libnl  3.6.0
sa.c
1 /* SPDX-License-Identifier: LGPL-2.1-only */
2 /*
3  * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
4  *
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * Redistributions of source code must retain the above copyright
11  * notice, this list of conditions and the following disclaimer.
12  *
13  * Redistributions in binary form must reproduce the above copyright
14  * notice, this list of conditions and the following disclaimer in the
15  * documentation and/or other materials provided with the
16  * distribution.
17  *
18  * Neither the name of Texas Instruments Incorporated nor the names of
19  * its contributors may be used to endorse or promote products derived
20  * from this software without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
24  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
25  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
26  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
27  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
28  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
32  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33  *
34  */
35 
36 /**
37  * @ingroup xfrmnl
38  * @defgroup sa Security Association
39  * @brief
40  */
41 
42 #include <netlink-private/netlink.h>
43 #include <netlink/netlink.h>
44 #include <netlink/cache.h>
45 #include <netlink/object.h>
46 #include <netlink/xfrm/sa.h>
47 #include <netlink/xfrm/selector.h>
48 #include <netlink/xfrm/lifetime.h>
49 #include <time.h>
50 
51 #include "netlink-private/utils.h"
52 
53 /** @cond SKIP */
54 #define XFRM_SA_ATTR_SEL 0x01
55 #define XFRM_SA_ATTR_DADDR 0x02
56 #define XFRM_SA_ATTR_SPI 0x04
57 #define XFRM_SA_ATTR_PROTO 0x08
58 #define XFRM_SA_ATTR_SADDR 0x10
59 #define XFRM_SA_ATTR_LTIME_CFG 0x20
60 #define XFRM_SA_ATTR_LTIME_CUR 0x40
61 #define XFRM_SA_ATTR_STATS 0x80
62 #define XFRM_SA_ATTR_SEQ 0x100
63 #define XFRM_SA_ATTR_REQID 0x200
64 #define XFRM_SA_ATTR_FAMILY 0x400
65 #define XFRM_SA_ATTR_MODE 0x800
66 #define XFRM_SA_ATTR_REPLAY_WIN 0x1000
67 #define XFRM_SA_ATTR_FLAGS 0x2000
68 #define XFRM_SA_ATTR_ALG_AEAD 0x4000
69 #define XFRM_SA_ATTR_ALG_AUTH 0x8000
70 #define XFRM_SA_ATTR_ALG_CRYPT 0x10000
71 #define XFRM_SA_ATTR_ALG_COMP 0x20000
72 #define XFRM_SA_ATTR_ENCAP 0x40000
73 #define XFRM_SA_ATTR_TFCPAD 0x80000
74 #define XFRM_SA_ATTR_COADDR 0x100000
75 #define XFRM_SA_ATTR_MARK 0x200000
76 #define XFRM_SA_ATTR_SECCTX 0x400000
77 #define XFRM_SA_ATTR_REPLAY_MAXAGE 0x800000
78 #define XFRM_SA_ATTR_REPLAY_MAXDIFF 0x1000000
79 #define XFRM_SA_ATTR_REPLAY_STATE 0x2000000
80 #define XFRM_SA_ATTR_EXPIRE 0x4000000
81 #define XFRM_SA_ATTR_OFFLOAD_DEV 0x8000000
82 
83 static struct nl_cache_ops xfrmnl_sa_ops;
84 static struct nl_object_ops xfrm_sa_obj_ops;
85 /** @endcond */
86 
87 static void xfrm_sa_alloc_data(struct nl_object *c)
88 {
89  struct xfrmnl_sa* sa = nl_object_priv (c);
90 
91  if ((sa->sel = xfrmnl_sel_alloc ()) == NULL)
92  return;
93 
94  if ((sa->lft = xfrmnl_ltime_cfg_alloc ()) == NULL)
95  return;
96 }
97 
98 static void xfrm_sa_free_data(struct nl_object *c)
99 {
100  struct xfrmnl_sa* sa = nl_object_priv (c);
101 
102  if (sa == NULL)
103  return;
104 
105  xfrmnl_sel_put (sa->sel);
106  xfrmnl_ltime_cfg_put (sa->lft);
107  nl_addr_put (sa->id.daddr);
108  nl_addr_put (sa->saddr);
109 
110  if (sa->aead)
111  free (sa->aead);
112  if (sa->auth)
113  free (sa->auth);
114  if (sa->crypt)
115  free (sa->crypt);
116  if (sa->comp)
117  free (sa->comp);
118  if (sa->encap) {
119  if (sa->encap->encap_oa)
120  nl_addr_put(sa->encap->encap_oa);
121  free(sa->encap);
122  }
123  if (sa->coaddr)
124  nl_addr_put (sa->coaddr);
125  if (sa->sec_ctx)
126  free (sa->sec_ctx);
127  if (sa->replay_state_esn)
128  free (sa->replay_state_esn);
129  if (sa->user_offload)
130  free(sa->user_offload);
131 }
132 
133 static int xfrm_sa_clone(struct nl_object *_dst, struct nl_object *_src)
134 {
135  struct xfrmnl_sa* dst = nl_object_priv(_dst);
136  struct xfrmnl_sa* src = nl_object_priv(_src);
137  uint32_t len = 0;
138 
139  dst->sel = NULL;
140  dst->id.daddr = NULL;
141  dst->saddr = NULL;
142  dst->lft = NULL;
143  dst->aead = NULL;
144  dst->auth = NULL;
145  dst->crypt = NULL;
146  dst->comp = NULL;
147  dst->encap = NULL;
148  dst->coaddr = NULL;
149  dst->sec_ctx = NULL;
150  dst->replay_state_esn = NULL;
151  dst->user_offload = NULL;
152 
153  if (src->sel)
154  if ((dst->sel = xfrmnl_sel_clone (src->sel)) == NULL)
155  return -NLE_NOMEM;
156 
157  if (src->lft)
158  if ((dst->lft = xfrmnl_ltime_cfg_clone (src->lft)) == NULL)
159  return -NLE_NOMEM;
160 
161  if (src->id.daddr)
162  if ((dst->id.daddr = nl_addr_clone (src->id.daddr)) == NULL)
163  return -NLE_NOMEM;
164 
165  if (src->saddr)
166  if ((dst->saddr = nl_addr_clone (src->saddr)) == NULL)
167  return -NLE_NOMEM;
168 
169  if (src->aead) {
170  len = sizeof (struct xfrmnl_algo_aead) + ((src->aead->alg_key_len + 7) / 8);
171  if ((dst->aead = calloc (1, len)) == NULL)
172  return -NLE_NOMEM;
173  memcpy ((void *)dst->aead, (void *)src->aead, len);
174  }
175 
176  if (src->auth) {
177  len = sizeof (struct xfrmnl_algo_auth) + ((src->auth->alg_key_len + 7) / 8);
178  if ((dst->auth = calloc (1, len)) == NULL)
179  return -NLE_NOMEM;
180  memcpy ((void *)dst->auth, (void *)src->auth, len);
181  }
182 
183  if (src->crypt) {
184  len = sizeof (struct xfrmnl_algo) + ((src->crypt->alg_key_len + 7) / 8);
185  if ((dst->crypt = calloc (1, len)) == NULL)
186  return -NLE_NOMEM;
187  memcpy ((void *)dst->crypt, (void *)src->crypt, len);
188  }
189 
190  if (src->comp) {
191  len = sizeof (struct xfrmnl_algo) + ((src->comp->alg_key_len + 7) / 8);
192  if ((dst->comp = calloc (1, len)) == NULL)
193  return -NLE_NOMEM;
194  memcpy ((void *)dst->comp, (void *)src->comp, len);
195  }
196 
197  if (src->encap) {
198  len = sizeof (struct xfrmnl_encap_tmpl);
199  if ((dst->encap = calloc (1, len)) == NULL)
200  return -NLE_NOMEM;
201  memcpy ((void *)dst->encap, (void *)src->encap, len);
202  }
203 
204  if (src->coaddr)
205  if ((dst->coaddr = nl_addr_clone (src->coaddr)) == NULL)
206  return -NLE_NOMEM;
207 
208  if (src->sec_ctx) {
209  len = sizeof (*src->sec_ctx) + src->sec_ctx->ctx_len;
210  if ((dst->sec_ctx = calloc (1, len)) == NULL)
211  return -NLE_NOMEM;
212  memcpy ((void *)dst->sec_ctx, (void *)src->sec_ctx, len);
213  }
214 
215  if (src->replay_state_esn) {
216  len = sizeof (struct xfrmnl_replay_state_esn) + (src->replay_state_esn->bmp_len * sizeof (uint32_t));
217  if ((dst->replay_state_esn = calloc (1, len)) == NULL)
218  return -NLE_NOMEM;
219  memcpy ((void *)dst->replay_state_esn, (void *)src->replay_state_esn, len);
220  }
221 
222  if (src->user_offload) {
223  dst->user_offload = _nl_memdup_ptr(src->user_offload);
224  if (!dst->user_offload)
225  return -NLE_NOMEM;
226  }
227 
228  return 0;
229 }
230 
231 static uint64_t xfrm_sa_compare(struct nl_object *_a, struct nl_object *_b,
232  uint64_t attrs, int flags)
233 {
234  struct xfrmnl_sa* a = (struct xfrmnl_sa *) _a;
235  struct xfrmnl_sa* b = (struct xfrmnl_sa *) _b;
236  uint64_t diff = 0;
237  int found = 0;
238 
239 #define XFRM_SA_DIFF(ATTR, EXPR) ATTR_DIFF(attrs, XFRM_SA_ATTR_##ATTR, a, b, EXPR)
240  diff |= XFRM_SA_DIFF(SEL, xfrmnl_sel_cmp(a->sel, b->sel));
241  diff |= XFRM_SA_DIFF(DADDR, nl_addr_cmp(a->id.daddr, b->id.daddr));
242  diff |= XFRM_SA_DIFF(SPI, a->id.spi != b->id.spi);
243  diff |= XFRM_SA_DIFF(PROTO, a->id.proto != b->id.proto);
244  diff |= XFRM_SA_DIFF(SADDR, nl_addr_cmp(a->saddr, b->saddr));
245  diff |= XFRM_SA_DIFF(LTIME_CFG, xfrmnl_ltime_cfg_cmp(a->lft, b->lft));
246  diff |= XFRM_SA_DIFF(REQID, a->reqid != b->reqid);
247  diff |= XFRM_SA_DIFF(FAMILY,a->family != b->family);
248  diff |= XFRM_SA_DIFF(MODE,a->mode != b->mode);
249  diff |= XFRM_SA_DIFF(REPLAY_WIN,a->replay_window != b->replay_window);
250  diff |= XFRM_SA_DIFF(FLAGS,a->flags != b->flags);
251  diff |= XFRM_SA_DIFF(ALG_AEAD,(strcmp(a->aead->alg_name, b->aead->alg_name) ||
252  (a->aead->alg_key_len != b->aead->alg_key_len) ||
253  (a->aead->alg_icv_len != b->aead->alg_icv_len) ||
254  memcmp(a->aead->alg_key, b->aead->alg_key,
255  ((a->aead->alg_key_len + 7)/8))));
256  diff |= XFRM_SA_DIFF(ALG_AUTH,(strcmp(a->auth->alg_name, b->auth->alg_name) ||
257  (a->auth->alg_key_len != b->auth->alg_key_len) ||
258  (a->auth->alg_trunc_len != b->auth->alg_trunc_len) ||
259  memcmp(a->auth->alg_key, b->auth->alg_key,
260  ((a->auth->alg_key_len + 7)/8))));
261  diff |= XFRM_SA_DIFF(ALG_CRYPT,(strcmp(a->crypt->alg_name, b->crypt->alg_name) ||
262  (a->crypt->alg_key_len != b->crypt->alg_key_len) ||
263  memcmp(a->crypt->alg_key, b->crypt->alg_key,
264  ((a->crypt->alg_key_len + 7)/8))));
265  diff |= XFRM_SA_DIFF(ALG_COMP,(strcmp(a->comp->alg_name, b->comp->alg_name) ||
266  (a->comp->alg_key_len != b->comp->alg_key_len) ||
267  memcmp(a->comp->alg_key, b->comp->alg_key,
268  ((a->comp->alg_key_len + 7)/8))));
269  diff |= XFRM_SA_DIFF(ENCAP,((a->encap->encap_type != b->encap->encap_type) ||
270  (a->encap->encap_sport != b->encap->encap_sport) ||
271  (a->encap->encap_dport != b->encap->encap_dport) ||
272  nl_addr_cmp(a->encap->encap_oa, b->encap->encap_oa)));
273  diff |= XFRM_SA_DIFF(TFCPAD,a->tfcpad != b->tfcpad);
274  diff |= XFRM_SA_DIFF(COADDR,nl_addr_cmp(a->coaddr, b->coaddr));
275  diff |= XFRM_SA_DIFF(MARK,(a->mark.m != b->mark.m) ||
276  (a->mark.v != b->mark.v));
277  diff |= XFRM_SA_DIFF(SECCTX,((a->sec_ctx->ctx_doi != b->sec_ctx->ctx_doi) ||
278  (a->sec_ctx->ctx_alg != b->sec_ctx->ctx_alg) ||
279  (a->sec_ctx->ctx_len != b->sec_ctx->ctx_len) ||
280  strcmp(a->sec_ctx->ctx, b->sec_ctx->ctx)));
281  diff |= XFRM_SA_DIFF(REPLAY_MAXAGE,a->replay_maxage != b->replay_maxage);
282  diff |= XFRM_SA_DIFF(REPLAY_MAXDIFF,a->replay_maxdiff != b->replay_maxdiff);
283  diff |= XFRM_SA_DIFF(EXPIRE,a->hard != b->hard);
284 
285  /* Compare replay states */
286  found = AVAILABLE_MISMATCH (a, b, XFRM_SA_ATTR_REPLAY_STATE);
287  if (found == 0) // attribute exists in both objects
288  {
289  if (((a->replay_state_esn != NULL) && (b->replay_state_esn == NULL)) ||
