2 * Copyright (C) 2006-2009 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 #include <sys/types.h>
22 #include <sys/socket.h>
24 #include <linux/ipsec.h>
25 #include <linux/netlink.h>
26 #include <linux/rtnetlink.h>
27 #include <linux/xfrm.h>
28 #include <linux/udp.h>
35 #include "kernel_netlink_ipsec.h"
36 #include "kernel_netlink_shared.h"
39 #include <threading/thread.h>
40 #include <threading/mutex.h>
41 #include <utils/hashtable.h>
42 #include <processing/jobs/callback_job.h>
43 #include <processing/jobs/acquire_job.h>
44 #include <processing/jobs/migrate_job.h>
45 #include <processing/jobs/rekey_child_sa_job.h>
46 #include <processing/jobs/delete_child_sa_job.h>
47 #include <processing/jobs/update_sa_job.h>
49 /** required for Linux 2.6.26 kernel and later */
50 #ifndef XFRM_STATE_AF_UNSPEC
51 #define XFRM_STATE_AF_UNSPEC 32
54 /** from linux/in.h */
55 #ifndef IP_XFRM_POLICY
56 #define IP_XFRM_POLICY 17
59 /* missing on uclibc */
60 #ifndef IPV6_XFRM_POLICY
61 #define IPV6_XFRM_POLICY 34
62 #endif /*IPV6_XFRM_POLICY*/
64 /** default priority of installed policies */
66 #define PRIO_HIGH 2000
69 * map the limit for bytes and packets to XFRM_INF per default
71 #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
74 * Create ORable bitfield of XFRM NL groups
76 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
79 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
80 * 'usual' netlink data x like 'struct xfrm_usersa_info'
82 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
84 * returns a pointer to the next rtattr following rta.
85 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
87 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
89 * returns the total size of attached rta data
90 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
92 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
94 typedef struct kernel_algorithm_t kernel_algorithm_t
;
97 * Mapping of IKEv2 kernel identifier to linux crypto API names
99 struct kernel_algorithm_t
{
101 * Identifier specified in IKEv2
106 * Name of the algorithm in linux crypto API
111 ENUM(xfrm_msg_names
, XFRM_MSG_NEWSA
, XFRM_MSG_MAPPING
,
115 "XFRM_MSG_NEWPOLICY",
116 "XFRM_MSG_DELPOLICY",
117 "XFRM_MSG_GETPOLICY",
121 "XFRM_MSG_UPDPOLICY",
123 "XFRM_MSG_POLEXPIRE",
125 "XFRM_MSG_FLUSHPOLICY",
130 "XFRM_MSG_NEWSADINFO",
131 "XFRM_MSG_GETSADINFO",
132 "XFRM_MSG_NEWSPDINFO",
133 "XFRM_MSG_GETSPDINFO",
137 ENUM(xfrm_attr_type_names
, XFRMA_UNSPEC
, XFRMA_KMADDRESS
,
149 "XFRMA_REPLAY_THRESH",
150 "XFRMA_ETIMER_THRESH",
160 #define END_OF_LIST -1
163 * Algorithms for encryption
165 static kernel_algorithm_t encryption_algs
[] = {
166 /* {ENCR_DES_IV64, "***" }, */
168 {ENCR_3DES
, "des3_ede" },
169 /* {ENCR_RC5, "***" }, */
170 /* {ENCR_IDEA, "***" }, */
171 {ENCR_CAST
, "cast128" },
172 {ENCR_BLOWFISH
, "blowfish" },
173 /* {ENCR_3IDEA, "***" }, */
174 /* {ENCR_DES_IV32, "***" }, */
175 {ENCR_NULL
, "cipher_null" },
176 {ENCR_AES_CBC
, "aes" },
177 {ENCR_AES_CTR
, "rfc3686(ctr(aes))" },
178 {ENCR_AES_CCM_ICV8
, "rfc4309(ccm(aes))" },
179 {ENCR_AES_CCM_ICV12
, "rfc4309(ccm(aes))" },
180 {ENCR_AES_CCM_ICV16
, "rfc4309(ccm(aes))" },
181 {ENCR_AES_GCM_ICV8
, "rfc4106(gcm(aes))" },
182 {ENCR_AES_GCM_ICV12
, "rfc4106(gcm(aes))" },
183 {ENCR_AES_GCM_ICV16
, "rfc4106(gcm(aes))" },
184 {ENCR_NULL_AUTH_AES_GMAC
, "rfc4543(gcm(aes))" },
185 {ENCR_CAMELLIA_CBC
, "cbc(camellia)" },
186 /* {ENCR_CAMELLIA_CTR, "***" }, */
187 /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
188 /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
189 /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
194 * Algorithms for integrity protection
196 static kernel_algorithm_t integrity_algs
[] = {
197 {AUTH_HMAC_MD5_96
, "md5" },
198 {AUTH_HMAC_SHA1_96
, "sha1" },
199 {AUTH_HMAC_SHA2_256_96
, "sha256" },
200 {AUTH_HMAC_SHA2_256_128
, "hmac(sha256)" },
201 {AUTH_HMAC_SHA2_384_192
, "hmac(sha384)" },
202 {AUTH_HMAC_SHA2_512_256
, "hmac(sha512)" },
203 /* {AUTH_DES_MAC, "***" }, */
204 /* {AUTH_KPDK_MD5, "***" }, */
205 {AUTH_AES_XCBC_96
, "xcbc(aes)" },
210 * Algorithms for IPComp
212 static kernel_algorithm_t compression_algs
[] = {
213 /* {IPCOMP_OUI, "***" }, */
214 {IPCOMP_DEFLATE
, "deflate" },
215 {IPCOMP_LZS
, "lzs" },
216 {IPCOMP_LZJH
, "lzjh" },
221 * Look up a kernel algorithm name and its key size
223 static char* lookup_algorithm(kernel_algorithm_t
*list
, int ikev2
)
225 while (list
->ikev2
!= END_OF_LIST
)
227 if (list
->ikev2
== ikev2
)
236 typedef struct route_entry_t route_entry_t
;
239 * installed routing entry
241 struct route_entry_t
{
242 /** Name of the interface the route is bound to */
245 /** Source ip of the route */
248 /** gateway for this route */
251 /** Destination net */
254 /** Destination net prefixlen */
259 * destroy an route_entry_t object
261 static void route_entry_destroy(route_entry_t
*this)
264 this->src_ip
->destroy(this->src_ip
);
265 DESTROY_IF(this->gateway
);
266 chunk_free(&this->dst_net
);
270 typedef struct policy_entry_t policy_entry_t
;
273 * installed kernel policy.
275 struct policy_entry_t
{
277 /** direction of this policy: in, out, forward */
280 /** parameters of installed policy */
281 struct xfrm_selector sel
;
283 /** associated route installed for this policy */
284 route_entry_t
*route
;
286 /** by how many CHILD_SA's this policy is used */
291 * Hash function for policy_entry_t objects
293 static u_int
policy_hash(policy_entry_t
*key
)
295 chunk_t chunk
= chunk_create((void*)&key
->sel
, sizeof(struct xfrm_selector
));
296 return chunk_hash(chunk
);
300 * Equality function for policy_entry_t objects
302 static bool policy_equals(policy_entry_t
*key
, policy_entry_t
*other_key
)
304 return memeq(&key
->sel
, &other_key
->sel
, sizeof(struct xfrm_selector
)) &&
305 key
->direction
== other_key
->direction
;
308 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t
;
311 * Private variables and functions of kernel_netlink class.
313 struct private_kernel_netlink_ipsec_t
{
315 * Public part of the kernel_netlink_t object.
