libnl 3.11.0
sa.c
1/* SPDX-License-Identifier: LGPL-2.1-only */
2/*
3 * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
4 *
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the
16 * distribution.
17 *
18 * Neither the name of Texas Instruments Incorporated nor the names of
19 * its contributors may be used to endorse or promote products derived
20 * from this software without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
24 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
25 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
26 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
27 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
28 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
32 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 *
34 */
35
36/**
37 * @ingroup xfrmnl
38 * @defgroup sa Security Association
39 * @brief
40 */
41
42#include "nl-default.h"
43
44#include <time.h>
45
46#include <netlink/netlink.h>
47#include <netlink/cache.h>
48#include <netlink/object.h>
49#include <netlink/xfrm/sa.h>
50#include <netlink/xfrm/selector.h>
51#include <netlink/xfrm/lifetime.h>
52
53#include "nl-xfrm.h"
54#include "nl-priv-dynamic-core/object-api.h"
55#include "nl-priv-dynamic-core/nl-core.h"
56#include "nl-priv-dynamic-core/cache-api.h"
57#include "nl-aux-core/nl-core.h"
58#include "nl-aux-xfrm/nl-xfrm.h"
59
60/** @cond SKIP */
61
62struct xfrmnl_stats {
63 uint32_t replay_window;
64 uint32_t replay;
65 uint32_t integrity_failed;
66};
67
68struct xfrmnl_algo_aead {
69 char alg_name[64];
70 uint32_t alg_key_len; /* in bits */
71 uint32_t alg_icv_len; /* in bits */
72 char alg_key[0];
73};
74
75struct xfrmnl_algo_auth {
76 char alg_name[64];
77 uint32_t alg_key_len; /* in bits */
78 uint32_t alg_trunc_len; /* in bits */
79 char alg_key[0];
80};
81
82struct xfrmnl_algo {
83 char alg_name[64];
84 uint32_t alg_key_len; /* in bits */
85 char alg_key[0];
86};
87
88struct xfrmnl_encap_tmpl {
89 uint16_t encap_type;
90 uint16_t encap_sport;
91 uint16_t encap_dport;
92 struct nl_addr* encap_oa;
93};
94
95struct xfrmnl_user_offload {
96 int ifindex;
97 uint8_t flags;
98};
99
100struct xfrmnl_sa {
101 NLHDR_COMMON
102
103 struct xfrmnl_sel* sel;
104 struct xfrmnl_id id;
105 struct nl_addr* saddr;
106 struct xfrmnl_ltime_cfg* lft;
107 struct xfrmnl_lifetime_cur curlft;
108 struct xfrmnl_stats stats;
109 uint32_t seq;
110 uint32_t reqid;
111 uint16_t family;
112 uint8_t mode; /* XFRM_MODE_xxx */
113 uint8_t replay_window;
114 uint8_t flags;
115 struct xfrmnl_algo_aead* aead;
116 struct xfrmnl_algo_auth* auth;
117 struct xfrmnl_algo* crypt;
118 struct xfrmnl_algo* comp;
119 struct xfrmnl_encap_tmpl* encap;
120 uint32_t tfcpad;
121 struct nl_addr* coaddr;
122 struct xfrmnl_mark mark;
123 struct xfrmnl_user_sec_ctx* sec_ctx;
124 uint32_t replay_maxage;
125 uint32_t replay_maxdiff;
126 struct xfrmnl_replay_state replay_state;
127 struct xfrmnl_replay_state_esn* replay_state_esn;
128 uint8_t hard;
129 struct xfrmnl_user_offload* user_offload;
130};
131
132#define XFRM_SA_ATTR_SEL 0x01
133#define XFRM_SA_ATTR_DADDR 0x02
134#define XFRM_SA_ATTR_SPI 0x04
135#define XFRM_SA_ATTR_PROTO 0x08
136#define XFRM_SA_ATTR_SADDR 0x10
137#define XFRM_SA_ATTR_LTIME_CFG 0x20
138#define XFRM_SA_ATTR_LTIME_CUR 0x40
139#define XFRM_SA_ATTR_STATS 0x80
140#define XFRM_SA_ATTR_SEQ 0x100
141#define XFRM_SA_ATTR_REQID 0x200
142#define XFRM_SA_ATTR_FAMILY 0x400
143#define XFRM_SA_ATTR_MODE 0x800
144#define XFRM_SA_ATTR_REPLAY_WIN 0x1000
145#define XFRM_SA_ATTR_FLAGS 0x2000
146#define XFRM_SA_ATTR_ALG_AEAD 0x4000
147#define XFRM_SA_ATTR_ALG_AUTH 0x8000
148#define XFRM_SA_ATTR_ALG_CRYPT 0x10000
149#define XFRM_SA_ATTR_ALG_COMP 0x20000
150#define XFRM_SA_ATTR_ENCAP 0x40000
151#define XFRM_SA_ATTR_TFCPAD 0x80000
152#define XFRM_SA_ATTR_COADDR 0x100000
153#define XFRM_SA_ATTR_MARK 0x200000
154#define XFRM_SA_ATTR_SECCTX 0x400000
155#define XFRM_SA_ATTR_REPLAY_MAXAGE 0x800000
156#define XFRM_SA_ATTR_REPLAY_MAXDIFF 0x1000000
157#define XFRM_SA_ATTR_REPLAY_STATE 0x2000000
158#define XFRM_SA_ATTR_EXPIRE 0x4000000
159#define XFRM_SA_ATTR_OFFLOAD_DEV 0x8000000
160
161static struct nl_cache_ops xfrmnl_sa_ops;
162static struct nl_object_ops xfrm_sa_obj_ops;
163/** @endcond */
164
165static void xfrm_sa_alloc_data(struct nl_object *c)
166{
167 struct xfrmnl_sa* sa = nl_object_priv (c);
168
169 if ((sa->sel = xfrmnl_sel_alloc ()) == NULL)
170 return;
171
172 if ((sa->lft = xfrmnl_ltime_cfg_alloc ()) == NULL)
173 return;
174}
175
176static void xfrm_sa_free_data(struct nl_object *c)
177{
178 struct xfrmnl_sa* sa = nl_object_priv (c);
179
180 if (sa == NULL)
181 return;
182
183 xfrmnl_sel_put (sa->sel);
184 xfrmnl_ltime_cfg_put (sa->lft);
185 nl_addr_put (sa->id.daddr);
186 nl_addr_put (sa->saddr);
187
188 if (sa->aead)
189 free (sa->aead);
190 if (sa->auth)
191 free (sa->auth);
192 if (sa->crypt)
193 free (sa->crypt);
194 if (sa->comp)
195 free (sa->comp);
196 if (sa->encap) {
197 if (sa->encap->encap_oa)
198 nl_addr_put(sa->encap->encap_oa);
199 free(sa->encap);
200 }
201 if (sa->coaddr)
202 nl_addr_put (sa->coaddr);
203 if (sa->sec_ctx)
204 free (sa->sec_ctx);
205 if (sa->replay_state_esn)
206 free (sa->replay_state_esn);
207 if (sa->user_offload)
208 free(sa->user_offload);
209}
210
211static int xfrm_sa_clone(struct nl_object *_dst, struct nl_object *_src)
212{
213 struct xfrmnl_sa* dst = nl_object_priv(_dst);
214 struct xfrmnl_sa* src = nl_object_priv(_src);
215 uint32_t len = 0;
216
217 dst->sel = NULL;
218 dst->id.daddr = NULL;
219 dst->saddr = NULL;
220 dst->lft = NULL;
221 dst->aead = NULL;
222 dst->auth = NULL;
223 dst->crypt = NULL;
224 dst->comp = NULL;
225 dst->encap = NULL;
226 dst->coaddr = NULL;
227 dst->sec_ctx = NULL;
228 dst->replay_state_esn = NULL;
229 dst->user_offload = NULL;
230
231 if (src->sel)
232 if ((dst->sel = xfrmnl_sel_clone (src->sel)) == NULL)
233 return -NLE_NOMEM;
234
235 if (src->lft)
236 if ((dst->lft = xfrmnl_ltime_cfg_clone (src->lft)) == NULL)
237 return -NLE_NOMEM;
238
239 if (src->id.daddr)
240 if ((dst->id.daddr = nl_addr_clone (src->id.daddr)) == NULL)
241 return -NLE_NOMEM;
242
243 if (src->saddr)
244 if ((dst->saddr = nl_addr_clone (src->saddr)) == NULL)
245 return -NLE_NOMEM;
246
247 if (src->aead) {
248 len = sizeof (struct xfrmnl_algo_aead) + ((src->aead->alg_key_len + 7) / 8);
249 if ((dst->aead = calloc (1, len)) == NULL)
250 return -NLE_NOMEM;
251 memcpy ((void *)dst->aead, (void *)src->aead, len);
252 }
253
254 if (src->auth) {
255 len = sizeof (struct xfrmnl_algo_auth) + ((src->auth->alg_key_len + 7) / 8);
256 if ((dst->auth = calloc (1, len)) == NULL)
257 return -NLE_NOMEM;
258 memcpy ((void *)dst->auth, (void *)src->auth, len);
259 }
260
261 if (src->crypt) {
262 len = sizeof (struct xfrmnl_algo) + ((src->crypt->alg_key_len + 7) / 8);
263 if ((dst->crypt = calloc (1, len)) == NULL)
264 return -NLE_NOMEM;
265 memcpy ((void *)dst->crypt, (void *)src->crypt, len);
266 }
267
268 if (src->comp) {
269 len = sizeof (struct xfrmnl_algo) + ((src->comp->alg_key_len + 7) / 8);
270 if ((dst->comp = calloc (1, len)) == NULL)
271 return -NLE_NOMEM;
272 memcpy ((void *)dst->comp, (void *)src->comp, len);
273 }
274
275 if (src->encap) {
276 len = sizeof (struct xfrmnl_encap_tmpl);
277 if ((dst->encap = calloc (1, len)) == NULL)
278 return -NLE_NOMEM;
279 memcpy ((void *)dst->encap, (void *)src->encap, len);
280 }
281
282 if (src->coaddr)
283 if ((dst->coaddr = nl_addr_clone (src->coaddr)) == NULL)
284 return -NLE_NOMEM;
285
286 if (src->sec_ctx) {
287 len = sizeof (*src->sec_ctx) + src->sec_ctx->ctx_len;
288 if ((dst->sec_ctx = calloc (1, len)) == NULL)
289 return -NLE_NOMEM;
290 memcpy ((void *)dst->sec_ctx, (void *)src->sec_ctx, len);
291 }
292
293 if (src->replay_state_esn) {
294 len = sizeof (struct xfrmnl_replay_state_esn) + (src->replay_state_esn->bmp_len * sizeof (uint32_t));
295 if ((dst->replay_state_esn = calloc (1, len)) == NULL)
296 return -NLE_NOMEM;
297 memcpy ((void *)dst->replay_state_esn, (void *)src->replay_state_esn, len);
298 }
299
300 if (src->user_offload) {
301 dst->user_offload = _nl_memdup_ptr(src->user_offload);
302 if (!dst->user_offload)
303 return -NLE_NOMEM;
304 }
305
306 return 0;
307}
308
309static uint64_t xfrm_sa_compare(struct nl_object *_a, struct nl_object *_b,
310 uint64_t attrs, int flags)
311{
312 struct xfrmnl_sa* a = (struct xfrmnl_sa *) _a;
313 struct xfrmnl_sa* b = (struct xfrmnl_sa *) _b;
314 uint64_t diff = 0;
315 int found = 0;
316
317#define _DIFF(ATTR, EXPR) ATTR_DIFF(attrs, ATTR, a, b, EXPR)
318 diff |= _DIFF(XFRM_SA_ATTR_SEL, xfrmnl_sel_cmp(a->sel, b->sel));
319 diff |= _DIFF(XFRM_SA_ATTR_DADDR,
320 nl_addr_cmp(a->id.daddr, b->id.daddr));
321 diff |= _DIFF(XFRM_SA_ATTR_SPI, a->id.spi != b->id.spi);
322 diff |= _DIFF(XFRM_SA_ATTR_PROTO, a->id.proto != b->id.proto);
323 diff |= _DIFF(XFRM_SA_ATTR_SADDR, nl_addr_cmp(a->saddr, b->saddr));
324 diff |= _DIFF(XFRM_SA_ATTR_LTIME_CFG,
325 xfrmnl_ltime_cfg_cmp(a->lft, b->lft));
326 diff |= _DIFF(XFRM_SA_ATTR_REQID, a->reqid != b->reqid);
327 diff |= _DIFF(XFRM_SA_ATTR_FAMILY, a->family != b->family);
328 diff |= _DIFF(XFRM_SA_ATTR_MODE, a->mode != b->mode);
329 diff |= _DIFF(XFRM_SA_ATTR_REPLAY_WIN,
330 a->replay_window != b->replay_window);
331 diff |= _DIFF(XFRM_SA_ATTR_FLAGS, a->flags != b->flags);
332 diff |= _DIFF(XFRM_SA_ATTR_ALG_AEAD,
333 (strcmp(a->aead->alg_name, b->aead->alg_name) ||
334 (a->aead->alg_key_len != b->aead->alg_key_len) ||
335 (a->aead->alg_icv_len != b->aead->alg_icv_len) ||
336 memcmp(a->aead->alg_key, b->aead->alg_key,
337 ((a->aead->alg_key_len + 7) / 8))));
338 diff |= _DIFF(XFRM_SA_ATTR_ALG_AUTH,
339 (strcmp(a->auth->alg_name, b->auth->alg_name) ||
340 (a->auth->alg_key_len != b->auth->alg_key_len) ||
341 (a->auth->alg_trunc_len != b->auth->alg_trunc_len) ||
342 memcmp(a->auth->alg_key, b->auth->alg_key,
343 ((a->auth->alg_key_len + 7) / 8))));
344 diff |= _DIFF(XFRM_SA_ATTR_ALG_CRYPT,
345 (strcmp(a->crypt->alg_name, b->crypt->alg_name) ||
346 (a->crypt->alg_key_len != b->crypt->alg_key_len) ||
347 memcmp(a->crypt->alg_key, b->crypt->alg_key,
348 ((a->crypt->alg_key_len + 7) / 8))));
349 diff |= _DIFF(XFRM_SA_ATTR_ALG_COMP,
350 (strcmp(a->comp->alg_name, b->comp->alg_name) ||
351 (a->comp->alg_key_len != b->comp->alg_key_len) ||
352 memcmp(a->comp->alg_key, b->comp->alg_key,
353 ((a->comp->alg_key_len + 7) / 8))));
354 diff |= _DIFF(XFRM_SA_ATTR_ENCAP,
355 ((a->encap->encap_type != b->encap->encap_type) ||
356 (a->encap->encap_sport != b->encap->encap_sport) ||
357 (a->encap->encap_dport != b->encap->encap_dport) ||
358 nl_addr_cmp(a->encap->encap_oa, b->encap->encap_oa)));
359 diff |= _DIFF(XFRM_SA_ATTR_TFCPAD, a->tfcpad != b->tfcpad);
360 diff |= _DIFF(XFRM_SA_ATTR_COADDR, nl_addr_cmp(a->coaddr, b->coaddr));
361 diff |= _DIFF(XFRM_SA_ATTR_MARK,
