libnl  3.3.0
sa.c
1 /*
2  * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
3  *
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * Redistributions of source code must retain the above copyright
10  * notice, this list of conditions and the following disclaimer.
11  *
12  * Redistributions in binary form must reproduce the above copyright
13  * notice, this list of conditions and the following disclaimer in the
14  * documentation and/or other materials provided with the
15  * distribution.
16  *
17  * Neither the name of Texas Instruments Incorporated nor the names of
18  * its contributors may be used to endorse or promote products derived
19  * from this software without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
24  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
25  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
26  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
27  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
31  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32  *
33  */
34 
35 /**
36  * @ingroup xfrmnl
37  * @defgroup sa Security Association
38  * @brief
39  */
40 
41 #include <netlink-private/netlink.h>
42 #include <netlink/netlink.h>
43 #include <netlink/cache.h>
44 #include <netlink/object.h>
45 #include <netlink/xfrm/sa.h>
46 #include <netlink/xfrm/selector.h>
47 #include <netlink/xfrm/lifetime.h>
48 #include <time.h>
49 
50 /** @cond SKIP */
51 #define XFRM_SA_ATTR_SEL 0x01
52 #define XFRM_SA_ATTR_DADDR 0x02
53 #define XFRM_SA_ATTR_SPI 0x04
54 #define XFRM_SA_ATTR_PROTO 0x08
55 #define XFRM_SA_ATTR_SADDR 0x10
56 #define XFRM_SA_ATTR_LTIME_CFG 0x20
57 #define XFRM_SA_ATTR_LTIME_CUR 0x40
58 #define XFRM_SA_ATTR_STATS 0x80
59 #define XFRM_SA_ATTR_SEQ 0x100
60 #define XFRM_SA_ATTR_REQID 0x200
61 #define XFRM_SA_ATTR_FAMILY 0x400
62 #define XFRM_SA_ATTR_MODE 0x800
63 #define XFRM_SA_ATTR_REPLAY_WIN 0x1000
64 #define XFRM_SA_ATTR_FLAGS 0x2000
65 #define XFRM_SA_ATTR_ALG_AEAD 0x4000
66 #define XFRM_SA_ATTR_ALG_AUTH 0x8000
67 #define XFRM_SA_ATTR_ALG_CRYPT 0x10000
68 #define XFRM_SA_ATTR_ALG_COMP 0x20000
69 #define XFRM_SA_ATTR_ENCAP 0x40000
70 #define XFRM_SA_ATTR_TFCPAD 0x80000
71 #define XFRM_SA_ATTR_COADDR 0x100000
72 #define XFRM_SA_ATTR_MARK 0x200000
73 #define XFRM_SA_ATTR_SECCTX 0x400000
74 #define XFRM_SA_ATTR_REPLAY_MAXAGE 0x800000
75 #define XFRM_SA_ATTR_REPLAY_MAXDIFF 0x1000000
76 #define XFRM_SA_ATTR_REPLAY_STATE 0x2000000
77 #define XFRM_SA_ATTR_EXPIRE 0x4000000
78 
79 static struct nl_cache_ops xfrmnl_sa_ops;
80 static struct nl_object_ops xfrm_sa_obj_ops;
81 /** @endcond */
82 
83 static void xfrm_sa_alloc_data(struct nl_object *c)
84 {
85  struct xfrmnl_sa* sa = nl_object_priv (c);
86 
87  if ((sa->sel = xfrmnl_sel_alloc ()) == NULL)
88  return;
89 
90  if ((sa->lft = xfrmnl_ltime_cfg_alloc ()) == NULL)
91  return;
92 }
93 
94 static void xfrm_sa_free_data(struct nl_object *c)
95 {
96  struct xfrmnl_sa* sa = nl_object_priv (c);
97 
98  if (sa == NULL)
99  return;
100 
101  xfrmnl_sel_put (sa->sel);
102  xfrmnl_ltime_cfg_put (sa->lft);
103  nl_addr_put (sa->id.daddr);
104  nl_addr_put (sa->saddr);
105 
106  if (sa->aead)
107  free (sa->aead);
108  if (sa->auth)
109  free (sa->auth);
110  if (sa->crypt)
111  free (sa->crypt);
112  if (sa->comp)
113  free (sa->comp);
114  if (sa->encap) {
115  if (sa->encap->encap_oa)
116  nl_addr_put(sa->encap->encap_oa);
117  free(sa->encap);
118  }
119  if (sa->coaddr)
120  nl_addr_put (sa->coaddr);
121  if (sa->sec_ctx)
122  free (sa->sec_ctx);
123  if (sa->replay_state_esn)
124  free (sa->replay_state_esn);
125 }
126 
127 static int xfrm_sa_clone(struct nl_object *_dst, struct nl_object *_src)
128 {
129  struct xfrmnl_sa* dst = nl_object_priv(_dst);
130  struct xfrmnl_sa* src = nl_object_priv(_src);
131  uint32_t len = 0;
132 
133  if (src->sel)
134  if ((dst->sel = xfrmnl_sel_clone (src->sel)) == NULL)
135  return -NLE_NOMEM;
136 
137  if (src->lft)
138  if ((dst->lft = xfrmnl_ltime_cfg_clone (src->lft)) == NULL)
139  return -NLE_NOMEM;
140 
141  if (src->id.daddr)
142  if ((dst->id.daddr = nl_addr_clone (src->id.daddr)) == NULL)
143  return -NLE_NOMEM;
144 
145  if (src->saddr)
146  if ((dst->saddr = nl_addr_clone (src->saddr)) == NULL)
147  return -NLE_NOMEM;
148 
149  if (src->aead)
150  {
151  len = sizeof (struct xfrmnl_algo_aead) + ((src->aead->alg_key_len + 7) / 8);
152  if ((dst->aead = calloc (1, len)) == NULL)
153  return -NLE_NOMEM;
154  memcpy ((void *)dst->aead, (void *)src->aead, len);
155  }
156 
157  if (src->auth)
158  {
159  len = sizeof (struct xfrmnl_algo_auth) + ((src->auth->alg_key_len + 7) / 8);
160  if ((dst->auth = calloc (1, len)) == NULL)
161  return -NLE_NOMEM;
162  memcpy ((void *)dst->auth, (void *)src->auth, len);
163  }
164 
165  if (src->crypt)
166  {
167  len = sizeof (struct xfrmnl_algo) + ((src->crypt->alg_key_len + 7) / 8);
168  if ((dst->crypt = calloc (1, len)) == NULL)
169  return -NLE_NOMEM;
170  memcpy ((void *)dst->crypt, (void *)src->crypt, len);
171  }
172 
173  if (src->comp)
174  {
175  len = sizeof (struct xfrmnl_algo) + ((src->comp->alg_key_len + 7) / 8);
176  if ((dst->comp = calloc (1, len)) == NULL)
177  return -NLE_NOMEM;
178  memcpy ((void *)dst->comp, (void *)src->comp, len);
179  }
180 
181  if (src->encap)
182  {
183  len = sizeof (struct xfrmnl_encap_tmpl);
184  if ((dst->encap = calloc (1, len)) == NULL)
185  return -NLE_NOMEM;
186  memcpy ((void *)dst->encap, (void *)src->encap, len);
187  }
188 
189  if (src->coaddr)
190  if ((dst->coaddr = nl_addr_clone (src->coaddr)) == NULL)
191  return -NLE_NOMEM;
192 
193  if (src->sec_ctx)
194  {
195  len = sizeof (*src->sec_ctx) + src->sec_ctx->ctx_len;
196  if ((dst->sec_ctx = calloc (1, len)) == NULL)
197  return -NLE_NOMEM;
198  memcpy ((void *)dst->sec_ctx, (void *)src->sec_ctx, len);
199  }
200 
201  if (src->replay_state_esn)
202  {
203  len = sizeof (struct xfrmnl_replay_state_esn) + (src->replay_state_esn->bmp_len * sizeof (uint32_t));
204  if ((dst->replay_state_esn = calloc (1, len)) == NULL)
205  return -NLE_NOMEM;
206  memcpy ((void *)dst->replay_state_esn, (void *)src->replay_state_esn, len);
207  }
208 
209  return 0;
210 }
211 
212 static uint64_t xfrm_sa_compare(struct nl_object *_a, struct nl_object *_b,
213  uint64_t attrs, int flags)
214 {
215  struct xfrmnl_sa* a = (struct xfrmnl_sa *) _a;
216  struct xfrmnl_sa* b = (struct xfrmnl_sa *) _b;
217  uint64_t diff = 0;
218  int found = 0;
219 
220 #define XFRM_SA_DIFF(ATTR, EXPR) ATTR_DIFF(attrs, XFRM_SA_ATTR_##ATTR, a, b, EXPR)
221  diff |= XFRM_SA_DIFF(SEL, xfrmnl_sel_cmp(a->sel, b->sel));
222  diff |= XFRM_SA_DIFF(DADDR, nl_addr_cmp(a->id.daddr, b->id.daddr));
223  diff |= XFRM_SA_DIFF(SPI, a->id.spi != b->id.spi);
224  diff |= XFRM_SA_DIFF(PROTO, a->id.proto != b->id.proto);
225  diff |= XFRM_SA_DIFF(SADDR, nl_addr_cmp(a->saddr, b->saddr));
226  diff |= XFRM_SA_DIFF(LTIME_CFG, xfrmnl_ltime_cfg_cmp(a->lft, b->lft));
227  diff |= XFRM_SA_DIFF(REQID, a->reqid != b->reqid);
228  diff |= XFRM_SA_DIFF(FAMILY,a->family != b->family);
229  diff |= XFRM_SA_DIFF(MODE,a->mode != b->mode);
230  diff |= XFRM_SA_DIFF(REPLAY_WIN,a->replay_window != b->replay_window);
231  diff |= XFRM_SA_DIFF(FLAGS,a->flags != b->flags);
232  diff |= XFRM_SA_DIFF(ALG_AEAD,(strcmp(a->aead->alg_name, b->aead->alg_name) ||
233  (a->aead->alg_key_len != b->aead->alg_key_len) ||
234  (a->aead->alg_icv_len != b->aead->alg_icv_len) ||
235  memcmp(a->aead->alg_key, b->aead->alg_key,
236  ((a->aead->alg_key_len + 7)/8))));
237  diff |= XFRM_SA_DIFF(ALG_AUTH,(strcmp(a->auth->alg_name, b->auth->alg_name) ||
238  (a->auth->alg_key_len != b->auth->alg_key_len) ||
239  (a->auth->alg_trunc_len != b->auth->alg_trunc_len) ||
240  memcmp(a->auth->alg_key, b->auth->alg_key,
241  ((a->auth->alg_key_len + 7)/8))));
242  diff |= XFRM_SA_DIFF(ALG_CRYPT,(strcmp(a->crypt->alg_name, b->crypt->alg_name) ||
243  (a->crypt->alg_key_len != b->crypt->alg_key_len) ||
244  memcmp(a->crypt->alg_key, b->crypt->alg_key,
245  ((a->crypt->alg_key_len + 7)/8))));
246  diff |= XFRM_SA_DIFF(ALG_COMP,(strcmp(a->comp->alg_name, b->comp->alg_name) ||
247  (a->comp->alg_key_len != b->comp->alg_key_len) ||
248  memcmp(a->comp->alg_key, b->comp->alg_key,
249  ((a->comp->alg_key_len + 7)/8))));
250  diff |= XFRM_SA_DIFF(ENCAP,((a->encap->encap_type != b->encap->encap_type) ||
251  (a->encap->encap_sport != b->encap->encap_sport) ||
252  (a->encap->encap_dport != b->encap->encap_dport) ||
253  nl_addr_cmp(a->encap->encap_oa, b->encap->encap_oa)));
254  diff |= XFRM_SA_DIFF(TFCPAD,a->tfcpad != b->tfcpad);
255  diff |= XFRM_SA_DIFF(COADDR,nl_addr_cmp(a->coaddr, b->coaddr));
256  diff |= XFRM_SA_DIFF(MARK,(a->mark.m != b->mark.m) ||
257  (a->mark.v != b->mark.v));
258  diff |= XFRM_SA_DIFF(SECCTX,((a->sec_ctx->ctx_doi != b->sec_ctx->ctx_doi) ||
259  (a->sec_ctx->ctx_alg != b->sec_ctx->ctx_alg) ||
260  (a->sec_ctx->ctx_len != b->sec_ctx->ctx_len) ||
261  strcmp(a->sec_ctx->ctx, b->sec_ctx->ctx)));
262  diff |= XFRM_SA_DIFF(REPLAY_MAXAGE,a->replay_maxage != b->replay_maxage);
263  diff |= XFRM_SA_DIFF(REPLAY_MAXDIFF,a->replay_maxdiff != b->replay_maxdiff);
264  diff |= XFRM_SA_DIFF(EXPIRE,a->hard != b->hard);
265 
266  /* Compare replay states */
267  found = AVAILABLE_MISMATCH (a, b, XFRM_SA_ATTR_REPLAY_STATE);
268  if (found == 0) // attribute exists in both objects
269  {
270  if (((a->replay_state_esn != NULL) && (b->replay_state_esn == NULL)) ||
271  ((a->replay_state_esn == NULL) && (b->replay_state_esn != NULL)))
272  found |= 1;
273 
274  if (found == 0) // same replay type. compare actual values
275  {
276  if (a->replay_state_esn)
277  {
278  if (a->replay_state_esn->bmp_len != b->replay_state_esn->bmp_len)
279  diff |= 1;
280  else
281  {