317 kernel_netlink_ipsec_t
public;
320 * mutex to lock access to various lists
325 * Hash table of installed policies (policy_entry_t)
327 hashtable_t
*policies
;
330 * job receiving netlink events
335 * Netlink xfrm socket (IPsec)
337 netlink_socket_t
*socket_xfrm
;
340 * netlink xfrm socket to receive acquire and expire events
342 int socket_xfrm_events
;
345 * whether to install routes along policies
351 * convert a IKEv2 specific protocol identifier to the kernel one
353 static u_int8_t
proto_ike2kernel(protocol_id_t proto
)
367 * reverse of ike2kernel
369 static protocol_id_t
proto_kernel2ike(u_int8_t proto
)
383 * convert the general ipsec mode to the one defined in xfrm.h
385 static u_int8_t
mode2kernel(ipsec_mode_t mode
)
390 return XFRM_MODE_TRANSPORT
;
392 return XFRM_MODE_TUNNEL
;
394 return XFRM_MODE_BEET
;
401 * convert a host_t to a struct xfrm_address
403 static void host2xfrm(host_t
*host
, xfrm_address_t
*xfrm
)
405 chunk_t chunk
= host
->get_address(host
);
406 memcpy(xfrm
, chunk
.ptr
, min(chunk
.len
, sizeof(xfrm_address_t
)));
410 * convert a struct xfrm_address to a host_t
412 static host_t
* xfrm2host(int family
, xfrm_address_t
*xfrm
, u_int16_t port
)
419 chunk
= chunk_create((u_char
*)&xfrm
->a4
, sizeof(xfrm
->a4
));
422 chunk
= chunk_create((u_char
*)&xfrm
->a6
, sizeof(xfrm
->a6
));
427 return host_create_from_chunk(family
, chunk
, ntohs(port
));
431 * convert a traffic selector address range to subnet and its mask.
433 static void ts2subnet(traffic_selector_t
* ts
,
434 xfrm_address_t
*net
, u_int8_t
*mask
)
439 ts
->to_subnet(ts
, &net_host
, mask
);
440 net_chunk
= net_host
->get_address(net_host
);
441 memcpy(net
, net_chunk
.ptr
, net_chunk
.len
);
442 net_host
->destroy(net_host
);
446 * convert a traffic selector port range to port/portmask
448 static void ts2ports(traffic_selector_t
* ts
,
449 u_int16_t
*port
, u_int16_t
*mask
)
451 /* linux does not seem to accept complex portmasks. Only
452 * any or a specific port is allowed. We set to any, if we have
453 * a port range, or to a specific, if we have one port only.
457 from
= ts
->get_from_port(ts
);
458 to
= ts
->get_to_port(ts
);
473 * convert a pair of traffic_selectors to a xfrm_selector
475 static struct xfrm_selector
ts2selector(traffic_selector_t
*src
,
476 traffic_selector_t
*dst
)
478 struct xfrm_selector sel
;
480 memset(&sel
, 0, sizeof(sel
));
481 sel
.family
= (src
->get_type(src
) == TS_IPV4_ADDR_RANGE
) ? AF_INET
: AF_INET6
;
482 /* src or dest proto may be "any" (0), use more restrictive one */
483 sel
.proto
= max(src
->get_protocol(src
), dst
->get_protocol(dst
));
484 ts2subnet(dst
, &sel
.daddr
, &sel
.prefixlen_d
);
485 ts2subnet(src
, &sel
.saddr
, &sel
.prefixlen_s
);
486 ts2ports(dst
, &sel
.dport
, &sel
.dport_mask
);
487 ts2ports(src
, &sel
.sport
, &sel
.sport_mask
);
495 * convert a xfrm_selector to a src|dst traffic_selector
497 static traffic_selector_t
* selector2ts(struct xfrm_selector
*sel
, bool src
)
506 addr
= (u_char
*)&sel
->saddr
;
507 prefixlen
= sel
->prefixlen_s
;
510 port
= htons(sel
->sport
);
515 addr
= (u_char
*)&sel
->daddr
;
516 prefixlen
= sel
->prefixlen_d
;
519 port
= htons(sel
->dport
);
523 /* The Linux 2.6 kernel does not set the selector's family field,
524 * so as a kludge we additionally test the prefix length.
526 if (sel
->family
== AF_INET
|| sel
->prefixlen_s
== 32)
528 host
= host_create_from_chunk(AF_INET
, chunk_create(addr
, 4), 0);
530 else if (sel
->family
== AF_INET6
|| sel
->prefixlen_s
== 128)
532 host
= host_create_from_chunk(AF_INET6
, chunk_create(addr
, 16), 0);
537 return traffic_selector_create_from_subnet(host
, prefixlen
,
544 * process a XFRM_MSG_ACQUIRE from kernel
546 static void process_acquire(private_kernel_netlink_ipsec_t
*this, struct nlmsghdr
*hdr
)
550 traffic_selector_t
*src_ts
, *dst_ts
;
551 struct xfrm_user_acquire
*acquire
;
556 acquire
= (struct xfrm_user_acquire
*)NLMSG_DATA(hdr
);
557 rta
= XFRM_RTA(hdr
, struct xfrm_user_acquire
);
558 rtasize
= XFRM_PAYLOAD(hdr
, struct xfrm_user_acquire
);
560 DBG2(DBG_KNL
, "received a XFRM_MSG_ACQUIRE");
562 while (RTA_OK(rta
, rtasize
))
564 DBG2(DBG_KNL
, " %N", xfrm_attr_type_names
, rta
->rta_type
);
566 if (rta
->rta_type
== XFRMA_TMPL
)
568 struct xfrm_user_tmpl
* tmpl
;
570 tmpl
= (struct xfrm_user_tmpl
*)RTA_DATA(rta
);
572 proto
= tmpl
->id
.proto
;
574 rta
= RTA_NEXT(rta
, rtasize
);
583 /* acquire for AH/ESP only, not for IPCOMP */
586 src_ts
= selector2ts(&acquire
->sel
, TRUE
);
587 dst_ts
= selector2ts(&acquire
->sel
, FALSE
);
588 DBG1(DBG_KNL
, "creating acquire job for policy %R === %R with reqid {%u}",
589 src_ts
, dst_ts
, reqid
);
590 job
= (job_t
*)acquire_job_create(reqid
, src_ts
, dst_ts
);
591 charon
->processor
->queue_job(charon
->processor
, job
);
595 * process a XFRM_MSG_EXPIRE from kernel
597 static void process_expire(private_kernel_netlink_ipsec_t
*this, struct nlmsghdr
*hdr
)
600 protocol_id_t protocol
;
601 u_int32_t spi
, reqid
;
602 struct xfrm_user_expire
*expire
;
604 expire
= (struct xfrm_user_expire
*)NLMSG_DATA(hdr
);
605 protocol
