![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to kernel_netlink_ipsec.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / plugins / kernel_netlink|
Return to kernel_netlink_ipsec.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / plugins / kernel_netlink |
1.1 misho 1: /*
2: * Copyright (C) 2006-2019 Tobias Brunner
3: * Copyright (C) 2005-2009 Martin Willi
4: * Copyright (C) 2008-2016 Andreas Steffen
5: * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6: * Copyright (C) 2006 Daniel Roethlisberger
7: * Copyright (C) 2005 Jan Hutter
8: * HSR Hochschule fuer Technik Rapperswil
9: *
10: * This program is free software; you can redistribute it and/or modify it
11: * under the terms of the GNU General Public License as published by the
12: * Free Software Foundation; either version 2 of the License, or (at your
13: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14: *
15: * This program is distributed in the hope that it will be useful, but
16: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18: * for more details.
19: */
20: /*
21: * Copyright (C) 2018 Mellanox Technologies.
22: *
23: * Permission is hereby granted, free of charge, to any person obtaining a copy
24: * of this software and associated documentation files (the "Software"), to deal
25: * in the Software without restriction, including without limitation the rights
26: * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
27: * copies of the Software, and to permit persons to whom the Software is
28: * furnished to do so, subject to the following conditions:
29: *
30: * The above copyright notice and this permission notice shall be included in
31: * all copies or substantial portions of the Software.
32: *
33: * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
34: * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
35: * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
36: * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
37: * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
38: * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
39: * THE SOFTWARE.
40: */
41:
42: #define _GNU_SOURCE
43: #include <sys/types.h>
44: #include <sys/socket.h>
45: #include <sys/ioctl.h>
46: #include <stdint.h>
47: #include <linux/ipsec.h>
48: #include <linux/netlink.h>
49: #include <linux/rtnetlink.h>
50: #include <linux/xfrm.h>
51: #include <linux/udp.h>
52: #include <linux/ethtool.h>
53: #include <linux/sockios.h>
54: #include <net/if.h>
55: #include <unistd.h>
56: #include <time.h>
57: #include <errno.h>
58: #include <string.h>
59: #include <fcntl.h>
60: #include <dlfcn.h>
61:
62: #include "kernel_netlink_ipsec.h"
63: #include "kernel_netlink_shared.h"
64:
65: #include <daemon.h>
66: #include <utils/debug.h>
67: #include <threading/mutex.h>
68: #include <threading/condvar.h>
69: #include <collections/array.h>
70: #include <collections/hashtable.h>
71: #include <collections/linked_list.h>
72:
73: /** Required for Linux 2.6.26 kernel and later */
74: #ifndef XFRM_STATE_AF_UNSPEC
75: #define XFRM_STATE_AF_UNSPEC 32
76: #endif
77:
78: /** From linux/in.h */
79: #ifndef IP_XFRM_POLICY
80: #define IP_XFRM_POLICY 17
81: #endif
82:
83: /** Missing on uclibc */
84: #ifndef IPV6_XFRM_POLICY
85: #define IPV6_XFRM_POLICY 34
86: #endif /*IPV6_XFRM_POLICY*/
87:
88: /* from linux/udp.h */
89: #ifndef UDP_ENCAP
90: #define UDP_ENCAP 100
91: #endif
92:
93: #ifndef UDP_ENCAP_ESPINUDP
94: #define UDP_ENCAP_ESPINUDP 2
95: #endif
96:
97: /* this is not defined on some platforms */
98: #ifndef SOL_UDP
99: #define SOL_UDP IPPROTO_UDP
100: #endif
101:
102: /** Base priority for installed policies */
103: #define PRIO_BASE 200000
104:
105: /**
106: * Map the limit for bytes and packets to XFRM_INF by default
107: */
108: #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x))
109:
110: /**
111: * Create ORable bitfield of XFRM NL groups
112: */
113: #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
114:
115: /**
116: * Returns a pointer to the first rtattr following the nlmsghdr *nlh and the
117: * 'usual' netlink data x like 'struct xfrm_usersa_info'
118: */
119: #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + \
120: NLMSG_ALIGN(sizeof(x))))
121: /**
122: * Returns the total size of attached rta data
123: * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
124: */
125: #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
126:
127: typedef struct kernel_algorithm_t kernel_algorithm_t;
128:
129: /**
130: * Mapping of IKEv2 kernel identifier to linux crypto API names
131: */
132: struct kernel_algorithm_t {
133: /**
134: * Identifier specified in IKEv2
135: */
136: int ikev2;
137:
138: /**
139: * Name of the algorithm in linux crypto API
140: */
141: const char *name;
142: };
143:
144: ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
145: "XFRM_MSG_NEWSA",
146: "XFRM_MSG_DELSA",
147: "XFRM_MSG_GETSA",
148: "XFRM_MSG_NEWPOLICY",
149: "XFRM_MSG_DELPOLICY",
150: "XFRM_MSG_GETPOLICY",
151: "XFRM_MSG_ALLOCSPI",
152: "XFRM_MSG_ACQUIRE",
153: "XFRM_MSG_EXPIRE",
154: "XFRM_MSG_UPDPOLICY",
155: "XFRM_MSG_UPDSA",
156: "XFRM_MSG_POLEXPIRE",
157: "XFRM_MSG_FLUSHSA",
158: "XFRM_MSG_FLUSHPOLICY",
159: "XFRM_MSG_NEWAE",
160: "XFRM_MSG_GETAE",
161: "XFRM_MSG_REPORT",
162: "XFRM_MSG_MIGRATE",
163: "XFRM_MSG_NEWSADINFO",
164: "XFRM_MSG_GETSADINFO",
165: "XFRM_MSG_NEWSPDINFO",
166: "XFRM_MSG_GETSPDINFO",
167: "XFRM_MSG_MAPPING"
168: );
169:
170: ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_OFFLOAD_DEV,
171: "XFRMA_UNSPEC",
172: "XFRMA_ALG_AUTH",
173: "XFRMA_ALG_CRYPT",
174: "XFRMA_ALG_COMP",
175: "XFRMA_ENCAP",
176: "XFRMA_TMPL",
177: "XFRMA_SA",
178: "XFRMA_POLICY",
179: "XFRMA_SEC_CTX",
180: "XFRMA_LTIME_VAL",
181: "XFRMA_REPLAY_VAL",
182: "XFRMA_REPLAY_THRESH",
183: "XFRMA_ETIMER_THRESH",
184: "XFRMA_SRCADDR",
185: "XFRMA_COADDR",
186: "XFRMA_LASTUSED",
187: "XFRMA_POLICY_TYPE",
188: "XFRMA_MIGRATE",
189: "XFRMA_ALG_AEAD",
190: "XFRMA_KMADDRESS",
191: "XFRMA_ALG_AUTH_TRUNC",
192: "XFRMA_MARK",
193: "XFRMA_TFCPAD",
194: "XFRMA_REPLAY_ESN_VAL",
195: "XFRMA_SA_EXTRA_FLAGS",
196: "XFRMA_PROTO",
197: "XFRMA_ADDRESS_FILTER",
198: "XFRMA_PAD",
199: "XFRMA_OFFLOAD_DEV",
200: );
201:
202: /**
203: * Algorithms for encryption
204: */
205: static kernel_algorithm_t encryption_algs[] = {
206: /* {ENCR_DES_IV64, "***" }, */
207: {ENCR_DES, "des" },
208: {ENCR_3DES, "des3_ede" },
209: /* {ENCR_RC5, "***" }, */
210: /* {ENCR_IDEA, "***" }, */
211: {ENCR_CAST, "cast5" },
212: {ENCR_BLOWFISH, "blowfish" },
213: /* {ENCR_3IDEA, "***" }, */
214: /* {ENCR_DES_IV32, "***" }, */
215: {ENCR_NULL, "cipher_null" },
216: {ENCR_AES_CBC, "aes" },
217: {ENCR_AES_CTR, "rfc3686(ctr(aes))" },
218: {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
219: {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
220: {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
221: {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
222: {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
223: {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
224: {ENCR_NULL_AUTH_AES_GMAC, "rfc4543(gcm(aes))" },
225: {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
226: /* {ENCR_CAMELLIA_CTR, "***" }, */
227: /* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
228: /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
229: /* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
230: {ENCR_SERPENT_CBC, "serpent" },
231: {ENCR_TWOFISH_CBC, "twofish" },
232: {ENCR_CHACHA20_POLY1305, "rfc7539esp(chacha20,poly1305)"},
233: };
234:
235: /**
236: * Algorithms for integrity protection
237: */
238: static kernel_algorithm_t integrity_algs[] = {
239: {AUTH_HMAC_MD5_96, "md5" },
240: {AUTH_HMAC_MD5_128, "hmac(md5)" },
241: {AUTH_HMAC_SHA1_96, "sha1" },
242: {AUTH_HMAC_SHA1_160, "hmac(sha1)" },
243: {AUTH_HMAC_SHA2_256_96, "sha256" },
244: {AUTH_HMAC_SHA2_256_128, "hmac(sha256)" },
245: {AUTH_HMAC_SHA2_384_192, "hmac(sha384)" },
246: {AUTH_HMAC_SHA2_512_256, "hmac(sha512)" },
247: /* {AUTH_DES_MAC, "***" }, */
248: /* {AUTH_KPDK_MD5, "***" }, */
249: {AUTH_AES_XCBC_96, "xcbc(aes)" },
250: {AUTH_AES_CMAC_96, "cmac(aes)" },
251: };
252:
253: /**
254: * Algorithms for IPComp
255: */
256: static kernel_algorithm_t compression_algs[] = {
257: /* {IPCOMP_OUI, "***" }, */
258: {IPCOMP_DEFLATE, "deflate" },
259: {IPCOMP_LZS, "lzs" },
260: {IPCOMP_LZJH, "lzjh" },
261: };
262:
263: /**
264: * Look up a kernel algorithm name and its key size
265: */
266: static const char* lookup_algorithm(transform_type_t type, int ikev2)
267: {
268: kernel_algorithm_t *list;
269: int i, count;
270: char *name;
271:
272: switch (type)
273: {
274: case ENCRYPTION_ALGORITHM:
275: list = encryption_algs;
276: count = countof(encryption_algs);
277: break;
278: case INTEGRITY_ALGORITHM:
279: list = integrity_algs;
280: count = countof(integrity_algs);
281: break;
282: case COMPRESSION_ALGORITHM:
283: list = compression_algs;
284: count = countof(compression_algs);
285: break;
286: default:
287: return NULL;
288: }
289: for (i = 0; i < count; i++)
290: {
291: if (list[i].ikev2 == ikev2)
292: {
293: return list[i].name;
294: }
295: }
296: if (charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, NULL,
297: &name))
298: {
299: return name;
300: }
301: return NULL;
302: }
303:
304: typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
305:
306: /**
307: * Private variables and functions of kernel_netlink class.
308: */
309: struct private_kernel_netlink_ipsec_t {
310: /**
311: * Public part of the kernel_netlink_t object
312: */
313: kernel_netlink_ipsec_t public;
314:
315: /**
316: * Mutex to lock access to installed policies
317: */
318: mutex_t *mutex;
319:
320: /**
321: * Condvar to synchronize access to individual policies
322: */
323: condvar_t *condvar;
324:
325: /**
326: * Hash table of installed policies (policy_entry_t)
327: */
328: hashtable_t *policies;
329:
330: /**
331: * Hash table of IPsec SAs using policies (ipsec_sa_t)
332: */
333: hashtable_t *sas;
334:
335: /**
336: * Netlink xfrm socket (IPsec)
337: */
338: netlink_socket_t *socket_xfrm;
339:
340: /**
341: * Netlink xfrm socket to receive acquire and expire events
342: */
343: int socket_xfrm_events;
344:
345: /**
346: * Whether to install routes along policies
347: */
348: bool install_routes;
349:
350: /**
351: * Whether to set protocol and ports on selector installed with transport
352: * mode IPsec SAs
353: */
354: bool proto_port_transport;
355:
356: /**
357: * Whether to always use UPDATE to install policies
358: */
359: bool policy_update;
360:
361: /**
362: * Installed port based IKE bypass policies, as bypass_t
363: */
364: array_t *bypass;
365:
366: /**
367: * Custom priority calculation function
368: */
369: uint32_t (*get_priority)(kernel_ipsec_policy_id_t *id,
370: kernel_ipsec_manage_policy_t *data);
371: };
372:
373: typedef struct ipsec_sa_t ipsec_sa_t;
374:
375: /**
376: * IPsec SA assigned to a policy.
377: */
378: struct ipsec_sa_t {
379: /** Source address of this SA */
380: host_t *src;
381:
382: /** Destination address of this SA */
383: host_t *dst;
384:
385: /** Optional mark */
386: mark_t mark;
387:
388: /** Optional mark */
389: uint32_t if_id;
390:
391: /** Description of this SA */
392: ipsec_sa_cfg_t cfg;
393:
394: /** Reference count for this SA */
395: refcount_t refcount;
396: };
397:
398: /**
399: * Hash function for ipsec_sa_t objects
400: */
401: static u_int ipsec_sa_hash(ipsec_sa_t *sa)
402: {
403: return chunk_hash_inc(sa->src->get_address(sa->src),
404: chunk_hash_inc(sa->dst->get_address(sa->dst),
405: chunk_hash_inc(chunk_from_thing(sa->mark),
406: chunk_hash_inc(chunk_from_thing(sa->if_id),
407: chunk_hash(chunk_from_thing(sa->cfg))))));
408: }
409:
410: /**
411: * Equality function for ipsec_sa_t objects
412: */
413: static bool ipsec_sa_equals(ipsec_sa_t *sa, ipsec_sa_t *other_sa)
414: {
415: return sa->src->ip_equals(sa->src, other_sa->src) &&
416: sa->dst->ip_equals(sa->dst, other_sa->dst) &&
417: sa->mark.value == other_sa->mark.value &&
418: sa->mark.mask == other_sa->mark.mask &&
419: sa->if_id == other_sa->if_id &&
420: ipsec_sa_cfg_equals(&sa->cfg, &other_sa->cfg);
421: }
422:
423: /**
424: * Allocate or reference an IPsec SA object
425: */
426: static ipsec_sa_t *ipsec_sa_create(private_kernel_netlink_ipsec_t *this,
427: host_t *src, host_t *dst, mark_t mark,
428: uint32_t if_id, ipsec_sa_cfg_t *cfg)
429: {
430: ipsec_sa_t *sa, *found;
431: INIT(sa,
432: .src = src,
433: .dst = dst,
434: .mark = mark,
435: .if_id = if_id,
436: .cfg = *cfg,
437: );
438: found = this->sas->get(this->sas, sa);
439: if (!found)
440: {
441: sa->src = src->clone(src);
442: sa->dst = dst->clone(dst);
443: this->sas->put(this->sas, sa, sa);
444: }
445: else
446: {
447: free(sa);
448: sa = found;
449: }
450: ref_get(&sa->refcount);
451: return sa;
452: }
453:
454: /**
455: * Release and destroy an IPsec SA object
456: */
457: static void ipsec_sa_destroy(private_kernel_netlink_ipsec_t *this,
458: ipsec_sa_t *sa)
459: {
460: if (ref_put(&sa->refcount))
461: {
462: this->sas->remove(this->sas, sa);
463: DESTROY_IF(sa->src);
464: DESTROY_IF(sa->dst);
465: free(sa);
466: }
467: }
468:
469: typedef struct policy_sa_t policy_sa_t;
470: typedef struct policy_sa_out_t policy_sa_out_t;
471:
472: /**
473: * Mapping between a policy and an IPsec SA.