290  ((a->replay_state_esn == NULL) && (b->replay_state_esn != NULL)))
291  found |= 1;
292 
293  if (found == 0) // same replay type. compare actual values
294  {
295  if (a->replay_state_esn)
296  {
297  if (a->replay_state_esn->bmp_len != b->replay_state_esn->bmp_len)
298  diff |= 1;
299  else
300  {
301  uint32_t len = sizeof (struct xfrmnl_replay_state_esn) +
302  (a->replay_state_esn->bmp_len * sizeof (uint32_t));
303  diff |= memcmp (a->replay_state_esn, b->replay_state_esn, len);
304  }
305  }
306  else
307  {
308  if ((a->replay_state.oseq != b->replay_state.oseq) ||
309  (a->replay_state.seq != b->replay_state.seq) ||
310  (a->replay_state.bitmap != b->replay_state.bitmap))
311  diff |= 1;
312  }
313  }
314  }
315 #undef XFRM_SA_DIFF
316 
317  return diff;
318 }
319 
320 /**
321  * @name XFRM SA Attribute Translations
322  * @{
323  */
324 static const struct trans_tbl sa_attrs[] = {
325  __ADD(XFRM_SA_ATTR_SEL, selector),
326  __ADD(XFRM_SA_ATTR_DADDR, daddr),
327  __ADD(XFRM_SA_ATTR_SPI, spi),
328  __ADD(XFRM_SA_ATTR_PROTO, proto),
329  __ADD(XFRM_SA_ATTR_SADDR, saddr),
330  __ADD(XFRM_SA_ATTR_LTIME_CFG, lifetime_cfg),
331  __ADD(XFRM_SA_ATTR_LTIME_CUR, lifetime_cur),
332  __ADD(XFRM_SA_ATTR_STATS, stats),
333  __ADD(XFRM_SA_ATTR_SEQ, seqnum),
334  __ADD(XFRM_SA_ATTR_REQID, reqid),
335  __ADD(XFRM_SA_ATTR_FAMILY, family),
336  __ADD(XFRM_SA_ATTR_MODE, mode),
337  __ADD(XFRM_SA_ATTR_REPLAY_WIN, replay_window),
338  __ADD(XFRM_SA_ATTR_FLAGS, flags),
339  __ADD(XFRM_SA_ATTR_ALG_AEAD, alg_aead),
340  __ADD(XFRM_SA_ATTR_ALG_AUTH, alg_auth),
341  __ADD(XFRM_SA_ATTR_ALG_CRYPT, alg_crypto),
342  __ADD(XFRM_SA_ATTR_ALG_COMP, alg_comp),
343  __ADD(XFRM_SA_ATTR_ENCAP, encap),
344  __ADD(XFRM_SA_ATTR_TFCPAD, tfcpad),
345  __ADD(XFRM_SA_ATTR_COADDR, coaddr),
346  __ADD(XFRM_SA_ATTR_MARK, mark),
347  __ADD(XFRM_SA_ATTR_SECCTX, sec_ctx),
348  __ADD(XFRM_SA_ATTR_REPLAY_MAXAGE, replay_maxage),
349  __ADD(XFRM_SA_ATTR_REPLAY_MAXDIFF, replay_maxdiff),
350  __ADD(XFRM_SA_ATTR_REPLAY_STATE, replay_state),
351  __ADD(XFRM_SA_ATTR_EXPIRE, expire),
352  __ADD(XFRM_SA_ATTR_OFFLOAD_DEV, user_offload),
353 };
354 
355 static char* xfrm_sa_attrs2str(int attrs, char *buf, size_t len)
356 {
357  return __flags2str (attrs, buf, len, sa_attrs, ARRAY_SIZE(sa_attrs));
358 }
359 /** @} */
360 
361 /**
362  * @name XFRM SA Flags Translations
363  * @{
364  */
365 static const struct trans_tbl sa_flags[] = {
366  __ADD(XFRM_STATE_NOECN, no ecn),
367  __ADD(XFRM_STATE_DECAP_DSCP, decap dscp),
368  __ADD(XFRM_STATE_NOPMTUDISC, no pmtu discovery),
369  __ADD(XFRM_STATE_WILDRECV, wild receive),
370  __ADD(XFRM_STATE_ICMP, icmp),
371  __ADD(XFRM_STATE_AF_UNSPEC, unspecified),
372  __ADD(XFRM_STATE_ALIGN4, align4),
373  __ADD(XFRM_STATE_ESN, esn),
374 };
375 
376 char* xfrmnl_sa_flags2str(int flags, char *buf, size_t len)
377 {
378  return __flags2str (flags, buf, len, sa_flags, ARRAY_SIZE(sa_flags));
379 }
380 
381 int xfrmnl_sa_str2flag(const char *name)
382 {
383  return __str2flags (name, sa_flags, ARRAY_SIZE(sa_flags));
384 }
385 /** @} */
386 
387 /**
388  * @name XFRM SA Mode Translations
389  * @{
390  */
391 static const struct trans_tbl sa_modes[] = {
392  __ADD(XFRM_MODE_TRANSPORT, transport),
393  __ADD(XFRM_MODE_TUNNEL, tunnel),
394  __ADD(XFRM_MODE_ROUTEOPTIMIZATION, route optimization),
395  __ADD(XFRM_MODE_IN_TRIGGER, in trigger),
396  __ADD(XFRM_MODE_BEET, beet),
397 };
398 
399 char* xfrmnl_sa_mode2str(int mode, char *buf, size_t len)
400 {
401  return __type2str (mode, buf, len, sa_modes, ARRAY_SIZE(sa_modes));
402 }
403 
404 int xfrmnl_sa_str2mode(const char *name)
405 {
406  return __str2type (name, sa_modes, ARRAY_SIZE(sa_modes));
407 }
408 /** @} */
409 
410 
411 static void xfrm_sa_dump_line(struct nl_object *a, struct nl_dump_params *p)
412 {
413  char dst[INET6_ADDRSTRLEN+5], src[INET6_ADDRSTRLEN+5];
414  struct xfrmnl_sa* sa = (struct xfrmnl_sa *) a;
415  char flags[128], mode[128];
416  time_t add_time, use_time;
417  struct tm *add_time_tm, *use_time_tm;
418 
419  nl_dump_line(p, "src %s dst %s family: %s\n", nl_addr2str(sa->saddr, src, sizeof(src)),
420  nl_addr2str(sa->id.daddr, dst, sizeof(dst)),
421  nl_af2str (sa->family, flags, sizeof (flags)));
422 
423  nl_dump_line(p, "\tproto %s spi 0x%x reqid %u\n",
424  nl_ip_proto2str (sa->id.proto, flags, sizeof(flags)),
425  sa->id.spi, sa->reqid);
426 
427  xfrmnl_sa_flags2str(sa->flags, flags, sizeof (flags));
428  xfrmnl_sa_mode2str(sa->mode, mode, sizeof (mode));
429  nl_dump_line(p, "\tmode: %s flags: %s (0x%x) seq: %u replay window: %u\n",
430  mode, flags, sa->flags, sa->seq, sa->replay_window);
431 
432  nl_dump_line(p, "\tlifetime configuration: \n");
433  if (sa->lft->soft_byte_limit == XFRM_INF)
434  sprintf (flags, "INF");
435  else
436  sprintf (flags, "%" PRIu64, sa->lft->soft_byte_limit);
437  if (sa->lft->soft_packet_limit == XFRM_INF)
438  sprintf (mode, "INF");
439  else
440  sprintf (mode, "%" PRIu64, sa->lft->soft_packet_limit);
441  nl_dump_line(p, "\t\tsoft limit: %s (bytes), %s (packets)\n", flags, mode);
442  if (sa->lft->hard_byte_limit == XFRM_INF)
443  sprintf (flags, "INF");
444  else
445  sprintf (flags, "%" PRIu64, sa->lft->hard_byte_limit);
446  if (sa->lft->hard_packet_limit == XFRM_INF)
447  sprintf (mode, "INF");
448  else
449  sprintf (mode, "%" PRIu64, sa->lft->hard_packet_limit);
450  nl_dump_line(p, "\t\thard limit: %s (bytes), %s (packets)\n", flags, mode);
451  nl_dump_line(p, "\t\tsoft add_time: %llu (seconds), soft use_time: %llu (seconds) \n",
452  sa->lft->soft_add_expires_seconds, sa->lft->soft_use_expires_seconds);
453  nl_dump_line(p, "\t\thard add_time: %llu (seconds), hard use_time: %llu (seconds) \n",
454  sa->lft->hard_add_expires_seconds, sa->lft->hard_use_expires_seconds);
455 
456  nl_dump_line(p, "\tlifetime current: \n");
457  nl_dump_line(p, "\t\t%llu bytes, %llu packets\n", sa->curlft.bytes, sa->curlft.packets);
458  if (sa->curlft.add_time != 0)
459  {
460  add_time = sa->curlft.add_time;
461  add_time_tm = gmtime (&add_time);
462  strftime (flags, 128, "%Y-%m-%d %H-%M-%S", add_time_tm);
463  }
464  else
465  {
466  sprintf (flags, "%s", "-");
467  }
468 
469  if (sa->curlft.use_time != 0)
470  {
471  use_time = sa->curlft.use_time;
472  use_time_tm = gmtime (&use_time);
473  strftime (mode, 128, "%Y-%m-%d %H-%M-%S", use_time_tm);
474  }
475  else
476  {
477  sprintf (mode, "%s", "-");
478  }
479  nl_dump_line(p, "\t\tadd_time: %s, use_time: %s\n", flags, mode);
480 
481  if (sa->aead)
482  {
483  nl_dump_line(p, "\tAEAD Algo: \n");
484  nl_dump_line(p, "\t\tName: %s Key len(bits): %u ICV Len(bits): %u\n",
485  sa->aead->alg_name, sa->aead->alg_key_len, sa->aead->alg_icv_len);
486  }
487 
488  if (sa->auth)
489  {
490  nl_dump_line(p, "\tAuth Algo: \n");
491  nl_dump_line(p, "\t\tName: %s Key len(bits): %u Trunc len(bits): %u\n",
492  sa->auth->alg_name, sa->auth->alg_key_len, sa->auth->alg_trunc_len);
493  }
494 
495  if (sa->crypt)
496  {
497  nl_dump_line(p, "\tEncryption Algo: \n");
498  nl_dump_line(p, "\t\tName: %s Key len(bits): %u\n",
499  sa->crypt->alg_name, sa->crypt->alg_key_len);
500  }
501 
502  if (sa->comp)
503  {
504  nl_dump_line(p, "\tCompression Algo: \n");
505  nl_dump_line(p, "\t\tName: %s Key len(bits): %u\n",
506  sa->comp->alg_name, sa->comp->alg_key_len);
507  }
508 
509  if (sa->encap)
510  {
511  nl_dump_line(p, "\tEncapsulation template: \n");
512  nl_dump_line(p, "\t\tType: %d Src port: %d Dst port: %d Encap addr: %s\n",
513  sa->encap->encap_type, sa->encap->encap_sport, sa->encap->encap_dport,
514  nl_addr2str (sa->encap->encap_oa, dst, sizeof (dst)));
515  }
516 
517  if (sa->ce_mask & XFRM_SA_ATTR_TFCPAD)
518  nl_dump_line(p, "\tTFC Pad: %u\n", sa->tfcpad);
519 
520  if (sa->ce_mask & XFRM_SA_ATTR_COADDR)
521  nl_dump_line(p, "\tCO Address: %s\n", nl_addr2str (sa->coaddr, dst, sizeof (dst)));
522 
523  if (sa->ce_mask & XFRM_SA_ATTR_MARK)
524  nl_dump_line(p, "\tMark mask: 0x%x Mark value: 0x%x\n", sa->mark.m, sa->mark.v);
525 
526  if (sa->ce_mask & XFRM_SA_ATTR_SECCTX)
527  nl_dump_line(p, "\tDOI: %d Algo: %d Len: %u ctx: %s\n", sa->sec_ctx->ctx_doi,
528  sa->sec_ctx->ctx_alg, sa->sec_ctx->ctx_len, sa->sec_ctx->ctx);
529 
530  nl_dump_line(p, "\treplay info: \n");
531  nl_dump_line(p, "\t\tmax age %u max diff %u \n", sa->replay_maxage, sa->replay_maxdiff);
532 
533  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
534  {
535  nl_dump_line(p, "\treplay state info: \n");
536  if (sa->replay_state_esn)
537  {
538  nl_dump_line(p, "\t\toseq %u seq %u oseq_hi %u seq_hi %u replay window: %u \n",
539  sa->replay_state_esn->oseq, sa->replay_state_esn->seq,
540  sa->replay_state_esn->oseq_hi, sa->replay_state_esn->seq_hi,
541  sa->replay_state_esn->replay_window);
542  }
543  else
544  {
545  nl_dump_line(p, "\t\toseq %u seq %u bitmap: %u \n", sa->replay_state.oseq,
546  sa->replay_state.seq, sa->replay_state.bitmap);
547  }
548  }
549 
550  nl_dump_line(p, "\tselector info: \n");
551  xfrmnl_sel_dump (sa->sel, p);
552 
553  nl_dump_line(p, "\tHard: %d\n", sa->hard);
554 
555  nl_dump(p, "\n");
556 }
557 
558 static void xfrm_sa_dump_stats(struct nl_object *a, struct nl_dump_params *p)
559 {
560  struct xfrmnl_sa* sa = (struct xfrmnl_sa*)a;
561 
562  nl_dump_line(p, "\tstats: \n");
563  nl_dump_line(p, "\t\treplay window: %u replay: %u integrity failed: %u \n",
564  sa->stats.replay_window, sa->stats.replay, sa->stats.integrity_failed);
565 
566  return;
567 }
568 
569 static void xfrm_sa_dump_details(struct nl_object *a, struct nl_dump_params *p)
570 {
571  xfrm_sa_dump_line(a, p);
572  xfrm_sa_dump_stats (a, p);
573 }
574 
575 /**
576  * @name XFRM SA Object Allocation/Freeage
577  * @{
578  */
579 
580 struct xfrmnl_sa* xfrmnl_sa_alloc(void)
581 {
582  return (struct xfrmnl_sa*) nl_object_alloc(&xfrm_sa_obj_ops);
583 }
584 
585 void xfrmnl_sa_put(struct xfrmnl_sa* sa)
586 {
587  nl_object_put((struct nl_object *) sa);
588 }
589 
590 /** @} */
591 
592 /**
593  * @name SA Cache Managament
594  * @{
595  */
596 
597 /**
598  * Build a SA cache including all SAs currently configured in the kernel.
