libnl  3.5.0
sa.c
1 /* SPDX-License-Identifier: LGPL-2.1-only */
2 /*
3  * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
4  *
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * Redistributions of source code must retain the above copyright
11  * notice, this list of conditions and the following disclaimer.
12  *
13  * Redistributions in binary form must reproduce the above copyright
14  * notice, this list of conditions and the following disclaimer in the
15  * documentation and/or other materials provided with the
16  * distribution.
17  *
18  * Neither the name of Texas Instruments Incorporated nor the names of
19  * its contributors may be used to endorse or promote products derived
20  * from this software without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
24  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
25  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
26  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
27  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
28  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
32  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33  *
34  */
35 
36 /**
37  * @ingroup xfrmnl
38  * @defgroup sa Security Association
39  * @brief
40  */
41 
42 #include <netlink-private/netlink.h>
43 #include <netlink/netlink.h>
44 #include <netlink/cache.h>
45 #include <netlink/object.h>
46 #include <netlink/xfrm/sa.h>
47 #include <netlink/xfrm/selector.h>
48 #include <netlink/xfrm/lifetime.h>
49 #include <time.h>
50 
51 #include "netlink-private/utils.h"
52 
53 /** @cond SKIP */
54 #define XFRM_SA_ATTR_SEL 0x01
55 #define XFRM_SA_ATTR_DADDR 0x02
56 #define XFRM_SA_ATTR_SPI 0x04
57 #define XFRM_SA_ATTR_PROTO 0x08
58 #define XFRM_SA_ATTR_SADDR 0x10
59 #define XFRM_SA_ATTR_LTIME_CFG 0x20
60 #define XFRM_SA_ATTR_LTIME_CUR 0x40
61 #define XFRM_SA_ATTR_STATS 0x80
62 #define XFRM_SA_ATTR_SEQ 0x100
63 #define XFRM_SA_ATTR_REQID 0x200
64 #define XFRM_SA_ATTR_FAMILY 0x400
65 #define XFRM_SA_ATTR_MODE 0x800
66 #define XFRM_SA_ATTR_REPLAY_WIN 0x1000
67 #define XFRM_SA_ATTR_FLAGS 0x2000
68 #define XFRM_SA_ATTR_ALG_AEAD 0x4000
69 #define XFRM_SA_ATTR_ALG_AUTH 0x8000
70 #define XFRM_SA_ATTR_ALG_CRYPT 0x10000
71 #define XFRM_SA_ATTR_ALG_COMP 0x20000
72 #define XFRM_SA_ATTR_ENCAP 0x40000
73 #define XFRM_SA_ATTR_TFCPAD 0x80000
74 #define XFRM_SA_ATTR_COADDR 0x100000
75 #define XFRM_SA_ATTR_MARK 0x200000
76 #define XFRM_SA_ATTR_SECCTX 0x400000
77 #define XFRM_SA_ATTR_REPLAY_MAXAGE 0x800000
78 #define XFRM_SA_ATTR_REPLAY_MAXDIFF 0x1000000
79 #define XFRM_SA_ATTR_REPLAY_STATE 0x2000000
80 #define XFRM_SA_ATTR_EXPIRE 0x4000000
81 
82 static struct nl_cache_ops xfrmnl_sa_ops;
83 static struct nl_object_ops xfrm_sa_obj_ops;
84 /** @endcond */
85 
86 static void xfrm_sa_alloc_data(struct nl_object *c)
87 {
88  struct xfrmnl_sa* sa = nl_object_priv (c);
89 
90  if ((sa->sel = xfrmnl_sel_alloc ()) == NULL)
91  return;
92 
93  if ((sa->lft = xfrmnl_ltime_cfg_alloc ()) == NULL)
94  return;
95 }
96 
97 static void xfrm_sa_free_data(struct nl_object *c)
98 {
99  struct xfrmnl_sa* sa = nl_object_priv (c);
100 
101  if (sa == NULL)
102  return;
103 
104  xfrmnl_sel_put (sa->sel);
105  xfrmnl_ltime_cfg_put (sa->lft);
106  nl_addr_put (sa->id.daddr);
107  nl_addr_put (sa->saddr);
108 
109  if (sa->aead)
110  free (sa->aead);
111  if (sa->auth)
112  free (sa->auth);
113  if (sa->crypt)
114  free (sa->crypt);
115  if (sa->comp)
116  free (sa->comp);
117  if (sa->encap) {
118  if (sa->encap->encap_oa)
119  nl_addr_put(sa->encap->encap_oa);
120  free(sa->encap);
121  }
122  if (sa->coaddr)
123  nl_addr_put (sa->coaddr);
124  if (sa->sec_ctx)
125  free (sa->sec_ctx);
126  if (sa->replay_state_esn)
127  free (sa->replay_state_esn);
128 }
129 
130 static int xfrm_sa_clone(struct nl_object *_dst, struct nl_object *_src)
131 {
132  struct xfrmnl_sa* dst = nl_object_priv(_dst);
133  struct xfrmnl_sa* src = nl_object_priv(_src);
134  uint32_t len = 0;
135 
136  if (src->sel)
137  if ((dst->sel = xfrmnl_sel_clone (src->sel)) == NULL)
138  return -NLE_NOMEM;
139 
140  if (src->lft)
141  if ((dst->lft = xfrmnl_ltime_cfg_clone (src->lft)) == NULL)
142  return -NLE_NOMEM;
143 
144  if (src->id.daddr)
145  if ((dst->id.daddr = nl_addr_clone (src->id.daddr)) == NULL)
146  return -NLE_NOMEM;
147 
148  if (src->saddr)
149  if ((dst->saddr = nl_addr_clone (src->saddr)) == NULL)
150  return -NLE_NOMEM;
151 
152  if (src->aead)
153  {
154  len = sizeof (struct xfrmnl_algo_aead) + ((src->aead->alg_key_len + 7) / 8);
155  if ((dst->aead = calloc (1, len)) == NULL)
156  return -NLE_NOMEM;
157  memcpy ((void *)dst->aead, (void *)src->aead, len);
158  }
159 
160  if (src->auth)
161  {
162  len = sizeof (struct xfrmnl_algo_auth) + ((src->auth->alg_key_len + 7) / 8);
163  if ((dst->auth = calloc (1, len)) == NULL)
164  return -NLE_NOMEM;
165  memcpy ((void *)dst->auth, (void *)src->auth, len);
166  }
167 
168  if (src->crypt)
169  {
170  len = sizeof (struct xfrmnl_algo) + ((src->crypt->alg_key_len + 7) / 8);
171  if ((dst->crypt = calloc (1, len)) == NULL)
172  return -NLE_NOMEM;
173  memcpy ((void *)dst->crypt, (void *)src->crypt, len);
174  }
175 
176  if (src->comp)
177  {
178  len = sizeof (struct xfrmnl_algo) + ((src->comp->alg_key_len + 7) / 8);
179  if ((dst->comp = calloc (1, len)) == NULL)
180  return -NLE_NOMEM;
181  memcpy ((void *)dst->comp, (void *)src->comp, len);
182  }
183 
184  if (src->encap)
185  {
186  len = sizeof (struct xfrmnl_encap_tmpl);
187  if ((dst->encap = calloc (1, len)) == NULL)
188  return -NLE_NOMEM;
189  memcpy ((void *)dst->encap, (void *)src->encap, len);
190  }
191 
192  if (src->coaddr)
193  if ((dst->coaddr = nl_addr_clone (src->coaddr)) == NULL)
194  return -NLE_NOMEM;
195 
196  if (src->sec_ctx)
197  {
198  len = sizeof (*src->sec_ctx) + src->sec_ctx->ctx_len;
199  if ((dst->sec_ctx = calloc (1, len)) == NULL)
200  return -NLE_NOMEM;
201  memcpy ((void *)dst->sec_ctx, (void *)src->sec_ctx, len);
202  }
203 
204  if (src->replay_state_esn)
205  {
206  len = sizeof (struct xfrmnl_replay_state_esn) + (src->replay_state_esn->bmp_len * sizeof (uint32_t));
207  if ((dst->replay_state_esn = calloc (1, len)) == NULL)
208  return -NLE_NOMEM;
209  memcpy ((void *)dst->replay_state_esn, (void *)src->replay_state_esn, len);
210  }
211 
212  return 0;
213 }
214 
215 static uint64_t xfrm_sa_compare(struct nl_object *_a, struct nl_object *_b,
216  uint64_t attrs, int flags)
217 {
218  struct xfrmnl_sa* a = (struct xfrmnl_sa *) _a;
219  struct xfrmnl_sa* b = (struct xfrmnl_sa *) _b;
220  uint64_t diff = 0;
221  int found = 0;
222 
223 #define XFRM_SA_DIFF(ATTR, EXPR) ATTR_DIFF(attrs, XFRM_SA_ATTR_##ATTR, a, b, EXPR)
224  diff |= XFRM_SA_DIFF(SEL, xfrmnl_sel_cmp(a->sel, b->sel));
225  diff |= XFRM_SA_DIFF(DADDR, nl_addr_cmp(a->id.daddr, b->id.daddr));
226  diff |= XFRM_SA_DIFF(SPI, a->id.spi != b->id.spi);
227  diff |= XFRM_SA_DIFF(PROTO, a->id.proto != b->id.proto);
228  diff |= XFRM_SA_DIFF(SADDR, nl_addr_cmp(a->saddr, b->saddr));
229  diff |= XFRM_SA_DIFF(LTIME_CFG, xfrmnl_ltime_cfg_cmp(a->lft, b->lft));
230  diff |= XFRM_SA_DIFF(REQID, a->reqid != b->reqid);
231  diff |= XFRM_SA_DIFF(FAMILY,a->family != b->family);
232  diff |= XFRM_SA_DIFF(MODE,a->mode != b->mode);
233  diff |= XFRM_SA_DIFF(REPLAY_WIN,a->replay_window != b->replay_window);
234  diff |= XFRM_SA_DIFF(FLAGS,a->flags != b->flags);
235  diff |= XFRM_SA_DIFF(ALG_AEAD,(strcmp(a->aead->alg_name, b->aead->alg_name) ||
236  (a->aead->alg_key_len != b->aead->alg_key_len) ||
237  (a->aead->alg_icv_len != b->aead->alg_icv_len) ||
238  memcmp(a->aead->alg_key, b->aead->alg_key,
239  ((a->aead->alg_key_len + 7)/8))));
240  diff |= XFRM_SA_DIFF(ALG_AUTH,(strcmp(a->auth->alg_name, b->auth->alg_name) ||
241  (a->auth->alg_key_len != b->auth->alg_key_len) ||
242  (a->auth->alg_trunc_len != b->auth->alg_trunc_len) ||
243  memcmp(a->auth->alg_key, b->auth->alg_key,
244  ((a->auth->alg_key_len + 7)/8))));
245  diff |= XFRM_SA_DIFF(ALG_CRYPT,(strcmp(a->crypt->alg_name, b->crypt->alg_name) ||
246  (a->crypt->alg_key_len != b->crypt->alg_key_len) ||
247  memcmp(a->crypt->alg_key, b->crypt->alg_key,
248  ((a->crypt->alg_key_len + 7)/8))));
249  diff |= XFRM_SA_DIFF(ALG_COMP,(strcmp(a->comp->alg_name, b->comp->alg_name) ||
250  (a->comp->alg_key_len != b->comp->alg_key_len) ||
251  memcmp(a->comp->alg_key, b->comp->alg_key,
252  ((a->comp->alg_key_len + 7)/8))));
253  diff |= XFRM_SA_DIFF(ENCAP,((a->encap->encap_type != b->encap->encap_type) ||
254  (a->encap->encap_sport != b->encap->encap_sport) ||
255  (a->encap->encap_dport != b->encap->encap_dport) ||
256  nl_addr_cmp(a->encap->encap_oa, b->encap->encap_oa)));
257  diff |= XFRM_SA_DIFF(TFCPAD,a->tfcpad != b->tfcpad);
258  diff |= XFRM_SA_DIFF(COADDR,nl_addr_cmp(a->coaddr, b->coaddr));
259  diff |= XFRM_SA_DIFF(MARK,(a->mark.m != b->mark.m) ||
260  (a->mark.v != b->mark.v));
261  diff |= XFRM_SA_DIFF(SECCTX,((a->sec_ctx->ctx_doi != b->sec_ctx->ctx_doi) ||
262  (a->sec_ctx->ctx_alg != b->sec_ctx->ctx_alg) ||
263  (a->sec_ctx->ctx_len != b->sec_ctx->ctx_len) ||
264  strcmp(a->sec_ctx->ctx, b->sec_ctx->ctx)));
265  diff |= XFRM_SA_DIFF(REPLAY_MAXAGE,a->replay_maxage != b->replay_maxage);
266  diff |= XFRM_SA_DIFF(REPLAY_MAXDIFF,a->replay_maxdiff != b->replay_maxdiff);
267  diff |= XFRM_SA_DIFF(EXPIRE,a->hard != b->hard);
268 
269  /* Compare replay states */
270  found = AVAILABLE_MISMATCH (a, b, XFRM_SA_ATTR_REPLAY_STATE);
271  if (found == 0) // attribute exists in both objects
272  {
273  if (((a->replay_state_esn != NULL) && (b->replay_state_esn == NULL)) ||
274  ((a->replay_state_esn == NULL) && (b->replay_state_esn != NULL)))
275  found |= 1;
276 
277  if (found == 0) // same replay type. compare actual values
278  {
279  if (a->replay_state_esn)
280  {
281  if (a->replay_state_esn->bmp_len != b->replay_state_esn->bmp_len)