474: */
475: struct policy_sa_t {
476: /** Priority assigned to the policy when installed with this SA */
477: uint32_t priority;
478:
479: /** Automatic priority assigned to the policy when installed with this SA */
480: uint32_t auto_priority;
481:
482: /** Type of the policy */
483: policy_type_t type;
484:
485: /** Assigned SA */
486: ipsec_sa_t *sa;
487: };
488:
489: /**
490: * For outbound policies we also cache the traffic selectors in order to install
491: * the route.
492: */
493: struct policy_sa_out_t {
494: /** Generic interface */
495: policy_sa_t generic;
496:
497: /** Source traffic selector of this policy */
498: traffic_selector_t *src_ts;
499:
500: /** Destination traffic selector of this policy */
501: traffic_selector_t *dst_ts;
502: };
503:
504: /**
505: * Create a policy_sa(_in)_t object
506: */
507: static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this,
508: policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst,
509: traffic_selector_t *src_ts, traffic_selector_t *dst_ts, mark_t mark,
510: uint32_t if_id, ipsec_sa_cfg_t *cfg)
511: {
512: policy_sa_t *policy;
513:
514: if (dir == POLICY_OUT)
515: {
516: policy_sa_out_t *out;
517: INIT(out,
518: .src_ts = src_ts->clone(src_ts),
519: .dst_ts = dst_ts->clone(dst_ts),
520: );
521: policy = &out->generic;
522: }
523: else
524: {
525: INIT(policy, .priority = 0);
526: }
527: policy->type = type;
528: policy->sa = ipsec_sa_create(this, src, dst, mark, if_id, cfg);
529: return policy;
530: }
531:
532: /**
533: * Destroy a policy_sa(_in)_t object
534: */
535: static void policy_sa_destroy(policy_sa_t *policy, policy_dir_t dir,
536: private_kernel_netlink_ipsec_t *this)
537: {
538: if (dir == POLICY_OUT)
539: {
540: policy_sa_out_t *out = (policy_sa_out_t*)policy;
541: out->src_ts->destroy(out->src_ts);
542: out->dst_ts->destroy(out->dst_ts);
543: }
544: ipsec_sa_destroy(this, policy->sa);
545: free(policy);
546: }
547:
548: CALLBACK(policy_sa_destroy_cb, void,
549: policy_sa_t *policy, va_list args)
550: {
551: private_kernel_netlink_ipsec_t *this;
552: policy_dir_t dir;
553:
554: VA_ARGS_VGET(args, dir, this);
555: policy_sa_destroy(policy, dir, this);
556: }
557:
558: typedef struct policy_entry_t policy_entry_t;
559:
560: /**
561: * Installed kernel policy.
562: */
563: struct policy_entry_t {
564:
565: /** Direction of this policy: in, out, forward */
566: uint8_t direction;
567:
568: /** Parameters of installed policy */
569: struct xfrm_selector sel;
570:
571: /** Optional mark */
572: uint32_t mark;
573:
574: /** Optional interface ID */
575: uint32_t if_id;
576:
577: /** Associated route installed for this policy */
578: route_entry_t *route;
579:
580: /** List of SAs this policy is used by, ordered by priority */
581: linked_list_t *used_by;
582:
583: /** reqid for this policy */
584: uint32_t reqid;
585:
586: /** Number of threads waiting to work on this policy */
587: int waiting;
588:
589: /** TRUE if a thread is working on this policy */
590: bool working;
591: };
592:
593: /**
594: * Destroy a policy_entry_t object
595: */
596: static void policy_entry_destroy(private_kernel_netlink_ipsec_t *this,
597: policy_entry_t *policy)
598: {
599: if (policy->route)
600: {
601: route_entry_destroy(policy->route);
602: }
603: if (policy->used_by)
604: {
605: policy->used_by->invoke_function(policy->used_by, policy_sa_destroy_cb,
606: policy->direction, this);
607: policy->used_by->destroy(policy->used_by);
608: }
609: free(policy);
610: }
611:
612: /**
613: * Hash function for policy_entry_t objects
614: */
615: static u_int policy_hash(policy_entry_t *key)
616: {
617: chunk_t chunk = chunk_from_thing(key->sel);
618: return chunk_hash_inc(chunk, chunk_hash_inc(chunk_from_thing(key->mark),
619: chunk_hash(chunk_from_thing(key->if_id))));
620: }
621:
622: /**
623: * Equality function for policy_entry_t objects
624: */
625: static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
626: {
627: return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
628: key->mark == other_key->mark &&
629: key->if_id == other_key->if_id &&
630: key->direction == other_key->direction;
631: }
632:
633: /**
634: * Determine number of set bits in 16 bit port mask
635: */
636: static inline uint32_t port_mask_bits(uint16_t port_mask)
637: {
638: uint32_t bits;
639: uint16_t bit_mask = 0x8000;
640:
641: port_mask = ntohs(port_mask);
642:
643: for (bits = 0; bits < 16; bits++)
644: {
645: if (!(port_mask & bit_mask))
646: {
647: break;
648: }
649: bit_mask >>= 1;
650: }
651: return bits;
652: }
653:
654: /**
655: * Calculate the priority of a policy
656: *
657: * bits 0-0: separate trap and regular policies (0..1) 1 bit
658: * bits 1-1: restriction to network interface (0..1) 1 bit
659: * bits 2-7: src + dst port mask bits (2 * 0..16) 6 bits
660: * bits 8-8: restriction to protocol (0..1) 1 bit
661: * bits 9-17: src + dst network mask bits (2 * 0..128) 9 bits
662: * 18 bits
663: *
664: * smallest value: 000000000 0 000000 0 0: 0, lowest priority = 200'000
665: * largest value : 100000000 1 100000 1 1: 131'459, highst priority = 68'541
666: */
667: static uint32_t get_priority(policy_entry_t *policy, policy_priority_t prio,
668: char *interface)
669: {
670: uint32_t priority = PRIO_BASE, sport_mask_bits, dport_mask_bits;
671:
672: switch (prio)
673: {
674: case POLICY_PRIORITY_FALLBACK:
675: priority += PRIO_BASE;
676: /* fall-through to next case */
677: case POLICY_PRIORITY_ROUTED:
678: case POLICY_PRIORITY_DEFAULT:
679: priority += PRIO_BASE;
680: /* fall-through to next case */
681: case POLICY_PRIORITY_PASS:
682: break;
683: }
684: sport_mask_bits = port_mask_bits(policy->sel.sport_mask);
685: dport_mask_bits = port_mask_bits(policy->sel.dport_mask);
686:
687: /* calculate priority */
688: priority -= (policy->sel.prefixlen_s + policy->sel.prefixlen_d) * 512;
689: priority -= policy->sel.proto ? 256 : 0;
690: priority -= (sport_mask_bits + dport_mask_bits) * 4;
691: priority -= (interface != NULL) * 2;
692: priority -= (prio != POLICY_PRIORITY_ROUTED);
693:
694: return priority;
695: }
696:
697: /**
698: * Convert the general ipsec mode to the one defined in xfrm.h
699: */
700: static uint8_t mode2kernel(ipsec_mode_t mode)
701: {
702: switch (mode)
703: {
704: case MODE_TRANSPORT:
705: return XFRM_MODE_TRANSPORT;
706: case MODE_TUNNEL:
707: return XFRM_MODE_TUNNEL;
708: case MODE_BEET:
709: return XFRM_MODE_BEET;
710: default:
711: return mode;
712: }
713: }
714:
715: /**
716: * Convert a host_t to a struct xfrm_address
717: */
718: static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
719: {
720: chunk_t chunk = host->get_address(host);
721: memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
722: }
723:
724: /**
725: * Convert a struct xfrm_address to a host_t
726: */
727: static host_t* xfrm2host(int family, xfrm_address_t *xfrm, uint16_t port)
728: {
729: chunk_t chunk;
730:
731: switch (family)
732: {
733: case AF_INET:
734: chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
735: break;
736: case AF_INET6:
737: chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
738: break;
739: default:
740: return NULL;
741: }
742: return host_create_from_chunk(family, chunk, ntohs(port));
743: }
744:
745: /**
746: * Convert a traffic selector address range to subnet and its mask.
747: */
748: static void ts2subnet(traffic_selector_t* ts,
749: xfrm_address_t *net, uint8_t *mask)
750: {
751: host_t *net_host;
752: chunk_t net_chunk;
753:
754: ts->to_subnet(ts, &net_host, mask);
755: net_chunk = net_host->get_address(net_host);
756: memcpy(net, net_chunk.ptr, net_chunk.len);
757: net_host->destroy(net_host);
758: }
759:
760: /**
761: * Convert a traffic selector port range to port/portmask
762: */
763: static void ts2ports(traffic_selector_t* ts,
764: uint16_t *port, uint16_t *mask)
765: {
766: uint16_t from, to, bitmask;
767: int bit;
768:
769: from = ts->get_from_port(ts);
770: to = ts->get_to_port(ts);
771:
772: /* Quick check for a single port */
773: if (from == to)
774: {
775: *port = htons(from);
776: *mask = ~0;
777: }
778: else
779: {
780: /* Compute the port mask for port ranges */
781: *mask = 0;
782:
783: for (bit = 15; bit >= 0; bit--)
784: {
785: bitmask = 1 << bit;
786:
787: if ((bitmask & from) != (bitmask & to))
788: {
789: *port = htons(from & *mask);
790: *mask = htons(*mask);
791: return;
792: }
793: *mask |= bitmask;
794: }
795: }
796: return;
797: }
798:
799: /**
800: * Convert a pair of traffic_selectors to an xfrm_selector
801: */
802: static struct xfrm_selector ts2selector(traffic_selector_t *src,
803: traffic_selector_t *dst,
804: char *interface)
805: {
806: struct xfrm_selector sel;
807: uint16_t port;
808:
809: memset(&sel, 0, sizeof(sel));
810: sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
811: /* src or dest proto may be "any" (0), use more restrictive one */
812: sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
813: ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
814: ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
815: ts2ports(dst, &sel.dport, &sel.dport_mask);
816: ts2ports(src, &sel.sport, &sel.sport_mask);
817: if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
818: (sel.dport || sel.sport))
819: {
820: /* the kernel expects the ICMP type and code in the source and
821: * destination port fields, respectively. */
822: port = ntohs(max(sel.dport, sel.sport));
823: sel.sport = htons(traffic_selector_icmp_type(port));
824: sel.sport_mask = sel.sport ? ~0 : 0;
825: sel.dport = htons(traffic_selector_icmp_code(port));
826: sel.dport_mask = sel.dport ? ~0 : 0;
827: }
828: sel.ifindex = interface ? if_nametoindex(interface) : 0;
829: sel.user = 0;
830:
831: return sel;
832: }
833:
834: /**
835: * Convert an xfrm_selector to a src|dst traffic_selector
836: */
837: static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
838: {
839: u_char *addr;
840: uint8_t prefixlen;
841: uint16_t port = 0;
842: host_t *host = NULL;
843:
844: if (src)
845: {
846: addr = (u_char*)&sel->saddr;
847: prefixlen = sel->prefixlen_s;
848: if (sel->sport_mask)
849: {
850: port = ntohs(sel->sport);
851: }
852: }
853: else
854: {
855: addr = (u_char*)&sel->daddr;
856: prefixlen = sel->prefixlen_d;
857: if (sel->dport_mask)
858: {
859: port = ntohs(sel->dport);
860: }
861: }
862: if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
863: { /* convert ICMP[v6] message type and code as supplied by the kernel in
864: * source and destination ports (both in network order) */
865: port = (sel->sport >> 8) | (sel->dport & 0xff00);
866: port = ntohs(port);
867: }
868: /* The Linux 2.6 kernel does not set the selector's family field,
869: * so as a kludge we additionally test the prefix length.
