+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger

+#include <linux/rtnetlink.h>

+#define BUFFER_SIZE 1024

+/* returns a pointer to the first rtattr following the nlmsghdr *nlh and the 'usual' netlink data x like 'struct xfrm_usersa_info' */

+#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))

+/* returns the total size of attached rta data (after 'usual' netlink data x like 'struct xfrm_usersa_info') */

+#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))

+ status_t (*send_message) (private_kernel_interface_t *this, struct nlmsghdr *request, struct nlmsghdr **response);

+ unsigned char request[BUFFER_SIZE];

+ struct nlmsghdr *response;

+

+ memset(&request, 0, sizeof(request));

+ this->logger->log(this->logger, CONTROL|LEVEL2, "getting spi");

+ struct nlmsghdr *hdr = (struct nlmsghdr*)request;

+ hdr->nlmsg_flags = NLM_F_REQUEST;

+ hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;

+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));

+

+ struct xfrm_userspi_info *userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);

+ userspi->info.saddr = src->get_xfrm_addr(src);

+ userspi->info.id.daddr = dest->get_xfrm_addr(dest);

+ userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;

+ userspi->info.mode = TRUE; /* tunnel mode */

+ userspi->info.reqid = reqid;

+ userspi->info.family = src->get_family(src);

+ userspi->min = 0xc0000000;

+ userspi->max = 0xcFFFFFFF;

+

+ if (this->send_message(this, hdr, &response) != SUCCESS)

+ else if (response->nlmsg_type == NLMSG_ERROR)

+ strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));

+ else if (response->nlmsg_type != XFRM_MSG_NEWSA)

+ else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))

+ *spi = ((struct xfrm_usersa_info*)NLMSG_DATA(response))->id.spi;

+static status_t add_sa(private_kernel_interface_t *this,

+ host_t *me, host_t *other,

+ u_int32_t spi, protocol_id_t protocol,

+ u_int32_t reqid,

+ u_int64_t expire_soft, u_int64_t expire_hard,

+ algorithm_t *enc_alg, algorithm_t *int_alg,

+ prf_plus_t *prf_plus, natt_conf_t *natt,

+ bool replace)

+ unsigned char request[BUFFER_SIZE];

+ struct nlmsghdr *response;

+ size_t key_size;

+ status_t status = SUCCESS;

+ this->logger->log(this->logger, CONTROL|LEVEL2, "adding SA");

+

+ struct nlmsghdr *hdr = (struct nlmsghdr*)request;

+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;

+ hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;

+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));

+ struct xfrm_usersa_info *sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);

+ sa->saddr = me->get_xfrm_addr(me);

+ sa->id.daddr = other->get_xfrm_addr(other);

+ sa->id.spi = spi;

+ sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;

+ sa->family = me->get_family(me);

+ sa->mode = TRUE; /* tunnel mode */

+ sa->replay_window = 32;

+ sa->reqid = reqid;

+ sa->lft.soft_byte_limit = XFRM_INF;

+ sa->lft.hard_byte_limit = XFRM_INF;

+ sa->lft.soft_packet_limit = XFRM_INF;

+ sa->lft.hard_packet_limit = XFRM_INF;

+ sa->lft.soft_add_expires_seconds = expire_soft;

+ sa->lft.hard_add_expires_seconds = expire_hard;

+ sa->lft.soft_use_expires_seconds = 0;

+ sa->lft.hard_use_expires_seconds = 0;

+ struct rtattr *rthdr = (struct rtattr*)(request + hdr->nlmsg_len);

+ rthdr->rta_type = XFRMA_ALG_CRYPT;

+

+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);

+ hdr->nlmsg_len += rthdr->rta_len;

+ if (hdr->nlmsg_len > sizeof(request))

+

+ struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);

+ algo->alg_key_len = key_size;

+ strcpy(algo->alg_name, alg_name);

+ prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);

+ struct rtattr *rthdr = (struct rtattr*)(request + hdr->nlmsg_len);

+ rthdr->rta_type = XFRMA_ALG_AUTH;

+

+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);

+ hdr->nlmsg_len += rthdr->rta_len;

+ if (hdr->nlmsg_len > sizeof(request))

+

+ struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);

+ algo->alg_key_len = key_size;

+ strcpy(algo->alg_name, alg_name);

+ prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);

+ /* TODO: add IPComp here */

+ if (natt)

+ {

+ struct rtattr *rthdr = (struct rtattr*)(request + hdr->nlmsg_len);

+

+ rthdr->rta_type = XFRMA_ENCAP;

+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));

+

+ hdr->nlmsg_len += rthdr->rta_len;

+ if (hdr->nlmsg_len > sizeof(request))

+ {

+ return FAILED;

+ }

+

+ struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);

+ /* UDP_ENCAP_ESPINUDP, see /usr/src/linux/include/linux/udp.h

+ * we could probably use 3 here (as pluto does) although the

+ * result is eventually the same. */

+ encap->encap_type = 2;

+ encap->encap_sport = ntohs(natt->sport);

+ encap->encap_dport = ntohs(natt->dport);

+ memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));

+ /* encap_oa could probably be derived from the

+ * traffic selectors [rfc4306, p39]. In the netlink kernel implementation

+ * pluto does the same as we do here but it uses encap_oa in the

+ * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates

+ * the kernel ignores it anyway

+ * -> does that mean that NAT-T encap doesn't work in transport mode?

+ * No. The reason the kernel ignores NAT-OA is that it recomputes

+ * (or, rather, just ignores) the checksum. If packets pass

+ * the IPSec checks it marks them "checksum ok" so OA isn't needed. */

+ }

+

+ if (this->send_message(this, hdr, &response) != SUCCESS)

+ else if (response->nlmsg_type != NLMSG_ERROR)

+ else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)

+ this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_NEWSA got an error: %s",

+ strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));

+static status_t update_sa_hosts(

+ private_kernel_interface_t *this,

+ host_t *src, host_t *dst,

+ host_t *new_src, host_t *new_dst,

+ int src_changes, int dst_changes,

+ u_int32_t spi, protocol_id_t protocol)

+ unsigned char request[BUFFER_SIZE];

+ struct nlmsghdr *update, *response;

+

+ this->logger->log(this->logger, CONTROL|LEVEL2, "getting SA");

+

+ struct nlmsghdr *hdr = (struct nlmsghdr*)request;

+ hdr->nlmsg_flags = NLM_F_REQUEST ;

+ hdr->nlmsg_type = XFRM_MSG_GETSA;

+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));

+

+ struct xfrm_usersa_id *sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);

+ sa_id->daddr = dst->get_xfrm_addr(dst);

+ sa_id->spi = spi;

+ sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;

+ sa_id->family = dst->get_family(dst);

+

+ if (this->send_message(this, hdr, &update) != SUCCESS)

+ {

+ this->logger->log(this->logger, ERROR, "netlink communication failed");

+ return FAILED;

+ }

+ else if (update->nlmsg_type == NLMSG_ERROR)

+ {

+ this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_GETSA got an error: %s",

+ strerror(-((struct nlmsgerr*)NLMSG_DATA(update))->error));

+ free(update);

+ return FAILED;

+ }

+ else if (update->nlmsg_type != XFRM_MSG_NEWSA)

+ {

+ this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_GETSA got a unknown reply");

+ free(update);

+ return FAILED;

+ }

+ else if (update->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))

+ {

+ this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_GETSA got an invalid reply");

+ free(update);

+ return FAILED;

+ }

+ this->logger->log(this->logger, CONTROL|LEVEL2, "updating SA");

+ update->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;

+ update->nlmsg_type = XFRM_MSG_UPDSA;

+ struct xfrm_usersa_info *sa = (struct xfrm_usersa_info*)NLMSG_DATA(update);

+ if (src_changes & HOST_DIFF_ADDR)

+ {

+ sa->saddr = new_src->get_xfrm_addr(new_src);

+ }

+

+ if (dst_changes & HOST_DIFF_ADDR)

+ {

+ this->logger->log(this->logger, CONTROL|LEVEL2, "destination address changed! replacing SA");

+

+ update->nlmsg_type = XFRM_MSG_NEWSA;

+ sa->id.daddr = new_dst->get_xfrm_addr(new_dst);

+ }

+ if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)

+ {

+ struct rtattr *rthdr = XFRM_RTA(update, struct xfrm_usersa_info);

+ size_t rtsize = XFRM_PAYLOAD(update, struct xfrm_usersa_info);

