAST, "cast5" },
89ec5bef
TB		 212 {ENCR_BLOWFISH, "blowfish" },
213/* {ENCR_3IDEA, "***" }, */
214/* {ENCR_DES_IV32, "***" }, */
215 {ENCR_NULL, "cipher_null" },
b9b8a98f 216 {ENCR_AES_CBC, "aes" },
89ec5bef 217 {ENCR_AES_CTR, "rfc3686(ctr(aes))" },
e517b4b1
MW		 218 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
219 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
220 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
221 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
222 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
223 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
71baf5a8 224 {ENCR_NULL_AUTH_AES_GMAC, "rfc4543(gcm(aes))" },
247e665a
AS		 225 {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
226/* {ENCR_CAMELLIA_CTR, "***" }, */
227/* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
228/* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
229/* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
91a0825c
AS		 230 {ENCR_SERPENT_CBC, "serpent" },
231 {ENCR_TWOFISH_CBC, "twofish" },
405c5dcd 232 {ENCR_CHACHA20_POLY1305, "rfc7539esp(chacha20,poly1305)"},
507f26f6
TB		 233};
234
235/**
236 * Algorithms for integrity protection
237 */
238static kernel_algorithm_t integrity_algs[] = {
89ec5bef 239 {AUTH_HMAC_MD5_96, "md5" },
686cfd4e 240 {AUTH_HMAC_MD5_128, "hmac(md5)" },
e517b4b1 241 {AUTH_HMAC_SHA1_96, "sha1" },
686cfd4e 242 {AUTH_HMAC_SHA1_160, "hmac(sha1)" },
6546482a 243 {AUTH_HMAC_SHA2_256_96, "sha256" },
4b615eda 244 {AUTH_HMAC_SHA2_256_128, "hmac(sha256)" },
c632aa7b 245 {AUTH_HMAC_SHA2_256_256, "hmac(sha256)" },
6780edc0 246 {AUTH_HMAC_SHA2_384_192, "hmac(sha384)" },
c632aa7b 247 {AUTH_HMAC_SHA2_384_384, "hmac(sha384)" },
6780edc0 248 {AUTH_HMAC_SHA2_512_256, "hmac(sha512)" },
c632aa7b 249 {AUTH_HMAC_SHA2_512_512, "hmac(sha512)" },
e517b4b1
MW		 250/* {AUTH_DES_MAC, "***" }, */
251/* {AUTH_KPDK_MD5, "***" }, */
252 {AUTH_AES_XCBC_96, "xcbc(aes)" },
564a1996 253 {AUTH_AES_CMAC_96, "cmac(aes)" },
507f26f6
TB		 254};
255
256/**
257 * Algorithms for IPComp
258 */
259static kernel_algorithm_t compression_algs[] = {
89ec5bef 260/* {IPCOMP_OUI, "***" }, */
e517b4b1
MW		 261 {IPCOMP_DEFLATE, "deflate" },
262 {IPCOMP_LZS, "lzs" },
263 {IPCOMP_LZJH, "lzjh" },
507f26f6
TB		 264};
265
266/**
267 * Look up a kernel algorithm name and its key size
268 */
7085ca68 269static const char* lookup_algorithm(transform_type_t type, int ikev2)
507f26f6 270{
08ad639f 271 kernel_algorithm_t *list;
6ac601f5
MW		 272 int i, count;
273 char *name;
08ad639f
TB		 274
275 switch (type)
276 {
277 case ENCRYPTION_ALGORITHM:
278 list = encryption_algs;
6ac601f5 279 count = countof(encryption_algs);
08ad639f
TB		 280 break;
281 case INTEGRITY_ALGORITHM:
282 list = integrity_algs;
6ac601f5 283 count = countof(integrity_algs);
08ad639f
TB		 284 break;
285 case COMPRESSION_ALGORITHM:
286 list = compression_algs;
6ac601f5 287 count = countof(compression_algs);
08ad639f
TB		 288 break;
289 default:
290 return NULL;
291 }
6ac601f5 292 for (i = 0; i < count; i++)
507f26f6 293 {
6ac601f5 294 if (list[i].ikev2 == ikev2)
507f26f6 295 {
6ac601f5 296 return list[i].name;
507f26f6 297 }
507f26f6 298 }
8394ea2a
TB		 299 if (charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, NULL,
300 &name))
6ac601f5
MW		 301 {
302 return name;
303 }
304 return NULL;
507f26f6
TB		 305}
306
9f49464d
TB		 307typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
308
309/**
310 * Private variables and functions of kernel_netlink class.
311 */
312struct private_kernel_netlink_ipsec_t {
313 /**
674bc343 314 * Public part of the kernel_netlink_t object
9f49464d
TB		 315 */
316 kernel_netlink_ipsec_t public;
317
318 /**
674bc343 319 * Mutex to lock access to installed policies
9f49464d
TB		 320 */
321 mutex_t *mutex;
322
ebeaac1f
TB		 323 /**
324 * Condvar to synchronize access to individual policies
325 */
326 condvar_t *condvar;
327
9f49464d 328 /**
cad259e3 329 * Hash table of installed policies (policy_entry_t)
9f49464d
TB		 330 */
331 hashtable_t *policies;
332
333 /**
334 * Hash table of IPsec SAs using policies (ipsec_sa_t)
335 */
336 hashtable_t *sas;
337
9f49464d
TB		 338 /**
339 * Netlink xfrm socket (IPsec)
340 */
341 netlink_socket_t *socket_xfrm;
342
343 /**
674bc343 344 * Netlink xfrm socket to receive acquire and expire events
9f49464d
TB		 345 */
346 int socket_xfrm_events;
347
348 /**
674bc343 349 * Whether to install routes along policies
9f49464d
TB		 350 */
351 bool install_routes;
352
90e6675a
TB		 353 /**
354 * Whether to set protocol and ports on selector installed with transport
355 * mode IPsec SAs
356 */
357 bool proto_port_transport;
358
8925abbe 359 /**
3000f6aa 360 * Whether to always use UPDATE to install policies
8925abbe
MW		 361 */
362 bool policy_update;
363
87888f99
MW		 364 /**
365 * Installed port based IKE bypass policies, as bypass_t
366 */
367 array_t *bypass;
fc21465c
TB		 368
369 /**
370 * Custom priority calculation function
371 */
372 uint32_t (*get_priority)(kernel_ipsec_policy_id_t *id,
373 kernel_ipsec_manage_policy_t *data);
9f49464d
TB		 374};
375
9f49464d 376typedef struct ipsec_sa_t ipsec_sa_t;
f0ba8ae0
TB		 377
378/**
379 * IPsec SA assigned to a policy.
380 */
9f49464d 381struct ipsec_sa_t {
674bc343 382 /** Source address of this SA */
9f49464d
TB		 383 host_t *src;
384
674bc343 385 /** Destination address of this SA */
9f49464d
TB		 386 host_t *dst;
387
674bc343 388 /** Optional mark */
9f49464d
TB		 389 mark_t mark;
390
b32c3ce8
TB		 391 /** Optional mark */
392 uint32_t if_id;
393
674bc343 394 /** Description of this SA */
9f49464d
TB		 395 ipsec_sa_cfg_t cfg;
396
674bc343 397 /** Reference count for this SA */
9f49464d
TB		 398 refcount_t refcount;
399};
400
401/**
402 * Hash function for ipsec_sa_t objects
403 */
404static u_int ipsec_sa_hash(ipsec_sa_t *sa)
405{
406 return chunk_hash_inc(sa->src->get_address(sa->src),
407 chunk_hash_inc(sa->dst->get_address(sa->dst),
408 chunk_hash_inc(chunk_from_thing(sa->mark),
b32c3ce8
TB		 409 chunk_hash_inc(chunk_from_thing(sa->if_id),
410 chunk_hash(chunk_from_thing(sa->cfg))))));
9f49464d
TB		 411}
412
413/**
414 * Equality function for ipsec_sa_t objects
415 */
416static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
417{
418 return sa->src->ip_equals(sa->src, other_sa->src) &&
419 sa->dst->ip_equals(sa->dst, other_sa->dst) &&
87ed9a5f
TB		 420 sa->mark.value == other_sa->mark.value &&
421 sa->mark.mask == other_sa->mark.mask &&
b32c3ce8 422 sa->if_id == other_sa->if_id &&
87ed9a5f 423 ipsec_sa_cfg_equals(&sa->cfg, &other_sa->cfg);
9f49464d
TB		 424}
425
426/**
674bc343 427 * Allocate or reference an IPsec SA object
9f49464d
TB		 428 */
429static ipsec_sa_t *ipsec_sa_create(private_kernel_netlink_ipsec_t *this,
430 host_t *src, host_t *dst, mark_t mark,
b32c3ce8 431 uint32_t if_id, ipsec_sa_cfg_t *cfg)
9f49464d
TB		 432{
433 ipsec_sa_t *sa, *found;
434 INIT(sa,
435 .src = src,
436 .dst = dst,
437 .mark = mark,
b32c3ce8 438 .if_id = if_id,
9f49464d
TB		 439 .cfg = *cfg,
440 );
441 found = this->sas->get(this->sas, sa);
442 if (!found)
443 {
444 sa->src = src->clone(src);
445 sa->dst = dst->clone(dst);
446 this->sas->put(this->sas, sa, sa);
447 }
448 else
449 {
450 free(sa);
451 sa = found;
452 }
453 ref_get(&sa->refcount);
454 return sa;
455}
456
457/**
674bc343 458 * Release and destroy an IPsec SA object
9f49464d
TB		 459 */
460static void ipsec_sa_destroy(private_kernel_netlink_ipsec_t *this,
461 ipsec_sa_t *sa)
462{
463 if (ref_put(&sa->refcount))
464 {
465 this->sas->remove(this->sas, sa);
466 DESTROY_IF(sa->src);
467 DESTROY_IF(sa->dst);
468 free(sa);
469 }
470}
471
472typedef struct policy_sa_t policy_sa_t;
aea3c105 473typedef struct policy_sa_out_t policy_sa_out_t;
9f49464d
TB		 474
475/**
476 * Mapping between a policy and an IPsec SA.
477 */
f0ba8ae0 478struct policy_sa_t {
674bc343 479 /** Priority assigned to the policy when installed with this SA */
b12c53ce 480 uint32_t priority;
f0ba8ae0 481
869f4e90
TB		 482 /** Automatic priority assigned to the policy when installed with this SA */
483 uint32_t auto_priority;
484
674bc343 485 /** Type of the policy */
f0ba8ae0
TB		 486 policy_type_t type;
487
674bc343 488 /** Assigned SA */
9f49464d
TB		 489 ipsec_sa_t *sa;
490};
f0ba8ae0 491
9f49464d 492/**
aea3c105 493 * For outbound policies we also cache the traffic selectors in order to install
9f49464d
TB		 494 * the route.
495 */
aea3c105 496struct policy_sa_out_t {
674bc343 497 /** Generic interface */
9f49464d 498 policy_sa_t generic;
f0ba8ae0 499
674bc343 500 /** Source traffic selector of this policy */
f0ba8ae0
TB		 501 traffic_selector_t *src_ts;
502
674bc343 503 /** Destination traffic selector of this policy */
f0ba8ae0 504 traffic_selector_t *dst_ts;
9f49464d 505};
f0ba8ae0 506
9f49464d 507/**
c4387e99 508 * Create a policy_sa(_in)_t object
9f49464d
TB		 509 */
510static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
511 policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
512 traffic_selector_t *src_ts, traffic_selector_t *dst_ts, mark_t mark,
b32c3ce8 513 uint32_t if_id, ipsec_sa_cfg_t *cfg)
9f49464d
TB		 514{
515 policy_sa_t *policy;
f0ba8ae0 516
aea3c105 517 if (dir == POLICY_OUT)
9f49464d 518 {
aea3c105
TB		 519 policy_sa_out_t *out;
520 INIT(out,
9f49464d
TB		 521 .src_ts = src_ts->clone(src_ts),
522 .dst_ts = dst_ts->clone(dst_ts),
523 );
aea3c105 524 policy = &out->generic;
9f49464d
TB		 525 }
526 else
527 {
25d59e9e 528 INIT(policy, .priority = 0);
9f49464d
TB		 529 }
530 policy->type = type;
b32c3ce8 531 policy->sa = ipsec_sa_create(this, src, dst, mark, if_id, cfg);
9f49464d
TB		 532 return policy;
533}
f0ba8ae0 534
9f49464d 535/**
c4387e99 536 * Destroy a policy_sa(_in)_t object
9f49464d 537 */
8a2e4d4a 538static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t dir,
4e9e4372 539 private_kernel_netlink_ipsec_t *this)
f0ba8ae0 540{
8a2e4d4a 541 if (dir == POLICY_OUT)
9f49464d 542 {
aea3c105
TB		 543 policy_sa_out_t *out = (policy_sa_out_t*)policy;
544 out->src_ts->destroy(out->src_ts);
545 out->dst_ts->destroy(out->dst_ts);
9f49464d
TB		 546 }
547 ipsec_sa_destroy(this, policy->sa);
548 free(policy);
f0ba8ae0
TB		 549}
550
8a2e4d4a
TB		 551CALLBACK(policy_sa_destroy_cb, void,
552 policy_sa_t *policy, va_list args)
553{
554 private_kernel_netlink_ipsec_t *this;
555 policy_dir_t dir;
556
557 VA_ARGS_VGET(args, dir, this);
558 policy_sa_destroy(policy, dir, this);
559}
560
507f26f6
TB		 561typedef struct policy_entry_t policy_entry_t;
562
563/**
674bc343 564 * Installed kernel policy.
507f26f6
TB		 565 */
566struct policy_entry_t {
7daf5226 567
674bc343 568 /** Direction of this policy: in, out, forward */
b12c53ce 569 uint8_t direction;
7daf5226 570
674bc343 571 /** Parameters of installed policy */
507f26f6 572 struct xfrm_selector sel;
7daf5226 573
674bc343 574 /** Optional mark */
b12c53ce 575 uint32_t mark;
ee26c537 576
b32c3ce8
TB		 577 /** Optional interface ID */
578 uint32_t if_id;
579
674bc343 580 /** Associated route installed for this policy */
507f26f6 581 route_entry_t *route;
7daf5226 582
674bc343 583 /** List of SAs this policy is used by, ordered by priority */
9f49464d 584 linked_list_t *used_by;
1551d8b1
MW		 585
586 /** reqid for this policy */
b12c53ce 587 uint32_t reqid;
ebeaac1f
TB		 588
589 /** Number of threads waiting to work on this policy */
590 int waiting;
591
592 /** TRUE if a thread is working on this policy */
593 bool working;
507f26f6
TB		 594};
595
674bc343
TB		 596/**
597 * Destroy a policy_entry_t object
598 */
9f49464d
TB		 599static void policy_entry_destroy(private_kernel_netlink_ipsec_t *this,
600 policy_entry_t *policy)
f0ba8ae0 601{
9f49464d 602 if (policy->route)
f0ba8ae0 603 {
9f49464d 604 route_entry_destroy(policy->route);
f0ba8ae0 605 }
9f49464d
TB		 606 if (policy->used_by)
607 {
8a2e4d4a
TB		 608 policy->used_by->invoke_function(policy->used_by, policy_sa_destroy_cb,
609 policy->direction, this);
9f49464d
TB		 610 policy->used_by->destroy(policy->used_by);
611 }
612 free(policy);
f0ba8ae0
TB		 613}
614
3fb404d8
TB		 615/**
616 * Hash function for policy_entry_t objects
617 */
618static u_int policy_hash(policy_entry_t *key)
619{
6ffb8f86 620 chunk_t chunk = chunk_from_thing(key->sel);
b32c3ce8
TB		 621 return chunk_hash_inc(chunk, chunk_hash_inc(chunk_from_thing(key->mark),
622 chunk_hash(chunk_from_thing(key->if_id))));
3fb404d8
TB		 623}
624
625/**
626 * Equality function for policy_entry_t objects
627 */
628static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
629{
6ffb8f86
TB		 630 return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
631 key->mark == other_key->mark &&
b32c3ce8 632 key->if_id == other_key->if_id &&
3fb404d8
TB		 633 key->direction == other_key->direction;
634}
635
d3af3b79
AS		 636/**
637 * Determine number of set bits in 16 bit port mask
638 */
639static inline uint32_t port_mask_bits(uint16_t port_mask)
640{
641 uint32_t bits;
642 uint16_t bit_mask = 0x8000;
643
644 port_mask = ntohs(port_mask);
645
646 for (bits = 0; bits < 16; bits++)
647 {
648 if (!(port_mask & bit_mask))
649 {
650 break;
651 }
652 bit_mask >>= 1;
653 }
654 return bits;
655}
656
fbedc6a4
TB		 657/**
658 * Calculate the priority of a policy
d3af3b79 659 *
0e9d6c46
TB		 660 * bits 0-0: separate trap and regular policies (0..1) 1 bit
661 * bits 1-1: restriction to network interface (0..1) 1 bit
662 * bits 2-7: src + dst port mask bits (2 * 0..16) 6 bits
663 * bits 8-8: restriction to protocol (0..1) 1 bit
664 * bits 9-17: src + dst network mask bits (2 * 0..128) 9 bits
665 * 18 bits
d3af3b79 666 *
0e9d6c46
TB		 667 * smallest value: 000000000 0 000000 0 0: 0, lowest priority = 200'000
668 * largest value : 100000000 1 100000 1 1: 131'459, highst priority = 68'541
fbedc6a4 669 */
d3af3b79
AS		 670static uint32_t get_priority(policy_entry_t *policy, policy_priority_t prio,
671 char *interface)
fbedc6a4 672{
d3af3b79
AS		 673 uint32_t priority = PRIO_BASE, sport_mask_bits, dport_mask_bits;
674
fbedc6a4
TB		 675 switch (prio)
676 {
d7a59f19 677 case POLICY_PRIORITY_FALLBACK:
d3af3b79
AS		 678 priority += PRIO_BASE;
679 /* fall-through to next case */
fbedc6a4 680 case POLICY_PRIORITY_ROUTED:
fbedc6a4 681 case POLICY_PRIORITY_DEFAULT:
d3af3b79
AS		 682 priority += PRIO_BASE;
683 /* fall-through to next case */
f1675e4e 684 case POLICY_PRIORITY_PASS:
fbedc6a4
TB		 685 break;
686 }
d3af3b79
AS		 687 sport_mask_bits = port_mask_bits(policy->sel.sport_mask);
688 dport_mask_bits = port_mask_bits(policy->sel.dport_mask);
689
690 /* calculate priority */
0e9d6c46
TB		 691 priority -= (policy->sel.prefixlen_s + policy->sel.prefixlen_d) * 512;
692 priority -= policy->sel.proto ? 256 : 0;
693 priority -= (sport_mask_bits + dport_mask_bits) * 4;
694 priority -= (interface != NULL) * 2;
695 priority -= (prio != POLICY_PRIORITY_ROUTED);
d3af3b79 696
fbedc6a4
TB		 697 return priority;
698}
699
d24a74c5 700/**
674bc343 701 * Convert the general ipsec mode to the one defined in xfrm.h
d24a74c5 702 */
b12c53ce 703static uint8_t mode2kernel(ipsec_mode_t mode)
d24a74c5
TB		 704{
705 switch (mode)
706 {
707 case MODE_TRANSPORT:
708 return XFRM_MODE_TRANSPORT;
709 case MODE_TUNNEL:
710 return XFRM_MODE_TUNNEL;
711 case MODE_BEET:
712 return XFRM_MODE_BEET;
713 default:
714 return mode;
715 }
716}
717
507f26f6 718/**
674bc343 719 * Convert a host_t to a struct xfrm_address
507f26f6
TB		 720 */
721static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
722{
723 chunk_t chunk = host->get_address(host);
7daf5226 724 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
507f26f6
TB		 725}
726
aa9a3006 727/**
674bc343 728 * Convert a struct xfrm_address to a host_t
aa9a3006 729 */
b12c53ce 730static host_t* xfrm2host(int family, xfrm_address_t *xfrm, uint16_t port)
aa9a3006
MW		 731{
732 chunk_t chunk;
7daf5226 733
aa9a3006
MW		 734 switch (family)
735 {
736 case AF_INET:
737 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
738 break;
739 case AF_INET6:
740 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
741 break;
742 default:
743 return NULL;
744 }
745 return host_create_from_chunk(family, chunk, ntohs(port));
746}
747
507f26f6 748/**
674bc343 749 * Convert a traffic selector address range to subnet and its mask.