599  * @arg sock Netlink socket.
600  * @arg result Pointer to store resulting cache.
601  *
602  * Allocates a new SA cache, initializes it properly and updates it
603  * to include all SAs currently configured in the kernel.
604  *
605  * @return 0 on success or a negative error code.
606  */
607 int xfrmnl_sa_alloc_cache(struct nl_sock *sock, struct nl_cache **result)
608 {
609  return nl_cache_alloc_and_fill(&xfrmnl_sa_ops, sock, result);
610 }
611 
612 /**
613  * Look up a SA by destination address, SPI, protocol
614  * @arg cache SA cache
615  * @arg daddr destination address of the SA
616  * @arg spi SPI
617  * @arg proto protocol
618  * @return sa handle or NULL if no match was found.
619  */
620 struct xfrmnl_sa* xfrmnl_sa_get(struct nl_cache* cache, struct nl_addr* daddr,
621  unsigned int spi, unsigned int proto)
622 {
623  struct xfrmnl_sa *sa;
624 
625  //nl_list_for_each_entry(sa, &cache->c_items, ce_list) {
626  for (sa = (struct xfrmnl_sa*)nl_cache_get_first (cache);
627  sa != NULL;
628  sa = (struct xfrmnl_sa*)nl_cache_get_next ((struct nl_object*)sa))
629  {
630  if (sa->id.proto == proto &&
631  sa->id.spi == spi &&
632  !nl_addr_cmp(sa->id.daddr, daddr))
633  {
634  nl_object_get((struct nl_object *) sa);
635  return sa;
636  }
637 
638  }
639 
640  return NULL;
641 }
642 
643 
644 /** @} */
645 
646 
647 static struct nla_policy xfrm_sa_policy[XFRMA_MAX+1] = {
648  [XFRMA_SA] = { .minlen = sizeof(struct xfrm_usersa_info)},
649  [XFRMA_ALG_AUTH_TRUNC] = { .minlen = sizeof(struct xfrm_algo_auth)},
650  [XFRMA_ALG_AEAD] = { .minlen = sizeof(struct xfrm_algo_aead) },
651  [XFRMA_ALG_AUTH] = { .minlen = sizeof(struct xfrm_algo) },
652  [XFRMA_ALG_CRYPT] = { .minlen = sizeof(struct xfrm_algo) },
653  [XFRMA_ALG_COMP] = { .minlen = sizeof(struct xfrm_algo) },
654  [XFRMA_ENCAP] = { .minlen = sizeof(struct xfrm_encap_tmpl) },
655  [XFRMA_TMPL] = { .minlen = sizeof(struct xfrm_user_tmpl) },
656  [XFRMA_SEC_CTX] = { .minlen = sizeof(struct xfrm_sec_ctx) },
657  [XFRMA_LTIME_VAL] = { .minlen = sizeof(struct xfrm_lifetime_cur) },
658  [XFRMA_REPLAY_VAL] = { .minlen = sizeof(struct xfrm_replay_state) },
659  [XFRMA_OFFLOAD_DEV] = { .minlen = sizeof(struct xfrm_user_offload) },
660  [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 },
661  [XFRMA_ETIMER_THRESH] = { .type = NLA_U32 },
662  [XFRMA_SRCADDR] = { .minlen = sizeof(xfrm_address_t) },
663  [XFRMA_COADDR] = { .minlen = sizeof(xfrm_address_t) },
664  [XFRMA_MARK] = { .minlen = sizeof(struct xfrm_mark) },
665  [XFRMA_TFCPAD] = { .type = NLA_U32 },
666  [XFRMA_REPLAY_ESN_VAL] = { .minlen = sizeof(struct xfrm_replay_state_esn) },
667 };
668 
669 static int xfrm_sa_request_update(struct nl_cache *c, struct nl_sock *h)
670 {
671  return nl_send_simple (h, XFRM_MSG_GETSA, NLM_F_DUMP, NULL, 0);
672 }
673 
674 int xfrmnl_sa_parse(struct nlmsghdr *n, struct xfrmnl_sa **result)
675 {
676  struct xfrmnl_sa* sa;
677  struct nlattr *tb[XFRMA_MAX + 1];
678  struct xfrm_usersa_info* sa_info;
679  struct xfrm_user_expire* ue;
680  int len, err;
681  struct nl_addr* addr;
682 
683  sa = xfrmnl_sa_alloc();
684  if (!sa) {
685  err = -NLE_NOMEM;
686  goto errout;
687  }
688 
689  sa->ce_msgtype = n->nlmsg_type;
690  if (n->nlmsg_type == XFRM_MSG_EXPIRE)
691  {
692  ue = nlmsg_data(n);
693  sa_info = &ue->state;
694  sa->hard = ue->hard;
695  sa->ce_mask |= XFRM_SA_ATTR_EXPIRE;
696  }
697  else if (n->nlmsg_type == XFRM_MSG_DELSA)
698  {
699  sa_info = (struct xfrm_usersa_info*)((char *)nlmsg_data(n) + sizeof (struct xfrm_usersa_id) + NLA_HDRLEN);
700  }
701  else
702  {
703  sa_info = nlmsg_data(n);
704  }
705 
706  err = nlmsg_parse(n, sizeof(struct xfrm_usersa_info), tb, XFRMA_MAX, xfrm_sa_policy);
707  if (err < 0)
708  goto errout;
709 
710  if (sa_info->sel.family == AF_INET)
711  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.daddr.a4, sizeof (sa_info->sel.daddr.a4));
712  else
713  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.daddr.a6, sizeof (sa_info->sel.daddr.a6));
714  nl_addr_set_prefixlen (addr, sa_info->sel.prefixlen_d);
715  xfrmnl_sel_set_daddr (sa->sel, addr);
716  xfrmnl_sel_set_prefixlen_d (sa->sel, sa_info->sel.prefixlen_d);
717 
718  if (sa_info->sel.family == AF_INET)
719  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.saddr.a4, sizeof (sa_info->sel.saddr.a4));
720  else
721  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.saddr.a6, sizeof (sa_info->sel.saddr.a6));
722  nl_addr_set_prefixlen (addr, sa_info->sel.prefixlen_s);
723  xfrmnl_sel_set_saddr (sa->sel, addr);
724  xfrmnl_sel_set_prefixlen_s (sa->sel, sa_info->sel.prefixlen_s);
725 
726  xfrmnl_sel_set_dport (sa->sel, ntohs(sa_info->sel.dport));
727  xfrmnl_sel_set_dportmask (sa->sel, ntohs(sa_info->sel.dport_mask));
728  xfrmnl_sel_set_sport (sa->sel, ntohs(sa_info->sel.sport));
729  xfrmnl_sel_set_sportmask (sa->sel, ntohs(sa_info->sel.sport_mask));
730  xfrmnl_sel_set_family (sa->sel, sa_info->sel.family);
731  xfrmnl_sel_set_proto (sa->sel, sa_info->sel.proto);
732  xfrmnl_sel_set_ifindex (sa->sel, sa_info->sel.ifindex);
733  xfrmnl_sel_set_userid (sa->sel, sa_info->sel.user);
734  sa->ce_mask |= XFRM_SA_ATTR_SEL;
735 
736  if (sa_info->family == AF_INET)
737  sa->id.daddr = nl_addr_build (sa_info->family, &sa_info->id.daddr.a4, sizeof (sa_info->id.daddr.a4));
738  else
739  sa->id.daddr = nl_addr_build (sa_info->family, &sa_info->id.daddr.a6, sizeof (sa_info->id.daddr.a6));
740  sa->id.spi = ntohl(sa_info->id.spi);
741  sa->id.proto = sa_info->id.proto;
742  sa->ce_mask |= (XFRM_SA_ATTR_DADDR | XFRM_SA_ATTR_SPI | XFRM_SA_ATTR_PROTO);
743 
744  if (sa_info->family == AF_INET)
745  sa->saddr = nl_addr_build (sa_info->family, &sa_info->saddr.a4, sizeof (sa_info->saddr.a4));
746  else
747  sa->saddr = nl_addr_build (sa_info->family, &sa_info->saddr.a6, sizeof (sa_info->saddr.a6));
748  sa->ce_mask |= XFRM_SA_ATTR_SADDR;
749 
750  sa->lft->soft_byte_limit = sa_info->lft.soft_byte_limit;
751  sa->lft->hard_byte_limit = sa_info->lft.hard_byte_limit;
752  sa->lft->soft_packet_limit = sa_info->lft.soft_packet_limit;
753  sa->lft->hard_packet_limit = sa_info->lft.hard_packet_limit;
754  sa->lft->soft_add_expires_seconds = sa_info->lft.soft_add_expires_seconds;
755  sa->lft->hard_add_expires_seconds = sa_info->lft.hard_add_expires_seconds;
756  sa->lft->soft_use_expires_seconds = sa_info->lft.soft_use_expires_seconds;
757  sa->lft->hard_use_expires_seconds = sa_info->lft.hard_use_expires_seconds;
758  sa->ce_mask |= XFRM_SA_ATTR_LTIME_CFG;
759 
760  sa->curlft.bytes = sa_info->curlft.bytes;
761  sa->curlft.packets = sa_info->curlft.packets;
762  sa->curlft.add_time = sa_info->curlft.add_time;
763  sa->curlft.use_time = sa_info->curlft.use_time;
764  sa->ce_mask |= XFRM_SA_ATTR_LTIME_CUR;
765 
766  sa->stats.replay_window = sa_info->stats.replay_window;
767  sa->stats.replay = sa_info->stats.replay;
768  sa->stats.integrity_failed = sa_info->stats.integrity_failed;
769  sa->ce_mask |= XFRM_SA_ATTR_STATS;
770 
771  sa->seq = sa_info->seq;
772  sa->reqid = sa_info->reqid;
773  sa->family = sa_info->family;
774  sa->mode = sa_info->mode;
775  sa->replay_window = sa_info->replay_window;
776  sa->flags = sa_info->flags;
777  sa->ce_mask |= (XFRM_SA_ATTR_SEQ | XFRM_SA_ATTR_REQID |
778  XFRM_SA_ATTR_FAMILY | XFRM_SA_ATTR_MODE |
779  XFRM_SA_ATTR_REPLAY_WIN | XFRM_SA_ATTR_FLAGS);
780 
781  if (tb[XFRMA_ALG_AEAD]) {
782  struct xfrm_algo_aead* aead = nla_data(tb[XFRMA_ALG_AEAD]);
783  len = sizeof (struct xfrmnl_algo_aead) + ((aead->alg_key_len + 7) / 8);
784  if ((sa->aead = calloc (1, len)) == NULL)
785  {
786  err = -NLE_NOMEM;
787  goto errout;
788  }
789  memcpy ((void *)sa->aead, (void *)aead, len);
790  sa->ce_mask |= XFRM_SA_ATTR_ALG_AEAD;
791  }
792 
793  if (tb[XFRMA_ALG_AUTH_TRUNC]) {
794  struct xfrm_algo_auth* auth = nla_data(tb[XFRMA_ALG_AUTH_TRUNC]);
795  len = sizeof (struct xfrmnl_algo_auth) + ((auth->alg_key_len + 7) / 8);
796  if ((sa->auth = calloc (1, len)) == NULL)
797  {
798  err = -NLE_NOMEM;
799  goto errout;
800  }
801  memcpy ((void *)sa->auth, (void *)auth, len);
802  sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
803  }
804 
805  if (tb[XFRMA_ALG_AUTH] && !sa->auth) {
806  struct xfrm_algo* auth = nla_data(tb[XFRMA_ALG_AUTH]);
807  len = sizeof (struct xfrmnl_algo_auth) + ((auth->alg_key_len + 7) / 8);
808  if ((sa->auth = calloc (1, len)) == NULL)
809  {
810  err = -NLE_NOMEM;
811  goto errout;
812  }
813  strcpy(sa->auth->alg_name, auth->alg_name);
814  memcpy(sa->auth->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8);
815  sa->auth->alg_key_len = auth->alg_key_len;
816  sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
817  }
818 
819  if (tb[XFRMA_ALG_CRYPT]) {
820  struct xfrm_algo* crypt = nla_data(tb[XFRMA_ALG_CRYPT]);
821  len = sizeof (struct xfrmnl_algo) + ((crypt->alg_key_len + 7) / 8);
822  if ((sa->crypt = calloc (1, len)) == NULL)
823  {
824  err = -NLE_NOMEM;
825  goto errout;
826  }
827  memcpy ((void *)sa->crypt, (void *)crypt, len);
828  sa->ce_mask |= XFRM_SA_ATTR_ALG_CRYPT;
829  }
830 
831  if (tb[XFRMA_ALG_COMP]) {
832  struct xfrm_algo* comp = nla_data(tb[XFRMA_ALG_COMP]);
833  len = sizeof (struct xfrmnl_algo) + ((comp->alg_key_len + 7) / 8);
834  if ((sa->comp = calloc (1, len)) == NULL)
835  {
836  err = -NLE_NOMEM;
837  goto errout;
838  }
839  memcpy ((void *)sa->comp, (void *)comp, len);
840  sa->ce_mask |= XFRM_SA_ATTR_ALG_COMP;
841  }
842 
843  if (tb[XFRMA_ENCAP]) {
844  struct xfrm_encap_tmpl* encap = nla_data(tb[XFRMA_ENCAP]);
845  len = sizeof (struct xfrmnl_encap_tmpl);
846  if ((sa->encap = calloc (1, len)) == NULL)
847  {
848  err = -NLE_NOMEM;
849  goto errout;
850  }
851  sa->encap->encap_type = encap->encap_type;
852  sa->encap->encap_sport = ntohs(encap->encap_sport);
853  sa->encap->encap_dport = ntohs(encap->encap_dport);
854  if (sa_info->family == AF_INET)
855  sa->encap->encap_oa = nl_addr_build (sa_info->family, &encap->encap_oa.a4, sizeof (encap->encap_oa.a4));
