Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / 771b800a208a35033b3da132bbd15aa5b2a8fae1 / . / server / XfrmController.cpp
blob: 92dd7578aa0451a1354d128fe3df6ea078b3054c [file] [log] [blame]
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]1/*
2 *
3 * Copyright (C) 2017 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
Nathan Harold1e284452017-10-10 13:31:19 -0700[diff] [blame]18#include <random>
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]19#include <string>
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]20#include <vector>
21
22#include <ctype.h>
23#include <errno.h>
24#include <fcntl.h>
25#include <getopt.h>
26#include <stdio.h>
27#include <stdlib.h>
28#include <string.h>
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]29
30#define __STDC_FORMAT_MACROS
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]31#include <inttypes.h>
32
33#include <arpa/inet.h>
34#include <netinet/in.h>
35
36#include <sys/socket.h>
37#include <sys/stat.h>
38#include <sys/types.h>
39#include <sys/wait.h>
40
41#include <linux/in.h>
42#include <linux/netlink.h>
43#include <linux/xfrm.h>
44
45#include "android-base/stringprintf.h"
46#include "android-base/strings.h"
47#include "android-base/unique_fd.h"
Manojd9c93c22017-10-19 13:40:26 -0700[diff] [blame]48#include <log/log_properties.h>
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]49#define LOG_TAG "XfrmController"
50#include "NetdConstants.h"
51#include "NetlinkCommands.h"
52#include "ResponseCode.h"
53#include "XfrmController.h"
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]54#include "netdutils/Fd.h"
55#include "netdutils/Slice.h"
56#include "netdutils/Syscalls.h"
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]57#include <cutils/log.h>
58#include <cutils/properties.h>
59#include <logwrap/logwrap.h>
60
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]61using android::netdutils::Fd;
62using android::netdutils::Slice;
63using android::netdutils::Status;
64using android::netdutils::StatusOr;
65using android::netdutils::Syscalls;
66
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]67namespace android {
68namespace net {
69
Nathan Harold39b5df42017-08-02 18:45:25 -0700[diff] [blame]70// Exposed for testing
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]71constexpr uint32_t ALGO_MASK_AUTH_ALL = ~0;
Nathan Harold39b5df42017-08-02 18:45:25 -0700[diff] [blame]72// Exposed for testing
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]73constexpr uint32_t ALGO_MASK_CRYPT_ALL = ~0;
Nathan Harold39b5df42017-08-02 18:45:25 -0700[diff] [blame]74// Exposed for testing
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]75constexpr uint32_t ALGO_MASK_AEAD_ALL = ~0;
76// Exposed for testing
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]77constexpr uint8_t REPLAY_WINDOW_SIZE = 4;
78
Nathan Harold39b5df42017-08-02 18:45:25 -0700[diff] [blame]79namespace {
80
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]81constexpr uint32_t RAND_SPI_MIN = 1;
82constexpr uint32_t RAND_SPI_MAX = 0xFFFFFFFE;
83
84constexpr uint32_t INVALID_SPI = 0;
85
86#define XFRM_MSG_TRANS(x) \
87 case x: \
88 return #x;
89
90const char* xfrmMsgTypeToString(uint16_t msg) {
91 switch (msg) {
92 XFRM_MSG_TRANS(XFRM_MSG_NEWSA)
93 XFRM_MSG_TRANS(XFRM_MSG_DELSA)
94 XFRM_MSG_TRANS(XFRM_MSG_GETSA)
95 XFRM_MSG_TRANS(XFRM_MSG_NEWPOLICY)
96 XFRM_MSG_TRANS(XFRM_MSG_DELPOLICY)
97 XFRM_MSG_TRANS(XFRM_MSG_GETPOLICY)
98 XFRM_MSG_TRANS(XFRM_MSG_ALLOCSPI)
99 XFRM_MSG_TRANS(XFRM_MSG_ACQUIRE)
100 XFRM_MSG_TRANS(XFRM_MSG_EXPIRE)
101 XFRM_MSG_TRANS(XFRM_MSG_UPDPOLICY)
102 XFRM_MSG_TRANS(XFRM_MSG_UPDSA)
103 XFRM_MSG_TRANS(XFRM_MSG_POLEXPIRE)
104 XFRM_MSG_TRANS(XFRM_MSG_FLUSHSA)
105 XFRM_MSG_TRANS(XFRM_MSG_FLUSHPOLICY)
106 XFRM_MSG_TRANS(XFRM_MSG_NEWAE)
107 XFRM_MSG_TRANS(XFRM_MSG_GETAE)
108 XFRM_MSG_TRANS(XFRM_MSG_REPORT)
109 XFRM_MSG_TRANS(XFRM_MSG_MIGRATE)
110 XFRM_MSG_TRANS(XFRM_MSG_NEWSADINFO)
111 XFRM_MSG_TRANS(XFRM_MSG_GETSADINFO)
112 XFRM_MSG_TRANS(XFRM_MSG_GETSPDINFO)
113 XFRM_MSG_TRANS(XFRM_MSG_NEWSPDINFO)
114 XFRM_MSG_TRANS(XFRM_MSG_MAPPING)
115 default:
116 return "XFRM_MSG UNKNOWN";
117 }
118}
119
120// actually const but cannot be declared as such for reasons
121uint8_t kPadBytesArray[] = {0, 0, 0};
122void* kPadBytes = static_cast<void*>(kPadBytesArray);
123
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]124#define LOG_HEX(__desc16__, __buf__, __len__) \
Manojd9c93c22017-10-19 13:40:26 -0700[diff] [blame]125 if (__android_log_is_debuggable()) { \
126 do { \
127 logHex(__desc16__, __buf__, __len__); \
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]128 } while (0); \
Manojd9c93c22017-10-19 13:40:26 -0700[diff] [blame]129 }
130
ludie51e3862017-08-15 19:28:12 -0700[diff] [blame]131#define LOG_IOV(__iov__) \
Manojd9c93c22017-10-19 13:40:26 -0700[diff] [blame]132 if (__android_log_is_debuggable()) { \
133 do { \
134 logIov(__iov__); \
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]135 } while (0); \
136 }
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]137
138void logHex(const char* desc16, const char* buf, size_t len) {
139 char* printBuf = new char[len * 2 + 1 + 26]; // len->ascii, +newline, +prefix strlen
140 int offset = 0;
141 if (desc16) {
142 sprintf(printBuf, "{%-16s}", desc16);
143 offset += 18; // prefix string length
144 }
145 sprintf(printBuf + offset, "[%4.4u]: ", (len > 9999) ? 9999 : (unsigned)len);
146 offset += 8;
147
148 for (uint32_t j = 0; j < (uint32_t)len; j++) {
149 sprintf(&printBuf[j * 2 + offset], "%0.2x", buf[j]);
150 }
151 ALOGD("%s", printBuf);
152 delete[] printBuf;
153}
154
ludie51e3862017-08-15 19:28:12 -0700[diff] [blame]155void logIov(const std::vector<iovec>& iov) {
156 for (const iovec& row : iov) {
157 logHex(0, reinterpret_cast<char*>(row.iov_base), row.iov_len);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]158 }
159}
160
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]161// TODO: Need to consider a way to refer to the sSycalls instance
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]162inline Syscalls& getSyscallInstance() { return netdutils::sSyscalls.get(); }
163
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]164class XfrmSocketImpl : public XfrmSocket {
165private:
166 static constexpr int NLMSG_DEFAULTSIZE = 8192;
167
168 union NetlinkResponse {
169 nlmsghdr hdr;
170 struct _err_ {
171 nlmsghdr hdr;
172 nlmsgerr err;
173 } err;
174
175 struct _buf_ {
176 nlmsghdr hdr;
177 char buf[NLMSG_DEFAULTSIZE];
178 } buf;
179 };
180
181public:
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]182 netdutils::Status open() override {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]183 mSock = openNetlinkSocket(NETLINK_XFRM);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]184 if (mSock < 0) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]185 ALOGW("Could not get a new socket, line=%d", __LINE__);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]186 return netdutils::statusFromErrno(-mSock, "Could not open netlink socket");
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]187 }
188
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]189 return netdutils::status::ok;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]190 }
191
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]192 static netdutils::Status validateResponse(NetlinkResponse response, size_t len) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]193 if (len < sizeof(nlmsghdr)) {
194 ALOGW("Invalid response message received over netlink");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]195 return netdutils::statusFromErrno(EBADMSG, "Invalid message");
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]196 }
197
198 switch (response.hdr.nlmsg_type) {
199 case NLMSG_NOOP:
200 case NLMSG_DONE:
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]201 return netdutils::status::ok;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]202 case NLMSG_OVERRUN:
203 ALOGD("Netlink request overran kernel buffer");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]204 return netdutils::statusFromErrno(EBADMSG, "Kernel buffer overrun");
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]205 case NLMSG_ERROR:
206 if (len < sizeof(NetlinkResponse::_err_)) {
207 ALOGD("Netlink message received malformed error response");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]208 return netdutils::statusFromErrno(EBADMSG, "Malformed error response");
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]209 }
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]210 return netdutils::statusFromErrno(
211 -response.err.err.error,
212 "Error netlink message"); // Netlink errors are negative errno.
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]213 case XFRM_MSG_NEWSA:
214 break;
215 }
216
217 if (response.hdr.nlmsg_type < XFRM_MSG_BASE /*== NLMSG_MIN_TYPE*/ ||
218 response.hdr.nlmsg_type > XFRM_MSG_MAX) {
219 ALOGD("Netlink message responded with an out-of-range message ID");
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]220 return netdutils::statusFromErrno(EBADMSG, "Invalid message ID");
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]221 }
222
223 // TODO Add more message validation here
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]224 return netdutils::status::ok;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]225 }
226
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]227 netdutils::Status sendMessage(uint16_t nlMsgType, uint16_t nlMsgFlags, uint16_t nlMsgSeqNum,
228 std::vector<iovec>* iovecs) const override {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]229 nlmsghdr nlMsg = {
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]230 .nlmsg_type = nlMsgType,
231 .nlmsg_flags = nlMsgFlags,
232 .nlmsg_seq = nlMsgSeqNum,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]233 };
234
ludie51e3862017-08-15 19:28:12 -0700[diff] [blame]235 (*iovecs)[0].iov_base = &nlMsg;
236 (*iovecs)[0].iov_len = NLMSG_HDRLEN;
237 for (const iovec& iov : *iovecs) {
238 nlMsg.nlmsg_len += iov.iov_len;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]239 }
240
241 ALOGD("Sending Netlink XFRM Message: %s", xfrmMsgTypeToString(nlMsgType));
Manojd9c93c22017-10-19 13:40:26 -0700[diff] [blame]242 LOG_IOV(*iovecs);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]243
ludie51e3862017-08-15 19:28:12 -0700[diff] [blame]244 StatusOr<size_t> writeResult = getSyscallInstance().writev(mSock, *iovecs);
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]245 if (!isOk(writeResult)) {
246 ALOGE("netlink socket writev failed (%s)", toString(writeResult).c_str());
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]247 return writeResult;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]248 }
249
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]250 if (nlMsg.nlmsg_len != writeResult.value()) {
251 ALOGE("Invalid netlink message length sent %d", static_cast<int>(writeResult.value()));
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]252 return netdutils::statusFromErrno(EBADMSG, "Invalid message length");
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]253 }
254
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]255 NetlinkResponse response = {};
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]256
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]257 StatusOr<Slice> readResult =
258 getSyscallInstance().read(Fd(mSock), netdutils::makeSlice(response));
259 if (!isOk(readResult)) {
260 ALOGE("netlink response error (%s)", toString(readResult).c_str());
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]261 return readResult;
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]262 }
263
264 LOG_HEX("netlink msg resp", reinterpret_cast<char*>(readResult.value().base()),
265 readResult.value().size());
266
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]267 Status validateStatus = validateResponse(response, readResult.value().size());
268 if (!isOk(validateStatus)) {
269 ALOGE("netlink response contains error (%s)", toString(validateStatus).c_str());
270 }
271
272 return validateStatus;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]273 }
274};
275
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]276StatusOr<int> convertToXfrmAddr(const std::string& strAddr, xfrm_address_t* xfrmAddr) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]277 if (strAddr.length() == 0) {
278 memset(xfrmAddr, 0, sizeof(*xfrmAddr));
279 return AF_UNSPEC;
280 }
281
282 if (inet_pton(AF_INET6, strAddr.c_str(), reinterpret_cast<void*>(xfrmAddr))) {
283 return AF_INET6;
284 } else if (inet_pton(AF_INET, strAddr.c_str(), reinterpret_cast<void*>(xfrmAddr))) {
285 return AF_INET;
286 } else {
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]287 return netdutils::statusFromErrno(EAFNOSUPPORT, "Invalid address family");
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]288 }
289}
290
291void fillXfrmNlaHdr(nlattr* hdr, uint16_t type, uint16_t len) {
292 hdr->nla_type = type;
293 hdr->nla_len = len;
294}
295
296void fillXfrmCurLifetimeDefaults(xfrm_lifetime_cur* cur) {
297 memset(reinterpret_cast<char*>(cur), 0, sizeof(*cur));
298}
299void fillXfrmLifetimeDefaults(xfrm_lifetime_cfg* cfg) {
300 cfg->soft_byte_limit = XFRM_INF;
301 cfg->hard_byte_limit = XFRM_INF;
302 cfg->soft_packet_limit = XFRM_INF;
303 cfg->hard_packet_limit = XFRM_INF;
304}
305
306/*
307 * Allocate SPIs within an (inclusive) range of min-max.