282  uint32_t len = sizeof (struct xfrmnl_replay_state_esn) +
283  (a->replay_state_esn->bmp_len * sizeof (uint32_t));
284  diff |= memcmp (a->replay_state_esn, b->replay_state_esn, len);
285  }
286  }
287  else
288  {
289  if ((a->replay_state.oseq != b->replay_state.oseq) ||
290  (a->replay_state.seq != b->replay_state.seq) ||
291  (a->replay_state.bitmap != b->replay_state.bitmap))
292  diff |= 1;
293  }
294  }
295  }
296 #undef XFRM_SA_DIFF
297 
298  return diff;
299 }
300 
301 /**
302  * @name XFRM SA Attribute Translations
303  * @{
304  */
305 static const struct trans_tbl sa_attrs[] = {
306  __ADD(XFRM_SA_ATTR_SEL, selector),
307  __ADD(XFRM_SA_ATTR_DADDR, daddr),
308  __ADD(XFRM_SA_ATTR_SPI, spi),
309  __ADD(XFRM_SA_ATTR_PROTO, proto),
310  __ADD(XFRM_SA_ATTR_SADDR, saddr),
311  __ADD(XFRM_SA_ATTR_LTIME_CFG, lifetime_cfg),
312  __ADD(XFRM_SA_ATTR_LTIME_CUR, lifetime_cur),
313  __ADD(XFRM_SA_ATTR_STATS, stats),
314  __ADD(XFRM_SA_ATTR_SEQ, seqnum),
315  __ADD(XFRM_SA_ATTR_REQID, reqid),
316  __ADD(XFRM_SA_ATTR_FAMILY, family),
317  __ADD(XFRM_SA_ATTR_MODE, mode),
318  __ADD(XFRM_SA_ATTR_REPLAY_WIN, replay_window),
319  __ADD(XFRM_SA_ATTR_FLAGS, flags),
320  __ADD(XFRM_SA_ATTR_ALG_AEAD, alg_aead),
321  __ADD(XFRM_SA_ATTR_ALG_AUTH, alg_auth),
322  __ADD(XFRM_SA_ATTR_ALG_CRYPT, alg_crypto),
323  __ADD(XFRM_SA_ATTR_ALG_COMP, alg_comp),
324  __ADD(XFRM_SA_ATTR_ENCAP, encap),
325  __ADD(XFRM_SA_ATTR_TFCPAD, tfcpad),
326  __ADD(XFRM_SA_ATTR_COADDR, coaddr),
327  __ADD(XFRM_SA_ATTR_MARK, mark),
328  __ADD(XFRM_SA_ATTR_SECCTX, sec_ctx),
329  __ADD(XFRM_SA_ATTR_REPLAY_MAXAGE, replay_maxage),
330  __ADD(XFRM_SA_ATTR_REPLAY_MAXDIFF, replay_maxdiff),
331  __ADD(XFRM_SA_ATTR_REPLAY_STATE, replay_state),
332  __ADD(XFRM_SA_ATTR_EXPIRE, expire),
333 };
334 
335 static char* xfrm_sa_attrs2str(int attrs, char *buf, size_t len)
336 {
337  return __flags2str (attrs, buf, len, sa_attrs, ARRAY_SIZE(sa_attrs));
338 }
339 /** @} */
340 
341 /**
342  * @name XFRM SA Flags Translations
343  * @{
344  */
345 static const struct trans_tbl sa_flags[] = {
346  __ADD(XFRM_STATE_NOECN, no ecn),
347  __ADD(XFRM_STATE_DECAP_DSCP, decap dscp),
348  __ADD(XFRM_STATE_NOPMTUDISC, no pmtu discovery),
349  __ADD(XFRM_STATE_WILDRECV, wild receive),
350  __ADD(XFRM_STATE_ICMP, icmp),
351  __ADD(XFRM_STATE_AF_UNSPEC, unspecified),
352  __ADD(XFRM_STATE_ALIGN4, align4),
353  __ADD(XFRM_STATE_ESN, esn),
354 };
355 
356 char* xfrmnl_sa_flags2str(int flags, char *buf, size_t len)
357 {
358  return __flags2str (flags, buf, len, sa_flags, ARRAY_SIZE(sa_flags));
359 }
360 
361 int xfrmnl_sa_str2flag(const char *name)
362 {
363  return __str2flags (name, sa_flags, ARRAY_SIZE(sa_flags));
364 }
365 /** @} */
366 
367 /**
368  * @name XFRM SA Mode Translations
369  * @{
370  */
371 static const struct trans_tbl sa_modes[] = {
372  __ADD(XFRM_MODE_TRANSPORT, transport),
373  __ADD(XFRM_MODE_TUNNEL, tunnel),
374  __ADD(XFRM_MODE_ROUTEOPTIMIZATION, route optimization),
375  __ADD(XFRM_MODE_IN_TRIGGER, in trigger),
376  __ADD(XFRM_MODE_BEET, beet),
377 };
378 
379 char* xfrmnl_sa_mode2str(int mode, char *buf, size_t len)
380 {
381  return __type2str (mode, buf, len, sa_modes, ARRAY_SIZE(sa_modes));
382 }
383 
384 int xfrmnl_sa_str2mode(const char *name)
385 {
386  return __str2type (name, sa_modes, ARRAY_SIZE(sa_modes));
387 }
388 /** @} */
389 
390 
391 static void xfrm_sa_dump_line(struct nl_object *a, struct nl_dump_params *p)
392 {
393  char dst[INET6_ADDRSTRLEN+5], src[INET6_ADDRSTRLEN+5];
394  struct xfrmnl_sa* sa = (struct xfrmnl_sa *) a;
395  char flags[128], mode[128];
396  time_t add_time, use_time;
397  struct tm *add_time_tm, *use_time_tm;
398 
399  nl_dump_line(p, "src %s dst %s family: %s\n", nl_addr2str(sa->saddr, src, sizeof(src)),
400  nl_addr2str(sa->id.daddr, dst, sizeof(dst)),
401  nl_af2str (sa->family, flags, sizeof (flags)));
402 
403  nl_dump_line(p, "\tproto %s spi 0x%x reqid %u\n",
404  nl_ip_proto2str (sa->id.proto, flags, sizeof(flags)),
405  sa->id.spi, sa->reqid);
406 
407  xfrmnl_sa_flags2str(sa->flags, flags, sizeof (flags));
408  xfrmnl_sa_mode2str(sa->mode, mode, sizeof (mode));
409  nl_dump_line(p, "\tmode: %s flags: %s (0x%x) seq: %u replay window: %u\n",
410  mode, flags, sa->flags, sa->seq, sa->replay_window);
411 
412  nl_dump_line(p, "\tlifetime configuration: \n");
413  if (sa->lft->soft_byte_limit == XFRM_INF)
414  sprintf (flags, "INF");
415  else
416  sprintf (flags, "%" PRIu64, sa->lft->soft_byte_limit);
417  if (sa->lft->soft_packet_limit == XFRM_INF)
418  sprintf (mode, "INF");
419  else
420  sprintf (mode, "%" PRIu64, sa->lft->soft_packet_limit);
421  nl_dump_line(p, "\t\tsoft limit: %s (bytes), %s (packets)\n", flags, mode);
422  if (sa->lft->hard_byte_limit == XFRM_INF)
423  sprintf (flags, "INF");
424  else
425  sprintf (flags, "%" PRIu64, sa->lft->hard_byte_limit);
426  if (sa->lft->hard_packet_limit == XFRM_INF)
427  sprintf (mode, "INF");
428  else
429  sprintf (mode, "%" PRIu64, sa->lft->hard_packet_limit);
430  nl_dump_line(p, "\t\thard limit: %s (bytes), %s (packets)\n", flags, mode);
431  nl_dump_line(p, "\t\tsoft add_time: %llu (seconds), soft use_time: %llu (seconds) \n",
432  sa->lft->soft_add_expires_seconds, sa->lft->soft_use_expires_seconds);
433  nl_dump_line(p, "\t\thard add_time: %llu (seconds), hard use_time: %llu (seconds) \n",
434  sa->lft->hard_add_expires_seconds, sa->lft->hard_use_expires_seconds);
435 
436  nl_dump_line(p, "\tlifetime current: \n");
437  nl_dump_line(p, "\t\t%llu bytes, %llu packets\n", sa->curlft.bytes, sa->curlft.packets);
438  if (sa->curlft.add_time != 0)
439  {
440  add_time = sa->curlft.add_time;
441  add_time_tm = gmtime (&add_time);
442  strftime (flags, 128, "%Y-%m-%d %H-%M-%S", add_time_tm);
443  }
444  else
445  {
446  sprintf (flags, "%s", "-");
447  }
448 
449  if (sa->curlft.use_time != 0)
450  {
451  use_time = sa->curlft.use_time;
452  use_time_tm = gmtime (&use_time);
453  strftime (mode, 128, "%Y-%m-%d %H-%M-%S", use_time_tm);
454  }
455  else
456  {
457  sprintf (mode, "%s", "-");
458  }
459  nl_dump_line(p, "\t\tadd_time: %s, use_time: %s\n", flags, mode);
460 
461  if (sa->aead)
462  {
463  nl_dump_line(p, "\tAEAD Algo: \n");
464  nl_dump_line(p, "\t\tName: %s Key len(bits): %u ICV Len(bits): %u\n",
465  sa->aead->alg_name, sa->aead->alg_key_len, sa->aead->alg_icv_len);
466  }
467 
468  if (sa->auth)
469  {
470  nl_dump_line(p, "\tAuth Algo: \n");
471  nl_dump_line(p, "\t\tName: %s Key len(bits): %u Trunc len(bits): %u\n",
472  sa->auth->alg_name, sa->auth->alg_key_len, sa->auth->alg_trunc_len);
473  }
474 
475  if (sa->crypt)
476  {
477  nl_dump_line(p, "\tEncryption Algo: \n");
478  nl_dump_line(p, "\t\tName: %s Key len(bits): %u\n",
479  sa->crypt->alg_name, sa->crypt->alg_key_len);
480  }
481 
482  if (sa->comp)
483  {
484  nl_dump_line(p, "\tCompression Algo: \n");
485  nl_dump_line(p, "\t\tName: %s Key len(bits): %u\n",
486  sa->comp->alg_name, sa->comp->alg_key_len);
487  }
488 
489  if (sa->encap)
490  {
491  nl_dump_line(p, "\tEncapsulation template: \n");
492  nl_dump_line(p, "\t\tType: %d Src port: %d Dst port: %d Encap addr: %s\n",
493  sa->encap->encap_type, sa->encap->encap_sport, sa->encap->encap_dport,
494  nl_addr2str (sa->encap->encap_oa, dst, sizeof (dst)));
495  }
496 
497  if (sa->ce_mask & XFRM_SA_ATTR_TFCPAD)
498  nl_dump_line(p, "\tTFC Pad: %u\n", sa->tfcpad);
499 
500  if (sa->ce_mask & XFRM_SA_ATTR_COADDR)
501  nl_dump_line(p, "\tCO Address: %s\n", nl_addr2str (sa->coaddr, dst, sizeof (dst)));
502 
503  if (sa->ce_mask & XFRM_SA_ATTR_MARK)
504  nl_dump_line(p, "\tMark mask: 0x%x Mark value: 0x%x\n", sa->mark.m, sa->mark.v);
505 
506  if (sa->ce_mask & XFRM_SA_ATTR_SECCTX)
507  nl_dump_line(p, "\tDOI: %d Algo: %d Len: %u ctx: %s\n", sa->sec_ctx->ctx_doi,
508  sa->sec_ctx->ctx_alg, sa->sec_ctx->ctx_len, sa->sec_ctx->ctx);
509 
510  nl_dump_line(p, "\treplay info: \n");
511  nl_dump_line(p, "\t\tmax age %u max diff %u \n", sa->replay_maxage, sa->replay_maxdiff);
512 
513  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
514  {
515  nl_dump_line(p, "\treplay state info: \n");
516  if (sa->replay_state_esn)
517  {
518  nl_dump_line(p, "\t\toseq %u seq %u oseq_hi %u seq_hi %u replay window: %u \n",
519  sa->replay_state_esn->oseq, sa->replay_state_esn->seq,
520  sa->replay_state_esn->oseq_hi, sa->replay_state_esn->seq_hi,
521  sa->replay_state_esn->replay_window);
522  }
523  else
524  {
525  nl_dump_line(p, "\t\toseq %u seq %u bitmap: %u \n", sa->replay_state.oseq,
526  sa->replay_state.seq, sa->replay_state.bitmap);
527  }
528  }
529 
530  nl_dump_line(p, "\tselector info: \n");
531  xfrmnl_sel_dump (sa->sel, p);
532 
533  nl_dump_line(p, "\tHard: %d\n", sa->hard);
534 
535  nl_dump(p, "\n");
536 }
537 
538 static void xfrm_sa_dump_stats(struct nl_object *a, struct nl_dump_params *p)
539 {
540  struct xfrmnl_sa* sa = (struct xfrmnl_sa*)a;
541 
542  nl_dump_line(p, "\tstats: \n");
543  nl_dump_line(p, "\t\treplay window: %u replay: %u integrity failed: %u \n",
544  sa->stats.replay_window, sa->stats.replay, sa->stats.integrity_failed);
545 
546  return;
547 }
548 
549 static void xfrm_sa_dump_details(struct nl_object *a, struct nl_dump_params *p)
550 {
551  xfrm_sa_dump_line(a, p);
552  xfrm_sa_dump_stats (a, p);
553 }
554 
555 /**
556  * @name XFRM SA Object Allocation/Freeage
557  * @{
558  */
559 
560 struct xfrmnl_sa* xfrmnl_sa_alloc(void)
561 {
562  return (struct xfrmnl_sa*) nl_object_alloc(&xfrm_sa_obj_ops);
563 }
564 
565 void xfrmnl_sa_put(struct xfrmnl_sa* sa)
566 {
567  nl_object_put((struct nl_object *) sa);
568 }
569 
570 /** @} */
571 
572 /**
573  * @name SA Cache Managament
574  * @{
575  */
576 
577 /**
578  * Build a SA cache including all SAs currently configured in the kernel.