856  else
857  sa->encap->encap_oa = nl_addr_build (sa_info->family, &encap->encap_oa.a6, sizeof (encap->encap_oa.a6));
858  sa->ce_mask |= XFRM_SA_ATTR_ENCAP;
859  }
860 
861  if (tb[XFRMA_TFCPAD]) {
862  sa->tfcpad = *(uint32_t*)nla_data(tb[XFRMA_TFCPAD]);
863  sa->ce_mask |= XFRM_SA_ATTR_TFCPAD;
864  }
865 
866  if (tb[XFRMA_COADDR]) {
867  if (sa_info->family == AF_INET)
868  {
869  sa->coaddr = nl_addr_build(sa_info->family, nla_data(tb[XFRMA_COADDR]),
870  sizeof (uint32_t));
871  }
872  else
873  {
874  sa->coaddr = nl_addr_build(sa_info->family, nla_data(tb[XFRMA_COADDR]),
875  sizeof (uint32_t) * 4);
876  }
877  sa->ce_mask |= XFRM_SA_ATTR_COADDR;
878  }
879 
880  if (tb[XFRMA_MARK]) {
881  struct xfrm_mark* m = nla_data(tb[XFRMA_MARK]);
882  sa->mark.m = m->m;
883  sa->mark.v = m->v;
884  sa->ce_mask |= XFRM_SA_ATTR_MARK;
885  }
886 
887  if (tb[XFRMA_SEC_CTX]) {
888  struct xfrm_user_sec_ctx* sec_ctx = nla_data(tb[XFRMA_SEC_CTX]);
889  len = sizeof (struct xfrmnl_user_sec_ctx) + sec_ctx->ctx_len;
890  if ((sa->sec_ctx = calloc (1, len)) == NULL)
891  {
892  err = -NLE_NOMEM;
893  goto errout;
894  }
895  memcpy (sa->sec_ctx, sec_ctx, len);
896  sa->ce_mask |= XFRM_SA_ATTR_SECCTX;
897  }
898 
899  if (tb[XFRMA_ETIMER_THRESH]) {
900  sa->replay_maxage = *(uint32_t*)nla_data(tb[XFRMA_ETIMER_THRESH]);
901  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXAGE;
902  }
903 
904  if (tb[XFRMA_REPLAY_THRESH]) {
905  sa->replay_maxdiff = *(uint32_t*)nla_data(tb[XFRMA_REPLAY_THRESH]);
906  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXDIFF;
907  }
908 
909  if (tb[XFRMA_REPLAY_ESN_VAL]) {
910  struct xfrm_replay_state_esn* esn = nla_data (tb[XFRMA_REPLAY_ESN_VAL]);
911  len = sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * esn->bmp_len);
912  if ((sa->replay_state_esn = calloc (1, len)) == NULL)
913  {
914  err = -NLE_NOMEM;
915  goto errout;
916  }
917  memcpy ((void *)sa->replay_state_esn, (void *)esn, len);
918  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
919  }
920  else if (tb[XFRMA_REPLAY_VAL])
921  {
922  struct xfrm_replay_state* replay_state = nla_data (tb[XFRMA_REPLAY_VAL]);
923  sa->replay_state.oseq = replay_state->oseq;
924  sa->replay_state.seq = replay_state->seq;
925  sa->replay_state.bitmap = replay_state->bitmap;
926  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
927  sa->replay_state_esn = NULL;
928  }
929 
930  if (tb[XFRMA_OFFLOAD_DEV]) {
931  struct xfrm_user_offload *offload;
932 
933  len = sizeof(struct xfrmnl_user_offload);
934 
935  if ((sa->user_offload = calloc(1, len)) == NULL) {
936  err = -NLE_NOMEM;
937  goto errout;
938  }
939 
940  offload = nla_data(tb[XFRMA_OFFLOAD_DEV]);
941  sa->user_offload->ifindex = offload->ifindex;
942  sa->user_offload->flags = offload->flags;
943  sa->ce_mask |= XFRM_SA_ATTR_OFFLOAD_DEV;
944  }
945 
946  *result = sa;
947  return 0;
948 
949 errout:
950  xfrmnl_sa_put(sa);
951  return err;
952 }
953 
954 static int xfrm_sa_update_cache (struct nl_cache *cache, struct nl_object *obj,
955  change_func_t change_cb, change_func_v2_t change_cb_v2,
956  void *data)
957 {
958  struct nl_object* old_sa;
959  struct xfrmnl_sa* sa = (struct xfrmnl_sa*)obj;
960 
961  if (nl_object_get_msgtype (obj) == XFRM_MSG_EXPIRE)
962  {
963  /* On hard expiry, the SA gets deleted too from the kernel state without any
964  * further delete event. On Expire message, we are only updating the cache with
965  * the SA object's new state. In absence of the explicit delete event, the cache will
966  * be out of sync with the kernel state. To get around this, expiry messages cache
967  * operations are handled here (installed with NL_ACT_UNSPEC action) instead of
968  * in Libnl Cache module. */
969 
970  /* Do we already have this object in the cache? */
971  old_sa = nl_cache_search(cache, obj);
972  if (old_sa)
973  {
974  /* Found corresponding SA object in cache. Delete it */
975  nl_cache_remove (old_sa);
976  }
977 
978  /* Handle the expiry event now */
979  if (sa->hard == 0)
980  {
981  /* Soft expiry event: Save the new object to the
982  * cache and notify application of the expiry event. */
983  nl_cache_move (cache, obj);
984 
985  if (old_sa == NULL)
986  {
987  /* Application CB present, no previous instance of SA object present.
988  * Notify application CB as a NEW event */
989  if (change_cb_v2)
990  change_cb_v2(cache, NULL, obj, 0, NL_ACT_NEW, data);
991  else if (change_cb)
992  change_cb(cache, obj, NL_ACT_NEW, data);
993  }
994  else if (old_sa)
995  {
996  uint64_t diff = 0;
997  if (change_cb || change_cb_v2)
998  diff = nl_object_diff64(old_sa, obj);
999 
1000  /* Application CB present, a previous instance of SA object present.
1001  * Notify application CB as a CHANGE1 event */
1002  if (diff) {
1003  if (change_cb_v2) {
1004  change_cb_v2(cache, old_sa, obj, diff, NL_ACT_CHANGE, data);
1005  } else if (change_cb)
1006  change_cb(cache, obj, NL_ACT_CHANGE, data);
1007  }
1008  nl_object_put (old_sa);
1009  }
1010  }
1011  else
1012  {
1013  /* Hard expiry event: Delete the object from the
1014  * cache and notify application of the expiry event. */
1015  if (change_cb_v2)
1016  change_cb_v2(cache, obj, NULL, 0, NL_ACT_DEL, data);
1017  else if (change_cb)
1018  change_cb (cache, obj, NL_ACT_DEL, data);
1019  nl_object_put (old_sa);
1020  }
1021 
1022  /* Done handling expire message */
1023  return 0;
1024  }
1025  else
1026  {
1027  /* All other messages other than Expire, let the standard Libnl cache
1028  * module handle it. */
1029  if (change_cb_v2)
1030  return nl_cache_include_v2(cache, obj, change_cb_v2, data);
1031  else
1032  return nl_cache_include (cache, obj, change_cb, data);
1033  }
1034 }
1035 
1036 static int xfrm_sa_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
1037  struct nlmsghdr *n, struct nl_parser_param *pp)
1038 {
1039  struct xfrmnl_sa* sa;
1040  int err;
1041 
1042  if ((err = xfrmnl_sa_parse(n, &sa)) < 0)
1043  return err;
1044 
1045  err = pp->pp_cb((struct nl_object *) sa, pp);
1046 
1047  xfrmnl_sa_put(sa);
1048  return err;
1049 }
1050 
1051 /**
1052  * @name XFRM SA Get
1053  * @{
1054  */
1055 
1056 int xfrmnl_sa_build_get_request(struct nl_addr* daddr, unsigned int spi, unsigned int protocol, unsigned int mark_v, unsigned int mark_m, struct nl_msg **result)
1057 {
1058  struct nl_msg *msg;
1059  struct xfrm_usersa_id sa_id;
1060  struct xfrm_mark mark;
1061 
1062  if (!daddr || !spi)
1063  {
1064  fprintf(stderr, "APPLICATION BUG: %s:%d:%s: A valid destination address, spi must be specified\n",
1065  __FILE__, __LINE__, __func__);
1066  assert(0);
1067  return -NLE_MISSING_ATTR;
1068  }
1069 
1070  memset(&sa_id, 0, sizeof(sa_id));
1071  memcpy (&sa_id.daddr, nl_addr_get_binary_addr (daddr), sizeof (uint8_t) * nl_addr_get_len (daddr));
1072  sa_id.family = nl_addr_get_family (daddr);
1073  sa_id.spi = htonl(spi);
1074  sa_id.proto = protocol;
1075 
1076  if (!(msg = nlmsg_alloc_simple(XFRM_MSG_GETSA, 0)))
1077  return -NLE_NOMEM;
1078 
1079  if (nlmsg_append(msg, &sa_id, sizeof(sa_id), NLMSG_ALIGNTO) < 0)
1080  goto nla_put_failure;
1081 
1082  if ((mark_m & mark_v) != 0)
1083  {
1084  memset(&mark, 0, sizeof(struct xfrm_mark));
1085  mark.m = mark_m;
1086  mark.v = mark_v;
1087 
1088  NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &mark);
1089  }
1090 
1091  *result = msg;
1092  return 0;
1093 
1094 nla_put_failure:
1095  nlmsg_free(msg);
1096  return -NLE_MSGSIZE;
1097 }
1098 
1099 int xfrmnl_sa_get_kernel(struct nl_sock* sock, struct nl_addr* daddr, unsigned int spi, unsigned int protocol, unsigned int mark_v, unsigned int mark_m, struct xfrmnl_sa** result)
1100 {
1101  struct nl_msg *msg = NULL;
1102  struct nl_object *obj;
1103  int err;
1104 
1105  if ((err = xfrmnl_sa_build_get_request(daddr, spi, protocol, mark_m, mark_v, &msg)) < 0)
1106  return err;
1107 
1108  err = nl_send_auto(sock, msg);
1109  nlmsg_free(msg);
1110  if (err < 0)
1111  return err;
1112 
1113  if ((err = nl_pickup(sock, &xfrm_sa_msg_parser, &obj)) < 0)
1114  return err;
1115 
1116  /* We have used xfrm_sa_msg_parser(), object is definitely a xfrm sa */
1117  *result = (struct xfrmnl_sa *) obj;
1118 
1119  /* If an object has been returned, we also need to wait for the ACK */
1120  if (err == 0 && obj)
1121  nl_wait_for_ack(sock);
1122 
1123  return 0;
1124 }
1125 
1126 /** @} */
1127 
1128 static int build_xfrm_sa_message(struct xfrmnl_sa *tmpl, int cmd, int flags, struct nl_msg **result)
1129 {
1130  struct nl_msg* msg;
1131  struct xfrm_usersa_info sa_info;
1132  uint32_t len;
1133  struct nl_addr* addr;
1134 
1135  if (!(tmpl->ce_mask & XFRM_SA_ATTR_DADDR) ||
1136  !(tmpl->ce_mask & XFRM_SA_ATTR_SPI) ||
1137  !(tmpl->ce_mask & XFRM_SA_ATTR_PROTO))
1138  return -NLE_MISSING_ATTR;
1139 
1140  memset ((void*)&sa_info, 0, sizeof (sa_info));
1141  if (tmpl->ce_mask & XFRM_SA_ATTR_SEL)
1142  {
1143  addr = xfrmnl_sel_get_daddr (tmpl->sel);
1144  memcpy ((void*)&sa_info.sel.daddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
1145  addr = xfrmnl_sel_get_saddr (tmpl->sel);
1146  memcpy ((void*)&sa_info.sel.saddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
1147  sa_info.sel.dport = htons (xfrmnl_sel_get_dport (tmpl->sel));
1148  sa_info.sel.dport_mask = htons (xfrmnl_sel_get_dportmask (tmpl->sel));
1149  sa_info.sel.sport = htons (xfrmnl_sel_get_sport (tmpl->sel));
1150  sa_info.sel.sport_mask = htons (xfrmnl_sel_get_sportmask (tmpl->sel));
1151  sa_info.sel.family = xfrmnl_sel_get_family (tmpl->sel);
1152  sa_info.sel.prefixlen_d = xfrmnl_sel_get_prefixlen_d (tmpl->sel);
1153  sa_info.sel.prefixlen_s = xfrmnl_sel_get_prefixlen_s (tmpl->sel);
1154  sa_info.sel.proto = xfrmnl_sel_get_proto (tmpl->sel);
1155  sa_info.sel.ifindex = xfrmnl_sel_get_ifindex (tmpl->sel);
1156  sa_info.sel.user = xfrmnl_sel_get_userid (tmpl->sel);
1157  }
1158 
1159  memcpy (&sa_info.id.daddr, nl_addr_get_binary_addr (tmpl->id.daddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->id.daddr));