362 (a->mark.m != b->mark.m) || (a->mark.v != b->mark.v));
363 diff |= _DIFF(XFRM_SA_ATTR_SECCTX,
364 ((a->sec_ctx->ctx_doi != b->sec_ctx->ctx_doi) ||
365 (a->sec_ctx->ctx_alg != b->sec_ctx->ctx_alg) ||
366 (a->sec_ctx->ctx_len != b->sec_ctx->ctx_len) ||
367 strcmp(a->sec_ctx->ctx, b->sec_ctx->ctx)));
368 diff |= _DIFF(XFRM_SA_ATTR_REPLAY_MAXAGE,
369 a->replay_maxage != b->replay_maxage);
370 diff |= _DIFF(XFRM_SA_ATTR_REPLAY_MAXDIFF,
371 a->replay_maxdiff != b->replay_maxdiff);
372 diff |= _DIFF(XFRM_SA_ATTR_EXPIRE, a->hard != b->hard);
373
374 /* Compare replay states */
375 found = AVAILABLE_MISMATCH (a, b, XFRM_SA_ATTR_REPLAY_STATE);
376 if (found == 0) // attribute exists in both objects
377 {
378 if (((a->replay_state_esn != NULL) && (b->replay_state_esn == NULL)) ||
379 ((a->replay_state_esn == NULL) && (b->replay_state_esn != NULL)))
380 found |= 1;
381
382 if (found == 0) // same replay type. compare actual values
383 {
384 if (a->replay_state_esn)
385 {
386 if (a->replay_state_esn->bmp_len != b->replay_state_esn->bmp_len)
387 diff |= 1;
388 else
389 {
390 uint32_t len = sizeof (struct xfrmnl_replay_state_esn) +
391 (a->replay_state_esn->bmp_len * sizeof (uint32_t));
392 diff |= memcmp (a->replay_state_esn, b->replay_state_esn, len);
393 }
394 }
395 else
396 {
397 if ((a->replay_state.oseq != b->replay_state.oseq) ||
398 (a->replay_state.seq != b->replay_state.seq) ||
399 (a->replay_state.bitmap != b->replay_state.bitmap))
400 diff |= 1;
401 }
402 }
403 }
404#undef _DIFF
405
406 return diff;
407}
408
409/**
410 * @name XFRM SA Attribute Translations
411 * @{
412 */
413static const struct trans_tbl sa_attrs[] = {
414 __ADD(XFRM_SA_ATTR_SEL, selector),
415 __ADD(XFRM_SA_ATTR_DADDR, daddr),
416 __ADD(XFRM_SA_ATTR_SPI, spi),
417 __ADD(XFRM_SA_ATTR_PROTO, proto),
418 __ADD(XFRM_SA_ATTR_SADDR, saddr),
419 __ADD(XFRM_SA_ATTR_LTIME_CFG, lifetime_cfg),
420 __ADD(XFRM_SA_ATTR_LTIME_CUR, lifetime_cur),
421 __ADD(XFRM_SA_ATTR_STATS, stats),
422 __ADD(XFRM_SA_ATTR_SEQ, seqnum),
423 __ADD(XFRM_SA_ATTR_REQID, reqid),
424 __ADD(XFRM_SA_ATTR_FAMILY, family),
425 __ADD(XFRM_SA_ATTR_MODE, mode),
426 __ADD(XFRM_SA_ATTR_REPLAY_WIN, replay_window),
427 __ADD(XFRM_SA_ATTR_FLAGS, flags),
428 __ADD(XFRM_SA_ATTR_ALG_AEAD, alg_aead),
429 __ADD(XFRM_SA_ATTR_ALG_AUTH, alg_auth),
430 __ADD(XFRM_SA_ATTR_ALG_CRYPT, alg_crypto),
431 __ADD(XFRM_SA_ATTR_ALG_COMP, alg_comp),
432 __ADD(XFRM_SA_ATTR_ENCAP, encap),
433 __ADD(XFRM_SA_ATTR_TFCPAD, tfcpad),
434 __ADD(XFRM_SA_ATTR_COADDR, coaddr),
435 __ADD(XFRM_SA_ATTR_MARK, mark),
436 __ADD(XFRM_SA_ATTR_SECCTX, sec_ctx),
437 __ADD(XFRM_SA_ATTR_REPLAY_MAXAGE, replay_maxage),
438 __ADD(XFRM_SA_ATTR_REPLAY_MAXDIFF, replay_maxdiff),
439 __ADD(XFRM_SA_ATTR_REPLAY_STATE, replay_state),
440 __ADD(XFRM_SA_ATTR_EXPIRE, expire),
441 __ADD(XFRM_SA_ATTR_OFFLOAD_DEV, user_offload),
442};
443
444static char* xfrm_sa_attrs2str(int attrs, char *buf, size_t len)
445{
446 return __flags2str (attrs, buf, len, sa_attrs, ARRAY_SIZE(sa_attrs));
447}
448/** @} */
449
450/**
451 * @name XFRM SA Flags Translations
452 * @{
453 */
454static const struct trans_tbl sa_flags[] = {
455 __ADD(XFRM_STATE_NOECN, no ecn),
456 __ADD(XFRM_STATE_DECAP_DSCP, decap dscp),
457 __ADD(XFRM_STATE_NOPMTUDISC, no pmtu discovery),
458 __ADD(XFRM_STATE_WILDRECV, wild receive),
459 __ADD(XFRM_STATE_ICMP, icmp),
460 __ADD(XFRM_STATE_AF_UNSPEC, unspecified),
461 __ADD(XFRM_STATE_ALIGN4, align4),
462 __ADD(XFRM_STATE_ESN, esn),
463};
464
465char* xfrmnl_sa_flags2str(int flags, char *buf, size_t len)
466{
467 return __flags2str (flags, buf, len, sa_flags, ARRAY_SIZE(sa_flags));
468}
469
470int xfrmnl_sa_str2flag(const char *name)
471{
472 return __str2flags (name, sa_flags, ARRAY_SIZE(sa_flags));
473}
474/** @} */
475
476/**
477 * @name XFRM SA Mode Translations
478 * @{
479 */
480static const struct trans_tbl sa_modes[] = {
481 __ADD(XFRM_MODE_TRANSPORT, transport),
482 __ADD(XFRM_MODE_TUNNEL, tunnel),
483 __ADD(XFRM_MODE_ROUTEOPTIMIZATION, route optimization),
484 __ADD(XFRM_MODE_IN_TRIGGER, in trigger),
485 __ADD(XFRM_MODE_BEET, beet),
486};
487
488char* xfrmnl_sa_mode2str(int mode, char *buf, size_t len)
489{
490 return __type2str (mode, buf, len, sa_modes, ARRAY_SIZE(sa_modes));
491}
492
493int xfrmnl_sa_str2mode(const char *name)
494{
495 return __str2type (name, sa_modes, ARRAY_SIZE(sa_modes));
496}
497/** @} */
498
499
500static void xfrm_sa_dump_line(struct nl_object *a, struct nl_dump_params *p)
501{
502 char dst[INET6_ADDRSTRLEN+5], src[INET6_ADDRSTRLEN+5];
503 struct xfrmnl_sa* sa = (struct xfrmnl_sa *) a;
504 char flags[128], mode[128];
505 time_t add_time, use_time;
506 struct tm *add_time_tm, *use_time_tm;
507 struct tm tm_buf;
508
509 nl_dump_line(p, "src %s dst %s family: %s\n", nl_addr2str(sa->saddr, src, sizeof(src)),
510 nl_addr2str(sa->id.daddr, dst, sizeof(dst)),
511 nl_af2str (sa->family, flags, sizeof (flags)));
512
513 nl_dump_line(p, "\tproto %s spi 0x%x reqid %u\n",
514 nl_ip_proto2str (sa->id.proto, flags, sizeof(flags)),
515 sa->id.spi, sa->reqid);
516
517 xfrmnl_sa_flags2str(sa->flags, flags, sizeof (flags));
518 xfrmnl_sa_mode2str(sa->mode, mode, sizeof (mode));
519 nl_dump_line(p, "\tmode: %s flags: %s (0x%x) seq: %u replay window: %u\n",
520 mode, flags, sa->flags, sa->seq, sa->replay_window);
521
522 nl_dump_line(p, "\tlifetime configuration: \n");
523 if (sa->lft->soft_byte_limit == XFRM_INF)
524 sprintf (flags, "INF");
525 else
526 sprintf (flags, "%" PRIu64, sa->lft->soft_byte_limit);
527 if (sa->lft->soft_packet_limit == XFRM_INF)
528 sprintf (mode, "INF");
529 else
530 sprintf (mode, "%" PRIu64, sa->lft->soft_packet_limit);
531 nl_dump_line(p, "\t\tsoft limit: %s (bytes), %s (packets)\n", flags, mode);
532 if (sa->lft->hard_byte_limit == XFRM_INF)
533 sprintf (flags, "INF");
534 else
535 sprintf (flags, "%" PRIu64, sa->lft->hard_byte_limit);
536 if (sa->lft->hard_packet_limit == XFRM_INF)
537 sprintf (mode, "INF");
538 else
539 sprintf (mode, "%" PRIu64, sa->lft->hard_packet_limit);
540 nl_dump_line(p, "\t\thard limit: %s (bytes), %s (packets)\n", flags,
541 mode);
542 nl_dump_line(
543 p,
544 "\t\tsoft add_time: %llu (seconds), soft use_time: %llu (seconds) \n",
545 (long long unsigned)sa->lft->soft_add_expires_seconds,
546 (long long unsigned)sa->lft->soft_use_expires_seconds);
547 nl_dump_line(
548 p,
549 "\t\thard add_time: %llu (seconds), hard use_time: %llu (seconds) \n",
550 (long long unsigned)sa->lft->hard_add_expires_seconds,
551 (long long unsigned)sa->lft->hard_use_expires_seconds);
552
553 nl_dump_line(p, "\tlifetime current: \n");
554 nl_dump_line(p, "\t\t%llu bytes, %llu packets\n",
555 (long long unsigned)sa->curlft.bytes,
556 (long long unsigned)sa->curlft.packets);
557 if (sa->curlft.add_time != 0)
558 {
559 add_time = sa->curlft.add_time;
560 add_time_tm = gmtime_r (&add_time, &tm_buf);
561 strftime (flags, 128, "%Y-%m-%d %H-%M-%S", add_time_tm);
562 }
563 else
564 {
565 sprintf (flags, "%s", "-");
566 }
567
568 if (sa->curlft.use_time != 0)
569 {
570 use_time = sa->curlft.use_time;
571 use_time_tm = gmtime_r (&use_time, &tm_buf);
572 strftime (mode, 128, "%Y-%m-%d %H-%M-%S", use_time_tm);
573 }
574 else
575 {
576 sprintf (mode, "%s", "-");
577 }
578 nl_dump_line(p, "\t\tadd_time: %s, use_time: %s\n", flags, mode);
579
580 if (sa->aead)
581 {
582 nl_dump_line(p, "\tAEAD Algo: \n");
583 nl_dump_line(p, "\t\tName: %s Key len(bits): %u ICV Len(bits): %u\n",
584 sa->aead->alg_name, sa->aead->alg_key_len, sa->aead->alg_icv_len);
585 }
586
587 if (sa->auth)
588 {
589 nl_dump_line(p, "\tAuth Algo: \n");
590 nl_dump_line(p, "\t\tName: %s Key len(bits): %u Trunc len(bits): %u\n",
591 sa->auth->alg_name, sa->auth->alg_key_len, sa->auth->alg_trunc_len);
592 }
593
594 if (sa->crypt)
595 {
596 nl_dump_line(p, "\tEncryption Algo: \n");
597 nl_dump_line(p, "\t\tName: %s Key len(bits): %u\n",
598 sa->crypt->alg_name, sa->crypt->alg_key_len);
599 }
600
601 if (sa->comp)
602 {
603 nl_dump_line(p, "\tCompression Algo: \n");
604 nl_dump_line(p, "\t\tName: %s Key len(bits): %u\n",
605 sa->comp->alg_name, sa->comp->alg_key_len);
606 }
607
608 if (sa->encap)
609 {
610 nl_dump_line(p, "\tEncapsulation template: \n");
611 nl_dump_line(p, "\t\tType: %d Src port: %d Dst port: %d Encap addr: %s\n",
612 sa->encap->encap_type, sa->encap->encap_sport, sa->encap->encap_dport,
613 nl_addr2str (sa->encap->encap_oa, dst, sizeof (dst)));
614 }
615
616 if (sa->ce_mask & XFRM_SA_ATTR_TFCPAD)
617 nl_dump_line(p, "\tTFC Pad: %u\n", sa->tfcpad);
618
619 if (sa->ce_mask & XFRM_SA_ATTR_COADDR)
620 nl_dump_line(p, "\tCO Address: %s\n", nl_addr2str (sa->coaddr, dst, sizeof (dst)));
621
622 if (sa->ce_mask & XFRM_SA_ATTR_MARK)
623 nl_dump_line(p, "\tMark mask: 0x%x Mark value: 0x%x\n", sa->mark.m, sa->mark.v);
624
625 if (sa->ce_mask & XFRM_SA_ATTR_SECCTX)
626 nl_dump_line(p, "\tDOI: %d Algo: %d Len: %u ctx: %s\n", sa->sec_ctx->ctx_doi,
627 sa->sec_ctx->ctx_alg, sa->sec_ctx->ctx_len, sa->sec_ctx->ctx);
628
629 nl_dump_line(p, "\treplay info: \n");
630 nl_dump_line(p, "\t\tmax age %u max diff %u \n", sa->replay_maxage, sa->replay_maxdiff);
631
632 if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
633 {
634 nl_dump_line(p, "\treplay state info: \n");
635 if (sa->replay_state_esn)
636 {
637 nl_dump_line(p, "\t\toseq %u seq %u oseq_hi %u seq_hi %u replay window: %u \n",
638 sa->replay_state_esn->oseq, sa->replay_state_esn->seq,
639 sa->replay_state_esn->oseq_hi, sa->replay_state_esn->seq_hi,
640 sa->replay_state_esn->replay_window);
641 }
642 else
643 {
644 nl_dump_line(p, "\t\toseq %u seq %u bitmap: %u \n", sa->replay_state.oseq,
645 sa->replay_state.seq, sa->replay_state.bitmap);
646 }
647 }
648
649 nl_dump_line(p, "\tselector info: \n");
650 xfrmnl_sel_dump (sa->sel, p);
651
652 nl_dump_line(p, "\tHard: %d\n", sa->hard);
653
654 nl_dump(p, "\n");
655}
656
657static void xfrm_sa_dump_stats(struct nl_object *a, struct nl_dump_params *p)
658{
659 struct xfrmnl_sa* sa = (struct xfrmnl_sa*)a;
660
661 nl_dump_line(p, "\tstats: \n");
662 nl_dump_line(p, "\t\treplay window: %u replay: %u integrity failed: %u \n",
663 sa->stats.replay_window, sa->stats.replay, sa->stats.integrity_failed);
664
665 return;
666}
667
668static void xfrm_sa_dump_details(struct nl_object *a, struct nl_dump_params *p)
669{
670 xfrm_sa_dump_line(a, p);
671 xfrm_sa_dump_stats (a, p);
672}
673
674/**
675 * @name XFRM SA Object Allocation/Freeage
676 * @{
677 */
678
679struct xfrmnl_sa* xfrmnl_sa_alloc(void)
680{
681 return (struct xfrmnl_sa*) nl_object_alloc(&xfrm_sa_obj_ops);
682}
683
684void xfrmnl_sa_put(struct xfrmnl_sa* sa)
685{
686 nl_object_put((struct nl_object *) sa);
687}
688
689/** @} */
690
691/**
692 * @name SA Cache Managament
693 * @{
694 */
695
696/**
697 * Build a SA cache including all SAs currently configured in the kernel.