+ while (RTA_OK(rthdr, rtsize))

+ {

+ if (rthdr->rta_type == XFRMA_ENCAP)

+ {

+ struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);

+ encap->encap_sport = ntohs(new_src->get_port(new_src));

+ encap->encap_dport = ntohs(new_dst->get_port(new_dst));

+ break;

+ }

+ rthdr = RTA_NEXT(rthdr, rtsize);

+ }

+ }

+ if (this->send_message(this, update, &response) != SUCCESS)

+ {

+ this->logger->log(this->logger, ERROR, "netlink communication failed");

+ free(update);

+ return FAILED;

+ }

+ else if (response->nlmsg_type != NLMSG_ERROR)

+ {

+ this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_XXXSA not acknowledged");

+ status = FAILED;

+ }

+ else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)

+ {

+ this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_XXXSA got an error: %s",

+ strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));

+ status = FAILED;

+ }

+ else if (dst_changes & HOST_DIFF_ADDR)

+ {

+ this->logger->log(this->logger, CONTROL|LEVEL2, "deleting old SA");

+ status = this->public.del_sa(&this->public, dst, spi, protocol);

+ }

+

+ free(update);

+ free(response);

+ return status;

+}

+static status_t del_sa( private_kernel_interface_t *this,

+ host_t *dst,

+ u_int32_t spi,

+ protocol_id_t protocol)

+{

+ unsigned char request[BUFFER_SIZE];

+ struct nlmsghdr *response;

+

+ memset(&request, 0, sizeof(request));

+ status_t status = SUCCESS;

+

+ this->logger->log(this->logger, CONTROL|LEVEL2, "deleting SA");

+

+ struct nlmsghdr *hdr = (struct nlmsghdr*)request;

+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;

+ hdr->nlmsg_type = XFRM_MSG_DELSA;

+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));

+

+ struct xfrm_usersa_id *sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);

+ sa_id->daddr = dst->get_xfrm_addr(dst);

+ sa_id->spi = spi;

+ sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;

+ sa_id->family = dst->get_family(dst);

+

+ if (this->send_message(this, hdr, &response) != SUCCESS)

+ else if (response->nlmsg_type != NLMSG_ERROR)

+ else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)

+ this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_DELSA got an error: %s",

+ strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));

+ unsigned char request[BUFFER_SIZE];

+ struct nlmsghdr *response;

+

+ memset(&request, 0, sizeof(request));

+ this->logger->log(this->logger, CONTROL|LEVEL2, "adding policy");

+

+ struct nlmsghdr *hdr = (struct nlmsghdr*)request;

+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;

+ hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;

+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));

+

+ struct xfrm_userpolicy_info *policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);

+

+ policy->sel.sport = htons(src->get_port(src));

+ policy->sel.sport_mask = (policy->sel.sport) ? ~0 : 0;

+ policy->sel.saddr = src->get_xfrm_addr(src);

+ policy->sel.prefixlen_s = src_hostbits;

+ policy->sel.dport = htons(dst->get_port(dst));

+ policy->sel.dport_mask = (policy->sel.dport) ? ~0 : 0;

+ policy->sel.daddr = dst->get_xfrm_addr(dst);

+ policy->sel.prefixlen_d = dst_hostbits;

+

+ policy->sel.proto = upper_proto;

+ policy->sel.family = src->get_family(src);

+

+ policy->dir = direction;

+ policy->priority = SPD_PRIORITY;

+ policy->action = XFRM_POLICY_ALLOW;

+ policy->share = XFRM_SHARE_ANY;

+ policy->lft.soft_byte_limit = XFRM_INF;

+ policy->lft.soft_packet_limit = XFRM_INF;

+ policy->lft.hard_byte_limit = XFRM_INF;

+ policy->lft.hard_packet_limit = XFRM_INF;

+ policy->lft.soft_add_expires_seconds = 0;

+ policy->lft.hard_add_expires_seconds = 0;

+ policy->lft.soft_use_expires_seconds = 0;

+ policy->lft.hard_use_expires_seconds = 0;

+

+ struct rtattr *rthdr = (struct rtattr*)(request + hdr->nlmsg_len);

+ rthdr->rta_type = XFRMA_TMPL;

+

+ rthdr->rta_len = sizeof(struct xfrm_user_tmpl);

+ rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);