282  diff |= 1;
283  else
284  {
285  uint32_t len = sizeof (struct xfrmnl_replay_state_esn) +
286  (a->replay_state_esn->bmp_len * sizeof (uint32_t));
287  diff |= memcmp (a->replay_state_esn, b->replay_state_esn, len);
288  }
289  }
290  else
291  {
292  if ((a->replay_state.oseq != b->replay_state.oseq) ||
293  (a->replay_state.seq != b->replay_state.seq) ||
294  (a->replay_state.bitmap != b->replay_state.bitmap))
295  diff |= 1;
296  }
297  }
298  }
299 #undef XFRM_SA_DIFF
300 
301  return diff;
302 }
303 
304 /**
305  * @name XFRM SA Attribute Translations
306  * @{
307  */
308 static const struct trans_tbl sa_attrs[] = {
309  __ADD(XFRM_SA_ATTR_SEL, selector),
310  __ADD(XFRM_SA_ATTR_DADDR, daddr),
311  __ADD(XFRM_SA_ATTR_SPI, spi),
312  __ADD(XFRM_SA_ATTR_PROTO, proto),
313  __ADD(XFRM_SA_ATTR_SADDR, saddr),
314  __ADD(XFRM_SA_ATTR_LTIME_CFG, lifetime_cfg),
315  __ADD(XFRM_SA_ATTR_LTIME_CUR, lifetime_cur),
316  __ADD(XFRM_SA_ATTR_STATS, stats),
317  __ADD(XFRM_SA_ATTR_SEQ, seqnum),
318  __ADD(XFRM_SA_ATTR_REQID, reqid),
319  __ADD(XFRM_SA_ATTR_FAMILY, family),
320  __ADD(XFRM_SA_ATTR_MODE, mode),
321  __ADD(XFRM_SA_ATTR_REPLAY_WIN, replay_window),
322  __ADD(XFRM_SA_ATTR_FLAGS, flags),
323  __ADD(XFRM_SA_ATTR_ALG_AEAD, alg_aead),
324  __ADD(XFRM_SA_ATTR_ALG_AUTH, alg_auth),
325  __ADD(XFRM_SA_ATTR_ALG_CRYPT, alg_crypto),
326  __ADD(XFRM_SA_ATTR_ALG_COMP, alg_comp),
327  __ADD(XFRM_SA_ATTR_ENCAP, encap),
328  __ADD(XFRM_SA_ATTR_TFCPAD, tfcpad),
329  __ADD(XFRM_SA_ATTR_COADDR, coaddr),
330  __ADD(XFRM_SA_ATTR_MARK, mark),
331  __ADD(XFRM_SA_ATTR_SECCTX, sec_ctx),
332  __ADD(XFRM_SA_ATTR_REPLAY_MAXAGE, replay_maxage),
333  __ADD(XFRM_SA_ATTR_REPLAY_MAXDIFF, replay_maxdiff),
334  __ADD(XFRM_SA_ATTR_REPLAY_STATE, replay_state),
335  __ADD(XFRM_SA_ATTR_EXPIRE, expire),
336 };
337 
338 static char* xfrm_sa_attrs2str(int attrs, char *buf, size_t len)
339 {
340  return __flags2str (attrs, buf, len, sa_attrs, ARRAY_SIZE(sa_attrs));
341 }
342 /** @} */
343 
344 /**
345  * @name XFRM SA Flags Translations
346  * @{
347  */
348 static const struct trans_tbl sa_flags[] = {
349  __ADD(XFRM_STATE_NOECN, no ecn),
350  __ADD(XFRM_STATE_DECAP_DSCP, decap dscp),
351  __ADD(XFRM_STATE_NOPMTUDISC, no pmtu discovery),
352  __ADD(XFRM_STATE_WILDRECV, wild receive),
353  __ADD(XFRM_STATE_ICMP, icmp),
354  __ADD(XFRM_STATE_AF_UNSPEC, unspecified),
355  __ADD(XFRM_STATE_ALIGN4, align4),
356  __ADD(XFRM_STATE_ESN, esn),
357 };
358 
359 char* xfrmnl_sa_flags2str(int flags, char *buf, size_t len)
360 {
361  return __flags2str (flags, buf, len, sa_flags, ARRAY_SIZE(sa_flags));
362 }
363 
364 int xfrmnl_sa_str2flag(const char *name)
365 {
366  return __str2flags (name, sa_flags, ARRAY_SIZE(sa_flags));
367 }
368 /** @} */
369 
370 /**
371  * @name XFRM SA Mode Translations
372  * @{
373  */
374 static const struct trans_tbl sa_modes[] = {
375  __ADD(XFRM_MODE_TRANSPORT, transport),
376  __ADD(XFRM_MODE_TUNNEL, tunnel),
377  __ADD(XFRM_MODE_ROUTEOPTIMIZATION, route optimization),
378  __ADD(XFRM_MODE_IN_TRIGGER, in trigger),
379  __ADD(XFRM_MODE_BEET, beet),
380 };
381 
382 char* xfrmnl_sa_mode2str(int mode, char *buf, size_t len)
383 {
384  return __type2str (mode, buf, len, sa_modes, ARRAY_SIZE(sa_modes));
385 }
386 
387 int xfrmnl_sa_str2mode(const char *name)
388 {
389  return __str2type (name, sa_modes, ARRAY_SIZE(sa_modes));
390 }
391 /** @} */
392 
393 
394 static void xfrm_sa_dump_line(struct nl_object *a, struct nl_dump_params *p)
395 {
396  char dst[INET6_ADDRSTRLEN+5], src[INET6_ADDRSTRLEN+5];
397  struct xfrmnl_sa* sa = (struct xfrmnl_sa *) a;
398  char flags[128], mode[128];
399  time_t add_time, use_time;
400  struct tm *add_time_tm, *use_time_tm;
401 
402  nl_dump_line(p, "src %s dst %s family: %s\n", nl_addr2str(sa->saddr, src, sizeof(src)),
403  nl_addr2str(sa->id.daddr, dst, sizeof(dst)),
404  nl_af2str (sa->family, flags, sizeof (flags)));
405 
406  nl_dump_line(p, "\tproto %s spi 0x%x reqid %u\n",
407  nl_ip_proto2str (sa->id.proto, flags, sizeof(flags)),
408  sa->id.spi, sa->reqid);
409 
410  xfrmnl_sa_flags2str(sa->flags, flags, sizeof (flags));
411  xfrmnl_sa_mode2str(sa->mode, mode, sizeof (mode));
412  nl_dump_line(p, "\tmode: %s flags: %s (0x%x) seq: %u replay window: %u\n",
413  mode, flags, sa->flags, sa->seq, sa->replay_window);
414 
415  nl_dump_line(p, "\tlifetime configuration: \n");
416  if (sa->lft->soft_byte_limit == XFRM_INF)
417  sprintf (flags, "INF");
418  else
419  sprintf (flags, "%" PRIu64, sa->lft->soft_byte_limit);
420  if (sa->lft->soft_packet_limit == XFRM_INF)
421  sprintf (mode, "INF");
422  else
423  sprintf (mode, "%" PRIu64, sa->lft->soft_packet_limit);
424  nl_dump_line(p, "\t\tsoft limit: %s (bytes), %s (packets)\n", flags, mode);
425  if (sa->lft->hard_byte_limit == XFRM_INF)
426  sprintf (flags, "INF");
427  else
428  sprintf (flags, "%" PRIu64, sa->lft->hard_byte_limit);
429  if (sa->lft->hard_packet_limit == XFRM_INF)
430  sprintf (mode, "INF");
431  else
432  sprintf (mode, "%" PRIu64, sa->lft->hard_packet_limit);
433  nl_dump_line(p, "\t\thard limit: %s (bytes), %s (packets)\n", flags, mode);
434  nl_dump_line(p, "\t\tsoft add_time: %llu (seconds), soft use_time: %llu (seconds) \n",
435  sa->lft->soft_add_expires_seconds, sa->lft->soft_use_expires_seconds);
436  nl_dump_line(p, "\t\thard add_time: %llu (seconds), hard use_time: %llu (seconds) \n",
437  sa->lft->hard_add_expires_seconds, sa->lft->hard_use_expires_seconds);
438 
439  nl_dump_line(p, "\tlifetime current: \n");
440  nl_dump_line(p, "\t\t%llu bytes, %llu packets\n", sa->curlft.bytes, sa->curlft.packets);
441  if (sa->curlft.add_time != 0)
442  {
443  add_time = sa->curlft.add_time;
444  add_time_tm = gmtime (&add_time);
445  strftime (flags, 128, "%Y-%m-%d %H-%M-%S", add_time_tm);
446  }
447  else
448  {
449  sprintf (flags, "%s", "-");
450  }
451 
452  if (sa->curlft.use_time != 0)
453  {
454  use_time = sa->curlft.use_time;
455  use_time_tm = gmtime (&use_time);
456  strftime (mode, 128, "%Y-%m-%d %H-%M-%S", use_time_tm);
457  }
458  else
459  {
460  sprintf (mode, "%s", "-");
461  }
462  nl_dump_line(p, "\t\tadd_time: %s, use_time: %s\n", flags, mode);
463 
464  if (sa->aead)
465  {
466  nl_dump_line(p, "\tAEAD Algo: \n");
467  nl_dump_line(p, "\t\tName: %s Key len(bits): %u ICV Len(bits): %u\n",
468  sa->aead->alg_name, sa->aead->alg_key_len, sa->aead->alg_icv_len);
469  }
470 
471  if (sa->auth)
472  {
473  nl_dump_line(p, "\tAuth Algo: \n");
474  nl_dump_line(p, "\t\tName: %s Key len(bits): %u Trunc len(bits): %u\n",
475  sa->auth->alg_name, sa->auth->alg_key_len, sa->auth->alg_trunc_len);
476  }
477 
478  if (sa->crypt)
479  {
480  nl_dump_line(p, "\tEncryption Algo: \n");
481  nl_dump_line(p, "\t\tName: %s Key len(bits): %u\n",
482  sa->crypt->alg_name, sa->crypt->alg_key_len);
483  }
484 
485  if (sa->comp)
486  {
487  nl_dump_line(p, "\tCompression Algo: \n");
488  nl_dump_line(p, "\t\tName: %s Key len(bits): %u\n",
489  sa->comp->alg_name, sa->comp->alg_key_len);
490  }
491 
492  if (sa->encap)
493  {
494  nl_dump_line(p, "\tEncapsulation template: \n");
495  nl_dump_line(p, "\t\tType: %d Src port: %d Dst port: %d Encap addr: %s\n",
496  sa->encap->encap_type, sa->encap->encap_sport, sa->encap->encap_dport,
497  nl_addr2str (sa->encap->encap_oa, dst, sizeof (dst)));
498  }
499 
500  if (sa->ce_mask & XFRM_SA_ATTR_TFCPAD)
501  nl_dump_line(p, "\tTFC Pad: %u\n", sa->tfcpad);
502 
503  if (sa->ce_mask & XFRM_SA_ATTR_COADDR)
504  nl_dump_line(p, "\tCO Address: %s\n", nl_addr2str (sa->coaddr, dst, sizeof (dst)));
505 
506  if (sa->ce_mask & XFRM_SA_ATTR_MARK)
507  nl_dump_line(p, "\tMark mask: 0x%x Mark value: 0x%x\n", sa->mark.m, sa->mark.v);
508 
509  if (sa->ce_mask & XFRM_SA_ATTR_SECCTX)
510  nl_dump_line(p, "\tDOI: %d Algo: %d Len: %u ctx: %s\n", sa->sec_ctx->ctx_doi,
511  sa->sec_ctx->ctx_alg, sa->sec_ctx->ctx_len, sa->sec_ctx->ctx);
512 
513  nl_dump_line(p, "\treplay info: \n");
514  nl_dump_line(p, "\t\tmax age %u max diff %u \n", sa->replay_maxage, sa->replay_maxdiff);
515 
516  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
517  {
518  nl_dump_line(p, "\treplay state info: \n");
519  if (sa->replay_state_esn)
520  {
521  nl_dump_line(p, "\t\toseq %u seq %u oseq_hi %u seq_hi %u replay window: %u \n",
522  sa->replay_state_esn->oseq, sa->replay_state_esn->seq,
523  sa->replay_state_esn->oseq_hi, sa->replay_state_esn->seq_hi,
524  sa->replay_state_esn->replay_window);
525  }
526  else
527  {
528  nl_dump_line(p, "\t\toseq %u seq %u bitmap: %u \n", sa->replay_state.oseq,
529  sa->replay_state.seq, sa->replay_state.bitmap);
530  }
531  }
532 
533  nl_dump_line(p, "\tselector info: \n");
534  xfrmnl_sel_dump (sa->sel, p);
535 
536  nl_dump_line(p, "\tHard: %d\n", sa->hard);
537 
538  nl_dump(p, "\n");
539 }
540 
541 static void xfrm_sa_dump_stats(struct nl_object *a, struct nl_dump_params *p)
542 {
543  struct xfrmnl_sa* sa = (struct xfrmnl_sa*)a;
544 
545  nl_dump_line(p, "\tstats: \n");
546  nl_dump_line(p, "\t\treplay window: %u replay: %u integrity failed: %u \n",
547  sa->stats.replay_window, sa->stats.replay, sa->stats.integrity_failed);
548 
549  return;
550 }
551 
552 static void xfrm_sa_dump_details(struct nl_object *a, struct nl_dump_params *p)
553 {
554  xfrm_sa_dump_line(a, p);
555  xfrm_sa_dump_stats (a, p);
556 }
557 
558 /**
559  * @name XFRM SA Object Allocation/Freeage
560  * @{
561  */
562 
563 struct xfrmnl_sa* xfrmnl_sa_alloc(void)
564 {
565  return (struct xfrmnl_sa*) nl_object_alloc(&xfrm_sa_obj_ops);
566 }
567 
568 void xfrmnl_sa_put(struct xfrmnl_sa* sa)
569 {
570  nl_object_put((struct nl_object *) sa);
571 }
572 
573 /** @} */
574 
575 /**
576  * @name SA Cache Managament
577  * @{
578  */
579 
580 /**
581  * Build a SA cache including all SAs currently configured in the kernel.