870: */
871: if (sel->family == AF_INET || sel->prefixlen_s == 32)
872: {
873: host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
874: }
875: else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
876: {
877: host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
878: }
879:
880: if (host)
881: {
882: return traffic_selector_create_from_subnet(host, prefixlen,
883: sel->proto, port, port ?: 65535);
884: }
885: return NULL;
886: }
887:
888: /**
889: * Process a XFRM_MSG_ACQUIRE from kernel
890: */
891: static void process_acquire(private_kernel_netlink_ipsec_t *this,
892: struct nlmsghdr *hdr)
893: {
894: struct xfrm_user_acquire *acquire;
895: struct rtattr *rta;
896: size_t rtasize;
897: traffic_selector_t *src_ts, *dst_ts;
898: uint32_t reqid = 0;
899: int proto = 0;
900:
901: acquire = NLMSG_DATA(hdr);
902: rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
903: rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
904:
905: DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
906:
907: while (RTA_OK(rta, rtasize))
908: {
909: DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
910:
911: if (rta->rta_type == XFRMA_TMPL)
912: {
913: struct xfrm_user_tmpl* tmpl;
914: tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
915: reqid = tmpl->reqid;
916: proto = tmpl->id.proto;
917: }
918: rta = RTA_NEXT(rta, rtasize);
919: }
920: switch (proto)
921: {
922: case 0:
923: case IPPROTO_ESP:
924: case IPPROTO_AH:
925: break;
926: default:
927: /* acquire for AH/ESP only, not for IPCOMP */
928: return;
929: }
930: src_ts = selector2ts(&acquire->sel, TRUE);
931: dst_ts = selector2ts(&acquire->sel, FALSE);
932:
933: charon->kernel->acquire(charon->kernel, reqid, src_ts, dst_ts);
934: }
935:
936: /**
937: * Process a XFRM_MSG_EXPIRE from kernel
938: */
939: static void process_expire(private_kernel_netlink_ipsec_t *this,
940: struct nlmsghdr *hdr)
941: {
942: struct xfrm_user_expire *expire;
943: uint32_t spi;
944: uint8_t protocol;
945: host_t *dst;
946:
947: expire = NLMSG_DATA(hdr);
948: protocol = expire->state.id.proto;
949: spi = expire->state.id.spi;
950:
951: DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
952:
953: if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH)
954: {
955: dst = xfrm2host(expire->state.family, &expire->state.id.daddr, 0);
956: if (dst)
957: {
958: charon->kernel->expire(charon->kernel, protocol, spi, dst,
959: expire->hard != 0);
960: dst->destroy(dst);
961: }
962: }
963: }
964:
965: /**
966: * Process a XFRM_MSG_MIGRATE from kernel
967: */
968: static void process_migrate(private_kernel_netlink_ipsec_t *this,
969: struct nlmsghdr *hdr)
970: {
971: struct xfrm_userpolicy_id *policy_id;
972: struct rtattr *rta;
973: size_t rtasize;
974: traffic_selector_t *src_ts, *dst_ts;
975: host_t *local = NULL, *remote = NULL;
976: host_t *old_src = NULL, *old_dst = NULL;
977: host_t *new_src = NULL, *new_dst = NULL;
978: uint32_t reqid = 0;
979: policy_dir_t dir;
980:
981: policy_id = NLMSG_DATA(hdr);
982: rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
983: rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
984:
985: DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
986:
987: src_ts = selector2ts(&policy_id->sel, TRUE);
988: dst_ts = selector2ts(&policy_id->sel, FALSE);
989: dir = (policy_dir_t)policy_id->dir;
990:
991: DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
992:
993: while (RTA_OK(rta, rtasize))
994: {
995: DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
996: if (rta->rta_type == XFRMA_KMADDRESS)
997: {
998: struct xfrm_user_kmaddress *kmaddress;
999:
1000: kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
1001: local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
1002: remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
1003: DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
1004: }
1005: else if (rta->rta_type == XFRMA_MIGRATE)
1006: {
1007: struct xfrm_user_migrate *migrate;
1008:
1009: migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
1010: old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
1011: old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
1012: new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
1013: new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
1014: reqid = migrate->reqid;
1015: DBG2(DBG_KNL, " migrate %H...%H to %H...%H, reqid {%u}",
1016: old_src, old_dst, new_src, new_dst, reqid);
1017: DESTROY_IF(old_src);
1018: DESTROY_IF(old_dst);
1019: DESTROY_IF(new_src);
1020: DESTROY_IF(new_dst);
1021: }
1022: rta = RTA_NEXT(rta, rtasize);
1023: }
1024:
1025: if (src_ts && dst_ts && local && remote)
1026: {
1027: charon->kernel->migrate(charon->kernel, reqid, src_ts, dst_ts, dir,
1028: local, remote);
1029: }
1030: else
1031: {
1032: DESTROY_IF(src_ts);
1033: DESTROY_IF(dst_ts);
1034: DESTROY_IF(local);
1035: DESTROY_IF(remote);
1036: }
1037: }
1038:
1039: /**
1040: * Process a XFRM_MSG_MAPPING from kernel
1041: */
1042: static void process_mapping(private_kernel_netlink_ipsec_t *this,
1043: struct nlmsghdr *hdr)
1044: {
1045: struct xfrm_user_mapping *mapping;
1046: uint32_t spi;
1047:
1048: mapping = NLMSG_DATA(hdr);
1049: spi = mapping->id.spi;
1050:
1051: DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
1052:
1053: if (mapping->id.proto == IPPROTO_ESP)
1054: {
1055: host_t *dst, *new;
1056:
1057: dst = xfrm2host(mapping->id.family, &mapping->id.daddr, 0);
1058: if (dst)
1059: {
1060: new = xfrm2host(mapping->id.family, &mapping->new_saddr,
1061: mapping->new_sport);
1062: if (new)
1063: {
1064: charon->kernel->mapping(charon->kernel, IPPROTO_ESP, spi, dst,
1065: new);
1066: new->destroy(new);
1067: }
1068: dst->destroy(dst);
1069: }
1070: }
1071: }
1072:
1073: /**
1074: * Receives events from kernel
1075: */
1076: static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd,
1077: watcher_event_t event)
1078: {
1079: char response[netlink_get_buflen()];
1080: struct nlmsghdr *hdr = (struct nlmsghdr*)response;
1081: struct sockaddr_nl addr;
1082: socklen_t addr_len = sizeof(addr);
1083: int len;
1084:
1085: len = recvfrom(this->socket_xfrm_events, response, sizeof(response),
1086: MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len);
1087: if (len < 0)
1088: {
1089: switch (errno)
1090: {
1091: case EINTR:
1092: /* interrupted, try again */
1093: return TRUE;
1094: case EAGAIN:
1095: /* no data ready, select again */
1096: return TRUE;
1097: default:
1098: DBG1(DBG_KNL, "unable to receive from XFRM event socket: %s "
1099: "(%d)", strerror(errno), errno);
1100: sleep(1);
1101: return TRUE;
1102: }
1103: }
1104:
1105: if (addr.nl_pid != 0)
1106: { /* not from kernel. not interested, try another one */
1107: return TRUE;
1108: }
1109:
1110: while (NLMSG_OK(hdr, len))
1111: {
1112: switch (hdr->nlmsg_type)
1113: {
1114: case XFRM_MSG_ACQUIRE:
1115: process_acquire(this, hdr);
1116: break;
1117: case XFRM_MSG_EXPIRE:
1118: process_expire(this, hdr);
1119: break;
1120: case XFRM_MSG_MIGRATE:
1121: process_migrate(this, hdr);
1122: break;
1123: case XFRM_MSG_MAPPING:
1124: process_mapping(this, hdr);
1125: break;
1126: default:
1127: DBG1(DBG_KNL, "received unknown event from XFRM event "
1128: "socket: %d", hdr->nlmsg_type);
1129: break;
1130: }
1131: hdr = NLMSG_NEXT(hdr, len);
1132: }
1133: return TRUE;
1134: }
1135:
1136: METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
1137: private_kernel_netlink_ipsec_t *this)
1138: {
1139: return KERNEL_ESP_V3_TFC | KERNEL_POLICY_SPI;
1140: }
1141:
1142: /**
1143: * Get an SPI for a specific protocol from the kernel.
1144: */
1145: static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
1146: host_t *src, host_t *dst, uint8_t proto, uint32_t min, uint32_t max,
1147: uint32_t *spi)
1148: {
1149: netlink_buf_t request;
1150: struct nlmsghdr *hdr, *out;
1151: struct xfrm_userspi_info *userspi;
1152: uint32_t received_spi = 0;
1153: size_t len;
1154:
1155: memset(&request, 0, sizeof(request));
1156:
1157: hdr = &request.hdr;
1158: hdr->nlmsg_flags = NLM_F_REQUEST;
1159: hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
1160: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
1161:
1162: userspi = NLMSG_DATA(hdr);
1163: host2xfrm(src, &userspi->info.saddr);
1164: host2xfrm(dst, &userspi->info.id.daddr);
1165: userspi->info.id.proto = proto;
1166: userspi->info.mode = XFRM_MODE_TUNNEL;
1167: userspi->info.family = src->get_family(src);
1168: userspi->min = min;
1169: userspi->max = max;
1170:
1171: if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1172: {
1173: hdr = out;
1174: while (NLMSG_OK(hdr, len))
1175: {
1176: switch (hdr->nlmsg_type)
1177: {
1178: case XFRM_MSG_NEWSA:
1179: {
1180: struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
1181: received_spi = usersa->id.spi;
1182: break;
1183: }
1184: case NLMSG_ERROR:
1185: {
1186: struct nlmsgerr *err = NLMSG_DATA(hdr);
1187: DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
1188: strerror(-err->error), -err->error);
1189: break;
1190: }
1191: default:
1192: hdr = NLMSG_NEXT(hdr, len);
1193: continue;
1194: case NLMSG_DONE:
1195: break;
1196: }
1197: break;
1198: }
1199: free(out);
1200: }
1201:
1202: if (received_spi == 0)
1203: {
1204: return FAILED;
1205: }
1206:
1207: *spi = received_spi;
1208: return SUCCESS;
1209: }
1210:
1211: METHOD(kernel_ipsec_t, get_spi, status_t,
1212: private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1213: uint8_t protocol, uint32_t *spi)
1214: {
1215: uint32_t spi_min, spi_max;
1216:
1217: spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
1218: KERNEL_SPI_MIN, lib->ns);
1219: spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
1220: KERNEL_SPI_MAX, lib->ns);
1221:
1222: if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max),
1223: max(spi_min, spi_max), spi) != SUCCESS)
1224: {
1225: DBG1(DBG_KNL, "unable to get SPI");
1226: return FAILED;
1227: }
1228:
1229: DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi));
1230: return SUCCESS;
1231: }
1232:
1233: METHOD(kernel_ipsec_t, get_cpi, status_t,
1234: private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
1235: uint16_t *cpi)
1236: {
1237: uint32_t received_spi = 0;
1238:
1239: if (get_spi_internal(this, src, dst, IPPROTO_COMP,
1240: 0x100, 0xEFFF, &received_spi) != SUCCESS)
1241: {
1242: DBG1(DBG_KNL, "unable to get CPI");
1243: return FAILED;
1244: }
1245:
1246: *cpi = htons((uint16_t)ntohl(received_spi));
1247:
1248: DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi));
1249: return SUCCESS;
1250: }
1251:
1252: /**
1253: * Format the mark for debug messages
1254: */
1255: static void format_mark(char *buf, int buflen, mark_t mark)
1256: {
1257: if (mark.value | mark.mask)
1258: {
1259: snprintf(buf, buflen, " (mark %u/0x%08x)", mark.value, mark.mask);
1260: }
1261: }
1262:
1263: /**
1264: * Add a XFRM mark to message if required
1265: */
1266: static bool add_mark(struct nlmsghdr *hdr, int buflen, mark_t mark)
1267: {
1268: if (mark.value | mark.mask)
1269: {
1270: struct xfrm_mark *xmrk;
1271:
1272: xmrk = netlink_reserve(hdr, buflen, XFRMA_MARK, sizeof(*xmrk));
1273: if (!xmrk)
1274: {
1275: return FALSE;
1276: }
1277: xmrk->v = mark.value;
1278: xmrk->m = mark.mask;
1279: }
1280: return TRUE;
1281: }
1282:
1283: /**
1284: * Add a uint32 attribute to message
1285: */
1286: static bool add_uint32(struct nlmsghdr *hdr, int buflen,
1287: enum xfrm_attr_type_t type, uint32_t value)
1288: {
1289: uint32_t *xvalue;
1290:
1291: xvalue = netlink_reserve(hdr, buflen, type, sizeof(*xvalue));
1292: if (!xvalue)
1293: {
1294: return FALSE;
1295: }
1296: *xvalue = value;
1297: return TRUE;
1298: }
1299:
1300: /* ETHTOOL_GSSET_INFO is available since 2.6.34 and ETH_SS_FEATURES (enum) and
1301: * ETHTOOL_GFEATURES since 2.6.39, so check for the latter */
1302: #ifdef ETHTOOL_GFEATURES
1303:
1304: /**
1305: * Global metadata used for IPsec HW offload
1306: */
1307: static struct {
1308: /** determined HW offload support */
1309: bool supported;
1310: /** bit in feature set */
1311: u_int bit;
1312: /** total number of device feature blocks */
1313: u_int total_blocks;
1314: } netlink_hw_offload;
1315:
1316: /**
1317: * Check if kernel supports HW offload and determine feature flag
1318: */
1319: static void netlink_find_offload_feature(const char *ifname)
1320: {
1321: struct ethtool_sset_info *sset_info;
1322: struct ethtool_gstrings *cmd = NULL;
1323: struct ifreq ifr;
1324: uint32_t sset_len, i;
1325: char *str;
1326: int err, query_socket;
1327:
1328: query_socket = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
1329: if (query_socket < 0)
1330: {
1331: return;
1332: }
1333:
1334: /* determine number of device features */
1335: INIT_EXTRA(sset_info, sizeof(uint32_t),
1336: .cmd = ETHTOOL_GSSET_INFO,
1337: .sset_mask = 1ULL << ETH_SS_FEATURES,
1338: );
1339: strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
1340: ifr.ifr_name[IFNAMSIZ-1] = '\0';
1341: ifr.ifr_data = (void*)sset_info;
1342:
1343: err = ioctl(query_socket, SIOCETHTOOL, &ifr);
1344: if (err || sset_info->sset_mask != 1ULL << ETH_SS_FEATURES)
1345: {
1346: goto out;
1347: }
1348: sset_len = sset_info->data[0];
1349:
1350: /* retrieve names of device features */
1351: INIT_EXTRA(cmd, ETH_GSTRING_LEN * sset_len,
1352: .cmd = ETHTOOL_GSTRINGS,
1353: .string_set = ETH_SS_FEATURES,
1354: );
1355: strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
1356: ifr.ifr_name[IFNAMSIZ-1] = '\0';
1357: ifr.ifr_data = (void*)cmd;
1358:
1359: err = ioctl(query_socket, SIOCETHTOOL, &ifr);
1360: if (err)
1361: {
1362: goto out;
1363: }
1364:
1365: /* look for the ESP_HW feature bit */
1366: str = (char*)cmd->data;
1367: for (i = 0; i < cmd->len; i++)
1368: {
1369: if (strneq(str, "esp-hw-offload", ETH_GSTRING_LEN))
1370: {
1371: netlink_hw_offload.supported = TRUE;
1372: netlink_hw_offload.bit = i;
1373: netlink_hw_offload.total_blocks = (sset_len + 31) / 32;
1374: break;
1375: }
1376: str += ETH_GSTRING_LEN;
1377: }
1378:
1379: out:
1380: free(sset_info);
1381: free(cmd);
1382: close(query_socket);
1383: }
1384:
1385: /**
1386: * Check if interface supported HW offload
1387: */
1388: static bool netlink_detect_offload(const char *ifname)
1389: {
1390: struct ethtool_gfeatures *cmd;
1391: uint32_t feature_bit;
1392: struct ifreq ifr;
1393: int query_socket;
1394: int block;
1395: bool ret = FALSE;
1396:
1397: if (!netlink_hw_offload.supported)
1398: {
1399: DBG1(DBG_KNL, "HW offload is not supported by kernel");
1400: return FALSE;
1401: }
1402:
1403: query_socket = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
1404: if (query_socket < 0)
1405: {
1406: return FALSE;
1407: }
1408:
1409: /* feature is supported by kernel, query device features */
1410: INIT_EXTRA(cmd, sizeof(cmd->features[0]) * netlink_hw_offload.total_blocks,
1411: .cmd = ETHTOOL_GFEATURES,
1412: .size = netlink_hw_offload.total_blocks,
1413: );
1414: strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
1415: ifr.ifr_name[IFNAMSIZ-1] = '\0';
1416: ifr.ifr_data = (void*)cmd;
1417:
1418: if (!ioctl(query_socket, SIOCETHTOOL, &ifr))
1419: {
1420: block = netlink_hw_offload.bit / 32;
1421: feature_bit = 1U << (netlink_hw_offload.bit % 32);
1422: if (cmd->features[block].active & feature_bit)
1423: {
1424: ret = TRUE;
1425: }
1426: }
1427:
1428: if (!ret)
1429: {
1430: DBG1(DBG_KNL, "HW offload is not supported by device");
1431: }
1432: free(cmd);
1433: close(query_socket);
1434: return ret;
1435: }
1436:
1437: #else
1438:
1439: static void netlink_find_offload_feature(const char *ifname)
1440: {
1441: }
1442:
1443: static bool netlink_detect_offload(const char *ifname)
1444: {
1445: return FALSE;
1446: }
1447:
1448: #endif
1449:
1450: /**
1451: * There are 3 HW offload configuration values:
1452: * 1. HW_OFFLOAD_NO : Do not configure HW offload.
1453: * 2. HW_OFFLOAD_YES : Configure HW offload.
1454: * Fail SA addition if offload is not supported.
1455: * 3. HW_OFFLOAD_AUTO : Configure HW offload if supported by the kernel
1456: * and device.
1457: * Do not fail SA addition otherwise.