= proto_kernel2ike(expire
->state
.id
.proto
);
606 spi
= expire
->state
.id
.spi
;
607 reqid
= expire
->state
.reqid
;
609 DBG2(DBG_KNL
, "received a XFRM_MSG_EXPIRE");
611 if (protocol
!= PROTO_ESP
&& protocol
!= PROTO_AH
)
613 DBG2(DBG_KNL
, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
614 "which is not a CHILD_SA", ntohl(spi
), reqid
);
618 DBG1(DBG_KNL
, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
619 expire
->hard
? "delete" : "rekey", protocol_id_names
,
620 protocol
, ntohl(spi
), reqid
);
623 job
= (job_t
*)delete_child_sa_job_create(reqid
, protocol
, spi
);
627 job
= (job_t
*)rekey_child_sa_job_create(reqid
, protocol
, spi
);
629 charon
->processor
->queue_job(charon
->processor
, job
);
633 * process a XFRM_MSG_MIGRATE from kernel
635 static void process_migrate(private_kernel_netlink_ipsec_t
*this, struct nlmsghdr
*hdr
)
637 traffic_selector_t
*src_ts
, *dst_ts
;
638 host_t
*local
= NULL
, *remote
= NULL
;
639 host_t
*old_src
= NULL
, *old_dst
= NULL
;
640 host_t
*new_src
= NULL
, *new_dst
= NULL
;
641 struct xfrm_userpolicy_id
*policy_id
;
648 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
649 rta
= XFRM_RTA(hdr
, struct xfrm_userpolicy_id
);
650 rtasize
= XFRM_PAYLOAD(hdr
, struct xfrm_userpolicy_id
);
652 DBG2(DBG_KNL
, "received a XFRM_MSG_MIGRATE");
654 src_ts
= selector2ts(&policy_id
->sel
, TRUE
);
655 dst_ts
= selector2ts(&policy_id
->sel
, FALSE
);
656 dir
= (policy_dir_t
)policy_id
->dir
;
658 DBG2(DBG_KNL
, " policy: %R === %R %N", src_ts
, dst_ts
, policy_dir_names
);
660 while (RTA_OK(rta
, rtasize
))
662 DBG2(DBG_KNL
, " %N", xfrm_attr_type_names
, rta
->rta_type
);
663 if (rta
->rta_type
== XFRMA_KMADDRESS
)
665 struct xfrm_user_kmaddress
*kmaddress
;
667 kmaddress
= (struct xfrm_user_kmaddress
*)RTA_DATA(rta
);
668 local
= xfrm2host(kmaddress
->family
, &kmaddress
->local
, 0);
669 remote
= xfrm2host(kmaddress
->family
, &kmaddress
->remote
, 0);
670 DBG2(DBG_KNL
, " kmaddress: %H...%H", local
, remote
);
672 else if (rta
->rta_type
== XFRMA_MIGRATE
)
674 struct xfrm_user_migrate
*migrate
;
677 migrate
= (struct xfrm_user_migrate
*)RTA_DATA(rta
);
678 old_src
= xfrm2host(migrate
->old_family
, &migrate
->old_saddr
, 0);
679 old_dst
= xfrm2host(migrate
->old_family
, &migrate
->old_daddr
, 0);
680 new_src
= xfrm2host(migrate
->new_family
, &migrate
->new_saddr
, 0);
681 new_dst
= xfrm2host(migrate
->new_family
, &migrate
->new_daddr
, 0);
682 proto
= proto_kernel2ike(migrate
->proto
);
683 reqid
= migrate
->reqid
;
684 DBG2(DBG_KNL
, " migrate %N %H...%H to %H...%H, reqid {%u}",
685 protocol_id_names
, proto
, old_src
, old_dst
,
686 new_src
, new_dst
, reqid
);
692 rta
= RTA_NEXT(rta
, rtasize
);
695 if (src_ts
&& dst_ts
&& local
&& remote
)
697 DBG1(DBG_KNL
, "creating migrate job for policy %R === %R %N with reqid {%u}",
698 src_ts
, dst_ts
, policy_dir_names
, dir
, reqid
, local
);
699 job
= (job_t
*)migrate_job_create(reqid
, src_ts
, dst_ts
, dir
,
701 charon
->processor
->queue_job(charon
->processor
, job
);
713 * process a XFRM_MSG_MAPPING from kernel
715 static void process_mapping(private_kernel_netlink_ipsec_t
*this,
716 struct nlmsghdr
*hdr
)
719 u_int32_t spi
, reqid
;
720 struct xfrm_user_mapping
*mapping
;
723 mapping
= (struct xfrm_user_mapping
*)NLMSG_DATA(hdr
);
724 spi
= mapping
->id
.spi
;
725 reqid
= mapping
->reqid
;
727 DBG2(DBG_KNL
, "received a XFRM_MSG_MAPPING");
729 if (proto_kernel2ike(mapping
->id
.proto
) == PROTO_ESP
)
731 host
= xfrm2host(mapping
->id
.family
, &mapping
->new_saddr
,
735 DBG1(DBG_KNL
, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
736 "reqid {%u} changed, queuing update job", ntohl(spi
), reqid
);
737 job
= (job_t
*)update_sa_job_create(reqid
, host
);
738 charon
->processor
->queue_job(charon
->processor
, job
);
744 * Receives events from kernel
746 static job_requeue_t
receive_events(private_kernel_netlink_ipsec_t
*this)
749 struct nlmsghdr
*hdr
= (struct nlmsghdr
*)response
;
750 struct sockaddr_nl addr
;
751 socklen_t addr_len
= sizeof(addr
);
755 oldstate
= thread_cancelability(TRUE
);
756 len
= recvfrom(this->socket_xfrm_events
, response
, sizeof(response
), 0,
757 (struct sockaddr
*)&addr
, &addr_len
);
758 thread_cancelability(oldstate
);
765 /* interrupted, try again */
766 return JOB_REQUEUE_DIRECT
;
768 /* no data ready, select again */
769 return JOB_REQUEUE_DIRECT
;
771 DBG1(DBG_KNL
, "unable to receive from xfrm event socket");
773 return JOB_REQUEUE_FAIR
;
777 if (addr
.nl_pid
!= 0)
778 { /* not from kernel. not interested, try another one */
779 return JOB_REQUEUE_DIRECT
;
782 while (NLMSG_OK(hdr
, len
))
784 switch (hdr
->nlmsg_type
)
786 case XFRM_MSG_ACQUIRE
:
787 process_acquire(this, hdr
);
789 case XFRM_MSG_EXPIRE
:
790 process_expire(this, hdr
);
792 case XFRM_MSG_MIGRATE
:
793 process_migrate(this, hdr
);
795 case XFRM_MSG_MAPPING
:
796 process_mapping(this, hdr
);
799 DBG1(DBG_KNL
, "received unknown event from xfrm event socket: %d", hdr
->nlmsg_type
);
802 hdr
= NLMSG_NEXT(hdr
, len
);
804 return JOB_REQUEUE_DIRECT
;
808 * Get an SPI for a specific protocol from the kernel.