308 * returns 0 (INVALID_SPI) once the entire range has been parsed.
309 */
310class RandomSpi {
311public:
312 RandomSpi(int min, int max) : mMin(min) {
Nathan Harold1e284452017-10-10 13:31:19 -0700[diff] [blame]313 // Re-seeding should be safe because the seed itself is
314 // sufficiently random and we don't need secure random
315 std::mt19937 rnd = std::mt19937(std::random_device()());
316 mNext = std::uniform_int_distribution<>(1, INT_MAX)(rnd);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]317 mSize = max - min + 1;
318 mCount = mSize;
319 }
320
321 uint32_t next() {
322 if (!mCount)
323 return 0;
324 mCount--;
325 return (mNext++ % mSize) + mMin;
326 }
327
328private:
329 uint32_t mNext;
330 uint32_t mSize;
331 uint32_t mMin;
332 uint32_t mCount;
333};
334
335} // namespace
336
337//
338// Begin XfrmController Impl
339//
340//
341XfrmController::XfrmController(void) {}
342
Benedict Wongb2daefb2017-12-06 22:05:46 -0800[diff] [blame]343netdutils::Status XfrmController::ipSecSetEncapSocketOwner(const android::base::unique_fd& socket,
344 int newUid, uid_t callerUid) {
345 ALOGD("XfrmController:%s, line=%d", __FUNCTION__, __LINE__);
346
347 const int fd = socket.get();
348 struct stat info;
349 if (fstat(fd, &info)) {
350 return netdutils::statusFromErrno(errno, "Failed to stat socket file descriptor");
351 }
352 if (info.st_uid != callerUid) {
353 return netdutils::statusFromErrno(EPERM, "fchown disabled for non-owner calls");
354 }
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]355 if (S_ISSOCK(info.st_mode) == 0) {
Benedict Wongb2daefb2017-12-06 22:05:46 -0800[diff] [blame]356 return netdutils::statusFromErrno(EINVAL, "File descriptor was not a socket");
357 }
358
359 int optval;
360 socklen_t optlen;
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]361 netdutils::Status status =
362 getSyscallInstance().getsockopt(Fd(socket), IPPROTO_UDP, UDP_ENCAP, &optval, &optlen);
Benedict Wongb2daefb2017-12-06 22:05:46 -0800[diff] [blame]363 if (status != netdutils::status::ok) {
364 return status;
365 }
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]366 if (optval != UDP_ENCAP_ESPINUDP && optval != UDP_ENCAP_ESPINUDP_NON_IKE) {
Benedict Wongb2daefb2017-12-06 22:05:46 -0800[diff] [blame]367 return netdutils::statusFromErrno(EINVAL, "Socket did not have UDP-encap sockopt set");
368 }
369 if (fchown(fd, newUid, -1)) {
370 return netdutils::statusFromErrno(errno, "Failed to fchown socket file descriptor");
371 }
372
373 return netdutils::status::ok;
374}
375
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]376netdutils::Status XfrmController::ipSecAllocateSpi(int32_t transformId,
377 const std::string& sourceAddress,
378 const std::string& destinationAddress,
379 int32_t inSpi, int32_t* outSpi) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]380 ALOGD("XfrmController:%s, line=%d", __FUNCTION__, __LINE__);
381 ALOGD("transformId=%d", transformId);
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]382 ALOGD("sourceAddress=%s", sourceAddress.c_str());
383 ALOGD("destinationAddress=%s", destinationAddress.c_str());
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]384 ALOGD("inSpi=%0.8x", inSpi);
385
386 XfrmSaInfo saInfo{};
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]387 netdutils::Status ret =
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]388 fillXfrmId(sourceAddress, destinationAddress, INVALID_SPI, transformId, &saInfo);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]389 if (!isOk(ret)) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]390 return ret;
391 }
392
393 XfrmSocketImpl sock;
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]394 netdutils::Status socketStatus = sock.open();
395 if (!isOk(socketStatus)) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]396 ALOGD("Sock open failed for XFRM, line=%d", __LINE__);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]397 return socketStatus;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]398 }
399
400 int minSpi = RAND_SPI_MIN, maxSpi = RAND_SPI_MAX;
401
402 if (inSpi)
403 minSpi = maxSpi = inSpi;
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]404
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]405 ret = allocateSpi(saInfo, minSpi, maxSpi, reinterpret_cast<uint32_t*>(outSpi), sock);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]406 if (!isOk(ret)) {
407 // TODO: May want to return a new Status with a modified status string
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]408 ALOGD("Failed to Allocate an SPI, line=%d", __LINE__);
409 *outSpi = INVALID_SPI;
410 }
411
412 return ret;
413}
414
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]415netdutils::Status XfrmController::ipSecAddSecurityAssociation(
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]416 int32_t transformId, int32_t mode, const std::string& sourceAddress,
417 const std::string& destinationAddress, int64_t underlyingNetworkHandle, int32_t spi,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]418 const std::string& authAlgo, const std::vector<uint8_t>& authKey, int32_t authTruncBits,
419 const std::string& cryptAlgo, const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits,
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]420 const std::string& aeadAlgo, const std::vector<uint8_t>& aeadKey, int32_t aeadIcvBits,
ludiec836052017-05-20 14:17:05 -0700[diff] [blame]421 int32_t encapType, int32_t encapLocalPort, int32_t encapRemotePort) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]422 ALOGD("XfrmController::%s, line=%d", __FUNCTION__, __LINE__);
423 ALOGD("transformId=%d", transformId);
424 ALOGD("mode=%d", mode);
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]425 ALOGD("sourceAddress=%s", sourceAddress.c_str());
426 ALOGD("destinationAddress=%s", destinationAddress.c_str());
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]427 ALOGD("underlyingNetworkHandle=%" PRIx64, underlyingNetworkHandle);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]428 ALOGD("spi=%0.8x", spi);
429 ALOGD("authAlgo=%s", authAlgo.c_str());
430 ALOGD("authTruncBits=%d", authTruncBits);
431 ALOGD("cryptAlgo=%s", cryptAlgo.c_str());
432 ALOGD("cryptTruncBits=%d,", cryptTruncBits);