582  * @arg sock Netlink socket.
583  * @arg result Pointer to store resulting cache.
584  *
585  * Allocates a new SA cache, initializes it properly and updates it
586  * to include all SAs currently configured in the kernel.
587  *
588  * @return 0 on success or a negative error code.
589  */
590 int xfrmnl_sa_alloc_cache(struct nl_sock *sock, struct nl_cache **result)
591 {
592  return nl_cache_alloc_and_fill(&xfrmnl_sa_ops, sock, result);
593 }
594 
595 /**
596  * Look up a SA by destination address, SPI, protocol
597  * @arg cache SA cache
598  * @arg daddr destination address of the SA
599  * @arg spi SPI
600  * @arg proto protocol
601  * @return sa handle or NULL if no match was found.
602  */
603 struct xfrmnl_sa* xfrmnl_sa_get(struct nl_cache* cache, struct nl_addr* daddr,
604  unsigned int spi, unsigned int proto)
605 {
606  struct xfrmnl_sa *sa;
607 
608  //nl_list_for_each_entry(sa, &cache->c_items, ce_list) {
609  for (sa = (struct xfrmnl_sa*)nl_cache_get_first (cache);
610  sa != NULL;
611  sa = (struct xfrmnl_sa*)nl_cache_get_next ((struct nl_object*)sa))
612  {
613  if (sa->id.proto == proto &&
614  sa->id.spi == spi &&
615  !nl_addr_cmp(sa->id.daddr, daddr))
616  {
617  nl_object_get((struct nl_object *) sa);
618  return sa;
619  }
620 
621  }
622 
623  return NULL;
624 }
625 
626 
627 /** @} */
628 
629 
630 static struct nla_policy xfrm_sa_policy[XFRMA_MAX+1] = {
631  [XFRMA_SA] = { .minlen = sizeof(struct xfrm_usersa_info)},
632  [XFRMA_ALG_AUTH_TRUNC] = { .minlen = sizeof(struct xfrm_algo_auth)},
633  [XFRMA_ALG_AEAD] = { .minlen = sizeof(struct xfrm_algo_aead) },
634  [XFRMA_ALG_AUTH] = { .minlen = sizeof(struct xfrm_algo) },
635  [XFRMA_ALG_CRYPT] = { .minlen = sizeof(struct xfrm_algo) },
636  [XFRMA_ALG_COMP] = { .minlen = sizeof(struct xfrm_algo) },
637  [XFRMA_ENCAP] = { .minlen = sizeof(struct xfrm_encap_tmpl) },
638  [XFRMA_TMPL] = { .minlen = sizeof(struct xfrm_user_tmpl) },
639  [XFRMA_SEC_CTX] = { .minlen = sizeof(struct xfrm_sec_ctx) },
640  [XFRMA_LTIME_VAL] = { .minlen = sizeof(struct xfrm_lifetime_cur) },
641  [XFRMA_REPLAY_VAL] = { .minlen = sizeof(struct xfrm_replay_state) },
642  [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 },
643  [XFRMA_ETIMER_THRESH] = { .type = NLA_U32 },
644  [XFRMA_SRCADDR] = { .minlen = sizeof(xfrm_address_t) },
645  [XFRMA_COADDR] = { .minlen = sizeof(xfrm_address_t) },
646  [XFRMA_MARK] = { .minlen = sizeof(struct xfrm_mark) },
647  [XFRMA_TFCPAD] = { .type = NLA_U32 },
648  [XFRMA_REPLAY_ESN_VAL] = { .minlen = sizeof(struct xfrm_replay_state_esn) },
649 };
650 
651 static int xfrm_sa_request_update(struct nl_cache *c, struct nl_sock *h)
652 {
653  struct xfrm_id sa_id;
654 
655  memset (&sa_id, 0, sizeof (sa_id));
656  return nl_send_simple (h, XFRM_MSG_GETSA, NLM_F_DUMP,
657  &sa_id, sizeof (sa_id));
658 }
659 
660 int xfrmnl_sa_parse(struct nlmsghdr *n, struct xfrmnl_sa **result)
661 {
662  struct xfrmnl_sa* sa;
663  struct nlattr *tb[XFRMA_MAX + 1];
664  struct xfrm_usersa_info* sa_info;
665  struct xfrm_user_expire* ue;
666  int len, err;
667  struct nl_addr* addr;
668 
669  sa = xfrmnl_sa_alloc();
670  if (!sa) {
671  err = -NLE_NOMEM;
672  goto errout;
673  }
674 
675  sa->ce_msgtype = n->nlmsg_type;
676  if (n->nlmsg_type == XFRM_MSG_EXPIRE)
677  {
678  ue = nlmsg_data(n);
679  sa_info = &ue->state;
680  sa->hard = ue->hard;
681  sa->ce_mask |= XFRM_SA_ATTR_EXPIRE;
682  }
683  else if (n->nlmsg_type == XFRM_MSG_DELSA)
684  {
685  sa_info = (struct xfrm_usersa_info*)((char *)nlmsg_data(n) + sizeof (struct xfrm_usersa_id) + NLA_HDRLEN);
686  }
687  else
688  {
689  sa_info = nlmsg_data(n);
690  }
691 
692  err = nlmsg_parse(n, sizeof(struct xfrm_usersa_info), tb, XFRMA_MAX, xfrm_sa_policy);
693  if (err < 0)
694  goto errout;
695 
696  if (sa_info->sel.family == AF_INET)
697  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.daddr.a4, sizeof (sa_info->sel.daddr.a4));
698  else
699  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.daddr.a6, sizeof (sa_info->sel.daddr.a6));
700  nl_addr_set_prefixlen (addr, sa_info->sel.prefixlen_d);
701  xfrmnl_sel_set_daddr (sa->sel, addr);
702  xfrmnl_sel_set_prefixlen_d (sa->sel, sa_info->sel.prefixlen_d);
703 
704  if (sa_info->sel.family == AF_INET)
705  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.saddr.a4, sizeof (sa_info->sel.saddr.a4));
706  else
707  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.saddr.a6, sizeof (sa_info->sel.saddr.a6));
708  nl_addr_set_prefixlen (addr, sa_info->sel.prefixlen_s);
709  xfrmnl_sel_set_saddr (sa->sel, addr);
710  xfrmnl_sel_set_prefixlen_s (sa->sel, sa_info->sel.prefixlen_s);
711 
712  xfrmnl_sel_set_dport (sa->sel, ntohs(sa_info->sel.dport));
713  xfrmnl_sel_set_dportmask (sa->sel, ntohs(sa_info->sel.dport_mask));
714  xfrmnl_sel_set_sport (sa->sel, ntohs(sa_info->sel.sport));
715  xfrmnl_sel_set_sportmask (sa->sel, ntohs(sa_info->sel.sport_mask));
716  xfrmnl_sel_set_family (sa->sel, sa_info->sel.family);
717  xfrmnl_sel_set_proto (sa->sel, sa_info->sel.proto);
718  xfrmnl_sel_set_ifindex (sa->sel, sa_info->sel.ifindex);
719  xfrmnl_sel_set_userid (sa->sel, sa_info->sel.user);
720  sa->ce_mask |= XFRM_SA_ATTR_SEL;
721 
722  if (sa_info->family == AF_INET)
723  sa->id.daddr = nl_addr_build (sa_info->family, &sa_info->id.daddr.a4, sizeof (sa_info->id.daddr.a4));
724  else
725  sa->id.daddr = nl_addr_build (sa_info->family, &sa_info->id.daddr.a6, sizeof (sa_info->id.daddr.a6));
726  sa->id.spi = ntohl(sa_info->id.spi);
727  sa->id.proto = sa_info->id.proto;
728  sa->ce_mask |= (XFRM_SA_ATTR_DADDR | XFRM_SA_ATTR_SPI | XFRM_SA_ATTR_PROTO);
729 
730  if (sa_info->family == AF_INET)
731  sa->saddr = nl_addr_build (sa_info->family, &sa_info->saddr.a4, sizeof (sa_info->saddr.a4));
732  else
733  sa->saddr = nl_addr_build (sa_info->family, &sa_info->saddr.a6, sizeof (sa_info->saddr.a6));
734  sa->ce_mask |= XFRM_SA_ATTR_SADDR;
735 
736  sa->lft->soft_byte_limit = sa_info->lft.soft_byte_limit;
737  sa->lft->hard_byte_limit = sa_info->lft.hard_byte_limit;
738  sa->lft->soft_packet_limit = sa_info->lft.soft_packet_limit;
739  sa->lft->hard_packet_limit = sa_info->lft.hard_packet_limit;
740  sa->lft->soft_add_expires_seconds = sa_info->lft.soft_add_expires_seconds;
741  sa->lft->hard_add_expires_seconds = sa_info->lft.hard_add_expires_seconds;
742  sa->lft->soft_use_expires_seconds = sa_info->lft.soft_use_expires_seconds;
743  sa->lft->hard_use_expires_seconds = sa_info->lft.hard_use_expires_seconds;
744  sa->ce_mask |= XFRM_SA_ATTR_LTIME_CFG;
745 
746  sa->curlft.bytes = sa_info->curlft.bytes;
747  sa->curlft.packets = sa_info->curlft.packets;
748  sa->curlft.add_time = sa_info->curlft.add_time;
749  sa->curlft.use_time = sa_info->curlft.use_time;
750  sa->ce_mask |= XFRM_SA_ATTR_LTIME_CUR;
751 
752  sa->stats.replay_window = sa_info->stats.replay_window;
753  sa->stats.replay = sa_info->stats.replay;
754  sa->stats.integrity_failed = sa_info->stats.integrity_failed;
755  sa->ce_mask |= XFRM_SA_ATTR_STATS;
756 
757  sa->seq = sa_info->seq;
758  sa->reqid = sa_info->reqid;
759  sa->family = sa_info->family;
760  sa->mode = sa_info->mode;
761  sa->replay_window = sa_info->replay_window;
762  sa->flags = sa_info->flags;
763  sa->ce_mask |= (XFRM_SA_ATTR_SEQ | XFRM_SA_ATTR_REQID |
764  XFRM_SA_ATTR_FAMILY | XFRM_SA_ATTR_MODE |
765  XFRM_SA_ATTR_REPLAY_WIN | XFRM_SA_ATTR_FLAGS);
766 
767  if (tb[XFRMA_ALG_AEAD]) {
768  struct xfrm_algo_aead* aead = nla_data(tb[XFRMA_ALG_AEAD]);
769  len = sizeof (struct xfrmnl_algo_aead) + ((aead->alg_key_len + 7) / 8);
770  if ((sa->aead = calloc (1, len)) == NULL)
771  {
772  err = -NLE_NOMEM;
773  goto errout;
774  }
775  memcpy ((void *)sa->aead, (void *)aead, len);
776  sa->ce_mask |= XFRM_SA_ATTR_ALG_AEAD;
777  }
778 
779  if (tb[XFRMA_ALG_AUTH_TRUNC]) {
780  struct xfrm_algo_auth* auth = nla_data(tb[XFRMA_ALG_AUTH_TRUNC]);
781  len = sizeof (struct xfrmnl_algo_auth) + ((auth->alg_key_len + 7) / 8);
782  if ((sa->auth = calloc (1, len)) == NULL)
783  {
784  err = -NLE_NOMEM;
785  goto errout;
786  }
787  memcpy ((void *)sa->auth, (void *)auth, len);
788  sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
789  }
790 
791  if (tb[XFRMA_ALG_AUTH] && !sa->auth) {
792  struct xfrm_algo* auth = nla_data(tb[XFRMA_ALG_AUTH]);
793  len = sizeof (struct xfrmnl_algo_auth) + ((auth->alg_key_len + 7) / 8);
794  if ((sa->auth = calloc (1, len)) == NULL)
795  {
796  err = -NLE_NOMEM;
797  goto errout;
798  }
799  strcpy(sa->auth->alg_name, auth->alg_name);
800  memcpy(sa->auth->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8);
801  sa->auth->alg_key_len = auth->alg_key_len;
802  sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
803  }
804 
805  if (tb[XFRMA_ALG_CRYPT]) {
806  struct xfrm_algo* crypt = nla_data(tb[XFRMA_ALG_CRYPT]);
807  len = sizeof (struct xfrmnl_algo) + ((crypt->alg_key_len + 7) / 8);
808  if ((sa->crypt = calloc (1, len)) == NULL)
809  {
810  err = -NLE_NOMEM;
811  goto errout;
812  }
813  memcpy ((void *)sa->crypt, (void *)crypt, len);
814  sa->ce_mask |= XFRM_SA_ATTR_ALG_CRYPT;
815  }
816 
817  if (tb[XFRMA_ALG_COMP]) {
818  struct xfrm_algo* comp = nla_data(tb[XFRMA_ALG_COMP]);
819  len = sizeof (struct xfrmnl_algo) + ((comp->alg_key_len + 7) / 8);
820  if ((sa->comp = calloc (1, len)) == NULL)
821  {
822  err = -NLE_NOMEM;
823  goto errout;
824  }