810 static status_t
get_spi_internal(private_kernel_netlink_ipsec_t
*this,
811 host_t
*src
, host_t
*dst
, u_int8_t proto
, u_int32_t min
, u_int32_t max
,
812 u_int32_t reqid
, u_int32_t
*spi
)
814 netlink_buf_t request
;
815 struct nlmsghdr
*hdr
, *out
;
816 struct xfrm_userspi_info
*userspi
;
817 u_int32_t received_spi
= 0;
820 memset(&request
, 0, sizeof(request
));
822 hdr
= (struct nlmsghdr
*)request
;
823 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
824 hdr
->nlmsg_type
= XFRM_MSG_ALLOCSPI
;
825 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userspi_info
));
827 userspi
= (struct xfrm_userspi_info
*)NLMSG_DATA(hdr
);
828 host2xfrm(src
, &userspi
->info
.saddr
);
829 host2xfrm(dst
, &userspi
->info
.id
.daddr
);
830 userspi
->info
.id
.proto
= proto
;
831 userspi
->info
.mode
= XFRM_MODE_TUNNEL
;
832 userspi
->info
.reqid
= reqid
;
833 userspi
->info
.family
= src
->get_family(src
);
837 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
840 while (NLMSG_OK(hdr
, len
))
842 switch (hdr
->nlmsg_type
)
846 struct xfrm_usersa_info
* usersa
= NLMSG_DATA(hdr
);
847 received_spi
= usersa
->id
.spi
;
852 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
854 DBG1(DBG_KNL
, "allocating SPI failed: %s (%d)",
855 strerror(-err
->error
), -err
->error
);
859 hdr
= NLMSG_NEXT(hdr
, len
);
869 if (received_spi
== 0)
878 METHOD(kernel_ipsec_t
, get_spi
, status_t
,
879 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
880 protocol_id_t protocol
, u_int32_t reqid
, u_int32_t
*spi
)
882 DBG2(DBG_KNL
, "getting SPI for reqid {%u}", reqid
);
884 if (get_spi_internal(this, src
, dst
, proto_ike2kernel(protocol
),
885 0xc0000000, 0xcFFFFFFF, reqid
, spi
) != SUCCESS
)
887 DBG1(DBG_KNL
, "unable to get SPI for reqid {%u}", reqid
);
891 DBG2(DBG_KNL
, "got SPI %.8x for reqid {%u}", ntohl(*spi
), reqid
);
896 METHOD(kernel_ipsec_t
, get_cpi
, status_t
,
897 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
898 u_int32_t reqid
, u_int16_t
*cpi
)
900 u_int32_t received_spi
= 0;
902 DBG2(DBG_KNL
, "getting CPI for reqid {%u}", reqid
);
904 if (get_spi_internal(this, src
, dst
,
905 IPPROTO_COMP
, 0x100, 0xEFFF, reqid
, &received_spi
) != SUCCESS
)
907 DBG1(DBG_KNL
, "unable to get CPI for reqid {%u}", reqid
);
911 *cpi
= htons((u_int16_t
)ntohl(received_spi
));
913 DBG2(DBG_KNL
, "got CPI %.4x for reqid {%u}", ntohs(*cpi
), reqid
);
918 METHOD(kernel_ipsec_t
, add_sa
, status_t
,
919 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
920 u_int32_t spi
, protocol_id_t protocol
, u_int32_t reqid
,
921 lifetime_cfg_t
*lifetime
, u_int16_t enc_alg
, chunk_t enc_key
,
922 u_int16_t int_alg
, chunk_t int_key
, ipsec_mode_t mode
, u_int16_t ipcomp
,
923 u_int16_t cpi
, bool encap
, bool inbound
, traffic_selector_t
* src_ts
,
924 traffic_selector_t
* dst_ts
)
926 netlink_buf_t request
;
928 struct nlmsghdr
*hdr
;
929 struct xfrm_usersa_info
*sa
;
930 u_int16_t icv_size
= 64;
932 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
933 * we are in the recursive call below */
934 if (ipcomp
!= IPCOMP_NONE
&& cpi
!= 0)
936 lifetime_cfg_t lft
= {{0,0,0},{0,0,0},{0,0,0}};
937 add_sa(this, src
, dst
, htonl(ntohs(cpi
)), IPPROTO_COMP
, reqid
, &lft
,
938 ENCR_UNDEFINED
, chunk_empty
, AUTH_UNDEFINED
, chunk_empty
,
939 mode
, ipcomp
, 0, FALSE
, inbound
, NULL
, NULL
);
940 ipcomp
= IPCOMP_NONE
;
941 /* use transport mode ESP SA, IPComp uses tunnel mode */
942 mode
= MODE_TRANSPORT
;
945 memset(&request
, 0, sizeof(request
));
947 DBG2(DBG_KNL
, "adding SAD entry with SPI %.8x and reqid {%u}",
950 hdr
= (struct nlmsghdr
*)request
;
951 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
952 hdr
->nlmsg_type
= inbound
? XFRM_MSG_UPDSA
: XFRM_MSG_NEWSA
;
953 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
955 sa
= (struct xfrm_usersa_info
*)NLMSG_DATA(hdr
);
956 host2xfrm(src
, &sa
->saddr
);
957 host2xfrm(dst
, &sa
->id
.daddr
);
959 sa
->id
.proto
= proto_ike2kernel(protocol
);
960 sa
->family
= src
->get_family(src
);
961 sa
->mode
= mode2kernel(mode
);
965 sa
->flags
|= XFRM_STATE_AF_UNSPEC
;
970 sa
->sel
= ts2selector(src_ts
, dst_ts
);
977 sa
->replay_window
= (protocol
== IPPROTO_COMP
) ? 0 : 32;
979 sa
->lft
.soft_byte_limit
= XFRM_LIMIT(lifetime
->bytes
.rekey
);
980 sa
->lft
.hard_byte_limit
= XFRM_LIMIT(lifetime
->bytes
.life
);
981 sa
->lft
.soft_packet_limit
= XFRM_LIMIT(lifetime
->packets
.rekey
);
982 sa
->lft
.hard_packet_limit
= XFRM_LIMIT(lifetime
->packets
.life
);
983 /* we use lifetimes since added, not since used */
984 sa
->lft
.soft_add_expires_seconds
= lifetime
->time
.rekey
;
985 sa
->lft
.hard_add_expires_seconds
= lifetime
->time
.life
;
986 sa
->lft
.soft_use_expires_seconds
= 0;
987 sa
->lft
.hard_use_expires_seconds
= 0;
989 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_usersa_info
);
996 case ENCR_AES_CCM_ICV16
:
997 case ENCR_AES_GCM_ICV16
:
998 case ENCR_NULL_AUTH_AES_GMAC
:
999 case ENCR_CAMELLIA_CCM_ICV16
:
1002 case ENCR_AES_CCM_ICV12
:
1003 case ENCR_AES_GCM_ICV12
:
1004 case ENCR_CAMELLIA_CCM_ICV12
:
1007 case ENCR_AES_CCM_ICV8
:
1008 case ENCR_AES_GCM_ICV8
:
1009 case ENCR_CAMELLIA_CCM_ICV8
:
1011 struct xfrm_algo_aead
*algo
;
1013 alg_name
= lookup_algorithm(encryption_algs
, enc_alg
);
1014 if (alg_name
== NULL
)
1016 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1017 encryption_algorithm_names
, enc_alg
);
1020 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
1021 encryption_algorithm_names
, enc_alg
, enc_key
.len
* 8);
1023 rthdr
->rta_type
= XFRMA_ALG_AEAD
;
1024 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo_aead
) + enc_key
.len
);
1025 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1026 if (hdr
->nlmsg_len
> sizeof(request
))
1031 algo
= (struct xfrm_algo_aead
*)RTA_DATA(rthdr
);
1032 algo
->alg_key_len
= enc_key
.len
* 8;
1033 algo
->alg_icv_len
= icv_size
;
1034 strcpy(algo
->alg_name
, alg_name
);
1035 memcpy(algo
->alg_key
, enc_key
.ptr
, enc_key
.len
);
1037 rthdr
= XFRM_RTA_NEXT(rthdr
);
1042 struct xfrm_algo
*algo
;
1044 alg_name
= lookup_algorithm(encryption_algs
, enc_alg
);
1045 if (alg_name
== NULL
)
1047 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1048 encryption_algorithm_names
, enc_alg
);
1051 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
1052 encryption_algorithm_names
, enc_alg
, enc_key
.len
* 8);
1054 rthdr
->rta_type
= XFRMA_ALG_CRYPT
;