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]433 ALOGD("aeadAlgo=%s", aeadAlgo.c_str());
434 ALOGD("aeadIcvBits=%d,", aeadIcvBits);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]435 ALOGD("encapType=%d", encapType);
436 ALOGD("encapLocalPort=%d", encapLocalPort);
437 ALOGD("encapRemotePort=%d", encapRemotePort);
438
439 XfrmSaInfo saInfo{};
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]440 netdutils::Status ret =
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]441 fillXfrmId(sourceAddress, destinationAddress, spi, transformId, &saInfo);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]442 if (!isOk(ret)) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]443 return ret;
444 }
445
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]446 saInfo.auth = XfrmAlgo{
447 .name = authAlgo, .key = authKey, .truncLenBits = static_cast<uint16_t>(authTruncBits)};
448
449 saInfo.crypt = XfrmAlgo{
450 .name = cryptAlgo, .key = cryptKey, .truncLenBits = static_cast<uint16_t>(cryptTruncBits)};
451
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]452 saInfo.aead = XfrmAlgo{
453 .name = aeadAlgo, .key = aeadKey, .truncLenBits = static_cast<uint16_t>(aeadIcvBits)};
454
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]455 switch (static_cast<XfrmMode>(mode)) {
456 case XfrmMode::TRANSPORT:
457 case XfrmMode::TUNNEL:
458 saInfo.mode = static_cast<XfrmMode>(mode);
459 break;
460 default:
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]461 return netdutils::statusFromErrno(EINVAL, "Invalid xfrm mode");
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]462 }
463
464 XfrmSocketImpl sock;
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]465 netdutils::Status socketStatus = sock.open();
466 if (!isOk(socketStatus)) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]467 ALOGD("Sock open failed for XFRM, line=%d", __LINE__);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]468 return socketStatus;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]469 }
470
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]471 switch (static_cast<XfrmEncapType>(encapType)) {
472 case XfrmEncapType::ESPINUDP:
473 case XfrmEncapType::ESPINUDP_NON_IKE:
474 if (saInfo.addrFamily != AF_INET) {
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]475 return netdutils::statusFromErrno(EAFNOSUPPORT, "IPv6 encap not supported");
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]476 }
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]477 // The ports are not used on input SAs, so this is OK to be wrong when
478 // direction is ultimately input.
479 saInfo.encap.srcPort = encapLocalPort;
480 saInfo.encap.dstPort = encapRemotePort;
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]481 // fall through
482 case XfrmEncapType::NONE:
483 saInfo.encap.type = static_cast<XfrmEncapType>(encapType);
484 break;
485 default:
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]486 return netdutils::statusFromErrno(EINVAL, "Invalid encap type");
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]487 }
488
Di Lu0e16b5e2018-01-12 10:37:53 -0800[diff] [blame]489 ret = updateSecurityAssociation(saInfo, sock);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]490 if (!isOk(ret)) {
Di Lu0e16b5e2018-01-12 10:37:53 -0800[diff] [blame]491 ALOGD("Failed updating a Security Association, line=%d", __LINE__);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]492 }
493
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]494 return ret;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]495}
496
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]497netdutils::Status
498XfrmController::ipSecDeleteSecurityAssociation(int32_t transformId,
499 const std::string& sourceAddress,
500 const std::string& destinationAddress, int32_t spi) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]501 ALOGD("XfrmController:%s, line=%d", __FUNCTION__, __LINE__);
502 ALOGD("transformId=%d", transformId);
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]503 ALOGD("sourceAddress=%s", sourceAddress.c_str());
504 ALOGD("destinationAddress=%s", destinationAddress.c_str());
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]505 ALOGD("spi=%0.8x", spi);
506
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]507 XfrmId saId{};
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]508 netdutils::Status ret = fillXfrmId(sourceAddress, destinationAddress, spi, transformId, &saId);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]509 if (!isOk(ret)) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]510 return ret;
511 }
512
513 XfrmSocketImpl sock;
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]514 netdutils::Status socketStatus = sock.open();
515 if (!isOk(socketStatus)) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]516 ALOGD("Sock open failed for XFRM, line=%d", __LINE__);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]517 return socketStatus;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]518 }
519
520 ret = deleteSecurityAssociation(saId, sock);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]521 if (!isOk(ret)) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]522 ALOGD("Failed to delete Security Association, line=%d", __LINE__);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]523 }
524
525 return ret;
526}
527
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]528netdutils::Status XfrmController::fillXfrmId(const std::string& sourceAddress,
529 const std::string& destinationAddress, int32_t spi,
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]530 int32_t transformId, XfrmId* xfrmId) {
531 // Fill the straightforward fields first
532 xfrmId->transformId = transformId;
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]533 xfrmId->spi = htonl(spi);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]534
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]535 // Use the addresses to determine the address family and do validation
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]536 xfrm_address_t sourceXfrmAddr{}, destXfrmAddr{};
537 StatusOr<int> sourceFamily, destFamily;
538 sourceFamily = convertToXfrmAddr(sourceAddress, &sourceXfrmAddr);