1458: */
1459: static bool config_hw_offload(kernel_ipsec_sa_id_t *id,
1460: kernel_ipsec_add_sa_t *data, struct nlmsghdr *hdr,
1461: int buflen)
1462: {
1463: host_t *local = data->inbound ? id->dst : id->src;
1464: struct xfrm_user_offload *offload;
1465: bool hw_offload_yes, ret = FALSE;
1466: char *ifname;
1467:
1468: /* do Ipsec configuration without offload */
1469: if (data->hw_offload == HW_OFFLOAD_NO)
1470: {
1471: return TRUE;
1472: }
1473:
1474: hw_offload_yes = (data->hw_offload == HW_OFFLOAD_YES);
1475:
1476: if (!charon->kernel->get_interface(charon->kernel, local, &ifname))
1477: {
1478: return !hw_offload_yes;
1479: }
1480:
1481: /* check if interface supports hw_offload */
1482: if (!netlink_detect_offload(ifname))
1483: {
1484: ret = !hw_offload_yes;
1485: goto out;
1486: }
1487:
1488: /* activate HW offload */
1489: offload = netlink_reserve(hdr, buflen,
1490: XFRMA_OFFLOAD_DEV, sizeof(*offload));
1491: if (!offload)
1492: {
1493: ret = !hw_offload_yes;
1494: goto out;
1495: }
1496: offload->ifindex = if_nametoindex(ifname);
1497: if (local->get_family(local) == AF_INET6)
1498: {
1499: offload->flags |= XFRM_OFFLOAD_IPV6;
1500: }
1501: offload->flags |= data->inbound ? XFRM_OFFLOAD_INBOUND : 0;
1502:
1503: ret = TRUE;
1504:
1505: out:
1506: free(ifname);
1507: return ret;
1508: }
1509:
1510: METHOD(kernel_ipsec_t, add_sa, status_t,
1511: private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
1512: kernel_ipsec_add_sa_t *data)
1513: {
1514: netlink_buf_t request;
1515: const char *alg_name;
1516: char markstr[32] = "";
1517: struct nlmsghdr *hdr;
1518: struct xfrm_usersa_info *sa;
1519: uint16_t icv_size = 64, ipcomp = data->ipcomp;
1520: ipsec_mode_t mode = data->mode, original_mode = data->mode;
1521: traffic_selector_t *first_src_ts, *first_dst_ts;
1522: status_t status = FAILED;
1523:
1524: /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
1525: * we are in the recursive call below */
1526: if (ipcomp != IPCOMP_NONE && data->cpi != 0)
1527: {
1528: lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
1529: kernel_ipsec_sa_id_t ipcomp_id = {
1530: .src = id->src,
1531: .dst = id->dst,
1532: .spi = htonl(ntohs(data->cpi)),
1533: .proto = IPPROTO_COMP,
1534: .mark = id->mark,
1535: .if_id = id->if_id,
1536: };
1537: kernel_ipsec_add_sa_t ipcomp_sa = {
1538: .reqid = data->reqid,
1539: .mode = data->mode,
1540: .src_ts = data->src_ts,
1541: .dst_ts = data->dst_ts,
1542: .lifetime = &lft,
1543: .enc_alg = ENCR_UNDEFINED,
1544: .int_alg = AUTH_UNDEFINED,
1545: .tfc = data->tfc,
1546: .ipcomp = data->ipcomp,
1547: .initiator = data->initiator,
1548: .inbound = data->inbound,
1549: .update = data->update,
1550: };
1551: add_sa(this, &ipcomp_id, &ipcomp_sa);
1552: ipcomp = IPCOMP_NONE;
1553: /* use transport mode ESP SA, IPComp uses tunnel mode */
1554: mode = MODE_TRANSPORT;
1555: }
1556:
1557: memset(&request, 0, sizeof(request));
1558: format_mark(markstr, sizeof(markstr), id->mark);
1559:
1560: DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}%s",
1561: ntohl(id->spi), data->reqid, markstr);
1562:
1563: hdr = &request.hdr;
1564: hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1565: hdr->nlmsg_type = data->update ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
1566: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1567:
1568: sa = NLMSG_DATA(hdr);
1569: host2xfrm(id->src, &sa->saddr);
1570: host2xfrm(id->dst, &sa->id.daddr);
1571: sa->id.spi = id->spi;
1572: sa->id.proto = id->proto;
1573: sa->family = id->src->get_family(id->src);
1574: sa->mode = mode2kernel(mode);
1575:
1576: if (!data->copy_df)
1577: {
1578: sa->flags |= XFRM_STATE_NOPMTUDISC;
1579: }
1580:
1581: if (!data->copy_ecn)
1582: {
1583: sa->flags |= XFRM_STATE_NOECN;
1584: }
1585:
1586: if (data->inbound)
1587: {
1588: switch (data->copy_dscp)
1589: {
1590: case DSCP_COPY_YES:
1591: case DSCP_COPY_IN_ONLY:
1592: sa->flags |= XFRM_STATE_DECAP_DSCP;
1593: break;
1594: default:
1595: break;
1596: }
1597: }
1598: else
1599: {
1600: switch (data->copy_dscp)
1601: {
1602: case DSCP_COPY_IN_ONLY:
1603: case DSCP_COPY_NO:
1604: {
1605: /* currently the only extra flag */
1606: if (!add_uint32(hdr, sizeof(request), XFRMA_SA_EXTRA_FLAGS,
1607: XFRM_SA_XFLAG_DONT_ENCAP_DSCP))
1608: {
1609: goto failed;
1610: }
1611: break;
1612: }
1613: default:
1614: break;
1615: }
1616: }
1617:
1618: switch (mode)
1619: {
1620: case MODE_TUNNEL:
1621: sa->flags |= XFRM_STATE_AF_UNSPEC;
1622: break;
1623: case MODE_BEET:
1624: case MODE_TRANSPORT:
1625: if (original_mode == MODE_TUNNEL)
1626: { /* don't install selectors for switched SAs. because only one
1627: * selector can be installed other traffic would get dropped */
1628: break;
1629: }
1630: if (data->src_ts->get_first(data->src_ts,
1631: (void**)&first_src_ts) == SUCCESS &&
1632: data->dst_ts->get_first(data->dst_ts,
1633: (void**)&first_dst_ts) == SUCCESS)
1634: {
1635: sa->sel = ts2selector(first_src_ts, first_dst_ts,
1636: data->interface);
1637: if (!this->proto_port_transport)
1638: {
1639: /* don't install proto/port on SA. This would break
1640: * potential secondary SAs for the same address using a
1641: * different prot/port. */
1642: sa->sel.proto = 0;
1643: sa->sel.dport = sa->sel.dport_mask = 0;
1644: sa->sel.sport = sa->sel.sport_mask = 0;
1645: }
1646: }
1647: break;
1648: default:
1649: break;
1650: }
1651: if (id->proto == IPPROTO_AH && sa->family == AF_INET)
1652: { /* use alignment to 4 bytes for IPv4 instead of the incorrect 8 byte
1653: * alignment that's used by default but is only valid for IPv6 */
1654: sa->flags |= XFRM_STATE_ALIGN4;
1655: }
1656:
1657: sa->reqid = data->reqid;
1658: sa->lft.soft_byte_limit = XFRM_LIMIT(data->lifetime->bytes.rekey);
1659: sa->lft.hard_byte_limit = XFRM_LIMIT(data->lifetime->bytes.life);
1660: sa->lft.soft_packet_limit = XFRM_LIMIT(data->lifetime->packets.rekey);
1661: sa->lft.hard_packet_limit = XFRM_LIMIT(data->lifetime->packets.life);
1662: /* we use lifetimes since added, not since used */
1663: sa->lft.soft_add_expires_seconds = data->lifetime->time.rekey;
1664: sa->lft.hard_add_expires_seconds = data->lifetime->time.life;
1665: sa->lft.soft_use_expires_seconds = 0;
1666: sa->lft.hard_use_expires_seconds = 0;
1667:
1668: switch (data->enc_alg)
1669: {
1670: case ENCR_UNDEFINED:
1671: /* no encryption */
1672: break;
1673: case ENCR_AES_CCM_ICV16:
1674: case ENCR_AES_GCM_ICV16:
1675: case ENCR_NULL_AUTH_AES_GMAC:
1676: case ENCR_CAMELLIA_CCM_ICV16:
1677: case ENCR_CHACHA20_POLY1305:
1678: icv_size += 32;
1679: /* FALL */
1680: case ENCR_AES_CCM_ICV12:
1681: case ENCR_AES_GCM_ICV12:
1682: case ENCR_CAMELLIA_CCM_ICV12:
1683: icv_size += 32;
1684: /* FALL */
1685: case ENCR_AES_CCM_ICV8:
1686: case ENCR_AES_GCM_ICV8:
1687: case ENCR_CAMELLIA_CCM_ICV8:
1688: {
1689: struct xfrm_algo_aead *algo;
1690:
1691: alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg);
1692: if (alg_name == NULL)
1693: {
1694: DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1695: encryption_algorithm_names, data->enc_alg);
1696: goto failed;
1697: }
1698: DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1699: encryption_algorithm_names, data->enc_alg,
1700: data->enc_key.len * 8);
1701:
1702: algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AEAD,
1703: sizeof(*algo) + data->enc_key.len);
1704: if (!algo)
1705: {
1706: goto failed;
1707: }
1708: algo->alg_key_len = data->enc_key.len * 8;
1709: algo->alg_icv_len = icv_size;
1710: strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1711: algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1712: memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len);
1713: break;
1714: }
1715: default:
1716: {
1717: struct xfrm_algo *algo;
1718:
1719: alg_name = lookup_algorithm(ENCRYPTION_ALGORITHM, data->enc_alg);
1720: if (alg_name == NULL)
1721: {
1722: DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1723: encryption_algorithm_names, data->enc_alg);
1724: goto failed;
1725: }
1726: DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1727: encryption_algorithm_names, data->enc_alg,
1728: data->enc_key.len * 8);
1729:
1730: algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_CRYPT,
1731: sizeof(*algo) + data->enc_key.len);
1732: if (!algo)
1733: {
1734: goto failed;
1735: }
1736: algo->alg_key_len = data->enc_key.len * 8;
1737: strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1738: algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1739: memcpy(algo->alg_key, data->enc_key.ptr, data->enc_key.len);
1740: }
1741: }
1742:
1743: if (data->int_alg != AUTH_UNDEFINED)
1744: {
1745: u_int trunc_len = 0;
1746:
1747: alg_name = lookup_algorithm(INTEGRITY_ALGORITHM, data->int_alg);
1748: if (alg_name == NULL)
1749: {
1750: DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1751: integrity_algorithm_names, data->int_alg);
1752: goto failed;
1753: }
1754: DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1755: integrity_algorithm_names, data->int_alg, data->int_key.len * 8);
1756:
1757: switch (data->int_alg)
1758: {
1759: case AUTH_HMAC_MD5_128:
1760: case AUTH_HMAC_SHA2_256_128:
1761: trunc_len = 128;
1762: break;
1763: case AUTH_HMAC_SHA1_160:
1764: trunc_len = 160;
1765: break;
1766: default:
1767: break;
1768: }
1769:
1770: if (trunc_len)
1771: {
1772: struct xfrm_algo_auth* algo;
1773:
1774: /* the kernel uses SHA256 with 96 bit truncation by default,
1775: * use specified truncation size supported by newer kernels.
1776: * also use this for untruncated MD5 and SHA1. */
1777: algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH_TRUNC,
1778: sizeof(*algo) + data->int_key.len);
1779: if (!algo)
1780: {
1781: goto failed;
1782: }
1783: algo->alg_key_len = data->int_key.len * 8;
1784: algo->alg_trunc_len = trunc_len;
1785: strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1786: algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1787: memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len);
1788: }
1789: else
1790: {
1791: struct xfrm_algo* algo;
1792:
1793: algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_AUTH,
1794: sizeof(*algo) + data->int_key.len);
1795: if (!algo)
1796: {
1797: goto failed;
1798: }
1799: algo->alg_key_len = data->int_key.len * 8;
1800: strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1801: algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1802: memcpy(algo->alg_key, data->int_key.ptr, data->int_key.len);
1803: }
1804: }
1805:
1806: if (ipcomp != IPCOMP_NONE)
1807: {
1808: struct xfrm_algo* algo;
1809:
1810: alg_name = lookup_algorithm(COMPRESSION_ALGORITHM, ipcomp);
1811: if (alg_name == NULL)
1812: {
1813: DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1814: ipcomp_transform_names, ipcomp);
1815: goto failed;
1816: }
1817: DBG2(DBG_KNL, " using compression algorithm %N",
1818: ipcomp_transform_names, ipcomp);
1819:
1820: algo = netlink_reserve(hdr, sizeof(request), XFRMA_ALG_COMP,
1821: sizeof(*algo));
1822: if (!algo)
1823: {
1824: goto failed;
1825: }
1826: algo->alg_key_len = 0;
1827: strncpy(algo->alg_name, alg_name, sizeof(algo->alg_name));
1828: algo->alg_name[sizeof(algo->alg_name) - 1] = '\0';
1829: }
1830:
1831: if (data->encap)
1832: {
1833: struct xfrm_encap_tmpl *tmpl;
1834:
1835: tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP, sizeof(*tmpl));
1836: if (!tmpl)
1837: {
1838: goto failed;
1839: }
1840: tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1841: tmpl->encap_sport = htons(id->src->get_port(id->src));
1842: tmpl->encap_dport = htons(id->dst->get_port(id->dst));
1843: memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1844: /* encap_oa could probably be derived from the
1845: * traffic selectors [rfc4306, p39]. In the netlink kernel
1846: * implementation pluto does the same as we do here but it uses
1847: * encap_oa in the pfkey implementation.
1848: * BUT as /usr/src/linux/net/key/af_key.c indicates the kernel ignores
1849: * it anyway
1850: * -> does that mean that NAT-T encap doesn't work in transport mode?
1851: * No. The reason the kernel ignores NAT-OA is that it recomputes
1852: * (or, rather, just ignores) the checksum. If packets pass the IPsec
1853: * checks it marks them "checksum ok" so OA isn't needed. */
1854: }
1855:
1856: if (!add_mark(hdr, sizeof(request), id->mark))
1857: {
1858: goto failed;
1859: }
1860:
1861: if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
1862: {
1863: goto failed;
1864: }
1865:
1866: if (ipcomp == IPCOMP_NONE && (data->mark.value | data->mark.mask))
1867: {
1868: if (!add_uint32(hdr, sizeof(request), XFRMA_SET_MARK,
1869: data->mark.value) ||
1870: !add_uint32(hdr, sizeof(request), XFRMA_SET_MARK_MASK,
1871: data->mark.mask))
1872: {
1873: goto failed;
1874: }
1875: }
1876:
1877: if (data->tfc && id->proto == IPPROTO_ESP && mode == MODE_TUNNEL)
1878: { /* the kernel supports TFC padding only for tunnel mode ESP SAs */
1879: if (!add_uint32(hdr, sizeof(request), XFRMA_TFCPAD, data->tfc))
1880: {
1881: goto failed;
1882: }
1883: }
1884:
1885: if (id->proto != IPPROTO_COMP)
1886: {
1887: /* generally, we don't need a replay window for outbound SAs, however,
1888: * when using ESN the kernel rejects the attribute if it is 0 */
1889: if (!data->inbound && data->replay_window)
1890: {
1891: data->replay_window = data->esn ? 1 : 0;
1892: }
1893: if (data->replay_window != 0 && (data->esn || data->replay_window > 32))
1894: {
1895: /* for ESN or larger replay windows we need the new
1896: * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
1897: struct xfrm_replay_state_esn *replay;
1898: uint32_t bmp_size;
1899:
1900: bmp_size = round_up(data->replay_window, sizeof(uint32_t) * 8) / 8;
1901: replay = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
1902: sizeof(*replay) + bmp_size);
1903: if (!replay)
1904: {
1905: goto failed;
1906: }
1907: /* bmp_len contains number uf __u32's */
1908: replay->bmp_len = bmp_size / sizeof(uint32_t);
1909: replay->replay_window = data->replay_window;
1910: DBG2(DBG_KNL, " using replay window of %u packets",
1911: data->replay_window);
1912:
1913: if (data->esn)
1914: {
1915: DBG2(DBG_KNL, " using extended sequence numbers (ESN)");
1916: sa->flags |= XFRM_STATE_ESN;
1917: }
1918: }
1919: else
1920: {
1921: DBG2(DBG_KNL, " using replay window of %u packets",
1922: data->replay_window);
1923: sa->replay_window = data->replay_window;
1924: }
1925:
1926: DBG2(DBG_KNL, " HW offload: %N", hw_offload_names, data->hw_offload);
1927: if (!config_hw_offload(id, data, hdr, sizeof(request)))
1928: {
1929: DBG1(DBG_KNL, "failed to configure HW offload");
1930: goto failed;
1931: }
1932: }
1933:
1934: status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
1935: if (status == NOT_FOUND && data->update)
1936: {
1937: DBG1(DBG_KNL, "allocated SPI not found anymore, try to add SAD entry");
1938: hdr->nlmsg_type = XFRM_MSG_NEWSA;
1939: status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
1940: }
1941:
1942: if (status != SUCCESS)
1943: {
1944: DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x%s (%N)", ntohl(id->spi),
1945: markstr, status_names, status);
1946: status = FAILED;
1947: goto failed;
1948: }
1949:
1950: status = SUCCESS;
1951:
1952: failed:
1953: memwipe(&request, sizeof(request));
1954: return status;
1955: }
1956:
1957: /**
1958: * Get the ESN replay state (i.e. sequence numbers) of an SA.