579  * @arg sock Netlink socket.
580  * @arg result Pointer to store resulting cache.
581  *
582  * Allocates a new SA cache, initializes it properly and updates it
583  * to include all SAs currently configured in the kernel.
584  *
585  * @return 0 on success or a negative error code.
586  */
587 int xfrmnl_sa_alloc_cache(struct nl_sock *sock, struct nl_cache **result)
588 {
589  return nl_cache_alloc_and_fill(&xfrmnl_sa_ops, sock, result);
590 }
591 
592 /**
593  * Look up a SA by destination address, SPI, protocol
594  * @arg cache SA cache
595  * @arg daddr destination address of the SA
596  * @arg spi SPI
597  * @arg proto protocol
598  * @return sa handle or NULL if no match was found.
599  */
600 struct xfrmnl_sa* xfrmnl_sa_get(struct nl_cache* cache, struct nl_addr* daddr,
601  unsigned int spi, unsigned int proto)
602 {
603  struct xfrmnl_sa *sa;
604 
605  //nl_list_for_each_entry(sa, &cache->c_items, ce_list) {
606  for (sa = (struct xfrmnl_sa*)nl_cache_get_first (cache);
607  sa != NULL;
608  sa = (struct xfrmnl_sa*)nl_cache_get_next ((struct nl_object*)sa))
609  {
610  if (sa->id.proto == proto &&
611  sa->id.spi == spi &&
612  !nl_addr_cmp(sa->id.daddr, daddr))
613  {
614  nl_object_get((struct nl_object *) sa);
615  return sa;
616  }
617 
618  }
619 
620  return NULL;
621 }
622 
623 
624 /** @} */
625 
626 
627 static struct nla_policy xfrm_sa_policy[XFRMA_MAX+1] = {
628  [XFRMA_SA] = { .minlen = sizeof(struct xfrm_usersa_info)},
629  [XFRMA_ALG_AUTH_TRUNC] = { .minlen = sizeof(struct xfrm_algo_auth)},
630  [XFRMA_ALG_AEAD] = { .minlen = sizeof(struct xfrm_algo_aead) },
631  [XFRMA_ALG_AUTH] = { .minlen = sizeof(struct xfrm_algo) },
632  [XFRMA_ALG_CRYPT] = { .minlen = sizeof(struct xfrm_algo) },
633  [XFRMA_ALG_COMP] = { .minlen = sizeof(struct xfrm_algo) },
634  [XFRMA_ENCAP] = { .minlen = sizeof(struct xfrm_encap_tmpl) },
635  [XFRMA_TMPL] = { .minlen = sizeof(struct xfrm_user_tmpl) },
636  [XFRMA_SEC_CTX] = { .minlen = sizeof(struct xfrm_sec_ctx) },
637  [XFRMA_LTIME_VAL] = { .minlen = sizeof(struct xfrm_lifetime_cur) },
638  [XFRMA_REPLAY_VAL] = { .minlen = sizeof(struct xfrm_replay_state) },
639  [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 },
640  [XFRMA_ETIMER_THRESH] = { .type = NLA_U32 },
641  [XFRMA_SRCADDR] = { .minlen = sizeof(xfrm_address_t) },
642  [XFRMA_COADDR] = { .minlen = sizeof(xfrm_address_t) },
643  [XFRMA_MARK] = { .minlen = sizeof(struct xfrm_mark) },
644  [XFRMA_TFCPAD] = { .type = NLA_U32 },
645  [XFRMA_REPLAY_ESN_VAL] = { .minlen = sizeof(struct xfrm_replay_state_esn) },
646 };
647 
648 static int xfrm_sa_request_update(struct nl_cache *c, struct nl_sock *h)
649 {
650  struct xfrm_id sa_id;
651 
652  memset (&sa_id, 0, sizeof (sa_id));
653  return nl_send_simple (h, XFRM_MSG_GETSA, NLM_F_DUMP,
654  &sa_id, sizeof (sa_id));
655 }
656 
657 int xfrmnl_sa_parse(struct nlmsghdr *n, struct xfrmnl_sa **result)
658 {
659  struct xfrmnl_sa* sa;
660  struct nlattr *tb[XFRMA_MAX + 1];
661  struct xfrm_usersa_info* sa_info;
662  struct xfrm_user_expire* ue;
663  int len, err;
664  struct nl_addr* addr;
665 
666  sa = xfrmnl_sa_alloc();
667  if (!sa) {
668  err = -NLE_NOMEM;
669  goto errout;
670  }
671 
672  sa->ce_msgtype = n->nlmsg_type;
673  if (n->nlmsg_type == XFRM_MSG_EXPIRE)
674  {
675  ue = nlmsg_data(n);
676  sa_info = &ue->state;
677  sa->hard = ue->hard;
678  sa->ce_mask |= XFRM_SA_ATTR_EXPIRE;
679  }
680  else if (n->nlmsg_type == XFRM_MSG_DELSA)
681  {
682  sa_info = (struct xfrm_usersa_info*)(nlmsg_data(n) + sizeof (struct xfrm_usersa_id) + NLA_HDRLEN);
683  }
684  else
685  {
686  sa_info = nlmsg_data(n);
687  }
688 
689  err = nlmsg_parse(n, sizeof(struct xfrm_usersa_info), tb, XFRMA_MAX, xfrm_sa_policy);
690  if (err < 0)
691  goto errout;
692 
693  if (sa_info->sel.family == AF_INET)
694  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.daddr.a4, sizeof (sa_info->sel.daddr.a4));
695  else
696  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.daddr.a6, sizeof (sa_info->sel.daddr.a6));
697  nl_addr_set_prefixlen (addr, sa_info->sel.prefixlen_d);
698  xfrmnl_sel_set_daddr (sa->sel, addr);
699  xfrmnl_sel_set_prefixlen_d (sa->sel, sa_info->sel.prefixlen_d);
700 
701  if (sa_info->sel.family == AF_INET)
702  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.saddr.a4, sizeof (sa_info->sel.saddr.a4));
703  else
704  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.saddr.a6, sizeof (sa_info->sel.saddr.a6));
705  nl_addr_set_prefixlen (addr, sa_info->sel.prefixlen_s);
706  xfrmnl_sel_set_saddr (sa->sel, addr);
707  xfrmnl_sel_set_prefixlen_s (sa->sel, sa_info->sel.prefixlen_s);
708 
709  xfrmnl_sel_set_dport (sa->sel, ntohs(sa_info->sel.dport));
710  xfrmnl_sel_set_dportmask (sa->sel, ntohs(sa_info->sel.dport_mask));
711  xfrmnl_sel_set_sport (sa->sel, ntohs(sa_info->sel.sport));
712  xfrmnl_sel_set_sportmask (sa->sel, ntohs(sa_info->sel.sport_mask));
713  xfrmnl_sel_set_family (sa->sel, sa_info->sel.family);
714  xfrmnl_sel_set_proto (sa->sel, sa_info->sel.proto);
715  xfrmnl_sel_set_ifindex (sa->sel, sa_info->sel.ifindex);
716  xfrmnl_sel_set_userid (sa->sel, sa_info->sel.user);
717  sa->ce_mask |= XFRM_SA_ATTR_SEL;
718 
719  if (sa_info->family == AF_INET)
720  sa->id.daddr = nl_addr_build (sa_info->family, &sa_info->id.daddr.a4, sizeof (sa_info->id.daddr.a4));
721  else
722  sa->id.daddr = nl_addr_build (sa_info->family, &sa_info->id.daddr.a6, sizeof (sa_info->id.daddr.a6));
723  sa->id.spi = ntohl(sa_info->id.spi);
724  sa->id.proto = sa_info->id.proto;
725  sa->ce_mask |= (XFRM_SA_ATTR_DADDR | XFRM_SA_ATTR_SPI | XFRM_SA_ATTR_PROTO);
726 
727  if (sa_info->family == AF_INET)
728  sa->saddr = nl_addr_build (sa_info->family, &sa_info->saddr.a4, sizeof (sa_info->saddr.a4));
729  else
730  sa->saddr = nl_addr_build (sa_info->family, &sa_info->saddr.a6, sizeof (sa_info->saddr.a6));
731  sa->ce_mask |= XFRM_SA_ATTR_SADDR;
732 
733  sa->lft->soft_byte_limit = sa_info->lft.soft_byte_limit;
734  sa->lft->hard_byte_limit = sa_info->lft.hard_byte_limit;
735  sa->lft->soft_packet_limit = sa_info->lft.soft_packet_limit;
736  sa->lft->hard_packet_limit = sa_info->lft.hard_packet_limit;
737  sa->lft->soft_add_expires_seconds = sa_info->lft.soft_add_expires_seconds;
738  sa->lft->hard_add_expires_seconds = sa_info->lft.hard_add_expires_seconds;
739  sa->lft->soft_use_expires_seconds = sa_info->lft.soft_use_expires_seconds;
740  sa->lft->hard_use_expires_seconds = sa_info->lft.hard_use_expires_seconds;
741  sa->ce_mask |= XFRM_SA_ATTR_LTIME_CFG;
742 
743  sa->curlft.bytes = sa_info->curlft.bytes;
744  sa->curlft.packets = sa_info->curlft.packets;
745  sa->curlft.add_time = sa_info->curlft.add_time;
746  sa->curlft.use_time = sa_info->curlft.use_time;
747  sa->ce_mask |= XFRM_SA_ATTR_LTIME_CUR;
748 
749  sa->stats.replay_window = sa_info->stats.replay_window;
750  sa->stats.replay = sa_info->stats.replay;
751  sa->stats.integrity_failed = sa_info->stats.integrity_failed;
752  sa->ce_mask |= XFRM_SA_ATTR_STATS;
753 
754  sa->seq = sa_info->seq;
755  sa->reqid = sa_info->reqid;
756  sa->family = sa_info->family;
757  sa->mode = sa_info->mode;
758  sa->replay_window = sa_info->replay_window;
759  sa->flags = sa_info->flags;
760  sa->ce_mask |= (XFRM_SA_ATTR_SEQ | XFRM_SA_ATTR_REQID |
761  XFRM_SA_ATTR_FAMILY | XFRM_SA_ATTR_MODE |
762  XFRM_SA_ATTR_REPLAY_WIN | XFRM_SA_ATTR_FLAGS);
763 
764  if (tb[XFRMA_ALG_AEAD]) {
765  struct xfrm_algo_aead* aead = nla_data(tb[XFRMA_ALG_AEAD]);
766  len = sizeof (struct xfrmnl_algo_aead) + ((aead->alg_key_len + 7) / 8);
767  if ((sa->aead = calloc (1, len)) == NULL)
768  {
769  err = -NLE_NOMEM;
770  goto errout;
771  }
772  memcpy ((void *)sa->aead, (void *)aead, len);
773  sa->ce_mask |= XFRM_SA_ATTR_ALG_AEAD;
774  }
775 
776  if (tb[XFRMA_ALG_AUTH_TRUNC]) {
777  struct xfrm_algo_auth* auth = nla_data(tb[XFRMA_ALG_AUTH_TRUNC]);
778  len = sizeof (struct xfrmnl_algo_auth) + ((auth->alg_key_len + 7) / 8);
779  if ((sa->auth = calloc (1, len)) == NULL)
780  {
781  err = -NLE_NOMEM;
782  goto errout;
783  }
784  memcpy ((void *)sa->auth, (void *)auth, len);
785  sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
786  }
787 
788  if (tb[XFRMA_ALG_AUTH] && !sa->auth) {
789  struct xfrm_algo* auth = nla_data(tb[XFRMA_ALG_AUTH]);
790  len = sizeof (struct xfrmnl_algo_auth) + ((auth->alg_key_len + 7) / 8);
791  if ((sa->auth = calloc (1, len)) == NULL)
792  {
793  err = -NLE_NOMEM;
794  goto errout;
795  }
796  strcpy(sa->auth->alg_name, auth->alg_name);
797  memcpy(sa->auth->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8);
798  sa->auth->alg_key_len = auth->alg_key_len;
799  sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
800  }
801 
802  if (tb[XFRMA_ALG_CRYPT]) {
803  struct xfrm_algo* crypt = nla_data(tb[XFRMA_ALG_CRYPT]);
804  len = sizeof (struct xfrmnl_algo) + ((crypt->alg_key_len + 7) / 8);
805  if ((sa->crypt = calloc (1, len)) == NULL)
806  {
807  err = -NLE_NOMEM;
808  goto errout;
809  }
810  memcpy ((void *)sa->crypt, (void *)crypt, len);
811  sa->ce_mask |= XFRM_SA_ATTR_ALG_CRYPT;
812  }
813 
814  if (tb[XFRMA_ALG_COMP]) {
815  struct xfrm_algo* comp = nla_data(tb[XFRMA_ALG_COMP]);
816  len = sizeof (struct xfrmnl_algo) + ((comp->alg_key_len + 7) / 8);
817  if ((sa->comp = calloc (1, len)) == NULL)
818  {
819  err = -NLE_NOMEM;
820  goto errout;
821  }
822  memcpy ((void *)sa->comp, (void *)comp, len);
823  sa->ce_mask |= XFRM_SA_ATTR_ALG_COMP;
824  }
825 
826  if (tb[XFRMA_ENCAP]) {
827  struct xfrm_encap_tmpl* encap = nla_data(tb[XFRMA_ENCAP]);
828  len = sizeof (struct xfrmnl_encap_tmpl);
829  if ((sa->encap = calloc (1, len)) == NULL)
830  {
831  err = -NLE_NOMEM;
832  goto errout;
833  }
834  sa->encap->encap_type = encap->encap_type;