825  memcpy ((void *)sa->comp, (void *)comp, len);
826  sa->ce_mask |= XFRM_SA_ATTR_ALG_COMP;
827  }
828 
829  if (tb[XFRMA_ENCAP]) {
830  struct xfrm_encap_tmpl* encap = nla_data(tb[XFRMA_ENCAP]);
831  len = sizeof (struct xfrmnl_encap_tmpl);
832  if ((sa->encap = calloc (1, len)) == NULL)
833  {
834  err = -NLE_NOMEM;
835  goto errout;
836  }
837  sa->encap->encap_type = encap->encap_type;
838  sa->encap->encap_sport = ntohs(encap->encap_sport);
839  sa->encap->encap_dport = ntohs(encap->encap_dport);
840  if (sa_info->family == AF_INET)
841  sa->encap->encap_oa = nl_addr_build (sa_info->family, &encap->encap_oa.a4, sizeof (encap->encap_oa.a4));
842  else
843  sa->encap->encap_oa = nl_addr_build (sa_info->family, &encap->encap_oa.a6, sizeof (encap->encap_oa.a6));
844  sa->ce_mask |= XFRM_SA_ATTR_ENCAP;
845  }
846 
847  if (tb[XFRMA_TFCPAD]) {
848  sa->tfcpad = *(uint32_t*)nla_data(tb[XFRMA_TFCPAD]);
849  sa->ce_mask |= XFRM_SA_ATTR_TFCPAD;
850  }
851 
852  if (tb[XFRMA_COADDR]) {
853  if (sa_info->family == AF_INET)
854  {
855  sa->coaddr = nl_addr_build(sa_info->family, nla_data(tb[XFRMA_COADDR]),
856  sizeof (uint32_t));
857  }
858  else
859  {
860  sa->coaddr = nl_addr_build(sa_info->family, nla_data(tb[XFRMA_COADDR]),
861  sizeof (uint32_t) * 4);
862  }
863  sa->ce_mask |= XFRM_SA_ATTR_COADDR;
864  }
865 
866  if (tb[XFRMA_MARK]) {
867  struct xfrm_mark* m = nla_data(tb[XFRMA_MARK]);
868  sa->mark.m = m->m;
869  sa->mark.v = m->v;
870  sa->ce_mask |= XFRM_SA_ATTR_MARK;
871  }
872 
873  if (tb[XFRMA_SEC_CTX]) {
874  struct xfrm_user_sec_ctx* sec_ctx = nla_data(tb[XFRMA_SEC_CTX]);
875  len = sizeof (struct xfrmnl_user_sec_ctx) + sec_ctx->ctx_len;
876  if ((sa->sec_ctx = calloc (1, len)) == NULL)
877  {
878  err = -NLE_NOMEM;
879  goto errout;
880  }
881  memcpy (sa->sec_ctx, sec_ctx, len);
882  sa->ce_mask |= XFRM_SA_ATTR_SECCTX;
883  }
884 
885  if (tb[XFRMA_ETIMER_THRESH]) {
886  sa->replay_maxage = *(uint32_t*)nla_data(tb[XFRMA_ETIMER_THRESH]);
887  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXAGE;
888  }
889 
890  if (tb[XFRMA_REPLAY_THRESH]) {
891  sa->replay_maxdiff = *(uint32_t*)nla_data(tb[XFRMA_REPLAY_THRESH]);
892  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXDIFF;
893  }
894 
895  if (tb[XFRMA_REPLAY_ESN_VAL]) {
896  struct xfrm_replay_state_esn* esn = nla_data (tb[XFRMA_REPLAY_ESN_VAL]);
897  len = sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * esn->bmp_len);
898  if ((sa->replay_state_esn = calloc (1, len)) == NULL)
899  {
900  err = -NLE_NOMEM;
901  goto errout;
902  }
903  memcpy ((void *)sa->replay_state_esn, (void *)esn, len);
904  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
905  }
906  else if (tb[XFRMA_REPLAY_VAL])
907  {
908  struct xfrm_replay_state* replay_state = nla_data (tb[XFRMA_REPLAY_VAL]);
909  sa->replay_state.oseq = replay_state->oseq;
910  sa->replay_state.seq = replay_state->seq;
911  sa->replay_state.bitmap = replay_state->bitmap;
912  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
913  sa->replay_state_esn = NULL;
914  }
915 
916  *result = sa;
917  return 0;
918 
919 errout:
920  xfrmnl_sa_put(sa);
921  return err;
922 }
923 
924 static int xfrm_sa_update_cache (struct nl_cache *cache, struct nl_object *obj,
925  change_func_t change_cb, change_func_v2_t change_cb_v2,
926  void *data)
927 {
928  struct nl_object* old_sa;
929  struct xfrmnl_sa* sa = (struct xfrmnl_sa*)obj;
930 
931  if (nl_object_get_msgtype (obj) == XFRM_MSG_EXPIRE)
932  {
933  /* On hard expiry, the SA gets deleted too from the kernel state without any
934  * further delete event. On Expire message, we are only updating the cache with
935  * the SA object's new state. In absence of the explicit delete event, the cache will
936  * be out of sync with the kernel state. To get around this, expiry messages cache
937  * operations are handled here (installed with NL_ACT_UNSPEC action) instead of
938  * in Libnl Cache module. */
939 
940  /* Do we already have this object in the cache? */
941  old_sa = nl_cache_search(cache, obj);
942  if (old_sa)
943  {
944  /* Found corresponding SA object in cache. Delete it */
945  nl_cache_remove (old_sa);
946  }
947 
948  /* Handle the expiry event now */
949  if (sa->hard == 0)
950  {
951  /* Soft expiry event: Save the new object to the
952  * cache and notify application of the expiry event. */
953  nl_cache_move (cache, obj);
954 
955  if (old_sa == NULL)
956  {
957  /* Application CB present, no previous instance of SA object present.
958  * Notify application CB as a NEW event */
959  if (change_cb_v2)
960  change_cb_v2(cache, NULL, obj, 0, NL_ACT_NEW, data);
961  else if (change_cb)
962  change_cb(cache, obj, NL_ACT_NEW, data);
963  }
964  else if (old_sa)
965  {
966  uint64_t diff = 0;
967  if (change_cb || change_cb_v2)
968  diff = nl_object_diff64(old_sa, obj);
969 
970  /* Application CB present, a previous instance of SA object present.
971  * Notify application CB as a CHANGE1 event */
972  if (diff) {
973  if (change_cb_v2) {
974  change_cb_v2(cache, old_sa, obj, diff, NL_ACT_CHANGE, data);
975  } else if (change_cb)
976  change_cb(cache, obj, NL_ACT_CHANGE, data);
977  }
978  nl_object_put (old_sa);
979  }
980  }
981  else
982  {
983  /* Hard expiry event: Delete the object from the
984  * cache and notify application of the expiry event. */
985  if (change_cb_v2)
986  change_cb_v2(cache, obj, NULL, 0, NL_ACT_DEL, data);
987  else if (change_cb)
988  change_cb (cache, obj, NL_ACT_DEL, data);
989  nl_object_put (old_sa);
990  }
991 
992  /* Done handling expire message */
993  return 0;
994  }
995  else
996  {
997  /* All other messages other than Expire, let the standard Libnl cache
998  * module handle it. */
999  if (change_cb_v2)
1000  return nl_cache_include_v2(cache, obj, change_cb_v2, data);
1001  else
1002  return nl_cache_include (cache, obj, change_cb, data);
1003  }
1004 }
1005 
1006 static int xfrm_sa_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
1007  struct nlmsghdr *n, struct nl_parser_param *pp)
1008 {
1009  struct xfrmnl_sa* sa;
1010  int err;
1011 
1012  if ((err = xfrmnl_sa_parse(n, &sa)) < 0)
1013  return err;
1014 
1015  err = pp->pp_cb((struct nl_object *) sa, pp);
1016 
1017  xfrmnl_sa_put(sa);
1018  return err;
1019 }
1020 
1021 /**
1022  * @name XFRM SA Get
1023  * @{
1024  */
1025 
1026 int xfrmnl_sa_build_get_request(struct nl_addr* daddr, unsigned int spi, unsigned int protocol, unsigned int mark_v, unsigned int mark_m, struct nl_msg **result)
1027 {
1028  struct nl_msg *msg;
1029  struct xfrm_usersa_id sa_id;
1030  struct xfrm_mark mark;
1031 
1032  if (!daddr || !spi)
1033  {
1034  fprintf(stderr, "APPLICATION BUG: %s:%d:%s: A valid destination address, spi must be specified\n",
1035  __FILE__, __LINE__, __func__);
1036  assert(0);
1037  return -NLE_MISSING_ATTR;
1038  }
1039 
1040  memset(&sa_id, 0, sizeof(sa_id));
1041  memcpy (&sa_id.daddr, nl_addr_get_binary_addr (daddr), sizeof (uint8_t) * nl_addr_get_len (daddr));
1042  sa_id.family = nl_addr_get_family (daddr);
1043  sa_id.spi = htonl(spi);
1044  sa_id.proto = protocol;
1045 
1046  if (!(msg = nlmsg_alloc_simple(XFRM_MSG_GETSA, 0)))
1047  return -NLE_NOMEM;
1048 
1049  if (nlmsg_append(msg, &sa_id, sizeof(sa_id), NLMSG_ALIGNTO) < 0)
1050  goto nla_put_failure;
1051 
1052  if ((mark_m & mark_v) != 0)
1053  {
1054  memset(&mark, 0, sizeof(struct xfrm_mark));
1055  mark.m = mark_m;
1056  mark.v = mark_v;
1057 
1058  NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &mark);
1059  }
1060 
1061  *result = msg;
1062  return 0;
1063 
1064 nla_put_failure:
1065  nlmsg_free(msg);
1066  return -NLE_MSGSIZE;
1067 }
1068 
1069 int xfrmnl_sa_get_kernel(struct nl_sock* sock, struct nl_addr* daddr, unsigned int spi, unsigned int protocol, unsigned int mark_v, unsigned int mark_m, struct xfrmnl_sa** result)
1070 {
1071  struct nl_msg *msg = NULL;
1072  struct nl_object *obj;
1073  int err;
1074 
1075  if ((err = xfrmnl_sa_build_get_request(daddr, spi, protocol, mark_m, mark_v, &msg)) < 0)
1076  return err;
1077 
1078  err = nl_send_auto(sock, msg);
1079  nlmsg_free(msg);
1080  if (err < 0)
1081  return err;
1082 
1083  if ((err = nl_pickup(sock, &xfrm_sa_msg_parser, &obj)) < 0)
1084  return err;
1085 
1086  /* We have used xfrm_sa_msg_parser(), object is definitely a xfrm sa */
1087  *result = (struct xfrmnl_sa *) obj;
1088 
1089  /* If an object has been returned, we also need to wait for the ACK */
1090  if (err == 0 && obj)
1091  nl_wait_for_ack(sock);
1092 
1093  return 0;
1094 }
1095 
1096 /** @} */
1097 
1098 static int build_xfrm_sa_message(struct xfrmnl_sa *tmpl, int cmd, int flags, struct nl_msg **result)
1099 {
1100  struct nl_msg* msg;
1101  struct xfrm_usersa_info sa_info;
1102  uint32_t len;
1103  struct nl_addr* addr;
1104 
1105  if (!(tmpl->ce_mask & XFRM_SA_ATTR_DADDR) ||
1106  !(tmpl->ce_mask & XFRM_SA_ATTR_SPI) ||
1107  !(tmpl->ce_mask & XFRM_SA_ATTR_PROTO))
1108  return -NLE_MISSING_ATTR;
1109 
1110  memset ((void*)&sa_info, 0, sizeof (sa_info));
1111  if (tmpl->ce_mask & XFRM_SA_ATTR_SEL)
1112  {
1113  addr = xfrmnl_sel_get_daddr (tmpl->sel);
1114  memcpy ((void*)&sa_info.sel.daddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
1115  addr = xfrmnl_sel_get_saddr (tmpl->sel);
1116  memcpy ((void*)&sa_info.sel.saddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
1117  sa_info.sel.dport = htons (xfrmnl_sel_get_dport (tmpl->sel));