1959: *
1960: * Allocates into one the replay state structure we get from the kernel.
1961: */
1962: static void get_replay_state(private_kernel_netlink_ipsec_t *this,
1963: kernel_ipsec_sa_id_t *sa,
1964: struct xfrm_replay_state_esn **replay_esn,
1965: uint32_t *replay_esn_len,
1966: struct xfrm_replay_state **replay,
1967: struct xfrm_lifetime_cur **lifetime)
1968: {
1969: netlink_buf_t request;
1970: struct nlmsghdr *hdr, *out = NULL;
1971: struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1972: size_t len;
1973: struct rtattr *rta;
1974: size_t rtasize;
1975:
1976: memset(&request, 0, sizeof(request));
1977:
1978: DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x",
1979: ntohl(sa->spi));
1980:
1981: hdr = &request.hdr;
1982: hdr->nlmsg_flags = NLM_F_REQUEST;
1983: hdr->nlmsg_type = XFRM_MSG_GETAE;
1984: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1985:
1986: aevent_id = NLMSG_DATA(hdr);
1987: aevent_id->flags = XFRM_AE_RVAL;
1988:
1989: host2xfrm(sa->dst, &aevent_id->sa_id.daddr);
1990: aevent_id->sa_id.spi = sa->spi;
1991: aevent_id->sa_id.proto = sa->proto;
1992: aevent_id->sa_id.family = sa->dst->get_family(sa->dst);
1993:
1994: if (!add_mark(hdr, sizeof(request), sa->mark))
1995: {
1996: return;
1997: }
1998: if (sa->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, sa->if_id))
1999: {
2000: return;
2001: }
2002:
2003: if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2004: {
2005: hdr = out;
2006: while (NLMSG_OK(hdr, len))
2007: {
2008: switch (hdr->nlmsg_type)
2009: {
2010: case XFRM_MSG_NEWAE:
2011: {
2012: out_aevent = NLMSG_DATA(hdr);
2013: break;
2014: }
2015: case NLMSG_ERROR:
2016: {
2017: struct nlmsgerr *err = NLMSG_DATA(hdr);
2018: DBG1(DBG_KNL, "querying replay state from SAD entry "
2019: "failed: %s (%d)", strerror(-err->error), -err->error);
2020: break;
2021: }
2022: default:
2023: hdr = NLMSG_NEXT(hdr, len);
2024: continue;
2025: case NLMSG_DONE:
2026: break;
2027: }
2028: break;
2029: }
2030: }
2031:
2032: if (out_aevent)
2033: {
2034: rta = XFRM_RTA(out, struct xfrm_aevent_id);
2035: rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
2036: while (RTA_OK(rta, rtasize))
2037: {
2038: if (rta->rta_type == XFRMA_LTIME_VAL &&
2039: RTA_PAYLOAD(rta) == sizeof(**lifetime))
2040: {
2041: free(*lifetime);
2042: *lifetime = malloc(RTA_PAYLOAD(rta));
2043: memcpy(*lifetime, RTA_DATA(rta), RTA_PAYLOAD(rta));
2044: }
2045: if (rta->rta_type == XFRMA_REPLAY_VAL &&
2046: RTA_PAYLOAD(rta) == sizeof(**replay))
2047: {
2048: free(*replay);
2049: *replay = malloc(RTA_PAYLOAD(rta));
2050: memcpy(*replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
2051: }
2052: if (rta->rta_type == XFRMA_REPLAY_ESN_VAL &&
2053: RTA_PAYLOAD(rta) >= sizeof(**replay_esn))
2054: {
2055: free(*replay_esn);
2056: *replay_esn = malloc(RTA_PAYLOAD(rta));
2057: *replay_esn_len = RTA_PAYLOAD(rta);
2058: memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta));
2059: }
2060: rta = RTA_NEXT(rta, rtasize);
2061: }
2062: }
2063: free(out);
2064: }
2065:
2066: METHOD(kernel_ipsec_t, query_sa, status_t,
2067: private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
2068: kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets,
2069: time_t *time)
2070: {
2071: netlink_buf_t request;
2072: struct nlmsghdr *out = NULL, *hdr;
2073: struct xfrm_usersa_id *sa_id;
2074: struct xfrm_usersa_info *sa = NULL;
2075: status_t status = FAILED;
2076: size_t len;
2077: char markstr[32] = "";
2078:
2079: memset(&request, 0, sizeof(request));
2080: format_mark(markstr, sizeof(markstr), id->mark);
2081:
2082: DBG2(DBG_KNL, "querying SAD entry with SPI %.8x%s", ntohl(id->spi),
2083: markstr);
2084:
2085: hdr = &request.hdr;
2086: hdr->nlmsg_flags = NLM_F_REQUEST;
2087: hdr->nlmsg_type = XFRM_MSG_GETSA;
2088: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2089:
2090: sa_id = NLMSG_DATA(hdr);
2091: host2xfrm(id->dst, &sa_id->daddr);
2092: sa_id->spi = id->spi;
2093: sa_id->proto = id->proto;
2094: sa_id->family = id->dst->get_family(id->dst);
2095:
2096: if (!add_mark(hdr, sizeof(request), id->mark))
2097: {
2098: return FAILED;
2099: }
2100: if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
2101: {
2102: return FAILED;
2103: }
2104:
2105: if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2106: {
2107: hdr = out;
2108: while (NLMSG_OK(hdr, len))
2109: {
2110: switch (hdr->nlmsg_type)
2111: {
2112: case XFRM_MSG_NEWSA:
2113: {
2114: sa = NLMSG_DATA(hdr);
2115: break;
2116: }
2117: case NLMSG_ERROR:
2118: {
2119: struct nlmsgerr *err = NLMSG_DATA(hdr);
2120:
2121: DBG1(DBG_KNL, "querying SAD entry with SPI %.8x%s failed: "
2122: "%s (%d)", ntohl(id->spi), markstr,
2123: strerror(-err->error), -err->error);
2124: break;
2125: }
2126: default:
2127: hdr = NLMSG_NEXT(hdr, len);
2128: continue;
2129: case NLMSG_DONE:
2130: break;
2131: }
2132: break;
2133: }
2134: }
2135:
2136: if (sa == NULL)
2137: {
2138: DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x%s",
2139: ntohl(id->spi), markstr);
2140: }
2141: else
2142: {
2143: if (bytes)
2144: {
2145: *bytes = sa->curlft.bytes;
2146: }
2147: if (packets)
2148: {
2149: *packets = sa->curlft.packets;
2150: }
2151: if (time)
2152: { /* curlft contains an "use" time, but that contains a timestamp
2153: * of the first use, not the last. Last use time must be queried
2154: * on the policy on Linux */
2155: *time = 0;
2156: }
2157: status = SUCCESS;
2158: }
2159: memwipe(out, len);
2160: free(out);
2161: return status;
2162: }
2163:
2164: METHOD(kernel_ipsec_t, del_sa, status_t,
2165: private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
2166: kernel_ipsec_del_sa_t *data)
2167: {
2168: netlink_buf_t request;
2169: struct nlmsghdr *hdr;
2170: struct xfrm_usersa_id *sa_id;
2171: char markstr[32] = "";
2172:
2173: /* if IPComp was used, we first delete the additional IPComp SA */
2174: if (data->cpi)
2175: {
2176: kernel_ipsec_sa_id_t ipcomp_id = {
2177: .src = id->src,
2178: .dst = id->dst,
2179: .spi = htonl(ntohs(data->cpi)),
2180: .proto = IPPROTO_COMP,
2181: .mark = id->mark,
2182: };
2183: kernel_ipsec_del_sa_t ipcomp = {};
2184: del_sa(this, &ipcomp_id, &ipcomp);
2185: }
2186:
2187: memset(&request, 0, sizeof(request));
2188: format_mark(markstr, sizeof(markstr), id->mark);
2189:
2190: DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x%s", ntohl(id->spi),
2191: markstr);
2192:
2193: hdr = &request.hdr;
2194: hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2195: hdr->nlmsg_type = XFRM_MSG_DELSA;
2196: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2197:
2198: sa_id = NLMSG_DATA(hdr);
2199: host2xfrm(id->dst, &sa_id->daddr);
2200: sa_id->spi = id->spi;
2201: sa_id->proto = id->proto;
2202: sa_id->family = id->dst->get_family(id->dst);
2203:
2204: if (!add_mark(hdr, sizeof(request), id->mark))
2205: {
2206: return FAILED;
2207: }
2208: if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
2209: {
2210: return FAILED;
2211: }
2212:
2213: switch (this->socket_xfrm->send_ack(this->socket_xfrm, hdr))
2214: {
2215: case SUCCESS:
2216: DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x%s",
2217: ntohl(id->spi), markstr);
2218: return SUCCESS;
2219: case NOT_FOUND:
2220: return NOT_FOUND;
2221: default:
2222: DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x%s",
2223: ntohl(id->spi), markstr);
2224: return FAILED;
2225: }
2226: }
2227:
2228: METHOD(kernel_ipsec_t, update_sa, status_t,
2229: private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id,
2230: kernel_ipsec_update_sa_t *data)
2231: {
2232: netlink_buf_t request;
2233: struct nlmsghdr *hdr, *out_hdr = NULL, *out = NULL;
2234: struct xfrm_usersa_id *sa_id;
2235: struct xfrm_usersa_info *sa;
2236: size_t len;
2237: struct rtattr *rta;
2238: size_t rtasize;
2239: struct xfrm_encap_tmpl* encap = NULL;
2240: struct xfrm_replay_state *replay = NULL;
2241: struct xfrm_replay_state_esn *replay_esn = NULL;
2242: struct xfrm_lifetime_cur *lifetime = NULL;
2243: uint32_t replay_esn_len = 0;
2244: kernel_ipsec_del_sa_t del = { 0 };
2245: status_t status = FAILED;
2246: traffic_selector_t *ts;
2247: char markstr[32] = "";
2248:
2249: /* if IPComp is used, we first update the IPComp SA */
2250: if (data->cpi)
2251: {
2252: kernel_ipsec_sa_id_t ipcomp_id = {
2253: .src = id->src,
2254: .dst = id->dst,
2255: .spi = htonl(ntohs(data->cpi)),
2256: .proto = IPPROTO_COMP,
2257: .mark = id->mark,
2258: .if_id = id->if_id,
2259: };
2260: kernel_ipsec_update_sa_t ipcomp = {
2261: .new_src = data->new_src,
2262: .new_dst = data->new_dst,
2263: };
2264: update_sa(this, &ipcomp_id, &ipcomp);
2265: }
2266:
2267: memset(&request, 0, sizeof(request));
2268: format_mark(markstr, sizeof(markstr), id->mark);
2269:
2270: DBG2(DBG_KNL, "querying SAD entry with SPI %.8x%s for update",
2271: ntohl(id->spi), markstr);
2272:
2273: /* query the existing SA first */
2274: hdr = &request.hdr;
2275: hdr->nlmsg_flags = NLM_F_REQUEST;
2276: hdr->nlmsg_type = XFRM_MSG_GETSA;
2277: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
2278:
2279: sa_id = NLMSG_DATA(hdr);
2280: host2xfrm(id->dst, &sa_id->daddr);
2281: sa_id->spi = id->spi;
2282: sa_id->proto = id->proto;
2283: sa_id->family = id->dst->get_family(id->dst);
2284:
2285: if (!add_mark(hdr, sizeof(request), id->mark))
2286: {
2287: return FAILED;
2288: }
2289: if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
2290: {
2291: return FAILED;
2292: }
2293:
2294: if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2295: {
2296: hdr = out;
2297: while (NLMSG_OK(hdr, len))
2298: {
2299: switch (hdr->nlmsg_type)
2300: {
2301: case XFRM_MSG_NEWSA:
2302: {
2303: out_hdr = hdr;
2304: break;
2305: }
2306: case NLMSG_ERROR:
2307: {
2308: struct nlmsgerr *err = NLMSG_DATA(hdr);
2309: DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
2310: strerror(-err->error), -err->error);
2311: break;
2312: }
2313: default:
2314: hdr = NLMSG_NEXT(hdr, len);
2315: continue;
2316: case NLMSG_DONE:
2317: break;
2318: }
2319: break;
2320: }
2321: }
2322: if (!out_hdr)
2323: {
2324: DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x%s",
2325: ntohl(id->spi), markstr);
2326: goto failed;
2327: }
2328:
2329: get_replay_state(this, id, &replay_esn, &replay_esn_len, &replay,
2330: &lifetime);
2331:
2332: /* delete the old SA (without affecting the IPComp SA) */
2333: if (del_sa(this, id, &del) != SUCCESS)
2334: {
2335: DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x%s",
2336: ntohl(id->spi), markstr);
2337: goto failed;
2338: }
2339:
2340: DBG2(DBG_KNL, "updating SAD entry with SPI %.8x%s from %#H..%#H to "
2341: "%#H..%#H", ntohl(id->spi), markstr, id->src, id->dst, data->new_src,
2342: data->new_dst);
2343: /* copy over the SA from out to request */
2344: hdr = &request.hdr;
2345: hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2346: hdr->nlmsg_type = XFRM_MSG_NEWSA;
2347: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
2348: sa = NLMSG_DATA(hdr);
2349: memcpy(sa, NLMSG_DATA(out_hdr), sizeof(struct xfrm_usersa_info));
2350: sa->family = data->new_dst->get_family(data->new_dst);
2351:
2352: if (!id->src->ip_equals(id->src, data->new_src))
2353: {
2354: host2xfrm(data->new_src, &sa->saddr);
2355:
2356: ts = selector2ts(&sa->sel, TRUE);
2357: if (ts && ts->is_host(ts, id->src))
2358: {
2359: ts->set_address(ts, data->new_src);
2360: ts2subnet(ts, &sa->sel.saddr, &sa->sel.prefixlen_s);
2361: }
2362: DESTROY_IF(ts);
2363: }
2364: if (!id->dst->ip_equals(id->dst, data->new_dst))
2365: {
2366: host2xfrm(data->new_dst, &sa->id.daddr);
2367:
2368: ts = selector2ts(&sa->sel, FALSE);
2369: if (ts && ts->is_host(ts, id->dst))
2370: {
2371: ts->set_address(ts, data->new_dst);
2372: ts2subnet(ts, &sa->sel.daddr, &sa->sel.prefixlen_d);
2373: }
2374: DESTROY_IF(ts);
2375: }
2376:
2377: rta = XFRM_RTA(out_hdr, struct xfrm_usersa_info);
2378: rtasize = XFRM_PAYLOAD(out_hdr, struct xfrm_usersa_info);
2379: while (RTA_OK(rta, rtasize))
2380: {
2381: /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
2382: if (rta->rta_type != XFRMA_ENCAP || data->new_encap)
2383: {
2384: if (rta->rta_type == XFRMA_ENCAP)
2385: { /* update encap tmpl */
2386: encap = RTA_DATA(rta);
2387: encap->encap_sport = ntohs(data->new_src->get_port(data->new_src));
2388: encap->encap_dport = ntohs(data->new_dst->get_port(data->new_dst));
2389: }
2390: if (rta->rta_type == XFRMA_OFFLOAD_DEV)
2391: { /* update offload device */
2392: struct xfrm_user_offload *offload;
2393: host_t *local;
2394: char *ifname;
2395:
2396: offload = RTA_DATA(rta);
2397: local = offload->flags & XFRM_OFFLOAD_INBOUND ? data->new_dst
2398: : data->new_src;
2399:
2400: if (charon->kernel->get_interface(charon->kernel, local,
2401: &ifname))
2402: {
2403: offload->ifindex = if_nametoindex(ifname);
2404: if (local->get_family(local) == AF_INET6)