539 destFamily = convertToXfrmAddr(destinationAddress, &destXfrmAddr);
540 if (!isOk(sourceFamily) || !isOk(destFamily)) {
541 return netdutils::statusFromErrno(EINVAL, "Invalid address " + sourceAddress + "/" +
542 destinationAddress);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]543 }
544
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]545 if (destFamily.value() == AF_UNSPEC ||
546 (sourceFamily.value() != AF_UNSPEC && sourceFamily.value() != destFamily.value())) {
547 ALOGD("Invalid or Mismatched Address Families, %d != %d, line=%d", sourceFamily.value(),
548 destFamily.value(), __LINE__);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]549 return netdutils::statusFromErrno(EINVAL, "Invalid or mismatched address families");
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]550 }
551
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]552 xfrmId->addrFamily = destFamily.value();
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]553
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]554 xfrmId->dstAddr = destXfrmAddr;
555 xfrmId->srcAddr = sourceXfrmAddr;
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]556 return netdutils::status::ok;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]557}
558
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]559netdutils::Status XfrmController::ipSecApplyTransportModeTransform(
560 const android::base::unique_fd& socket, int32_t transformId, int32_t direction,
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]561 const std::string& sourceAddress, const std::string& destinationAddress, int32_t spi) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]562 ALOGD("XfrmController::%s, line=%d", __FUNCTION__, __LINE__);
563 ALOGD("transformId=%d", transformId);
564 ALOGD("direction=%d", direction);
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]565 ALOGD("sourceAddress=%s", sourceAddress.c_str());
566 ALOGD("destinationAddress=%s", destinationAddress.c_str());
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]567 ALOGD("spi=%0.8x", spi);
568
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]569 StatusOr<sockaddr_storage> ret = getSyscallInstance().getsockname<sockaddr_storage>(Fd(socket));
570 if (!isOk(ret)) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]571 ALOGE("Failed to get socket info in %s", __FUNCTION__);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]572 return ret;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]573 }
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]574 struct sockaddr_storage saddr = ret.value();
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]575
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]576 XfrmSaInfo saInfo{};
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]577 netdutils::Status status =
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]578 fillXfrmId(sourceAddress, destinationAddress, spi, transformId, &saInfo);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]579 if (!isOk(status)) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]580 ALOGE("Couldn't build SA ID %s", __FUNCTION__);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]581 return status;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]582 }
583
manojboopathi26f42922017-12-14 10:51:57 -0800[diff] [blame]584 if (saddr.ss_family == AF_INET && saInfo.addrFamily != AF_INET) {
585 ALOGE("IPV4 socket address family(%d) should match IPV4 Transform "
586 "address family(%d)!",
587 saddr.ss_family, saInfo.addrFamily);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]588 return netdutils::statusFromErrno(EINVAL, "Mismatched address family");
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]589 }
590
591 struct {
592 xfrm_userpolicy_info info;
593 xfrm_user_tmpl tmpl;
594 } policy{};
595
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]596 fillTransportModeUserSpInfo(saInfo, static_cast<XfrmDirection>(direction), &policy.info);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]597 fillUserTemplate(saInfo, &policy.tmpl);
598
599 LOG_HEX("XfrmUserPolicy", reinterpret_cast<char*>(&policy), sizeof(policy));
600
601 int sockOpt, sockLayer;
manojboopathi26f42922017-12-14 10:51:57 -0800[diff] [blame]602 switch (saddr.ss_family) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]603 case AF_INET:
604 sockOpt = IP_XFRM_POLICY;
605 sockLayer = SOL_IP;
606 break;
607 case AF_INET6:
608 sockOpt = IPV6_XFRM_POLICY;
609 sockLayer = SOL_IPV6;
610 break;
611 default:
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]612 return netdutils::statusFromErrno(EAFNOSUPPORT, "Invalid address family");
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]613 }
614
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]615 status = getSyscallInstance().setsockopt(Fd(socket), sockLayer, sockOpt, policy);
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]616 if (!isOk(status)) {
617 ALOGE("Error setting socket option for XFRM! (%s)", toString(status).c_str());
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]618 }
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]619
620 return status;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]621}
622
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]623netdutils::Status
624XfrmController::ipSecRemoveTransportModeTransform(const android::base::unique_fd& socket) {
ludi87991632017-10-30 15:28:11 -0700[diff] [blame]625 ALOGD("XfrmController::%s, line=%d", __FUNCTION__, __LINE__);
626
627 StatusOr<sockaddr_storage> ret = getSyscallInstance().getsockname<sockaddr_storage>(Fd(socket));
628 if (!isOk(ret)) {
629 ALOGE("Failed to get socket info in %s! (%s)", __FUNCTION__, toString(ret).c_str());
630 return ret;
631 }
632
633 int sockOpt, sockLayer;
634 switch (ret.value().ss_family) {
635 case AF_INET:
636 sockOpt = IP_XFRM_POLICY;
637 sockLayer = SOL_IP;
638 break;
639 case AF_INET6:
640 sockOpt = IPV6_XFRM_POLICY;
641 sockLayer = SOL_IPV6;
642 break;
643 default:
644 return netdutils::statusFromErrno(EAFNOSUPPORT, "Invalid address family");
645 }
646
647 // Kernel will delete the security policy on this socket for both direction
648 // if optval is set to NULL and optlen is set to 0.