1118  sa_info.sel.dport_mask = htons (xfrmnl_sel_get_dportmask (tmpl->sel));
1119  sa_info.sel.sport = htons (xfrmnl_sel_get_sport (tmpl->sel));
1120  sa_info.sel.sport_mask = htons (xfrmnl_sel_get_sportmask (tmpl->sel));
1121  sa_info.sel.family = xfrmnl_sel_get_family (tmpl->sel);
1122  sa_info.sel.prefixlen_d = xfrmnl_sel_get_prefixlen_d (tmpl->sel);
1123  sa_info.sel.prefixlen_s = xfrmnl_sel_get_prefixlen_s (tmpl->sel);
1124  sa_info.sel.proto = xfrmnl_sel_get_proto (tmpl->sel);
1125  sa_info.sel.ifindex = xfrmnl_sel_get_ifindex (tmpl->sel);
1126  sa_info.sel.user = xfrmnl_sel_get_userid (tmpl->sel);
1127  }
1128 
1129  memcpy (&sa_info.id.daddr, nl_addr_get_binary_addr (tmpl->id.daddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->id.daddr));
1130  sa_info.id.spi = htonl(tmpl->id.spi);
1131  sa_info.id.proto = tmpl->id.proto;
1132 
1133  if (tmpl->ce_mask & XFRM_SA_ATTR_SADDR)
1134  memcpy (&sa_info.saddr, nl_addr_get_binary_addr (tmpl->saddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->saddr));
1135 
1136  if (tmpl->ce_mask & XFRM_SA_ATTR_LTIME_CFG)
1137  {
1138  sa_info.lft.soft_byte_limit = xfrmnl_ltime_cfg_get_soft_bytelimit (tmpl->lft);
1139  sa_info.lft.hard_byte_limit = xfrmnl_ltime_cfg_get_hard_bytelimit (tmpl->lft);
1140  sa_info.lft.soft_packet_limit = xfrmnl_ltime_cfg_get_soft_packetlimit (tmpl->lft);
1141  sa_info.lft.hard_packet_limit = xfrmnl_ltime_cfg_get_hard_packetlimit (tmpl->lft);
1142  sa_info.lft.soft_add_expires_seconds = xfrmnl_ltime_cfg_get_soft_addexpires (tmpl->lft);
1143  sa_info.lft.hard_add_expires_seconds = xfrmnl_ltime_cfg_get_hard_addexpires (tmpl->lft);
1144  sa_info.lft.soft_use_expires_seconds = xfrmnl_ltime_cfg_get_soft_useexpires (tmpl->lft);
1145  sa_info.lft.hard_use_expires_seconds = xfrmnl_ltime_cfg_get_hard_useexpires (tmpl->lft);
1146  }
1147 
1148  //Skip current lifetime: cur lifetime can be updated only via AE
1149  //Skip stats: stats cant be updated
1150  //Skip seq: seq cant be updated
1151 
1152  if (tmpl->ce_mask & XFRM_SA_ATTR_REQID)
1153  sa_info.reqid = tmpl->reqid;
1154 
1155  if (tmpl->ce_mask & XFRM_SA_ATTR_FAMILY)
1156  sa_info.family = tmpl->family;
1157 
1158  if (tmpl->ce_mask & XFRM_SA_ATTR_MODE)
1159  sa_info.mode = tmpl->mode;
1160 
1161  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_WIN)
1162  sa_info.replay_window = tmpl->replay_window;
1163 
1164  if (tmpl->ce_mask & XFRM_SA_ATTR_FLAGS)
1165  sa_info.flags = tmpl->flags;
1166 
1167  msg = nlmsg_alloc_simple(cmd, flags);
1168  if (!msg)
1169  return -NLE_NOMEM;
1170 
1171  if (nlmsg_append(msg, &sa_info, sizeof(sa_info), NLMSG_ALIGNTO) < 0)
1172  goto nla_put_failure;
1173 
1174  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_AEAD) {
1175  len = sizeof (struct xfrm_algo_aead) + ((tmpl->aead->alg_key_len + 7) / 8);
1176  NLA_PUT (msg, XFRMA_ALG_AEAD, len, tmpl->aead);
1177  }
1178 
1179  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_AUTH) {
1180  /* kernel prefers XFRMA_ALG_AUTH_TRUNC over XFRMA_ALG_AUTH, so only
1181  * one of the attributes needs to be present */
1182  if (tmpl->auth->alg_trunc_len) {
1183  len = sizeof (struct xfrm_algo_auth) + ((tmpl->auth->alg_key_len + 7) / 8);
1184  NLA_PUT (msg, XFRMA_ALG_AUTH_TRUNC, len, tmpl->auth);
1185  } else {
1186  struct xfrm_algo *auth;
1187 
1188  len = sizeof (struct xfrm_algo) + ((tmpl->auth->alg_key_len + 7) / 8);
1189  auth = malloc(len);
1190  if (!auth) {
1191  nlmsg_free(msg);
1192  return -NLE_NOMEM;
1193  }
1194 
1195  strncpy(auth->alg_name, tmpl->auth->alg_name, sizeof(auth->alg_name));
1196  auth->alg_name[sizeof(auth->alg_name) - 1] = '\0';
1197  auth->alg_key_len = tmpl->auth->alg_key_len;
1198  memcpy(auth->alg_key, tmpl->auth->alg_key, (tmpl->auth->alg_key_len + 7) / 8);
1199  if (nla_put(msg, XFRMA_ALG_AUTH, len, auth) < 0) {
1200  free(auth);
1201  goto nla_put_failure;
1202  }
1203  free(auth);
1204  }
1205  }
1206 
1207  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_CRYPT) {
1208  len = sizeof (struct xfrm_algo) + ((tmpl->crypt->alg_key_len + 7) / 8);
1209  NLA_PUT (msg, XFRMA_ALG_CRYPT, len, tmpl->crypt);
1210  }
1211 
1212  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_COMP) {
1213  len = sizeof (struct xfrm_algo) + ((tmpl->comp->alg_key_len + 7) / 8);
1214  NLA_PUT (msg, XFRMA_ALG_COMP, len, tmpl->comp);
1215  }
1216 
1217  if (tmpl->ce_mask & XFRM_SA_ATTR_ENCAP) {
1218  struct xfrm_encap_tmpl* encap_tmpl;
1219  struct nlattr* encap_attr;
1220 
1221  len = sizeof (struct xfrm_encap_tmpl);
1222  encap_attr = nla_reserve(msg, XFRMA_ENCAP, len);
1223  if (!encap_attr)
1224  goto nla_put_failure;
1225  encap_tmpl = nla_data (encap_attr);
1226  encap_tmpl->encap_type = tmpl->encap->encap_type;
1227  encap_tmpl->encap_sport = htons (tmpl->encap->encap_sport);
1228  encap_tmpl->encap_dport = htons (tmpl->encap->encap_dport);
1229  memcpy (&encap_tmpl->encap_oa, nl_addr_get_binary_addr (tmpl->encap->encap_oa), sizeof (uint8_t) * nl_addr_get_len (tmpl->encap->encap_oa));
1230  }
1231 
1232  if (tmpl->ce_mask & XFRM_SA_ATTR_TFCPAD) {
1233  NLA_PUT_U32 (msg, XFRMA_TFCPAD, tmpl->tfcpad);
1234  }
1235 
1236  if (tmpl->ce_mask & XFRM_SA_ATTR_COADDR) {
1237  NLA_PUT (msg, XFRMA_COADDR, sizeof (xfrm_address_t), tmpl->coaddr);
1238  }
1239 
1240  if (tmpl->ce_mask & XFRM_SA_ATTR_MARK) {
1241  NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
1242  }
1243 
1244  if (tmpl->ce_mask & XFRM_SA_ATTR_SECCTX) {
1245  len = sizeof (struct xfrm_sec_ctx) + tmpl->sec_ctx->ctx_len;
1246  NLA_PUT (msg, XFRMA_SEC_CTX, len, tmpl->sec_ctx);
1247  }
1248 
1249  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_MAXAGE) {
1250  NLA_PUT_U32 (msg, XFRMA_ETIMER_THRESH, tmpl->replay_maxage);
1251  }
1252 
1253  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_MAXDIFF) {
1254  NLA_PUT_U32 (msg, XFRMA_REPLAY_THRESH, tmpl->replay_maxdiff);
1255  }
1256 
1257  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_STATE) {
1258  if (tmpl->replay_state_esn) {
1259  len = sizeof (struct xfrm_replay_state_esn) + (sizeof (uint32_t) * tmpl->replay_state_esn->bmp_len);
1260  NLA_PUT (msg, XFRMA_REPLAY_ESN_VAL, len, tmpl->replay_state_esn);
1261  }
1262  else {
1263  NLA_PUT (msg, XFRMA_REPLAY_VAL, sizeof (struct xfrm_replay_state), &tmpl->replay_state);
1264  }
1265  }
1266 
1267  *result = msg;
1268  return 0;
1269 
1270 nla_put_failure:
1271  nlmsg_free(msg);
1272  return -NLE_MSGSIZE;
1273 }
1274 
1275 /**
1276  * @name XFRM SA Add
1277  * @{
1278  */
1279 
1280 int xfrmnl_sa_build_add_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1281 {
1282  return build_xfrm_sa_message (tmpl, XFRM_MSG_NEWSA, flags, result);
1283 }
1284 
1285 int xfrmnl_sa_add(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1286 {
1287  int err;
1288  struct nl_msg *msg;
1289 
1290  if ((err = xfrmnl_sa_build_add_request(tmpl, flags, &msg)) < 0)
1291  return err;
1292 
1293  err = nl_send_auto_complete(sk, msg);
1294  nlmsg_free(msg);
1295  if (err < 0)
1296  return err;
1297 
1298  return nl_wait_for_ack(sk);
1299 }
1300 
1301 /**
1302  * @name XFRM SA Update
1303  * @{
1304  */
1305 
1306 int xfrmnl_sa_build_update_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1307 {
1308  return build_xfrm_sa_message (tmpl, XFRM_MSG_UPDSA, flags, result);
1309 }
1310 
1311 int xfrmnl_sa_update(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1312 {
1313  int err;
1314  struct nl_msg *msg;
1315 
1316  if ((err = xfrmnl_sa_build_update_request(tmpl, flags, &msg)) < 0)
1317  return err;
1318 
1319  err = nl_send_auto_complete(sk, msg);
1320  nlmsg_free(msg);
1321  if (err < 0)
1322  return err;
1323 
1324  return nl_wait_for_ack(sk);
1325 }
1326 
1327 /** @} */
1328 
1329 static int build_xfrm_sa_delete_message(struct xfrmnl_sa *tmpl, int cmd, int flags, struct nl_msg **result)
1330 {
1331  struct nl_msg* msg;
1332  struct xfrm_usersa_id sa_id;
1333 
1334  if (!(tmpl->ce_mask & XFRM_SA_ATTR_DADDR) ||
1335  !(tmpl->ce_mask & XFRM_SA_ATTR_SPI) ||
1336  !(tmpl->ce_mask & XFRM_SA_ATTR_PROTO))
1337  return -NLE_MISSING_ATTR;
1338 
1339  memcpy (&sa_id.daddr, nl_addr_get_binary_addr (tmpl->id.daddr),
1340  sizeof (uint8_t) * nl_addr_get_len (tmpl->id.daddr));
1341  sa_id.family = nl_addr_get_family (tmpl->id.daddr);
1342  sa_id.spi = htonl(tmpl->id.spi);
1343  sa_id.proto = tmpl->id.proto;
1344 
1345  msg = nlmsg_alloc_simple(cmd, flags);
1346  if (!msg)
1347  return -NLE_NOMEM;
1348 
1349  if (nlmsg_append(msg, &sa_id, sizeof(sa_id), NLMSG_ALIGNTO) < 0)
1350  goto nla_put_failure;
1351 
1352  if (tmpl->ce_mask & XFRM_SA_ATTR_MARK) {
1353  NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
1354  }
1355 
1356  *result = msg;
1357  return 0;
1358 
1359 nla_put_failure:
1360  nlmsg_free(msg);
1361  return -NLE_MSGSIZE;
1362 }
1363 
1364 /**
1365  * @name XFRM SA Delete
1366  * @{
1367  */
1368 
1369 int xfrmnl_sa_build_delete_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1370 {
1371  return build_xfrm_sa_delete_message (tmpl, XFRM_MSG_DELSA, flags, result);
1372 }
1373 
1374 int xfrmnl_sa_delete(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1375 {
1376  int err;
1377  struct nl_msg *msg;
1378 
1379  if ((err = xfrmnl_sa_build_delete_request(tmpl, flags, &msg)) < 0)
1380  return err;
1381 
1382  err = nl_send_auto_complete(sk, msg);
1383  nlmsg_free(msg);
1384  if (err < 0)
1385  return err;