698 * @arg sock Netlink socket.
699 * @arg result Pointer to store resulting cache.
700 *
701 * Allocates a new SA cache, initializes it properly and updates it
702 * to include all SAs currently configured in the kernel.
703 *
704 * @return 0 on success or a negative error code.
705 */
706int xfrmnl_sa_alloc_cache(struct nl_sock *sock, struct nl_cache **result)
707{
708 return nl_cache_alloc_and_fill(&xfrmnl_sa_ops, sock, result);
709}
710
711/**
712 * Look up a SA by destination address, SPI, protocol
713 * @arg cache SA cache
714 * @arg daddr destination address of the SA
715 * @arg spi SPI
716 * @arg proto protocol
717 * @return sa handle or NULL if no match was found.
718 */
719struct xfrmnl_sa* xfrmnl_sa_get(struct nl_cache* cache, struct nl_addr* daddr,
720 unsigned int spi, unsigned int proto)
721{
722 struct xfrmnl_sa *sa;
723
724 //nl_list_for_each_entry(sa, &cache->c_items, ce_list) {
725 for (sa = (struct xfrmnl_sa*)nl_cache_get_first (cache);
726 sa != NULL;
727 sa = (struct xfrmnl_sa*)nl_cache_get_next ((struct nl_object*)sa))
728 {
729 if (sa->id.proto == proto &&
730 sa->id.spi == spi &&
731 !nl_addr_cmp(sa->id.daddr, daddr))
732 {
733 nl_object_get((struct nl_object *) sa);
734 return sa;
735 }
736
737 }
738
739 return NULL;
740}
741
742
743/** @} */
744
745
746static struct nla_policy xfrm_sa_policy[XFRMA_MAX+1] = {
747 [XFRMA_SA] = { .minlen = sizeof(struct xfrm_usersa_info)},
748 [XFRMA_ALG_AUTH_TRUNC] = { .minlen = sizeof(struct xfrm_algo_auth)},
749 [XFRMA_ALG_AEAD] = { .minlen = sizeof(struct xfrm_algo_aead) },
750 [XFRMA_ALG_AUTH] = { .minlen = sizeof(struct xfrm_algo) },
751 [XFRMA_ALG_CRYPT] = { .minlen = sizeof(struct xfrm_algo) },
752 [XFRMA_ALG_COMP] = { .minlen = sizeof(struct xfrm_algo) },
753 [XFRMA_ENCAP] = { .minlen = sizeof(struct xfrm_encap_tmpl) },
754 [XFRMA_TMPL] = { .minlen = sizeof(struct xfrm_user_tmpl) },
755 [XFRMA_SEC_CTX] = { .minlen = sizeof(struct xfrm_sec_ctx) },
756 [XFRMA_LTIME_VAL] = { .minlen = sizeof(struct xfrm_lifetime_cur) },
757 [XFRMA_REPLAY_VAL] = { .minlen = sizeof(struct xfrm_replay_state) },
758 [XFRMA_OFFLOAD_DEV] = { .minlen = sizeof(struct xfrm_user_offload) },
759 [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 },
760 [XFRMA_ETIMER_THRESH] = { .type = NLA_U32 },
761 [XFRMA_SRCADDR] = { .minlen = sizeof(xfrm_address_t) },
762 [XFRMA_COADDR] = { .minlen = sizeof(xfrm_address_t) },
763 [XFRMA_MARK] = { .minlen = sizeof(struct xfrm_mark) },
764 [XFRMA_TFCPAD] = { .type = NLA_U32 },
765 [XFRMA_REPLAY_ESN_VAL] = { .minlen = sizeof(struct xfrm_replay_state_esn) },
766};
767
768static int xfrm_sa_request_update(struct nl_cache *c, struct nl_sock *h)
769{
770 return nl_send_simple (h, XFRM_MSG_GETSA, NLM_F_DUMP, NULL, 0);
771}
772
773int xfrmnl_sa_parse(struct nlmsghdr *n, struct xfrmnl_sa **result)
774{
775 _nl_auto_nl_addr struct nl_addr *addr1 = NULL;
776 _nl_auto_nl_addr struct nl_addr *addr2 = NULL;
777 _nl_auto_xfrmnl_sa struct xfrmnl_sa *sa = NULL;
778 struct nlattr *tb[XFRMA_MAX + 1];
779 struct xfrm_usersa_info* sa_info;
780 struct xfrm_user_expire* ue;
781 int len, err;
782
783 sa = xfrmnl_sa_alloc();
784 if (!sa)
785 return -NLE_NOMEM;
786
787 sa->ce_msgtype = n->nlmsg_type;
788 if (n->nlmsg_type == XFRM_MSG_EXPIRE)
789 {
790 ue = nlmsg_data(n);
791 sa_info = &ue->state;
792 sa->hard = ue->hard;
793 sa->ce_mask |= XFRM_SA_ATTR_EXPIRE;
794 }
795 else if (n->nlmsg_type == XFRM_MSG_DELSA)
796 {
797 sa_info = (struct xfrm_usersa_info*)((char *)nlmsg_data(n) + sizeof (struct xfrm_usersa_id) + NLA_HDRLEN);
798 }
799 else
800 {
801 sa_info = nlmsg_data(n);
802 }
803
804 err = nlmsg_parse(n, sizeof(struct xfrm_usersa_info), tb, XFRMA_MAX, xfrm_sa_policy);
805 if (err < 0)
806 return err;
807
808 if (!(addr1 = _nl_addr_build(sa_info->sel.family, &sa_info->sel.daddr)))
809 return -NLE_NOMEM;
810 nl_addr_set_prefixlen (addr1, sa_info->sel.prefixlen_d);
811 xfrmnl_sel_set_daddr (sa->sel, addr1);
812 xfrmnl_sel_set_prefixlen_d (sa->sel, sa_info->sel.prefixlen_d);
813
814 if (!(addr2 = _nl_addr_build(sa_info->sel.family, &sa_info->sel.saddr)))
815 return -NLE_NOMEM;
816 nl_addr_set_prefixlen (addr2, sa_info->sel.prefixlen_s);
817 xfrmnl_sel_set_saddr (sa->sel, addr2);
818 xfrmnl_sel_set_prefixlen_s (sa->sel, sa_info->sel.prefixlen_s);
819
820 xfrmnl_sel_set_dport (sa->sel, ntohs(sa_info->sel.dport));
821 xfrmnl_sel_set_dportmask (sa->sel, ntohs(sa_info->sel.dport_mask));
822 xfrmnl_sel_set_sport (sa->sel, ntohs(sa_info->sel.sport));
823 xfrmnl_sel_set_sportmask (sa->sel, ntohs(sa_info->sel.sport_mask));
824 xfrmnl_sel_set_family (sa->sel, sa_info->sel.family);
825 xfrmnl_sel_set_proto (sa->sel, sa_info->sel.proto);
826 xfrmnl_sel_set_ifindex (sa->sel, sa_info->sel.ifindex);
827 xfrmnl_sel_set_userid (sa->sel, sa_info->sel.user);
828 sa->ce_mask |= XFRM_SA_ATTR_SEL;
829
830 if (!(sa->id.daddr = _nl_addr_build(sa_info->family, &sa_info->id.daddr)))
831 return -NLE_NOMEM;
832 sa->id.spi = ntohl(sa_info->id.spi);
833 sa->id.proto = sa_info->id.proto;
834 sa->ce_mask |= (XFRM_SA_ATTR_DADDR | XFRM_SA_ATTR_SPI | XFRM_SA_ATTR_PROTO);
835
836 if (!(sa->saddr = _nl_addr_build(sa_info->family, &sa_info->saddr)))
837 return -NLE_NOMEM;
838 sa->ce_mask |= XFRM_SA_ATTR_SADDR;
839
840 sa->lft->soft_byte_limit = sa_info->lft.soft_byte_limit;
841 sa->lft->hard_byte_limit = sa_info->lft.hard_byte_limit;
842 sa->lft->soft_packet_limit = sa_info->lft.soft_packet_limit;
843 sa->lft->hard_packet_limit = sa_info->lft.hard_packet_limit;
844 sa->lft->soft_add_expires_seconds = sa_info->lft.soft_add_expires_seconds;
845 sa->lft->hard_add_expires_seconds = sa_info->lft.hard_add_expires_seconds;
846 sa->lft->soft_use_expires_seconds = sa_info->lft.soft_use_expires_seconds;
847 sa->lft->hard_use_expires_seconds = sa_info->lft.hard_use_expires_seconds;
848 sa->ce_mask |= XFRM_SA_ATTR_LTIME_CFG;
849
850 sa->curlft.bytes = sa_info->curlft.bytes;
851 sa->curlft.packets = sa_info->curlft.packets;
852 sa->curlft.add_time = sa_info->curlft.add_time;
853 sa->curlft.use_time = sa_info->curlft.use_time;
854 sa->ce_mask |= XFRM_SA_ATTR_LTIME_CUR;
855
856 sa->stats.replay_window = sa_info->stats.replay_window;
857 sa->stats.replay = sa_info->stats.replay;
858 sa->stats.integrity_failed = sa_info->stats.integrity_failed;
859 sa->ce_mask |= XFRM_SA_ATTR_STATS;
860
861 sa->seq = sa_info->seq;
862 sa->reqid = sa_info->reqid;
863 sa->family = sa_info->family;
864 sa->mode = sa_info->mode;
865 sa->replay_window = sa_info->replay_window;
866 sa->flags = sa_info->flags;
867 sa->ce_mask |= (XFRM_SA_ATTR_SEQ | XFRM_SA_ATTR_REQID |
868 XFRM_SA_ATTR_FAMILY | XFRM_SA_ATTR_MODE |
869 XFRM_SA_ATTR_REPLAY_WIN | XFRM_SA_ATTR_FLAGS);
870
871 if (tb[XFRMA_ALG_AEAD]) {
872 struct xfrm_algo_aead* aead = nla_data(tb[XFRMA_ALG_AEAD]);
873
874 len = sizeof (struct xfrmnl_algo_aead) + ((aead->alg_key_len + 7) / 8);
875 if ((sa->aead = calloc (1, len)) == NULL)
876 return -NLE_NOMEM;
877 memcpy ((void *)sa->aead, (void *)aead, len);
878 sa->ce_mask |= XFRM_SA_ATTR_ALG_AEAD;
879 }
880
881 if (tb[XFRMA_ALG_AUTH_TRUNC]) {
882 struct xfrm_algo_auth* auth = nla_data(tb[XFRMA_ALG_AUTH_TRUNC]);
883
884 len = sizeof (struct xfrmnl_algo_auth) + ((auth->alg_key_len + 7) / 8);
885 if ((sa->auth = calloc (1, len)) == NULL)
886 return -NLE_NOMEM;
887 memcpy ((void *)sa->auth, (void *)auth, len);
888 sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
889 }
890
891 if (tb[XFRMA_ALG_AUTH] && !sa->auth) {
892 struct xfrm_algo* auth = nla_data(tb[XFRMA_ALG_AUTH]);
893
894 len = sizeof (struct xfrmnl_algo_auth) + ((auth->alg_key_len + 7) / 8);
895 if ((sa->auth = calloc (1, len)) == NULL)
896 return -NLE_NOMEM;
897 strcpy(sa->auth->alg_name, auth->alg_name);
898 memcpy(sa->auth->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8);
899 sa->auth->alg_key_len = auth->alg_key_len;
900 sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
901 }
902
903 if (tb[XFRMA_ALG_CRYPT]) {
904 struct xfrm_algo* crypt = nla_data(tb[XFRMA_ALG_CRYPT]);
905
906 len = sizeof (struct xfrmnl_algo) + ((crypt->alg_key_len + 7) / 8);
907 if ((sa->crypt = calloc (1, len)) == NULL)
908 return -NLE_NOMEM;
909 memcpy ((void *)sa->crypt, (void *)crypt, len);
910 sa->ce_mask |= XFRM_SA_ATTR_ALG_CRYPT;
911 }
912
913 if (tb[XFRMA_ALG_COMP]) {
914 struct xfrm_algo* comp = nla_data(tb[XFRMA_ALG_COMP]);
915
916 len = sizeof (struct xfrmnl_algo) + ((comp->alg_key_len + 7) / 8);
917 if ((sa->comp = calloc (1, len)) == NULL)
918 return -NLE_NOMEM;
919 memcpy ((void *)sa->comp, (void *)comp, len);
920 sa->ce_mask |= XFRM_SA_ATTR_ALG_COMP;
921 }
922
923 if (tb[XFRMA_ENCAP]) {
924 struct xfrm_encap_tmpl* encap = nla_data(tb[XFRMA_ENCAP]);
925
926 len = sizeof (struct xfrmnl_encap_tmpl);
927 if ((sa->encap = calloc (1, len)) == NULL)
928 return -NLE_NOMEM;
929 sa->encap->encap_type = encap->encap_type;
930 sa->encap->encap_sport = ntohs(encap->encap_sport);
931 sa->encap->encap_dport = ntohs(encap->encap_dport);
932 if (!(sa->encap->encap_oa = _nl_addr_build(sa_info->family,
933 &encap->encap_oa)))
934 return -NLE_NOMEM;
935 sa->ce_mask |= XFRM_SA_ATTR_ENCAP;
936 }
937
938 if (tb[XFRMA_TFCPAD]) {
939 sa->tfcpad = *(uint32_t*)nla_data(tb[XFRMA_TFCPAD]);
940 sa->ce_mask |= XFRM_SA_ATTR_TFCPAD;
941 }
942
943 if (tb[XFRMA_COADDR]) {
944 if (!(sa->coaddr = _nl_addr_build(
945 sa_info->family, nla_data(tb[XFRMA_COADDR]))))
946 return -NLE_NOMEM;
947 sa->ce_mask |= XFRM_SA_ATTR_COADDR;
948 }