507f26f6 750 */
7daf5226 751static void ts2subnet(traffic_selector_t* ts,
b12c53ce 752 xfrm_address_t *net, uint8_t *mask)
507f26f6 753{
1adaa02b
TB		 754 host_t *net_host;
755 chunk_t net_chunk;
7daf5226 756
1adaa02b
TB		 757 ts->to_subnet(ts, &net_host, mask);
758 net_chunk = net_host->get_address(net_host);
759 memcpy(net, net_chunk.ptr, net_chunk.len);
760 net_host->destroy(net_host);
507f26f6
TB		 761}
762
763/**
674bc343 764 * Convert a traffic selector port range to port/portmask
507f26f6 765 */
7daf5226 766static void ts2ports(traffic_selector_t* ts,
b12c53ce 767 uint16_t *port, uint16_t *mask)
507f26f6 768{
6abae81f
AS		 769 uint16_t from, to, bitmask;
770 int bit;
7daf5226 771
507f26f6
TB		 772 from = ts->get_from_port(ts);
773 to = ts->get_to_port(ts);
7daf5226 774
6abae81f 775 /* Quick check for a single port */
507f26f6
TB		 776 if (from == to)
777 {
778 *port = htons(from);
779 *mask = ~0;
780 }
781 else
782 {
6abae81f 783 /* Compute the port mask for port ranges */
507f26f6 784 *mask = 0;
6abae81f
AS		 785
786 for (bit = 15; bit >= 0; bit--)
787 {
788 bitmask = 1 << bit;
789
790 if ((bitmask & from) != (bitmask & to))
791 {
792 *port = htons(from & *mask);
793 *mask = htons(*mask);
794 return;
795 }
796 *mask |= bitmask;
797 }
507f26f6 798 }
6abae81f 799 return;
507f26f6
TB		 800}
801
802/**
674bc343 803 * Convert a pair of traffic_selectors to an xfrm_selector
507f26f6 804 */
7daf5226 805static struct xfrm_selector ts2selector(traffic_selector_t *src,
c26e4330
AS		 806 traffic_selector_t *dst,
807 char *interface)
507f26f6
TB		 808{
809 struct xfrm_selector sel;
b12c53ce 810 uint16_t port;
507f26f6
TB		 811
812 memset(&sel, 0, sizeof(sel));
813 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
814 /* src or dest proto may be "any" (0), use more restrictive one */
815 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
816 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
817 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
818 ts2ports(dst, &sel.dport, &sel.dport_mask);
819 ts2ports(src, &sel.sport, &sel.sport_mask);
ddc2d3c8
TB		 820 if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
821 (sel.dport || sel.sport))
822 {
7b20ab0a
TB		 823 /* the kernel expects the ICMP type and code in the source and
824 * destination port fields, respectively. */
825 port = ntohs(max(sel.dport, sel.sport));
826 sel.sport = htons(traffic_selector_icmp_type(port));
827 sel.sport_mask = sel.sport ? ~0 : 0;
828 sel.dport = htons(traffic_selector_icmp_code(port));
829 sel.dport_mask = sel.dport ? ~0 : 0;
ddc2d3c8 830 }
c26e4330 831 sel.ifindex = interface ? if_nametoindex(interface) : 0;
507f26f6 832 sel.user = 0;
7daf5226 833
507f26f6
TB		 834 return sel;
835}
836
e526d228 837/**
674bc343 838 * Convert an xfrm_selector to a src|dst traffic_selector
e526d228
AS		 839 */
840static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
841{
70691c31 842 u_char *addr;
b12c53ce
AS		 843 uint8_t prefixlen;
844 uint16_t port = 0;
70691c31 845 host_t *host = NULL;
7daf5226 846
e526d228
AS		 847 if (src)
848 {
70691c31 849 addr = (u_char*)&sel->saddr;
5145ae48 850 prefixlen = sel->prefixlen_s;
70691c31
MW		 851 if (sel->sport_mask)
852 {
406a504c 853 port = ntohs(sel->sport);
70691c31 854 }
e526d228 855 }
70691c31 856 else
e526d228 857 {
70691c31 858 addr = (u_char*)&sel->daddr;
5145ae48 859 prefixlen = sel->prefixlen_d;
70691c31
MW		 860 if (sel->dport_mask)
861 {
406a504c 862 port = ntohs(sel->dport);
70691c31 863 }
e526d228 864 }
406a504c
TB		 865 if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
866 { /* convert ICMP[v6] message type and code as supplied by the kernel in
867 * source and destination ports (both in network order) */
868 port = (sel->sport >> 8) | (sel->dport & 0xff00);
869 port = ntohs(port);
870 }
e526d228 871 /* The Linux 2.6 kernel does not set the selector's family field,
7daf5226 872 * so as a kludge we additionally test the prefix length.
e526d228 873 */
b74bc438 874 if (sel->family == AF_INET || sel->prefixlen_s == 32)
e526d228 875 {
70691c31 876 host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
e526d228 877 }
b74bc438 878 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
e526d228 879 {
70691c31 880 host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
b74bc438 881 }
7daf5226 882
70691c31 883 if (host)
b74bc438 884 {
70691c31 885 return traffic_selector_create_from_subnet(host, prefixlen,
a1db77de 886 sel->proto, port, port ?: 65535);
b74bc438 887 }
70691c31 888 return NULL;
e526d228 889}
507f26f6
TB		 890
891/**
674bc343 892 * Process a XFRM_MSG_ACQUIRE from kernel
507f26f6 893 */
674bc343
TB		 894static void process_acquire(private_kernel_netlink_ipsec_t *this,
895 struct nlmsghdr *hdr)
507f26f6 896{
e526d228 897 struct xfrm_user_acquire *acquire;
b74bc438
AS		 898 struct rtattr *rta;
899 size_t rtasize;
674bc343 900 traffic_selector_t *src_ts, *dst_ts;
b12c53ce 901 uint32_t reqid = 0;
674bc343 902 int proto = 0;
7daf5226 903
4c438cf0 904 acquire = NLMSG_DATA(hdr);
b74bc438
AS		 905 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
906 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
907
908 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
e526d228 909
b74bc438 910 while (RTA_OK(rta, rtasize))
507f26f6 911 {
b74bc438
AS		 912 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
913
914 if (rta->rta_type == XFRMA_TMPL)
507f26f6 915 {
e526d228 916 struct xfrm_user_tmpl* tmpl;
b74bc438 917 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
507f26f6
TB		 918 reqid = tmpl->reqid;
919 proto = tmpl->id.proto;
920 }
b74bc438 921 rta = RTA_NEXT(rta, rtasize);
507f26f6
TB		 922 }
923 switch (proto)
924 {
925 case 0:
926 case IPPROTO_ESP:
927 case IPPROTO_AH:
928 break;
929 default:
930 /* acquire for AH/ESP only, not for IPCOMP */
931 return;
932 }
e526d228
AS		 933 src_ts = selector2ts(&acquire->sel, TRUE);
934 dst_ts = selector2ts(&acquire->sel, FALSE);
81f6ec27 935
8394ea2a 936 charon->kernel->acquire(charon->kernel, reqid, src_ts, dst_ts);
507f26f6
TB		 937}
938
939/**
674bc343 940 * Process a XFRM_MSG_EXPIRE from kernel
507f26f6 941 */
674bc343
TB		 942static void process_expire(private_kernel_netlink_ipsec_t *this,
943 struct nlmsghdr *hdr)
507f26f6 944{
507f26f6 945 struct xfrm_user_expire *expire;
b12c53ce
AS		 946 uint32_t spi;
947 uint8_t protocol;
f81a9497 948 host_t *dst;
7daf5226 949
4c438cf0 950 expire = NLMSG_DATA(hdr);
9f166d9a 951 protocol = expire->state.id.proto;
507f26f6 952 spi = expire->state.id.spi;
7daf5226 953
507f26f6 954 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
7daf5226 955
f81a9497 956 if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH)
507f26f6 957 {
f81a9497
MW		 958 dst = xfrm2host(expire->state.family, &expire->state.id.daddr, 0);
959 if (dst)
960 {
8394ea2a
TB		 961 charon->kernel->expire(charon->kernel, protocol, spi, dst,
962 expire->hard != 0);
f81a9497
MW		 963 dst->destroy(dst);
964 }
507f26f6 965 }
507f26f6
TB		 966}
967
e526d228 968/**
674bc343 969 * Process a XFRM_MSG_MIGRATE from kernel
e526d228 970 */
674bc343
TB		 971static void process_migrate(private_kernel_netlink_ipsec_t *this,
972 struct nlmsghdr *hdr)
e526d228 973{
674bc343
TB		 974 struct xfrm_userpolicy_id *policy_id;
975 struct rtattr *rta;
976 size_t rtasize;
5145ae48
AS		 977 traffic_selector_t *src_ts, *dst_ts;
978 host_t *local = NULL, *remote = NULL;
979 host_t *old_src = NULL, *old_dst = NULL;
980 host_t *new_src = NULL, *new_dst = NULL;
b12c53ce 981 uint32_t reqid = 0;
ef6d339c 982 policy_dir_t dir;
b74bc438 983
4c438cf0 984 policy_id = NLMSG_DATA(hdr);
b74bc438
AS		 985 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
986 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
987
e526d228 988 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
7daf5226 989
5145ae48
AS		 990 src_ts = selector2ts(&policy_id->sel, TRUE);
991 dst_ts = selector2ts(&policy_id->sel, FALSE);
ef6d339c
AS		 992 dir = (policy_dir_t)policy_id->dir;
993
7a915d62 994 DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
b74bc438
AS		 995
996 while (RTA_OK(rta, rtasize))
997 {
5145ae48
AS		 998 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
999 if (rta->rta_type == XFRMA_KMADDRESS)
1000 {
1001 struct xfrm_user_kmaddress *kmaddress;
1002
1003 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
1004 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
1005 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
2c815393 1006 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
bab075b1 1007 }
5145ae48
AS		 1008 else if (rta->rta_type == XFRMA_MIGRATE)
1009 {
1010 struct xfrm_user_migrate *migrate;
5145ae48
AS		 1011
1012 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
1013 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
1014 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
1015 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
1016 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
5145ae48 1017 reqid = migrate->reqid;
9f166d9a 1018 DBG2(DBG_KNL, " migrate %H...%H to %H...%H, reqid {%u}",
674bc343 1019 old_src, old_dst, new_src, new_dst, reqid);
5145ae48
AS		 1020 DESTROY_IF(old_src);
1021 DESTROY_IF(old_dst);
1022 DESTROY_IF(new_src);
1023 DESTROY_IF(new_dst);
1024 }
b74bc438
AS		 1025 rta = RTA_NEXT(rta, rtasize);
1026 }
ef6d339c 1027
7a915d62 1028 if (src_ts && dst_ts && local && remote)
ef6d339c 1029 {
8394ea2a
TB		 1030 charon->kernel->migrate(charon->kernel, reqid, src_ts, dst_ts, dir,
1031 local, remote);
ef6d339c
AS		 1032 }
1033 else
1034 {
1035 DESTROY_IF(src_ts);
1036 DESTROY_IF(dst_ts);
1037 DESTROY_IF(local);
bab075b1 1038 DESTROY_IF(remote);
ef6d339c 1039 }
e526d228
AS		 1040}
1041
aa9a3006 1042/**
674bc343 1043 * Process a XFRM_MSG_MAPPING from kernel
aa9a3006
MW		 1044 */
1045static void process_mapping(private_kernel_netlink_ipsec_t *this,
1046 struct nlmsghdr *hdr)
1047{
aa9a3006 1048 struct xfrm_user_mapping *mapping;
b12c53ce 1049 uint32_t spi;
7daf5226 1050
4c438cf0 1051 mapping = NLMSG_DATA(hdr);
aa9a3006 1052 spi = mapping->id.spi;
7daf5226 1053
aa9a3006 1054 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
7daf5226 1055
9f166d9a 1056 if (mapping->id.proto == IPPROTO_ESP)
aa9a3006 1057 {
b125839a
MW		 1058 host_t *dst, *new;
1059
1060 dst = xfrm2host(mapping->id.family, &mapping->id.daddr, 0);
1061 if (dst)
aa9a3006 1062 {
b125839a
MW		 1063 new = xfrm2host(mapping->id.family, &mapping->new_saddr,
1064 mapping->new_sport);
1065 if (new)
1066 {
8394ea2a
TB		 1067 charon->kernel->mapping(charon->kernel, IPPROTO_ESP, spi, dst,
1068 new);
b125839a
MW		 1069 new->destroy(new);
1070 }
1071 dst->destroy(dst);
aa9a3006
MW		 1072 }
1073 }
1074}
1075
507f26f6
TB		 1076/**
1077 * Receives events from kernel
1078 */
f4f77d74
MW		 1079static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd,
1080 watcher_event_t event)
507f26f6 1081{
c5b94b24 1082 char response[netlink_get_buflen()];
507f26f6
TB		 1083 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
1084 struct sockaddr_nl addr;
1085 socklen_t addr_len = sizeof(addr);
4a5a5dd2 1086 int len;
7daf5226 1087
f4f77d74
MW		 1088 len = recvfrom(this->socket_xfrm_events, response, sizeof(response),
1089 MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len);
507f26f6
TB		 1090 if (len < 0)
1091 {
1092 switch (errno)
1093 {
1094 case EINTR:
1095 /* interrupted, try again */
f4f77d74 1096 return TRUE;
507f26f6
TB		 1097 case EAGAIN:
1098 /* no data ready, select again */
f4f77d74 1099 return TRUE;
507f26f6 1100 default:
a0178fe2
TB		 1101 DBG1(DBG_KNL, "unable to receive from XFRM event socket: %s "
1102 "(%d)", strerror(errno), errno);
507f26f6 1103 sleep(1);
f4f77d74 1104 return TRUE;
507f26f6
TB		 1105 }
1106 }
7daf5226 1107
507f26f6
TB		 1108 if (addr.nl_pid != 0)
1109 { /* not from kernel. not interested, try another one */
f4f77d74 1110 return TRUE;
507f26f6 1111 }
7daf5226 1112
507f26f6
TB		 1113 while (NLMSG_OK(hdr, len))
1114 {
1115 switch (hdr->nlmsg_type)
1116 {
1117 case XFRM_MSG_ACQUIRE:
1118 process_acquire(this, hdr);
1119 break;
1120 case XFRM_MSG_EXPIRE:
1121 process_expire(this, hdr);
1122 break;
e526d228
AS		 1123 case XFRM_MSG_MIGRATE:
1124 process_migrate(this, hdr);
1125 break;
aa9a3006
MW		 1126 case XFRM_MSG_MAPPING:
1127 process_mapping(this, hdr);
1128 break;
507f26f6 1129 default:
a0178fe2
TB		 1130 DBG1(DBG_KNL, "received unknown event from XFRM event "
1131 "socket: %d", hdr->nlmsg_type);
507f26f6
TB		 1132 break;
1133 }
1134 hdr = NLMSG_NEXT(hdr, len);
1135 }
f4f77d74 1136 return TRUE;
507f26f6
TB		 1137}
1138
53e62f5d
MW		 1139METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
1140 private_kernel_netlink_ipsec_t *this)
1141{
2699c838 1142 return KERNEL_ESP_V3_TFC | KERNEL_POLICY_SPI;
53e62f5d
MW		 1143}
1144
507f26f6
TB		 1145/**
1146 * Get an SPI for a specific protocol from the kernel.