1160  sa_info.id.spi = htonl(tmpl->id.spi);
1161  sa_info.id.proto = tmpl->id.proto;
1162 
1163  if (tmpl->ce_mask & XFRM_SA_ATTR_SADDR)
1164  memcpy (&sa_info.saddr, nl_addr_get_binary_addr (tmpl->saddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->saddr));
1165 
1166  if (tmpl->ce_mask & XFRM_SA_ATTR_LTIME_CFG)
1167  {
1168  sa_info.lft.soft_byte_limit = xfrmnl_ltime_cfg_get_soft_bytelimit (tmpl->lft);
1169  sa_info.lft.hard_byte_limit = xfrmnl_ltime_cfg_get_hard_bytelimit (tmpl->lft);
1170  sa_info.lft.soft_packet_limit = xfrmnl_ltime_cfg_get_soft_packetlimit (tmpl->lft);
1171  sa_info.lft.hard_packet_limit = xfrmnl_ltime_cfg_get_hard_packetlimit (tmpl->lft);
1172  sa_info.lft.soft_add_expires_seconds = xfrmnl_ltime_cfg_get_soft_addexpires (tmpl->lft);
1173  sa_info.lft.hard_add_expires_seconds = xfrmnl_ltime_cfg_get_hard_addexpires (tmpl->lft);
1174  sa_info.lft.soft_use_expires_seconds = xfrmnl_ltime_cfg_get_soft_useexpires (tmpl->lft);
1175  sa_info.lft.hard_use_expires_seconds = xfrmnl_ltime_cfg_get_hard_useexpires (tmpl->lft);
1176  }
1177 
1178  //Skip current lifetime: cur lifetime can be updated only via AE
1179  //Skip stats: stats cant be updated
1180  //Skip seq: seq cant be updated
1181 
1182  if (tmpl->ce_mask & XFRM_SA_ATTR_REQID)
1183  sa_info.reqid = tmpl->reqid;
1184 
1185  if (tmpl->ce_mask & XFRM_SA_ATTR_FAMILY)
1186  sa_info.family = tmpl->family;
1187 
1188  if (tmpl->ce_mask & XFRM_SA_ATTR_MODE)
1189  sa_info.mode = tmpl->mode;
1190 
1191  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_WIN)
1192  sa_info.replay_window = tmpl->replay_window;
1193 
1194  if (tmpl->ce_mask & XFRM_SA_ATTR_FLAGS)
1195  sa_info.flags = tmpl->flags;
1196 
1197  msg = nlmsg_alloc_simple(cmd, flags);
1198  if (!msg)
1199  return -NLE_NOMEM;
1200 
1201  if (nlmsg_append(msg, &sa_info, sizeof(sa_info), NLMSG_ALIGNTO) < 0)
1202  goto nla_put_failure;
1203 
1204  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_AEAD) {
1205  len = sizeof (struct xfrm_algo_aead) + ((tmpl->aead->alg_key_len + 7) / 8);
1206  NLA_PUT (msg, XFRMA_ALG_AEAD, len, tmpl->aead);
1207  }
1208 
1209  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_AUTH) {
1210  /* kernel prefers XFRMA_ALG_AUTH_TRUNC over XFRMA_ALG_AUTH, so only
1211  * one of the attributes needs to be present */
1212  if (tmpl->auth->alg_trunc_len) {
1213  len = sizeof (struct xfrm_algo_auth) + ((tmpl->auth->alg_key_len + 7) / 8);
1214  NLA_PUT (msg, XFRMA_ALG_AUTH_TRUNC, len, tmpl->auth);
1215  } else {
1216  struct xfrm_algo *auth;
1217 
1218  len = sizeof (struct xfrm_algo) + ((tmpl->auth->alg_key_len + 7) / 8);
1219  auth = malloc(len);
1220  if (!auth) {
1221  nlmsg_free(msg);
1222  return -NLE_NOMEM;
1223  }
1224 
1225  _nl_strncpy_assert(auth->alg_name, tmpl->auth->alg_name, sizeof(auth->alg_name));
1226  auth->alg_key_len = tmpl->auth->alg_key_len;
1227  memcpy(auth->alg_key, tmpl->auth->alg_key, (tmpl->auth->alg_key_len + 7) / 8);
1228  if (nla_put(msg, XFRMA_ALG_AUTH, len, auth) < 0) {
1229  free(auth);
1230  goto nla_put_failure;
1231  }
1232  free(auth);
1233  }
1234  }
1235 
1236  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_CRYPT) {
1237  len = sizeof (struct xfrm_algo) + ((tmpl->crypt->alg_key_len + 7) / 8);
1238  NLA_PUT (msg, XFRMA_ALG_CRYPT, len, tmpl->crypt);
1239  }
1240 
1241  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_COMP) {
1242  len = sizeof (struct xfrm_algo) + ((tmpl->comp->alg_key_len + 7) / 8);
1243  NLA_PUT (msg, XFRMA_ALG_COMP, len, tmpl->comp);
1244  }
1245 
1246  if (tmpl->ce_mask & XFRM_SA_ATTR_ENCAP) {
1247  struct xfrm_encap_tmpl* encap_tmpl;
1248  struct nlattr* encap_attr;
1249 
1250  len = sizeof (struct xfrm_encap_tmpl);
1251  encap_attr = nla_reserve(msg, XFRMA_ENCAP, len);
1252  if (!encap_attr)
1253  goto nla_put_failure;
1254  encap_tmpl = nla_data (encap_attr);
1255  encap_tmpl->encap_type = tmpl->encap->encap_type;
1256  encap_tmpl->encap_sport = htons (tmpl->encap->encap_sport);
1257  encap_tmpl->encap_dport = htons (tmpl->encap->encap_dport);
1258  memcpy (&encap_tmpl->encap_oa, nl_addr_get_binary_addr (tmpl->encap->encap_oa), sizeof (uint8_t) * nl_addr_get_len (tmpl->encap->encap_oa));
1259  }
1260 
1261  if (tmpl->ce_mask & XFRM_SA_ATTR_TFCPAD) {
1262  NLA_PUT_U32 (msg, XFRMA_TFCPAD, tmpl->tfcpad);
1263  }
1264 
1265  if (tmpl->ce_mask & XFRM_SA_ATTR_COADDR) {
1266  NLA_PUT (msg, XFRMA_COADDR, sizeof (xfrm_address_t), tmpl->coaddr);
1267  }
1268 
1269  if (tmpl->ce_mask & XFRM_SA_ATTR_MARK) {
1270  NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
1271  }
1272 
1273  if (tmpl->ce_mask & XFRM_SA_ATTR_SECCTX) {
1274  len = sizeof (struct xfrm_sec_ctx) + tmpl->sec_ctx->ctx_len;
1275  NLA_PUT (msg, XFRMA_SEC_CTX, len, tmpl->sec_ctx);
1276  }
1277 
1278  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_MAXAGE) {
1279  NLA_PUT_U32 (msg, XFRMA_ETIMER_THRESH, tmpl->replay_maxage);
1280  }
1281 
1282  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_MAXDIFF) {
1283  NLA_PUT_U32 (msg, XFRMA_REPLAY_THRESH, tmpl->replay_maxdiff);
1284  }
1285 
1286  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_STATE) {
1287  if (tmpl->replay_state_esn) {
1288  len = sizeof (struct xfrm_replay_state_esn) + (sizeof (uint32_t) * tmpl->replay_state_esn->bmp_len);
1289  NLA_PUT (msg, XFRMA_REPLAY_ESN_VAL, len, tmpl->replay_state_esn);
1290  }
1291  else {
1292  NLA_PUT (msg, XFRMA_REPLAY_VAL, sizeof (struct xfrm_replay_state), &tmpl->replay_state);
1293  }
1294  }
1295 
1296  if (tmpl->ce_mask & XFRM_SA_ATTR_OFFLOAD_DEV) {
1297  struct xfrm_user_offload *offload;
1298  struct nlattr *attr;
1299 
1300  len = sizeof(struct xfrm_user_offload);
1301  attr = nla_reserve(msg, XFRMA_OFFLOAD_DEV, len);
1302 
1303  if (!attr)
1304  goto nla_put_failure;
1305 
1306  offload = nla_data(attr);
1307  offload->ifindex = tmpl->user_offload->ifindex;
1308  offload->flags = tmpl->user_offload->flags;
1309  }
1310 
1311  *result = msg;
1312  return 0;
1313 
1314 nla_put_failure:
1315  nlmsg_free(msg);
1316  return -NLE_MSGSIZE;
1317 }
1318 
1319 /**
1320  * @name XFRM SA Add
1321  * @{
1322  */
1323 
1324 int xfrmnl_sa_build_add_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1325 {
1326  return build_xfrm_sa_message (tmpl, XFRM_MSG_NEWSA, flags, result);
1327 }
1328 
1329 int xfrmnl_sa_add(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1330 {
1331  int err;
1332  struct nl_msg *msg;
1333 
1334  if ((err = xfrmnl_sa_build_add_request(tmpl, flags, &msg)) < 0)
1335  return err;
1336 
1337  err = nl_send_auto_complete(sk, msg);
1338  nlmsg_free(msg);
1339  if (err < 0)
1340  return err;
1341 
1342  return nl_wait_for_ack(sk);
1343 }
1344 
1345 /**
1346  * @name XFRM SA Update
1347  * @{
1348  */
1349 
1350 int xfrmnl_sa_build_update_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1351 {
1352  return build_xfrm_sa_message (tmpl, XFRM_MSG_UPDSA, flags, result);
1353 }
1354 
1355 int xfrmnl_sa_update(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1356 {
1357  int err;
1358  struct nl_msg *msg;
1359 
1360  if ((err = xfrmnl_sa_build_update_request(tmpl, flags, &msg)) < 0)
1361  return err;
1362 
1363  err = nl_send_auto_complete(sk, msg);
1364  nlmsg_free(msg);
1365  if (err < 0)
1366  return err;
1367 
1368  return nl_wait_for_ack(sk);
1369 }
1370 
1371 /** @} */
1372 
1373 static int build_xfrm_sa_delete_message(struct xfrmnl_sa *tmpl, int cmd, int flags, struct nl_msg **result)
1374 {
1375  struct nl_msg* msg;
1376  struct xfrm_usersa_id sa_id;
1377 
1378  if (!(tmpl->ce_mask & XFRM_SA_ATTR_DADDR) ||
1379  !(tmpl->ce_mask & XFRM_SA_ATTR_SPI) ||
1380  !(tmpl->ce_mask & XFRM_SA_ATTR_PROTO))
1381  return -NLE_MISSING_ATTR;
1382 
1383  memset(&sa_id, 0, sizeof(struct xfrm_usersa_id));
1384  memcpy (&sa_id.daddr, nl_addr_get_binary_addr (tmpl->id.daddr),
1385  sizeof (uint8_t) * nl_addr_get_len (tmpl->id.daddr));
1386  sa_id.family = nl_addr_get_family (tmpl->id.daddr);
1387  sa_id.spi = htonl(tmpl->id.spi);
1388  sa_id.proto = tmpl->id.proto;
1389 
1390  msg = nlmsg_alloc_simple(cmd, flags);
1391  if (!msg)
1392  return -NLE_NOMEM;
1393 
1394  if (nlmsg_append(msg, &sa_id, sizeof(sa_id), NLMSG_ALIGNTO) < 0)
1395  goto nla_put_failure;
1396 
1397  if (tmpl->ce_mask & XFRM_SA_ATTR_MARK) {
1398  NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
1399  }
1400 
1401  *result = msg;
1402  return 0;
1403 
1404 nla_put_failure:
1405  nlmsg_free(msg);
1406  return -NLE_MSGSIZE;
1407 }
1408 
1409 /**
1410  * @name XFRM SA Delete
1411  * @{
1412  */
1413 
1414 int xfrmnl_sa_build_delete_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1415 {
1416  return build_xfrm_sa_delete_message (tmpl, XFRM_MSG_DELSA, flags, result);
1417 }
1418 
1419 int xfrmnl_sa_delete(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1420 {
1421  int err;
1422  struct nl_msg *msg;
1423 
1424  if ((err = xfrmnl_sa_build_delete_request(tmpl, flags, &msg)) < 0)
1425  return err;
1426 
1427  err = nl_send_auto_complete(sk, msg);
1428  nlmsg_free(msg);
1429  if (err < 0)
1430  return err;
1431 
1432  return nl_wait_for_ack(sk);
1433 }
1434 
1435 /** @} */
1436 
1437 
1438 /**
1439  * @name Attributes
1440  * @{
1441  */
1442 
1443 struct xfrmnl_sel* xfrmnl_sa_get_sel (struct xfrmnl_sa* sa)
1444 {
1445  if (sa->ce_mask & XFRM_SA_ATTR_SEL)
1446  return sa->sel;
1447  else
1448  return NULL;
1449 }
1450 
1451 int xfrmnl_sa_set_sel (struct xfrmnl_sa* sa, struct xfrmnl_sel* sel)
1452 {
1453  /* Release any previously held selector object from the SA */
1454  if (sa->sel)
1455  xfrmnl_sel_put (sa->sel);
1456 
1457  /* Increment ref count on new selector and save it in the SA */
1458  xfrmnl_sel_get (sel);
1459  sa->sel = sel;
1460  sa->ce_mask |= XFRM_SA_ATTR_SEL;
1461 
1462  return 0;
1463 }
1464 
1465 static inline int __assign_addr(struct xfrmnl_sa* sa, struct nl_addr **pos,
1466  struct nl_addr *new, int flag, int nocheck)
1467 {
1468  if (!nocheck)
1469  {