649 netdutils::Status status =
650 getSyscallInstance().setsockopt(Fd(socket), sockLayer, sockOpt, NULL, 0);
651 if (!isOk(status)) {
652 ALOGE("Error removing socket option for XFRM! (%s)", toString(status).c_str());
653 }
654
655 return status;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]656}
657
ludi771b8002017-11-20 15:09:05 -0800[diff] [blame^]658netdutils::Status XfrmController::ipSecAddSecurityPolicy(int32_t transformId, int32_t direction,
659 const std::string& localAddress,
660 const std::string& remoteAddress,
661 int32_t spi) {
662 return processSecurityPolicy(transformId, direction, localAddress, remoteAddress, spi,
663 XFRM_MSG_NEWPOLICY);
664}
665
666netdutils::Status XfrmController::ipSecUpdateSecurityPolicy(int32_t transformId, int32_t direction,
667 const std::string& localAddress,
668 const std::string& remoteAddress,
669 int32_t spi) {
670 return processSecurityPolicy(transformId, direction, localAddress, remoteAddress, spi,
671 XFRM_MSG_UPDPOLICY);
672}
673
674netdutils::Status XfrmController::ipSecDeleteSecurityPolicy(int32_t transformId, int32_t direction,
675 const std::string& localAddress,
676 const std::string& remoteAddress) {
677 return processSecurityPolicy(transformId, direction, localAddress, remoteAddress, 0,
678 XFRM_MSG_DELPOLICY);
679}
680
681netdutils::Status XfrmController::processSecurityPolicy(int32_t transformId, int32_t direction,
682 const std::string& localAddress,
683 const std::string& remoteAddress,
684 int32_t spi, int32_t msgType) {
685 ALOGD("XfrmController::%s, line=%d", __FUNCTION__, __LINE__);
686 ALOGD("transformId=%d", transformId);
687 ALOGD("direction=%d", direction);
688 ALOGD("localAddress=%s", localAddress.c_str());
689 ALOGD("remoteAddress=%s", remoteAddress.c_str());
690 ALOGD("spi=%0.8x", spi);
691 ALOGD("msgType=%d", msgType);
692
693 XfrmSaInfo saInfo{};
694 saInfo.mode = XfrmMode::TUNNEL;
695
696 XfrmSocketImpl sock;
697 RETURN_IF_NOT_OK(sock.open());
698
699 RETURN_IF_NOT_OK(fillXfrmId(localAddress, remoteAddress, spi, transformId, &saInfo));
700
701 if (msgType == XFRM_MSG_DELPOLICY) {
702 return deleteTunnelModeSecurityPolicy(saInfo, sock, static_cast<XfrmDirection>(direction));
703 } else {
704 return updateTunnelModeSecurityPolicy(saInfo, sock, static_cast<XfrmDirection>(direction),
705 msgType);
706 }
707}
708
709void XfrmController::fillXfrmSelector(const XfrmSaInfo& record, xfrm_selector* selector) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]710 selector->family = record.addrFamily;
711 selector->proto = AF_UNSPEC; // TODO: do we need to match the protocol? it's
712 // possible via the socket
713 selector->ifindex = record.netId; // TODO : still need to sort this out
714}
715
Di Lu0e16b5e2018-01-12 10:37:53 -0800[diff] [blame]716netdutils::Status XfrmController::updateSecurityAssociation(const XfrmSaInfo& record,
manojboopathi4d2d6f12017-12-06 11:11:31 -0800[diff] [blame]717 const XfrmSocket& sock) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]718 xfrm_usersa_info usersa{};
719 nlattr_algo_crypt crypt{};
720 nlattr_algo_auth auth{};
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]721 nlattr_algo_aead aead{};
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]722 nlattr_encap_tmpl encap{};
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]723
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]724 enum {
725 NLMSG_HDR,
726 USERSA,
727 USERSA_PAD,
728 CRYPT,
729 CRYPT_PAD,
730 AUTH,
731 AUTH_PAD,
732 AEAD,
733 AEAD_PAD,
734 ENCAP,
735 ENCAP_PAD
736 };
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]737
ludie51e3862017-08-15 19:28:12 -0700[diff] [blame]738 std::vector<iovec> iov = {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]739 {NULL, 0}, // reserved for the eventual addition of a NLMSG_HDR
740 {&usersa, 0}, // main usersa_info struct
741 {kPadBytes, 0}, // up to NLMSG_ALIGNTO pad bytes of padding
742 {&crypt, 0}, // adjust size if crypt algo is present
743 {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes
744 {&auth, 0}, // adjust size if auth algo is present
745 {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]746 {&aead, 0}, // adjust size if aead algo is present
747 {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes
748 {&encap, 0}, // adjust size if encapsulating
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]749 {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]750 };
751
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]752 if (!record.aead.name.empty() && (!record.auth.name.empty() || !record.crypt.name.empty())) {
753 return netdutils::statusFromErrno(EINVAL, "Invalid xfrm algo selection; AEAD is mutually "
754 "exclusive with both Authentication and "
755 "Encryption");
756 }
757
Benedict Wong4f60ee12017-10-10 12:27:25 -0700[diff] [blame]758 if (record.aead.key.size() > MAX_KEY_LENGTH || record.auth.key.size() > MAX_KEY_LENGTH ||
759 record.crypt.key.size() > MAX_KEY_LENGTH) {
760 return netdutils::statusFromErrno(EINVAL, "Key length invalid; exceeds MAX_KEY_LENGTH");
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]761 }
762
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]763 int len;
764 len = iov[USERSA].iov_len = fillUserSaInfo(record, &usersa);
765 iov[USERSA_PAD].iov_len = NLMSG_ALIGN(len) - len;
766
767 len = iov[CRYPT].iov_len = fillNlAttrXfrmAlgoEnc(record.crypt, &crypt);
768 iov[CRYPT_PAD].iov_len = NLA_ALIGN(len) - len;
769
770 len = iov[AUTH].iov_len = fillNlAttrXfrmAlgoAuth(record.auth, &auth);
771 iov[AUTH_PAD].iov_len = NLA_ALIGN(len) - len;
772
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]773 len = iov[AEAD].iov_len = fillNlAttrXfrmAlgoAead(record.aead, &aead);
774 iov[AEAD_PAD].iov_len = NLA_ALIGN(len) - len;
775
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]776 len = iov[ENCAP].iov_len = fillNlAttrXfrmEncapTmpl(record, &encap);
777 iov[ENCAP_PAD].iov_len = NLA_ALIGN(len) - len;
ludie51e3862017-08-15 19:28:12 -0700[diff] [blame]778 return sock.sendMessage(XFRM_MSG_UPDSA, NETLINK_REQUEST_FLAGS, 0, &iov);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]779}
780
781int XfrmController::fillNlAttrXfrmAlgoEnc(const XfrmAlgo& inAlgo, nlattr_algo_crypt* algo) {
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]782 if (inAlgo.name.empty()) { // Do not fill anything if algorithm not provided
783 return 0;
784 }
785
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]786 int len = NLA_HDRLEN + sizeof(xfrm_algo);
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]787 // Kernel always changes last char to null terminator; no safety checks needed.