1147 */
1148static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
b12c53ce
AS		 1149 host_t *src, host_t *dst, uint8_t proto, uint32_t min, uint32_t max,
1150 uint32_t *spi)
507f26f6 1151{
21bf86f7 1152 netlink_buf_t request;
507f26f6
TB		 1153 struct nlmsghdr *hdr, *out;
1154 struct xfrm_userspi_info *userspi;
b12c53ce 1155 uint32_t received_spi = 0;
507f26f6 1156 size_t len;
7daf5226 1157
507f26f6 1158 memset(&request, 0, sizeof(request));
7daf5226 1159
0404a29b 1160 hdr = &request.hdr;
507f26f6
TB		 1161 hdr->nlmsg_flags = NLM_F_REQUEST;
1162 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1163 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1164
4c438cf0 1165 userspi = NLMSG_DATA(hdr);
507f26f6
TB		 1166 host2xfrm(src, &userspi->info.saddr);
1167 host2xfrm(dst, &userspi->info.id.daddr);
1168 userspi->info.id.proto = proto;
d24a74c5 1169 userspi->info.mode = XFRM_MODE_TUNNEL;
507f26f6
TB		 1170 userspi->info.family = src->get_family(src);
1171 userspi->min = min;
1172 userspi->max = max;
7daf5226 1173
507f26f6
TB		 1174 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1175 {
1176 hdr = out;
1177 while (NLMSG_OK(hdr, len))
1178 {
1179 switch (hdr->nlmsg_type)
1180 {
1181 case XFRM_MSG_NEWSA:
1182 {
1183 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1184 received_spi = usersa->id.spi;
1185 break;
1186 }
1187 case NLMSG_ERROR:
1188 {
1189 struct nlmsgerr *err = NLMSG_DATA(hdr);
507f26f6
TB		 1190 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1191 strerror(-err->error), -err->error);
1192 break;
1193 }
1194 default:
1195 hdr = NLMSG_NEXT(hdr, len);
1196 continue;
1197 case NLMSG_DONE:
1198 break;
1199 }
1200 break;
1201 }
1202 free(out);
1203 }
7daf5226 1204
507f26f6
TB		 1205 if (received_spi == 0)
1206 {
1207 return FAILED;
1208 }
7daf5226 1209
507f26f6
TB		 1210 *spi = received_spi;
1211 return SUCCESS;
1212}
1213
98ed9c6c
MW		 1214METHOD(kernel_ipsec_t, get_spi, status_t,
1215 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
b12c53ce 1216 uint8_t protocol, uint32_t *spi)
507f26f6 1217{
6d86d0f5
TB		 1218 uint32_t spi_min, spi_max;
1219
1220 spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
1221 KERNEL_SPI_MIN, lib->ns);
1222 spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
1223 KERNEL_SPI_MAX, lib->ns);
1224
1225 if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max),
1226 max(spi_min, spi_max), spi) != SUCCESS)
507f26f6 1227 {
2a1c9e20 1228 DBG1(DBG_KNL, "unable to get SPI");
507f26f6
TB		 1229 return FAILED;
1230 }
7daf5226 1231
2a1c9e20 1232 DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi));
507f26f6
TB		 1233 return SUCCESS;
1234}
1235
98ed9c6c
MW		 1236METHOD(kernel_ipsec_t, get_cpi, status_t,
1237 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
b12c53ce 1238 uint16_t *cpi)
507f26f6 1239{
b12c53ce 1240 uint32_t received_spi = 0;
507f26f6 1241
674bc343 1242 if (get_spi_internal(this, src, dst, IPPROTO_COMP,
2a1c9e20 1243 0x100, 0xEFFF, &received_spi) != SUCCESS)
507f26f6 1244 {
2a1c9e20 1245 DBG1(DBG_KNL, "unable to get CPI");
507f26f6
TB		 1246 return FAILED;
1247 }
7daf5226 1248
b12c53ce 1249 *cpi = htons((uint16_t)ntohl(received_spi));
7daf5226 1250
2a1c9e20 1251 DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi));
507f26f6
TB		 1252 return SUCCESS;
1253}
1254
25178f45
TB		 1255/**
1256 * Format the mark for debug messages
1257 */
1258static void format_mark(char *buf, int buflen, mark_t mark)
1259{
33d3ffde 1260 if (mark.value | mark.mask)
25178f45
TB		 1261 {
1262 snprintf(buf, buflen, " (mark %u/0x%08x)", mark.value, mark.mask);
1263 }
1264}
1265
0d9f31e1
MW		 1266/**
1267 * Add a XFRM mark to message if required
1268 */
1269static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark)
1270{
33d3ffde 1271 if (mark.value | mark.mask)
0d9f31e1
MW		 1272 {
1273 struct xfrm_mark *xmrk;
1274
1275 xmrk = netlink_reserve(hdr, buflen, XFRMA_MARK, sizeof(*xmrk));
1276 if (!xmrk)
1277 {
1278 return FALSE;
1279 }
1280 xmrk->v = mark.value;
1281 xmrk->m = mark.mask;
1282 }
1283 return TRUE;
1284}
1285
9cee688f
TB		 1286/**
1287 * Add a uint32 attribute to message
1288 */
1289static bool add_uint32(struct nlmsghdr *hdr, int buflen,
1290 enum xfrm_attr_type_t type, uint32_t value)
1291{
1292 uint32_t *xvalue;
1293
1294 xvalue = netlink_reserve(hdr, buflen, type, sizeof(*xvalue));
1295 if (!xvalue)
1296 {
1297 return FALSE;
1298 }
1299 *xvalue = value;
1300 return TRUE;
1301}
1302
c7f579fa
TB		 1303/* ETHTOOL_GSSET_INFO is available since 2.6.34 and ETH_SS_FEATURES (enum) and
1304 * ETHTOOL_GFEATURES since 2.6.39, so check for the latter */
1305#ifdef ETHTOOL_GFEATURES
1306
c7f579fa
TB		 1307/**
1308 * Global metadata used for IPsec HW offload
1309 */
1310static struct {
a605452c
TE		 1311 /** determined HW offload support */
1312 bool supported;
c7f579fa
TB		 1313 /** bit in feature set */
1314 u_int bit;
1315 /** total number of device feature blocks */
1316 u_int total_blocks;
c7f579fa
TB		 1317} netlink_hw_offload;
1318
338cc581 1319/**
a605452c 1320 * Check if kernel supports HW offload and determine feature flag
338cc581 1321 */
a605452c 1322static void netlink_find_offload_feature(const char *ifname)
338cc581 1323{
ee26f715 1324 struct ethtool_sset_info *sset_info;
338cc581 1325 struct ethtool_gstrings *cmd = NULL;
1c4e134f 1326 struct ifreq ifr = { 0 };
338cc581
AN		 1327 uint32_t sset_len, i;
1328 char *str;
a605452c 1329 int err, query_socket;
338cc581 1330
a605452c
TE		 1331 query_socket = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
1332 if (query_socket < 0)
1333 {
1334 return;
1335 }
338cc581 1336
ee26f715
TB		 1337 /* determine number of device features */
1338 INIT_EXTRA(sset_info, sizeof(uint32_t),
1339 .cmd = ETHTOOL_GSSET_INFO,
1340 .sset_mask = 1ULL << ETH_SS_FEATURES,
1341 );
d837d0b3
TB		 1342 strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
1343 ifr.ifr_name[IFNAMSIZ-1] = '\0';
ee26f715 1344 ifr.ifr_data = (void*)sset_info;
338cc581 1345
ee26f715
TB		 1346 err = ioctl(query_socket, SIOCETHTOOL, &ifr);
1347 if (err || sset_info->sset_mask != 1ULL << ETH_SS_FEATURES)
338cc581
AN		 1348 {
1349 goto out;
1350 }
1351 sset_len = sset_info->data[0];
1352
ee26f715
TB		 1353 /* retrieve names of device features */
1354 INIT_EXTRA(cmd, ETH_GSTRING_LEN * sset_len,
1355 .cmd = ETHTOOL_GSTRINGS,
1356 .string_set = ETH_SS_FEATURES,
1357 );
d837d0b3
TB		 1358 strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
1359 ifr.ifr_name[IFNAMSIZ-1] = '\0';
ee26f715
TB		 1360 ifr.ifr_data = (void*)cmd;
1361
1362 err = ioctl(query_socket, SIOCETHTOOL, &ifr);
338cc581
AN		 1363 if (err)
1364 {
1365 goto out;
1366 }
1367
ee26f715
TB		 1368 /* look for the ESP_HW feature bit */
1369 str = (char*)cmd->data;
338cc581
AN		 1370 for (i = 0; i < cmd->len; i++)
1371 {
ee26f715
TB		 1372 if (strneq(str, "esp-hw-offload", ETH_GSTRING_LEN))
1373 {
a605452c 1374 netlink_hw_offload.supported = TRUE;
ee26f715
TB		 1375 netlink_hw_offload.bit = i;
1376 netlink_hw_offload.total_blocks = (sset_len + 31) / 32;
338cc581 1377 break;
ee26f715 1378 }
338cc581
AN		 1379 str += ETH_GSTRING_LEN;
1380 }
338cc581
AN		 1381
1382out:
ee26f715
TB		 1383 free(sset_info);
1384 free(cmd);
a605452c 1385 close(query_socket);
338cc581
AN		 1386}
1387
1388/**
1389 * Check if interface supported HW offload
1390 */
1391static bool netlink_detect_offload(const char *ifname)
1392{
1393 struct ethtool_gfeatures *cmd;
1394 uint32_t feature_bit;
1c4e134f 1395 struct ifreq ifr = { 0 };
ee26f715 1396 int query_socket;
338cc581 1397 int block;
ee26f715 1398 bool ret = FALSE;
338cc581 1399
a605452c 1400 if (!netlink_hw_offload.supported)
338cc581 1401 {
a605452c 1402 DBG1(DBG_KNL, "HW offload is not supported by kernel");
338cc581
AN		 1403 return FALSE;
1404 }
1405
a605452c
TE		 1406 query_socket = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
1407 if (query_socket < 0)
338cc581 1408 {
a605452c 1409 return FALSE;
338cc581
AN		 1410 }
1411
ee26f715
TB		 1412 /* feature is supported by kernel, query device features */
1413 INIT_EXTRA(cmd, sizeof(cmd->features[0]) * netlink_hw_offload.total_blocks,
1414 .cmd = ETHTOOL_GFEATURES,
1415 .size = netlink_hw_offload.total_blocks,
1416 );
d837d0b3
TB		 1417 strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
1418 ifr.ifr_name[IFNAMSIZ-1] = '\0';
ee26f715 1419 ifr.ifr_data = (void*)cmd;
338cc581 1420
a605452c 1421 if (!ioctl(query_socket, SIOCETHTOOL, &ifr))
338cc581 1422 {
a605452c
TE		 1423 block = netlink_hw_offload.bit / 32;
1424 feature_bit = 1U << (netlink_hw_offload.bit % 32);
1425 if (cmd->features[block].active & feature_bit)
1426 {
1427 ret = TRUE;
1428 }
338cc581
AN		 1429 }
1430
ee26f715 1431 if (!ret)
338cc581
AN		 1432 {
1433 DBG1(DBG_KNL, "HW offload is not supported by device");
1434 }
a605452c 1435 free(cmd);
ee26f715 1436 close(query_socket);
338cc581
AN		 1437 return ret;
1438}
1439
c7f579fa
TB		 1440#else
1441
a605452c
TE		 1442static void netlink_find_offload_feature(const char *ifname)
1443{
1444}
1445
c7f579fa
TB		 1446static bool netlink_detect_offload(const char *ifname)
1447{
1448 return FALSE;
1449}
1450
1451#endif
1452
338cc581 1453/**
ee26f715
TB		 1454 * There are 3 HW offload configuration values:
1455 * 1. HW_OFFLOAD_NO : Do not configure HW offload.
338cc581
AN		 1456 * 2. HW_OFFLOAD_YES : Configure HW offload.
1457 * Fail SA addition if offload is not supported.
1458 * 3. HW_OFFLOAD_AUTO : Configure HW offload if supported by the kernel
1459 * and device.
1460 * Do not fail SA addition otherwise.