949
950 if (tb[XFRMA_MARK]) {
951 struct xfrm_mark* m = nla_data(tb[XFRMA_MARK]);
952
953 sa->mark.m = m->m;
954 sa->mark.v = m->v;
955 sa->ce_mask |= XFRM_SA_ATTR_MARK;
956 }
957
958 if (tb[XFRMA_SEC_CTX]) {
959 struct xfrm_user_sec_ctx* sec_ctx = nla_data(tb[XFRMA_SEC_CTX]);
960
961 len = sizeof (struct xfrmnl_user_sec_ctx) + sec_ctx->ctx_len;
962 if ((sa->sec_ctx = calloc (1, len)) == NULL)
963 return -NLE_NOMEM;
964 memcpy (sa->sec_ctx, sec_ctx, len);
965 sa->ce_mask |= XFRM_SA_ATTR_SECCTX;
966 }
967
968 if (tb[XFRMA_ETIMER_THRESH]) {
969 sa->replay_maxage = *(uint32_t*)nla_data(tb[XFRMA_ETIMER_THRESH]);
970 sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXAGE;
971 }
972
973 if (tb[XFRMA_REPLAY_THRESH]) {
974 sa->replay_maxdiff = *(uint32_t*)nla_data(tb[XFRMA_REPLAY_THRESH]);
975 sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXDIFF;
976 }
977
978 if (tb[XFRMA_REPLAY_ESN_VAL]) {
979 struct xfrm_replay_state_esn* esn = nla_data (tb[XFRMA_REPLAY_ESN_VAL]);
980
981 len = sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * esn->bmp_len);
982 if ((sa->replay_state_esn = calloc (1, len)) == NULL)
983 return -NLE_NOMEM;
984 memcpy ((void *)sa->replay_state_esn, (void *)esn, len);
985 sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
986 }
987 else if (tb[XFRMA_REPLAY_VAL])
988 {
989 struct xfrm_replay_state* replay_state = nla_data (tb[XFRMA_REPLAY_VAL]);
990 sa->replay_state.oseq = replay_state->oseq;
991 sa->replay_state.seq = replay_state->seq;
992 sa->replay_state.bitmap = replay_state->bitmap;
993 sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
994 sa->replay_state_esn = NULL;
995 }
996
997 if (tb[XFRMA_OFFLOAD_DEV]) {
998 struct xfrm_user_offload *offload;
999
1000 len = sizeof(struct xfrmnl_user_offload);
1001 if ((sa->user_offload = calloc(1, len)) == NULL)
1002 return -NLE_NOMEM;
1003 offload = nla_data(tb[XFRMA_OFFLOAD_DEV]);
1004 sa->user_offload->ifindex = offload->ifindex;
1005 sa->user_offload->flags = offload->flags;
1006 sa->ce_mask |= XFRM_SA_ATTR_OFFLOAD_DEV;
1007 }
1008
1009 *result = _nl_steal_pointer(&sa);
1010 return 0;
1011}
1012
1013static int xfrm_sa_update_cache (struct nl_cache *cache, struct nl_object *obj,
1014 change_func_t change_cb, change_func_v2_t change_cb_v2,
1015 void *data)
1016{
1017 _nl_auto_nl_object struct nl_object* old_sa = NULL;
1018 struct xfrmnl_sa* sa = (struct xfrmnl_sa*)obj;
1019
1020 if (nl_object_get_msgtype (obj) == XFRM_MSG_EXPIRE)
1021 {
1022 /* On hard expiry, the SA gets deleted too from the kernel state without any
1023 * further delete event. On Expire message, we are only updating the cache with
1024 * the SA object's new state. In absence of the explicit delete event, the cache will
1025 * be out of sync with the kernel state. To get around this, expiry messages cache
1026 * operations are handled here (installed with NL_ACT_UNSPEC action) instead of
1027 * in Libnl Cache module. */
1028
1029 /* Do we already have this object in the cache? */
1030 old_sa = nl_cache_search(cache, obj);
1031 if (old_sa)
1032 {
1033 /* Found corresponding SA object in cache. Delete it */
1034 nl_cache_remove (old_sa);
1035 }
1036
1037 /* Handle the expiry event now */
1038 if (sa->hard == 0)
1039 {
1040 /* Soft expiry event: Save the new object to the
1041 * cache and notify application of the expiry event. */
1042 nl_cache_move (cache, obj);
1043
1044 if (old_sa == NULL)
1045 {
1046 /* Application CB present, no previous instance of SA object present.
1047 * Notify application CB as a NEW event */
1048 if (change_cb_v2)
1049 change_cb_v2(cache, NULL, obj, 0, NL_ACT_NEW, data);
1050 else if (change_cb)
1051 change_cb(cache, obj, NL_ACT_NEW, data);
1052 }
1053 else
1054 {
1055 uint64_t diff = 0;
1056 if (change_cb || change_cb_v2)
1057 diff = nl_object_diff64(old_sa, obj);
1058
1059 /* Application CB present, a previous instance of SA object present.
1060 * Notify application CB as a CHANGE1 event */
1061 if (diff) {
1062 if (change_cb_v2) {
1063 change_cb_v2(cache, old_sa, obj, diff, NL_ACT_CHANGE, data);
1064 } else if (change_cb)
1065 change_cb(cache, obj, NL_ACT_CHANGE, data);
1066 }
1067 }
1068 }
1069 else
1070 {
1071 /* Hard expiry event: Delete the object from the
1072 * cache and notify application of the expiry event. */
1073 if (change_cb_v2)
1074 change_cb_v2(cache, obj, NULL, 0, NL_ACT_DEL, data);
1075 else if (change_cb)
1076 change_cb (cache, obj, NL_ACT_DEL, data);
1077 }
1078
1079 /* Done handling expire message */
1080 return 0;
1081 }
1082 else
1083 {
1084 /* All other messages other than Expire, let the standard Libnl cache
1085 * module handle it. */
1086 if (change_cb_v2)
1087 return nl_cache_include_v2(cache, obj, change_cb_v2, data);
1088 else
1089 return nl_cache_include (cache, obj, change_cb, data);
1090 }
1091}
1092
1093static int xfrm_sa_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
1094 struct nlmsghdr *n, struct nl_parser_param *pp)
1095{
1096 struct xfrmnl_sa* sa;
1097 int err;
1098
1099 if ((err = xfrmnl_sa_parse(n, &sa)) < 0)
1100 return err;
1101
1102 err = pp->pp_cb((struct nl_object *) sa, pp);
1103
1104 xfrmnl_sa_put(sa);
1105 return err;
1106}
1107
1108/**
1109 * @name XFRM SA Get
1110 * @{
1111 */
1112
1113int xfrmnl_sa_build_get_request(struct nl_addr* daddr, unsigned int spi, unsigned int protocol, unsigned int mark_v, unsigned int mark_m, struct nl_msg **result)
1114{
1115 struct nl_msg *msg;
1116 struct xfrm_usersa_id sa_id;
1117 struct xfrm_mark mark;
1118
1119 if (!daddr || !spi)
1120 {
1121 fprintf(stderr, "APPLICATION BUG: %s:%d:%s: A valid destination address, spi must be specified\n",
1122 __FILE__, __LINE__, __func__);
1123 assert(0);
1124 return -NLE_MISSING_ATTR;
1125 }
1126
1127 memset(&sa_id, 0, sizeof(sa_id));
1128 memcpy (&sa_id.daddr, nl_addr_get_binary_addr (daddr), sizeof (uint8_t) * nl_addr_get_len (daddr));
1129 sa_id.family = nl_addr_get_family (daddr);
1130 sa_id.spi = htonl(spi);
1131 sa_id.proto = protocol;
1132
1133 if (!(msg = nlmsg_alloc_simple(XFRM_MSG_GETSA, 0)))
1134 return -NLE_NOMEM;
1135
1136 if (nlmsg_append(msg, &sa_id, sizeof(sa_id), NLMSG_ALIGNTO) < 0)
1137 goto nla_put_failure;
1138
1139 if ((mark_m & mark_v) != 0)
1140 {
1141 memset(&mark, 0, sizeof(struct xfrm_mark));
1142 mark.m = mark_m;
1143 mark.v = mark_v;
1144
1145 NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &mark);
1146 }
1147
1148 *result = msg;
1149 return 0;
1150
1151nla_put_failure:
1152 nlmsg_free(msg);
1153 return -NLE_MSGSIZE;
1154}
1155
1156int xfrmnl_sa_get_kernel(struct nl_sock* sock, struct nl_addr* daddr, unsigned int spi, unsigned int protocol, unsigned int mark_v, unsigned int mark_m, struct xfrmnl_sa** result)
1157{
1158 struct nl_msg *msg = NULL;
1159 struct nl_object *obj;
1160 int err;
1161
1162 if ((err = xfrmnl_sa_build_get_request(daddr, spi, protocol, mark_m, mark_v, &msg)) < 0)
1163 return err;
1164
1165 err = nl_send_auto(sock, msg);
1166 nlmsg_free(msg);
1167 if (err < 0)
1168 return err;
1169
1170 if ((err = nl_pickup(sock, &xfrm_sa_msg_parser, &obj)) < 0)
1171 return err;
1172
1173 /* We have used xfrm_sa_msg_parser(), object is definitely a xfrm sa */
1174 *result = (struct xfrmnl_sa *) obj;
1175
1176 /* If an object has been returned, we also need to wait for the ACK */
1177 if (err == 0 && obj)
1178 nl_wait_for_ack(sock);
1179
1180 return 0;
1181}
1182
1183/** @} */
1184
1185static int build_xfrm_sa_message(struct xfrmnl_sa *tmpl, int cmd, int flags, struct nl_msg **result)
1186{
1187 struct nl_msg* msg;
1188 struct xfrm_usersa_info sa_info;
1189 uint32_t len;
1190 struct nl_addr* addr;
1191
1192 if (!(tmpl->ce_mask & XFRM_SA_ATTR_DADDR) ||
1193 !(tmpl->ce_mask & XFRM_SA_ATTR_SPI) ||
1194 !(tmpl->ce_mask & XFRM_SA_ATTR_PROTO))
1195 return -NLE_MISSING_ATTR;
1196
1197 memset ((void*)&sa_info, 0, sizeof (sa_info));
1198 if (tmpl->ce_mask & XFRM_SA_ATTR_SEL)
1199 {
1200 addr = xfrmnl_sel_get_daddr (tmpl->sel);
1201 memcpy ((void*)&sa_info.sel.daddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
1202 addr = xfrmnl_sel_get_saddr (tmpl->sel);
1203 memcpy ((void*)&sa_info.sel.saddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
1204 sa_info.sel.dport = htons (xfrmnl_sel_get_dport (tmpl->sel));
1205 sa_info.sel.dport_mask = htons (xfrmnl_sel_get_dportmask (tmpl->sel));
1206 sa_info.sel.sport = htons (xfrmnl_sel_get_sport (tmpl->sel));
1207 sa_info.sel.sport_mask = htons (xfrmnl_sel_get_sportmask (tmpl->sel));
1208 sa_info.sel.family = xfrmnl_sel_get_family (tmpl->sel);
1209 sa_info.sel.prefixlen_d = xfrmnl_sel_get_prefixlen_d (tmpl->sel);
1210 sa_info.sel.prefixlen_s = xfrmnl_sel_get_prefixlen_s (tmpl->sel);
1211 sa_info.sel.proto = xfrmnl_sel_get_proto (tmpl->sel);
1212 sa_info.sel.ifindex = xfrmnl_sel_get_ifindex (tmpl->sel);
1213 sa_info.sel.user = xfrmnl_sel_get_userid (tmpl->sel);
1214 }
1215
1216 memcpy (&sa_info.id.daddr, nl_addr_get_binary_addr (tmpl->id.daddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->id.daddr));
1217 sa_info.id.spi = htonl(tmpl->id.spi);
1218 sa_info.id.proto = tmpl->id.proto;
1219
1220 if (tmpl->ce_mask & XFRM_SA_ATTR_SADDR)
1221 memcpy (&sa_info.saddr, nl_addr_get_binary_addr (tmpl->saddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->saddr));
1222
1223 if (tmpl->ce_mask & XFRM_SA_ATTR_LTIME_CFG)
1224 {
1225 sa_info.lft.soft_byte_limit = xfrmnl_ltime_cfg_get_soft_bytelimit (tmpl->lft);
1226 sa_info.lft.hard_byte_limit = xfrmnl_ltime_cfg_get_hard_bytelimit (tmpl->lft);