2405: {
2406: offload->flags |= XFRM_OFFLOAD_IPV6;
2407: }
2408: else
2409: {
2410: offload->flags &= ~XFRM_OFFLOAD_IPV6;
2411: }
2412: free(ifname);
2413: }
2414: }
2415: netlink_add_attribute(hdr, rta->rta_type,
2416: chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)),
2417: sizeof(request));
2418: }
2419: rta = RTA_NEXT(rta, rtasize);
2420: }
2421:
2422: if (encap == NULL && data->new_encap)
2423: { /* add tmpl if we are enabling it */
2424: encap = netlink_reserve(hdr, sizeof(request), XFRMA_ENCAP,
2425: sizeof(*encap));
2426: if (!encap)
2427: {
2428: goto failed;
2429: }
2430: encap->encap_type = UDP_ENCAP_ESPINUDP;
2431: encap->encap_sport = ntohs(data->new_src->get_port(data->new_src));
2432: encap->encap_dport = ntohs(data->new_dst->get_port(data->new_dst));
2433: memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
2434: }
2435:
2436: if (replay_esn)
2437: {
2438: struct xfrm_replay_state_esn *state;
2439:
2440: state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_ESN_VAL,
2441: replay_esn_len);
2442: if (!state)
2443: {
2444: goto failed;
2445: }
2446: memcpy(state, replay_esn, replay_esn_len);
2447: }
2448: else if (replay)
2449: {
2450: struct xfrm_replay_state *state;
2451:
2452: state = netlink_reserve(hdr, sizeof(request), XFRMA_REPLAY_VAL,
2453: sizeof(*state));
2454: if (!state)
2455: {
2456: goto failed;
2457: }
2458: memcpy(state, replay, sizeof(*state));
2459: }
2460: else
2461: {
2462: DBG1(DBG_KNL, "unable to copy replay state from old SAD entry with "
2463: "SPI %.8x%s", ntohl(id->spi), markstr);
2464: }
2465: if (lifetime)
2466: {
2467: struct xfrm_lifetime_cur *state;
2468:
2469: state = netlink_reserve(hdr, sizeof(request), XFRMA_LTIME_VAL,
2470: sizeof(*state));
2471: if (!state)
2472: {
2473: goto failed;
2474: }
2475: memcpy(state, lifetime, sizeof(*state));
2476: }
2477: else
2478: {
2479: DBG1(DBG_KNL, "unable to copy usage stats from old SAD entry with "
2480: "SPI %.8x%s", ntohl(id->spi), markstr);
2481: }
2482:
2483: if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2484: {
2485: DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x%s",
2486: ntohl(id->spi), markstr);
2487: goto failed;
2488: }
2489:
2490: status = SUCCESS;
2491: failed:
2492: free(replay);
2493: free(replay_esn);
2494: free(lifetime);
2495: memwipe(out, len);
2496: memwipe(&request, sizeof(request));
2497: free(out);
2498:
2499: return status;
2500: }
2501:
2502: METHOD(kernel_ipsec_t, flush_sas, status_t,
2503: private_kernel_netlink_ipsec_t *this)
2504: {
2505: netlink_buf_t request;
2506: struct nlmsghdr *hdr;
2507: struct xfrm_usersa_flush *flush;
2508: struct {
2509: uint8_t proto;
2510: char *name;
2511: } protos[] = {
2512: { IPPROTO_AH, "AH" },
2513: { IPPROTO_ESP, "ESP" },
2514: { IPPROTO_COMP, "IPComp" },
2515: };
2516: int i;
2517:
2518: memset(&request, 0, sizeof(request));
2519:
2520: hdr = &request.hdr;
2521: hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2522: hdr->nlmsg_type = XFRM_MSG_FLUSHSA;
2523: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_flush));
2524:
2525: flush = NLMSG_DATA(hdr);
2526:
2527: for (i = 0; i < countof(protos); i++)
2528: {
2529: DBG2(DBG_KNL, "flushing all %s SAD entries", protos[i].name);
2530:
2531: flush->proto = protos[i].proto;
2532:
2533: if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
2534: {
2535: DBG1(DBG_KNL, "unable to flush %s SAD entries", protos[i].name);
2536: return FAILED;
2537: }
2538: }
2539: return SUCCESS;
2540: }
2541:
2542: /**
2543: * Unlock the mutex and signal waiting threads
2544: */
2545: static void policy_change_done(private_kernel_netlink_ipsec_t *this,
2546: policy_entry_t *policy)
2547: {
2548: policy->working = FALSE;
2549: if (policy->waiting)
2550: { /* don't need to wake threads waiting for other policies */
2551: this->condvar->broadcast(this->condvar);
2552: }
2553: this->mutex->unlock(this->mutex);
2554: }
2555:
2556: /**
2557: * Install a route for the given policy if enabled and required
2558: */
2559: static void install_route(private_kernel_netlink_ipsec_t *this,
2560: policy_entry_t *policy, policy_sa_t *mapping, ipsec_sa_t *ipsec)
2561: {
2562: policy_sa_out_t *out = (policy_sa_out_t*)mapping;
2563: route_entry_t *route;
2564: host_t *iface;
2565:
2566: INIT(route,
2567: .prefixlen = policy->sel.prefixlen_d,
2568: .pass = mapping->type == POLICY_PASS,
2569: );
2570:
2571: if (charon->kernel->get_address_by_ts(charon->kernel, out->src_ts,
2572: &route->src_ip, NULL) != SUCCESS)
2573: {
2574: if (!route->pass)
2575: {
2576: free(route);
2577: return;
2578: }
2579: /* allow blank source IP for passthrough policies */
2580: route->src_ip = host_create_any(policy->sel.family);
2581: }
2582:
2583: if (!ipsec->dst->is_anyaddr(ipsec->dst))
2584: {
2585: route->gateway = charon->kernel->get_nexthop(charon->kernel,
2586: ipsec->dst, -1, ipsec->src,
2587: &route->if_name);
2588: }
2589: else
2590: { /* for shunt policies */
2591: iface = xfrm2host(policy->sel.family, &policy->sel.daddr, 0);
2592: route->gateway = charon->kernel->get_nexthop(charon->kernel,
2593: iface, policy->sel.prefixlen_d,
2594: route->src_ip, &route->if_name);
2595: iface->destroy(iface);
2596: }
2597: route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
2598: memcpy(route->dst_net.ptr, &policy->sel.daddr, route->dst_net.len);
2599:
2600: /* get the interface to install the route for, if we haven't one yet.
2601: * If we have a local address, use it. Otherwise (for shunt policies)
2602: * use the route's source address. */
2603: if (!route->if_name)
2604: {
2605: iface = ipsec->src;
2606: if (iface->is_anyaddr(iface))
2607: {
2608: iface = route->src_ip;
2609: }
2610: if (!charon->kernel->get_interface(charon->kernel, iface,
2611: &route->if_name) &&
2612: !route->pass)
2613: { /* don't require an interface for passthrough policies */
2614: route_entry_destroy(route);
2615: return;
2616: }
2617: }
2618: if (policy->route)
2619: {
2620: route_entry_t *old = policy->route;
2621: if (route_entry_equals(old, route))
2622: {
2623: route_entry_destroy(route);
2624: return;
2625: }
2626: /* uninstall previously installed route */
2627: if (charon->kernel->del_route(charon->kernel, old->dst_net,
2628: old->prefixlen, old->gateway,
2629: old->src_ip, old->if_name,
2630: old->pass) != SUCCESS)
2631: {
2632: DBG1(DBG_KNL, "error uninstalling route installed with policy "
2633: "%R === %R %N", out->src_ts, out->dst_ts, policy_dir_names,
2634: policy->direction);
2635: }
2636: route_entry_destroy(old);
2637: policy->route = NULL;
2638: }
2639:
2640: DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", out->dst_ts,
2641: route->gateway, route->src_ip, route->if_name);
2642: switch (charon->kernel->add_route(charon->kernel, route->dst_net,
2643: route->prefixlen, route->gateway,
2644: route->src_ip, route->if_name,
2645: route->pass))
2646: {
2647: default:
2648: DBG1(DBG_KNL, "unable to install source route for %H",
2649: route->src_ip);
2650: /* FALL */
2651: case ALREADY_DONE:
2652: /* route exists, do not uninstall */
2653: route_entry_destroy(route);
2654: break;
2655: case SUCCESS:
2656: /* cache the installed route */
2657: policy->route = route;
2658: break;
2659: }
2660: }
2661:
2662: /**
2663: * Add or update a policy in the kernel.
2664: *
2665: * Note: The mutex has to be locked when entering this function
2666: * and is unlocked here in any case.
2667: */
2668: static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
2669: policy_entry_t *policy, policy_sa_t *mapping, bool update)
2670: {
2671: netlink_buf_t request;
2672: policy_entry_t clone;
2673: ipsec_sa_t *ipsec = mapping->sa;
2674: struct xfrm_userpolicy_info *policy_info;
2675: struct nlmsghdr *hdr;
2676: status_t status;
2677: int i;
2678:
2679: /* clone the policy so we are able to check it out again later */
2680: memcpy(&clone, policy, sizeof(policy_entry_t));
2681:
2682: memset(&request, 0, sizeof(request));
2683: hdr = &request.hdr;
2684: hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
2685: hdr->nlmsg_type = update ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
2686: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
2687:
2688: policy_info = NLMSG_DATA(hdr);
2689: policy_info->sel = policy->sel;
2690: policy_info->dir = policy->direction;
2691:
2692: /* calculate priority based on selector size, small size = high prio */
2693: policy_info->priority = mapping->priority;
2694: policy_info->action = mapping->type != POLICY_DROP ? XFRM_POLICY_ALLOW
2695: : XFRM_POLICY_BLOCK;
2696: policy_info->share = XFRM_SHARE_ANY;
2697:
2698: /* policies don't expire */
2699: policy_info->lft.soft_byte_limit = XFRM_INF;
2700: policy_info->lft.soft_packet_limit = XFRM_INF;
2701: policy_info->lft.hard_byte_limit = XFRM_INF;
2702: policy_info->lft.hard_packet_limit = XFRM_INF;
2703: policy_info->lft.soft_add_expires_seconds = 0;
2704: policy_info->lft.hard_add_expires_seconds = 0;
2705: policy_info->lft.soft_use_expires_seconds = 0;
2706: policy_info->lft.hard_use_expires_seconds = 0;
2707:
2708: if (mapping->type == POLICY_IPSEC && ipsec->cfg.reqid)
2709: {
2710: struct xfrm_user_tmpl *tmpl;
2711: struct {
2712: uint8_t proto;
2713: uint32_t spi;
2714: bool use;
2715: } protos[] = {
2716: { IPPROTO_COMP, htonl(ntohs(ipsec->cfg.ipcomp.cpi)),
2717: ipsec->cfg.ipcomp.transform != IPCOMP_NONE },
2718: { IPPROTO_ESP, ipsec->cfg.esp.spi, ipsec->cfg.esp.use },
2719: { IPPROTO_AH, ipsec->cfg.ah.spi, ipsec->cfg.ah.use },
2720: };
2721: ipsec_mode_t proto_mode = ipsec->cfg.mode;
2722: int count = 0;
2723:
2724: for (i = 0; i < countof(protos); i++)
2725: {
2726: if (protos[i].use)
2727: {
2728: count++;
2729: }
2730: }
2731: tmpl = netlink_reserve(hdr, sizeof(request), XFRMA_TMPL,
2732: count * sizeof(*tmpl));
2733: if (!tmpl)
2734: {
2735: policy_change_done(this, policy);
2736: return FAILED;
2737: }
2738:
2739: for (i = 0; i < countof(protos); i++)
2740: {
2741: if (!protos[i].use)
2742: {
2743: continue;
2744: }
2745: tmpl->reqid = ipsec->cfg.reqid;
2746: tmpl->id.proto = protos[i].proto;
2747: if (policy->direction == POLICY_OUT)
2748: {
2749: tmpl->id.spi = protos[i].spi;
2750: }
2751: tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
2752: tmpl->mode = mode2kernel(proto_mode);
2753: tmpl->optional = protos[i].proto == IPPROTO_COMP &&
2754: policy->direction != POLICY_OUT;
2755: tmpl->family = ipsec->src->get_family(ipsec->src);
2756:
2757: if (proto_mode == MODE_TUNNEL || proto_mode == MODE_BEET)
2758: { /* only for tunnel mode */
2759: host2xfrm(ipsec->src, &tmpl->saddr);
2760: host2xfrm(ipsec->dst, &tmpl->id.daddr);
2761: }
2762:
2763: tmpl++;
2764:
2765: /* use transport mode for other SAs */
2766: proto_mode = MODE_TRANSPORT;
2767: }
2768: }
2769:
2770: if (!add_mark(hdr, sizeof(request), ipsec->mark))
2771: {
2772: policy_change_done(this, policy);
2773: return FAILED;
2774: }
2775: if (ipsec->if_id &&
2776: !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, ipsec->if_id))
2777: {
2778: policy_change_done(this, policy);
2779: return FAILED;
2780: }
2781: this->mutex->unlock(this->mutex);
2782:
2783: status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
2784: if (status == ALREADY_DONE && !update)
2785: {
2786: DBG1(DBG_KNL, "policy already exists, try to update it");
2787: hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
2788: status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
2789: }
2790:
2791: this->mutex->lock(this->mutex);
2792: if (status != SUCCESS)
2793: {
2794: policy_change_done(this, policy);
2795: return FAILED;
2796: }
2797: /* install a route, if:
2798: * - this is an outbound policy (to just get one for each child)
2799: * - routing is not disabled via strongswan.conf
2800: * - the selector is not for a specific protocol/port
2801: * - no XFRM interface ID is configured
2802: * - we are in tunnel/BEET mode or install a bypass policy
2803: */
2804: if (policy->direction == POLICY_OUT && this->install_routes &&
2805: !policy->sel.proto && !policy->sel.dport && !policy->sel.sport &&
2806: !policy->if_id)
2807: {
2808: if (mapping->type == POLICY_PASS ||
2809: (mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT))
2810: {
2811: install_route(this, policy, mapping, ipsec);
2812: }
2813: }
2814: policy_change_done(this, policy);
2815: return SUCCESS;
2816: }
2817:
2818: METHOD(kernel_ipsec_t, add_policy, status_t,
2819: private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id,
2820: kernel_ipsec_manage_policy_t *data)
2821: {
2822: policy_entry_t *policy, *current;
2823: policy_sa_t *assigned_sa, *current_sa;
2824: enumerator_t *enumerator;
2825: bool found = FALSE, update = TRUE;
2826: char markstr[32] = "";
2827: uint32_t cur_priority = 0;
2828: int use_count;
2829:
2830: /* create a policy */