1461 */
1462static bool config_hw_offload(kernel_ipsec_sa_id_t *id,
ee26f715
TB		 1463 kernel_ipsec_add_sa_t *data, struct nlmsghdr *hdr,
1464 int buflen)
338cc581 1465{
338cc581
AN		 1466 host_t *local = data->inbound ? id->dst : id->src;
1467 struct xfrm_user_offload *offload;
ee26f715 1468 bool hw_offload_yes, ret = FALSE;
338cc581
AN		 1469 char *ifname;
1470
ee26f715 1471 /* do Ipsec configuration without offload */
338cc581
AN		 1472 if (data->hw_offload == HW_OFFLOAD_NO)
1473 {
1474 return TRUE;
1475 }
1476
ee26f715
TB		 1477 hw_offload_yes = (data->hw_offload == HW_OFFLOAD_YES);
1478
338cc581
AN		 1479 if (!charon->kernel->get_interface(charon->kernel, local, &ifname))
1480 {
ee26f715 1481 return !hw_offload_yes;
338cc581
AN		 1482 }
1483
ee26f715
TB		 1484 /* check if interface supports hw_offload */
1485 if (!netlink_detect_offload(ifname))
338cc581 1486 {
ee26f715 1487 ret = !hw_offload_yes;
338cc581
AN		 1488 goto out;
1489 }
1490
ee26f715 1491 /* activate HW offload */
338cc581
AN		 1492 offload = netlink_reserve(hdr, buflen,
1493 XFRMA_OFFLOAD_DEV, sizeof(*offload));
1494 if (!offload)
1495 {
ee26f715 1496 ret = !hw_offload_yes;
338cc581
AN		 1497 goto out;
1498 }
1499 offload->ifindex = if_nametoindex(ifname);
338cc581
AN		 1500 offload->flags |= data->inbound ? XFRM_OFFLOAD_INBOUND : 0;
1501
1502 ret = TRUE;
1503
1504out:
1505 free(ifname);
1506 return ret;
1507}
1508
98ed9c6c 1509METHOD(kernel_ipsec_t, add_sa, status_t,
89da06ac
TB		 1510 private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
1511 kernel_ipsec_add_sa_t *data)
507f26f6 1512{
21bf86f7 1513 netlink_buf_t request;
7085ca68
TE		 1514 const char *alg_name;
1515 char markstr[32] = "";
507f26f6
TB		 1516 struct nlmsghdr *hdr;
1517 struct xfrm_usersa_info *sa;
89da06ac
TB		 1518 uint16_t icv_size = 64, ipcomp = data->ipcomp;
1519 ipsec_mode_t mode = data->mode, original_mode = data->mode;
d05d85fe 1520 traffic_selector_t *first_src_ts, *first_dst_ts;
f7812f64 1521 status_t status = FAILED;
7daf5226 1522
ea625fab
TB		 1523 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
1524 * we are in the recursive call below */
89da06ac 1525 if (ipcomp != IPCOMP_NONE && data->cpi != 0)
ea625fab 1526 {
e75f4237 1527 lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
89da06ac
TB		 1528 kernel_ipsec_sa_id_t ipcomp_id = {
1529 .src = id->src,
1530 .dst = id->dst,
1531 .spi = htonl(ntohs(data->cpi)),
1532 .proto = IPPROTO_COMP,
1533 .mark = id->mark,
b32c3ce8 1534 .if_id = id->if_id,
89da06ac
TB		 1535 };
1536 kernel_ipsec_add_sa_t ipcomp_sa = {
1537 .reqid = data->reqid,
1538 .mode = data->mode,
1539 .src_ts = data->src_ts,
1540 .dst_ts = data->dst_ts,
1541 .lifetime = &lft,
1542 .enc_alg = ENCR_UNDEFINED,
1543 .int_alg = AUTH_UNDEFINED,
1544 .tfc = data->tfc,
1545 .ipcomp = data->ipcomp,
1546 .initiator = data->initiator,
1547 .inbound = data->inbound,
1548 .update = data->update,
1549 };
1550 add_sa(this, &ipcomp_id, &ipcomp_sa);
ea625fab 1551 ipcomp = IPCOMP_NONE;
2b2c69e9
MW		 1552 /* use transport mode ESP SA, IPComp uses tunnel mode */
1553 mode = MODE_TRANSPORT;
ea625fab 1554 }
7daf5226 1555
507f26f6 1556 memset(&request, 0, sizeof(request));
25178f45 1557 format_mark(markstr, sizeof(markstr), id->mark);
7daf5226 1558
25178f45
TB		 1559 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}%s",
1560 ntohl(id->spi), data->reqid, markstr);
6e921f20 1561
0404a29b 1562 hdr = &request.hdr;
507f26f6 1563 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
89da06ac 1564 hdr->nlmsg_type = data->update ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
507f26f6 1565 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
7daf5226 1566
4c438cf0 1567 sa = NLMSG_DATA(hdr);
89da06ac
TB		 1568 host2xfrm(id->src, &sa->saddr);
1569 host2xfrm(id->dst, &sa->id.daddr);
1570 sa->id.spi = id->spi;
1571 sa->id.proto = id->proto;
1572 sa->family = id->src->get_family(id->src);
d24a74c5 1573 sa->mode = mode2kernel(mode);
dc8b015d
TB		 1574
1575 if (!data->copy_df)
1576 {
1577 sa->flags |= XFRM_STATE_NOPMTUDISC;
1578 }
1579
1580 if (!data->copy_ecn)
1581 {
1582 sa->flags |= XFRM_STATE_NOECN;
1583 }
1584
c993eaf9
TB		 1585 if (data->inbound)
1586 {
1587 switch (data->copy_dscp)
1588 {
1589 case DSCP_COPY_YES:
1590 case DSCP_COPY_IN_ONLY:
1591 sa->flags |= XFRM_STATE_DECAP_DSCP;
1592 break;
1593 default:
1594 break;
1595 }
1596 }
1597 else
1598 {
1599 switch (data->copy_dscp)
1600 {
1601 case DSCP_COPY_IN_ONLY:
1602 case DSCP_COPY_NO:
1603 {
9cee688f
TB		 1604 /* currently the only extra flag */
1605 if (!add_uint32(hdr, sizeof(request), XFRMA_SA_EXTRA_FLAGS,
1606 XFRM_SA_XFLAG_DONT_ENCAP_DSCP))
c993eaf9
TB		 1607 {
1608 goto failed;
1609 }
c993eaf9
TB		 1610 break;
1611 }
1612 default:
1613 break;
1614 }
1615 }
1616
6ec949e0 1617 switch (mode)
507f26f6 1618 {
6ec949e0
MW		 1619 case MODE_TUNNEL:
1620 sa->flags |= XFRM_STATE_AF_UNSPEC;
1621 break;
1622 case MODE_BEET:
19b7f763 1623 case MODE_TRANSPORT:
cc04a6db
TB		 1624 if (original_mode == MODE_TUNNEL)
1625 { /* don't install selectors for switched SAs. because only one
1626 * selector can be installed other traffic would get dropped */
1627 break;
1628 }
89da06ac
TB		 1629 if (data->src_ts->get_first(data->src_ts,
1630 (void**)&first_src_ts) == SUCCESS &&
1631 data->dst_ts->get_first(data->dst_ts,
1632 (void**)&first_dst_ts) == SUCCESS)
6ec949e0 1633 {
c26e4330
AS		 1634 sa->sel = ts2selector(first_src_ts, first_dst_ts,
1635 data->interface);
90e6675a
TB		 1636 if (!this->proto_port_transport)
1637 {
1638 /* don't install proto/port on SA. This would break
1639 * potential secondary SAs for the same address using a
1640 * different prot/port. */
1641 sa->sel.proto = 0;
1642 sa->sel.dport = sa->sel.dport_mask = 0;
1643 sa->sel.sport = sa->sel.sport_mask = 0;
1644 }
6ec949e0
MW		 1645 }
1646 break;
1647 default:
1648 break;
507f26f6 1649 }
965daa1d
TB		 1650 if (id->proto == IPPROTO_AH && sa->family == AF_INET)
1651 { /* use alignment to 4 bytes for IPv4 instead of the incorrect 8 byte
1652 * alignment that's used by default but is only valid for IPv6 */
1653 sa->flags |= XFRM_STATE_ALIGN4;
1654 }
6ec949e0 1655
89da06ac
TB		 1656 sa->reqid = data->reqid;
1657 sa->lft.soft_byte_limit = XFRM_LIMIT(data->lifetime->bytes.rekey);
1658 sa->lft.hard_byte_limit = XFRM_LIMIT(data->lifetime->bytes.life);
1659 sa->lft.soft_packet_limit = XFRM_LIMIT(data->lifetime->packets.rekey);
1660 sa->lft.hard_packet_limit = XFRM_LIMIT(data->lifetime->packets.life);
507f26f6 1661 /* we use lifetimes since added, not since used */
89da06ac
TB		 1662 sa->lft.soft_add_expires_seconds = data->lifetime->time.rekey;
1663 sa->lft.hard_add_expires_seconds = data->lifetime->time.life;
507f26f6
TB		 1664 sa->lft.soft_use_expires_seconds = 0;
1665 sa->lft.hard_use_expires_seconds = 0;
7daf5226 1666
89da06ac 1667 switch (data->enc_alg)
507f26f6
TB		 1668 {
1669 case ENCR_UNDEFINED:
1670 /* no encryption */
1671 break;
507f26f6 1672 case ENCR_AES_CCM_ICV16:
507f26f6 1673 case ENCR_AES_GCM_ICV16:
71baf5a8 1674 case ENCR_NULL_AUTH_AES_GMAC:
8ddcac4c 1675 case ENCR_CAMELLIA_CCM_ICV16:
405c5dcd 1676 case ENCR_CHACHA20_POLY1305:
e517b4b1
MW		 1677 icv_size += 32;
1678 /* FALL */
1679 case ENCR_AES_CCM_ICV12:
1680 case ENCR_AES_GCM_ICV12:
8ddcac4c 1681 case ENCR_CAMELLIA_CCM_ICV12:
e517b4b1
MW		 1682 icv_size += 32;
1683 /* FALL */
1684 case ENCR_AES_CCM_ICV8:
1685 case ENCR_AES_GCM_ICV8:
8ddcac4c 1686 case ENCR_CAMELLIA_CCM_ICV8:
507f26f6 1687 {
c5ebd005
AS		 1688 struct xfrm_algo_aead *algo;
1689
89da06ac 1690 alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg);
507f26f6
TB		 1691 if (alg_name == NULL)
1692 {
1693 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
89da06ac 1694 encryption_algorithm_names, data->enc_alg);
08ad639f 1695 goto failed;
507f26f6
TB		 1696 }
1697 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
89da06ac
TB		 1698 encryption_algorithm_names, data->enc_alg,
1699 data->enc_key.len * 8);
7daf5226 1700
6dfc6339 1701 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AEAD,
89da06ac 1702 sizeof(*algo) + data->enc_key.len);
6dfc6339 1703 if (!algo)
507f26f6 1704 {
f7812f64 1705 goto failed;
507f26f6 1706 }
89da06ac 1707 algo->alg_key_len = data->enc_key.len * 8;
507f26f6 1708 algo->alg_icv_len = icv_size;
bef21bd3
TB		 1709 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1710 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
89da06ac 1711 memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len);
507f26f6
TB		 1712 break;
1713 }
1714 default:
1715 {
c5ebd005
AS		 1716 struct xfrm_algo *algo;
1717
89da06ac 1718 alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg);
507f26f6
TB		 1719 if (alg_name == NULL)
1720 {
1721 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
89da06ac 1722 encryption_algorithm_names, data->enc_alg);
f7812f64 1723 goto failed;
507f26f6
TB		 1724 }
1725 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
89da06ac
TB		 1726 encryption_algorithm_names, data->enc_alg,
1727 data->enc_key.len * 8);
7daf5226 1728
6dfc6339 1729 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_CRYPT,
89da06ac 1730 sizeof(*algo) + data->enc_key.len);
6dfc6339 1731 if (!algo)
507f26f6 1732 {
f7812f64 1733 goto failed;
507f26f6 1734 }
89da06ac 1735 algo->alg_key_len = data->enc_key.len * 8;
bef21bd3
TB		 1736 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1737 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
89da06ac 1738 memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len);
507f26f6
TB		 1739 }
1740 }
7daf5226 1741
89da06ac 1742 if (data->int_alg != AUTH_UNDEFINED)
eebfa73f 1743 {
686cfd4e
TB		 1744 u_int trunc_len = 0;
1745
89da06ac 1746 alg_name = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg);
507f26f6
TB		 1747 if (alg_name == NULL)
1748 {
7daf5226 1749 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
89da06ac 1750 integrity_algorithm_names, data->int_alg);
f7812f64 1751 goto failed;
507f26f6
TB		 1752 }
1753 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
89da06ac 1754 integrity_algorithm_names, data->int_alg, data->int_key.len * 8);
7daf5226 1755
89da06ac 1756 switch (data->int_alg)
686cfd4e
TB		 1757 {
1758 case AUTH_HMAC_MD5_128:
1759 case AUTH_HMAC_SHA2_256_128:
1760 trunc_len = 128;
1761 break;
1762 case AUTH_HMAC_SHA1_160:
1763 trunc_len = 160;
1764 break;
c632aa7b
MS		 1765 case AUTH_HMAC_SHA2_256_256:
1766 trunc_len = 256;
1767 break;
1768 case AUTH_HMAC_SHA2_384_384:
1769 trunc_len = 384;
1770 break;
1771 case AUTH_HMAC_SHA2_512_512:
1772 trunc_len = 512;
1773 break;
686cfd4e
TB		 1774 default:
1775 break;
1776 }
1777
1778 if (trunc_len)
507f26f6 1779 {
4b615eda
AS		 1780 struct xfrm_algo_auth* algo;
1781
1782 /* the kernel uses SHA256 with 96 bit truncation by default,
686cfd4e 1783 * use specified truncation size supported by newer kernels.
c632aa7b 1784 * also use this for untruncated MD5, SHA1 and SHA2. */
6dfc6339 1785 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH_TRUNC,
89da06ac 1786 sizeof(*algo) + data->int_key.len);
6dfc6339 1787 if (!algo)
4b615eda 1788 {
f7812f64 1789 goto failed;
4b615eda 1790 }
89da06ac 1791 algo->alg_key_len = data->int_key.len * 8;
686cfd4e 1792 algo->alg_trunc_len = trunc_len;
bef21bd3
TB		 1793 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1794 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
89da06ac 1795 memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len);
507f26f6 1796 }
fc857869 1797 else
4b615eda
AS		 1798 {
1799 struct xfrm_algo* algo;
7daf5226 1800
6dfc6339 1801 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH,
89da06ac 1802 sizeof(*algo) + data->int_key.len);
6dfc6339 1803 if (!algo)
4b615eda 1804 {
f7812f64 1805 goto failed;
4b615eda 1806 }
89da06ac 1807 algo->alg_key_len = data->int_key.len * 8;
bef21bd3
TB		 1808 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1809 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
89da06ac 1810 memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len);
4b615eda 1811 }
507f26f6 1812 }
7daf5226 1813
507f26f6
TB		 1814 if (ipcomp != IPCOMP_NONE)
1815 {
6dfc6339
MW		 1816 struct xfrm_algo* algo;
1817
08ad639f 1818 alg_name = lookup_algorithm(COMPRESSION_ALGORITHM, ipcomp);
507f26f6
TB		 1819 if (alg_name == NULL)
1820 {
7daf5226 1821 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
507f26f6 1822 ipcomp_transform_names, ipcomp);
f7812f64 1823 goto failed;
507f26f6
TB		 1824 }
1825 DBG2(DBG_KNL, " using compression algorithm %N",
1826 ipcomp_transform_names, ipcomp);
7daf5226 1827
6dfc6339
MW		 1828 algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_COMP,
1829 sizeof(*algo));
1830 if (!algo)
507f26f6 1831 {
f7812f64 1832 goto failed;
507f26f6 1833 }
507f26f6 1834 algo->alg_key_len = 0;
bef21bd3
TB		 1835 strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1836 algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
507f26f6 1837 }
7daf5226 1838
89da06ac 1839 if (data->encap)
507f26f6 1840 {
ee26c537
AS		 1841 struct xfrm_encap_tmpl *tmpl;
1842
6dfc6339
MW		 1843 tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP, sizeof(*tmpl));
1844 if (!tmpl)
507f26f6 1845 {
f7812f64 1846 goto failed;
507f26f6 1847 }
507f26f6 1848 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
89da06ac
TB		 1849 tmpl->encap_sport = htons(id->src->get_port(id->src));
1850 tmpl->encap_dport = htons(id->dst->get_port(id->dst));
507f26f6 1851 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
7daf5226 1852 /* encap_oa could probably be derived from the
674bc343
TB		 1853 * traffic selectors [rfc4306, p39]. In the netlink kernel
1854 * implementation pluto does the same as we do here but it uses
1855 * encap_oa in the pfkey implementation.
1856 * BUT as /usr/src/linux/net/key/af_key.c indicates the kernel ignores
1857 * it anyway
507f26f6 1858 * -> does that mean that NAT-T encap doesn't work in transport mode?
7daf5226 1859 * No. The reason the kernel ignores NAT-OA is that it recomputes
674bc343
TB		 1860 * (or, rather, just ignores) the checksum. If packets pass the IPsec
1861 * checks it marks them "checksum ok" so OA isn't needed. */
507f26f6 1862 }
abc177e0 1863
89da06ac 1864 if (!add_mark(hdr, sizeof(request), id->mark))
ee26c537 1865 {
0d9f31e1 1866 goto failed;
ee26c537
AS		 1867 }
1868
b32c3ce8
TB		 1869 if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
1870 {
1871 goto failed;
1872 }
1873
9cee688f
TB		 1874 if (ipcomp == IPCOMP_NONE && (data->mark.value | data->mark.mask))
1875 {
1876 if (!add_uint32(hdr, sizeof(request), XFRMA_SET_MARK,
1877 data->mark.value) ||
1878 !add_uint32(hdr, sizeof(request), XFRMA_SET_MARK_MASK,
1879 data->mark.mask))
1880 {
1881 goto failed;
1882 }
1883 }
1884
89da06ac 1885 if (data->tfc && id->proto == IPPROTO_ESP && mode == MODE_TUNNEL)
38a4f196 1886 { /* the kernel supports TFC padding only for tunnel mode ESP SAs */
9cee688f 1887 if (!add_uint32(hdr, sizeof(request), XFRMA_TFCPAD, data->tfc))
d86bb6ef 1888 {
f7812f64 1889 goto failed;
d86bb6ef 1890 }
d86bb6ef
MW		 1891 }
1892
89da06ac 1893 if (id->proto != IPPROTO_COMP)
ee8c89e2 1894 {
40828219
TB		 1895 /* generally, we don't need a replay window for outbound SAs, however,
1896 * when using ESN the kernel rejects the attribute if it is 0 */
1897 if (!data->inbound && data->replay_window)
1898 {
1899 data->replay_window = data->esn ? 1 : 0;
1900 }
89da06ac 1901 if (data->replay_window != 0 && (data->esn || data->replay_window > 32))
ee8c89e2
MW		 1902 {
1903 /* for ESN or larger replay windows we need the new
1904 * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
1905 struct xfrm_replay_state_esn *replay;
b12c53ce 1906 uint32_t bmp_size;
ee8c89e2 1907
89da06ac 1908 bmp_size = round_up(data->replay_window, sizeof(uint32_t) * 8) / 8;
6dfc6339 1909 replay = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
44098fba 1910 sizeof(*replay) + bmp_size);
6dfc6339 1911 if (!replay)
ee8c89e2 1912 {
f7812f64 1913 goto failed;
ee8c89e2 1914 }
ee8c89e2 1915 /* bmp_len contains number uf __u32's */
b12c53ce 1916 replay->bmp_len = bmp_size / sizeof(uint32_t);
89da06ac
TB		 1917 replay->replay_window = data->replay_window;
1918 DBG2(DBG_KNL, " using replay window of %u packets",
1919 data->replay_window);
ee8c89e2 1920
89da06ac 1921 if (data->esn)
ee8c89e2 1922 {
6101ee9b 1923 DBG2(DBG_KNL, " using extended sequence numbers (ESN)");
ee8c89e2
MW		 1924 sa->flags |= XFRM_STATE_ESN;
1925 }
1926 }
1927 else
1928 {
89da06ac
TB		 1929 DBG2(DBG_KNL, " using replay window of %u packets",
1930 data->replay_window);
1931 sa->replay_window = data->replay_window;
ee8c89e2 1932 }
d42948fc 1933
ee26f715 1934 DBG2(DBG_KNL, " HW offload: %N", hw_offload_names, data->hw_offload);
338cc581
AN		 1935 if (!config_hw_offload(id, data, hdr, sizeof(request)))
1936 {
1937 DBG1(DBG_KNL, "failed to configure HW offload");
1938 goto failed;
d42948fc 1939 }
ee8c89e2
MW		 1940 }
1941
d140b3bd
TE		 1942 status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
1943 if (status == NOT_FOUND && data->update)
507f26f6 1944 {
d140b3bd
TE		 1945 DBG1(DBG_KNL, "allocated SPI not found anymore, try to add SAD entry");
1946 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1947 status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
1948 }
1949
1950 if (status != SUCCESS)
1951 {
1952 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x%s (%N)", ntohl(id->spi),
1953 markstr, status_names, status);
1954 status = FAILED;
f7812f64 1955 goto failed;
507f26f6 1956 }
f7812f64
MW		 1957
1958 status = SUCCESS;
1959
1960failed:
0404a29b 1961 memwipe(&request, sizeof(request));
f7812f64 1962 return status;
507f26f6
TB		 1963}
1964
1965/**
05e95897
MW		 1966 * Get the ESN replay state (i.e. sequence numbers) of an SA.
1967 *
1968 * Allocates into one the replay state structure we get from the kernel.