1227 sa_info.lft.soft_packet_limit = xfrmnl_ltime_cfg_get_soft_packetlimit (tmpl->lft);
1228 sa_info.lft.hard_packet_limit = xfrmnl_ltime_cfg_get_hard_packetlimit (tmpl->lft);
1229 sa_info.lft.soft_add_expires_seconds = xfrmnl_ltime_cfg_get_soft_addexpires (tmpl->lft);
1230 sa_info.lft.hard_add_expires_seconds = xfrmnl_ltime_cfg_get_hard_addexpires (tmpl->lft);
1231 sa_info.lft.soft_use_expires_seconds = xfrmnl_ltime_cfg_get_soft_useexpires (tmpl->lft);
1232 sa_info.lft.hard_use_expires_seconds = xfrmnl_ltime_cfg_get_hard_useexpires (tmpl->lft);
1233 }
1234
1235 //Skip current lifetime: cur lifetime can be updated only via AE
1236 //Skip stats: stats cant be updated
1237 //Skip seq: seq cant be updated
1238
1239 if (tmpl->ce_mask & XFRM_SA_ATTR_REQID)
1240 sa_info.reqid = tmpl->reqid;
1241
1242 if (tmpl->ce_mask & XFRM_SA_ATTR_FAMILY)
1243 sa_info.family = tmpl->family;
1244
1245 if (tmpl->ce_mask & XFRM_SA_ATTR_MODE)
1246 sa_info.mode = tmpl->mode;
1247
1248 if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_WIN)
1249 sa_info.replay_window = tmpl->replay_window;
1250
1251 if (tmpl->ce_mask & XFRM_SA_ATTR_FLAGS)
1252 sa_info.flags = tmpl->flags;
1253
1254 msg = nlmsg_alloc_simple(cmd, flags);
1255 if (!msg)
1256 return -NLE_NOMEM;
1257
1258 if (nlmsg_append(msg, &sa_info, sizeof(sa_info), NLMSG_ALIGNTO) < 0)
1259 goto nla_put_failure;
1260
1261 if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_AEAD) {
1262 len = sizeof (struct xfrm_algo_aead) + ((tmpl->aead->alg_key_len + 7) / 8);
1263 NLA_PUT (msg, XFRMA_ALG_AEAD, len, tmpl->aead);
1264 }
1265
1266 if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_AUTH) {
1267 /* kernel prefers XFRMA_ALG_AUTH_TRUNC over XFRMA_ALG_AUTH, so only
1268 * one of the attributes needs to be present */
1269 if (tmpl->auth->alg_trunc_len) {
1270 len = sizeof (struct xfrm_algo_auth) + ((tmpl->auth->alg_key_len + 7) / 8);
1271 NLA_PUT (msg, XFRMA_ALG_AUTH_TRUNC, len, tmpl->auth);
1272 } else {
1273 struct xfrm_algo *auth;
1274
1275 len = sizeof (struct xfrm_algo) + ((tmpl->auth->alg_key_len + 7) / 8);
1276 auth = malloc(len);
1277 if (!auth) {
1278 nlmsg_free(msg);
1279 return -NLE_NOMEM;
1280 }
1281
1282 _nl_strncpy_assert(auth->alg_name, tmpl->auth->alg_name, sizeof(auth->alg_name));
1283 auth->alg_key_len = tmpl->auth->alg_key_len;
1284 memcpy(auth->alg_key, tmpl->auth->alg_key, (tmpl->auth->alg_key_len + 7) / 8);
1285 if (nla_put(msg, XFRMA_ALG_AUTH, len, auth) < 0) {
1286 free(auth);
1287 goto nla_put_failure;
1288 }
1289 free(auth);
1290 }
1291 }
1292
1293 if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_CRYPT) {
1294 len = sizeof (struct xfrm_algo) + ((tmpl->crypt->alg_key_len + 7) / 8);
1295 NLA_PUT (msg, XFRMA_ALG_CRYPT, len, tmpl->crypt);
1296 }
1297
1298 if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_COMP) {
1299 len = sizeof (struct xfrm_algo) + ((tmpl->comp->alg_key_len + 7) / 8);
1300 NLA_PUT (msg, XFRMA_ALG_COMP, len, tmpl->comp);
1301 }
1302
1303 if (tmpl->ce_mask & XFRM_SA_ATTR_ENCAP) {
1304 struct xfrm_encap_tmpl* encap_tmpl;
1305 struct nlattr* encap_attr;
1306
1307 len = sizeof (struct xfrm_encap_tmpl);
1308 encap_attr = nla_reserve(msg, XFRMA_ENCAP, len);
1309 if (!encap_attr)
1310 goto nla_put_failure;
1311 encap_tmpl = nla_data (encap_attr);
1312 encap_tmpl->encap_type = tmpl->encap->encap_type;
1313 encap_tmpl->encap_sport = htons (tmpl->encap->encap_sport);
1314 encap_tmpl->encap_dport = htons (tmpl->encap->encap_dport);
1315 memcpy (&encap_tmpl->encap_oa, nl_addr_get_binary_addr (tmpl->encap->encap_oa), sizeof (uint8_t) * nl_addr_get_len (tmpl->encap->encap_oa));
1316 }
1317
1318 if (tmpl->ce_mask & XFRM_SA_ATTR_TFCPAD) {
1319 NLA_PUT_U32 (msg, XFRMA_TFCPAD, tmpl->tfcpad);
1320 }
1321
1322 if (tmpl->ce_mask & XFRM_SA_ATTR_COADDR) {
1323 NLA_PUT (msg, XFRMA_COADDR, sizeof (xfrm_address_t), tmpl->coaddr);
1324 }
1325
1326 if (tmpl->ce_mask & XFRM_SA_ATTR_MARK) {
1327 NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
1328 }
1329
1330 if (tmpl->ce_mask & XFRM_SA_ATTR_SECCTX) {
1331 len = sizeof (struct xfrm_sec_ctx) + tmpl->sec_ctx->ctx_len;
1332 NLA_PUT (msg, XFRMA_SEC_CTX, len, tmpl->sec_ctx);
1333 }
1334
1335 if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_MAXAGE) {
1336 NLA_PUT_U32 (msg, XFRMA_ETIMER_THRESH, tmpl->replay_maxage);
1337 }
1338
1339 if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_MAXDIFF) {
1340 NLA_PUT_U32 (msg, XFRMA_REPLAY_THRESH, tmpl->replay_maxdiff);
1341 }
1342
1343 if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_STATE) {
1344 if (tmpl->replay_state_esn) {
1345 len = sizeof (struct xfrm_replay_state_esn) + (sizeof (uint32_t) * tmpl->replay_state_esn->bmp_len);
1346 NLA_PUT (msg, XFRMA_REPLAY_ESN_VAL, len, tmpl->replay_state_esn);
1347 }
1348 else {
1349 NLA_PUT (msg, XFRMA_REPLAY_VAL, sizeof (struct xfrm_replay_state), &tmpl->replay_state);
1350 }
1351 }
1352
1353 if (tmpl->ce_mask & XFRM_SA_ATTR_OFFLOAD_DEV) {
1354 struct xfrm_user_offload *offload;
1355 struct nlattr *attr;
1356
1357 len = sizeof(struct xfrm_user_offload);
1358 attr = nla_reserve(msg, XFRMA_OFFLOAD_DEV, len);
1359
1360 if (!attr)
1361 goto nla_put_failure;
1362
1363 offload = nla_data(attr);
1364 offload->ifindex = tmpl->user_offload->ifindex;
1365 offload->flags = tmpl->user_offload->flags;
1366 }
1367
1368 *result = msg;
1369 return 0;
1370
1371nla_put_failure:
1372 nlmsg_free(msg);
1373 return -NLE_MSGSIZE;
1374}
1375
1376/**
1377 * @name XFRM SA Add
1378 * @{
1379 */
1380
1381int xfrmnl_sa_build_add_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1382{
1383 return build_xfrm_sa_message (tmpl, XFRM_MSG_NEWSA, flags, result);
1384}
1385
1386int xfrmnl_sa_add(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1387{
1388 int err;
1389 struct nl_msg *msg;
1390
1391 if ((err = xfrmnl_sa_build_add_request(tmpl, flags, &msg)) < 0)
1392 return err;
1393
1394 err = nl_send_auto_complete(sk, msg);
1395 nlmsg_free(msg);
1396 if (err < 0)
1397 return err;
1398
1399 return nl_wait_for_ack(sk);
1400}
1401
1402/**
1403 * @name XFRM SA Update
1404 * @{
1405 */
1406
1407int xfrmnl_sa_build_update_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1408{
1409 return build_xfrm_sa_message (tmpl, XFRM_MSG_UPDSA, flags, result);
1410}
1411
1412int xfrmnl_sa_update(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1413{
1414 int err;
1415 struct nl_msg *msg;
1416
1417 if ((err = xfrmnl_sa_build_update_request(tmpl, flags, &msg)) < 0)
1418 return err;
1419
1420 err = nl_send_auto_complete(sk, msg);
1421 nlmsg_free(msg);
1422 if (err < 0)
1423 return err;
1424
1425 return nl_wait_for_ack(sk);
1426}
1427
1428/** @} */
1429
1430static int build_xfrm_sa_delete_message(struct xfrmnl_sa *tmpl, int cmd, int flags, struct nl_msg **result)
1431{
1432 struct nl_msg* msg;
1433 struct xfrm_usersa_id sa_id;
1434
1435 if (!(tmpl->ce_mask & XFRM_SA_ATTR_DADDR) ||
1436 !(tmpl->ce_mask & XFRM_SA_ATTR_SPI) ||
1437 !(tmpl->ce_mask & XFRM_SA_ATTR_PROTO))
1438 return -NLE_MISSING_ATTR;
1439
1440 memset(&sa_id, 0, sizeof(struct xfrm_usersa_id));
1441 memcpy (&sa_id.daddr, nl_addr_get_binary_addr (tmpl->id.daddr),
1442 sizeof (uint8_t) * nl_addr_get_len (tmpl->id.daddr));
1443 sa_id.family = nl_addr_get_family (tmpl->id.daddr);
1444 sa_id.spi = htonl(tmpl->id.spi);
1445 sa_id.proto = tmpl->id.proto;
1446
1447 msg = nlmsg_alloc_simple(cmd, flags);
1448 if (!msg)
1449 return -NLE_NOMEM;
1450
1451 if (nlmsg_append(msg, &sa_id, sizeof(sa_id), NLMSG_ALIGNTO) < 0)
1452 goto nla_put_failure;
1453
1454 if (tmpl->ce_mask & XFRM_SA_ATTR_MARK) {
1455 NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
1456 }
1457
1458 *result = msg;
1459 return 0;
1460
1461nla_put_failure:
1462 nlmsg_free(msg);
1463 return -NLE_MSGSIZE;
1464}
1465
1466/**
1467 * @name XFRM SA Delete
1468 * @{
1469 */
1470
1471int xfrmnl_sa_build_delete_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1472{
1473 return build_xfrm_sa_delete_message (tmpl, XFRM_MSG_DELSA, flags, result);
1474}
1475
1476int xfrmnl_sa_delete(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1477{
1478 int err;
1479 struct nl_msg *msg;
1480
1481 if ((err = xfrmnl_sa_build_delete_request(tmpl, flags, &msg)) < 0)
1482 return err;
1483
1484 err = nl_send_auto_complete(sk, msg);
1485 nlmsg_free(msg);
1486 if (err < 0)
1487 return err;
1488
1489 return nl_wait_for_ack(sk);
1490}
1491
1492/** @} */
1493
1494
1495/**
1496 * @name Attributes
1497 * @{
1498 */
1499
1500struct xfrmnl_sel* xfrmnl_sa_get_sel (struct xfrmnl_sa* sa)
1501{
1502 if (sa->ce_mask & XFRM_SA_ATTR_SEL)
1503 return sa->sel;
1504 else
1505 return NULL;
1506}
1507
1508int xfrmnl_sa_set_sel (struct xfrmnl_sa* sa, struct xfrmnl_sel* sel)
1509{
1510 /* Release any previously held selector object from the SA */
1511 if (sa->sel)
1512 xfrmnl_sel_put (sa->sel);
1513
1514 /* Increment ref count on new selector and save it in the SA */
1515 xfrmnl_sel_get (sel);
1516 sa->sel = sel;
1517 sa->ce_mask |= XFRM_SA_ATTR_SEL;
1518
1519 return 0;
1520}
1521
1522static inline int __assign_addr(struct xfrmnl_sa* sa, struct nl_addr **pos,
1523 struct nl_addr *new, int flag, int nocheck)
1524{
1525 if (!nocheck)
1526 {
1527 if (sa->ce_mask & XFRM_SA_ATTR_FAMILY)
1528 {
1529 if (nl_addr_get_family (new) != sa->family)
1530 return -NLE_AF_MISMATCH;
1531 }
1532 }
1533
1534 if (*pos)
1535 nl_addr_put(*pos);
1536
1537 nl_addr_get(new);
1538 *pos = new;