1470  if (sa->ce_mask & XFRM_SA_ATTR_FAMILY)
1471  {
1472  if (nl_addr_get_family (new) != sa->family)
1473  return -NLE_AF_MISMATCH;
1474  }
1475  }
1476 
1477  if (*pos)
1478  nl_addr_put(*pos);
1479 
1480  nl_addr_get(new);
1481  *pos = new;
1482 
1483  sa->ce_mask |= flag;
1484 
1485  return 0;
1486 }
1487 
1488 
1489 struct nl_addr* xfrmnl_sa_get_daddr (struct xfrmnl_sa* sa)
1490 {
1491  if (sa->ce_mask & XFRM_SA_ATTR_DADDR)
1492  return sa->id.daddr;
1493  else
1494  return NULL;
1495 }
1496 
1497 int xfrmnl_sa_set_daddr (struct xfrmnl_sa* sa, struct nl_addr* addr)
1498 {
1499  return __assign_addr(sa, &sa->id.daddr, addr, XFRM_SA_ATTR_DADDR, 0);
1500 }
1501 
1502 int xfrmnl_sa_get_spi (struct xfrmnl_sa* sa)
1503 {
1504  if (sa->ce_mask & XFRM_SA_ATTR_SPI)
1505  return sa->id.spi;
1506  else
1507  return -1;
1508 }
1509 
1510 int xfrmnl_sa_set_spi (struct xfrmnl_sa* sa, unsigned int spi)
1511 {
1512  sa->id.spi = spi;
1513  sa->ce_mask |= XFRM_SA_ATTR_SPI;
1514 
1515  return 0;
1516 }
1517 
1518 int xfrmnl_sa_get_proto (struct xfrmnl_sa* sa)
1519 {
1520  if (sa->ce_mask & XFRM_SA_ATTR_PROTO)
1521  return sa->id.proto;
1522  else
1523  return -1;
1524 }
1525 
1526 int xfrmnl_sa_set_proto (struct xfrmnl_sa* sa, unsigned int protocol)
1527 {
1528  sa->id.proto = protocol;
1529  sa->ce_mask |= XFRM_SA_ATTR_PROTO;
1530 
1531  return 0;
1532 }
1533 
1534 struct nl_addr* xfrmnl_sa_get_saddr (struct xfrmnl_sa* sa)
1535 {
1536  if (sa->ce_mask & XFRM_SA_ATTR_SADDR)
1537  return sa->saddr;
1538  else
1539  return NULL;
1540 }
1541 
1542 int xfrmnl_sa_set_saddr (struct xfrmnl_sa* sa, struct nl_addr* addr)
1543 {
1544  return __assign_addr(sa, &sa->saddr, addr, XFRM_SA_ATTR_SADDR, 1);
1545 }
1546 
1547 struct xfrmnl_ltime_cfg* xfrmnl_sa_get_lifetime_cfg (struct xfrmnl_sa* sa)
1548 {
1549  if (sa->ce_mask & XFRM_SA_ATTR_LTIME_CFG)
1550  return sa->lft;
1551  else
1552  return NULL;
1553 }
1554 
1555 int xfrmnl_sa_set_lifetime_cfg (struct xfrmnl_sa* sa, struct xfrmnl_ltime_cfg* ltime)
1556 {
1557  /* Release any previously held lifetime cfg object from the SA */
1558  if (sa->lft)
1559  xfrmnl_ltime_cfg_put (sa->lft);
1560 
1561  /* Increment ref count on new lifetime object and save it in the SA */
1562  xfrmnl_ltime_cfg_get (ltime);
1563  sa->lft = ltime;
1564  sa->ce_mask |= XFRM_SA_ATTR_LTIME_CFG;
1565 
1566  return 0;
1567 }
1568 
1569 int xfrmnl_sa_get_curlifetime (struct xfrmnl_sa* sa, unsigned long long int* curr_bytes,
1570  unsigned long long int* curr_packets, unsigned long long int* curr_add_time, unsigned long long int* curr_use_time)
1571 {
1572  if (sa == NULL || curr_bytes == NULL || curr_packets == NULL || curr_add_time == NULL || curr_use_time == NULL)
1573  return -1;
1574 
1575  if (sa->ce_mask & XFRM_SA_ATTR_LTIME_CUR)
1576  {
1577  *curr_bytes = sa->curlft.bytes;
1578  *curr_packets = sa->curlft.packets;
1579  *curr_add_time = sa->curlft.add_time;
1580  *curr_use_time = sa->curlft.use_time;
1581  }
1582  else
1583  return -1;
1584 
1585  return 0;
1586 }
1587 
1588 int xfrmnl_sa_get_stats (struct xfrmnl_sa* sa, unsigned long long int* replay_window,
1589  unsigned long long int* replay, unsigned long long int* integrity_failed)
1590 {
1591  if (sa == NULL || replay_window == NULL || replay == NULL || integrity_failed == NULL)
1592  return -1;
1593 
1594  if (sa->ce_mask & XFRM_SA_ATTR_STATS)
1595  {
1596  *replay_window = sa->stats.replay_window;
1597  *replay = sa->stats.replay;
1598  *integrity_failed = sa->stats.integrity_failed;
1599  }
1600  else
1601  return -1;
1602 
1603  return 0;
1604 }
1605 
1606 int xfrmnl_sa_get_seq (struct xfrmnl_sa* sa)
1607 {
1608  if (sa->ce_mask & XFRM_SA_ATTR_SEQ)
1609  return sa->seq;
1610  else
1611  return -1;
1612 }
1613 
1614 int xfrmnl_sa_get_reqid (struct xfrmnl_sa* sa)
1615 {
1616  if (sa->ce_mask & XFRM_SA_ATTR_REQID)
1617  return sa->reqid;
1618  else
1619  return -1;
1620 }
1621 
1622 int xfrmnl_sa_set_reqid (struct xfrmnl_sa* sa, unsigned int reqid)
1623 {
1624  sa->reqid = reqid;
1625  sa->ce_mask |= XFRM_SA_ATTR_REQID;
1626 
1627  return 0;
1628 }
1629 
1630 int xfrmnl_sa_get_family (struct xfrmnl_sa* sa)
1631 {
1632  if (sa->ce_mask & XFRM_SA_ATTR_FAMILY)
1633  return sa->family;
1634  else
1635  return -1;
1636 }
1637 
1638 int xfrmnl_sa_set_family (struct xfrmnl_sa* sa, unsigned int family)
1639 {
1640  sa->family = family;
1641  sa->ce_mask |= XFRM_SA_ATTR_FAMILY;
1642 
1643  return 0;
1644 }
1645 
1646 int xfrmnl_sa_get_mode (struct xfrmnl_sa* sa)
1647 {
1648  if (sa->ce_mask & XFRM_SA_ATTR_MODE)
1649  return sa->mode;
1650  else
1651  return -1;
1652 }
1653 
1654 int xfrmnl_sa_set_mode (struct xfrmnl_sa* sa, unsigned int mode)
1655 {
1656  sa->mode = mode;
1657  sa->ce_mask |= XFRM_SA_ATTR_MODE;
1658 
1659  return 0;
1660 }
1661 
1662 int xfrmnl_sa_get_replay_window (struct xfrmnl_sa* sa)
1663 {
1664  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_WIN)
1665  return sa->replay_window;
1666  else
1667  return -1;
1668 }
1669 
1670 int xfrmnl_sa_set_replay_window (struct xfrmnl_sa* sa, unsigned int replay_window)
1671 {
1672  sa->replay_window = replay_window;
1673  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_WIN;
1674 
1675  return 0;
1676 }
1677 
1678 int xfrmnl_sa_get_flags (struct xfrmnl_sa* sa)
1679 {
1680  if (sa->ce_mask & XFRM_SA_ATTR_FLAGS)
1681  return sa->flags;
1682  else
1683  return -1;
1684 }
1685 
1686 int xfrmnl_sa_set_flags (struct xfrmnl_sa* sa, unsigned int flags)
1687 {
1688  sa->flags = flags;
1689  sa->ce_mask |= XFRM_SA_ATTR_FLAGS;
1690 
1691  return 0;
1692 }
1693 
1694 /**
1695  * Get the aead-params
1696  * @arg sa the xfrmnl_sa object
1697  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1698  * @arg key_len an optional output value for the key length in bits.
1699  * @arg icv_len an optional output value for the alt-icv-len.
1700  * @arg key an optional buffer large enough for the key. It must contain at least
1701  * ((@key_len + 7) / 8) bytes.
1702  *
1703  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1704  * call xfrmnl_sa_get_aead_params() without @key argument to query only the required buffer size.
1705  * This modified API is available in all versions of libnl3 that support the capability
1706  * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1707  *
1708  * @return 0 on success or a negative error code.
1709  */
1710 int xfrmnl_sa_get_aead_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, unsigned int* icv_len, char* key)
1711 {
1712  if (sa->ce_mask & XFRM_SA_ATTR_ALG_AEAD)
1713  {
1714  if (alg_name)
1715  strcpy (alg_name, sa->aead->alg_name);
1716  if (key_len)
1717  *key_len = sa->aead->alg_key_len;
1718  if (icv_len)
1719  *icv_len = sa->aead->alg_icv_len;
1720  if (key)
1721  memcpy (key, sa->aead->alg_key, ((sa->aead->alg_key_len + 7)/8));
1722  }
1723  else
1724  return -1;
1725 
1726  return 0;
1727 }
1728 
1729 int xfrmnl_sa_set_aead_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, unsigned int icv_len, const char* key)
1730 {
1731  _nl_auto_free struct xfrmnl_algo_aead *b = NULL;
1732  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1733  uint32_t newlen = sizeof (struct xfrmnl_algo_aead) + keysize;
1734 
1735  /* Free up the old key and allocate memory to hold new key */
1736  if (strlen (alg_name) >= sizeof (sa->aead->alg_name))
1737  return -1;
1738  if (!(b = calloc (1, newlen)))
1739  return -1;
1740 
1741  strcpy (b->alg_name, alg_name);
1742  b->alg_key_len = key_len;
1743  b->alg_icv_len = icv_len;
1744  memcpy (b->alg_key, key, keysize);
1745 
1746  free (sa->aead);
1747  sa->aead = _nl_steal_pointer (&b);
1748  sa->ce_mask |= XFRM_SA_ATTR_ALG_AEAD;
1749  return 0;
1750 }
1751 
1752 /**
1753  * Get the auth-params
1754  * @arg sa the xfrmnl_sa object
1755  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1756  * @arg key_len an optional output value for the key length in bits.
1757  * @arg trunc_len an optional output value for the alg-trunc-len.
1758  * @arg key an optional buffer large enough for the key. It must contain at least
1759  * ((@key_len + 7) / 8) bytes.
1760  *
1761  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1762  * call xfrmnl_sa_get_auth_params() without @key argument to query only the required buffer size.
1763  * This modified API is available in all versions of libnl3 that support the capability
1764  * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1765  *
1766  * @return 0 on success or a negative error code.
1767  */
1768 int xfrmnl_sa_get_auth_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, unsigned int* trunc_len, char* key)
1769 {
1770  if (sa->ce_mask & XFRM_SA_ATTR_ALG_AUTH)
1771  {
1772  if (alg_name)
1773  strcpy (alg_name, sa->auth->alg_name);
1774  if (key_len)
1775  *key_len = sa->auth->alg_key_len;
1776  if (trunc_len)
1777  *trunc_len = sa->auth->alg_trunc_len;
1778  if (key)
1779  memcpy (key, sa->auth->alg_key, (sa->auth->alg_key_len + 7)/8);
1780  }
1781  else
1782  return -1;
1783 
1784  return 0;
1785 }
1786 
1787 int xfrmnl_sa_set_auth_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, unsigned int trunc_len, const char* key)
1788 {
1789  _nl_auto_free struct xfrmnl_algo_auth *b = NULL;
1790  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1791  uint32_t newlen = sizeof (struct xfrmnl_algo_auth) + keysize;
1792 
1793  if (strlen (alg_name) >= sizeof (sa->auth->alg_name))
1794  return -1;
1795  if (!(b = calloc (1, newlen)))
1796  return -1;
1797 
1798  strcpy (b->alg_name, alg_name);
1799  b->alg_key_len = key_len;
1800  b->alg_trunc_len = trunc_len;
1801  memcpy (b->alg_key, key, keysize);
1802 
1803  free (sa->auth);
1804  sa->auth = _nl_steal_pointer (&b);
1805  sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
1806  return 0;
1807 }
1808 
1809 /**
1810  * Get the crypto-params
1811  * @arg sa the xfrmnl_sa object
1812  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1813  * @arg key_len an optional output value for the key length in bits.