507f26f6 1969 */
05e95897 1970static void get_replay_state(private_kernel_netlink_ipsec_t *this,
89da06ac 1971 kernel_ipsec_sa_id_t *sa,
05e95897 1972 struct xfrm_replay_state_esn **replay_esn,
b12c53ce 1973 uint32_t *replay_esn_len,
a3c2edb1
TB		 1974 struct xfrm_replay_state **replay,
1975 struct xfrm_lifetime_cur **lifetime)
507f26f6 1976{
21bf86f7 1977 netlink_buf_t request;
507f26f6
TB		 1978 struct nlmsghdr *hdr, *out = NULL;
1979 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1980 size_t len;
1981 struct rtattr *rta;
1982 size_t rtasize;
7daf5226 1983
507f26f6 1984 memset(&request, 0, sizeof(request));
7daf5226 1985
05e95897 1986 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x",
89da06ac 1987 ntohl(sa->spi));
507f26f6 1988
0404a29b 1989 hdr = &request.hdr;
507f26f6
TB		 1990 hdr->nlmsg_flags = NLM_F_REQUEST;
1991 hdr->nlmsg_type = XFRM_MSG_GETAE;
1992 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
7daf5226 1993
4c438cf0 1994 aevent_id = NLMSG_DATA(hdr);
507f26f6 1995 aevent_id->flags = XFRM_AE_RVAL;
7daf5226 1996
89da06ac
TB		 1997 host2xfrm(sa->dst, &aevent_id->sa_id.daddr);
1998 aevent_id->sa_id.spi = sa->spi;
1999 aevent_id->sa_id.proto = sa->proto;
2000 aevent_id->sa_id.family = sa->dst->get_family(sa->dst);
7daf5226 2001
89da06ac 2002 if (!add_mark(hdr, sizeof(request), sa->mark))
ac24c4d3 2003 {
0d9f31e1 2004 return;
ac24c4d3 2005 }
b32c3ce8
TB		 2006 if (sa->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, sa->if_id))
2007 {
2008 return;
2009 }
ac24c4d3 2010
507f26f6
TB		 2011 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2012 {
2013 hdr = out;
2014 while (NLMSG_OK(hdr, len))
2015 {
2016 switch (hdr->nlmsg_type)
2017 {
2018 case XFRM_MSG_NEWAE:
2019 {
2020 out_aevent = NLMSG_DATA(hdr);
2021 break;
2022 }
2023 case NLMSG_ERROR:
2024 {
2025 struct nlmsgerr *err = NLMSG_DATA(hdr);
674bc343 2026 DBG1(DBG_KNL, "querying replay state from SAD entry "
a0178fe2 2027 "failed: %s (%d)", strerror(-err->error), -err->error);
507f26f6
TB		 2028 break;
2029 }
2030 default:
2031 hdr = NLMSG_NEXT(hdr, len);
2032 continue;
2033 case NLMSG_DONE:
2034 break;
2035 }
2036 break;
2037 }
2038 }
7daf5226 2039
05e95897 2040 if (out_aevent)
507f26f6 2041 {
05e95897
MW		 2042 rta = XFRM_RTA(out, struct xfrm_aevent_id);
2043 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
2044 while (RTA_OK(rta, rtasize))
507f26f6 2045 {
a3c2edb1
TB		 2046 if (rta->rta_type == XFRMA_LTIME_VAL &&
2047 RTA_PAYLOAD(rta) == sizeof(**lifetime))
2048 {
2049 free(*lifetime);
2050 *lifetime = malloc(RTA_PAYLOAD(rta));
2051 memcpy(*lifetime, RTA_DATA(rta), RTA_PAYLOAD(rta));
2052 }
05e95897
MW		 2053 if (rta->rta_type == XFRMA_REPLAY_VAL &&
2054 RTA_PAYLOAD(rta) == sizeof(**replay))
2055 {
a3c2edb1 2056 free(*replay);
05e95897
MW		 2057 *replay = malloc(RTA_PAYLOAD(rta));
2058 memcpy(*replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
05e95897
MW		 2059 }
2060 if (rta->rta_type == XFRMA_REPLAY_ESN_VAL &&
44098fba 2061 RTA_PAYLOAD(rta) >= sizeof(**replay_esn))
05e95897 2062 {
a3c2edb1 2063 free(*replay_esn);
05e95897 2064 *replay_esn = malloc(RTA_PAYLOAD(rta));
44098fba 2065 *replay_esn_len = RTA_PAYLOAD(rta);
05e95897 2066 memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta));
05e95897
MW		 2067 }
2068 rta = RTA_NEXT(rta, rtasize);
507f26f6 2069 }
507f26f6 2070 }
507f26f6 2071 free(out);
507f26f6
TB		 2072}
2073
98ed9c6c 2074METHOD(kernel_ipsec_t, query_sa, status_t,
89da06ac
TB		 2075 private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
2076 kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets,
2077 time_t *time)
2ad51539
AS		 2078{
2079 netlink_buf_t request;
2080 struct nlmsghdr *out = NULL, *hdr;
2081 struct xfrm_usersa_id *sa_id;
2082 struct xfrm_usersa_info *sa = NULL;
f7812f64 2083 status_t status = FAILED;
2ad51539 2084 size_t len;
25178f45 2085 char markstr[32] = "";
7daf5226 2086
2ad51539 2087 memset(&request, 0, sizeof(request));
25178f45 2088 format_mark(markstr, sizeof(markstr), id->mark);
2ad51539 2089
25178f45
TB		 2090 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x%s", ntohl(id->spi),
2091 markstr);
6e921f20 2092
0404a29b 2093 hdr = &request.hdr;
2ad51539
AS		 2094 hdr->nlmsg_flags = NLM_F_REQUEST;
2095 hdr->nlmsg_type = XFRM_MSG_GETSA;
2096 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2097
4c438cf0 2098 sa_id = NLMSG_DATA(hdr);
89da06ac
TB		 2099 host2xfrm(id->dst, &sa_id->daddr);
2100 sa_id->spi = id->spi;
2101 sa_id->proto = id->proto;
2102 sa_id->family = id->dst->get_family(id->dst);
7daf5226 2103
89da06ac 2104 if (!add_mark(hdr, sizeof(request), id->mark))
ee26c537 2105 {
0d9f31e1 2106 return FAILED;
ee26c537 2107 }
b32c3ce8
TB		 2108 if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
2109 {
2110 return FAILED;
2111 }
ee26c537 2112
2ad51539
AS		 2113 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2114 {
2115 hdr = out;
2116 while (NLMSG_OK(hdr, len))
2117 {
2118 switch (hdr->nlmsg_type)
2119 {
2120 case XFRM_MSG_NEWSA:
2121 {
4c438cf0 2122 sa = NLMSG_DATA(hdr);
2ad51539
AS		 2123 break;
2124 }
2125 case NLMSG_ERROR:
2126 {
2127 struct nlmsgerr *err = NLMSG_DATA(hdr);
ba31fe1f 2128
25178f45
TB		 2129 DBG1(DBG_KNL, "querying SAD entry with SPI %.8x%s failed: "
2130 "%s (%d)", ntohl(id->spi), markstr,
2131 strerror(-err->error), -err->error);
2ad51539
AS		 2132 break;
2133 }
2134 default:
2135 hdr = NLMSG_NEXT(hdr, len);
2136 continue;
2137 case NLMSG_DONE:
2138 break;
2139 }
2140 break;
2141 }
2142 }
7daf5226 2143
2ad51539
AS		 2144 if (sa == NULL)
2145 {
25178f45
TB		 2146 DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x%s",
2147 ntohl(id->spi), markstr);
2ad51539 2148 }
f7812f64
MW		 2149 else
2150 {
7eeeb1c7
MW		 2151 if (bytes)
2152 {
2153 *bytes = sa->curlft.bytes;
2154 }
2155 if (packets)
2156 {
2157 *packets = sa->curlft.packets;
2158 }
5c12700f
MW		 2159 if (time)
2160 { /* curlft contains an "use" time, but that contains a timestamp
2161 * of the first use, not the last. Last use time must be queried
2162 * on the policy on Linux */
2163 *time = 0;
2164 }
f7812f64
MW		 2165 status = SUCCESS;
2166 }
2167 memwipe(out, len);
2ad51539 2168 free(out);
38865ece 2169 return status;
2ad51539 2170}
98ed9c6c
MW		 2171
2172METHOD(kernel_ipsec_t, del_sa, status_t,
89da06ac
TB		 2173 private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
2174 kernel_ipsec_del_sa_t *data)
f5812086 2175{
21bf86f7 2176 netlink_buf_t request;
f5812086
MW		 2177 struct nlmsghdr *hdr;
2178 struct xfrm_usersa_id *sa_id;
25178f45 2179 char markstr[32] = "";
7daf5226 2180
f5812086 2181 /* if IPComp was used, we first delete the additional IPComp SA */
89da06ac
TB		 2182 if (data->cpi)
2183 {
2184 kernel_ipsec_sa_id_t ipcomp_id = {
2185 .src = id->src,
2186 .dst = id->dst,
2187 .spi = htonl(ntohs(data->cpi)),
2188 .proto = IPPROTO_COMP,
2189 .mark = id->mark,
2190 };
2191 kernel_ipsec_del_sa_t ipcomp = {};
2192 del_sa(this, &ipcomp_id, &ipcomp);
f5812086 2193 }
7daf5226 2194
f5812086 2195 memset(&request, 0, sizeof(request));
25178f45 2196 format_mark(markstr, sizeof(markstr), id->mark);
7daf5226 2197
25178f45
TB		 2198 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x%s", ntohl(id->spi),
2199 markstr);
6e921f20 2200
0404a29b 2201 hdr = &request.hdr;
f5812086
MW		 2202 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2203 hdr->nlmsg_type = XFRM_MSG_DELSA;
2204 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
7daf5226 2205
4c438cf0 2206 sa_id = NLMSG_DATA(hdr);
89da06ac
TB		 2207 host2xfrm(id->dst, &sa_id->daddr);
2208 sa_id->spi = id->spi;
2209 sa_id->proto = id->proto;
2210 sa_id->family = id->dst->get_family(id->dst);
7daf5226 2211
89da06ac 2212 if (!add_mark(hdr, sizeof(request), id->mark))
ee26c537 2213 {
0d9f31e1 2214 return FAILED;
ee26c537 2215 }
b32c3ce8
TB		 2216 if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
2217 {
2218 return FAILED;
2219 }
ee26c537 2220
07202a2b 2221 switch (this->socket_xfrm->send_ack(this->socket_xfrm, hdr))
ee26c537 2222 {
07202a2b 2223 case SUCCESS:
25178f45
TB		 2224 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x%s",
2225 ntohl(id->spi), markstr);
07202a2b
MW		 2226 return SUCCESS;
2227 case NOT_FOUND:
2228 return NOT_FOUND;
2229 default:
25178f45
TB		 2230 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x%s",
2231 ntohl(id->spi), markstr);
07202a2b 2232 return FAILED;
ee26c537 2233 }
f5812086
MW		 2234}
2235
98ed9c6c 2236METHOD(kernel_ipsec_t, update_sa, status_t,
89da06ac
TB		 2237 private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
2238 kernel_ipsec_update_sa_t *data)
507f26f6 2239{
21bf86f7 2240 netlink_buf_t request;
0b5dfaeb 2241 struct nlmsghdr *hdr, *out_hdr = NULL, *out = NULL;
507f26f6 2242 struct xfrm_usersa_id *sa_id;
0b5dfaeb 2243 struct xfrm_usersa_info *sa;
94163816 2244 size_t len;
507f26f6
TB		 2245 struct rtattr *rta;
2246 size_t rtasize;
48ea6550 2247 struct xfrm_encap_tmpl* encap = NULL;
05e95897
MW		 2248 struct xfrm_replay_state *replay = NULL;
2249 struct xfrm_replay_state_esn *replay_esn = NULL;
a3c2edb1 2250 struct xfrm_lifetime_cur *lifetime = NULL;
b12c53ce 2251 uint32_t replay_esn_len = 0;
89da06ac 2252 kernel_ipsec_del_sa_t del = { 0 };
05e95897 2253 status_t status = FAILED;
a9b9450c 2254 traffic_selector_t *ts;
25178f45 2255 char markstr[32] = "";
7daf5226 2256
ea625fab 2257 /* if IPComp is used, we first update the IPComp SA */
89da06ac
TB		 2258 if (data->cpi)
2259 {
2260 kernel_ipsec_sa_id_t ipcomp_id = {
2261 .src = id->src,
2262 .dst = id->dst,
2263 .spi = htonl(ntohs(data->cpi)),
2264 .proto = IPPROTO_COMP,
2265 .mark = id->mark,
b32c3ce8 2266 .if_id = id->if_id,
89da06ac
TB		 2267 };
2268 kernel_ipsec_update_sa_t ipcomp = {
2269 .new_src = data->new_src,
2270 .new_dst = data->new_dst,
2271 };
2272 update_sa(this, &ipcomp_id, &ipcomp);
ea625fab 2273 }
7daf5226 2274
507f26f6 2275 memset(&request, 0, sizeof(request));
25178f45 2276 format_mark(markstr, sizeof(markstr), id->mark);
7daf5226 2277
25178f45
TB		 2278 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x%s for update",
2279 ntohl(id->spi), markstr);
7daf5226 2280
507f26f6 2281 /* query the existing SA first */
0404a29b 2282 hdr = &request.hdr;
507f26f6
TB		 2283 hdr->nlmsg_flags = NLM_F_REQUEST;
2284 hdr->nlmsg_type = XFRM_MSG_GETSA;
2285 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
7daf5226 2286
4c438cf0 2287 sa_id = NLMSG_DATA(hdr);
89da06ac
TB		 2288 host2xfrm(id->dst, &sa_id->daddr);
2289 sa_id->spi = id->spi;
2290 sa_id->proto = id->proto;
2291 sa_id->family = id->dst->get_family(id->dst);
7daf5226 2292
89da06ac 2293 if (!add_mark(hdr, sizeof(request), id->mark))
2925aa72 2294 {
0d9f31e1 2295 return FAILED;
2925aa72 2296 }
b32c3ce8
TB		 2297 if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
2298 {
2299 return FAILED;
2300 }
2925aa72 2301
507f26f6
TB		 2302 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2303 {
2304 hdr = out;
2305 while (NLMSG_OK(hdr, len))
2306 {
2307 switch (hdr->nlmsg_type)
2308 {
2309 case XFRM_MSG_NEWSA:
2310 {
0b5dfaeb 2311 out_hdr = hdr;
507f26f6
TB		 2312 break;
2313 }
2314 case NLMSG_ERROR:
2315 {
2316 struct nlmsgerr *err = NLMSG_DATA(hdr);
2317 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2318 strerror(-err->error), -err->error);
2319 break;
2320 }
2321 default:
2322 hdr = NLMSG_NEXT(hdr, len);
2323 continue;
2324 case NLMSG_DONE:
2325 break;
2326 }
2327 break;
2328 }
2329 }
0b5dfaeb 2330 if (!out_hdr)
507f26f6 2331 {
25178f45
TB		 2332 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x%s",
2333 ntohl(id->spi), markstr);
05e95897 2334 goto failed;
507f26f6 2335 }
7daf5226 2336
89da06ac
TB		 2337 get_replay_state(this, id, &replay_esn, &replay_esn_len, &replay,
2338 &lifetime);
7daf5226 2339
ea625fab 2340 /* delete the old SA (without affecting the IPComp SA) */
89da06ac 2341 if (del_sa(this, id, &del) != SUCCESS)
507f26f6 2342 {
25178f45
TB		 2343 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x%s",
2344 ntohl(id->spi), markstr);
05e95897 2345 goto failed;
507f26f6 2346 }
7daf5226 2347
25178f45
TB		 2348 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x%s from %#H..%#H to "
2349 "%#H..%#H", ntohl(id->spi), markstr, id->src, id->dst, data->new_src,
89da06ac 2350 data->new_dst);
507f26f6 2351 /* copy over the SA from out to request */
0404a29b 2352 hdr = &request.hdr;
7daf5226 2353 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
507f26f6
TB		 2354 hdr->nlmsg_type = XFRM_MSG_NEWSA;
2355 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2356 sa = NLMSG_DATA(hdr);
0b5dfaeb 2357 memcpy(sa, NLMSG_DATA(out_hdr), sizeof(struct xfrm_usersa_info));
89da06ac 2358 sa->family = data->new_dst->get_family(data->new_dst);
7daf5226 2359
89da06ac 2360 if (!id->src->ip_equals(id->src, data->new_src))
507f26f6 2361 {
89da06ac 2362 host2xfrm(data->new_src, &sa->saddr);
a9b9450c
TB		 2363
2364 ts = selector2ts(&sa->sel, TRUE);
2365 if (ts && ts->is_host(ts, id->src))
2366 {
2367 ts->set_address(ts, data->new_src);
2368 ts2subnet(ts, &sa->sel.saddr, &sa->sel.prefixlen_s);
2369 }
2370 DESTROY_IF(ts);
507f26f6 2371 }
89da06ac 2372 if (!id->dst->ip_equals(id->dst, data->new_dst))
507f26f6 2373 {
89da06ac 2374 host2xfrm(data->new_dst, &sa->id.daddr);
a9b9450c
TB		 2375
2376 ts = selector2ts(&sa->sel, FALSE);
2377 if (ts && ts->is_host(ts, id->dst))
2378 {
2379 ts->set_address(ts, data->new_dst);
2380 ts2subnet(ts, &sa->sel.daddr, &sa->sel.prefixlen_d);
2381 }
2382 DESTROY_IF(ts);
507f26f6 2383 }
7daf5226 2384
0b5dfaeb
TB		 2385 rta = XFRM_RTA(out_hdr, struct xfrm_usersa_info);
2386 rtasize = XFRM_PAYLOAD(out_hdr, struct xfrm_usersa_info);
6dfc6339 2387 while (RTA_OK(rta, rtasize))
507f26f6
TB		 2388 {
2389 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
89da06ac 2390 if (rta->rta_type != XFRMA_ENCAP || data->new_encap)
507f26f6
TB		 2391 {
2392 if (rta->rta_type == XFRMA_ENCAP)
2393 { /* update encap tmpl */
48ea6550
TB		 2394 encap = RTA_DATA(rta);
2395 encap->encap_sport = ntohs(data->new_src->get_port(data->new_src));
2396 encap->encap_dport = ntohs(data->new_dst->get_port(data->new_dst));
2397 }
2398 if (rta->rta_type == XFRMA_OFFLOAD_DEV)