1539
1540 sa->ce_mask |= flag;
1541
1542 return 0;
1543}
1544
1545
1546struct nl_addr* xfrmnl_sa_get_daddr (struct xfrmnl_sa* sa)
1547{
1548 if (sa->ce_mask & XFRM_SA_ATTR_DADDR)
1549 return sa->id.daddr;
1550 else
1551 return NULL;
1552}
1553
1554int xfrmnl_sa_set_daddr (struct xfrmnl_sa* sa, struct nl_addr* addr)
1555{
1556 return __assign_addr(sa, &sa->id.daddr, addr, XFRM_SA_ATTR_DADDR, 0);
1557}
1558
1559int xfrmnl_sa_get_spi (struct xfrmnl_sa* sa)
1560{
1561 if (sa->ce_mask & XFRM_SA_ATTR_SPI)
1562 return sa->id.spi;
1563 else
1564 return -1;
1565}
1566
1567int xfrmnl_sa_set_spi (struct xfrmnl_sa* sa, unsigned int spi)
1568{
1569 sa->id.spi = spi;
1570 sa->ce_mask |= XFRM_SA_ATTR_SPI;
1571
1572 return 0;
1573}
1574
1575int xfrmnl_sa_get_proto (struct xfrmnl_sa* sa)
1576{
1577 if (sa->ce_mask & XFRM_SA_ATTR_PROTO)
1578 return sa->id.proto;
1579 else
1580 return -1;
1581}
1582
1583int xfrmnl_sa_set_proto (struct xfrmnl_sa* sa, unsigned int protocol)
1584{
1585 sa->id.proto = protocol;
1586 sa->ce_mask |= XFRM_SA_ATTR_PROTO;
1587
1588 return 0;
1589}
1590
1591struct nl_addr* xfrmnl_sa_get_saddr (struct xfrmnl_sa* sa)
1592{
1593 if (sa->ce_mask & XFRM_SA_ATTR_SADDR)
1594 return sa->saddr;
1595 else
1596 return NULL;
1597}
1598
1599int xfrmnl_sa_set_saddr (struct xfrmnl_sa* sa, struct nl_addr* addr)
1600{
1601 return __assign_addr(sa, &sa->saddr, addr, XFRM_SA_ATTR_SADDR, 1);
1602}
1603
1604struct xfrmnl_ltime_cfg* xfrmnl_sa_get_lifetime_cfg (struct xfrmnl_sa* sa)
1605{
1606 if (sa->ce_mask & XFRM_SA_ATTR_LTIME_CFG)
1607 return sa->lft;
1608 else
1609 return NULL;
1610}
1611
1612int xfrmnl_sa_set_lifetime_cfg (struct xfrmnl_sa* sa, struct xfrmnl_ltime_cfg* ltime)
1613{
1614 /* Release any previously held lifetime cfg object from the SA */
1615 if (sa->lft)
1616 xfrmnl_ltime_cfg_put (sa->lft);
1617
1618 /* Increment ref count on new lifetime object and save it in the SA */
1619 xfrmnl_ltime_cfg_get (ltime);
1620 sa->lft = ltime;
1621 sa->ce_mask |= XFRM_SA_ATTR_LTIME_CFG;
1622
1623 return 0;
1624}
1625
1626int xfrmnl_sa_get_curlifetime (struct xfrmnl_sa* sa, unsigned long long int* curr_bytes,
1627 unsigned long long int* curr_packets, unsigned long long int* curr_add_time, unsigned long long int* curr_use_time)
1628{
1629 if (sa == NULL || curr_bytes == NULL || curr_packets == NULL || curr_add_time == NULL || curr_use_time == NULL)
1630 return -1;
1631
1632 if (sa->ce_mask & XFRM_SA_ATTR_LTIME_CUR)
1633 {
1634 *curr_bytes = sa->curlft.bytes;
1635 *curr_packets = sa->curlft.packets;
1636 *curr_add_time = sa->curlft.add_time;
1637 *curr_use_time = sa->curlft.use_time;
1638 }
1639 else
1640 return -1;
1641
1642 return 0;
1643}
1644
1645int xfrmnl_sa_get_stats (struct xfrmnl_sa* sa, unsigned long long int* replay_window,
1646 unsigned long long int* replay, unsigned long long int* integrity_failed)
1647{
1648 if (sa == NULL || replay_window == NULL || replay == NULL || integrity_failed == NULL)
1649 return -1;
1650
1651 if (sa->ce_mask & XFRM_SA_ATTR_STATS)
1652 {
1653 *replay_window = sa->stats.replay_window;
1654 *replay = sa->stats.replay;
1655 *integrity_failed = sa->stats.integrity_failed;
1656 }
1657 else
1658 return -1;
1659
1660 return 0;
1661}
1662
1663int xfrmnl_sa_get_seq (struct xfrmnl_sa* sa)
1664{
1665 if (sa->ce_mask & XFRM_SA_ATTR_SEQ)
1666 return sa->seq;
1667 else
1668 return -1;
1669}
1670
1671int xfrmnl_sa_get_reqid (struct xfrmnl_sa* sa)
1672{
1673 if (sa->ce_mask & XFRM_SA_ATTR_REQID)
1674 return sa->reqid;
1675 else
1676 return -1;
1677}
1678
1679int xfrmnl_sa_set_reqid (struct xfrmnl_sa* sa, unsigned int reqid)
1680{
1681 sa->reqid = reqid;
1682 sa->ce_mask |= XFRM_SA_ATTR_REQID;
1683
1684 return 0;
1685}
1686
1687int xfrmnl_sa_get_family (struct xfrmnl_sa* sa)
1688{
1689 if (sa->ce_mask & XFRM_SA_ATTR_FAMILY)
1690 return sa->family;
1691 else
1692 return -1;
1693}
1694
1695int xfrmnl_sa_set_family (struct xfrmnl_sa* sa, unsigned int family)
1696{
1697 sa->family = family;
1698 sa->ce_mask |= XFRM_SA_ATTR_FAMILY;
1699
1700 return 0;
1701}
1702
1703int xfrmnl_sa_get_mode (struct xfrmnl_sa* sa)
1704{
1705 if (sa->ce_mask & XFRM_SA_ATTR_MODE)
1706 return sa->mode;
1707 else
1708 return -1;
1709}
1710
1711int xfrmnl_sa_set_mode (struct xfrmnl_sa* sa, unsigned int mode)
1712{
1713 sa->mode = mode;
1714 sa->ce_mask |= XFRM_SA_ATTR_MODE;
1715
1716 return 0;
1717}
1718
1719int xfrmnl_sa_get_replay_window (struct xfrmnl_sa* sa)
1720{
1721 if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_WIN)
1722 return sa->replay_window;
1723 else
1724 return -1;
1725}
1726
1727int xfrmnl_sa_set_replay_window (struct xfrmnl_sa* sa, unsigned int replay_window)
1728{
1729 sa->replay_window = replay_window;
1730 sa->ce_mask |= XFRM_SA_ATTR_REPLAY_WIN;
1731
1732 return 0;
1733}
1734
1735int xfrmnl_sa_get_flags (struct xfrmnl_sa* sa)
1736{
1737 if (sa->ce_mask & XFRM_SA_ATTR_FLAGS)
1738 return sa->flags;
1739 else
1740 return -1;
1741}
1742
1743int xfrmnl_sa_set_flags (struct xfrmnl_sa* sa, unsigned int flags)
1744{
1745 sa->flags = flags;
1746 sa->ce_mask |= XFRM_SA_ATTR_FLAGS;
1747
1748 return 0;
1749}
1750
1751/**
1752 * Get the aead-params
1753 * @arg sa the xfrmnl_sa object
1754 * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1755 * @arg key_len an optional output value for the key length in bits.
1756 * @arg icv_len an optional output value for the alt-icv-len.
1757 * @arg key an optional buffer large enough for the key. It must contain at least
1758 * ((@key_len + 7) / 8) bytes.
1759 *
1760 * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1761 * call xfrmnl_sa_get_aead_params() without @key argument to query only the required buffer size.
1762 * This modified API is available in all versions of libnl3 that support the capability
1763 * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1764 *
1765 * @return 0 on success or a negative error code.
1766 */
1767int xfrmnl_sa_get_aead_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, unsigned int* icv_len, char* key)
1768{
1769 if (sa->ce_mask & XFRM_SA_ATTR_ALG_AEAD)
1770 {
1771 if (alg_name)
1772 strcpy (alg_name, sa->aead->alg_name);
1773 if (key_len)
1774 *key_len = sa->aead->alg_key_len;
1775 if (icv_len)
1776 *icv_len = sa->aead->alg_icv_len;
1777 if (key)
1778 memcpy (key, sa->aead->alg_key, ((sa->aead->alg_key_len + 7)/8));
1779 }
1780 else
1781 return -1;
1782
1783 return 0;
1784}
1785
1786int xfrmnl_sa_set_aead_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, unsigned int icv_len, const char* key)
1787{
1788 _nl_auto_free struct xfrmnl_algo_aead *b = NULL;
1789 size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1790 uint32_t newlen = sizeof (struct xfrmnl_algo_aead) + keysize;
1791
1792 /* Free up the old key and allocate memory to hold new key */
1793 if (strlen (alg_name) >= sizeof (sa->aead->alg_name))
1794 return -1;
1795 if (!(b = calloc (1, newlen)))
1796 return -1;
1797
1798 strcpy (b->alg_name, alg_name);
1799 b->alg_key_len = key_len;
1800 b->alg_icv_len = icv_len;
1801 memcpy (b->alg_key, key, keysize);
1802
1803 free (sa->aead);
1804 sa->aead = _nl_steal_pointer (&b);
1805 sa->ce_mask |= XFRM_SA_ATTR_ALG_AEAD;
1806 return 0;
1807}
1808
1809/**
1810 * Get the auth-params
1811 * @arg sa the xfrmnl_sa object
1812 * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1813 * @arg key_len an optional output value for the key length in bits.
1814 * @arg trunc_len an optional output value for the alg-trunc-len.
1815 * @arg key an optional buffer large enough for the key. It must contain at least
1816 * ((@key_len + 7) / 8) bytes.
1817 *
1818 * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1819 * call xfrmnl_sa_get_auth_params() without @key argument to query only the required buffer size.
1820 * This modified API is available in all versions of libnl3 that support the capability
1821 * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1822 *
1823 * @return 0 on success or a negative error code.
1824 */
1825int xfrmnl_sa_get_auth_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, unsigned int* trunc_len, char* key)
1826{
1827 if (!(sa->ce_mask & XFRM_SA_ATTR_ALG_AUTH))
1828 return -NLE_MISSING_ATTR;
1829
1830 if (alg_name)
1831 strcpy(alg_name, sa->auth->alg_name);
1832 if (key_len)
1833 *key_len = sa->auth->alg_key_len;
1834 if (trunc_len)
1835 *trunc_len = sa->auth->alg_trunc_len;
1836 if (key)
1837 memcpy(key, sa->auth->alg_key, (sa->auth->alg_key_len + 7) / 8);
1838 return 0;
1839}
1840
1841int xfrmnl_sa_set_auth_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, unsigned int trunc_len, const char* key)
1842{
1843 _nl_auto_free struct xfrmnl_algo_auth *b = NULL;
1844 size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1845 uint32_t newlen = sizeof (struct xfrmnl_algo_auth) + keysize;
1846
1847 if (strlen (alg_name) >= sizeof (sa->auth->alg_name))
1848 return -1;
1849 if (!(b = calloc (1, newlen)))
1850 return -1;
1851
1852 strcpy (b->alg_name, alg_name);
1853 b->alg_key_len = key_len;
1854 b->alg_trunc_len = trunc_len;
1855 memcpy (b->alg_key, key, keysize);
1856
1857 free (sa->auth);
1858 sa->auth = _nl_steal_pointer (&b);
1859 sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
1860 return 0;
1861}
1862
1863/**
1864 * Get the crypto-params
1865 * @arg sa the xfrmnl_sa object
1866 * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1867 * @arg key_len an optional output value for the key length in bits.