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]788 strncpy(algo->crypt.alg_name, inAlgo.name.c_str(), sizeof(algo->crypt.alg_name));
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]789 algo->crypt.alg_key_len = inAlgo.key.size() * 8; // bits
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]790 memcpy(algo->key, &inAlgo.key[0], inAlgo.key.size());
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]791 len += inAlgo.key.size();
792 fillXfrmNlaHdr(&algo->hdr, XFRMA_ALG_CRYPT, len);
793 return len;
794}
795
796int XfrmController::fillNlAttrXfrmAlgoAuth(const XfrmAlgo& inAlgo, nlattr_algo_auth* algo) {
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]797 if (inAlgo.name.empty()) { // Do not fill anything if algorithm not provided
798 return 0;
799 }
800
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]801 int len = NLA_HDRLEN + sizeof(xfrm_algo_auth);
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]802 // Kernel always changes last char to null terminator; no safety checks needed.
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]803 strncpy(algo->auth.alg_name, inAlgo.name.c_str(), sizeof(algo->auth.alg_name));
804 algo->auth.alg_key_len = inAlgo.key.size() * 8; // bits
805
806 // This is the extra field for ALG_AUTH_TRUNC
807 algo->auth.alg_trunc_len = inAlgo.truncLenBits;
808
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]809 memcpy(algo->key, &inAlgo.key[0], inAlgo.key.size());
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]810 len += inAlgo.key.size();
811
812 fillXfrmNlaHdr(&algo->hdr, XFRMA_ALG_AUTH_TRUNC, len);
813 return len;
814}
815
Benedict Wongbe65b432017-08-22 21:43:14 -0700[diff] [blame]816int XfrmController::fillNlAttrXfrmAlgoAead(const XfrmAlgo& inAlgo, nlattr_algo_aead* algo) {
817 if (inAlgo.name.empty()) { // Do not fill anything if algorithm not provided
818 return 0;
819 }
820
821 int len = NLA_HDRLEN + sizeof(xfrm_algo_aead);
822 // Kernel always changes last char to null terminator; no safety checks needed.
823 strncpy(algo->aead.alg_name, inAlgo.name.c_str(), sizeof(algo->aead.alg_name));
824 algo->aead.alg_key_len = inAlgo.key.size() * 8; // bits
825
826 // This is the extra field for ALG_AEAD. ICV length is the same as truncation length
827 // for any AEAD algorithm.
828 algo->aead.alg_icv_len = inAlgo.truncLenBits;
829
830 memcpy(algo->key, &inAlgo.key[0], inAlgo.key.size());
831 len += inAlgo.key.size();
832
833 fillXfrmNlaHdr(&algo->hdr, XFRMA_ALG_AEAD, len);
834 return len;
835}
836
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]837int XfrmController::fillNlAttrXfrmEncapTmpl(const XfrmSaInfo& record, nlattr_encap_tmpl* tmpl) {
838 if (record.encap.type == XfrmEncapType::NONE) {
839 return 0;
840 }
841
842 int len = NLA_HDRLEN + sizeof(xfrm_encap_tmpl);
843 tmpl->tmpl.encap_type = static_cast<uint16_t>(record.encap.type);
844 tmpl->tmpl.encap_sport = htons(record.encap.srcPort);
845 tmpl->tmpl.encap_dport = htons(record.encap.dstPort);
846 fillXfrmNlaHdr(&tmpl->hdr, XFRMA_ENCAP, len);
847 return len;
848}
849
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]850int XfrmController::fillUserSaInfo(const XfrmSaInfo& record, xfrm_usersa_info* usersa) {
ludi771b8002017-11-20 15:09:05 -0800[diff] [blame^]851 fillXfrmSelector(record, &usersa->sel);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]852
853 usersa->id.proto = IPPROTO_ESP;
854 usersa->id.spi = record.spi;
855 usersa->id.daddr = record.dstAddr;
856
857 usersa->saddr = record.srcAddr;
858
859 fillXfrmLifetimeDefaults(&usersa->lft);
860 fillXfrmCurLifetimeDefaults(&usersa->curlft);
861 memset(&usersa->stats, 0, sizeof(usersa->stats)); // leave stats zeroed out
862 usersa->reqid = record.transformId;
863 usersa->family = record.addrFamily;
864 usersa->mode = static_cast<uint8_t>(record.mode);
865 usersa->replay_window = REPLAY_WINDOW_SIZE;
manojboopathi4d2d6f12017-12-06 11:11:31 -0800[diff] [blame]866
867 if (record.mode == XfrmMode::TRANSPORT) {
868 usersa->flags = 0; // TODO: should we actually set flags, XFRM_SA_XFLAG_DONT_ENCAP_DSCP?