2399 { /* update offload device */
2400 struct xfrm_user_offload *offload;
2401 host_t *local;
2402 char *ifname;
2403
2404 offload = RTA_DATA(rta);
2405 local = offload->flags & XFRM_OFFLOAD_INBOUND ? data->new_dst
2406 : data->new_src;
2407
2408 if (charon->kernel->get_interface(charon->kernel, local,
2409 &ifname))
2410 {
2411 offload->ifindex = if_nametoindex(ifname);
48ea6550
TB		 2412 free(ifname);
2413 }
7daf5226 2414 }
94163816
MW		 2415 netlink_add_attribute(hdr, rta->rta_type,
2416 chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)),
2417 sizeof(request));
507f26f6
TB		 2418 }
2419 rta = RTA_NEXT(rta, rtasize);
2420 }
7daf5226 2421
48ea6550 2422 if (encap == NULL && data->new_encap)
507f26f6 2423 { /* add tmpl if we are enabling it */
48ea6550
TB		 2424 encap = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP,
2425 sizeof(*encap));
2426 if (!encap)
507f26f6 2427 {
05e95897 2428 goto failed;
507f26f6 2429 }
48ea6550
TB		 2430 encap->encap_type = UDP_ENCAP_ESPINUDP;
2431 encap->encap_sport = ntohs(data->new_src->get_port(data->new_src));
2432 encap->encap_dport = ntohs(data->new_dst->get_port(data->new_dst));
2433 memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
507f26f6 2434 }
7daf5226 2435
05e95897
MW		 2436 if (replay_esn)
2437 {
6dfc6339
MW		 2438 struct xfrm_replay_state_esn *state;
2439
2440 state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
44098fba 2441 replay_esn_len);
6dfc6339 2442 if (!state)
05e95897
MW		 2443 {
2444 goto failed;
2445 }
44098fba 2446 memcpy(state, replay_esn, replay_esn_len);
05e95897
MW		 2447 }
2448 else if (replay)
2449 {
6dfc6339
MW		 2450 struct xfrm_replay_state *state;
2451
2452 state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_VAL,
2453 sizeof(*state));
2454 if (!state)
507f26f6 2455 {
05e95897 2456 goto failed;
507f26f6 2457 }
6dfc6339 2458 memcpy(state, replay, sizeof(*state));
507f26f6 2459 }
05e95897
MW		 2460 else
2461 {
a3c2edb1 2462 DBG1(DBG_KNL, "unable to copy replay state from old SAD entry with "
25178f45 2463 "SPI %.8x%s", ntohl(id->spi), markstr);
a3c2edb1
TB		 2464 }
2465 if (lifetime)
2466 {
2467 struct xfrm_lifetime_cur *state;
2468
2469 state = netlink_reserve(hdr, sizeof(request), XFRMA_LTIME_VAL,
2470 sizeof(*state));
2471 if (!state)
2472 {
2473 goto failed;
2474 }
2475 memcpy(state, lifetime, sizeof(*state));
2476 }
2477 else
2478 {
2479 DBG1(DBG_KNL, "unable to copy usage stats from old SAD entry with "
25178f45 2480 "SPI %.8x%s", ntohl(id->spi), markstr);
05e95897 2481 }
abc177e0 2482
507f26f6
TB		 2483 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2484 {
25178f45
TB		 2485 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x%s",
2486 ntohl(id->spi), markstr);
05e95897 2487 goto failed;
507f26f6 2488 }
05e95897
MW		 2489
2490 status = SUCCESS;
2491failed:
2492 free(replay);
2493 free(replay_esn);
a3c2edb1 2494 free(lifetime);
f7812f64 2495 memwipe(out, len);
0404a29b 2496 memwipe(&request, sizeof(request));
507f26f6 2497 free(out);
7daf5226 2498
05e95897 2499 return status;
507f26f6
TB		 2500}
2501
99d23ddf
TB		 2502METHOD(kernel_ipsec_t, flush_sas, status_t,
2503 private_kernel_netlink_ipsec_t *this)
2504{
2505 netlink_buf_t request;
2506 struct nlmsghdr *hdr;
2507 struct xfrm_usersa_flush *flush;
82b5d1c0 2508 struct {
b12c53ce 2509 uint8_t proto;
82b5d1c0
TB		 2510 char *name;
2511 } protos[] = {
2512 { IPPROTO_AH, "AH" },
2513 { IPPROTO_ESP, "ESP" },
2514 { IPPROTO_COMP, "IPComp" },
2515 };
2516 int i;
99d23ddf
TB		 2517
2518 memset(&request, 0, sizeof(request));
2519
0404a29b 2520 hdr = &request.hdr;
99d23ddf
TB		 2521 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2522 hdr->nlmsg_type = XFRM_MSG_FLUSHSA;
2523 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush));
2524
4c438cf0 2525 flush = NLMSG_DATA(hdr);
99d23ddf 2526
82b5d1c0 2527 for (i = 0; i < countof(protos); i++)
99d23ddf 2528 {
82b5d1c0
TB		 2529 DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name);
2530
2531 flush->proto = protos[i].proto;
2532
2533 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2534 {
2535 DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name);
2536 return FAILED;
2537 }
99d23ddf
TB		 2538 }
2539 return SUCCESS;
2540}
2541
ebeaac1f
TB		 2542/**
2543 * Unlock the mutex and signal waiting threads
2544 */
2545static void policy_change_done(private_kernel_netlink_ipsec_t *this,
2546 policy_entry_t *policy)
2547{
2548 policy->working = FALSE;
2549 if (policy->waiting)
2550 { /* don't need to wake threads waiting for other policies */
2551 this->condvar->broadcast(this->condvar);
2552 }
2553 this->mutex->unlock(this->mutex);
2554}
2555
e7369a9d
TB		 2556/**
2557 * Install a route for the given policy if enabled and required
2558 */
2559static void install_route(private_kernel_netlink_ipsec_t *this,
2560 policy_entry_t *policy, policy_sa_t *mapping, ipsec_sa_t *ipsec)
2561{
aea3c105 2562 policy_sa_out_t *out = (policy_sa_out_t*)mapping;
e7369a9d
TB		 2563 route_entry_t *route;
2564 host_t *iface;
2565
2566 INIT(route,
aea3c105 2567 .prefixlen = policy->sel.prefixlen_d,
09f4bccf 2568 .pass = mapping->type == POLICY_PASS,
e7369a9d
TB		 2569 );
2570
aea3c105 2571 if (charon->kernel->get_address_by_ts(charon->kernel, out->src_ts,
b0b6bd24 2572 &route->src_ip, NULL) != SUCCESS)
e7369a9d 2573 {
b0b6bd24 2574 if (!route->pass)
e7369a9d 2575 {
b0b6bd24
TB		 2576 free(route);
2577 return;
e7369a9d 2578 }
b0b6bd24
TB		 2579 /* allow blank source IP for passthrough policies */
2580 route->src_ip = host_create_any(policy->sel.family);
2581 }
e7369a9d 2582
b0b6bd24
TB		 2583 if (!ipsec->dst->is_anyaddr(ipsec->dst))
2584 {
2585 route->gateway = charon->kernel->get_nexthop(charon->kernel,
2586 ipsec->dst, -1, ipsec->src,
2587 &route->if_name);
2588 }
2589 else
2590 { /* for shunt policies */
2591 iface = xfrm2host(policy->sel.family, &policy->sel.daddr, 0);
2592 route->gateway = charon->kernel->get_nexthop(charon->kernel,
2593 iface, policy->sel.prefixlen_d,
2594 route->src_ip, &route->if_name);
2595 iface->destroy(iface);
2596 }
2597 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
2598 memcpy(route->dst_net.ptr, &policy->sel.daddr, route->dst_net.len);
2599
2600 /* get the interface to install the route for, if we haven't one yet.
2601 * If we have a local address, use it. Otherwise (for shunt policies)
2602 * use the route's source address. */
2603 if (!route->if_name)
2604 {
2605 iface = ipsec->src;
2606 if (iface->is_anyaddr(iface))
e7369a9d 2607 {
b0b6bd24 2608 iface = route->src_ip;
e7369a9d 2609 }
b0b6bd24 2610 if (!charon->kernel->get_interface(charon->kernel, iface,
e23708bd
TB		 2611 &route->if_name) &&
2612 !route->pass)
2613 { /* don't require an interface for passthrough policies */
b0b6bd24
TB		 2614 route_entry_destroy(route);
2615 return;
e7369a9d 2616 }
b0b6bd24
TB		 2617 }
2618 if (policy->route)
2619 {
2620 route_entry_t *old = policy->route;
2621 if (route_entry_equals(old, route))
e7369a9d 2622 {
b0b6bd24
TB		 2623 route_entry_destroy(route);
2624 return;
e7369a9d 2625 }
b0b6bd24
TB		 2626 /* uninstall previously installed route */
2627 if (charon->kernel->del_route(charon->kernel, old->dst_net,
2628 old->prefixlen, old->gateway,
2629 old->src_ip, old->if_name,
2630 old->pass) != SUCCESS)
2631 {
2632 DBG1(DBG_KNL, "error uninstalling route installed with policy "
2633 "%R === %R %N", out->src_ts, out->dst_ts, policy_dir_names,
2634 policy->direction);
2635 }
2636 route_entry_destroy(old);
2637 policy->route = NULL;
e7369a9d 2638 }
b0b6bd24
TB		 2639
2640 DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", out->dst_ts,
2641 route->gateway, route->src_ip, route->if_name);
2642 switch (charon->kernel->add_route(charon->kernel, route->dst_net,
2643 route->prefixlen, route->gateway,
2644 route->src_ip, route->if_name,
2645 route->pass))
e7369a9d 2646 {
b0b6bd24
TB		 2647 default:
2648 DBG1(DBG_KNL, "unable to install source route for %H",
2649 route->src_ip);
2650 /* FALL */
2651 case ALREADY_DONE:
2652 /* route exists, do not uninstall */
2653 route_entry_destroy(route);
2654 break;
2655 case SUCCESS:
2656 /* cache the installed route */
2657 policy->route = route;
2658 break;
e7369a9d
TB		 2659 }
2660}
2661
f0ba8ae0
TB		 2662/**
2663 * Add or update a policy in the kernel.
2664 *
64c4fd0a
TE		 2665 * Note: The mutex has to be locked when entering this function
2666 * and is unlocked here in any case.
f0ba8ae0
TB		 2667 */
2668static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
9f49464d 2669 policy_entry_t *policy, policy_sa_t *mapping, bool update)
507f26f6 2670{
21bf86f7 2671 netlink_buf_t request;
32fbad4e 2672 policy_entry_t clone;
9f49464d 2673 ipsec_sa_t *ipsec = mapping->sa;
507f26f6
TB		 2674 struct xfrm_userpolicy_info *policy_info;
2675 struct nlmsghdr *hdr;
dc2fa791 2676 status_t status;
55be07a1 2677 int i;
7daf5226 2678
32fbad4e
TB		 2679 /* clone the policy so we are able to check it out again later */
2680 memcpy(&clone, policy, sizeof(policy_entry_t));
2681
507f26f6 2682 memset(&request, 0, sizeof(request));
0404a29b 2683 hdr = &request.hdr;
507f26f6 2684 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
f0ba8ae0 2685 hdr->nlmsg_type = update ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
507f26f6
TB		 2686 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2687
4c438cf0 2688 policy_info = NLMSG_DATA(hdr);
507f26f6
TB		 2689 policy_info->sel = policy->sel;
2690 policy_info->dir = policy->direction;
e6f42b07
TB		 2691
2692 /* calculate priority based on selector size, small size = high prio */
9f49464d
TB		 2693 policy_info->priority = mapping->priority;
2694 policy_info->action = mapping->type != POLICY_DROP ? XFRM_POLICY_ALLOW
2695 : XFRM_POLICY_BLOCK;
507f26f6 2696 policy_info->share = XFRM_SHARE_ANY;
7daf5226 2697
507f26f6
TB		 2698 /* policies don't expire */
2699 policy_info->lft.soft_byte_limit = XFRM_INF;
2700 policy_info->lft.soft_packet_limit = XFRM_INF;
2701 policy_info->lft.hard_byte_limit = XFRM_INF;
2702 policy_info->lft.hard_packet_limit = XFRM_INF;
2703 policy_info->lft.soft_add_expires_seconds = 0;
2704 policy_info->lft.hard_add_expires_seconds = 0;
2705 policy_info->lft.soft_use_expires_seconds = 0;
2706 policy_info->lft.hard_use_expires_seconds = 0;
7daf5226 2707
f7e9e6a3 2708 if (mapping->type == POLICY_IPSEC && ipsec->cfg.reqid)
55be07a1 2709 {
6dfc6339 2710 struct xfrm_user_tmpl *tmpl;
749d3ccc 2711 struct {
b12c53ce 2712 uint8_t proto;
2699c838 2713 uint32_t spi;
749d3ccc
TB		 2714 bool use;
2715 } protos[] = {
2699c838
TB		 2716 { IPPROTO_COMP, htonl(ntohs(ipsec->cfg.ipcomp.cpi)),
2717 ipsec->cfg.ipcomp.transform != IPCOMP_NONE },
2718 { IPPROTO_ESP, ipsec->cfg.esp.spi, ipsec->cfg.esp.use },
2719 { IPPROTO_AH, ipsec->cfg.ah.spi, ipsec->cfg.ah.use },
749d3ccc 2720 };
9f49464d 2721 ipsec_mode_t proto_mode = ipsec->cfg.mode;
6dfc6339 2722 int count = 0;
749d3ccc
TB		 2723
2724 for (i = 0; i < countof(protos); i++)
55be07a1 2725 {
6dfc6339 2726 if (protos[i].use)
749d3ccc 2727 {
6dfc6339 2728 count++;
749d3ccc 2729 }
6dfc6339
MW		 2730 }
2731 tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_TMPL,
2732 count * sizeof(*tmpl));
2733 if (!tmpl)
2734 {
ebeaac1f 2735 policy_change_done(this, policy);
6dfc6339
MW		 2736 return FAILED;
2737 }
7daf5226 2738
6dfc6339
MW		 2739 for (i = 0; i < countof(protos); i++)
2740 {
2741 if (!protos[i].use)
749d3ccc 2742 {
6dfc6339 2743 continue;
749d3ccc 2744 }
4aff4452 2745 tmpl->reqid = ipsec->cfg.reqid;
749d3ccc 2746 tmpl->id.proto = protos[i].proto;
2699c838
TB		 2747 if (policy->direction == POLICY_OUT)
2748 {
2749 tmpl->id.spi = protos[i].spi;
2750 }
749d3ccc 2751 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
6da26f30 2752 tmpl->mode = mode2kernel(proto_mode);
749d3ccc 2753 tmpl->optional = protos[i].proto == IPPROTO_COMP &&
f0ba8ae0 2754 policy->direction != POLICY_OUT;
9f49464d 2755 tmpl->family = ipsec->src->get_family(ipsec->src);
749d3ccc 2756
e4d5e011 2757 if (proto_mode == MODE_TUNNEL || proto_mode == MODE_BEET)
749d3ccc 2758 { /* only for tunnel mode */
9f49464d
TB		 2759 host2xfrm(ipsec->src, &tmpl->saddr);
2760 host2xfrm(ipsec->dst, &tmpl->id.daddr);
749d3ccc 2761 }
55be07a1 2762
749d3ccc 2763 tmpl++;
2b2c69e9 2764
749d3ccc 2765 /* use transport mode for other SAs */
6da26f30 2766 proto_mode = MODE_TRANSPORT;
749d3ccc 2767 }
749d3ccc 2768 }
ee26c537 2769
0d9f31e1 2770 if (!add_mark(hdr, sizeof(request), ipsec->mark))
ee26c537 2771 {
ebeaac1f 2772 policy_change_done(this, policy);
0d9f31e1 2773 return FAILED;
ee26c537 2774 }
b32c3ce8
TB		 2775 if (ipsec->if_id &&
2776 !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, ipsec->if_id))
2777 {
2778 policy_change_done(this, policy);
2779 return FAILED;
2780 }
f0ba8ae0 2781 this->mutex->unlock(this->mutex);
7daf5226 2782
dc2fa791
TB		 2783 status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
2784 if (status == ALREADY_DONE && !update)
2785 {
2786 DBG1(DBG_KNL, "policy already exists, try to update it");
2787 hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
2788 status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
2789 }
ebeaac1f
TB		 2790
2791 this->mutex->lock(this->mutex);
dc2fa791 2792 if (status != SUCCESS)
507f26f6 2793 {
ebeaac1f 2794 policy_change_done(this, policy);
507f26f6
TB		 2795 return FAILED;
2796 }
507f26f6 2797 /* install a route, if:
aea3c105 2798 * - this is an outbound policy (to just get one for each child)
507f26f6 2799 * - routing is not disabled via strongswan.conf
e7369a9d 2800 * - the selector is not for a specific protocol/port
801a5d31 2801 * - no XFRM interface ID is configured
e7369a9d 2802 * - we are in tunnel/BEET mode or install a bypass policy
507f26f6 2803 */
aea3c105 2804 if (policy->direction == POLICY_OUT && this->install_routes &&
801a5d31
TB		 2805 !policy->sel.proto && !policy->sel.dport && !policy->sel.sport &&
2806 !policy->if_id)
507f26f6 2807 {
e7369a9d
TB		 2808 if (mapping->type == POLICY_PASS ||
2809 (mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT))
507f26f6 2810 {
e7369a9d 2811 install_route(this, policy, mapping, ipsec);
507f26f6
TB		 2812 }
2813 }