835  sa->encap->encap_sport = ntohs(encap->encap_sport);
836  sa->encap->encap_dport = ntohs(encap->encap_dport);
837  if (sa_info->family == AF_INET)
838  sa->encap->encap_oa = nl_addr_build (sa_info->family, &encap->encap_oa.a4, sizeof (encap->encap_oa.a4));
839  else
840  sa->encap->encap_oa = nl_addr_build (sa_info->family, &encap->encap_oa.a6, sizeof (encap->encap_oa.a6));
841  sa->ce_mask |= XFRM_SA_ATTR_ENCAP;
842  }
843 
844  if (tb[XFRMA_TFCPAD]) {
845  sa->tfcpad = *(uint32_t*)nla_data(tb[XFRMA_TFCPAD]);
846  sa->ce_mask |= XFRM_SA_ATTR_TFCPAD;
847  }
848 
849  if (tb[XFRMA_COADDR]) {
850  if (sa_info->family == AF_INET)
851  {
852  sa->coaddr = nl_addr_build(sa_info->family, nla_data(tb[XFRMA_COADDR]),
853  sizeof (uint32_t));
854  }
855  else
856  {
857  sa->coaddr = nl_addr_build(sa_info->family, nla_data(tb[XFRMA_COADDR]),
858  sizeof (uint32_t) * 4);
859  }
860  sa->ce_mask |= XFRM_SA_ATTR_COADDR;
861  }
862 
863  if (tb[XFRMA_MARK]) {
864  struct xfrm_mark* m = nla_data(tb[XFRMA_MARK]);
865  sa->mark.m = m->m;
866  sa->mark.v = m->v;
867  sa->ce_mask |= XFRM_SA_ATTR_MARK;
868  }
869 
870  if (tb[XFRMA_SEC_CTX]) {
871  struct xfrm_user_sec_ctx* sec_ctx = nla_data(tb[XFRMA_SEC_CTX]);
872  len = sizeof (struct xfrmnl_user_sec_ctx) + sec_ctx->ctx_len;
873  if ((sa->sec_ctx = calloc (1, len)) == NULL)
874  {
875  err = -NLE_NOMEM;
876  goto errout;
877  }
878  memcpy (sa->sec_ctx, sec_ctx, len);
879  sa->ce_mask |= XFRM_SA_ATTR_SECCTX;
880  }
881 
882  if (tb[XFRMA_ETIMER_THRESH]) {
883  sa->replay_maxage = *(uint32_t*)nla_data(tb[XFRMA_ETIMER_THRESH]);
884  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXAGE;
885  }
886 
887  if (tb[XFRMA_REPLAY_THRESH]) {
888  sa->replay_maxdiff = *(uint32_t*)nla_data(tb[XFRMA_REPLAY_THRESH]);
889  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXDIFF;
890  }
891 
892  if (tb[XFRMA_REPLAY_ESN_VAL]) {
893  struct xfrm_replay_state_esn* esn = nla_data (tb[XFRMA_REPLAY_ESN_VAL]);
894  len = sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * esn->bmp_len);
895  if ((sa->replay_state_esn = calloc (1, len)) == NULL)
896  {
897  err = -NLE_NOMEM;
898  goto errout;
899  }
900  memcpy ((void *)sa->replay_state_esn, (void *)esn, len);
901  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
902  }
903  else if (tb[XFRMA_REPLAY_VAL])
904  {
905  struct xfrm_replay_state* replay_state = nla_data (tb[XFRMA_REPLAY_VAL]);
906  sa->replay_state.oseq = replay_state->oseq;
907  sa->replay_state.seq = replay_state->seq;
908  sa->replay_state.bitmap = replay_state->bitmap;
909  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
910  sa->replay_state_esn = NULL;
911  }
912 
913  *result = sa;
914  return 0;
915 
916 errout:
917  xfrmnl_sa_put(sa);
918  return err;
919 }
920 
921 static int xfrm_sa_update_cache (struct nl_cache *cache, struct nl_object *obj,
922  change_func_t change_cb, change_func_v2_t change_cb_v2,
923  void *data)
924 {
925  struct nl_object* old_sa;
926  struct xfrmnl_sa* sa = (struct xfrmnl_sa*)obj;
927 
928  if (nl_object_get_msgtype (obj) == XFRM_MSG_EXPIRE)
929  {
930  /* On hard expiry, the SA gets deleted too from the kernel state without any
931  * further delete event. On Expire message, we are only updating the cache with
932  * the SA object's new state. In absence of the explicit delete event, the cache will
933  * be out of sync with the kernel state. To get around this, expiry messages cache
934  * operations are handled here (installed with NL_ACT_UNSPEC action) instead of
935  * in Libnl Cache module. */
936 
937  /* Do we already have this object in the cache? */
938  old_sa = nl_cache_search(cache, obj);
939  if (old_sa)
940  {
941  /* Found corresponding SA object in cache. Delete it */
942  nl_cache_remove (old_sa);
943  }
944 
945  /* Handle the expiry event now */
946  if (sa->hard == 0)
947  {
948  /* Soft expiry event: Save the new object to the
949  * cache and notify application of the expiry event. */
950  nl_cache_move (cache, obj);
951 
952  if (old_sa == NULL)
953  {
954  /* Application CB present, no previous instance of SA object present.
955  * Notify application CB as a NEW event */
956  if (change_cb_v2)
957  change_cb_v2(cache, NULL, obj, 0, NL_ACT_NEW, data);
958  else if (change_cb)
959  change_cb(cache, obj, NL_ACT_NEW, data);
960  }
961  else if (old_sa)
962  {
963  uint64_t diff = 0;
964  if (change_cb || change_cb_v2)
965  diff = nl_object_diff64(old_sa, obj);
966 
967  /* Application CB present, a previous instance of SA object present.
968  * Notify application CB as a CHANGE1 event */
969  if (diff) {
970  if (change_cb_v2) {
971  change_cb_v2(cache, old_sa, obj, diff, NL_ACT_CHANGE, data);
972  } else if (change_cb)
973  change_cb(cache, obj, NL_ACT_CHANGE, data);
974  }
975  nl_object_put (old_sa);
976  }
977  }
978  else
979  {
980  /* Hard expiry event: Delete the object from the
981  * cache and notify application of the expiry event. */
982  if (change_cb_v2)
983  change_cb_v2(cache, obj, NULL, 0, NL_ACT_DEL, data);
984  else if (change_cb)
985  change_cb (cache, obj, NL_ACT_DEL, data);
986  nl_object_put (old_sa);
987  }
988 
989  /* Done handling expire message */
990  return 0;
991  }
992  else
993  {
994  /* All other messages other than Expire, let the standard Libnl cache
995  * module handle it. */
996  if (change_cb_v2)
997  return nl_cache_include_v2(cache, obj, change_cb_v2, data);
998  else
999  return nl_cache_include (cache, obj, change_cb, data);
1000  }
1001 }
1002 
1003 static int xfrm_sa_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
1004  struct nlmsghdr *n, struct nl_parser_param *pp)
1005 {
1006  struct xfrmnl_sa* sa;
1007  int err;
1008 
1009  if ((err = xfrmnl_sa_parse(n, &sa)) < 0)
1010  return err;
1011 
1012  err = pp->pp_cb((struct nl_object *) sa, pp);
1013 
1014  xfrmnl_sa_put(sa);
1015  return err;
1016 }
1017 
1018 /**
1019  * @name XFRM SA Get
1020  * @{
1021  */
1022 
1023 int xfrmnl_sa_build_get_request(struct nl_addr* daddr, unsigned int spi, unsigned int protocol, unsigned int mark_v, unsigned int mark_m, struct nl_msg **result)
1024 {
1025  struct nl_msg *msg;
1026  struct xfrm_usersa_id sa_id;
1027  struct xfrm_mark mark;
1028 
1029  if (!daddr || !spi)
1030  {
1031  fprintf(stderr, "APPLICATION BUG: %s:%d:%s: A valid destination address, spi must be specified\n",
1032  __FILE__, __LINE__, __PRETTY_FUNCTION__);
1033  assert(0);
1034  return -NLE_MISSING_ATTR;
1035  }
1036 
1037  memset(&sa_id, 0, sizeof(sa_id));
1038  memcpy (&sa_id.daddr, nl_addr_get_binary_addr (daddr), sizeof (uint8_t) * nl_addr_get_len (daddr));
1039  sa_id.family = nl_addr_get_family (daddr);
1040  sa_id.spi = htonl(spi);
1041  sa_id.proto = protocol;
1042 
1043  if (!(msg = nlmsg_alloc_simple(XFRM_MSG_GETSA, 0)))
1044  return -NLE_NOMEM;
1045 
1046  if (nlmsg_append(msg, &sa_id, sizeof(sa_id), NLMSG_ALIGNTO) < 0)
1047  goto nla_put_failure;
1048 
1049  if ((mark_m & mark_v) != 0)
1050  {
1051  memset(&mark, 0, sizeof(struct xfrm_mark));
1052  mark.m = mark_m;
1053  mark.v = mark_v;
1054 
1055  NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &mark);
1056  }
1057 
1058  *result = msg;
1059  return 0;
1060 
1061 nla_put_failure:
1062  nlmsg_free(msg);
1063  return -NLE_MSGSIZE;
1064 }
1065 
1066 int xfrmnl_sa_get_kernel(struct nl_sock* sock, struct nl_addr* daddr, unsigned int spi, unsigned int protocol, unsigned int mark_v, unsigned int mark_m, struct xfrmnl_sa** result)
1067 {
1068  struct nl_msg *msg = NULL;
1069  struct nl_object *obj;
1070  int err;
1071 
1072  if ((err = xfrmnl_sa_build_get_request(daddr, spi, protocol, mark_m, mark_v, &msg)) < 0)
1073  return err;
1074 
1075  err = nl_send_auto(sock, msg);
1076  nlmsg_free(msg);
1077  if (err < 0)
1078  return err;
1079 
1080  if ((err = nl_pickup(sock, &xfrm_sa_msg_parser, &obj)) < 0)
1081  return err;
1082 
1083  /* We have used xfrm_sa_msg_parser(), object is definitely a xfrm sa */
1084  *result = (struct xfrmnl_sa *) obj;
1085 
1086  /* If an object has been returned, we also need to wait for the ACK */
1087  if (err == 0 && obj)
1088  nl_wait_for_ack(sock);
1089 
1090  return 0;
1091 }
1092 
1093 /** @} */
1094 
1095 static int build_xfrm_sa_message(struct xfrmnl_sa *tmpl, int cmd, int flags, struct nl_msg **result)
1096 {
1097  struct nl_msg* msg;
1098  struct xfrm_usersa_info sa_info;
1099  uint32_t len;
1100  struct nl_addr* addr;
1101 
1102  if (!(tmpl->ce_mask & XFRM_SA_ATTR_DADDR) ||
1103  !(tmpl->ce_mask & XFRM_SA_ATTR_SPI) ||
1104  !(tmpl->ce_mask & XFRM_SA_ATTR_PROTO))
1105  return -NLE_MISSING_ATTR;
1106 
1107  memset ((void*)&sa_info, 0, sizeof (sa_info));
1108  if (tmpl->ce_mask & XFRM_SA_ATTR_SEL)
1109  {
1110  addr = xfrmnl_sel_get_daddr (tmpl->sel);
1111  memcpy ((void*)&sa_info.sel.daddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
1112  addr = xfrmnl_sel_get_saddr (tmpl->sel);
1113  memcpy ((void*)&sa_info.sel.saddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
1114  sa_info.sel.dport = htons (xfrmnl_sel_get_dport (tmpl->sel));
1115  sa_info.sel.dport_mask = htons (xfrmnl_sel_get_dportmask (tmpl->sel));
1116  sa_info.sel.sport = htons (xfrmnl_sel_get_sport (tmpl->sel));
1117  sa_info.sel.sport_mask = htons (xfrmnl_sel_get_sportmask (tmpl->sel));
1118  sa_info.sel.family = xfrmnl_sel_get_family (tmpl->sel);
1119  sa_info.sel.prefixlen_d = xfrmnl_sel_get_prefixlen_d (tmpl->sel);
1120  sa_info.sel.prefixlen_s = xfrmnl_sel_get_prefixlen_s (tmpl->sel);
1121  sa_info.sel.proto = xfrmnl_sel_get_proto (tmpl->sel);
1122  sa_info.sel.ifindex = xfrmnl_sel_get_ifindex (tmpl->sel);
1123  sa_info.sel.user = xfrmnl_sel_get_userid (tmpl->sel);
1124  }
1125 
1126  memcpy (&sa_info.id.daddr, nl_addr_get_binary_addr (tmpl->id.daddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->id.daddr));