1814  * @arg key an optional buffer large enough for the key. It must contain at least
1815  * ((@key_len + 7) / 8) bytes.
1816  *
1817  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1818  * call xfrmnl_sa_get_crypto_params() without @key argument to query only the required buffer size.
1819  * This modified API is available in all versions of libnl3 that support the capability
1820  * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1821  *
1822  * @return 0 on success or a negative error code.
1823  */
1824 int xfrmnl_sa_get_crypto_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, char* key)
1825 {
1826  if (sa->ce_mask & XFRM_SA_ATTR_ALG_CRYPT)
1827  {
1828  if (alg_name)
1829  strcpy (alg_name, sa->crypt->alg_name);
1830  if (key_len)
1831  *key_len = sa->crypt->alg_key_len;
1832  if (key)
1833  memcpy (key, sa->crypt->alg_key, ((sa->crypt->alg_key_len + 7)/8));
1834  }
1835  else
1836  return -1;
1837 
1838  return 0;
1839 }
1840 
1841 int xfrmnl_sa_set_crypto_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, const char* key)
1842 {
1843  _nl_auto_free struct xfrmnl_algo *b = NULL;
1844  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1845  uint32_t newlen = sizeof (struct xfrmnl_algo) + keysize;
1846 
1847  if (strlen (alg_name) >= sizeof (sa->crypt->alg_name))
1848  return -1;
1849  if (!(b = calloc (1, newlen)))
1850  return -1;
1851 
1852  strcpy (b->alg_name, alg_name);
1853  b->alg_key_len = key_len;
1854  memcpy (b->alg_key, key, keysize);
1855 
1856  free(sa->crypt);
1857  sa->crypt = _nl_steal_pointer(&b);
1858  sa->ce_mask |= XFRM_SA_ATTR_ALG_CRYPT;
1859  return 0;
1860 }
1861 
1862 /**
1863  * Get the comp-params
1864  * @arg sa the xfrmnl_sa object
1865  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1866  * @arg key_len an optional output value for the key length in bits.
1867  * @arg key an optional buffer large enough for the key. It must contain at least
1868  * ((@key_len + 7) / 8) bytes.
1869  *
1870  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1871  * call xfrmnl_sa_get_comp_params() without @key argument to query only the required buffer size.
1872  * This modified API is available in all versions of libnl3 that support the capability
1873  * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1874  *
1875  * @return 0 on success or a negative error code.
1876  */
1877 int xfrmnl_sa_get_comp_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, char* key)
1878 {
1879  if (sa->ce_mask & XFRM_SA_ATTR_ALG_COMP)
1880  {
1881  if (alg_name)
1882  strcpy (alg_name, sa->comp->alg_name);
1883  if (key_len)
1884  *key_len = sa->comp->alg_key_len;
1885  if (key)
1886  memcpy (key, sa->comp->alg_key, ((sa->comp->alg_key_len + 7)/8));
1887  }
1888  else
1889  return -1;
1890 
1891  return 0;
1892 }
1893 
1894 int xfrmnl_sa_set_comp_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, const char* key)
1895 {
1896  _nl_auto_free struct xfrmnl_algo *b = NULL;
1897  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1898  uint32_t newlen = sizeof (struct xfrmnl_algo) + keysize;
1899 
1900  if (strlen (alg_name) >= sizeof (sa->comp->alg_name))
1901  return -1;
1902  if (!(b = calloc (1, newlen)))
1903  return -1;
1904 
1905  strcpy (b->alg_name, alg_name);
1906  b->alg_key_len = key_len;
1907  memcpy (b->alg_key, key, keysize);
1908 
1909  free(sa->comp);
1910  sa->comp = _nl_steal_pointer(&b);
1911  sa->ce_mask |= XFRM_SA_ATTR_ALG_COMP;
1912  return 0;
1913 }
1914 
1915 int xfrmnl_sa_get_encap_tmpl (struct xfrmnl_sa* sa, unsigned int* encap_type, unsigned int* encap_sport, unsigned int* encap_dport, struct nl_addr** encap_oa)
1916 {
1917  if (sa->ce_mask & XFRM_SA_ATTR_ENCAP)
1918  {
1919  *encap_type = sa->encap->encap_type;
1920  *encap_sport = sa->encap->encap_sport;
1921  *encap_dport = sa->encap->encap_dport;
1922  *encap_oa = nl_addr_clone (sa->encap->encap_oa);
1923  }
1924  else
1925  return -1;
1926 
1927  return 0;
1928 }
1929 
1930 int xfrmnl_sa_set_encap_tmpl (struct xfrmnl_sa* sa, unsigned int encap_type, unsigned int encap_sport, unsigned int encap_dport, struct nl_addr* encap_oa)
1931 {
1932  if (sa->encap) {
1933  /* Free up the old encap OA */
1934  if (sa->encap->encap_oa)
1935  nl_addr_put(sa->encap->encap_oa);
1936  memset(sa->encap, 0, sizeof (*sa->encap));
1937  } else if ((sa->encap = calloc(1, sizeof(*sa->encap))) == NULL)
1938  return -1;
1939 
1940  /* Save the new info */
1941  sa->encap->encap_type = encap_type;
1942  sa->encap->encap_sport = encap_sport;
1943  sa->encap->encap_dport = encap_dport;
1944  nl_addr_get (encap_oa);
1945  sa->encap->encap_oa = encap_oa;
1946 
1947  sa->ce_mask |= XFRM_SA_ATTR_ENCAP;
1948 
1949  return 0;
1950 }
1951 
1952 int xfrmnl_sa_get_tfcpad (struct xfrmnl_sa* sa)
1953 {
1954  if (sa->ce_mask & XFRM_SA_ATTR_TFCPAD)
1955  return sa->tfcpad;
1956  else
1957  return -1;
1958 }
1959 
1960 int xfrmnl_sa_set_tfcpad (struct xfrmnl_sa* sa, unsigned int tfcpad)
1961 {
1962  sa->tfcpad = tfcpad;
1963  sa->ce_mask |= XFRM_SA_ATTR_TFCPAD;
1964 
1965  return 0;
1966 }
1967 
1968 struct nl_addr* xfrmnl_sa_get_coaddr (struct xfrmnl_sa* sa)
1969 {
1970  if (sa->ce_mask & XFRM_SA_ATTR_COADDR)
1971  return sa->coaddr;
1972  else
1973  return NULL;
1974 }
1975 
1976 int xfrmnl_sa_set_coaddr (struct xfrmnl_sa* sa, struct nl_addr* coaddr)
1977 {
1978  /* Free up the old coaddr */
1979  if (sa->coaddr)
1980  nl_addr_put (sa->coaddr);
1981 
1982  /* Save the new info */
1983  nl_addr_get (coaddr);
1984  sa->coaddr = coaddr;
1985 
1986  sa->ce_mask |= XFRM_SA_ATTR_COADDR;
1987 
1988  return 0;
1989 }
1990 
1991 int xfrmnl_sa_get_mark (struct xfrmnl_sa* sa, unsigned int* mark_mask, unsigned int* mark_value)
1992 {
1993  if (mark_mask == NULL || mark_value == NULL)
1994  return -1;
1995 
1996  if (sa->ce_mask & XFRM_SA_ATTR_MARK)
1997  {
1998  *mark_mask = sa->mark.m;
1999  *mark_value = sa->mark.v;
2000 
2001  return 0;
2002  }
2003  else
2004  return -1;
2005 }
2006 
2007 int xfrmnl_sa_set_mark (struct xfrmnl_sa* sa, unsigned int value, unsigned int mask)
2008 {
2009  sa->mark.v = value;
2010  sa->mark.m = mask;
2011  sa->ce_mask |= XFRM_SA_ATTR_MARK;
2012 
2013  return 0;
2014 }
2015 
2016 /**
2017  * Get the security context.
2018  *
2019  * @arg sa The xfrmnl_sa object.
2020  * @arg doi An optional output value for the security context domain of interpretation.
2021  * @arg alg An optional output value for the security context algorithm.
2022  * @arg len An optional output value for the security context length, including the
2023  * terminating null byte ('\0').
2024  * @arg sid Unused parameter.
2025  * @arg ctx_str An optional buffer large enough for the security context string. It must
2026  * contain at least @len bytes.
2027  *
2028  * Warning: you must ensure that @ctx_str is large enough. If you don't know the length before-hand,
2029  * call xfrmnl_sa_get_sec_ctx() without @ctx_str argument to query only the required buffer size.
2030  * This modified API is available in all versions of libnl3 that support the capability
2031  * @def NL_CAPABILITY_XFRM_SEC_CTX_LEN (@see nl_has_capability for further information).
2032  *
2033  * @return 0 on success or a negative error code.
2034  */
2035 int xfrmnl_sa_get_sec_ctx (struct xfrmnl_sa* sa, unsigned int* doi, unsigned int* alg,
2036  unsigned int* len, unsigned int* sid, char* ctx_str)
2037 {
2038  if (sa->ce_mask & XFRM_SA_ATTR_SECCTX)
2039  {
2040  if (doi)
2041  *doi = sa->sec_ctx->ctx_doi;
2042  if (alg)
2043  *alg = sa->sec_ctx->ctx_alg;
2044  if (len)
2045  *len = sa->sec_ctx->ctx_len;
2046  if (ctx_str)
2047  memcpy (ctx_str, sa->sec_ctx->ctx, sa->sec_ctx->ctx_len);
2048  }
2049  else
2050  return -1;
2051 
2052  return 0;
2053 }
2054 
2055 /**
2056  * Set the security context.
2057  *
2058  * @arg sa The xfrmnl_sa object.
2059  * @arg doi Parameter for the security context domain of interpretation.
2060  * @arg alg Parameter for the security context algorithm.
2061  * @arg len Parameter for the length of the security context string containing
2062  * the terminating null byte ('\0').
2063  * @arg sid Unused parameter.
2064  * @arg ctx_str Buffer containing the security context string.
2065  *
2066  * @return 0 on success or a negative error code.
2067  */
2068 int xfrmnl_sa_set_sec_ctx (struct xfrmnl_sa* sa, unsigned int doi, unsigned int alg, unsigned int len,
2069  unsigned int sid, const char* ctx_str)
2070 {
2071  _nl_auto_free struct xfrmnl_user_sec_ctx *b = NULL;
2072 
2073  if (!(b = calloc(1, sizeof (struct xfrmnl_user_sec_ctx) + 1 + len)))
2074  return -1;
2075 
2076  b->len = sizeof(struct xfrmnl_user_sec_ctx) + len;
2077  b->exttype = XFRMA_SEC_CTX;
2078  b->ctx_alg = alg;
2079  b->ctx_doi = doi;
2080  b->ctx_len = len;
2081  memcpy (b->ctx, ctx_str, len);
2082  b->ctx[len] = '\0';
2083 
2084  free(sa->sec_ctx);
2085  sa->sec_ctx = _nl_steal_pointer(&b);
2086  sa->ce_mask |= XFRM_SA_ATTR_SECCTX;
2087  return 0;
2088 }
2089 
2090 
2091 int xfrmnl_sa_get_replay_maxage (struct xfrmnl_sa* sa)
2092 {
2093  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_MAXAGE)
2094  return sa->replay_maxage;
2095  else
2096  return -1;
2097 }
2098 
2099 int xfrmnl_sa_set_replay_maxage (struct xfrmnl_sa* sa, unsigned int replay_maxage)
2100 {
2101  sa->replay_maxage = replay_maxage;
2102  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXAGE;
2103 
2104  return 0;
2105 }
2106 
2107 int xfrmnl_sa_get_replay_maxdiff (struct xfrmnl_sa* sa)
2108 {
2109  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_MAXDIFF)
2110  return sa->replay_maxdiff;
2111  else
2112  return -1;
2113 }
2114 
2115 int xfrmnl_sa_set_replay_maxdiff (struct xfrmnl_sa* sa, unsigned int replay_maxdiff)
2116 {
2117  sa->replay_maxdiff = replay_maxdiff;
2118  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXDIFF;
2119 
2120  return 0;
2121 }
2122 
2123 int xfrmnl_sa_get_replay_state (struct xfrmnl_sa* sa, unsigned int* oseq, unsigned int* seq, unsigned int* bmp)
2124 {
2125  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
2126  {
2127  if (sa->replay_state_esn == NULL)
2128  {
2129  *oseq = sa->replay_state.oseq;
2130  *seq = sa->replay_state.seq;
2131  *bmp = sa->replay_state.bitmap;
2132 
2133  return 0;
2134  }
2135  else
2136  {
2137  return -1;
2138  }
2139  }
2140  else
2141  return -1;
2142 }
2143 
2144 int xfrmnl_sa_set_replay_state (struct xfrmnl_sa* sa, unsigned int oseq, unsigned int seq, unsigned int bitmap)
2145 {
2146  sa->replay_state.oseq = oseq;
2147  sa->replay_state.seq = seq;
2148  sa->replay_state.bitmap = bitmap;
2149  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
2150 
2151  return 0;
2152 }
2153 
2154 int xfrmnl_sa_get_replay_state_esn (struct xfrmnl_sa* sa, unsigned int* oseq, unsigned int* seq, unsigned int* oseq_hi,
2155  unsigned int* seq_hi, unsigned int* replay_window, unsigned int* bmp_len, unsigned int* bmp)
2156 {
2157  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
2158  {
2159  if (sa->replay_state_esn)
2160  {
2161  *oseq = sa->replay_state_esn->oseq;
2162  *seq = sa->replay_state_esn->seq;
2163  *oseq_hi= sa->replay_state_esn->oseq_hi;
2164  *seq_hi = sa->replay_state_esn->seq_hi;
2165  *replay_window = sa->replay_state_esn->replay_window;
2166  *bmp_len = sa->replay_state_esn->bmp_len; // In number of 32 bit words
2167  memcpy (bmp, sa->replay_state_esn->bmp, sa->replay_state_esn->bmp_len * sizeof (uint32_t));
2168 
2169  return 0;
2170  }
2171  else
2172  {
2173  return -1;
2174  }
2175  }
2176  else
2177  return -1;
2178 }
2179 
2180 int xfrmnl_sa_set_replay_state_esn (struct xfrmnl_sa* sa, unsigned int oseq, unsigned int seq,
2181  unsigned int oseq_hi, unsigned int seq_hi, unsigned int replay_window,
2182  unsigned int bmp_len, unsigned int* bmp)
2183 {
2184  _nl_auto_free struct xfrmnl_replay_state_esn *b = NULL;
2185 
2186  if (!(b = calloc (1, sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * bmp_len))))
2187  return -1;
2188 
2189  b->oseq = oseq;
2190  b->seq = seq;
2191  b->oseq_hi = oseq_hi;
2192  b->seq_hi = seq_hi;
2193  b->replay_window = replay_window;
2194  b->bmp_len = bmp_len; // In number of 32 bit words
2195  memcpy (b->bmp, bmp, bmp_len * sizeof (uint32_t));
2196 
2197  free(sa->replay_state_esn);
2198  sa->replay_state_esn = _nl_steal_pointer(&b);
2199  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
2200  return 0;
2201 }
2202 
2203 
2204 /**
2205  * Get interface id and flags from xfrm_user_offload.