ebeaac1f 2814 policy_change_done(this, policy);
507f26f6
TB		 2815 return SUCCESS;
2816}
2817
f0ba8ae0 2818METHOD(kernel_ipsec_t, add_policy, status_t,
89da06ac
TB		 2819 private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id,
2820 kernel_ipsec_manage_policy_t *data)
f0ba8ae0
TB		 2821{
2822 policy_entry_t *policy, *current;
2823 policy_sa_t *assigned_sa, *current_sa;
2824 enumerator_t *enumerator;
2825 bool found = FALSE, update = TRUE;
25178f45 2826 char markstr[32] = "";
471b9076
TB		 2827 uint32_t cur_priority = 0;
2828 int use_count;
f0ba8ae0
TB		 2829
2830 /* create a policy */
2831 INIT(policy,
c26e4330 2832 .sel = ts2selector(id->src_ts, id->dst_ts, id->interface),
89da06ac 2833 .mark = id->mark.value & id->mark.mask,
b32c3ce8 2834 .if_id = id->if_id,
89da06ac
TB		 2835 .direction = id->dir,
2836 .reqid = data->sa->reqid,
f0ba8ae0 2837 );
25178f45 2838 format_mark(markstr, sizeof(markstr), id->mark);
f0ba8ae0
TB		 2839
2840 /* find the policy, which matches EXACTLY */
2841 this->mutex->lock(this->mutex);
2842 current = this->policies->get(this->policies, policy);
2843 if (current)
2844 {
89da06ac
TB		 2845 if (current->reqid && data->sa->reqid &&
2846 current->reqid != data->sa->reqid)
1551d8b1 2847 {
25178f45
TB		 2848 DBG1(DBG_CFG, "unable to install policy %R === %R %N%s for reqid "
2849 "%u, the same policy for reqid %u exists",
2850 id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr,
2851 data->sa->reqid, current->reqid);
1551d8b1
MW		 2852 policy_entry_destroy(this, policy);
2853 this->mutex->unlock(this->mutex);
2854 return INVALID_STATE;
2855 }
f0ba8ae0 2856 /* use existing policy */
25178f45
TB		 2857 DBG2(DBG_KNL, "policy %R === %R %N%s already exists, increasing "
2858 "refcount", id->src_ts, id->dst_ts, policy_dir_names, id->dir,
2859 markstr);
9f49464d 2860 policy_entry_destroy(this, policy);
f0ba8ae0
TB		 2861 policy = current;
2862 found = TRUE;
ebeaac1f
TB		 2863
2864 policy->waiting++;
2865 while (policy->working)
2866 {
2867 this->condvar->wait(this->condvar, this->mutex);
2868 }
2869 policy->waiting--;
2870 policy->working = TRUE;
f0ba8ae0
TB		 2871 }
2872 else
9f49464d
TB		 2873 { /* use the new one, if we have no such policy */
2874 policy->used_by = linked_list_create();
f0ba8ae0
TB		 2875 this->policies->put(this->policies, policy, policy);
2876 }
2877
2878 /* cache the assigned IPsec SA */
89da06ac 2879 assigned_sa = policy_sa_create(this, id->dir, data->type, data->src,
b32c3ce8
TB		 2880 data->dst, id->src_ts, id->dst_ts, id->mark,
2881 id->if_id, data->sa);
869f4e90 2882 assigned_sa->auto_priority = get_priority(policy, data->prio, id->interface);
fc21465c
TB		 2883 assigned_sa->priority = this->get_priority ? this->get_priority(id, data)
2884 : data->manual_prio;
2885 assigned_sa->priority = assigned_sa->priority ?: assigned_sa->auto_priority;
f0ba8ae0 2886
e2658390
TB		 2887 /* insert the SA according to its priority */
2888 enumerator = policy->used_by->create_enumerator(policy->used_by);
2889 while (enumerator->enumerate(enumerator, (void**)&current_sa))
2890 {
83312ee5
TB		 2891 if (current_sa->priority > assigned_sa->priority)
2892 {
2893 break;
2894 }
869f4e90 2895 if (current_sa->priority == assigned_sa->priority)
f0ba8ae0 2896 {
869f4e90
TB		 2897 /* in case of equal manual prios order SAs by automatic priority */
2898 if (current_sa->auto_priority > assigned_sa->auto_priority)
2899 {
2900 break;
2901 }
2902 /* prefer SAs with a reqid over those without */
2903 if (current_sa->auto_priority == assigned_sa->auto_priority &&
2904 (!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid))
2905 {
2906 break;
2907 }
f0ba8ae0 2908 }
471b9076
TB		 2909 if (update)
2910 {
2911 cur_priority = current_sa->priority;
2912 update = FALSE;
2913 }
f0ba8ae0 2914 }
869f4e90 2915 policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa);
e2658390 2916 enumerator->destroy(enumerator);
f0ba8ae0 2917
471b9076 2918 use_count = policy->used_by->get_count(policy->used_by);
f0ba8ae0 2919 if (!update)
00574270
TB		 2920 { /* we don't update the policy if the priority is lower than that of
2921 * the currently installed one */
ebeaac1f 2922 policy_change_done(this, policy);
6606393b 2923 DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u, "
471b9076
TB		 2924 "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names,
2925 id->dir, markstr, cur_priority, use_count);
f0ba8ae0
TB		 2926 return SUCCESS;
2927 }
175d78df 2928 policy->reqid = assigned_sa->sa->cfg.reqid;
f0ba8ae0 2929
8925abbe
MW		 2930 if (this->policy_update)
2931 {
2932 found = TRUE;
2933 }
2934
471b9076
TB		 2935 DBG2(DBG_KNL, "%s policy %R === %R %N%s [priority %u, refcount %d]",
2936 found ? "updating" : "adding", id->src_ts, id->dst_ts,
2937 policy_dir_names, id->dir, markstr, assigned_sa->priority, use_count);
f0ba8ae0
TB		 2938
2939 if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS)
2940 {
25178f45 2941 DBG1(DBG_KNL, "unable to %s policy %R === %R %N%s",
89da06ac 2942 found ? "update" : "add", id->src_ts, id->dst_ts,
25178f45 2943 policy_dir_names, id->dir, markstr);
f0ba8ae0
TB		 2944 return FAILED;
2945 }
2946 return SUCCESS;
2947}
2948
98ed9c6c 2949METHOD(kernel_ipsec_t, query_policy, status_t,
89da06ac
TB		 2950 private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id,
2951 kernel_ipsec_query_policy_t *data, time_t *use_time)
507f26f6 2952{
21bf86f7 2953 netlink_buf_t request;
507f26f6
TB		 2954 struct nlmsghdr *out = NULL, *hdr;
2955 struct xfrm_userpolicy_id *policy_id;
2956 struct xfrm_userpolicy_info *policy = NULL;
2957 size_t len;
25178f45 2958 char markstr[32] = "";
7daf5226 2959
507f26f6 2960 memset(&request, 0, sizeof(request));
25178f45 2961 format_mark(markstr, sizeof(markstr), id->mark);
7daf5226 2962
25178f45
TB		 2963 DBG2(DBG_KNL, "querying policy %R === %R %N%s", id->src_ts, id->dst_ts,
2964 policy_dir_names, id->dir, markstr);
6e921f20 2965
0404a29b 2966 hdr = &request.hdr;
507f26f6
TB		 2967 hdr->nlmsg_flags = NLM_F_REQUEST;
2968 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2969 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2970
4c438cf0 2971 policy_id = NLMSG_DATA(hdr);
c26e4330 2972 policy_id->sel = ts2selector(id->src_ts, id->dst_ts, id->interface);
89da06ac 2973 policy_id->dir = id->dir;
7daf5226 2974
89da06ac 2975 if (!add_mark(hdr, sizeof(request), id->mark))
ee26c537 2976 {
0d9f31e1 2977 return FAILED;
ee26c537 2978 }
b32c3ce8
TB		 2979 if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
2980 {
2981 return FAILED;
2982 }
ee26c537 2983
507f26f6
TB		 2984 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2985 {
2986 hdr = out;
2987 while (NLMSG_OK(hdr, len))
2988 {
2989 switch (hdr->nlmsg_type)
2990 {
2991 case XFRM_MSG_NEWPOLICY:
2992 {
4c438cf0 2993 policy = NLMSG_DATA(hdr);
507f26f6
TB		 2994 break;
2995 }
2996 case NLMSG_ERROR:
2997 {
2998 struct nlmsgerr *err = NLMSG_DATA(hdr);
2999 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
89da06ac 3000 strerror(-err->error), -err->error);
507f26f6
TB		 3001 break;
3002 }
3003 default:
3004 hdr = NLMSG_NEXT(hdr, len);
3005 continue;
3006 case NLMSG_DONE:
3007 break;
3008 }
3009 break;
3010 }
3011 }
7daf5226 3012
507f26f6
TB		 3013 if (policy == NULL)
3014 {
25178f45
TB		 3015 DBG2(DBG_KNL, "unable to query policy %R === %R %N%s", id->src_ts,
3016 id->dst_ts, policy_dir_names, id->dir, markstr);
507f26f6
TB		 3017 free(out);
3018 return FAILED;
3019 }
7daf5226 3020
6180a558
MW		 3021 if (policy->curlft.use_time)
3022 {
3023 /* we need the monotonic time, but the kernel returns system time. */
3024 *use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
3025 }
3026 else
3027 {
3028 *use_time = 0;
3029 }
7daf5226 3030
507f26f6
TB		 3031 free(out);
3032 return SUCCESS;
3033}
3034
98ed9c6c 3035METHOD(kernel_ipsec_t, del_policy, status_t,
89da06ac
TB		 3036 private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id,
3037 kernel_ipsec_manage_policy_t *data)
507f26f6 3038{
c225f9b5
TB		 3039 policy_entry_t *current, policy;
3040 enumerator_t *enumerator;
9f49464d 3041 policy_sa_t *mapping;
21bf86f7 3042 netlink_buf_t request;
507f26f6
TB		 3043 struct nlmsghdr *hdr;
3044 struct xfrm_userpolicy_id *policy_id;
c225f9b5 3045 bool is_installed = TRUE;
471b9076 3046 uint32_t priority, auto_priority, cur_priority;
33400876 3047 ipsec_sa_t assigned_sa = {
89da06ac
TB		 3048 .src = data->src,
3049 .dst = data->dst,
3050 .mark = id->mark,
b32c3ce8 3051 .if_id = id->if_id,
89da06ac 3052 .cfg = *data->sa,
33400876 3053 };
25178f45 3054 char markstr[32] = "";
471b9076 3055 int use_count;
ebeaac1f 3056 status_t status = SUCCESS;
7daf5226 3057
25178f45
TB		 3058 format_mark(markstr, sizeof(markstr), id->mark);
3059
3060 DBG2(DBG_KNL, "deleting policy %R === %R %N%s", id->src_ts, id->dst_ts,
3061 policy_dir_names, id->dir, markstr);
7daf5226 3062
507f26f6
TB		 3063 /* create a policy */
3064 memset(&policy, 0, sizeof(policy_entry_t));
c26e4330 3065 policy.sel = ts2selector(id->src_ts, id->dst_ts, id->interface);
89da06ac 3066 policy.mark = id->mark.value & id->mark.mask;
b32c3ce8 3067 policy.if_id = id->if_id;
89da06ac 3068 policy.direction = id->dir;
7daf5226 3069
507f26f6 3070 /* find the policy */
3ac5a0db 3071 this->mutex->lock(this->mutex);
3fb404d8 3072 current = this->policies->get(this->policies, &policy);
4aff4452 3073 if (!current)
507f26f6 3074 {
25178f45
TB		 3075 DBG1(DBG_KNL, "deleting policy %R === %R %N%s failed, not found",
3076 id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr);
c225f9b5
TB		 3077 this->mutex->unlock(this->mutex);
3078 return NOT_FOUND;
3079 }
ebeaac1f
TB		 3080 current->waiting++;
3081 while (current->working)
3082 {
3083 this->condvar->wait(this->condvar, this->mutex);
3084 }
3085 current->working = TRUE;
3086 current->waiting--;
f0ba8ae0 3087
e2658390 3088 /* remove mapping to SA by reqid and priority */
869f4e90 3089 auto_priority = get_priority(current, data->prio,id->interface);
fc21465c
TB		 3090 priority = this->get_priority ? this->get_priority(id, data)
3091 : data->manual_prio;
3092 priority = priority ?: auto_priority;
d3af3b79 3093
e2658390
TB		 3094 enumerator = current->used_by->create_enumerator(current->used_by);
3095 while (enumerator->enumerate(enumerator, (void**)&mapping))
3096 {
869f4e90
TB		 3097 if (priority == mapping->priority &&
3098 auto_priority == mapping->auto_priority &&
3099 data->type == mapping->type &&
33400876 3100 ipsec_sa_equals(mapping->sa, &assigned_sa))
c225f9b5 3101 {
e2658390 3102 current->used_by->remove_at(current->used_by, enumerator);
8a2e4d4a 3103 policy_sa_destroy(mapping, id->dir, this);
e2658390 3104 break;
c225f9b5 3105 }
471b9076
TB		 3106 if (is_installed)
3107 {
3108 cur_priority = mapping->priority;
3109 is_installed = FALSE;
3110 }
c225f9b5 3111 }
e2658390 3112 enumerator->destroy(enumerator);
f0ba8ae0 3113
471b9076
TB		 3114 use_count = current->used_by->get_count(current->used_by);
3115 if (use_count > 0)
c225f9b5
TB		 3116 { /* policy is used by more SAs, keep in kernel */
3117 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
3118 if (!is_installed)
3119 { /* no need to update as the policy was not installed for this SA */
ebeaac1f 3120 policy_change_done(this, current);
471b9076
TB		 3121 DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u, "
3122 "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names,
3123 id->dir, markstr, cur_priority, use_count);
3fb404d8 3124 return SUCCESS;
507f26f6 3125 }
471b9076 3126 current->used_by->get_first(current->used_by, (void**)&mapping);
175d78df 3127 current->reqid = mapping->sa->cfg.reqid;
f0ba8ae0 3128
471b9076
TB		 3129 DBG2(DBG_KNL, "updating policy %R === %R %N%s [priority %u, "
3130 "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names, id->dir,
3131 markstr, mapping->priority, use_count);
c225f9b5 3132
9f49464d 3133 if (add_policy_internal(this, current, mapping, TRUE) != SUCCESS)
c225f9b5 3134 {
25178f45
TB		 3135 DBG1(DBG_KNL, "unable to update policy %R === %R %N%s",
3136 id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr);
c225f9b5
TB		 3137 return FAILED;
3138 }
3139 return SUCCESS;
507f26f6 3140 }
7daf5226 3141
507f26f6 3142 memset(&request, 0, sizeof(request));
7daf5226 3143
0404a29b 3144 hdr = &request.hdr;
507f26f6
TB		 3145 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
3146 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
3147 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
3148
4c438cf0 3149 policy_id = NLMSG_DATA(hdr);
c225f9b5 3150 policy_id->sel = current->sel;
89da06ac 3151 policy_id->dir = id->dir;
7daf5226 3152
89da06ac 3153 if (!add_mark(hdr, sizeof(request), id->mark))
ee26c537 3154 {
ebeaac1f 3155 policy_change_done(this, current);
0d9f31e1 3156 return FAILED;
ee26c537 3157 }
b32c3ce8
TB		 3158 if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
3159 {
3160 policy_change_done(this, current);
3161 return FAILED;
3162 }
ee26c537 3163
c225f9b5 3164 if (current->route)
f0ba8ae0 3165 {
c225f9b5 3166 route_entry_t *route = current->route;
8394ea2a
TB		 3167 if (charon->kernel->del_route(charon->kernel, route->dst_net,
3168 route->prefixlen, route->gateway,
09f4bccf
NK		 3169 route->src_ip, route->if_name,
3170 route->pass) != SUCCESS)
f0ba8ae0 3171 {
89da06ac 3172 DBG1(DBG_KNL, "error uninstalling route installed with policy "
25178f45
TB		 3173 "%R === %R %N%s", id->src_ts, id->dst_ts, policy_dir_names,
3174 id->dir, markstr);
f0ba8ae0
TB		 3175 }
3176 }
c225f9b5
TB		 3177 this->mutex->unlock(this->mutex);
3178
507f26f6
TB		 3179 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
3180 {
25178f45
TB		 3181 DBG1(DBG_KNL, "unable to delete policy %R === %R %N%s", id->src_ts,
3182 id->dst_ts, policy_dir_names, id->dir, markstr);
ebeaac1f 3183 status = FAILED;
507f26f6 3184 }
ebeaac1f
TB		 3185
3186 this->mutex->lock(this->mutex);
3187 if (!current->waiting)
3188 { /* only if no other thread still needs the policy */
3189 this->policies->remove(this->policies, current);
3190 policy_entry_destroy(this, current);
3191 this->mutex->unlock(this->mutex);
3192 }
3193 else
3194 {
3195 policy_change_done(this, current);
3196 }