1127  sa_info.id.spi = htonl(tmpl->id.spi);
1128  sa_info.id.proto = tmpl->id.proto;
1129 
1130  if (tmpl->ce_mask & XFRM_SA_ATTR_SADDR)
1131  memcpy (&sa_info.saddr, nl_addr_get_binary_addr (tmpl->saddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->saddr));
1132 
1133  if (tmpl->ce_mask & XFRM_SA_ATTR_LTIME_CFG)
1134  {
1135  sa_info.lft.soft_byte_limit = xfrmnl_ltime_cfg_get_soft_bytelimit (tmpl->lft);
1136  sa_info.lft.hard_byte_limit = xfrmnl_ltime_cfg_get_hard_bytelimit (tmpl->lft);
1137  sa_info.lft.soft_packet_limit = xfrmnl_ltime_cfg_get_soft_packetlimit (tmpl->lft);
1138  sa_info.lft.hard_packet_limit = xfrmnl_ltime_cfg_get_hard_packetlimit (tmpl->lft);
1139  sa_info.lft.soft_add_expires_seconds = xfrmnl_ltime_cfg_get_soft_addexpires (tmpl->lft);
1140  sa_info.lft.hard_add_expires_seconds = xfrmnl_ltime_cfg_get_hard_addexpires (tmpl->lft);
1141  sa_info.lft.soft_use_expires_seconds = xfrmnl_ltime_cfg_get_soft_useexpires (tmpl->lft);
1142  sa_info.lft.hard_use_expires_seconds = xfrmnl_ltime_cfg_get_hard_useexpires (tmpl->lft);
1143  }
1144 
1145  //Skip current lifetime: cur lifetime can be updated only via AE
1146  //Skip stats: stats cant be updated
1147  //Skip seq: seq cant be updated
1148 
1149  if (tmpl->ce_mask & XFRM_SA_ATTR_REQID)
1150  sa_info.reqid = tmpl->reqid;
1151 
1152  if (tmpl->ce_mask & XFRM_SA_ATTR_FAMILY)
1153  sa_info.family = tmpl->family;
1154 
1155  if (tmpl->ce_mask & XFRM_SA_ATTR_MODE)
1156  sa_info.mode = tmpl->mode;
1157 
1158  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_WIN)
1159  sa_info.replay_window = tmpl->replay_window;
1160 
1161  if (tmpl->ce_mask & XFRM_SA_ATTR_FLAGS)
1162  sa_info.flags = tmpl->flags;
1163 
1164  msg = nlmsg_alloc_simple(cmd, flags);
1165  if (!msg)
1166  return -NLE_NOMEM;
1167 
1168  if (nlmsg_append(msg, &sa_info, sizeof(sa_info), NLMSG_ALIGNTO) < 0)
1169  goto nla_put_failure;
1170 
1171  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_AEAD) {
1172  len = sizeof (struct xfrm_algo_aead) + ((tmpl->aead->alg_key_len + 7) / 8);
1173  NLA_PUT (msg, XFRMA_ALG_AEAD, len, tmpl->aead);
1174  }
1175 
1176  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_AUTH) {
1177  /* kernel prefers XFRMA_ALG_AUTH_TRUNC over XFRMA_ALG_AUTH, so only
1178  * one of the attributes needs to be present */
1179  if (tmpl->auth->alg_trunc_len) {
1180  len = sizeof (struct xfrm_algo_auth) + ((tmpl->auth->alg_key_len + 7) / 8);
1181  NLA_PUT (msg, XFRMA_ALG_AUTH_TRUNC, len, tmpl->auth);
1182  } else {
1183  struct xfrm_algo *auth;
1184 
1185  len = sizeof (struct xfrm_algo) + ((tmpl->auth->alg_key_len + 7) / 8);
1186  auth = malloc(len);
1187  if (!auth) {
1188  nlmsg_free(msg);
1189  return -NLE_NOMEM;
1190  }
1191 
1192  strncpy(auth->alg_name, tmpl->auth->alg_name, sizeof(auth->alg_name));
1193  auth->alg_key_len = tmpl->auth->alg_key_len;
1194  memcpy(auth->alg_key, tmpl->auth->alg_key, (tmpl->auth->alg_key_len + 7) / 8);
1195  if (nla_put(msg, XFRMA_ALG_AUTH, len, auth) < 0) {
1196  free(auth);
1197  goto nla_put_failure;
1198  }
1199  free(auth);
1200  }
1201  }
1202 
1203  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_CRYPT) {
1204  len = sizeof (struct xfrm_algo) + ((tmpl->crypt->alg_key_len + 7) / 8);
1205  NLA_PUT (msg, XFRMA_ALG_CRYPT, len, tmpl->crypt);
1206  }
1207 
1208  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_COMP) {
1209  len = sizeof (struct xfrm_algo) + ((tmpl->comp->alg_key_len + 7) / 8);
1210  NLA_PUT (msg, XFRMA_ALG_COMP, len, tmpl->comp);
1211  }
1212 
1213  if (tmpl->ce_mask & XFRM_SA_ATTR_ENCAP) {
1214  struct xfrm_encap_tmpl* encap_tmpl;
1215  struct nlattr* encap_attr;
1216 
1217  len = sizeof (struct xfrm_encap_tmpl);
1218  encap_attr = nla_reserve(msg, XFRMA_ENCAP, len);
1219  if (!encap_attr)
1220  goto nla_put_failure;
1221  encap_tmpl = nla_data (encap_attr);
1222  encap_tmpl->encap_type = tmpl->encap->encap_type;
1223  encap_tmpl->encap_sport = htons (tmpl->encap->encap_sport);
1224  encap_tmpl->encap_dport = htons (tmpl->encap->encap_dport);
1225  memcpy (&encap_tmpl->encap_oa, nl_addr_get_binary_addr (tmpl->encap->encap_oa), sizeof (uint8_t) * nl_addr_get_len (tmpl->encap->encap_oa));
1226  }
1227 
1228  if (tmpl->ce_mask & XFRM_SA_ATTR_TFCPAD) {
1229  NLA_PUT_U32 (msg, XFRMA_TFCPAD, tmpl->tfcpad);
1230  }
1231 
1232  if (tmpl->ce_mask & XFRM_SA_ATTR_COADDR) {
1233  NLA_PUT (msg, XFRMA_COADDR, sizeof (xfrm_address_t), tmpl->coaddr);
1234  }
1235 
1236  if (tmpl->ce_mask & XFRM_SA_ATTR_MARK) {
1237  NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
1238  }
1239 
1240  if (tmpl->ce_mask & XFRM_SA_ATTR_SECCTX) {
1241  len = sizeof (struct xfrm_sec_ctx) + tmpl->sec_ctx->ctx_len;
1242  NLA_PUT (msg, XFRMA_SEC_CTX, len, tmpl->sec_ctx);
1243  }
1244 
1245  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_MAXAGE) {
1246  NLA_PUT_U32 (msg, XFRMA_ETIMER_THRESH, tmpl->replay_maxage);
1247  }
1248 
1249  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_MAXDIFF) {
1250  NLA_PUT_U32 (msg, XFRMA_REPLAY_THRESH, tmpl->replay_maxdiff);
1251  }
1252 
1253  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_STATE) {
1254  if (tmpl->replay_state_esn) {
1255  len = sizeof (struct xfrm_replay_state_esn) + (sizeof (uint32_t) * tmpl->replay_state_esn->bmp_len);
1256  NLA_PUT (msg, XFRMA_REPLAY_ESN_VAL, len, tmpl->replay_state_esn);
1257  }
1258  else {
1259  NLA_PUT (msg, XFRMA_REPLAY_VAL, sizeof (struct xfrm_replay_state), &tmpl->replay_state);
1260  }
1261  }
1262 
1263  *result = msg;
1264  return 0;
1265 
1266 nla_put_failure:
1267  nlmsg_free(msg);
1268  return -NLE_MSGSIZE;
1269 }
1270 
1271 /**
1272  * @name XFRM SA Add
1273  * @{
1274  */
1275 
1276 int xfrmnl_sa_build_add_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1277 {
1278  return build_xfrm_sa_message (tmpl, XFRM_MSG_NEWSA, flags, result);
1279 }
1280 
1281 int xfrmnl_sa_add(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1282 {
1283  int err;
1284  struct nl_msg *msg;
1285 
1286  if ((err = xfrmnl_sa_build_add_request(tmpl, flags, &msg)) < 0)
1287  return err;
1288 
1289  err = nl_send_auto_complete(sk, msg);
1290  nlmsg_free(msg);
1291  if (err < 0)
1292  return err;
1293 
1294  return nl_wait_for_ack(sk);
1295 }
1296 
1297 /**
1298  * @name XFRM SA Update
1299  * @{
1300  */
1301 
1302 int xfrmnl_sa_build_update_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1303 {
1304  return build_xfrm_sa_message (tmpl, XFRM_MSG_UPDSA, flags, result);
1305 }
1306 
1307 int xfrmnl_sa_update(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1308 {
1309  int err;
1310  struct nl_msg *msg;
1311 
1312  if ((err = xfrmnl_sa_build_update_request(tmpl, flags, &msg)) < 0)
1313  return err;
1314 
1315  err = nl_send_auto_complete(sk, msg);
1316  nlmsg_free(msg);
1317  if (err < 0)
1318  return err;
1319 
1320  return nl_wait_for_ack(sk);
1321 }
1322 
1323 /** @} */
1324 
1325 static int build_xfrm_sa_delete_message(struct xfrmnl_sa *tmpl, int cmd, int flags, struct nl_msg **result)
1326 {
1327  struct nl_msg* msg;
1328  struct xfrm_usersa_id sa_id;
1329 
1330  if (!(tmpl->ce_mask & XFRM_SA_ATTR_DADDR) ||
1331  !(tmpl->ce_mask & XFRM_SA_ATTR_SPI) ||
1332  !(tmpl->ce_mask & XFRM_SA_ATTR_PROTO))
1333  return -NLE_MISSING_ATTR;
1334 
1335  memcpy (&sa_id.daddr, nl_addr_get_binary_addr (tmpl->id.daddr),
1336  sizeof (uint8_t) * nl_addr_get_len (tmpl->id.daddr));
1337  sa_id.family = nl_addr_get_family (tmpl->id.daddr);
1338  sa_id.spi = htonl(tmpl->id.spi);
1339  sa_id.proto = tmpl->id.proto;
1340 
1341  msg = nlmsg_alloc_simple(cmd, flags);
1342  if (!msg)
1343  return -NLE_NOMEM;
1344 
1345  if (nlmsg_append(msg, &sa_id, sizeof(sa_id), NLMSG_ALIGNTO) < 0)
1346  goto nla_put_failure;
1347 
1348  if (tmpl->ce_mask & XFRM_SA_ATTR_MARK) {
1349  NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
1350  }
1351 
1352  *result = msg;
1353  return 0;
1354 
1355 nla_put_failure:
1356  nlmsg_free(msg);
1357  return -NLE_MSGSIZE;
1358 }
1359 
1360 /**
1361  * @name XFRM SA Delete
1362  * @{
1363  */
1364 
1365 int xfrmnl_sa_build_delete_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1366 {
1367  return build_xfrm_sa_delete_message (tmpl, XFRM_MSG_DELSA, flags, result);
1368 }
1369 
1370 int xfrmnl_sa_delete(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1371 {
1372  int err;
1373  struct nl_msg *msg;
1374 
1375  if ((err = xfrmnl_sa_build_delete_request(tmpl, flags, &msg)) < 0)
1376  return err;
1377 
1378  err = nl_send_auto_complete(sk, msg);
1379  nlmsg_free(msg);
1380  if (err < 0)
1381  return err;
1382 
1383  return nl_wait_for_ack(sk);
1384 }
1385 
1386 /** @} */
1387 
1388 
1389 /**
1390  * @name Attributes
1391  * @{
1392  */
1393 
1394 struct xfrmnl_sel* xfrmnl_sa_get_sel (struct xfrmnl_sa* sa)
1395 {
1396  if (sa->ce_mask & XFRM_SA_ATTR_SEL)
1397  return sa->sel;
1398  else
1399  return NULL;
1400 }
1401 
1402 int xfrmnl_sa_set_sel (struct xfrmnl_sa* sa, struct xfrmnl_sel* sel)
1403 {
1404  /* Release any previously held selector object from the SA */
1405  if (sa->sel)
1406  xfrmnl_sel_put (sa->sel);
1407 
1408  /* Increment ref count on new selector and save it in the SA */
1409  xfrmnl_sel_get (sel);
1410  sa->sel = sel;
1411  sa->ce_mask |= XFRM_SA_ATTR_SEL;
1412 
1413  return 0;
1414 }
1415 
1416 static inline int __assign_addr(struct xfrmnl_sa* sa, struct nl_addr **pos,
1417  struct nl_addr *new, int flag, int nocheck)
1418 {
1419  if (!nocheck)
1420  {
1421  if (sa->ce_mask & XFRM_SA_ATTR_FAMILY)
1422  {
1423  if (nl_addr_get_family (new) != sa->family)
1424  return -NLE_AF_MISMATCH;
1425  }
1426  }
1427 
1428  if (*pos)
1429  nl_addr_put(*pos);
1430 
1431  nl_addr_get(new);
1432  *pos = new;
1433 