2206  *
2207  * @arg sa The xfrmnl_sa object.
2208  * @arg ifindex An optional output value for the offload interface index.
2209  * @arg flags An optional output value for the offload flags.
2210  *
2211  * @return 0 on success or a negative error code.
2212  */
2213 int xfrmnl_sa_get_user_offload(struct xfrmnl_sa *sa, int *ifindex, uint8_t *flags)
2214 {
2215  int ret = -1;
2216 
2217  if (sa->ce_mask & XFRM_SA_ATTR_OFFLOAD_DEV && sa->user_offload) {
2218  if (ifindex)
2219  *ifindex = sa->user_offload->ifindex;
2220  if (flags)
2221  *flags = sa->user_offload->flags;
2222  ret = 0;
2223  }
2224 
2225  return ret;
2226 }
2227 
2228 
2229 /**
2230  * Set interface id and flags for xfrm_user_offload.
2231  *
2232  * @arg sa The xfrmnl_sa object.
2233  * @arg ifindex Id of the offload interface.
2234  * @arg flags Offload flags for the state.
2235  *
2236  * @return 0 on success or a negative error code.
2237  */
2238 int xfrmnl_sa_set_user_offload(struct xfrmnl_sa *sa, int ifindex, uint8_t flags)
2239 {
2240  _nl_auto_free struct xfrmnl_user_offload *b = NULL;
2241 
2242  if (!(b = calloc(1, sizeof(*b))))
2243  return -1;
2244 
2245  b->ifindex = ifindex;
2246  b->flags = flags;
2247 
2248  free(sa->user_offload);
2249  sa->user_offload = _nl_steal_pointer(&b);
2250  sa->ce_mask |= XFRM_SA_ATTR_OFFLOAD_DEV;
2251 
2252  return 0;
2253 }
2254 
2255 int xfrmnl_sa_is_hardexpiry_reached (struct xfrmnl_sa* sa)
2256 {
2257  if (sa->ce_mask & XFRM_SA_ATTR_EXPIRE)
2258  return (sa->hard > 0 ? 1: 0);
2259  else
2260  return 0;
2261 }
2262 
2263 int xfrmnl_sa_is_expiry_reached (struct xfrmnl_sa* sa)
2264 {
2265  if (sa->ce_mask & XFRM_SA_ATTR_EXPIRE)
2266  return 1;
2267  else
2268  return 0;
2269 }
2270 
2271 /** @} */
2272 
2273 static struct nl_object_ops xfrm_sa_obj_ops = {
2274  .oo_name = "xfrm/sa",
2275  .oo_size = sizeof(struct xfrmnl_sa),
2276  .oo_constructor = xfrm_sa_alloc_data,
2277  .oo_free_data = xfrm_sa_free_data,
2278  .oo_clone = xfrm_sa_clone,
2279  .oo_dump = {
2280  [NL_DUMP_LINE] = xfrm_sa_dump_line,
2281  [NL_DUMP_DETAILS] = xfrm_sa_dump_details,
2282  [NL_DUMP_STATS] = xfrm_sa_dump_stats,
2283  },
2284  .oo_compare = xfrm_sa_compare,
2285  .oo_attrs2str = xfrm_sa_attrs2str,
2286  .oo_id_attrs = (XFRM_SA_ATTR_DADDR | XFRM_SA_ATTR_SPI | XFRM_SA_ATTR_PROTO),
2287 };
2288 
2289 static struct nl_af_group xfrm_sa_groups[] = {
2290  { AF_UNSPEC, XFRMNLGRP_SA },
2291  { AF_UNSPEC, XFRMNLGRP_EXPIRE },
2292  { END_OF_GROUP_LIST },
2293 };
2294 
2295 static struct nl_cache_ops xfrmnl_sa_ops = {
2296  .co_name = "xfrm/sa",
2297  .co_hdrsize = sizeof(struct xfrm_usersa_info),
2298  .co_msgtypes = {
2299  { XFRM_MSG_NEWSA, NL_ACT_NEW, "new" },
2300  { XFRM_MSG_DELSA, NL_ACT_DEL, "del" },
2301  { XFRM_MSG_GETSA, NL_ACT_GET, "get" },
2302  { XFRM_MSG_EXPIRE, NL_ACT_UNSPEC, "expire"},
2303  { XFRM_MSG_UPDSA, NL_ACT_NEW, "update"},
2304  END_OF_MSGTYPES_LIST,
2305  },
2306  .co_protocol = NETLINK_XFRM,
2307  .co_groups = xfrm_sa_groups,
2308  .co_request_update = xfrm_sa_request_update,
2309  .co_msg_parser = xfrm_sa_msg_parser,
2310  .co_obj_ops = &xfrm_sa_obj_ops,
2311  .co_include_event = &xfrm_sa_update_cache
2312 };
2313 
2314 /**
2315  * @name XFRM SA Cache Managament
2316  * @{
2317  */
2318 
2319 static void __attribute__ ((constructor)) xfrm_sa_init(void)
2320 {
2321  nl_cache_mngt_register(&xfrmnl_sa_ops);
2322 }
2323 
2324 static void __attribute__ ((destructor)) xfrm_sa_exit(void)
2325 {
2326  nl_cache_mngt_unregister(&xfrmnl_sa_ops);
2327 }
2328 
2329 /** @} */
struct xfrmnl_ltime_cfg * xfrmnl_ltime_cfg_alloc()
Allocate new lifetime config object.
Definition: lifetime.c:76
int xfrmnl_sel_cmp(struct xfrmnl_sel *a, struct xfrmnl_sel *b)
Compares two selector objects.
Definition: selector.c:162
int xfrmnl_ltime_cfg_cmp(struct xfrmnl_ltime_cfg *a, struct xfrmnl_ltime_cfg *b)
Compares two lifetime config objects.
Definition: lifetime.c:156
struct xfrmnl_sel * xfrmnl_sel_alloc()
Allocate new selector object.
Definition: selector.c:78
struct xfrmnl_sel * xfrmnl_sel_clone(struct xfrmnl_sel *sel)
Clone existing selector object.
Definition: selector.c:97
struct xfrmnl_ltime_cfg * xfrmnl_ltime_cfg_clone(struct xfrmnl_ltime_cfg *ltime)
Clone existing lifetime config object.
Definition: lifetime.c:95
void * nl_addr_get_binary_addr(const struct nl_addr *addr)
Get binary address of abstract address object.
Definition: addr.c:935
char * nl_addr2str(const struct nl_addr *addr, char *buf, size_t size)
Convert abstract address object to character string.
Definition: addr.c:993
void nl_addr_set_prefixlen(struct nl_addr *addr, int prefixlen)
Set the prefix length of an abstract address.
Definition: addr.c:959
int nl_addr_cmp(const struct nl_addr *a, const struct nl_addr *b)
Compare abstract addresses.
Definition: addr.c:579
struct nl_addr * nl_addr_build(int family, const void *buf, size_t size)
Allocate abstract address based on a binary address.
Definition: addr.c:211
int nl_addr_get_family(const struct nl_addr *addr)
Return address family.
Definition: addr.c:887
struct nl_addr * nl_addr_clone(const struct nl_addr *addr)
Clone existing abstract address object.
Definition: addr.c:487
struct nl_addr * nl_addr_get(struct nl_addr *addr)
Increase the reference counter of an abstract address.
Definition: addr.c:517
unsigned int nl_addr_get_len(const struct nl_addr *addr)
Get length of binary address of abstract address object.
Definition: addr.c:947
void nl_addr_put(struct nl_addr *addr)
Decrease the reference counter of an abstract address.
Definition: addr.c:533
struct nlattr * nla_reserve(struct nl_msg *msg, int attrtype, int attrlen)
Reserve space for a attribute.
Definition: attr.c:449
#define NLA_PUT(msg, attrtype, attrlen, data)
Add unspecific attribute to netlink message.
Definition: attr.h:159
#define NLA_PUT_U32(msg, attrtype, value)
Add 32 bit integer attribute to netlink message.
Definition: attr.h:230
int nla_put(struct nl_msg *msg, int attrtype, int datalen, const void *data)
Add a unspecific attribute to netlink message.
Definition: attr.c:493
void * nla_data(const struct nlattr *nla)
Return pointer to the payload section.
Definition: attr.c:114
@ NLA_U32
32 bit integer
Definition: attr.h:37
int nl_cache_mngt_unregister(struct nl_cache_ops *ops)
Unregister a set of cache operations.
Definition: cache_mngt.c:281
int nl_cache_mngt_register(struct nl_cache_ops *ops)
Register a set of cache operations.
Definition: cache_mngt.c:246
struct nl_object * nl_cache_get_next(struct nl_object *obj)
Return the next element in the cache.
Definition: cache.c:140
struct nl_object * nl_cache_get_first(struct nl_cache *cache)
Return the first element in the cache.
Definition: cache.c:114
struct nl_object * nl_cache_search(struct nl_cache *cache, struct nl_object *needle)
Search object in cache.
Definition: cache.c:1108
void nl_cache_remove(struct nl_object *obj)
Remove object from cache.
Definition: cache.c:546
int nl_cache_alloc_and_fill(struct nl_cache_ops *ops, struct nl_sock *sock, struct nl_cache **result)
Allocate new cache and fill it.
Definition: cache.c:228
int nl_cache_move(struct nl_cache *cache, struct nl_object *obj)
Move object from one cache to another.
Definition: cache.c:518
struct nl_msg * nlmsg_alloc_simple(int nlmsgtype, int flags)
Allocate a new netlink message.
Definition: msg.c:341
void nlmsg_free(struct nl_msg *msg)
Release a reference from an netlink message.
Definition: msg.c:558
int nlmsg_parse(struct nlmsghdr *nlh, int hdrlen, struct nlattr *tb[], int maxtype, const struct nla_policy *policy)
parse attributes of a netlink message
Definition: msg.c:208
int nlmsg_append(struct nl_msg *n, void *data, size_t len, int pad)
Append data to tail of a netlink message.
Definition: msg.c:442
void * nlmsg_data(const struct nlmsghdr *nlh)
Return pointer to message payload.
Definition: msg.c:100
int nl_object_get_msgtype(const struct nl_object *obj)
Return the netlink message type the object was derived from.
Definition: object.c:532
uint64_t nl_object_diff64(struct nl_object *a, struct nl_object *b)
Compute bitmask representing difference in attribute values.
Definition: object.c:364
void nl_object_put(struct nl_object *obj)
Release a reference from an object.
Definition: object.c:214
struct nl_object * nl_object_alloc(struct nl_object_ops *ops)
Allocate a new object of kind specified by the operations handle.
Definition: object.c:48
void nl_object_get(struct nl_object *obj)
Acquire a reference on a object.
Definition: object.c:203
int nl_send_auto(struct nl_sock *sk, struct nl_msg *msg)
Finalize and transmit Netlink message.
Definition: nl.c:510
int nl_send_auto_complete(struct nl_sock *sk, struct nl_msg *msg)
Definition: nl.c:1241
int nl_pickup(struct nl_sock *sk, int(*parser)(struct nl_cache_ops *, struct sockaddr_nl *, struct nlmsghdr *, struct nl_parser_param *), struct nl_object **result)
Pickup netlink answer, parse is and return object.
Definition: nl.c:1172
int nl_wait_for_ack(struct nl_sock *sk)
Wait for ACK.
Definition: nl.c:1106
int nl_send_simple(struct nl_sock *sk, int type, int flags, void *buf, size_t size)
Construct and transmit a Netlink message.
Definition: nl.c:574
void nl_dump(struct nl_dump_params *params, const char *fmt,...)
Dump a formatted character string.
Definition: utils.c:955
@ NL_DUMP_STATS
Dump all attributes including statistics.
Definition: types.h:18
@ NL_DUMP_LINE
Dump object briefly on one line.
Definition: types.h:16
@ NL_DUMP_DETAILS
Dump all attributes but no statistics.
Definition: types.h:17
Dumping parameters.
Definition: types.h:28
Attribute validation policy.
Definition: attr.h:63
uint16_t minlen
Minimal length of payload required.
Definition: attr.h:68