1055 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
) + enc_key
.len
);
1056 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1057 if (hdr
->nlmsg_len
> sizeof(request
))
1062 algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
1063 algo
->alg_key_len
= enc_key
.len
* 8;
1064 strcpy(algo
->alg_name
, alg_name
);
1065 memcpy(algo
->alg_key
, enc_key
.ptr
, enc_key
.len
);
1067 rthdr
= XFRM_RTA_NEXT(rthdr
);
1071 if (int_alg
!= AUTH_UNDEFINED
)
1073 alg_name
= lookup_algorithm(integrity_algs
, int_alg
);
1074 if (alg_name
== NULL
)
1076 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1077 integrity_algorithm_names
, int_alg
);
1080 DBG2(DBG_KNL
, " using integrity algorithm %N with key size %d",
1081 integrity_algorithm_names
, int_alg
, int_key
.len
* 8);
1083 if (int_alg
== AUTH_HMAC_SHA2_256_128
)
1085 struct xfrm_algo_auth
* algo
;
1087 /* the kernel uses SHA256 with 96 bit truncation by default,
1088 * use specified truncation size supported by newer kernels */
1089 rthdr
->rta_type
= XFRMA_ALG_AUTH_TRUNC
;
1090 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo_auth
) + int_key
.len
);
1092 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1093 if (hdr
->nlmsg_len
> sizeof(request
))
1098 algo
= (struct xfrm_algo_auth
*)RTA_DATA(rthdr
);
1099 algo
->alg_key_len
= int_key
.len
* 8;
1100 algo
->alg_trunc_len
= 128;
1101 strcpy(algo
->alg_name
, alg_name
);
1102 memcpy(algo
->alg_key
, int_key
.ptr
, int_key
.len
);
1106 struct xfrm_algo
* algo
;
1108 rthdr
->rta_type
= XFRMA_ALG_AUTH
;
1109 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
) + int_key
.len
);
1111 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1112 if (hdr
->nlmsg_len
> sizeof(request
))
1117 algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
1118 algo
->alg_key_len
= int_key
.len
* 8;
1119 strcpy(algo
->alg_name
, alg_name
);
1120 memcpy(algo
->alg_key
, int_key
.ptr
, int_key
.len
);
1122 rthdr
= XFRM_RTA_NEXT(rthdr
);
1125 if (ipcomp
!= IPCOMP_NONE
)
1127 rthdr
->rta_type
= XFRMA_ALG_COMP
;
1128 alg_name
= lookup_algorithm(compression_algs
, ipcomp
);
1129 if (alg_name
== NULL
)
1131 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1132 ipcomp_transform_names
, ipcomp
);
1135 DBG2(DBG_KNL
, " using compression algorithm %N",
1136 ipcomp_transform_names
, ipcomp
);
1138 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_algo
));
1139 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1140 if (hdr
->nlmsg_len
> sizeof(request
))
1145 struct xfrm_algo
* algo
= (struct xfrm_algo
*)RTA_DATA(rthdr
);
1146 algo
->alg_key_len
= 0;
1147 strcpy(algo
->alg_name
, alg_name
);
1149 rthdr
= XFRM_RTA_NEXT(rthdr
);
1154 rthdr
->rta_type
= XFRMA_ENCAP
;
1155 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_encap_tmpl
));
1157 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1158 if (hdr
->nlmsg_len
> sizeof(request
))
1163 struct xfrm_encap_tmpl
* tmpl
= (struct xfrm_encap_tmpl
*)RTA_DATA(rthdr
);
1164 tmpl
->encap_type
= UDP_ENCAP_ESPINUDP
;
1165 tmpl
->encap_sport
= htons(src
->get_port(src
));
1166 tmpl
->encap_dport
= htons(dst
->get_port(dst
));
1167 memset(&tmpl
->encap_oa
, 0, sizeof (xfrm_address_t
));
1168 /* encap_oa could probably be derived from the
1169 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1170 * pluto does the same as we do here but it uses encap_oa in the
1171 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1172 * the kernel ignores it anyway
1173 * -> does that mean that NAT-T encap doesn't work in transport mode?
1174 * No. The reason the kernel ignores NAT-OA is that it recomputes
1175 * (or, rather, just ignores) the checksum. If packets pass
1176 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1177 rthdr
= XFRM_RTA_NEXT(rthdr
);
1180 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1182 DBG1(DBG_KNL
, "unable to add SAD entry with SPI %.8x", ntohl(spi
));
1189 * Get the replay state (i.e. sequence numbers) of an SA.
1191 static status_t
get_replay_state(private_kernel_netlink_ipsec_t
*this,
1192 u_int32_t spi
, protocol_id_t protocol
, host_t
*dst
,
1193 struct xfrm_replay_state
*replay
)
1195 netlink_buf_t request
;
1196 struct nlmsghdr
*hdr
, *out
= NULL
;
1197 struct xfrm_aevent_id
*out_aevent
= NULL
, *aevent_id
;
1202 memset(&request
, 0, sizeof(request
));
1204 DBG2(DBG_KNL
, "querying replay state from SAD entry with SPI %.8x", ntohl(spi
));
1206 hdr
= (struct nlmsghdr
*)request
;
1207 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1208 hdr
->nlmsg_type
= XFRM_MSG_GETAE
;
1209 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_aevent_id
));
1211 aevent_id
= (struct xfrm_aevent_id
*)NLMSG_DATA(hdr
);
1212 aevent_id
->flags
= XFRM_AE_RVAL
;
1214 host2xfrm(dst
, &aevent_id
->sa_id
.daddr
);
1215 aevent_id
->sa_id
.spi
= spi
;
1216 aevent_id
->sa_id
.proto
= proto_ike2kernel(protocol
);
1217 aevent_id
->sa_id
.family
= dst
->get_family(dst
);
1219 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1222 while (NLMSG_OK(hdr
, len
))
1224 switch (hdr
->nlmsg_type
)
1226 case XFRM_MSG_NEWAE
:
1228 out_aevent
= NLMSG_DATA(hdr
);
1233 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1234 DBG1(DBG_KNL
, "querying replay state from SAD entry failed: %s (%d)",
1235 strerror(-err
->error
), -err
->error
);
1239 hdr
= NLMSG_NEXT(hdr
, len
);
1248 if (out_aevent
== NULL
)
1250 DBG1(DBG_KNL
, "unable to query replay state from SAD entry with SPI %.8x",
1256 rta
= XFRM_RTA(out
, struct xfrm_aevent_id
);
1257 rtasize
= XFRM_PAYLOAD(out
, struct xfrm_aevent_id
);
1258 while(RTA_OK(rta
, rtasize
))
1260 if (rta
->rta_type
== XFRMA_REPLAY_VAL
&&
1261 RTA_PAYLOAD(rta
) == sizeof(struct xfrm_replay_state
))
1263 memcpy(replay
, RTA_DATA(rta
), RTA_PAYLOAD(rta
));
1267 rta
= RTA_NEXT(rta
, rtasize
);
1270 DBG1(DBG_KNL
, "unable to query replay state from SAD entry with SPI %.8x",
1276 METHOD(kernel_ipsec_t
, query_sa
, status_t
,
1277 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1278 u_int32_t spi
, protocol_id_t protocol
, u_int64_t
*bytes
)
1280 netlink_buf_t request
;
1281 struct nlmsghdr
*out
= NULL
, *hdr
;
1282 struct xfrm_usersa_id
*sa_id
;
1283 struct xfrm_usersa_info
*sa
= NULL
;
1286 memset(&request
, 0, sizeof(request
));
1288 DBG2(DBG_KNL
, "querying SAD entry with SPI %.8x", ntohl(spi
));
1290 hdr
= (struct nlmsghdr
*)request
;
1291 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1292 hdr
->nlmsg_type
= XFRM_MSG_GETSA
;