1434  sa->ce_mask |= flag;
1435 
1436  return 0;
1437 }
1438 
1439 
1440 struct nl_addr* xfrmnl_sa_get_daddr (struct xfrmnl_sa* sa)
1441 {
1442  if (sa->ce_mask & XFRM_SA_ATTR_DADDR)
1443  return sa->id.daddr;
1444  else
1445  return NULL;
1446 }
1447 
1448 int xfrmnl_sa_set_daddr (struct xfrmnl_sa* sa, struct nl_addr* addr)
1449 {
1450  return __assign_addr(sa, &sa->id.daddr, addr, XFRM_SA_ATTR_DADDR, 0);
1451 }
1452 
1453 int xfrmnl_sa_get_spi (struct xfrmnl_sa* sa)
1454 {
1455  if (sa->ce_mask & XFRM_SA_ATTR_SPI)
1456  return sa->id.spi;
1457  else
1458  return -1;
1459 }
1460 
1461 int xfrmnl_sa_set_spi (struct xfrmnl_sa* sa, unsigned int spi)
1462 {
1463  sa->id.spi = spi;
1464  sa->ce_mask |= XFRM_SA_ATTR_SPI;
1465 
1466  return 0;
1467 }
1468 
1469 int xfrmnl_sa_get_proto (struct xfrmnl_sa* sa)
1470 {
1471  if (sa->ce_mask & XFRM_SA_ATTR_PROTO)
1472  return sa->id.proto;
1473  else
1474  return -1;
1475 }
1476 
1477 int xfrmnl_sa_set_proto (struct xfrmnl_sa* sa, unsigned int protocol)
1478 {
1479  sa->id.proto = protocol;
1480  sa->ce_mask |= XFRM_SA_ATTR_PROTO;
1481 
1482  return 0;
1483 }
1484 
1485 struct nl_addr* xfrmnl_sa_get_saddr (struct xfrmnl_sa* sa)
1486 {
1487  if (sa->ce_mask & XFRM_SA_ATTR_SADDR)
1488  return sa->saddr;
1489  else
1490  return NULL;
1491 }
1492 
1493 int xfrmnl_sa_set_saddr (struct xfrmnl_sa* sa, struct nl_addr* addr)
1494 {
1495  return __assign_addr(sa, &sa->saddr, addr, XFRM_SA_ATTR_SADDR, 1);
1496 }
1497 
1498 struct xfrmnl_ltime_cfg* xfrmnl_sa_get_lifetime_cfg (struct xfrmnl_sa* sa)
1499 {
1500  if (sa->ce_mask & XFRM_SA_ATTR_LTIME_CFG)
1501  return sa->lft;
1502  else
1503  return NULL;
1504 }
1505 
1506 int xfrmnl_sa_set_lifetime_cfg (struct xfrmnl_sa* sa, struct xfrmnl_ltime_cfg* ltime)
1507 {
1508  /* Release any previously held lifetime cfg object from the SA */
1509  if (sa->lft)
1510  xfrmnl_ltime_cfg_put (sa->lft);
1511 
1512  /* Increment ref count on new lifetime object and save it in the SA */
1513  xfrmnl_ltime_cfg_get (ltime);
1514  sa->lft = ltime;
1515  sa->ce_mask |= XFRM_SA_ATTR_LTIME_CFG;
1516 
1517  return 0;
1518 }
1519 
1520 int xfrmnl_sa_get_curlifetime (struct xfrmnl_sa* sa, unsigned long long int* curr_bytes,
1521  unsigned long long int* curr_packets, unsigned long long int* curr_add_time, unsigned long long int* curr_use_time)
1522 {
1523  if (sa == NULL || curr_bytes == NULL || curr_packets == NULL || curr_add_time == NULL || curr_use_time == NULL)
1524  return -1;
1525 
1526  if (sa->ce_mask & XFRM_SA_ATTR_LTIME_CUR)
1527  {
1528  *curr_bytes = sa->curlft.bytes;
1529  *curr_packets = sa->curlft.packets;
1530  *curr_add_time = sa->curlft.add_time;
1531  *curr_use_time = sa->curlft.use_time;
1532  }
1533  else
1534  return -1;
1535 
1536  return 0;
1537 }
1538 
1539 int xfrmnl_sa_get_stats (struct xfrmnl_sa* sa, unsigned long long int* replay_window,
1540  unsigned long long int* replay, unsigned long long int* integrity_failed)
1541 {
1542  if (sa == NULL || replay_window == NULL || replay == NULL || integrity_failed == NULL)
1543  return -1;
1544 
1545  if (sa->ce_mask & XFRM_SA_ATTR_STATS)
1546  {
1547  *replay_window = sa->stats.replay_window;
1548  *replay = sa->stats.replay;
1549  *integrity_failed = sa->stats.integrity_failed;
1550  }
1551  else
1552  return -1;
1553 
1554  return 0;
1555 }
1556 
1557 int xfrmnl_sa_get_seq (struct xfrmnl_sa* sa)
1558 {
1559  if (sa->ce_mask & XFRM_SA_ATTR_SEQ)
1560  return sa->seq;
1561  else
1562  return -1;
1563 }
1564 
1565 int xfrmnl_sa_get_reqid (struct xfrmnl_sa* sa)
1566 {
1567  if (sa->ce_mask & XFRM_SA_ATTR_REQID)
1568  return sa->reqid;
1569  else
1570  return -1;
1571 }
1572 
1573 int xfrmnl_sa_set_reqid (struct xfrmnl_sa* sa, unsigned int reqid)
1574 {
1575  sa->reqid = reqid;
1576  sa->ce_mask |= XFRM_SA_ATTR_REQID;
1577 
1578  return 0;
1579 }
1580 
1581 int xfrmnl_sa_get_family (struct xfrmnl_sa* sa)
1582 {
1583  if (sa->ce_mask & XFRM_SA_ATTR_FAMILY)
1584  return sa->family;
1585  else
1586  return -1;
1587 }
1588 
1589 int xfrmnl_sa_set_family (struct xfrmnl_sa* sa, unsigned int family)
1590 {
1591  sa->family = family;
1592  sa->ce_mask |= XFRM_SA_ATTR_FAMILY;
1593 
1594  return 0;
1595 }
1596 
1597 int xfrmnl_sa_get_mode (struct xfrmnl_sa* sa)
1598 {
1599  if (sa->ce_mask & XFRM_SA_ATTR_MODE)
1600  return sa->mode;
1601  else
1602  return -1;
1603 }
1604 
1605 int xfrmnl_sa_set_mode (struct xfrmnl_sa* sa, unsigned int mode)
1606 {
1607  sa->mode = mode;
1608  sa->ce_mask |= XFRM_SA_ATTR_MODE;
1609 
1610  return 0;
1611 }
1612 
1613 int xfrmnl_sa_get_replay_window (struct xfrmnl_sa* sa)
1614 {
1615  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_WIN)
1616  return sa->replay_window;
1617  else
1618  return -1;
1619 }
1620 
1621 int xfrmnl_sa_set_replay_window (struct xfrmnl_sa* sa, unsigned int replay_window)
1622 {
1623  sa->replay_window = replay_window;
1624  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_WIN;
1625 
1626  return 0;
1627 }
1628 
1629 int xfrmnl_sa_get_flags (struct xfrmnl_sa* sa)
1630 {
1631  if (sa->ce_mask & XFRM_SA_ATTR_FLAGS)
1632  return sa->flags;
1633  else
1634  return -1;
1635 }
1636 
1637 int xfrmnl_sa_set_flags (struct xfrmnl_sa* sa, unsigned int flags)
1638 {
1639  sa->flags = flags;
1640  sa->ce_mask |= XFRM_SA_ATTR_FLAGS;
1641 
1642  return 0;
1643 }
1644 
1645 /**
1646  * Get the aead-params
1647  * @arg sa the xfrmnl_sa object
1648  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1649  * @arg key_len an optional output value for the key length in bits.
1650  * @arg icv_len an optional output value for the alt-icv-len.
1651  * @arg key an optional buffer large enough for the key. It must contain at least
1652  * ((@key_len + 7) / 8) bytes.
1653  *
1654  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1655  * call xfrmnl_sa_get_aead_params() without @key argument to query only the required buffer size.
1656  * This modified API is available in all versions of libnl3 that support the capability
1657  * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1658  *
1659  * @return 0 on success or a negative error code.
1660  */
1661 int xfrmnl_sa_get_aead_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, unsigned int* icv_len, char* key)
1662 {
1663  if (sa->ce_mask & XFRM_SA_ATTR_ALG_AEAD)
1664  {
1665  if (alg_name)
1666  strcpy (alg_name, sa->aead->alg_name);
1667  if (key_len)
1668  *key_len = sa->aead->alg_key_len;
1669  if (icv_len)
1670  *icv_len = sa->aead->alg_icv_len;
1671  if (key)
1672  memcpy (key, sa->aead->alg_key, ((sa->aead->alg_key_len + 7)/8));
1673  }
1674  else
1675  return -1;
1676 
1677  return 0;
1678 }
1679 
1680 int xfrmnl_sa_set_aead_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, unsigned int icv_len, const char* key)
1681 {
1682  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1683  uint32_t newlen = sizeof (struct xfrmnl_algo_aead) + keysize;
1684 
1685  /* Free up the old key and allocate memory to hold new key */
1686  if (sa->aead)
1687  free (sa->aead);
1688  if (strlen (alg_name) >= sizeof (sa->aead->alg_name) || (sa->aead = calloc (1, newlen)) == NULL)
1689  return -1;
1690 
1691  /* Save the new info */
1692  strcpy (sa->aead->alg_name, alg_name);
1693  sa->aead->alg_key_len = key_len;
1694  sa->aead->alg_icv_len = icv_len;
1695  memcpy (sa->aead->alg_key, key, keysize);
1696 
1697  sa->ce_mask |= XFRM_SA_ATTR_ALG_AEAD;
1698 
1699  return 0;
1700 }
1701 
1702 /**
1703  * Get the auth-params
1704  * @arg sa the xfrmnl_sa object
1705  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1706  * @arg key_len an optional output value for the key length in bits.
1707  * @arg trunc_len an optional output value for the alg-trunc-len.
1708  * @arg key an optional buffer large enough for the key. It must contain at least
1709  * ((@key_len + 7) / 8) bytes.
1710  *
1711  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1712  * call xfrmnl_sa_get_auth_params() without @key argument to query only the required buffer size.
1713  * This modified API is available in all versions of libnl3 that support the capability
1714  * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1715  *
1716  * @return 0 on success or a negative error code.
1717  */
1718 int xfrmnl_sa_get_auth_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, unsigned int* trunc_len, char* key)
1719 {
1720  if (sa->ce_mask & XFRM_SA_ATTR_ALG_AUTH)
1721  {
1722  if (alg_name)
1723  strcpy (alg_name, sa->auth->alg_name);
1724  if (key_len)
1725  *key_len = sa->auth->alg_key_len;
1726  if (trunc_len)
1727  *trunc_len = sa->auth->alg_trunc_len;
1728  if (key)
1729  memcpy (key, sa->auth->alg_key, (sa->auth->alg_key_len + 7)/8);
1730  }
1731  else
1732  return -1;
1733 
1734  return 0;
1735 }
1736 
1737 int xfrmnl_sa_set_auth_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, unsigned int trunc_len, const char* key)
1738 {
1739  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1740  uint32_t newlen = sizeof (struct xfrmnl_algo_auth) + keysize;
1741 
1742  /* Free up the old auth data and allocate new one */
1743  if (sa->auth)
1744  free (sa->auth);
1745  if (strlen (alg_name) >= sizeof (sa->auth->alg_name) || (sa->auth = calloc (1, newlen)) == NULL)
1746  return -1;
1747 
1748  /* Save the new info */
1749  strcpy (sa->auth->alg_name, alg_name);
1750  sa->auth->alg_key_len = key_len;
1751  sa->auth->alg_trunc_len = trunc_len;
1752  memcpy (sa->auth->alg_key, key, keysize);
1753 
1754  sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
1755 
1756  return 0;
1757 }
1758 
1759 /**
1760  * Get the crypto-params
1761  * @arg sa the xfrmnl_sa object
1762  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1763  * @arg key_len an optional output value for the key length in bits.