2831: INIT(policy,
2832: .sel = ts2selector(id->src_ts, id->dst_ts, id->interface),
2833: .mark = id->mark.value & id->mark.mask,
2834: .if_id = id->if_id,
2835: .direction = id->dir,
2836: .reqid = data->sa->reqid,
2837: );
2838: format_mark(markstr, sizeof(markstr), id->mark);
2839:
2840: /* find the policy, which matches EXACTLY */
2841: this->mutex->lock(this->mutex);
2842: current = this->policies->get(this->policies, policy);
2843: if (current)
2844: {
2845: if (current->reqid && data->sa->reqid &&
2846: current->reqid != data->sa->reqid)
2847: {
2848: DBG1(DBG_CFG, "unable to install policy %R === %R %N%s for reqid "
2849: "%u, the same policy for reqid %u exists",
2850: id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr,
2851: data->sa->reqid, current->reqid);
2852: policy_entry_destroy(this, policy);
2853: this->mutex->unlock(this->mutex);
2854: return INVALID_STATE;
2855: }
2856: /* use existing policy */
2857: DBG2(DBG_KNL, "policy %R === %R %N%s already exists, increasing "
2858: "refcount", id->src_ts, id->dst_ts, policy_dir_names, id->dir,
2859: markstr);
2860: policy_entry_destroy(this, policy);
2861: policy = current;
2862: found = TRUE;
2863:
2864: policy->waiting++;
2865: while (policy->working)
2866: {
2867: this->condvar->wait(this->condvar, this->mutex);
2868: }
2869: policy->waiting--;
2870: policy->working = TRUE;
2871: }
2872: else
2873: { /* use the new one, if we have no such policy */
2874: policy->used_by = linked_list_create();
2875: this->policies->put(this->policies, policy, policy);
2876: }
2877:
2878: /* cache the assigned IPsec SA */
2879: assigned_sa = policy_sa_create(this, id->dir, data->type, data->src,
2880: data->dst, id->src_ts, id->dst_ts, id->mark,
2881: id->if_id, data->sa);
2882: assigned_sa->auto_priority = get_priority(policy, data->prio, id->interface);
2883: assigned_sa->priority = this->get_priority ? this->get_priority(id, data)
2884: : data->manual_prio;
2885: assigned_sa->priority = assigned_sa->priority ?: assigned_sa->auto_priority;
2886:
2887: /* insert the SA according to its priority */
2888: enumerator = policy->used_by->create_enumerator(policy->used_by);
2889: while (enumerator->enumerate(enumerator, (void**)¤t_sa))
2890: {
2891: if (current_sa->priority > assigned_sa->priority)
2892: {
2893: break;
2894: }
2895: if (current_sa->priority == assigned_sa->priority)
2896: {
2897: /* in case of equal manual prios order SAs by automatic priority */
2898: if (current_sa->auto_priority > assigned_sa->auto_priority)
2899: {
2900: break;
2901: }
2902: /* prefer SAs with a reqid over those without */
2903: if (current_sa->auto_priority == assigned_sa->auto_priority &&
2904: (!current_sa->sa->cfg.reqid || assigned_sa->sa->cfg.reqid))
2905: {
2906: break;
2907: }
2908: }
2909: if (update)
2910: {
2911: cur_priority = current_sa->priority;
2912: update = FALSE;
2913: }
2914: }
2915: policy->used_by->insert_before(policy->used_by, enumerator, assigned_sa);
2916: enumerator->destroy(enumerator);
2917:
2918: use_count = policy->used_by->get_count(policy->used_by);
2919: if (!update)
2920: { /* we don't update the policy if the priority is lower than that of
2921: * the currently installed one */
2922: policy_change_done(this, policy);
2923: DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u, "
2924: "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names,
2925: id->dir, markstr, cur_priority, use_count);
2926: return SUCCESS;
2927: }
2928: policy->reqid = assigned_sa->sa->cfg.reqid;
2929:
2930: if (this->policy_update)
2931: {
2932: found = TRUE;
2933: }
2934:
2935: DBG2(DBG_KNL, "%s policy %R === %R %N%s [priority %u, refcount %d]",
2936: found ? "updating" : "adding", id->src_ts, id->dst_ts,
2937: policy_dir_names, id->dir, markstr, assigned_sa->priority, use_count);
2938:
2939: if (add_policy_internal(this, policy, assigned_sa, found) != SUCCESS)
2940: {
2941: DBG1(DBG_KNL, "unable to %s policy %R === %R %N%s",
2942: found ? "update" : "add", id->src_ts, id->dst_ts,
2943: policy_dir_names, id->dir, markstr);
2944: return FAILED;
2945: }
2946: return SUCCESS;
2947: }
2948:
2949: METHOD(kernel_ipsec_t, query_policy, status_t,
2950: private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id,
2951: kernel_ipsec_query_policy_t *data, time_t *use_time)
2952: {
2953: netlink_buf_t request;
2954: struct nlmsghdr *out = NULL, *hdr;
2955: struct xfrm_userpolicy_id *policy_id;
2956: struct xfrm_userpolicy_info *policy = NULL;
2957: size_t len;
2958: char markstr[32] = "";
2959:
2960: memset(&request, 0, sizeof(request));
2961: format_mark(markstr, sizeof(markstr), id->mark);
2962:
2963: DBG2(DBG_KNL, "querying policy %R === %R %N%s", id->src_ts, id->dst_ts,
2964: policy_dir_names, id->dir, markstr);
2965:
2966: hdr = &request.hdr;
2967: hdr->nlmsg_flags = NLM_F_REQUEST;
2968: hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
2969: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
2970:
2971: policy_id = NLMSG_DATA(hdr);
2972: policy_id->sel = ts2selector(id->src_ts, id->dst_ts, id->interface);
2973: policy_id->dir = id->dir;
2974:
2975: if (!add_mark(hdr, sizeof(request), id->mark))
2976: {
2977: return FAILED;
2978: }
2979: if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
2980: {
2981: return FAILED;
2982: }
2983:
2984: if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
2985: {
2986: hdr = out;
2987: while (NLMSG_OK(hdr, len))
2988: {
2989: switch (hdr->nlmsg_type)
2990: {
2991: case XFRM_MSG_NEWPOLICY:
2992: {
2993: policy = NLMSG_DATA(hdr);
2994: break;
2995: }
2996: case NLMSG_ERROR:
2997: {
2998: struct nlmsgerr *err = NLMSG_DATA(hdr);
2999: DBG1(DBG_KNL, "querying policy failed: %s (%d)",
3000: strerror(-err->error), -err->error);
3001: break;
3002: }
3003: default:
3004: hdr = NLMSG_NEXT(hdr, len);
3005: continue;
3006: case NLMSG_DONE:
3007: break;
3008: }
3009: break;
3010: }
3011: }
3012:
3013: if (policy == NULL)
3014: {
3015: DBG2(DBG_KNL, "unable to query policy %R === %R %N%s", id->src_ts,
3016: id->dst_ts, policy_dir_names, id->dir, markstr);
3017: free(out);
3018: return FAILED;
3019: }
3020:
3021: if (policy->curlft.use_time)
3022: {
3023: /* we need the monotonic time, but the kernel returns system time. */
3024: *use_time = time_monotonic(NULL) - (time(NULL) - policy->curlft.use_time);
3025: }
3026: else
3027: {
3028: *use_time = 0;
3029: }
3030:
3031: free(out);
3032: return SUCCESS;
3033: }
3034:
3035: METHOD(kernel_ipsec_t, del_policy, status_t,
3036: private_kernel_netlink_ipsec_t *this, kernel_ipsec_policy_id_t *id,
3037: kernel_ipsec_manage_policy_t *data)
3038: {
3039: policy_entry_t *current, policy;
3040: enumerator_t *enumerator;
3041: policy_sa_t *mapping;
3042: netlink_buf_t request;
3043: struct nlmsghdr *hdr;
3044: struct xfrm_userpolicy_id *policy_id;
3045: bool is_installed = TRUE;
3046: uint32_t priority, auto_priority, cur_priority;
3047: ipsec_sa_t assigned_sa = {
3048: .src = data->src,
3049: .dst = data->dst,
3050: .mark = id->mark,
3051: .if_id = id->if_id,
3052: .cfg = *data->sa,
3053: };
3054: char markstr[32] = "";
3055: int use_count;
3056: status_t status = SUCCESS;
3057:
3058: format_mark(markstr, sizeof(markstr), id->mark);
3059:
3060: DBG2(DBG_KNL, "deleting policy %R === %R %N%s", id->src_ts, id->dst_ts,
3061: policy_dir_names, id->dir, markstr);
3062:
3063: /* create a policy */
3064: memset(&policy, 0, sizeof(policy_entry_t));
3065: policy.sel = ts2selector(id->src_ts, id->dst_ts, id->interface);
3066: policy.mark = id->mark.value & id->mark.mask;
3067: policy.if_id = id->if_id;
3068: policy.direction = id->dir;
3069:
3070: /* find the policy */
3071: this->mutex->lock(this->mutex);
3072: current = this->policies->get(this->policies, &policy);
3073: if (!current)
3074: {
3075: DBG1(DBG_KNL, "deleting policy %R === %R %N%s failed, not found",
3076: id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr);
3077: this->mutex->unlock(this->mutex);
3078: return NOT_FOUND;
3079: }
3080: current->waiting++;
3081: while (current->working)
3082: {
3083: this->condvar->wait(this->condvar, this->mutex);
3084: }
3085: current->working = TRUE;
3086: current->waiting--;
3087:
3088: /* remove mapping to SA by reqid and priority */
3089: auto_priority = get_priority(current, data->prio,id->interface);
3090: priority = this->get_priority ? this->get_priority(id, data)
3091: : data->manual_prio;
3092: priority = priority ?: auto_priority;
3093:
3094: enumerator = current->used_by->create_enumerator(current->used_by);
3095: while (enumerator->enumerate(enumerator, (void**)&mapping))
3096: {
3097: if (priority == mapping->priority &&
3098: auto_priority == mapping->auto_priority &&
3099: data->type == mapping->type &&
3100: ipsec_sa_equals(mapping->sa, &assigned_sa))
3101: {
3102: current->used_by->remove_at(current->used_by, enumerator);
3103: policy_sa_destroy(mapping, id->dir, this);
3104: break;
3105: }
3106: if (is_installed)
3107: {
3108: cur_priority = mapping->priority;
3109: is_installed = FALSE;
3110: }
3111: }
3112: enumerator->destroy(enumerator);
3113:
3114: use_count = current->used_by->get_count(current->used_by);
3115: if (use_count > 0)
3116: { /* policy is used by more SAs, keep in kernel */
3117: DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
3118: if (!is_installed)
3119: { /* no need to update as the policy was not installed for this SA */
3120: policy_change_done(this, current);
3121: DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u, "
3122: "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names,
3123: id->dir, markstr, cur_priority, use_count);
3124: return SUCCESS;
3125: }
3126: current->used_by->get_first(current->used_by, (void**)&mapping);
3127: current->reqid = mapping->sa->cfg.reqid;
3128:
3129: DBG2(DBG_KNL, "updating policy %R === %R %N%s [priority %u, "
3130: "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names, id->dir,
3131: markstr, mapping->priority, use_count);
3132:
3133: if (add_policy_internal(this, current, mapping, TRUE) != SUCCESS)
3134: {
3135: DBG1(DBG_KNL, "unable to update policy %R === %R %N%s",
3136: id->src_ts, id->dst_ts, policy_dir_names, id->dir, markstr);
3137: return FAILED;
3138: }
3139: return SUCCESS;
3140: }
3141:
3142: memset(&request, 0, sizeof(request));
3143:
3144: hdr = &request.hdr;
3145: hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
3146: hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
3147: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
3148:
3149: policy_id = NLMSG_DATA(hdr);
3150: policy_id->sel = current->sel;
3151: policy_id->dir = id->dir;
3152:
3153: if (!add_mark(hdr, sizeof(request), id->mark))
3154: {
3155: policy_change_done(this, current);
3156: return FAILED;
3157: }
3158: if (id->if_id && !add_uint32(hdr, sizeof(request), XFRMA_IF_ID, id->if_id))
3159: {
3160: policy_change_done(this, current);
3161: return FAILED;
3162: }
3163:
3164: if (current->route)
3165: {
3166: route_entry_t *route = current->route;
3167: if (charon->kernel->del_route(charon->kernel, route->dst_net,
3168: route->prefixlen, route->gateway,
3169: route->src_ip, route->if_name,
3170: route->pass) != SUCCESS)
3171: {
3172: DBG1(DBG_KNL, "error uninstalling route installed with policy "
3173: "%R === %R %N%s", id->src_ts, id->dst_ts, policy_dir_names,
3174: id->dir, markstr);
3175: }
3176: }
3177: this->mutex->unlock(this->mutex);
3178:
3179: if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
3180: {
3181: DBG1(DBG_KNL, "unable to delete policy %R === %R %N%s", id->src_ts,
3182: id->dst_ts, policy_dir_names, id->dir, markstr);
3183: status = FAILED;
3184: }
3185:
3186: this->mutex->lock(this->mutex);
3187: if (!current->waiting)
3188: { /* only if no other thread still needs the policy */
3189: this->policies->remove(this->policies, current);
3190: policy_entry_destroy(this, current);
3191: this->mutex->unlock(this->mutex);
3192: }
3193: else
3194: {
3195: policy_change_done(this, current);
3196: }
3197: return status;
3198: }
3199:
3200: METHOD(kernel_ipsec_t, flush_policies, status_t,
3201: private_kernel_netlink_ipsec_t *this)
3202: {
3203: netlink_buf_t request;
3204: struct nlmsghdr *hdr;
3205:
3206: memset(&request, 0, sizeof(request));
3207:
3208: DBG2(DBG_KNL, "flushing all policies from SPD");
3209:
3210: hdr = &request.hdr;
3211: hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
3212: hdr->nlmsg_type = XFRM_MSG_FLUSHPOLICY;
3213: hdr->nlmsg_len = NLMSG_LENGTH(0); /* no data associated */
3214:
3215: /* by adding an rtattr of type XFRMA_POLICY_TYPE we could restrict this
3216: * to main or sub policies (default is main) */
3217:
3218: if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
3219: {
3220: DBG1(DBG_KNL, "unable to flush SPD entries");
3221: return FAILED;
3222: }
3223: return SUCCESS;