1293 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1295 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1296 host2xfrm(dst
, &sa_id
->daddr
);
1298 sa_id
->proto
= proto_ike2kernel(protocol
);
1299 sa_id
->family
= dst
->get_family(dst
);
1301 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1304 while (NLMSG_OK(hdr
, len
))
1306 switch (hdr
->nlmsg_type
)
1308 case XFRM_MSG_NEWSA
:
1310 sa
= (struct xfrm_usersa_info
*)NLMSG_DATA(hdr
);
1315 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1316 DBG1(DBG_KNL
, "querying SAD entry with SPI %.8x failed: %s (%d)",
1317 ntohl(spi
), strerror(-err
->error
), -err
->error
);
1321 hdr
= NLMSG_NEXT(hdr
, len
);
1332 DBG2(DBG_KNL
, "unable to query SAD entry with SPI %.8x", ntohl(spi
));
1336 *bytes
= sa
->curlft
.bytes
;
1342 METHOD(kernel_ipsec_t
, del_sa
, status_t
,
1343 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1344 u_int32_t spi
, protocol_id_t protocol
, u_int16_t cpi
)
1346 netlink_buf_t request
;
1347 struct nlmsghdr
*hdr
;
1348 struct xfrm_usersa_id
*sa_id
;
1350 /* if IPComp was used, we first delete the additional IPComp SA */
1353 del_sa(this, src
, dst
, htonl(ntohs(cpi
)), IPPROTO_COMP
, 0);
1356 memset(&request
, 0, sizeof(request
));
1358 DBG2(DBG_KNL
, "deleting SAD entry with SPI %.8x", ntohl(spi
));
1360 hdr
= (struct nlmsghdr
*)request
;
1361 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1362 hdr
->nlmsg_type
= XFRM_MSG_DELSA
;
1363 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1365 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1366 host2xfrm(dst
, &sa_id
->daddr
);
1368 sa_id
->proto
= proto_ike2kernel(protocol
);
1369 sa_id
->family
= dst
->get_family(dst
);
1371 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1373 DBG1(DBG_KNL
, "unable to delete SAD entry with SPI %.8x", ntohl(spi
));
1376 DBG2(DBG_KNL
, "deleted SAD entry with SPI %.8x", ntohl(spi
));
1380 METHOD(kernel_ipsec_t
, update_sa
, status_t
,
1381 private_kernel_netlink_ipsec_t
*this, u_int32_t spi
, protocol_id_t protocol
,
1382 u_int16_t cpi
, host_t
*src
, host_t
*dst
, host_t
*new_src
, host_t
*new_dst
,
1383 bool old_encap
, bool new_encap
)
1385 netlink_buf_t request
;
1387 struct nlmsghdr
*hdr
, *out
= NULL
;
1388 struct xfrm_usersa_id
*sa_id
;
1389 struct xfrm_usersa_info
*out_sa
= NULL
, *sa
;
1393 struct xfrm_encap_tmpl
* tmpl
= NULL
;
1394 bool got_replay_state
= FALSE
;
1395 struct xfrm_replay_state replay
;
1397 /* if IPComp is used, we first update the IPComp SA */
1400 update_sa(this, htonl(ntohs(cpi
)), IPPROTO_COMP
, 0,
1401 src
, dst
, new_src
, new_dst
, FALSE
, FALSE
);
1404 memset(&request
, 0, sizeof(request
));
1406 DBG2(DBG_KNL
, "querying SAD entry with SPI %.8x for update", ntohl(spi
));
1408 /* query the existing SA first */
1409 hdr
= (struct nlmsghdr
*)request
;
1410 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1411 hdr
->nlmsg_type
= XFRM_MSG_GETSA
;
1412 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_id
));
1414 sa_id
= (struct xfrm_usersa_id
*)NLMSG_DATA(hdr
);
1415 host2xfrm(dst
, &sa_id
->daddr
);
1417 sa_id
->proto
= proto_ike2kernel(protocol
);
1418 sa_id
->family
= dst
->get_family(dst
);
1420 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1423 while (NLMSG_OK(hdr
, len
))
1425 switch (hdr
->nlmsg_type
)
1427 case XFRM_MSG_NEWSA
:
1429 out_sa
= NLMSG_DATA(hdr
);
1434 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1435 DBG1(DBG_KNL
, "querying SAD entry failed: %s (%d)",
1436 strerror(-err
->error
), -err
->error
);
1440 hdr
= NLMSG_NEXT(hdr
, len
);
1450 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x", ntohl(spi
));
1455 /* try to get the replay state */
1456 if (get_replay_state(this, spi
, protocol
, dst
, &replay
) == SUCCESS
)
1458 got_replay_state
= TRUE
;
1461 /* delete the old SA (without affecting the IPComp SA) */
1462 if (del_sa(this, src
, dst
, spi
, protocol
, 0) != SUCCESS
)
1464 DBG1(DBG_KNL
, "unable to delete old SAD entry with SPI %.8x", ntohl(spi
));
1469 DBG2(DBG_KNL
, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1470 ntohl(spi
), src
, dst
, new_src
, new_dst
);
1471 /* copy over the SA from out to request */
1472 hdr
= (struct nlmsghdr
*)request
;
1473 memcpy(hdr
, out
, min(out
->nlmsg_len
, sizeof(request
)));
1474 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1475 hdr
->nlmsg_type
= XFRM_MSG_NEWSA
;
1476 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_usersa_info
));
1477 sa
= NLMSG_DATA(hdr
);
1478 sa
->family
= new_dst
->get_family(new_dst
);
1480 if (!src
->ip_equals(src
, new_src
))
1482 host2xfrm(new_src
, &sa
->saddr
);
1484 if (!dst
->ip_equals(dst
, new_dst
))
1486 host2xfrm(new_dst
, &sa
->id
.daddr
);
1489 rta
= XFRM_RTA(out
, struct xfrm_usersa_info
);
1490 rtasize
= XFRM_PAYLOAD(out
, struct xfrm_usersa_info
);
1491 pos
= (u_char
*)XFRM_RTA(hdr
, struct xfrm_usersa_info
);
1492 while(RTA_OK(rta
, rtasize
))
1494 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1495 if (rta
->rta_type
!= XFRMA_ENCAP
|| new_encap
)
1497 if (rta
->rta_type
== XFRMA_ENCAP
)
1498 { /* update encap tmpl */
1499 tmpl
= (struct xfrm_encap_tmpl
*)RTA_DATA(rta
);
1500 tmpl
->encap_sport
= ntohs(new_src
->get_port(new_src
));
1501 tmpl
->encap_dport
= ntohs(new_dst
->get_port(new_dst
));
1503 memcpy(pos
, rta
, rta
->rta_len
);
1504 pos
+= RTA_ALIGN(rta
->rta_len
);
1505 hdr
->nlmsg_len
+= RTA_ALIGN(rta
->rta_len
);
1507 rta
= RTA_NEXT(rta
, rtasize
);
1510 rta
= (struct rtattr
*)pos
;
1511 if (tmpl
== NULL
&& new_encap
)
1512 { /* add tmpl if we are enabling it */
1513 rta
->rta_type
= XFRMA_ENCAP
;
1514 rta
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_encap_tmpl
));
1516 hdr
->nlmsg_len
+= rta
->rta_len
;
1517 if (hdr
->nlmsg_len
> sizeof(request
))
1522 tmpl
= (struct xfrm_encap_tmpl
*)RTA_DATA(rta
);
1523 tmpl
->encap_type
= UDP_ENCAP_ESPINUDP
;
1524 tmpl
->encap_sport
= ntohs(new_src
->get_port(new_src
));
1525 tmpl
->encap_dport
= ntohs(new_dst
->get_port(new_dst
));
1526 memset(&tmpl
->encap_oa
, 0, sizeof (xfrm_address_t
));
1528 rta
= XFRM_RTA_NEXT(rta
);
1531 if (got_replay_state
)
1532 { /* copy the replay data if available */
1533 rta
->rta_type
= XFRMA_REPLAY_VAL
;
1534 rta
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_replay_state
));
1536 hdr
->nlmsg_len
+= rta
->rta_len
;
1537 if (hdr
->nlmsg_len
> sizeof(request
))
1541 memcpy(RTA_DATA(rta
), &replay
, sizeof(replay
));
1543 rta