1764  * @arg key an optional buffer large enough for the key. It must contain at least
1765  * ((@key_len + 7) / 8) bytes.
1766  *
1767  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1768  * call xfrmnl_sa_get_crypto_params() without @key argument to query only the required buffer size.
1769  * This modified API is available in all versions of libnl3 that support the capability
1770  * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1771  *
1772  * @return 0 on success or a negative error code.
1773  */
1774 int xfrmnl_sa_get_crypto_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, char* key)
1775 {
1776  if (sa->ce_mask & XFRM_SA_ATTR_ALG_CRYPT)
1777  {
1778  if (alg_name)
1779  strcpy (alg_name, sa->crypt->alg_name);
1780  if (key_len)
1781  *key_len = sa->crypt->alg_key_len;
1782  if (key)
1783  memcpy (key, sa->crypt->alg_key, ((sa->crypt->alg_key_len + 7)/8));
1784  }
1785  else
1786  return -1;
1787 
1788  return 0;
1789 }
1790 
1791 int xfrmnl_sa_set_crypto_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, const char* key)
1792 {
1793  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1794  uint32_t newlen = sizeof (struct xfrmnl_algo) + keysize;
1795 
1796  /* Free up the old crypto and allocate new one */
1797  if (sa->crypt)
1798  free (sa->crypt);
1799  if (strlen (alg_name) >= sizeof (sa->crypt->alg_name) || (sa->crypt = calloc (1, newlen)) == NULL)
1800  return -1;
1801 
1802  /* Save the new info */
1803  strcpy (sa->crypt->alg_name, alg_name);
1804  sa->crypt->alg_key_len = key_len;
1805  memcpy (sa->crypt->alg_key, key, keysize);
1806 
1807  sa->ce_mask |= XFRM_SA_ATTR_ALG_CRYPT;
1808 
1809  return 0;
1810 }
1811 
1812 /**
1813  * Get the comp-params
1814  * @arg sa the xfrmnl_sa object
1815  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1816  * @arg key_len an optional output value for the key length in bits.
1817  * @arg key an optional buffer large enough for the key. It must contain at least
1818  * ((@key_len + 7) / 8) bytes.
1819  *
1820  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1821  * call xfrmnl_sa_get_comp_params() without @key argument to query only the required buffer size.
1822  * This modified API is available in all versions of libnl3 that support the capability
1823  * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1824  *
1825  * @return 0 on success or a negative error code.
1826  */
1827 int xfrmnl_sa_get_comp_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, char* key)
1828 {
1829  if (sa->ce_mask & XFRM_SA_ATTR_ALG_COMP)
1830  {
1831  if (alg_name)
1832  strcpy (alg_name, sa->comp->alg_name);
1833  if (key_len)
1834  *key_len = sa->comp->alg_key_len;
1835  if (key)
1836  memcpy (key, sa->comp->alg_key, ((sa->comp->alg_key_len + 7)/8));
1837  }
1838  else
1839  return -1;
1840 
1841  return 0;
1842 }
1843 
1844 int xfrmnl_sa_set_comp_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, const char* key)
1845 {
1846  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1847  uint32_t newlen = sizeof (struct xfrmnl_algo) + keysize;
1848 
1849  /* Free up the old compression algo params and allocate new one */
1850  if (sa->comp)
1851  free (sa->comp);
1852  if (strlen (alg_name) >= sizeof (sa->comp->alg_name) || (sa->comp = calloc (1, newlen)) == NULL)
1853  return -1;
1854 
1855  /* Save the new info */
1856  strcpy (sa->comp->alg_name, alg_name);
1857  sa->comp->alg_key_len = key_len;
1858  memcpy (sa->comp->alg_key, key, keysize);
1859 
1860  sa->ce_mask |= XFRM_SA_ATTR_ALG_COMP;
1861 
1862  return 0;
1863 }
1864 
1865 int xfrmnl_sa_get_encap_tmpl (struct xfrmnl_sa* sa, unsigned int* encap_type, unsigned int* encap_sport, unsigned int* encap_dport, struct nl_addr** encap_oa)
1866 {
1867  if (sa->ce_mask & XFRM_SA_ATTR_ENCAP)
1868  {
1869  *encap_type = sa->encap->encap_type;
1870  *encap_sport = sa->encap->encap_sport;
1871  *encap_dport = sa->encap->encap_dport;
1872  *encap_oa = nl_addr_clone (sa->encap->encap_oa);
1873  }
1874  else
1875  return -1;
1876 
1877  return 0;
1878 }
1879 
1880 int xfrmnl_sa_set_encap_tmpl (struct xfrmnl_sa* sa, unsigned int encap_type, unsigned int encap_sport, unsigned int encap_dport, struct nl_addr* encap_oa)
1881 {
1882  if (sa->encap) {
1883  /* Free up the old encap OA */
1884  if (sa->encap->encap_oa)
1885  nl_addr_put(sa->encap->encap_oa);
1886  memset(sa->encap, 0, sizeof (*sa->encap));
1887  } else if ((sa->encap = calloc(1, sizeof(*sa->encap))) == NULL)
1888  return -1;
1889 
1890  /* Save the new info */
1891  sa->encap->encap_type = encap_type;
1892  sa->encap->encap_sport = encap_sport;
1893  sa->encap->encap_dport = encap_dport;
1894  nl_addr_get (encap_oa);
1895  sa->encap->encap_oa = encap_oa;
1896 
1897  sa->ce_mask |= XFRM_SA_ATTR_ENCAP;
1898 
1899  return 0;
1900 }
1901 
1902 int xfrmnl_sa_get_tfcpad (struct xfrmnl_sa* sa)
1903 {
1904  if (sa->ce_mask & XFRM_SA_ATTR_TFCPAD)
1905  return sa->tfcpad;
1906  else
1907  return -1;
1908 }
1909 
1910 int xfrmnl_sa_set_tfcpad (struct xfrmnl_sa* sa, unsigned int tfcpad)
1911 {
1912  sa->tfcpad = tfcpad;
1913  sa->ce_mask |= XFRM_SA_ATTR_TFCPAD;
1914 
1915  return 0;
1916 }
1917 
1918 struct nl_addr* xfrmnl_sa_get_coaddr (struct xfrmnl_sa* sa)
1919 {
1920  if (sa->ce_mask & XFRM_SA_ATTR_COADDR)
1921  return sa->coaddr;
1922  else
1923  return NULL;
1924 }
1925 
1926 int xfrmnl_sa_set_coaddr (struct xfrmnl_sa* sa, struct nl_addr* coaddr)
1927 {
1928  /* Free up the old coaddr */
1929  if (sa->coaddr)
1930  nl_addr_put (sa->coaddr);
1931 
1932  /* Save the new info */
1933  nl_addr_get (coaddr);
1934  sa->coaddr = coaddr;
1935 
1936  sa->ce_mask |= XFRM_SA_ATTR_COADDR;
1937 
1938  return 0;
1939 }
1940 
1941 int xfrmnl_sa_get_mark (struct xfrmnl_sa* sa, unsigned int* mark_mask, unsigned int* mark_value)
1942 {
1943  if (mark_mask == NULL || mark_value == NULL)
1944  return -1;
1945 
1946  if (sa->ce_mask & XFRM_SA_ATTR_MARK)
1947  {
1948  *mark_mask = sa->mark.m;
1949  *mark_value = sa->mark.v;
1950 
1951  return 0;
1952  }
1953  else
1954  return -1;
1955 }
1956 
1957 int xfrmnl_sa_set_mark (struct xfrmnl_sa* sa, unsigned int value, unsigned int mask)
1958 {
1959  sa->mark.v = value;
1960  sa->mark.m = mask;
1961  sa->ce_mask |= XFRM_SA_ATTR_MARK;
1962 
1963  return 0;
1964 }
1965 
1966 /**
1967  * Get the security context.
1968  *
1969  * @arg sa The xfrmnl_sa object.
1970  * @arg doi An optional output value for the security context domain of interpretation.
1971  * @arg alg An optional output value for the security context algorithm.
1972  * @arg len An optional output value for the security context length, including the
1973  * terminating null byte ('\0').
1974  * @arg sid Unused parameter.
1975  * @arg ctx_str An optional buffer large enough for the security context string. It must
1976  * contain at least @len bytes.
1977  *
1978  * Warning: you must ensure that @ctx_str is large enough. If you don't know the length before-hand,
1979  * call xfrmnl_sa_get_sec_ctx() without @ctx_str argument to query only the required buffer size.
1980  * This modified API is available in all versions of libnl3 that support the capability
1981  * @def NL_CAPABILITY_XFRM_SEC_CTX_LEN (@see nl_has_capability for further information).
1982  *
1983  * @return 0 on success or a negative error code.
1984  */
1985 int xfrmnl_sa_get_sec_ctx (struct xfrmnl_sa* sa, unsigned int* doi, unsigned int* alg,
1986  unsigned int* len, unsigned int* sid, char* ctx_str)
1987 {
1988  if (sa->ce_mask & XFRM_SA_ATTR_SECCTX)
1989  {
1990  if (doi)
1991  *doi = sa->sec_ctx->ctx_doi;
1992  if (alg)
1993  *alg = sa->sec_ctx->ctx_alg;
1994  if (len)
1995  *len = sa->sec_ctx->ctx_len;
1996  if (ctx_str)
1997  memcpy (ctx_str, sa->sec_ctx->ctx, sa->sec_ctx->ctx_len);
1998  }
1999  else
2000  return -1;
2001 
2002  return 0;
2003 }
2004 
2005 /**
2006  * Set the security context.
2007  *
2008  * @arg sa The xfrmnl_sa object.
2009  * @arg doi Parameter for the security context domain of interpretation.
2010  * @arg alg Parameter for the security context algorithm.
2011  * @arg len Parameter for the length of the security context string containing
2012  * the terminating null byte ('\0').
2013  * @arg sid Unused parameter.
2014  * @arg ctx_str Buffer containing the security context string.
2015  *
2016  * @return 0 on success or a negative error code.