1868 * @arg key an optional buffer large enough for the key. It must contain at least
1869 * ((@key_len + 7) / 8) bytes.
1870 *
1871 * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1872 * call xfrmnl_sa_get_crypto_params() without @key argument to query only the required buffer size.
1873 * This modified API is available in all versions of libnl3 that support the capability
1874 * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1875 *
1876 * @return 0 on success or a negative error code.
1877 */
1878int xfrmnl_sa_get_crypto_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, char* key)
1879{
1880 if (sa->ce_mask & XFRM_SA_ATTR_ALG_CRYPT)
1881 {
1882 if (alg_name)
1883 strcpy (alg_name, sa->crypt->alg_name);
1884 if (key_len)
1885 *key_len = sa->crypt->alg_key_len;
1886 if (key)
1887 memcpy (key, sa->crypt->alg_key, ((sa->crypt->alg_key_len + 7)/8));
1888 }
1889 else
1890 return -1;
1891
1892 return 0;
1893}
1894
1895int xfrmnl_sa_set_crypto_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, const char* key)
1896{
1897 _nl_auto_free struct xfrmnl_algo *b = NULL;
1898 size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1899 uint32_t newlen = sizeof (struct xfrmnl_algo) + keysize;
1900
1901 if (strlen (alg_name) >= sizeof (sa->crypt->alg_name))
1902 return -1;
1903 if (!(b = calloc (1, newlen)))
1904 return -1;
1905
1906 strcpy (b->alg_name, alg_name);
1907 b->alg_key_len = key_len;
1908 memcpy (b->alg_key, key, keysize);
1909
1910 free(sa->crypt);
1911 sa->crypt = _nl_steal_pointer(&b);
1912 sa->ce_mask |= XFRM_SA_ATTR_ALG_CRYPT;
1913 return 0;
1914}
1915
1916/**
1917 * Get the comp-params
1918 * @arg sa the xfrmnl_sa object
1919 * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1920 * @arg key_len an optional output value for the key length in bits.
1921 * @arg key an optional buffer large enough for the key. It must contain at least
1922 * ((@key_len + 7) / 8) bytes.
1923 *
1924 * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1925 * call xfrmnl_sa_get_comp_params() without @key argument to query only the required buffer size.
1926 * This modified API is available in all versions of libnl3 that support the capability
1927 * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1928 *
1929 * @return 0 on success or a negative error code.
1930 */
1931int xfrmnl_sa_get_comp_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, char* key)
1932{
1933 if (sa->ce_mask & XFRM_SA_ATTR_ALG_COMP)
1934 {
1935 if (alg_name)
1936 strcpy (alg_name, sa->comp->alg_name);
1937 if (key_len)
1938 *key_len = sa->comp->alg_key_len;
1939 if (key)
1940 memcpy (key, sa->comp->alg_key, ((sa->comp->alg_key_len + 7)/8));
1941 }
1942 else
1943 return -1;
1944
1945 return 0;
1946}
1947
1948int xfrmnl_sa_set_comp_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, const char* key)
1949{
1950 _nl_auto_free struct xfrmnl_algo *b = NULL;
1951 size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1952 uint32_t newlen = sizeof (struct xfrmnl_algo) + keysize;
1953
1954 if (strlen (alg_name) >= sizeof (sa->comp->alg_name))
1955 return -1;
1956 if (!(b = calloc (1, newlen)))
1957 return -1;
1958
1959 strcpy (b->alg_name, alg_name);
1960 b->alg_key_len = key_len;
1961 memcpy (b->alg_key, key, keysize);
1962
1963 free(sa->comp);
1964 sa->comp = _nl_steal_pointer(&b);
1965 sa->ce_mask |= XFRM_SA_ATTR_ALG_COMP;
1966 return 0;
1967}
1968
1969int xfrmnl_sa_get_encap_tmpl (struct xfrmnl_sa* sa, unsigned int* encap_type, unsigned int* encap_sport, unsigned int* encap_dport, struct nl_addr** encap_oa)
1970{
1971 if (sa->ce_mask & XFRM_SA_ATTR_ENCAP)
1972 {
1973 *encap_type = sa->encap->encap_type;
1974 *encap_sport = sa->encap->encap_sport;
1975 *encap_dport = sa->encap->encap_dport;
1976 *encap_oa = nl_addr_clone (sa->encap->encap_oa);
1977 }
1978 else
1979 return -1;
1980
1981 return 0;
1982}
1983
1984int xfrmnl_sa_set_encap_tmpl (struct xfrmnl_sa* sa, unsigned int encap_type, unsigned int encap_sport, unsigned int encap_dport, struct nl_addr* encap_oa)
1985{
1986 if (sa->encap) {
1987 /* Free up the old encap OA */
1988 if (sa->encap->encap_oa)
1989 nl_addr_put(sa->encap->encap_oa);
1990 memset(sa->encap, 0, sizeof (*sa->encap));
1991 } else if ((sa->encap = calloc(1, sizeof(*sa->encap))) == NULL)
1992 return -1;
1993
1994 /* Save the new info */
1995 sa->encap->encap_type = encap_type;
1996 sa->encap->encap_sport = encap_sport;
1997 sa->encap->encap_dport = encap_dport;
1998 nl_addr_get (encap_oa);
1999 sa->encap->encap_oa = encap_oa;
2000
2001 sa->ce_mask |= XFRM_SA_ATTR_ENCAP;
2002
2003 return 0;
2004}
2005
2006int xfrmnl_sa_get_tfcpad (struct xfrmnl_sa* sa)
2007{
2008 if (sa->ce_mask & XFRM_SA_ATTR_TFCPAD)
2009 return sa->tfcpad;
2010 else
2011 return -1;
2012}
2013
2014int xfrmnl_sa_set_tfcpad (struct xfrmnl_sa* sa, unsigned int tfcpad)
2015{
2016 sa->tfcpad = tfcpad;
2017 sa->ce_mask |= XFRM_SA_ATTR_TFCPAD;
2018
2019 return 0;
2020}
2021
2022struct nl_addr* xfrmnl_sa_get_coaddr (struct xfrmnl_sa* sa)
2023{
2024 if (sa->ce_mask & XFRM_SA_ATTR_COADDR)
2025 return sa->coaddr;
2026 else
2027 return NULL;
2028}
2029
2030int xfrmnl_sa_set_coaddr (struct xfrmnl_sa* sa, struct nl_addr* coaddr)
2031{
2032 /* Free up the old coaddr */
2033 if (sa->coaddr)
2034 nl_addr_put (sa->coaddr);
2035
2036 /* Save the new info */
2037 nl_addr_get (coaddr);
2038 sa->coaddr = coaddr;
2039
2040 sa->ce_mask |= XFRM_SA_ATTR_COADDR;
2041
2042 return 0;
2043}
2044
2045int xfrmnl_sa_get_mark (struct xfrmnl_sa* sa, unsigned int* mark_mask, unsigned int* mark_value)
2046{
2047 if (mark_mask == NULL || mark_value == NULL)
2048 return -1;
2049
2050 if (sa->ce_mask & XFRM_SA_ATTR_MARK)
2051 {
2052 *mark_mask = sa->mark.m;
2053 *mark_value = sa->mark.v;
2054
2055 return 0;
2056 }
2057 else
2058 return -1;
2059}
2060
2061int xfrmnl_sa_set_mark (struct xfrmnl_sa* sa, unsigned int value, unsigned int mask)
2062{
2063 sa->mark.v = value;
2064 sa->mark.m = mask;
2065 sa->ce_mask |= XFRM_SA_ATTR_MARK;
2066
2067 return 0;
2068}
2069
2070/**
2071 * Get the security context.
2072 *
2073 * @arg sa The xfrmnl_sa object.
2074 * @arg doi An optional output value for the security context domain of interpretation.
2075 * @arg alg An optional output value for the security context algorithm.
2076 * @arg len An optional output value for the security context length, including the
2077 * terminating null byte ('\0').
2078 * @arg sid Unused parameter.
2079 * @arg ctx_str An optional buffer large enough for the security context string. It must
2080 * contain at least @len bytes.
2081 *
2082 * Warning: you must ensure that @ctx_str is large enough. If you don't know the length before-hand,
2083 * call xfrmnl_sa_get_sec_ctx() without @ctx_str argument to query only the required buffer size.
2084 * This modified API is available in all versions of libnl3 that support the capability
2085 * @def NL_CAPABILITY_XFRM_SEC_CTX_LEN (@see nl_has_capability for further information).
2086 *
2087 * @return 0 on success or a negative error code.
2088 */
2089int xfrmnl_sa_get_sec_ctx (struct xfrmnl_sa* sa, unsigned int* doi, unsigned int* alg,
2090 unsigned int* len, unsigned int* sid, char* ctx_str)
2091{
2092 if (sa->ce_mask & XFRM_SA_ATTR_SECCTX)
2093 {
2094 if (doi)
2095 *doi = sa->sec_ctx->ctx_doi;
2096 if (alg)
2097 *alg = sa->sec_ctx->ctx_alg;
2098 if (len)
2099 *len = sa->sec_ctx->ctx_len;
2100 if (ctx_str)
2101 memcpy (ctx_str, sa->sec_ctx->ctx, sa->sec_ctx->ctx_len);
2102 }
2103 else
2104 return -1;
2105
2106 return 0;
2107}
2108
2109/**
2110 * Set the security context.
2111 *
2112 * @arg sa The xfrmnl_sa object.
2113 * @arg doi Parameter for the security context domain of interpretation.
2114 * @arg alg Parameter for the security context algorithm.
2115 * @arg len Parameter for the length of the security context string containing
2116 * the terminating null byte ('\0').
2117 * @arg sid Unused parameter.
2118 * @arg ctx_str Buffer containing the security context string.
2119 *
2120 * @return 0 on success or a negative error code.
2121 */
2122int xfrmnl_sa_set_sec_ctx (struct xfrmnl_sa* sa, unsigned int doi, unsigned int alg, unsigned int len,
2123 unsigned int sid, const char* ctx_str)
2124{
2125 _nl_auto_free struct xfrmnl_user_sec_ctx *b = NULL;
2126
2127 if (!(b = calloc(1, sizeof (struct xfrmnl_user_sec_ctx) + 1 + len)))
2128 return -1;
2129
2130 b->len = sizeof(struct xfrmnl_user_sec_ctx) + len;
2131 b->exttype = XFRMA_SEC_CTX;
2132 b->ctx_alg = alg;
2133 b->ctx_doi = doi;
2134 b->ctx_len = len;
2135 memcpy (b->ctx, ctx_str, len);
2136 b->ctx[len] = '\0';
2137
2138 free(sa->sec_ctx);
2139 sa->sec_ctx = _nl_steal_pointer(&b);
2140 sa->ce_mask |= XFRM_SA_ATTR_SECCTX;
2141 return 0;
2142}
2143
2144
2145int xfrmnl_sa_get_replay_maxage (struct xfrmnl_sa* sa)
2146{
2147 if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_MAXAGE)
2148 return sa->replay_maxage;
2149 else
2150 return -1;
2151}
2152
2153int xfrmnl_sa_set_replay_maxage (struct xfrmnl_sa* sa, unsigned int replay_maxage)
2154{
2155 sa->replay_maxage = replay_maxage;
2156 sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXAGE;
2157
2158 return 0;
2159}
2160
2161int xfrmnl_sa_get_replay_maxdiff (struct xfrmnl_sa* sa)
2162{
2163 if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_MAXDIFF)
2164 return sa->replay_maxdiff;
2165 else
2166 return -1;
2167}
2168
2169int xfrmnl_sa_set_replay_maxdiff (struct xfrmnl_sa* sa, unsigned int replay_maxdiff)
2170{
2171 sa->replay_maxdiff = replay_maxdiff;
2172 sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXDIFF;
2173
2174 return 0;
2175}
2176
2177int xfrmnl_sa_get_replay_state (struct xfrmnl_sa* sa, unsigned int* oseq, unsigned int* seq, unsigned int* bmp)
2178{
2179 if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
2180 {
2181 if (sa->replay_state_esn == NULL)
2182 {
2183 *oseq = sa->replay_state.oseq;
2184 *seq = sa->replay_state.seq;
2185 *bmp = sa->replay_state.bitmap;
2186
2187 return 0;
2188 }
2189 else
2190 {
2191 return -1;
2192 }
2193 }
2194 else
2195 return -1;
2196}
2197
2198int xfrmnl_sa_set_replay_state (struct xfrmnl_sa* sa, unsigned int oseq, unsigned int seq, unsigned int bitmap)
2199{
2200 sa->replay_state.oseq = oseq;
2201 sa->replay_state.seq = seq;
2202 sa->replay_state.bitmap = bitmap;
2203 sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
2204
2205 return 0;
2206}
2207
2208int xfrmnl_sa_get_replay_state_esn (struct xfrmnl_sa* sa, unsigned int* oseq, unsigned int* seq, unsigned int* oseq_hi,
2209 unsigned int* seq_hi, unsigned int* replay_window, unsigned int* bmp_len, unsigned int* bmp)
2210{
2211 if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
2212 {
2213 if (sa->replay_state_esn)
2214 {
2215 *oseq = sa->replay_state_esn->oseq;
2216 *seq = sa->replay_state_esn->seq;
2217 *oseq_hi= sa->replay_state_esn->oseq_hi;
2218 *seq_hi = sa->replay_state_esn->seq_hi;
2219 *replay_window = sa->replay_state_esn->replay_window;
2220 *bmp_len = sa->replay_state_esn->bmp_len; // In number of 32 bit words
2221 memcpy (bmp, sa->replay_state_esn->bmp, sa->replay_state_esn->bmp_len * sizeof (uint32_t));
2222
2223 return 0;
2224 }
2225 else
2226 {
2227 return -1;
2228 }
2229 }
2230 else
2231 return -1;
2232}
2233
2234int xfrmnl_sa_set_replay_state_esn (struct xfrmnl_sa* sa, unsigned int oseq, unsigned int seq,
2235 unsigned int oseq_hi, unsigned int seq_hi, unsigned int replay_window,
2236 unsigned int bmp_len, unsigned int* bmp)
2237{
2238 _nl_auto_free struct xfrmnl_replay_state_esn *b = NULL;
2239
2240 if (!(b = calloc (1, sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * bmp_len))))
2241 return -1;
2242
2243 b->oseq = oseq;
2244 b->seq = seq;
2245 b->oseq_hi = oseq_hi;
2246 b->seq_hi = seq_hi;
2247 b->replay_window = replay_window;
2248 b->bmp_len = bmp_len; // In number of 32 bit words
2249 memcpy (b->bmp, bmp, bmp_len * sizeof (uint32_t));
2250
2251 free(sa->replay_state_esn);
2252 sa->replay_state_esn = _nl_steal_pointer(&b);
2253 sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
2254 return 0;
2255}
2256
2257
2258/**
2259 * Get interface id and flags from xfrm_user_offload.