= XFRM_RTA_NEXT(rta
);
1546 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1548 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x", ntohl(spi
));
1557 METHOD(kernel_ipsec_t
, add_policy
, status_t
,
1558 private_kernel_netlink_ipsec_t
*this, host_t
*src
, host_t
*dst
,
1559 traffic_selector_t
*src_ts
, traffic_selector_t
*dst_ts
,
1560 policy_dir_t direction
, u_int32_t spi
, protocol_id_t protocol
,
1561 u_int32_t reqid
, ipsec_mode_t mode
, u_int16_t ipcomp
, u_int16_t cpi
,
1564 policy_entry_t
*current
, *policy
;
1566 netlink_buf_t request
;
1567 struct xfrm_userpolicy_info
*policy_info
;
1568 struct nlmsghdr
*hdr
;
1570 /* create a policy */
1571 policy
= malloc_thing(policy_entry_t
);
1572 memset(policy
, 0, sizeof(policy_entry_t
));
1573 policy
->sel
= ts2selector(src_ts
, dst_ts
);
1574 policy
->direction
= direction
;
1576 /* find the policy, which matches EXACTLY */
1577 this->mutex
->lock(this->mutex
);
1578 current
= this->policies
->get(this->policies
, policy
);
1581 /* use existing policy */
1582 current
->refcount
++;
1583 DBG2(DBG_KNL
, "policy %R === %R %N already exists, increasing "
1584 "refcount", src_ts
, dst_ts
,
1585 policy_dir_names
, direction
);
1591 { /* apply the new one, if we have no such policy */
1592 this->policies
->put(this->policies
, policy
, policy
);
1593 policy
->refcount
= 1;
1596 DBG2(DBG_KNL
, "adding policy %R === %R %N", src_ts
, dst_ts
,
1597 policy_dir_names
, direction
);
1599 memset(&request
, 0, sizeof(request
));
1600 hdr
= (struct nlmsghdr
*)request
;
1601 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1602 hdr
->nlmsg_type
= found
? XFRM_MSG_UPDPOLICY
: XFRM_MSG_NEWPOLICY
;
1603 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info
));
1605 policy_info
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
1606 policy_info
->sel
= policy
->sel
;
1607 policy_info
->dir
= policy
->direction
;
1608 /* calculate priority based on source selector size, small size = high prio */
1609 policy_info
->priority
= routed
? PRIO_LOW
: PRIO_HIGH
;
1610 policy_info
->priority
-= policy
->sel
.prefixlen_s
* 10;
1611 policy_info
->priority
-= policy
->sel
.proto
? 2 : 0;
1612 policy_info
->priority
-= policy
->sel
.sport_mask
? 1 : 0;
1613 policy_info
->action
= XFRM_POLICY_ALLOW
;
1614 policy_info
->share
= XFRM_SHARE_ANY
;
1615 this->mutex
->unlock(this->mutex
);
1617 /* policies don't expire */
1618 policy_info
->lft
.soft_byte_limit
= XFRM_INF
;
1619 policy_info
->lft
.soft_packet_limit
= XFRM_INF
;
1620 policy_info
->lft
.hard_byte_limit
= XFRM_INF
;
1621 policy_info
->lft
.hard_packet_limit
= XFRM_INF
;
1622 policy_info
->lft
.soft_add_expires_seconds
= 0;
1623 policy_info
->lft
.hard_add_expires_seconds
= 0;
1624 policy_info
->lft
.soft_use_expires_seconds
= 0;
1625 policy_info
->lft
.hard_use_expires_seconds
= 0;
1627 struct rtattr
*rthdr
= XFRM_RTA(hdr
, struct xfrm_userpolicy_info
);
1628 rthdr
->rta_type
= XFRMA_TMPL
;
1629 rthdr
->rta_len
= RTA_LENGTH(sizeof(struct xfrm_user_tmpl
));
1631 hdr
->nlmsg_len
+= rthdr
->rta_len
;
1632 if (hdr
->nlmsg_len
> sizeof(request
))
1637 struct xfrm_user_tmpl
*tmpl
= (struct xfrm_user_tmpl
*)RTA_DATA(rthdr
);
1639 if (ipcomp
!= IPCOMP_NONE
)
1641 tmpl
->reqid
= reqid
;
1642 tmpl
->id
.proto
= IPPROTO_COMP
;
1643 tmpl
->aalgos
= tmpl
->ealgos
= tmpl
->calgos
= ~0;
1644 tmpl
->mode
= mode2kernel(mode
);
1645 tmpl
->optional
= direction
!= POLICY_OUT
;
1646 tmpl
->family
= src
->get_family(src
);
1648 host2xfrm(src
, &tmpl
->saddr
);
1649 host2xfrm(dst
, &tmpl
->id
.daddr
);
1651 /* add an additional xfrm_user_tmpl */
1652 rthdr
->rta_len
+= RTA_LENGTH(sizeof(struct xfrm_user_tmpl
));
1653 hdr
->nlmsg_len
+= RTA_LENGTH(sizeof(struct xfrm_user_tmpl
));
1654 if (hdr
->nlmsg_len
> sizeof(request
))
1661 /* use transport mode for ESP if we have a tunnel mode IPcomp SA */
1662 mode
= MODE_TRANSPORT
;
1666 /* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */
1667 host2xfrm(src
, &tmpl
->saddr
);
1668 host2xfrm(dst
, &tmpl
->id
.daddr
);
1671 tmpl
->reqid
= reqid
;
1672 tmpl
->id
.proto
= proto_ike2kernel(protocol
);
1673 tmpl
->aalgos
= tmpl
->ealgos
= tmpl
->calgos
= ~0;
1674 tmpl
->mode
= mode2kernel(mode
);
1675 tmpl
->family
= src
->get_family(src
);
1677 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1679 DBG1(DBG_KNL
, "unable to add policy %R === %R %N", src_ts
, dst_ts
,
1680 policy_dir_names
, direction
);
1684 /* install a route, if:
1685 * - we are NOT updating a policy
1686 * - this is a forward policy (to just get one for each child)
1687 * - we are in tunnel/BEET mode
1688 * - routing is not disabled via strongswan.conf
1690 if (policy
->route
== NULL
&& direction
== POLICY_FWD
&&
1691 mode
!= MODE_TRANSPORT
&& this->install_routes
)
1693 route_entry_t
*route
= malloc_thing(route_entry_t
);
1695 if (charon
->kernel_interface
->get_address_by_ts(charon
->kernel_interface
,
1696 dst_ts
, &route
->src_ip
) == SUCCESS
)
1698 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1699 route
->gateway
= charon
->kernel_interface
->get_nexthop(
1700 charon
->kernel_interface
, src
);
1701 /* install route via outgoing interface */
1702 route
->if_name
= charon
->kernel_interface
->get_interface(
1703 charon
->kernel_interface
, dst
);
1704 route
->dst_net
= chunk_alloc(policy
->sel
.family
== AF_INET
? 4 : 16);
1705 memcpy(route
->dst_net
.ptr
, &policy
->sel
.saddr
, route
->dst_net
.len
);
1706 route
->prefixlen
= policy
->sel
.prefixlen_s
;
1710 switch (charon
->kernel_interface
->add_route(
1711 charon
->kernel_interface
, route
->dst_net
,
1712 route
->prefixlen
, route
->gateway
,
1713 route
->src_ip
, route
->if_name
))
1716 DBG1(DBG_KNL
, "unable to install source route for %H",
1720 /* route exists, do not uninstall */
1721 route_entry_destroy(route
);
1724 /* cache the installed route */
1725 policy
->route
= route
;
1731 route_entry_destroy(route
);
1742 METHOD(kernel_ipsec_t
, query_policy
, status_t
,
1743 private_kernel_netlink_ipsec_t
*this, traffic_selector_t
*src_ts
,
1744 traffic_selector_t
*dst_ts
, policy_dir_t direction
, u_int32_t
*use_time
)
1746 netlink_buf_t request
;
1747 struct nlmsghdr
*out
= NULL
, *hdr
;
1748 struct xfrm_userpolicy_id
*policy_id
;
1749 struct xfrm_userpolicy_info
*policy
= NULL
;
1752 memset(&request
, 0, sizeof(request
));
1754 DBG2(DBG_KNL
, "querying policy %R === %R %N", src_ts
, dst_ts
,
1755 policy_dir_names
, direction
);
1757 hdr