2017  */
2018 int xfrmnl_sa_set_sec_ctx (struct xfrmnl_sa* sa, unsigned int doi, unsigned int alg, unsigned int len,
2019  unsigned int sid, const char* ctx_str)
2020 {
2021  /* Free up the old context string and allocate new one */
2022  if (sa->sec_ctx)
2023  free (sa->sec_ctx);
2024  if ((sa->sec_ctx = calloc(1, sizeof (struct xfrmnl_user_sec_ctx) + 1 + len)) == NULL)
2025  return -1;
2026 
2027  /* Save the new info */
2028  sa->sec_ctx->len = sizeof(struct xfrmnl_user_sec_ctx) + len;
2029  sa->sec_ctx->exttype = XFRMA_SEC_CTX;
2030  sa->sec_ctx->ctx_alg = alg;
2031  sa->sec_ctx->ctx_doi = doi;
2032  sa->sec_ctx->ctx_len = len;
2033  memcpy (sa->sec_ctx->ctx, ctx_str, len);
2034  sa->sec_ctx->ctx[len] = '\0';
2035 
2036  sa->ce_mask |= XFRM_SA_ATTR_SECCTX;
2037 
2038  return 0;
2039 }
2040 
2041 
2042 int xfrmnl_sa_get_replay_maxage (struct xfrmnl_sa* sa)
2043 {
2044  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_MAXAGE)
2045  return sa->replay_maxage;
2046  else
2047  return -1;
2048 }
2049 
2050 int xfrmnl_sa_set_replay_maxage (struct xfrmnl_sa* sa, unsigned int replay_maxage)
2051 {
2052  sa->replay_maxage = replay_maxage;
2053  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXAGE;
2054 
2055  return 0;
2056 }
2057 
2058 int xfrmnl_sa_get_replay_maxdiff (struct xfrmnl_sa* sa)
2059 {
2060  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_MAXDIFF)
2061  return sa->replay_maxdiff;
2062  else
2063  return -1;
2064 }
2065 
2066 int xfrmnl_sa_set_replay_maxdiff (struct xfrmnl_sa* sa, unsigned int replay_maxdiff)
2067 {
2068  sa->replay_maxdiff = replay_maxdiff;
2069  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXDIFF;
2070 
2071  return 0;
2072 }
2073 
2074 int xfrmnl_sa_get_replay_state (struct xfrmnl_sa* sa, unsigned int* oseq, unsigned int* seq, unsigned int* bmp)
2075 {
2076  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
2077  {
2078  if (sa->replay_state_esn == NULL)
2079  {
2080  *oseq = sa->replay_state.oseq;
2081  *seq = sa->replay_state.seq;
2082  *bmp = sa->replay_state.bitmap;
2083 
2084  return 0;
2085  }
2086  else
2087  {
2088  return -1;
2089  }
2090  }
2091  else
2092  return -1;
2093 }
2094 
2095 int xfrmnl_sa_set_replay_state (struct xfrmnl_sa* sa, unsigned int oseq, unsigned int seq, unsigned int bitmap)
2096 {
2097  sa->replay_state.oseq = oseq;
2098  sa->replay_state.seq = seq;
2099  sa->replay_state.bitmap = bitmap;
2100  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
2101 
2102  return 0;
2103 }
2104 
2105 int xfrmnl_sa_get_replay_state_esn (struct xfrmnl_sa* sa, unsigned int* oseq, unsigned int* seq, unsigned int* oseq_hi,
2106  unsigned int* seq_hi, unsigned int* replay_window, unsigned int* bmp_len, unsigned int* bmp)
2107 {
2108  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
2109  {
2110  if (sa->replay_state_esn)
2111  {
2112  *oseq = sa->replay_state_esn->oseq;
2113  *seq = sa->replay_state_esn->seq;
2114  *oseq_hi= sa->replay_state_esn->oseq_hi;
2115  *seq_hi = sa->replay_state_esn->seq_hi;
2116  *replay_window = sa->replay_state_esn->replay_window;
2117  *bmp_len = sa->replay_state_esn->bmp_len; // In number of 32 bit words
2118  memcpy (bmp, sa->replay_state_esn->bmp, sa->replay_state_esn->bmp_len * sizeof (uint32_t));
2119 
2120  return 0;
2121  }
2122  else
2123  {
2124  return -1;
2125  }
2126  }
2127  else
2128  return -1;
2129 }
2130 
2131 int xfrmnl_sa_set_replay_state_esn (struct xfrmnl_sa* sa, unsigned int oseq, unsigned int seq,
2132  unsigned int oseq_hi, unsigned int seq_hi, unsigned int replay_window,
2133  unsigned int bmp_len, unsigned int* bmp)
2134 {
2135  /* Free the old replay state and allocate space to hold new one */
2136  if (sa->replay_state_esn)
2137  free (sa->replay_state_esn);
2138 
2139  if ((sa->replay_state_esn = calloc (1, sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * bmp_len))) == NULL)
2140  return -1;
2141  sa->replay_state_esn->oseq = oseq;
2142  sa->replay_state_esn->seq = seq;
2143  sa->replay_state_esn->oseq_hi = oseq_hi;
2144  sa->replay_state_esn->seq_hi = seq_hi;
2145  sa->replay_state_esn->replay_window = replay_window;
2146  sa->replay_state_esn->bmp_len = bmp_len; // In number of 32 bit words
2147  memcpy (sa->replay_state_esn->bmp, bmp, bmp_len * sizeof (uint32_t));
2148  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
2149 
2150  return 0;
2151 }
2152 
2153 
2154 int xfrmnl_sa_is_hardexpiry_reached (struct xfrmnl_sa* sa)
2155 {
2156  if (sa->ce_mask & XFRM_SA_ATTR_EXPIRE)
2157  return (sa->hard > 0 ? 1: 0);
2158  else
2159  return 0;
2160 }
2161 
2162 int xfrmnl_sa_is_expiry_reached (struct xfrmnl_sa* sa)
2163 {
2164  if (sa->ce_mask & XFRM_SA_ATTR_EXPIRE)
2165  return 1;
2166  else
2167  return 0;
2168 }
2169 
2170 /** @} */
2171 
2172 static struct nl_object_ops xfrm_sa_obj_ops = {
2173  .oo_name = "xfrm/sa",
2174  .oo_size = sizeof(struct xfrmnl_sa),
2175  .oo_constructor = xfrm_sa_alloc_data,
2176  .oo_free_data = xfrm_sa_free_data,
2177  .oo_clone = xfrm_sa_clone,
2178  .oo_dump = {
2179  [NL_DUMP_LINE] = xfrm_sa_dump_line,
2180  [NL_DUMP_DETAILS] = xfrm_sa_dump_details,
2181  [NL_DUMP_STATS] = xfrm_sa_dump_stats,
2182  },
2183  .oo_compare = xfrm_sa_compare,
2184  .oo_attrs2str = xfrm_sa_attrs2str,
2185  .oo_id_attrs = (XFRM_SA_ATTR_DADDR | XFRM_SA_ATTR_SPI | XFRM_SA_ATTR_PROTO),
2186 };
2187 
2188 static struct nl_af_group xfrm_sa_groups[] = {
2189  { AF_UNSPEC, XFRMNLGRP_SA },
2190  { AF_UNSPEC, XFRMNLGRP_EXPIRE },
2191  { END_OF_GROUP_LIST },
2192 };
2193 
2194 static struct nl_cache_ops xfrmnl_sa_ops = {
2195  .co_name = "xfrm/sa",
2196  .co_hdrsize = sizeof(struct xfrm_usersa_info),
2197  .co_msgtypes = {
2198  { XFRM_MSG_NEWSA, NL_ACT_NEW, "new" },
2199  { XFRM_MSG_DELSA, NL_ACT_DEL, "del" },
2200  { XFRM_MSG_GETSA, NL_ACT_GET, "get" },
2201  { XFRM_MSG_EXPIRE, NL_ACT_UNSPEC, "expire"},
2202  { XFRM_MSG_UPDSA, NL_ACT_NEW, "update"},
2203  END_OF_MSGTYPES_LIST,
2204  },
2205  .co_protocol = NETLINK_XFRM,
2206  .co_groups = xfrm_sa_groups,
2207  .co_request_update = xfrm_sa_request_update,
2208  .co_msg_parser = xfrm_sa_msg_parser,
2209  .co_obj_ops = &xfrm_sa_obj_ops,
2210  .co_include_event = &xfrm_sa_update_cache
2211 };
2212 
2213 /**
2214  * @name XFRM SA Cache Managament
2215  * @{
2216  */
2217 
2218 static void __attribute__ ((constructor)) xfrm_sa_init(void)
2219 {
2220  nl_cache_mngt_register(&xfrmnl_sa_ops);
2221 }
2222 
2223 static void __attribute__ ((destructor)) xfrm_sa_exit(void)
2224 {
2225  nl_cache_mngt_unregister(&xfrmnl_sa_ops);
2226 }
2227 
2228 /** @} */
int nl_send_auto_complete(struct nl_sock *sk, struct nl_msg *msg)
Definition: nl.c:1247
struct nl_addr * nl_addr_clone(const struct nl_addr *addr)
Clone existing abstract address object.
Definition: addr.c:471
Dump object briefly on one line.
Definition: types.h:22
void nl_addr_set_prefixlen(struct nl_addr *addr, int prefixlen)
Set the prefix length of an abstract address.
Definition: addr.c:929
void nlmsg_free(struct nl_msg *msg)
Release a reference from an netlink message.
Definition: msg.c:562
int nl_addr_cmp(const struct nl_addr *a, const struct nl_addr *b)
Compare abstract addresses.
Definition: addr.c:563
void * nlmsg_data(const struct nlmsghdr *nlh)
Return pointer to message payload.
Definition: msg.c:106
struct nl_object * nl_object_alloc(struct nl_object_ops *ops)
Allocate a new object of kind specified by the operations handle.
Definition: object.c:54
int nl_cache_mngt_unregister(struct nl_cache_ops *ops)
Unregister a set of cache operations.
Definition: cache_mngt.c:287
Attribute validation policy.
Definition: attr.h:69
void nl_object_get(struct nl_object *obj)
Acquire a reference on a object.
Definition: object.c:204
struct nl_addr * nl_addr_build(int family, const void *buf, size_t size)
Allocate abstract address based on a binary address.
Definition: addr.c:216
int nl_pickup(struct nl_sock *sk, int(*parser)(struct nl_cache_ops *, struct sockaddr_nl *, struct nlmsghdr *, struct nl_parser_param *), struct nl_object **result)
Pickup netlink answer, parse is and return object.
Definition: nl.c:1178
int nlmsg_parse(struct nlmsghdr *nlh, int hdrlen, struct nlattr *tb[], int maxtype, struct nla_policy *policy)
parse attributes of a netlink message
Definition: msg.c:214
struct xfrmnl_ltime_cfg * xfrmnl_ltime_cfg_clone(struct xfrmnl_ltime_cfg *ltime)
Clone existing lifetime config object.
Definition: lifetime.c:94
struct nlattr * nla_reserve(struct nl_msg *msg, int attrtype, int attrlen)
Reserve space for a attribute.
Definition: attr.c:456
struct nl_addr * nl_addr_get(struct nl_addr *addr)
Increase the reference counter of an abstract address.
Definition: addr.c:501
Dump all attributes but no statistics.
Definition: types.h:23
uint64_t nl_object_diff64(struct nl_object *a, struct nl_object *b)
Compute bitmask representing difference in attribute values.
Definition: object.c:361
int nl_cache_mngt_register(struct nl_cache_ops *ops)
Register a set of cache operations.
Definition: cache_mngt.c:252
struct nl_object * nl_cache_search(struct nl_cache *cache, struct nl_object *needle)
Search object in cache.
Definition: cache.c:1113
#define NLA_PUT(msg, attrtype, attrlen, data)
Add unspecific attribute to netlink message.
Definition: attr.h:164
int nl_object_get_msgtype(const struct nl_object *obj)
Return the netlink message type the object was derived from.
Definition: object.c:529
void nl_cache_remove(struct nl_object *obj)
Remove object from cache.
Definition: cache.c:551
void * nla_data(const struct nlattr *nla)
Return pointer to the payload section.
Definition: attr.c:120
int xfrmnl_sel_cmp(struct xfrmnl_sel *a, struct xfrmnl_sel *b)
Compares two selector objects.
Definition: selector.c:161
#define NLA_PUT_U32(msg, attrtype, value)
Add 32 bit integer attribute to netlink message.
Definition: attr.h:235
uint16_t minlen
Minimal length of payload required.
Definition: attr.h:74
int nl_send_simple(struct nl_sock *sk, int type, int flags, void *buf, size_t size)
Construct and transmit a Netlink message.
Definition: nl.c:580
struct nl_object * nl_cache_get_next(struct nl_object *obj)
Return the next element in the cache.
Definition: cache.c:145
int nlmsg_append(struct nl_msg *n, void *data, size_t len, int pad)
Append data to tail of a netlink message.
Definition: msg.c:446
int nl_wait_for_ack(struct nl_sock *sk)
Wait for ACK.
Definition: nl.c:1112
void nl_object_put(struct nl_object *obj)
Release a reference from an object.
Definition: object.c:215
int nl_cache_move(struct nl_cache *cache, struct nl_object *obj)
Move object from one cache to another.
Definition: cache.c:523
void nl_addr_put(struct nl_addr *addr)
Decrease the reference counter of an abstract address.
Definition: addr.c:517
struct nl_msg * nlmsg_alloc_simple(int nlmsgtype, int flags)
Allocate a new netlink message.
Definition: msg.c:347
struct xfrmnl_sel * xfrmnl_sel_alloc()
Allocate new selector object.
Definition: selector.c:77
32 bit integer
Definition: attr.h:43
struct xfrmnl_sel * xfrmnl_sel_clone(struct xfrmnl_sel *sel)
Clone existing selector object.
Definition: selector.c:96
struct xfrmnl_ltime_cfg * xfrmnl_ltime_cfg_alloc()
Allocate new lifetime config object.
Definition: lifetime.c:75
Dumping parameters.
Definition: types.h:33
int xfrmnl_ltime_cfg_cmp(struct xfrmnl_ltime_cfg *a, struct xfrmnl_ltime_cfg *b)
Compares two lifetime config objects.
Definition: lifetime.c:155
void nl_dump(struct nl_dump_params *params, const char *fmt,...)
Dump a formatted character string.
Definition: utils.c:961
int nl_send_auto(struct nl_sock *sk, struct nl_msg *msg)
Finalize and transmit Netlink message.
Definition: nl.c:516
int nla_put(struct nl_msg *msg, int attrtype, int datalen, const void *data)
Add a unspecific attribute to netlink message.
Definition: attr.c:500
unsigned int nl_addr_get_len(const struct nl_addr *addr)
Get length of binary address of abstract address object.
Definition: addr.c:917
Dump all attributes including statistics.
Definition: types.h:24
struct nl_object * nl_cache_get_first(struct nl_cache *cache)
Return the first element in the cache.
Definition: cache.c:119
void * nl_addr_get_binary_addr(const struct nl_addr *addr)
Get binary address of abstract address object.
Definition: addr.c:905
int nl_cache_alloc_and_fill(struct nl_cache_ops *ops, struct nl_sock *sock, struct nl_cache **result)
Allocate new cache and fill it.
Definition: cache.c:233
char * nl_addr2str(const struct nl_addr *addr, char *buf, size_t size)
Convert abstract address object to character string.
Definition: addr.c:963
int nl_addr_get_family(const struct nl_addr *addr)
Return address family.
Definition: addr.c:857