1386 
1387  return nl_wait_for_ack(sk);
1388 }
1389 
1390 /** @} */
1391 
1392 
1393 /**
1394  * @name Attributes
1395  * @{
1396  */
1397 
1398 struct xfrmnl_sel* xfrmnl_sa_get_sel (struct xfrmnl_sa* sa)
1399 {
1400  if (sa->ce_mask & XFRM_SA_ATTR_SEL)
1401  return sa->sel;
1402  else
1403  return NULL;
1404 }
1405 
1406 int xfrmnl_sa_set_sel (struct xfrmnl_sa* sa, struct xfrmnl_sel* sel)
1407 {
1408  /* Release any previously held selector object from the SA */
1409  if (sa->sel)
1410  xfrmnl_sel_put (sa->sel);
1411 
1412  /* Increment ref count on new selector and save it in the SA */
1413  xfrmnl_sel_get (sel);
1414  sa->sel = sel;
1415  sa->ce_mask |= XFRM_SA_ATTR_SEL;
1416 
1417  return 0;
1418 }
1419 
1420 static inline int __assign_addr(struct xfrmnl_sa* sa, struct nl_addr **pos,
1421  struct nl_addr *new, int flag, int nocheck)
1422 {
1423  if (!nocheck)
1424  {
1425  if (sa->ce_mask & XFRM_SA_ATTR_FAMILY)
1426  {
1427  if (nl_addr_get_family (new) != sa->family)
1428  return -NLE_AF_MISMATCH;
1429  }
1430  }
1431 
1432  if (*pos)
1433  nl_addr_put(*pos);
1434 
1435  nl_addr_get(new);
1436  *pos = new;
1437 
1438  sa->ce_mask |= flag;
1439 
1440  return 0;
1441 }
1442 
1443 
1444 struct nl_addr* xfrmnl_sa_get_daddr (struct xfrmnl_sa* sa)
1445 {
1446  if (sa->ce_mask & XFRM_SA_ATTR_DADDR)
1447  return sa->id.daddr;
1448  else
1449  return NULL;
1450 }
1451 
1452 int xfrmnl_sa_set_daddr (struct xfrmnl_sa* sa, struct nl_addr* addr)
1453 {
1454  return __assign_addr(sa, &sa->id.daddr, addr, XFRM_SA_ATTR_DADDR, 0);
1455 }
1456 
1457 int xfrmnl_sa_get_spi (struct xfrmnl_sa* sa)
1458 {
1459  if (sa->ce_mask & XFRM_SA_ATTR_SPI)
1460  return sa->id.spi;
1461  else
1462  return -1;
1463 }
1464 
1465 int xfrmnl_sa_set_spi (struct xfrmnl_sa* sa, unsigned int spi)
1466 {
1467  sa->id.spi = spi;
1468  sa->ce_mask |= XFRM_SA_ATTR_SPI;
1469 
1470  return 0;
1471 }
1472 
1473 int xfrmnl_sa_get_proto (struct xfrmnl_sa* sa)
1474 {
1475  if (sa->ce_mask & XFRM_SA_ATTR_PROTO)
1476  return sa->id.proto;
1477  else
1478  return -1;
1479 }
1480 
1481 int xfrmnl_sa_set_proto (struct xfrmnl_sa* sa, unsigned int protocol)
1482 {
1483  sa->id.proto = protocol;
1484  sa->ce_mask |= XFRM_SA_ATTR_PROTO;
1485 
1486  return 0;
1487 }
1488 
1489 struct nl_addr* xfrmnl_sa_get_saddr (struct xfrmnl_sa* sa)
1490 {
1491  if (sa->ce_mask & XFRM_SA_ATTR_SADDR)
1492  return sa->saddr;
1493  else
1494  return NULL;
1495 }
1496 
1497 int xfrmnl_sa_set_saddr (struct xfrmnl_sa* sa, struct nl_addr* addr)
1498 {
1499  return __assign_addr(sa, &sa->saddr, addr, XFRM_SA_ATTR_SADDR, 1);
1500 }
1501 
1502 struct xfrmnl_ltime_cfg* xfrmnl_sa_get_lifetime_cfg (struct xfrmnl_sa* sa)
1503 {
1504  if (sa->ce_mask & XFRM_SA_ATTR_LTIME_CFG)
1505  return sa->lft;
1506  else
1507  return NULL;
1508 }
1509 
1510 int xfrmnl_sa_set_lifetime_cfg (struct xfrmnl_sa* sa, struct xfrmnl_ltime_cfg* ltime)
1511 {
1512  /* Release any previously held lifetime cfg object from the SA */
1513  if (sa->lft)
1514  xfrmnl_ltime_cfg_put (sa->lft);
1515 
1516  /* Increment ref count on new lifetime object and save it in the SA */
1517  xfrmnl_ltime_cfg_get (ltime);
1518  sa->lft = ltime;
1519  sa->ce_mask |= XFRM_SA_ATTR_LTIME_CFG;
1520 
1521  return 0;
1522 }
1523 
1524 int xfrmnl_sa_get_curlifetime (struct xfrmnl_sa* sa, unsigned long long int* curr_bytes,
1525  unsigned long long int* curr_packets, unsigned long long int* curr_add_time, unsigned long long int* curr_use_time)
1526 {
1527  if (sa == NULL || curr_bytes == NULL || curr_packets == NULL || curr_add_time == NULL || curr_use_time == NULL)
1528  return -1;
1529 
1530  if (sa->ce_mask & XFRM_SA_ATTR_LTIME_CUR)
1531  {
1532  *curr_bytes = sa->curlft.bytes;
1533  *curr_packets = sa->curlft.packets;
1534  *curr_add_time = sa->curlft.add_time;
1535  *curr_use_time = sa->curlft.use_time;
1536  }
1537  else
1538  return -1;
1539 
1540  return 0;
1541 }
1542 
1543 int xfrmnl_sa_get_stats (struct xfrmnl_sa* sa, unsigned long long int* replay_window,
1544  unsigned long long int* replay, unsigned long long int* integrity_failed)
1545 {
1546  if (sa == NULL || replay_window == NULL || replay == NULL || integrity_failed == NULL)
1547  return -1;
1548 
1549  if (sa->ce_mask & XFRM_SA_ATTR_STATS)
1550  {
1551  *replay_window = sa->stats.replay_window;
1552  *replay = sa->stats.replay;
1553  *integrity_failed = sa->stats.integrity_failed;
1554  }
1555  else
1556  return -1;
1557 
1558  return 0;
1559 }
1560 
1561 int xfrmnl_sa_get_seq (struct xfrmnl_sa* sa)
1562 {
1563  if (sa->ce_mask & XFRM_SA_ATTR_SEQ)
1564  return sa->seq;
1565  else
1566  return -1;
1567 }
1568 
1569 int xfrmnl_sa_get_reqid (struct xfrmnl_sa* sa)
1570 {
1571  if (sa->ce_mask & XFRM_SA_ATTR_REQID)
1572  return sa->reqid;
1573  else
1574  return -1;
1575 }
1576 
1577 int xfrmnl_sa_set_reqid (struct xfrmnl_sa* sa, unsigned int reqid)
1578 {
1579  sa->reqid = reqid;
1580  sa->ce_mask |= XFRM_SA_ATTR_REQID;
1581 
1582  return 0;
1583 }
1584 
1585 int xfrmnl_sa_get_family (struct xfrmnl_sa* sa)
1586 {
1587  if (sa->ce_mask & XFRM_SA_ATTR_FAMILY)
1588  return sa->family;
1589  else
1590  return -1;
1591 }
1592 
1593 int xfrmnl_sa_set_family (struct xfrmnl_sa* sa, unsigned int family)
1594 {
1595  sa->family = family;
1596  sa->ce_mask |= XFRM_SA_ATTR_FAMILY;
1597 
1598  return 0;
1599 }
1600 
1601 int xfrmnl_sa_get_mode (struct xfrmnl_sa* sa)
1602 {
1603  if (sa->ce_mask & XFRM_SA_ATTR_MODE)
1604  return sa->mode;
1605  else
1606  return -1;
1607 }
1608 
1609 int xfrmnl_sa_set_mode (struct xfrmnl_sa* sa, unsigned int mode)
1610 {
1611  sa->mode = mode;
1612  sa->ce_mask |= XFRM_SA_ATTR_MODE;
1613 
1614  return 0;
1615 }
1616 
1617 int xfrmnl_sa_get_replay_window (struct xfrmnl_sa* sa)
1618 {
1619  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_WIN)
1620  return sa->replay_window;
1621  else
1622  return -1;
1623 }
1624 
1625 int xfrmnl_sa_set_replay_window (struct xfrmnl_sa* sa, unsigned int replay_window)
1626 {
1627  sa->replay_window = replay_window;
1628  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_WIN;
1629 
1630  return 0;
1631 }
1632 
1633 int xfrmnl_sa_get_flags (struct xfrmnl_sa* sa)
1634 {
1635  if (sa->ce_mask & XFRM_SA_ATTR_FLAGS)
1636  return sa->flags;
1637  else
1638  return -1;
1639 }
1640 
1641 int xfrmnl_sa_set_flags (struct xfrmnl_sa* sa, unsigned int flags)
1642 {
1643  sa->flags = flags;
1644  sa->ce_mask |= XFRM_SA_ATTR_FLAGS;
1645 
1646  return 0;
1647 }
1648 
1649 /**
1650  * Get the aead-params
1651  * @arg sa the xfrmnl_sa object
1652  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1653  * @arg key_len an optional output value for the key length in bits.
1654  * @arg icv_len an optional output value for the alt-icv-len.
1655  * @arg key an optional buffer large enough for the key. It must contain at least
1656  * ((@key_len + 7) / 8) bytes.
1657  *
1658  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1659  * call xfrmnl_sa_get_aead_params() without @key argument to query only the required buffer size.
1660  * This modified API is available in all versions of libnl3 that support the capability
1661  * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1662  *
1663  * @return 0 on success or a negative error code.
1664  */
1665 int xfrmnl_sa_get_aead_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, unsigned int* icv_len, char* key)
1666 {
1667  if (sa->ce_mask & XFRM_SA_ATTR_ALG_AEAD)
1668  {
1669  if (alg_name)
1670  strcpy (alg_name, sa->aead->alg_name);
1671  if (key_len)
1672  *key_len = sa->aead->alg_key_len;
1673  if (icv_len)
1674  *icv_len = sa->aead->alg_icv_len;
1675  if (key)
1676  memcpy (key, sa->aead->alg_key, ((sa->aead->alg_key_len + 7)/8));
1677  }
1678  else
1679  return -1;
1680 
1681  return 0;
1682 }
1683 
1684 int xfrmnl_sa_set_aead_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, unsigned int icv_len, const char* key)
1685 {
1686  _nl_auto_free struct xfrmnl_algo_aead *b = NULL;
1687  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1688  uint32_t newlen = sizeof (struct xfrmnl_algo_aead) + keysize;
1689 
1690  /* Free up the old key and allocate memory to hold new key */
1691  if (strlen (alg_name) >= sizeof (sa->aead->alg_name))
1692  return -1;
1693  if (!(b = calloc (1, newlen)))
1694  return -1;
1695 
1696  strcpy (b->alg_name, alg_name);
1697  b->alg_key_len = key_len;
1698  b->alg_icv_len = icv_len;
1699  memcpy (b->alg_key, key, keysize);
1700 
1701  free (sa->aead);
1702  sa->aead = _nl_steal_pointer (&b);
1703  sa->ce_mask |= XFRM_SA_ATTR_ALG_AEAD;
1704  return 0;
1705 }
1706 
1707 /**
1708  * Get the auth-params
1709  * @arg sa the xfrmnl_sa object
1710  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1711  * @arg key_len an optional output value for the key length in bits.
1712  * @arg trunc_len an optional output value for the alg-trunc-len.
1713  * @arg key an optional buffer large enough for the key. It must contain at least
1714  * ((@key_len + 7) / 8) bytes.
1715  *
1716  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1717  * call xfrmnl_sa_get_auth_params() without @key argument to query only the required buffer size.
1718  * This modified API is available in all versions of libnl3 that support the capability
1719  * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1720  *
1721  * @return 0 on success or a negative error code.