3224: }
3225:
3226: /**
3227: * Bypass socket using a per-socket policy
3228: */
3229: static bool add_socket_bypass(private_kernel_netlink_ipsec_t *this,
3230: int fd, int family)
3231: {
3232: struct xfrm_userpolicy_info policy;
3233: u_int sol, ipsec_policy;
3234:
3235: switch (family)
3236: {
3237: case AF_INET:
3238: sol = SOL_IP;
3239: ipsec_policy = IP_XFRM_POLICY;
3240: break;
3241: case AF_INET6:
3242: sol = SOL_IPV6;
3243: ipsec_policy = IPV6_XFRM_POLICY;
3244: break;
3245: default:
3246: return FALSE;
3247: }
3248:
3249: memset(&policy, 0, sizeof(policy));
3250: policy.action = XFRM_POLICY_ALLOW;
3251: policy.sel.family = family;
3252:
3253: policy.dir = XFRM_POLICY_OUT;
3254: if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
3255: {
3256: DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s (%d)",
3257: strerror(errno), errno);
3258: return FALSE;
3259: }
3260: policy.dir = XFRM_POLICY_IN;
3261: if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
3262: {
3263: DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s (%d)",
3264: strerror(errno), errno);
3265: return FALSE;
3266: }
3267: return TRUE;
3268: }
3269:
3270: /**
3271: * Port based IKE bypass policy
3272: */
3273: typedef struct {
3274: /** address family */
3275: int family;
3276: /** layer 4 protocol */
3277: int proto;
3278: /** port number, network order */
3279: uint16_t port;
3280: } bypass_t;
3281:
3282: /**
3283: * Add or remove a bypass policy from/to kernel
3284: */
3285: static bool manage_bypass(private_kernel_netlink_ipsec_t *this,
3286: int type, policy_dir_t dir, bypass_t *bypass)
3287: {
3288: netlink_buf_t request;
3289: struct xfrm_selector *sel;
3290: struct nlmsghdr *hdr;
3291:
3292: memset(&request, 0, sizeof(request));
3293: hdr = &request.hdr;
3294: hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
3295: hdr->nlmsg_type = type;
3296:
3297: if (type == XFRM_MSG_NEWPOLICY)
3298: {
3299: struct xfrm_userpolicy_info *policy;
3300:
3301: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
3302:
3303: policy = NLMSG_DATA(hdr);
3304: policy->dir = dir;
3305: policy->priority = 32;
3306: policy->action = XFRM_POLICY_ALLOW;
3307: policy->share = XFRM_SHARE_ANY;
3308:
3309: policy->lft.soft_byte_limit = XFRM_INF;
3310: policy->lft.soft_packet_limit = XFRM_INF;
3311: policy->lft.hard_byte_limit = XFRM_INF;
3312: policy->lft.hard_packet_limit = XFRM_INF;
3313:
3314: sel = &policy->sel;
3315: }
3316: else /* XFRM_MSG_DELPOLICY */
3317: {
3318: struct xfrm_userpolicy_id *policy;
3319:
3320: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
3321:
3322: policy = NLMSG_DATA(hdr);
3323: policy->dir = dir;
3324:
3325: sel = &policy->sel;
3326: }
3327:
3328: sel->family = bypass->family;
3329: sel->proto = bypass->proto;
3330: if (dir == POLICY_IN)
3331: {
3332: sel->dport = bypass->port;
3333: sel->dport_mask = 0xffff;
3334: }
3335: else
3336: {
3337: sel->sport = bypass->port;
3338: sel->sport_mask = 0xffff;
3339: }
3340: return this->socket_xfrm->send_ack(this->socket_xfrm, hdr) == SUCCESS;
3341: }
3342:
3343: /**
3344: * Bypass socket using a port-based bypass policy
3345: */
3346: static bool add_port_bypass(private_kernel_netlink_ipsec_t *this,
3347: int fd, int family)
3348: {
3349: union {
3350: struct sockaddr sa;
3351: struct sockaddr_in in;
3352: struct sockaddr_in6 in6;
3353: } saddr;
3354: socklen_t len;
3355: bypass_t bypass = {
3356: .family = family,
3357: };
3358:
3359: len = sizeof(saddr);
3360: if (getsockname(fd, &saddr.sa, &len) != 0)
3361: {
3362: return FALSE;
3363: }
3364: #ifdef SO_PROTOCOL /* since 2.6.32 */
3365: len = sizeof(bypass.proto);
3366: if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &bypass.proto, &len) != 0)
3367: #endif
3368: { /* assume UDP if SO_PROTOCOL not supported */
3369: bypass.proto = IPPROTO_UDP;
3370: }
3371: switch (family)
3372: {
3373: case AF_INET:
3374: bypass.port = saddr.in.sin_port;
3375: break;
3376: case AF_INET6:
3377: bypass.port = saddr.in6.sin6_port;
3378: break;
3379: default:
3380: return FALSE;
3381: }
3382:
3383: if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_IN, &bypass))
3384: {
3385: return FALSE;
3386: }
3387: if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_OUT, &bypass))
3388: {
3389: manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, &bypass);
3390: return FALSE;
3391: }
3392: array_insert(this->bypass, ARRAY_TAIL, &bypass);
3393:
3394: return TRUE;
3395: }
3396:
3397: /**
3398: * Remove installed port based bypass policy
3399: */
3400: static void remove_port_bypass(bypass_t *bypass, int idx,
3401: private_kernel_netlink_ipsec_t *this)
3402: {
3403: manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_OUT, bypass);
3404: manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, bypass);
3405: }
3406:
3407: METHOD(kernel_ipsec_t, bypass_socket, bool,
3408: private_kernel_netlink_ipsec_t *this, int fd, int family)
3409: {
3410: if (lib->settings->get_bool(lib->settings,
3411: "%s.plugins.kernel-netlink.port_bypass", FALSE, lib->ns))
3412: {
3413: return add_port_bypass(this, fd, family);
3414: }
3415: return add_socket_bypass(this, fd, family);
3416: }
3417:
3418: METHOD(kernel_ipsec_t, enable_udp_decap, bool,
3419: private_kernel_netlink_ipsec_t *this, int fd, int family, uint16_t port)
3420: {
3421: int type = UDP_ENCAP_ESPINUDP;
3422:
3423: if (setsockopt(fd, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
3424: {
3425: DBG1(DBG_KNL, "unable to set UDP_ENCAP: %s", strerror(errno));
3426: return FALSE;
3427: }
3428: return TRUE;
3429: }
3430:
3431: METHOD(kernel_ipsec_t, destroy, void,
3432: private_kernel_netlink_ipsec_t *this)
3433: {
3434: enumerator_t *enumerator;
3435: policy_entry_t *policy;
3436:
3437: array_destroy_function(this->bypass,
3438: (array_callback_t)remove_port_bypass, this);
3439: if (this->socket_xfrm_events > 0)
3440: {
3441: lib->watcher->remove(lib->watcher, this->socket_xfrm_events);
3442: close(this->socket_xfrm_events);
3443: }
3444: DESTROY_IF(this->socket_xfrm);
3445: enumerator = this->policies->create_enumerator(this->policies);
3446: while (enumerator->enumerate(enumerator, &policy, &policy))
3447: {
3448: policy_entry_destroy(this, policy);
3449: }
3450: enumerator->destroy(enumerator);
3451: this->policies->destroy(this->policies);
3452: this->sas->destroy(this->sas);
3453: this->condvar->destroy(this->condvar);
3454: this->mutex->destroy(this->mutex);
3455: free(this);
3456: }
3457:
3458: /**
3459: * Get the currently configured SPD hashing thresholds for an address family
3460: */
3461: static bool get_spd_hash_thresh(private_kernel_netlink_ipsec_t *this,
3462: int type, uint8_t *lbits, uint8_t *rbits)
3463: {
3464: netlink_buf_t request;
3465: struct nlmsghdr *hdr, *out;
3466: struct xfrmu_spdhthresh *thresh;
3467: struct rtattr *rta;
3468: size_t len, rtasize;
3469: bool success = FALSE;
3470:
3471: memset(&request, 0, sizeof(request));
3472:
3473: hdr = &request.hdr;
3474: hdr->nlmsg_flags = NLM_F_REQUEST;
3475: hdr->nlmsg_type = XFRM_MSG_GETSPDINFO;
3476: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(uint32_t));
3477:
3478: if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
3479: {
3480: hdr = out;
3481: while (NLMSG_OK(hdr, len))
3482: {
3483: switch (hdr->nlmsg_type)
3484: {
3485: case XFRM_MSG_NEWSPDINFO:
3486: {
3487: rta = XFRM_RTA(hdr, uint32_t);
3488: rtasize = XFRM_PAYLOAD(hdr, uint32_t);
3489: while (RTA_OK(rta, rtasize))
3490: {
3491: if (rta->rta_type == type &&
3492: RTA_PAYLOAD(rta) == sizeof(*thresh))
3493: {
3494: thresh = RTA_DATA(rta);
3495: *lbits = thresh->lbits;
3496: *rbits = thresh->rbits;
3497: success = TRUE;
3498: break;
3499: }
3500: rta = RTA_NEXT(rta, rtasize);
3501: }
3502: break;
3503: }
3504: case NLMSG_ERROR:
3505: {
3506: struct nlmsgerr *err = NLMSG_DATA(hdr);
3507: DBG1(DBG_KNL, "getting SPD hash threshold failed: %s (%d)",
3508: strerror(-err->error), -err->error);
3509: break;
3510: }
3511: default:
3512: hdr = NLMSG_NEXT(hdr, len);
3513: continue;
3514: case NLMSG_DONE:
3515: break;
3516: }
3517: break;
3518: }
3519: free(out);
3520: }
3521: return success;
3522: }
3523:
3524: /**
3525: * Configure SPD hashing threshold for an address family
3526: */
3527: static void setup_spd_hash_thresh(private_kernel_netlink_ipsec_t *this,
3528: char *key, int type, uint8_t def)
3529: {
3530: struct xfrmu_spdhthresh *thresh;
3531: struct nlmsghdr *hdr;
3532: netlink_buf_t request;
3533: uint8_t lbits, rbits;
3534:
3535: if (!get_spd_hash_thresh(this, type, &lbits, &rbits))
3536: {
3537: return;
3538: }
3539: memset(&request, 0, sizeof(request));
3540:
3541: hdr = &request.hdr;
3542: hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
3543: hdr->nlmsg_type = XFRM_MSG_NEWSPDINFO;
3544: hdr->nlmsg_len = NLMSG_LENGTH(sizeof(uint32_t));
3545:
3546: thresh = netlink_reserve(hdr, sizeof(request), type, sizeof(*thresh));
3547: thresh->lbits = lib->settings->get_int(lib->settings,
3548: "%s.plugins.kernel-netlink.spdh_thresh.%s.lbits",
3549: def, lib->ns, key);
3550: thresh->rbits = lib->settings->get_int(lib->settings,
3551: "%s.plugins.kernel-netlink.spdh_thresh.%s.rbits",
3552: def, lib->ns, key);
3553: if (thresh->lbits != lbits || thresh->rbits != rbits)
3554: {
3555: if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
3556: {
3557: DBG1(DBG_KNL, "setting SPD hash threshold failed");
3558: }
3559: }
3560: }
3561:
3562: /*
3563: * Described in header.
3564: */
3565: kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
3566: {
3567: private_kernel_netlink_ipsec_t *this;
3568: bool register_for_events = TRUE;
3569:
3570: INIT(this,
3571: .public = {
3572: .interface = {
3573: .get_features = _get_features,
3574: .get_spi = _get_spi,
3575: .get_cpi = _get_cpi,
3576: .add_sa = _add_sa,
3577: .update_sa = _update_sa,
3578: .query_sa = _query_sa,
3579: .del_sa = _del_sa,
3580: .flush_sas = _flush_sas,
3581: .add_policy = _add_policy,
3582: .query_policy = _query_policy,
3583: .del_policy = _del_policy,
3584: .flush_policies = _flush_policies,
3585: .bypass_socket = _bypass_socket,
3586: .enable_udp_decap = _enable_udp_decap,
3587: .destroy = _destroy,
3588: },
3589: },
3590: .policies = hashtable_create((hashtable_hash_t)policy_hash,
3591: (hashtable_equals_t)policy_equals, 32),
3592: .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
3593: (hashtable_equals_t)ipsec_sa_equals, 32),
3594: .bypass = array_create(sizeof(bypass_t), 0),
3595: .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
3596: .condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
3597: .get_priority = dlsym(RTLD_DEFAULT,
3598: "kernel_netlink_get_priority_custom"),
3599: .policy_update = lib->settings->get_bool(lib->settings,
3600: "%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns),
3601: .install_routes = lib->settings->get_bool(lib->settings,
3602: "%s.install_routes", TRUE, lib->ns),
3603: .proto_port_transport = lib->settings->get_bool(lib->settings,
3604: "%s.plugins.kernel-netlink.set_proto_port_transport_sa",
3605: FALSE, lib->ns),
3606: );
3607:
3608: if (streq(lib->ns, "starter"))
3609: { /* starter has no threads, so we do not register for kernel events */
3610: register_for_events = FALSE;
3611: }
3612:
3613: this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names,
3614: lib->settings->get_bool(lib->settings,
3615: "%s.plugins.kernel-netlink.parallel_xfrm", FALSE, lib->ns));
3616: if (!this->socket_xfrm)
3617: {
3618: destroy(this);
3619: return NULL;
3620: }
3621:
3622: setup_spd_hash_thresh(this, "ipv4", XFRMA_SPD_IPV4_HTHRESH, 32);
3623: setup_spd_hash_thresh(this, "ipv6", XFRMA_SPD_IPV6_HTHRESH, 128);
3624:
3625: if (register_for_events)
3626: {
3627: struct sockaddr_nl addr;
3628:
3629: memset(&addr, 0, sizeof(addr));
3630: addr.nl_family = AF_NETLINK;
3631:
3632: /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
3633: this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
3634: if (this->socket_xfrm_events <= 0)
3635: {
3636: DBG1(DBG_KNL, "unable to create XFRM event socket: %s (%d)",
3637: strerror(errno), errno);
3638: destroy(this);
3639: return NULL;
3640: }
3641: addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
3642: XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
3643: if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
3644: {
3645: DBG1(DBG_KNL, "unable to bind XFRM event socket: %s (%d)",
3646: strerror(errno), errno);
3647: destroy(this);
3648: return NULL;
3649: }
3650: lib->watcher->add(lib->watcher, this->socket_xfrm_events, WATCHER_READ,
3651: (watcher_cb_t)receive_events, this);
3652: }
3653:
3654: netlink_find_offload_feature(lib->settings->get_str(lib->settings,
3655: "%s.plugins.kernel-netlink.hw_offload_feature_interface",
3656: "lo", lib->ns));
3657:
3658: return &this->public;
3659: }