= (struct nlmsghdr
*)request
;
1758 hdr
->nlmsg_flags
= NLM_F_REQUEST
;
1759 hdr
->nlmsg_type
= XFRM_MSG_GETPOLICY
;
1760 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
1762 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
1763 policy_id
->sel
= ts2selector(src_ts
, dst_ts
);
1764 policy_id
->dir
= direction
;
1766 if (this->socket_xfrm
->send(this->socket_xfrm
, hdr
, &out
, &len
) == SUCCESS
)
1769 while (NLMSG_OK(hdr
, len
))
1771 switch (hdr
->nlmsg_type
)
1773 case XFRM_MSG_NEWPOLICY
:
1775 policy
= (struct xfrm_userpolicy_info
*)NLMSG_DATA(hdr
);
1780 struct nlmsgerr
*err
= NLMSG_DATA(hdr
);
1781 DBG1(DBG_KNL
, "querying policy failed: %s (%d)",
1782 strerror(-err
->error
), -err
->error
);
1786 hdr
= NLMSG_NEXT(hdr
, len
);
1797 DBG2(DBG_KNL
, "unable to query policy %R === %R %N", src_ts
, dst_ts
,
1798 policy_dir_names
, direction
);
1803 if (policy
->curlft
.use_time
)
1805 /* we need the monotonic time, but the kernel returns system time. */
1806 *use_time
= time_monotonic(NULL
) - (time(NULL
) - policy
->curlft
.use_time
);
1817 METHOD(kernel_ipsec_t
, del_policy
, status_t
,
1818 private_kernel_netlink_ipsec_t
*this, traffic_selector_t
*src_ts
,
1819 traffic_selector_t
*dst_ts
, policy_dir_t direction
, bool unrouted
)
1821 policy_entry_t
*current
, policy
, *to_delete
= NULL
;
1822 route_entry_t
*route
;
1823 netlink_buf_t request
;
1824 struct nlmsghdr
*hdr
;
1825 struct xfrm_userpolicy_id
*policy_id
;
1827 DBG2(DBG_KNL
, "deleting policy %R === %R %N", src_ts
, dst_ts
,
1828 policy_dir_names
, direction
);
1830 /* create a policy */
1831 memset(&policy
, 0, sizeof(policy_entry_t
));
1832 policy
.sel
= ts2selector(src_ts
, dst_ts
);
1833 policy
.direction
= direction
;
1835 /* find the policy */
1836 this->mutex
->lock(this->mutex
);
1837 current
= this->policies
->get(this->policies
, &policy
);
1840 to_delete
= current
;
1841 if (--to_delete
->refcount
> 0)
1843 /* is used by more SAs, keep in kernel */
1844 DBG2(DBG_KNL
, "policy still used by another CHILD_SA, not removed");
1845 this->mutex
->unlock(this->mutex
);
1848 /* remove if last reference */
1849 this->policies
->remove(this->policies
, to_delete
);
1851 this->mutex
->unlock(this->mutex
);
1854 DBG1(DBG_KNL
, "deleting policy %R === %R %N failed, not found", src_ts
,
1855 dst_ts
, policy_dir_names
, direction
);
1859 memset(&request
, 0, sizeof(request
));
1861 hdr
= (struct nlmsghdr
*)request
;
1862 hdr
->nlmsg_flags
= NLM_F_REQUEST
| NLM_F_ACK
;
1863 hdr
->nlmsg_type
= XFRM_MSG_DELPOLICY
;
1864 hdr
->nlmsg_len
= NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id
));
1866 policy_id
= (struct xfrm_userpolicy_id
*)NLMSG_DATA(hdr
);
1867 policy_id
->sel
= to_delete
->sel
;
1868 policy_id
->dir
= direction
;
1870 route
= to_delete
->route
;
1873 if (this->socket_xfrm
->send_ack(this->socket_xfrm
, hdr
) != SUCCESS
)
1875 DBG1(DBG_KNL
, "unable to delete policy %R === %R %N", src_ts
, dst_ts
,
1876 policy_dir_names
, direction
);
1882 if (charon
->kernel_interface
->del_route(charon
->kernel_interface
,
1883 route
->dst_net
, route
->prefixlen
, route
->gateway
,
1884 route
->src_ip
, route
->if_name
) != SUCCESS
)
1886 DBG1(DBG_KNL
, "error uninstalling route installed with "
1887 "policy %R === %R %N", src_ts
, dst_ts
,
1888 policy_dir_names
, direction
);
1890 route_entry_destroy(route
);
1895 METHOD(kernel_ipsec_t
, bypass_socket
, bool,
1896 private_kernel_netlink_ipsec_t
*this, int fd
, int family
)
1898 struct xfrm_userpolicy_info policy
;
1899 u_int sol
, ipsec_policy
;
1905 ipsec_policy
= IP_XFRM_POLICY
;
1909 ipsec_policy
= IPV6_XFRM_POLICY
;
1915 memset(&policy
, 0, sizeof(policy
));
1916 policy
.action
= XFRM_POLICY_ALLOW
;
1917 policy
.sel
.family
= family
;
1919 policy
.dir
= XFRM_POLICY_OUT
;
1920 if (setsockopt(fd
, sol
, ipsec_policy
, &policy
, sizeof(policy
)) < 0)
1922 DBG1(DBG_KNL
, "unable to set IPSEC_POLICY on socket: %s",
1926 policy
.dir
= XFRM_POLICY_IN
;
1927 if (setsockopt(fd
, sol
, ipsec_policy
, &policy
, sizeof(policy
)) < 0)
1929 DBG1(DBG_KNL
, "unable to set IPSEC_POLICY on socket: %s",
1936 METHOD(kernel_ipsec_t
, destroy
, void,
1937 private_kernel_netlink_ipsec_t
*this)
1939 enumerator_t
*enumerator
;
1940 policy_entry_t
*policy
;
1944 this->job
->cancel(this->job
);
1946 if (this->socket_xfrm_events
> 0)
1948 close(this->socket_xfrm_events
);
1950 DESTROY_IF(this->socket_xfrm
);
1951 enumerator
= this->policies
->create_enumerator(this->policies
);
1952 while (enumerator
->enumerate(enumerator
, &policy
, &policy
))
1956 enumerator
->destroy(enumerator
);
1957 this->policies
->destroy(this->policies
);
1958 this->mutex
->destroy(this->mutex
);
1963 * Described in header.
1965 kernel_netlink_ipsec_t
*kernel_netlink_ipsec_create()
1967 private_kernel_netlink_ipsec_t
*this;
1968 struct sockaddr_nl addr
;
1972 .public.interface
= {
1973 .get_spi
= _get_spi
,
1974 .get_cpi
= _get_cpi
,
1976 .update_sa
= _update_sa
,
1977 .query_sa
= _query_sa
,
1979 .add_policy
= _add_policy
,
1980 .query_policy
= _query_policy
,
1981 .del_policy
= _del_policy
,
1982 .bypass_socket
= _bypass_socket
,
1983 .destroy
= _destroy
,
1985 .policies
= hashtable_create((hashtable_hash_t
)policy_hash
,
1986 (hashtable_equals_t
)policy_equals
, 32),
1987 .mutex
= mutex_create(MUTEX_TYPE_DEFAULT
),
1988 .install_routes
= lib
->settings
->get_bool(lib
->settings
,
1989 "charon.install_routes", TRUE
),
1992 /* disable lifetimes for allocated SPIs in kernel */
1993 fd
= open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY
);
1996 ignore_result(write(fd
, "165", 3));
2000 this->socket_xfrm
= netlink_socket_create(NETLINK_XFRM
);
2001 if (!this->socket_xfrm
)
2007 memset(&addr
, 0, sizeof(addr
));
2008 addr
.nl_family
= AF_NETLINK
;
2010 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
2011 this->socket_xfrm_events
= socket(AF_NETLINK
, SOCK_RAW
, NETLINK_XFRM
);
2012 if (this->socket_xfrm_events
<= 0)
2014 DBG1(DBG_KNL
, "unable to create XFRM event socket");
2018 addr
.nl_groups
= XFRMNLGRP(ACQUIRE
) | XFRMNLGRP(EXPIRE
) |
2019 XFRMNLGRP(MIGRATE
) | XFRMNLGRP(MAPPING
);
2020 if (bind(this->socket_xfrm_events
, (struct sockaddr
*)&addr
, sizeof(addr
)))
2022 DBG1(DBG_KNL
, "unable to bind XFRM event socket");
2026 this->job
= callback_job_create((callback_job_cb_t
)receive_events
,
2028 charon
->processor
->queue_job(charon
->processor
, (job_t
*)this->job
);
2030 return &this->public;