1722  */
1723 int xfrmnl_sa_get_auth_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, unsigned int* trunc_len, char* key)
1724 {
1725  if (sa->ce_mask & XFRM_SA_ATTR_ALG_AUTH)
1726  {
1727  if (alg_name)
1728  strcpy (alg_name, sa->auth->alg_name);
1729  if (key_len)
1730  *key_len = sa->auth->alg_key_len;
1731  if (trunc_len)
1732  *trunc_len = sa->auth->alg_trunc_len;
1733  if (key)
1734  memcpy (key, sa->auth->alg_key, (sa->auth->alg_key_len + 7)/8);
1735  }
1736  else
1737  return -1;
1738 
1739  return 0;
1740 }
1741 
1742 int xfrmnl_sa_set_auth_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, unsigned int trunc_len, const char* key)
1743 {
1744  _nl_auto_free struct xfrmnl_algo_auth *b = NULL;
1745  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1746  uint32_t newlen = sizeof (struct xfrmnl_algo_auth) + keysize;
1747 
1748  if (strlen (alg_name) >= sizeof (sa->auth->alg_name))
1749  return -1;
1750  if (!(b = calloc (1, newlen)))
1751  return -1;
1752 
1753  strcpy (b->alg_name, alg_name);
1754  b->alg_key_len = key_len;
1755  b->alg_trunc_len = trunc_len;
1756  memcpy (b->alg_key, key, keysize);
1757 
1758  free (sa->auth);
1759  sa->auth = _nl_steal_pointer (&b);
1760  sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
1761  return 0;
1762 }
1763 
1764 /**
1765  * Get the crypto-params
1766  * @arg sa the xfrmnl_sa object
1767  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1768  * @arg key_len an optional output value for the key length in bits.
1769  * @arg key an optional buffer large enough for the key. It must contain at least
1770  * ((@key_len + 7) / 8) bytes.
1771  *
1772  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1773  * call xfrmnl_sa_get_crypto_params() without @key argument to query only the required buffer size.
1774  * This modified API is available in all versions of libnl3 that support the capability
1775  * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1776  *
1777  * @return 0 on success or a negative error code.
1778  */
1779 int xfrmnl_sa_get_crypto_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, char* key)
1780 {
1781  if (sa->ce_mask & XFRM_SA_ATTR_ALG_CRYPT)
1782  {
1783  if (alg_name)
1784  strcpy (alg_name, sa->crypt->alg_name);
1785  if (key_len)
1786  *key_len = sa->crypt->alg_key_len;
1787  if (key)
1788  memcpy (key, sa->crypt->alg_key, ((sa->crypt->alg_key_len + 7)/8));
1789  }
1790  else
1791  return -1;
1792 
1793  return 0;
1794 }
1795 
1796 int xfrmnl_sa_set_crypto_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, const char* key)
1797 {
1798  _nl_auto_free struct xfrmnl_algo *b = NULL;
1799  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1800  uint32_t newlen = sizeof (struct xfrmnl_algo) + keysize;
1801 
1802  if (strlen (alg_name) >= sizeof (sa->crypt->alg_name))
1803  return -1;
1804  if (!(b = calloc (1, newlen)))
1805  return -1;
1806 
1807  strcpy (b->alg_name, alg_name);
1808  b->alg_key_len = key_len;
1809  memcpy (b->alg_key, key, keysize);
1810 
1811  free(sa->crypt);
1812  sa->crypt = _nl_steal_pointer(&b);
1813  sa->ce_mask |= XFRM_SA_ATTR_ALG_CRYPT;
1814  return 0;
1815 }
1816 
1817 /**
1818  * Get the comp-params
1819  * @arg sa the xfrmnl_sa object
1820  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1821  * @arg key_len an optional output value for the key length in bits.
1822  * @arg key an optional buffer large enough for the key. It must contain at least
1823  * ((@key_len + 7) / 8) bytes.
1824  *
1825  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1826  * call xfrmnl_sa_get_comp_params() without @key argument to query only the required buffer size.
1827  * This modified API is available in all versions of libnl3 that support the capability
1828  * @def NL_CAPABILITY_XFRM_SA_KEY_SIZE (@see nl_has_capability for further information).
1829  *
1830  * @return 0 on success or a negative error code.
1831  */
1832 int xfrmnl_sa_get_comp_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, char* key)
1833 {
1834  if (sa->ce_mask & XFRM_SA_ATTR_ALG_COMP)
1835  {
1836  if (alg_name)
1837  strcpy (alg_name, sa->comp->alg_name);
1838  if (key_len)
1839  *key_len = sa->comp->alg_key_len;
1840  if (key)
1841  memcpy (key, sa->comp->alg_key, ((sa->comp->alg_key_len + 7)/8));
1842  }
1843  else
1844  return -1;
1845 
1846  return 0;
1847 }
1848 
1849 int xfrmnl_sa_set_comp_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, const char* key)
1850 {
1851  _nl_auto_free struct xfrmnl_algo *b = NULL;
1852  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1853  uint32_t newlen = sizeof (struct xfrmnl_algo) + keysize;
1854 
1855  if (strlen (alg_name) >= sizeof (sa->comp->alg_name))
1856  return -1;
1857  if (!(b = calloc (1, newlen)))
1858  return -1;
1859 
1860  strcpy (b->alg_name, alg_name);
1861  b->alg_key_len = key_len;
1862  memcpy (b->alg_key, key, keysize);
1863 
1864  free(sa->comp);
1865  sa->comp = _nl_steal_pointer(&b);
1866  sa->ce_mask |= XFRM_SA_ATTR_ALG_COMP;
1867  return 0;
1868 }
1869 
1870 int xfrmnl_sa_get_encap_tmpl (struct xfrmnl_sa* sa, unsigned int* encap_type, unsigned int* encap_sport, unsigned int* encap_dport, struct nl_addr** encap_oa)
1871 {
1872  if (sa->ce_mask & XFRM_SA_ATTR_ENCAP)
1873  {
1874  *encap_type = sa->encap->encap_type;
1875  *encap_sport = sa->encap->encap_sport;
1876  *encap_dport = sa->encap->encap_dport;
1877  *encap_oa = nl_addr_clone (sa->encap->encap_oa);
1878  }
1879  else
1880  return -1;
1881 
1882  return 0;
1883 }
1884 
1885 int xfrmnl_sa_set_encap_tmpl (struct xfrmnl_sa* sa, unsigned int encap_type, unsigned int encap_sport, unsigned int encap_dport, struct nl_addr* encap_oa)
1886 {
1887  if (sa->encap) {
1888  /* Free up the old encap OA */
1889  if (sa->encap->encap_oa)
1890  nl_addr_put(sa->encap->encap_oa);
1891  memset(sa->encap, 0, sizeof (*sa->encap));
1892  } else if ((sa->encap = calloc(1, sizeof(*sa->encap))) == NULL)
1893  return -1;
1894 
1895  /* Save the new info */
1896  sa->encap->encap_type = encap_type;
1897  sa->encap->encap_sport = encap_sport;
1898  sa->encap->encap_dport = encap_dport;
1899  nl_addr_get (encap_oa);
1900  sa->encap->encap_oa = encap_oa;
1901 
1902  sa->ce_mask |= XFRM_SA_ATTR_ENCAP;
1903 
1904  return 0;
1905 }
1906 
1907 int xfrmnl_sa_get_tfcpad (struct xfrmnl_sa* sa)
1908 {
1909  if (sa->ce_mask & XFRM_SA_ATTR_TFCPAD)
1910  return sa->tfcpad;
1911  else
1912  return -1;
1913 }
1914 
1915 int xfrmnl_sa_set_tfcpad (struct xfrmnl_sa* sa, unsigned int tfcpad)
1916 {
1917  sa->tfcpad = tfcpad;
1918  sa->ce_mask |= XFRM_SA_ATTR_TFCPAD;
1919 
1920  return 0;
1921 }
1922 
1923 struct nl_addr* xfrmnl_sa_get_coaddr (struct xfrmnl_sa* sa)
1924 {
1925  if (sa->ce_mask & XFRM_SA_ATTR_COADDR)
1926  return sa->coaddr;
1927  else
1928  return NULL;
1929 }
1930 
1931 int xfrmnl_sa_set_coaddr (struct xfrmnl_sa* sa, struct nl_addr* coaddr)
1932 {
1933  /* Free up the old coaddr */
1934  if (sa->coaddr)
1935  nl_addr_put (sa->coaddr);
1936 
1937  /* Save the new info */
1938  nl_addr_get (coaddr);
1939  sa->coaddr = coaddr;
1940 
1941  sa->ce_mask |= XFRM_SA_ATTR_COADDR;
1942 
1943  return 0;
1944 }
1945 
1946 int xfrmnl_sa_get_mark (struct xfrmnl_sa* sa, unsigned int* mark_mask, unsigned int* mark_value)
1947 {
1948  if (mark_mask == NULL || mark_value == NULL)
1949  return -1;
1950 
1951  if (sa->ce_mask & XFRM_SA_ATTR_MARK)
1952  {
1953  *mark_mask = sa->mark.m;
1954  *mark_value = sa->mark.v;
1955 
1956  return 0;
1957  }
1958  else
1959  return -1;
1960 }
1961 
1962 int xfrmnl_sa_set_mark (struct xfrmnl_sa* sa, unsigned int value, unsigned int mask)
1963 {
1964  sa->mark.v = value;
1965  sa->mark.m = mask;
1966  sa->ce_mask |= XFRM_SA_ATTR_MARK;
1967 
1968  return 0;
1969 }
1970 
1971 /**
1972  * Get the security context.
1973  *
1974  * @arg sa The xfrmnl_sa object.
1975  * @arg doi An optional output value for the security context domain of interpretation.
1976  * @arg alg An optional output value for the security context algorithm.
1977  * @arg len An optional output value for the security context length, including the
1978  * terminating null byte ('\0').
1979  * @arg sid Unused parameter.
1980  * @arg ctx_str An optional buffer large enough for the security context string. It must
1981  * contain at least @len bytes.
1982  *
1983  * Warning: you must ensure that @ctx_str is large enough. If you don't know the length before-hand,
1984  * call xfrmnl_sa_get_sec_ctx() without @ctx_str argument to query only the required buffer size.
1985  * This modified API is available in all versions of libnl3 that support the capability
1986  * @def NL_CAPABILITY_XFRM_SEC_CTX_LEN (@see nl_has_capability for further information).
1987  *
1988  * @return 0 on success or a negative error code.
1989  */
1990 int xfrmnl_sa_get_sec_ctx (struct xfrmnl_sa* sa, unsigned int* doi, unsigned int* alg,
1991  unsigned int* len, unsigned int* sid, char* ctx_str)
1992 {
1993  if (sa->ce_mask & XFRM_SA_ATTR_SECCTX)
1994  {
1995  if (doi)
1996  *doi = sa->sec_ctx->ctx_doi;
1997  if (alg)
1998  *alg = sa->sec_ctx->ctx_alg;
1999  if (len)
2000  *len = sa->sec_ctx->ctx_len;
2001  if (ctx_str)
2002  memcpy (ctx_str, sa->sec_ctx->ctx, sa->sec_ctx->ctx_len);
2003  }
2004  else
2005  return -1;
2006 
2007  return 0;
2008 }
2009 
2010 /**
2011  * Set the security context.
2012  *
2013  * @arg sa The xfrmnl_sa object.
2014  * @arg doi Parameter for the security context domain of interpretation.
2015  * @arg alg Parameter for the security context algorithm.
2016  * @arg len Parameter for the length of the security context string containing
2017  * the terminating null byte ('\0').
2018  * @arg sid Unused parameter.
2019  * @arg ctx_str Buffer containing the security context string.
2020  *
2021  * @return 0 on success or a negative error code.