+

+ hdr->nlmsg_len += rthdr->rta_len;

+ if (hdr->nlmsg_len > sizeof(request))

+ {

+ return FAILED;

+ }

+

+ struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);

+ tmpl->reqid = reqid;

+ tmpl->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;

+ tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;

+ tmpl->mode = TRUE;

+

+ tmpl->saddr = me->get_xfrm_addr(me);

+ tmpl->id.daddr = other->get_xfrm_addr(other);

+

+ if (this->send_message(this, hdr, &response) != SUCCESS)

+ else if (response->nlmsg_type != NLMSG_ERROR)

+ else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)

+ this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_NEWPOLICY got an error: %s",

+ strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));

+ unsigned char request[BUFFER_SIZE];

+ struct nlmsghdr *response;

+ status_t status = SUCCESS;

+ this->logger->log(this->logger, CONTROL|LEVEL2, "deleting policy");

+

+ struct nlmsghdr *hdr = (struct nlmsghdr*)request;

+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;

+ hdr->nlmsg_type = XFRM_MSG_DELPOLICY;

+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));

+ struct xfrm_userpolicy_id *policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);

+ policy_id->sel.sport = htons(src->get_port(src));

+ policy_id->sel.sport_mask = (policy_id->sel.sport) ? ~0 : 0;

+ policy_id->sel.saddr = src->get_xfrm_addr(src);

+ policy_id->sel.prefixlen_s = src_hostbits;

+ policy_id->sel.dport = htons(dst->get_port(dst));

+ policy_id->sel.dport_mask = (policy_id->sel.dport) ? ~0 : 0;

+ policy_id->sel.daddr = dst->get_xfrm_addr(dst);

+ policy_id->sel.prefixlen_d = dst_hostbits;

+

+ policy_id->sel.proto = upper_proto;

+ policy_id->sel.family = src->get_family(src);

+

+ policy_id->dir = direction;

+

+ if (this->send_message(this, hdr, &response) != SUCCESS)

+ else if (response->nlmsg_type != NLMSG_ERROR)

+ else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)

+ this->logger->log(this->logger, ERROR, "netlink request XFRM_MSG_DELPOLICY got an error: %s",

+ strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));

+static status_t send_message(private_kernel_interface_t *this, struct nlmsghdr *request, struct nlmsghdr **response)

+ request->nlmsg_seq = ++this->seq;

+ request->nlmsg_pid = 0;

+ length = sendto(this->socket,(void *)request, request->nlmsg_len, 0, (struct sockaddr *)&addr, sizeof(addr));

+ else if (length != request->nlmsg_len)

+ struct nlmsghdr *listed_response;

+ if (listed_response->nlmsg_seq == request->nlmsg_seq)

+ iterator->remove(iterator);

+ unsigned char response[BUFFER_SIZE];

+ struct nlmsghdr *hdr, *listed_response;

+ if (!NLMSG_OK((struct nlmsghdr *)response, length))

+ hdr = (struct nlmsghdr*)response;

+ if (hdr->nlmsg_type == XFRM_MSG_ACQUIRE)

+ else if (hdr->nlmsg_type == XFRM_MSG_EXPIRE)

+ struct xfrm_user_expire *expire;

+ expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);

+ this->logger->log(this->logger, CONTROL|LEVEL0,

+ "creating %s job for CHILD_SA with reqid %d",

+ expire->hard ? "delete" : "rekey",

+ expire->state.reqid);

+ if (expire->hard)

+ expire->state.reqid);

+ expire->state.reqid);

+ expire->state.reqid);

+ expire->state.reqid);

+ /* NLMSG_ERROR is sent back for acknowledge (or on error), an

+ * XFRM_MSG_NEWSA is returned when we alloc spis and when

+ * updating SAs.

+ else if (hdr->nlmsg_type == NLMSG_ERROR ||

+ hdr->nlmsg_type == XFRM_MSG_NEWSA)

+ listed_response = malloc(hdr->nlmsg_len);

+ memcpy(listed_response, &response, hdr->nlmsg_len);

+ this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,bool))add_sa;

+ this->public.update_sa_hosts = (status_t(*)(kernel_interface_t*,host_t*,host_t*,host_t*,host_t*,int,int,u_int32_t,protocol_id_t))update_sa_hosts;

+