2260 *
2261 * @arg sa The xfrmnl_sa object.
2262 * @arg ifindex An optional output value for the offload interface index.
2263 * @arg flags An optional output value for the offload flags.
2264 *
2265 * @return 0 on success or a negative error code.
2266 */
2267int xfrmnl_sa_get_user_offload(struct xfrmnl_sa *sa, int *ifindex, uint8_t *flags)
2268{
2269 int ret = -1;
2270
2271 if (sa->ce_mask & XFRM_SA_ATTR_OFFLOAD_DEV && sa->user_offload) {
2272 if (ifindex)
2273 *ifindex = sa->user_offload->ifindex;
2274 if (flags)
2275 *flags = sa->user_offload->flags;
2276 ret = 0;
2277 }
2278
2279 return ret;
2280}
2281
2282
2283/**
2284 * Set interface id and flags for xfrm_user_offload.
2285 *
2286 * @arg sa The xfrmnl_sa object.
2287 * @arg ifindex Id of the offload interface.
2288 * @arg flags Offload flags for the state.
2289 *
2290 * @return 0 on success or a negative error code.
2291 */
2292int xfrmnl_sa_set_user_offload(struct xfrmnl_sa *sa, int ifindex, uint8_t flags)
2293{
2294 _nl_auto_free struct xfrmnl_user_offload *b = NULL;
2295
2296 if (!(b = calloc(1, sizeof(*b))))
2297 return -1;
2298
2299 b->ifindex = ifindex;
2300 b->flags = flags;
2301
2302 free(sa->user_offload);
2303 sa->user_offload = _nl_steal_pointer(&b);
2304 sa->ce_mask |= XFRM_SA_ATTR_OFFLOAD_DEV;
2305
2306 return 0;
2307}
2308
2309int xfrmnl_sa_is_hardexpiry_reached (struct xfrmnl_sa* sa)
2310{
2311 if (sa->ce_mask & XFRM_SA_ATTR_EXPIRE)
2312 return (sa->hard > 0 ? 1: 0);
2313 else
2314 return 0;
2315}
2316
2317int xfrmnl_sa_is_expiry_reached (struct xfrmnl_sa* sa)
2318{
2319 if (sa->ce_mask & XFRM_SA_ATTR_EXPIRE)
2320 return 1;
2321 else
2322 return 0;
2323}
2324
2325/** @} */
2326
2327static struct nl_object_ops xfrm_sa_obj_ops = {
2328 .oo_name = "xfrm/sa",
2329 .oo_size = sizeof(struct xfrmnl_sa),
2330 .oo_constructor = xfrm_sa_alloc_data,
2331 .oo_free_data = xfrm_sa_free_data,
2332 .oo_clone = xfrm_sa_clone,
2333 .oo_dump = {
2334 [NL_DUMP_LINE] = xfrm_sa_dump_line,
2335 [NL_DUMP_DETAILS] = xfrm_sa_dump_details,
2336 [NL_DUMP_STATS] = xfrm_sa_dump_stats,
2337 },
2338 .oo_compare = xfrm_sa_compare,
2339 .oo_attrs2str = xfrm_sa_attrs2str,
2340 .oo_id_attrs = (XFRM_SA_ATTR_DADDR | XFRM_SA_ATTR_SPI | XFRM_SA_ATTR_PROTO),
2341};
2342
2343static struct nl_af_group xfrm_sa_groups[] = {
2344 { AF_UNSPEC, XFRMNLGRP_SA },
2345 { AF_UNSPEC, XFRMNLGRP_EXPIRE },
2346 { END_OF_GROUP_LIST },
2347};
2348
2349static struct nl_cache_ops xfrmnl_sa_ops = {
2350 .co_name = "xfrm/sa",
2351 .co_hdrsize = sizeof(struct xfrm_usersa_info),
2352 .co_msgtypes = {
2353 { XFRM_MSG_NEWSA, NL_ACT_NEW, "new" },
2354 { XFRM_MSG_DELSA, NL_ACT_DEL, "del" },
2355 { XFRM_MSG_GETSA, NL_ACT_GET, "get" },
2356 { XFRM_MSG_EXPIRE, NL_ACT_UNSPEC, "expire"},
2357 { XFRM_MSG_UPDSA, NL_ACT_NEW, "update"},
2358 END_OF_MSGTYPES_LIST,
2359 },
2360 .co_protocol = NETLINK_XFRM,
2361 .co_groups = xfrm_sa_groups,
2362 .co_request_update = xfrm_sa_request_update,
2363 .co_msg_parser = xfrm_sa_msg_parser,
2364 .co_obj_ops = &xfrm_sa_obj_ops,
2365 .co_include_event = &xfrm_sa_update_cache
2366};
2367
2368/**
2369 * @name XFRM SA Cache Managament
2370 * @{
2371 */
2372
2373static void _nl_init xfrm_sa_init(void)
2374{
2375 nl_cache_mngt_register(&xfrmnl_sa_ops);
2376}
2377
2378static void _nl_exit xfrm_sa_exit(void)
2379{
2380 nl_cache_mngt_unregister(&xfrmnl_sa_ops);
2381}
2382
2383/** @} */
int xfrmnl_sel_cmp(struct xfrmnl_sel *a, struct xfrmnl_sel *b)
Compares two selector objects.
Definition selector.c:180
struct xfrmnl_ltime_cfg * xfrmnl_ltime_cfg_alloc()
Allocate new lifetime config object.
Definition lifetime.c:79
int xfrmnl_ltime_cfg_cmp(struct xfrmnl_ltime_cfg *a, struct xfrmnl_ltime_cfg *b)
Compares two lifetime config objects.
Definition lifetime.c:159
struct xfrmnl_ltime_cfg * xfrmnl_ltime_cfg_clone(struct xfrmnl_ltime_cfg *ltime)
Clone existing lifetime config object.
Definition lifetime.c:98
struct xfrmnl_sel * xfrmnl_sel_alloc()
Allocate new selector object.
Definition selector.c:96
struct xfrmnl_sel * xfrmnl_sel_clone(struct xfrmnl_sel *sel)
Clone existing selector object.
Definition selector.c:115
void nl_addr_set_prefixlen(struct nl_addr *addr, int prefixlen)
Set the prefix length of an abstract address.
Definition addr.c:967
struct nl_addr * nl_addr_get(struct nl_addr *addr)
Increase the reference counter of an abstract address.
Definition addr.c:525
void * nl_addr_get_binary_addr(const struct nl_addr *addr)
Get binary address of abstract address object.
Definition addr.c:943
int nl_addr_cmp(const struct nl_addr *a, const struct nl_addr *b)
Compare abstract addresses.
Definition addr.c:587
struct nl_addr * nl_addr_clone(const struct nl_addr *addr)
Clone existing abstract address object.
Definition addr.c:495
int nl_addr_get_family(const struct nl_addr *addr)
Return address family.
Definition addr.c:895
char * nl_addr2str(const struct nl_addr *addr, char *buf, size_t size)
Convert abstract address object to character string.
Definition addr.c:1001
unsigned int nl_addr_get_len(const struct nl_addr *addr)
Get length of binary address of abstract address object.
Definition addr.c:955
void nl_addr_put(struct nl_addr *addr)
Decrease the reference counter of an abstract address.
Definition addr.c:541
void * nla_data(const struct nlattr *nla)
Return pointer to the payload section.
Definition attr.c:119
#define NLA_PUT(msg, attrtype, attrlen, data)
Add unspecific attribute to netlink message.
Definition attr.h:166
#define NLA_PUT_U32(msg, attrtype, value)
Add 32 bit integer attribute to netlink message.
Definition attr.h:237
int nla_put(struct nl_msg *msg, int attrtype, int datalen, const void *data)
Add a unspecific attribute to netlink message.
Definition attr.c:505
struct nlattr * nla_reserve(struct nl_msg *msg, int attrtype, int attrlen)
Reserve space for a attribute.
Definition attr.c:461
@ NLA_U32
32 bit integer
Definition attr.h:37
int nl_cache_mngt_unregister(struct nl_cache_ops *ops)
Unregister a set of cache operations.
Definition cache_mngt.c:287
int nl_cache_mngt_register(struct nl_cache_ops *ops)
Register a set of cache operations.
Definition cache_mngt.c:252
struct nl_object * nl_cache_search(struct nl_cache *cache, struct nl_object *needle)
Search object in cache.
Definition cache.c:1106
struct nl_object * nl_cache_get_next(struct nl_object *obj)
Return the next element in the cache.
Definition cache.c:146
void nl_cache_remove(struct nl_object *obj)
Remove object from cache.
Definition cache.c:552
int nl_cache_alloc_and_fill(struct nl_cache_ops *ops, struct nl_sock *sock, struct nl_cache **result)
Allocate new cache and fill it.
Definition cache.c:234
struct nl_object * nl_cache_get_first(struct nl_cache *cache)
Return the first element in the cache.
Definition cache.c:120
int nl_cache_move(struct nl_cache *cache, struct nl_object *obj)
Move object from one cache to another.
Definition cache.c:524
struct nl_msg * nlmsg_alloc_simple(int nlmsgtype, int flags)
Allocate a new netlink message.
Definition msg.c:352
void * nlmsg_data(const struct nlmsghdr *nlh)
Return pointer to message payload.
Definition msg.c:108
void nlmsg_free(struct nl_msg *msg)
Release a reference from an netlink message.
Definition msg.c:572
int nlmsg_parse(struct nlmsghdr *nlh, int hdrlen, struct nlattr *tb[], int maxtype, const struct nla_policy *policy)
parse attributes of a netlink message
Definition msg.c:219
int nlmsg_append(struct nl_msg *n, void *data, size_t len, int pad)
Append data to tail of a netlink message.
Definition msg.c:456
int nl_object_get_msgtype(const struct nl_object *obj)
Return the netlink message type the object was derived from.
Definition object.c:539
uint64_t nl_object_diff64(struct nl_object *a, struct nl_object *b)
Compute bitmask representing difference in attribute values.
Definition object.c:371
void nl_object_put(struct nl_object *obj)
Release a reference from an object.
Definition object.c:221
void nl_object_get(struct nl_object *obj)
Acquire a reference on a object.
Definition object.c:210
struct nl_object * nl_object_alloc(struct nl_object_ops *ops)
Allocate a new object of kind specified by the operations handle.
Definition object.c:55
int nl_send_auto(struct nl_sock *sk, struct nl_msg *msg)
Finalize and transmit Netlink message.
Definition nl.c:515
int nl_send_auto_complete(struct nl_sock *sk, struct nl_msg *msg)
Definition nl.c:1247
int nl_pickup(struct nl_sock *sk, int(*parser)(struct nl_cache_ops *, struct sockaddr_nl *, struct nlmsghdr *, struct nl_parser_param *), struct nl_object **result)
Pickup netlink answer, parse is and return object.
Definition nl.c:1178
int nl_wait_for_ack(struct nl_sock *sk)
Wait for ACK.
Definition nl.c:1112
int nl_send_simple(struct nl_sock *sk, int type, int flags, void *buf, size_t size)
Construct and transmit a Netlink message.
Definition nl.c:579
void nl_dump(struct nl_dump_params *params, const char *fmt,...)
Dump a formatted character string.
Definition utils.c:1015
@ NL_DUMP_STATS
Dump all attributes including statistics.
Definition types.h:22
@ NL_DUMP_LINE
Dump object briefly on one line.
Definition types.h:20
@ NL_DUMP_DETAILS
Dump all attributes but no statistics.
Definition types.h:21
Dumping parameters.
Definition types.h:32
Attribute validation policy.
Definition attr.h:66
uint16_t minlen
Minimal length of payload required.
Definition attr.h:71
uint16_t type
Type of attribute or NLA_UNSPEC.
Definition attr.h:68