2022  */
2023 int xfrmnl_sa_set_sec_ctx (struct xfrmnl_sa* sa, unsigned int doi, unsigned int alg, unsigned int len,
2024  unsigned int sid, const char* ctx_str)
2025 {
2026  _nl_auto_free struct xfrmnl_user_sec_ctx *b = NULL;
2027 
2028  if (!(b = calloc(1, sizeof (struct xfrmnl_user_sec_ctx) + 1 + len)))
2029  return -1;
2030 
2031  b->len = sizeof(struct xfrmnl_user_sec_ctx) + len;
2032  b->exttype = XFRMA_SEC_CTX;
2033  b->ctx_alg = alg;
2034  b->ctx_doi = doi;
2035  b->ctx_len = len;
2036  memcpy (b->ctx, ctx_str, len);
2037  b->ctx[len] = '\0';
2038 
2039  free(sa->sec_ctx);
2040  sa->sec_ctx = _nl_steal_pointer(&b);
2041  sa->ce_mask |= XFRM_SA_ATTR_SECCTX;
2042  return 0;
2043 }
2044 
2045 
2046 int xfrmnl_sa_get_replay_maxage (struct xfrmnl_sa* sa)
2047 {
2048  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_MAXAGE)
2049  return sa->replay_maxage;
2050  else
2051  return -1;
2052 }
2053 
2054 int xfrmnl_sa_set_replay_maxage (struct xfrmnl_sa* sa, unsigned int replay_maxage)
2055 {
2056  sa->replay_maxage = replay_maxage;
2057  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXAGE;
2058 
2059  return 0;
2060 }
2061 
2062 int xfrmnl_sa_get_replay_maxdiff (struct xfrmnl_sa* sa)
2063 {
2064  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_MAXDIFF)
2065  return sa->replay_maxdiff;
2066  else
2067  return -1;
2068 }
2069 
2070 int xfrmnl_sa_set_replay_maxdiff (struct xfrmnl_sa* sa, unsigned int replay_maxdiff)
2071 {
2072  sa->replay_maxdiff = replay_maxdiff;
2073  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXDIFF;
2074 
2075  return 0;
2076 }
2077 
2078 int xfrmnl_sa_get_replay_state (struct xfrmnl_sa* sa, unsigned int* oseq, unsigned int* seq, unsigned int* bmp)
2079 {
2080  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
2081  {
2082  if (sa->replay_state_esn == NULL)
2083  {
2084  *oseq = sa->replay_state.oseq;
2085  *seq = sa->replay_state.seq;
2086  *bmp = sa->replay_state.bitmap;
2087 
2088  return 0;
2089  }
2090  else
2091  {
2092  return -1;
2093  }
2094  }
2095  else
2096  return -1;
2097 }
2098 
2099 int xfrmnl_sa_set_replay_state (struct xfrmnl_sa* sa, unsigned int oseq, unsigned int seq, unsigned int bitmap)
2100 {
2101  sa->replay_state.oseq = oseq;
2102  sa->replay_state.seq = seq;
2103  sa->replay_state.bitmap = bitmap;
2104  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
2105 
2106  return 0;
2107 }
2108 
2109 int xfrmnl_sa_get_replay_state_esn (struct xfrmnl_sa* sa, unsigned int* oseq, unsigned int* seq, unsigned int* oseq_hi,
2110  unsigned int* seq_hi, unsigned int* replay_window, unsigned int* bmp_len, unsigned int* bmp)
2111 {
2112  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
2113  {
2114  if (sa->replay_state_esn)
2115  {
2116  *oseq = sa->replay_state_esn->oseq;
2117  *seq = sa->replay_state_esn->seq;
2118  *oseq_hi= sa->replay_state_esn->oseq_hi;
2119  *seq_hi = sa->replay_state_esn->seq_hi;
2120  *replay_window = sa->replay_state_esn->replay_window;
2121  *bmp_len = sa->replay_state_esn->bmp_len; // In number of 32 bit words
2122  memcpy (bmp, sa->replay_state_esn->bmp, sa->replay_state_esn->bmp_len * sizeof (uint32_t));
2123 
2124  return 0;
2125  }
2126  else
2127  {
2128  return -1;
2129  }
2130  }
2131  else
2132  return -1;
2133 }
2134 
2135 int xfrmnl_sa_set_replay_state_esn (struct xfrmnl_sa* sa, unsigned int oseq, unsigned int seq,
2136  unsigned int oseq_hi, unsigned int seq_hi, unsigned int replay_window,
2137  unsigned int bmp_len, unsigned int* bmp)
2138 {
2139  _nl_auto_free struct xfrmnl_replay_state_esn *b = NULL;
2140 
2141  if (!(b = calloc (1, sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * bmp_len))))
2142  return -1;
2143 
2144  b->oseq = oseq;
2145  b->seq = seq;
2146  b->oseq_hi = oseq_hi;
2147  b->seq_hi = seq_hi;
2148  b->replay_window = replay_window;
2149  b->bmp_len = bmp_len; // In number of 32 bit words
2150  memcpy (b->bmp, bmp, bmp_len * sizeof (uint32_t));
2151 
2152  free(sa->replay_state_esn);
2153  sa->replay_state_esn = _nl_steal_pointer(&b);
2154  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
2155  return 0;
2156 }
2157 
2158 
2159 int xfrmnl_sa_is_hardexpiry_reached (struct xfrmnl_sa* sa)
2160 {
2161  if (sa->ce_mask & XFRM_SA_ATTR_EXPIRE)
2162  return (sa->hard > 0 ? 1: 0);
2163  else
2164  return 0;
2165 }
2166 
2167 int xfrmnl_sa_is_expiry_reached (struct xfrmnl_sa* sa)
2168 {
2169  if (sa->ce_mask & XFRM_SA_ATTR_EXPIRE)
2170  return 1;
2171  else
2172  return 0;
2173 }
2174 
2175 /** @} */
2176 
2177 static struct nl_object_ops xfrm_sa_obj_ops = {
2178  .oo_name = "xfrm/sa",
2179  .oo_size = sizeof(struct xfrmnl_sa),
2180  .oo_constructor = xfrm_sa_alloc_data,
2181  .oo_free_data = xfrm_sa_free_data,
2182  .oo_clone = xfrm_sa_clone,
2183  .oo_dump = {
2184  [NL_DUMP_LINE] = xfrm_sa_dump_line,
2185  [NL_DUMP_DETAILS] = xfrm_sa_dump_details,
2186  [NL_DUMP_STATS] = xfrm_sa_dump_stats,
2187  },
2188  .oo_compare = xfrm_sa_compare,
2189  .oo_attrs2str = xfrm_sa_attrs2str,
2190  .oo_id_attrs = (XFRM_SA_ATTR_DADDR | XFRM_SA_ATTR_SPI | XFRM_SA_ATTR_PROTO),
2191 };
2192 
2193 static struct nl_af_group xfrm_sa_groups[] = {
2194  { AF_UNSPEC, XFRMNLGRP_SA },
2195  { AF_UNSPEC, XFRMNLGRP_EXPIRE },
2196  { END_OF_GROUP_LIST },
2197 };
2198 
2199 static struct nl_cache_ops xfrmnl_sa_ops = {
2200  .co_name = "xfrm/sa",
2201  .co_hdrsize = sizeof(struct xfrm_usersa_info),
2202  .co_msgtypes = {
2203  { XFRM_MSG_NEWSA, NL_ACT_NEW, "new" },
2204  { XFRM_MSG_DELSA, NL_ACT_DEL, "del" },
2205  { XFRM_MSG_GETSA, NL_ACT_GET, "get" },
2206  { XFRM_MSG_EXPIRE, NL_ACT_UNSPEC, "expire"},
2207  { XFRM_MSG_UPDSA, NL_ACT_NEW, "update"},
2208  END_OF_MSGTYPES_LIST,
2209  },
2210  .co_protocol = NETLINK_XFRM,
2211  .co_groups = xfrm_sa_groups,
2212  .co_request_update = xfrm_sa_request_update,
2213  .co_msg_parser = xfrm_sa_msg_parser,
2214  .co_obj_ops = &xfrm_sa_obj_ops,
2215  .co_include_event = &xfrm_sa_update_cache
2216 };
2217 
2218 /**
2219  * @name XFRM SA Cache Managament
2220  * @{
2221  */
2222 
2223 static void __attribute__ ((constructor)) xfrm_sa_init(void)
2224 {
2225  nl_cache_mngt_register(&xfrmnl_sa_ops);
2226 }
2227 
2228 static void __attribute__ ((destructor)) xfrm_sa_exit(void)
2229 {
2230  nl_cache_mngt_unregister(&xfrmnl_sa_ops);
2231 }
2232 
2233 /** @} */
int nl_send_auto_complete(struct nl_sock *sk, struct nl_msg *msg)
Definition: nl.c:1248
struct nl_addr * nl_addr_clone(const struct nl_addr *addr)
Clone existing abstract address object.
Definition: addr.c:494
Dump object briefly on one line.
Definition: types.h:22
void nl_addr_set_prefixlen(struct nl_addr *addr, int prefixlen)
Set the prefix length of an abstract address.
Definition: addr.c:966
void nlmsg_free(struct nl_msg *msg)
Release a reference from an netlink message.
Definition: msg.c:565
int nlmsg_parse(struct nlmsghdr *nlh, int hdrlen, struct nlattr *tb[], int maxtype, const struct nla_policy *policy)
parse attributes of a netlink message
Definition: msg.c:215
int nl_addr_cmp(const struct nl_addr *a, const struct nl_addr *b)
Compare abstract addresses.
Definition: addr.c:586
void * nlmsg_data(const struct nlmsghdr *nlh)
Return pointer to message payload.
Definition: msg.c:107
struct nl_object * nl_object_alloc(struct nl_object_ops *ops)
Allocate a new object of kind specified by the operations handle.
Definition: object.c:55
int nl_cache_mngt_unregister(struct nl_cache_ops *ops)
Unregister a set of cache operations.
Definition: cache_mngt.c:288
Attribute validation policy.
Definition: attr.h:69
void nl_object_get(struct nl_object *obj)
Acquire a reference on a object.
Definition: object.c:205
struct nl_addr * nl_addr_build(int family, const void *buf, size_t size)
Allocate abstract address based on a binary address.
Definition: addr.c:218
int nl_pickup(struct nl_sock *sk, int(*parser)(struct nl_cache_ops *, struct sockaddr_nl *, struct nlmsghdr *, struct nl_parser_param *), struct nl_object **result)
Pickup netlink answer, parse is and return object.
Definition: nl.c:1179
struct xfrmnl_ltime_cfg * xfrmnl_ltime_cfg_clone(struct xfrmnl_ltime_cfg *ltime)
Clone existing lifetime config object.
Definition: lifetime.c:95
struct nlattr * nla_reserve(struct nl_msg *msg, int attrtype, int attrlen)
Reserve space for a attribute.
Definition: attr.c:457
struct nl_addr * nl_addr_get(struct nl_addr *addr)
Increase the reference counter of an abstract address.
Definition: addr.c:524
Dump all attributes but no statistics.
Definition: types.h:23
uint64_t nl_object_diff64(struct nl_object *a, struct nl_object *b)
Compute bitmask representing difference in attribute values.
Definition: object.c:362
int nl_cache_mngt_register(struct nl_cache_ops *ops)
Register a set of cache operations.
Definition: cache_mngt.c:253
struct nl_object * nl_cache_search(struct nl_cache *cache, struct nl_object *needle)
Search object in cache.
Definition: cache.c:1114
#define NLA_PUT(msg, attrtype, attrlen, data)
Add unspecific attribute to netlink message.
Definition: attr.h:165
int nl_object_get_msgtype(const struct nl_object *obj)
Return the netlink message type the object was derived from.
Definition: object.c:530
void nl_cache_remove(struct nl_object *obj)
Remove object from cache.
Definition: cache.c:552
void * nla_data(const struct nlattr *nla)
Return pointer to the payload section.
Definition: attr.c:121
int xfrmnl_sel_cmp(struct xfrmnl_sel *a, struct xfrmnl_sel *b)
Compares two selector objects.
Definition: selector.c:162
#define NLA_PUT_U32(msg, attrtype, value)
Add 32 bit integer attribute to netlink message.
Definition: attr.h:236
uint16_t minlen
Minimal length of payload required.
Definition: attr.h:74
int nl_send_simple(struct nl_sock *sk, int type, int flags, void *buf, size_t size)
Construct and transmit a Netlink message.
Definition: nl.c:581
struct nl_object * nl_cache_get_next(struct nl_object *obj)
Return the next element in the cache.
Definition: cache.c:146
int nlmsg_append(struct nl_msg *n, void *data, size_t len, int pad)
Append data to tail of a netlink message.
Definition: msg.c:449
int nl_wait_for_ack(struct nl_sock *sk)
Wait for ACK.
Definition: nl.c:1113
void nl_object_put(struct nl_object *obj)
Release a reference from an object.
Definition: object.c:216
int nl_cache_move(struct nl_cache *cache, struct nl_object *obj)
Move object from one cache to another.
Definition: cache.c:524
void nl_addr_put(struct nl_addr *addr)
Decrease the reference counter of an abstract address.
Definition: addr.c:540
struct nl_msg * nlmsg_alloc_simple(int nlmsgtype, int flags)
Allocate a new netlink message.
Definition: msg.c:348
struct xfrmnl_sel * xfrmnl_sel_alloc()
Allocate new selector object.
Definition: selector.c:78
32 bit integer
Definition: attr.h:43
struct xfrmnl_sel * xfrmnl_sel_clone(struct xfrmnl_sel *sel)
Clone existing selector object.
Definition: selector.c:97
struct xfrmnl_ltime_cfg * xfrmnl_ltime_cfg_alloc()
Allocate new lifetime config object.
Definition: lifetime.c:76
Dumping parameters.
Definition: types.h:33
int xfrmnl_ltime_cfg_cmp(struct xfrmnl_ltime_cfg *a, struct xfrmnl_ltime_cfg *b)
Compares two lifetime config objects.
Definition: lifetime.c:156
void nl_dump(struct nl_dump_params *params, const char *fmt,...)
Dump a formatted character string.
Definition: utils.c:962
int nl_send_auto(struct nl_sock *sk, struct nl_msg *msg)
Finalize and transmit Netlink message.
Definition: nl.c:517
int nla_put(struct nl_msg *msg, int attrtype, int datalen, const void *data)
Add a unspecific attribute to netlink message.
Definition: attr.c:501
unsigned int nl_addr_get_len(const struct nl_addr *addr)
Get length of binary address of abstract address object.
Definition: addr.c:954
Dump all attributes including statistics.
Definition: types.h:24
struct nl_object * nl_cache_get_first(struct nl_cache *cache)
Return the first element in the cache.
Definition: cache.c:120
void * nl_addr_get_binary_addr(const struct nl_addr *addr)
Get binary address of abstract address object.
Definition: addr.c:942
int nl_cache_alloc_and_fill(struct nl_cache_ops *ops, struct nl_sock *sock, struct nl_cache **result)
Allocate new cache and fill it.
Definition: cache.c:234
char * nl_addr2str(const struct nl_addr *addr, char *buf, size_t size)
Convert abstract address object to character string.
Definition: addr.c:1000
int nl_addr_get_family(const struct nl_addr *addr)
Return address family.
Definition: addr.c:894