3197 return status;
507f26f6
TB		 3198}
3199
99d23ddf
TB		 3200METHOD(kernel_ipsec_t, flush_policies, status_t,
3201 private_kernel_netlink_ipsec_t *this)
3202{
3203 netlink_buf_t request;
3204 struct nlmsghdr *hdr;
3205
3206 memset(&request, 0, sizeof(request));
3207
3208 DBG2(DBG_KNL, "flushing all policies from SPD");
3209
0404a29b 3210 hdr = &request.hdr;
99d23ddf
TB		 3211 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
3212 hdr->nlmsg_type = XFRM_MSG_FLUSHPOLICY;
3213 hdr->nlmsg_len = NLMSG_LENGTH(0); /* no data associated */
3214
3215 /* by adding an rtattr of type XFRMA_POLICY_TYPE we could restrict this
3216 * to main or sub policies (default is main) */
3217
3218 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
3219 {
3220 DBG1(DBG_KNL, "unable to flush SPD entries");
3221 return FAILED;
3222 }
3223 return SUCCESS;
3224}
3225
87888f99
MW		 3226/**
3227 * Bypass socket using a per-socket policy
3228 */
3229static bool add_socket_bypass(private_kernel_netlink_ipsec_t *this,
3230 int fd, int family)
54f81859
MW		 3231{
3232 struct xfrm_userpolicy_info policy;
3233 u_int sol, ipsec_policy;
3234
3235 switch (family)
3236 {
3237 case AF_INET:
3238 sol = SOL_IP;
3239 ipsec_policy = IP_XFRM_POLICY;
3240 break;
3241 case AF_INET6:
3242 sol = SOL_IPV6;
3243 ipsec_policy = IPV6_XFRM_POLICY;
3244 break;
3245 default:
3246 return FALSE;
3247 }
3248
3249 memset(&policy, 0, sizeof(policy));
3250 policy.action = XFRM_POLICY_ALLOW;
3251 policy.sel.family = family;
3252
3253 policy.dir = XFRM_POLICY_OUT;
3254 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
3255 {
a0178fe2
TB		 3256 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s (%d)",
3257 strerror(errno), errno);
54f81859
MW		 3258 return FALSE;
3259 }
3260 policy.dir = XFRM_POLICY_IN;
3261 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
3262 {
a0178fe2
TB		 3263 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s (%d)",
3264 strerror(errno), errno);
54f81859
MW		 3265 return FALSE;
3266 }
3267 return TRUE;
3268}
3269
87888f99
MW		 3270/**
3271 * Port based IKE bypass policy
3272 */
3273typedef struct {
3274 /** address family */
3275 int family;
3276 /** layer 4 protocol */
3277 int proto;
3278 /** port number, network order */
b12c53ce 3279 uint16_t port;
87888f99
MW		 3280} bypass_t;
3281
3282/**
3283 * Add or remove a bypass policy from/to kernel
3284 */
3285static bool manage_bypass(private_kernel_netlink_ipsec_t *this,
3286 int type, policy_dir_t dir, bypass_t *bypass)
3287{
3288 netlink_buf_t request;
3289 struct xfrm_selector *sel;
3290 struct nlmsghdr *hdr;
3291
3292 memset(&request, 0, sizeof(request));
3293 hdr = &request.hdr;
3294 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
3295 hdr->nlmsg_type = type;
3296
3297 if (type == XFRM_MSG_NEWPOLICY)
3298 {
3299 struct xfrm_userpolicy_info *policy;
3300
3301 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
3302
3303 policy = NLMSG_DATA(hdr);
3304 policy->dir = dir;
3305 policy->priority = 32;
3306 policy->action = XFRM_POLICY_ALLOW;
3307 policy->share = XFRM_SHARE_ANY;
3308
3309 policy->lft.soft_byte_limit = XFRM_INF;
3310 policy->lft.soft_packet_limit = XFRM_INF;
3311 policy->lft.hard_byte_limit = XFRM_INF;
3312 policy->lft.hard_packet_limit = XFRM_INF;
3313
3314 sel = &policy->sel;
3315 }
3316 else /* XFRM_MSG_DELPOLICY */
3317 {
3318 struct xfrm_userpolicy_id *policy;
3319
3320 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
3321
3322 policy = NLMSG_DATA(hdr);
3323 policy->dir = dir;
3324
3325 sel = &policy->sel;
3326 }
3327
3328 sel->family = bypass->family;
3329 sel->proto = bypass->proto;
3330 if (dir == POLICY_IN)
3331 {
3332 sel->dport = bypass->port;
3333 sel->dport_mask = 0xffff;
3334 }
3335 else
3336 {
3337 sel->sport = bypass->port;
3338 sel->sport_mask = 0xffff;
3339 }
3340 return this->socket_xfrm->send_ack(this->socket_xfrm, hdr) == SUCCESS;
3341}
3342
3343/**
3344 * Bypass socket using a port-based bypass policy
3345 */
3346static bool add_port_bypass(private_kernel_netlink_ipsec_t *this,
3347 int fd, int family)
3348{
3349 union {
3350 struct sockaddr sa;
3351 struct sockaddr_in in;
3352 struct sockaddr_in6 in6;
3353 } saddr;
3354 socklen_t len;
3355 bypass_t bypass = {
3356 .family = family,
3357 };
3358
3359 len = sizeof(saddr);
3360 if (getsockname(fd, &saddr.sa, &len) != 0)
3361 {
3362 return FALSE;
3363 }
3065081c 3364#ifdef SO_PROTOCOL /* since 2.6.32 */
87888f99
MW		 3365 len = sizeof(bypass.proto);
3366 if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &bypass.proto, &len) != 0)
3065081c
MW		 3367#endif
3368 { /* assume UDP if SO_PROTOCOL not supported */
3369 bypass.proto = IPPROTO_UDP;
87888f99
MW		 3370 }
3371 switch (family)
3372 {
3373 case AF_INET:
3374 bypass.port = saddr.in.sin_port;
3375 break;
3376 case AF_INET6:
3377 bypass.port = saddr.in6.sin6_port;
3378 break;
3379 default:
3380 return FALSE;
3381 }
3382
3383 if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_IN, &bypass))
3384 {
3385 return FALSE;
3386 }
3387 if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_OUT, &bypass))
3388 {
3389 manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, &bypass);
3390 return FALSE;
3391 }
3392 array_insert(this->bypass, ARRAY_TAIL, &bypass);
3393
3394 return TRUE;
3395}
3396
3397/**
3398 * Remove installed port based bypass policy
3399 */
3400static void remove_port_bypass(bypass_t *bypass, int idx,
3401 private_kernel_netlink_ipsec_t *this)
3402{
3403 manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_OUT, bypass);
3404 manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, bypass);
3405}
3406
3407METHOD(kernel_ipsec_t, bypass_socket, bool,
3408 private_kernel_netlink_ipsec_t *this, int fd, int family)
3409{
3410 if (lib->settings->get_bool(lib->settings,
3411 "%s.plugins.kernel-netlink.port_bypass", FALSE, lib->ns))
3412 {
3413 return add_port_bypass(this, fd, family);
3414 }
3415 return add_socket_bypass(this, fd, family);
3416}
3417
e49abced 3418METHOD(kernel_ipsec_t, enable_udp_decap, bool,
b12c53ce 3419 private_kernel_netlink_ipsec_t *this, int fd, int family, uint16_t port)
e49abced
TB		 3420{
3421 int type = UDP_ENCAP_ESPINUDP;
3422
3423 if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
3424 {
3425 DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno));
3426 return FALSE;
3427 }
3428 return TRUE;
3429}
3430
98ed9c6c
MW		 3431METHOD(kernel_ipsec_t, destroy, void,
3432 private_kernel_netlink_ipsec_t *this)
507f26f6 3433{
3fb404d8
TB		 3434 enumerator_t *enumerator;
3435 policy_entry_t *policy;
7daf5226 3436
87888f99
MW		 3437 array_destroy_function(this->bypass,
3438 (array_callback_t)remove_port_bypass, this);
d6a27ec6
MW		 3439 if (this->socket_xfrm_events > 0)
3440 {
f4f77d74 3441 lib->watcher->remove(lib->watcher, this->socket_xfrm_events);
d6a27ec6
MW		 3442 close(this->socket_xfrm_events);
3443 }
3444 DESTROY_IF(this->socket_xfrm);
3fb404d8 3445 enumerator = this->policies->create_enumerator(this->policies);
19e0010f 3446 while (enumerator->enumerate(enumerator, &policy, &policy))
3fb404d8 3447 {
9f49464d 3448 policy_entry_destroy(this, policy);
3fb404d8
TB		 3449 }
3450 enumerator->destroy(enumerator);
507f26f6 3451 this->policies->destroy(this->policies);
9f49464d 3452 this->sas->destroy(this->sas);
ebeaac1f 3453 this->condvar->destroy(this->condvar);
3ac5a0db 3454 this->mutex->destroy(this->mutex);
507f26f6
TB		 3455 free(this);
3456}
3457
ac9759a5
TB		 3458/**
3459 * Get the currently configured SPD hashing thresholds for an address family
3460 */
3461static bool get_spd_hash_thresh(private_kernel_netlink_ipsec_t *this,
3462 int type, uint8_t *lbits, uint8_t *rbits)
3463{
3464 netlink_buf_t request;
3465 struct nlmsghdr *hdr, *out;
3466 struct xfrmu_spdhthresh *thresh;
3467 struct rtattr *rta;
3468 size_t len, rtasize;
3469 bool success = FALSE;
3470
3471 memset(&request, 0, sizeof(request));
3472
3473 hdr = &request.hdr;
3474 hdr->nlmsg_flags = NLM_F_REQUEST;
3475 hdr->nlmsg_type = XFRM_MSG_GETSPDINFO;
3476 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(uint32_t));
3477
3478 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
3479 {
3480 hdr = out;
3481 while (NLMSG_OK(hdr, len))
3482 {
3483 switch (hdr->nlmsg_type)
3484 {
3485 case XFRM_MSG_NEWSPDINFO:
3486 {
3487 rta = XFRM_RTA(hdr, uint32_t);
3488 rtasize = XFRM_PAYLOAD(hdr, uint32_t);
3489 while (RTA_OK(rta, rtasize))
3490 {
3491 if (rta->rta_type == type &&
3492 RTA_PAYLOAD(rta) == sizeof(*thresh))
3493 {
3494 thresh = RTA_DATA(rta);
3495 *lbits = thresh->lbits;
3496 *rbits = thresh->rbits;
3497 success = TRUE;
3498 break;
3499 }
3500 rta = RTA_NEXT(rta, rtasize);
3501 }
3502 break;
3503 }
3504 case NLMSG_ERROR:
3505 {
3506 struct nlmsgerr *err = NLMSG_DATA(hdr);
3507 DBG1(DBG_KNL, "getting SPD hash threshold failed: %s (%d)",
3508 strerror(-err->error), -err->error);
3509 break;
3510 }
3511 default:
3512 hdr = NLMSG_NEXT(hdr, len);
3513 continue;
3514 case NLMSG_DONE:
3515 break;
3516 }
3517 break;
3518 }
3519 free(out);
3520 }
3521 return success;
3522}
3523
3524/**
3525 * Configure SPD hashing threshold for an address family
3526 */
3527static void setup_spd_hash_thresh(private_kernel_netlink_ipsec_t *this,
3528 char *key, int type, uint8_t def)
3529{
3530 struct xfrmu_spdhthresh *thresh;
3531 struct nlmsghdr *hdr;
3532 netlink_buf_t request;
3533 uint8_t lbits, rbits;
3534
3535 if (!get_spd_hash_thresh(this, type, &lbits, &rbits))
3536 {
3537 return;
3538 }
3539 memset(&request, 0, sizeof(request));
3540
3541 hdr = &request.hdr;
3542 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
3543 hdr->nlmsg_type = XFRM_MSG_NEWSPDINFO;
3544 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(uint32_t));
3545
3546 thresh = netlink_reserve(hdr, sizeof(request), type, sizeof(*thresh));
3547 thresh->lbits = lib->settings->get_int(lib->settings,
3548 "%s.plugins.kernel-netlink.spdh_thresh.%s.lbits",
3549 def, lib->ns, key);
3550 thresh->rbits = lib->settings->get_int(lib->settings,
3551 "%s.plugins.kernel-netlink.spdh_thresh.%s.rbits",
3552 def, lib->ns, key);
3553 if (thresh->lbits != lbits || thresh->rbits != rbits)
3554 {
3555 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
3556 {
3557 DBG1(DBG_KNL, "setting SPD hash threshold failed");
3558 }
3559 }
3560}
3561
507f26f6
TB		 3562/*
3563 * Described in header.
3564 */
3565kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
3566{
98ed9c6c 3567 private_kernel_netlink_ipsec_t *this;
05ca5655 3568 bool register_for_events = TRUE;
7daf5226 3569
98ed9c6c 3570 INIT(this,
ba31fe1f
MW		 3571 .public = {
3572 .interface = {
53e62f5d 3573 .get_features = _get_features,
ba31fe1f
MW		 3574 .get_spi = _get_spi,
3575 .get_cpi = _get_cpi,
3576 .add_sa = _add_sa,
3577 .update_sa = _update_sa,
3578 .query_sa = _query_sa,
3579 .del_sa = _del_sa,
99d23ddf 3580 .flush_sas = _flush_sas,
ba31fe1f
MW		 3581 .add_policy = _add_policy,
3582 .query_policy = _query_policy,
3583 .del_policy = _del_policy,
99d23ddf 3584 .flush_policies = _flush_policies,
ba31fe1f 3585 .bypass_socket = _bypass_socket,
e49abced 3586 .enable_udp_decap = _enable_udp_decap,
ba31fe1f
MW		 3587 .destroy = _destroy,
3588 },
98ed9c6c
MW		 3589 },
3590 .policies = hashtable_create((hashtable_hash_t)policy_hash,
3591 (hashtable_equals_t)policy_equals, 32),
9f49464d
TB		 3592 .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
3593 (hashtable_equals_t)ipsec_sa_equals, 32),
87888f99 3594 .bypass = array_create(sizeof(bypass_t), 0),
98ed9c6c 3595 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
ebeaac1f 3596 .condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
fc21465c
TB		 3597 .get_priority = dlsym(RTLD_DEFAULT,
3598 "kernel_netlink_get_priority_custom"),
8925abbe
MW		 3599 .policy_update = lib->settings->get_bool(lib->settings,
3600 "%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns),
98ed9c6c 3601 .install_routes = lib->settings->get_bool(lib->settings,
d347a130 3602 "%s.install_routes", TRUE, lib->ns),
90e6675a
TB		 3603 .proto_port_transport = lib->settings->get_bool(lib->settings,
3604 "%s.plugins.kernel-netlink.set_proto_port_transport_sa",
3605 FALSE, lib->ns),
98ed9c6c 3606 );
7daf5226 3607
d347a130 3608 if (streq(lib->ns, "starter"))
05ca5655
TB		 3609 { /* starter has no threads, so we do not register for kernel events */
3610 register_for_events = FALSE;
3611 }
b8bf01dd 3612
6c58fabe
MW		 3613 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names,
3614 lib->settings->get_bool(lib->settings,
3615 "%s.plugins.kernel-netlink.parallel_xfrm", FALSE, lib->ns));
d6a27ec6
MW		 3616 if (!this->socket_xfrm)
3617 {
3618 destroy(this);
3619 return NULL;
3620 }
7daf5226 3621
ac9759a5
TB		 3622 setup_spd_hash_thresh(this, "ipv4", XFRMA_SPD_IPV4_HTHRESH, 32);
3623 setup_spd_hash_thresh(this, "ipv6", XFRMA_SPD_IPV6_HTHRESH, 128);
3624
05ca5655 3625 if (register_for_events)
507f26f6 3626 {
05ca5655
TB		 3627 struct sockaddr_nl addr;
3628
3629 memset(&addr, 0, sizeof(addr));
3630 addr.nl_family = AF_NETLINK;
3631
3632 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
3633 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
3634 if (this->socket_xfrm_events <= 0)
3635 {
a0178fe2
TB		 3636 DBG1(DBG_KNL, "unable to create XFRM event socket: %s (%d)",
3637 strerror(errno), errno);
05ca5655
TB		 3638 destroy(this);
3639 return NULL;
3640 }
3641 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
3642 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
3643 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
3644 {
a0178fe2
TB		 3645 DBG1(DBG_KNL, "unable to bind XFRM event socket: %s (%d)",
3646 strerror(errno), errno);
05ca5655
TB		 3647 destroy(this);
3648 return NULL;
3649 }
f4f77d74
MW		 3650 lib->watcher->add(lib->watcher, this->socket_xfrm_events, WATCHER_READ,
3651 (watcher_cb_t)receive_events, this);
507f26f6 3652 }
7daf5226 3653
a605452c 3654 netlink_find_offload_feature(lib->settings->get_str(lib->settings,
a3166c81
TB		 3655 "%s.plugins.kernel-netlink.hw_offload_feature_interface",
3656 "lo", lib->ns));
a605452c 3657
507f26f6
TB		 3658 return &this->public;
3659}
Michael's strongswan development tree