869 } else {
870 usersa->flags = XFRM_STATE_AF_UNSPEC;
871 }
872
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]873 return sizeof(*usersa);
874}
875
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]876int XfrmController::fillUserSaId(const XfrmId& record, xfrm_usersa_id* said) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]877 said->daddr = record.dstAddr;
878 said->spi = record.spi;
879 said->family = record.addrFamily;
880 said->proto = IPPROTO_ESP;
881
882 return sizeof(*said);
883}
884
Nathan Harold7441c692017-12-12 21:25:01 -0800[diff] [blame]885netdutils::Status XfrmController::deleteSecurityAssociation(const XfrmId& record,
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]886 const XfrmSocket& sock) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]887 xfrm_usersa_id said{};
888
ludie51e3862017-08-15 19:28:12 -0700[diff] [blame]889 enum { NLMSG_HDR, USERSAID, USERSAID_PAD };
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]890
ludie51e3862017-08-15 19:28:12 -0700[diff] [blame]891 std::vector<iovec> iov = {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]892 {NULL, 0}, // reserved for the eventual addition of a NLMSG_HDR
893 {&said, 0}, // main usersa_info struct
894 {kPadBytes, 0}, // up to NLMSG_ALIGNTO pad bytes of padding
895 };
896
897 int len;
898 len = iov[USERSAID].iov_len = fillUserSaId(record, &said);
899 iov[USERSAID_PAD].iov_len = NLMSG_ALIGN(len) - len;
900
ludie51e3862017-08-15 19:28:12 -0700[diff] [blame]901 return sock.sendMessage(XFRM_MSG_DELSA, NETLINK_REQUEST_FLAGS, 0, &iov);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]902}
903
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]904netdutils::Status XfrmController::allocateSpi(const XfrmSaInfo& record, uint32_t minSpi,
905 uint32_t maxSpi, uint32_t* outSpi,
906 const XfrmSocket& sock) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]907 xfrm_userspi_info spiInfo{};
908
ludie51e3862017-08-15 19:28:12 -0700[diff] [blame]909 enum { NLMSG_HDR, USERSAID, USERSAID_PAD };
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]910
ludie51e3862017-08-15 19:28:12 -0700[diff] [blame]911 std::vector<iovec> iov = {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]912 {NULL, 0}, // reserved for the eventual addition of a NLMSG_HDR
913 {&spiInfo, 0}, // main userspi_info struct
914 {kPadBytes, 0}, // up to NLMSG_ALIGNTO pad bytes of padding
915 };
916
917 int len;
918 if (fillUserSaInfo(record, &spiInfo.info) == 0) {
919 ALOGE("Failed to fill transport SA Info");
920 }
921
922 len = iov[USERSAID].iov_len = sizeof(spiInfo);
923 iov[USERSAID_PAD].iov_len = NLMSG_ALIGN(len) - len;
924
925 RandomSpi spiGen = RandomSpi(minSpi, maxSpi);
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]926 int spi;
927 netdutils::Status ret;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]928 while ((spi = spiGen.next()) != INVALID_SPI) {
929 spiInfo.min = spi;
930 spiInfo.max = spi;
ludie51e3862017-08-15 19:28:12 -0700[diff] [blame]931 ret = sock.sendMessage(XFRM_MSG_ALLOCSPI, NETLINK_REQUEST_FLAGS, 0, &iov);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]932
933 /* If the SPI is in use, we'll get ENOENT */
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]934 if (netdutils::equalToErrno(ret, ENOENT))
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]935 continue;
936
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]937 if (isOk(ret)) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]938 *outSpi = spi;
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]939 ALOGD("Allocated an SPI: %x", *outSpi);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]940 } else {
941 *outSpi = INVALID_SPI;
ludi6e8eccd2017-08-14 14:40:37 -0700[diff] [blame]942 ALOGE("SPI Allocation Failed with error %d", ret.code());
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]943 }
944
945 return ret;
946 }
947
948 // Should always be -ENOENT if we get here
949 return ret;
950}
951
ludi771b8002017-11-20 15:09:05 -0800[diff] [blame^]952netdutils::Status XfrmController::updateTunnelModeSecurityPolicy(const XfrmSaInfo& record,
953 const XfrmSocket& sock,
954 XfrmDirection direction,
955 uint16_t msgType) {
956 xfrm_userpolicy_info userpolicy{};
957 nlattr_user_tmpl usertmpl{};
958
959 enum {
960 NLMSG_HDR,
961 USERPOLICY,
962 USERPOLICY_PAD,
963 USERTMPL,
964 USERTMPL_PAD,
965 };
966
967 std::vector<iovec> iov = {
968 {NULL, 0}, // reserved for the eventual addition of a NLMSG_HDR
969 {&userpolicy, 0}, // main xfrm_userpolicy_info struct
970 {kPadBytes, 0}, // up to NLMSG_ALIGNTO pad bytes of padding
971 {&usertmpl, 0}, // adjust size if xfrm_user_tmpl struct is present
972 {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes
973 };
974
975 int len;
976 len = iov[USERPOLICY].iov_len = fillTransportModeUserSpInfo(record, direction, &userpolicy);
977 iov[USERPOLICY_PAD].iov_len = NLMSG_ALIGN(len) - len;
978
979 len = iov[USERTMPL].iov_len = fillNlAttrUserTemplate(record, &usertmpl);
980 iov[USERTMPL_PAD].iov_len = NLA_ALIGN(len) - len;
981
982 return sock.sendMessage(msgType, NETLINK_REQUEST_FLAGS, 0, &iov);
983}
984
985netdutils::Status XfrmController::deleteTunnelModeSecurityPolicy(const XfrmSaInfo& record,
986 const XfrmSocket& sock,
987 XfrmDirection direction) {
988 xfrm_userpolicy_id policyid{};
989
990 enum {
991 NLMSG_HDR,
992 USERPOLICYID,
993 USERPOLICYID_PAD,
994 };
995
996 std::vector<iovec> iov = {
997 {NULL, 0}, // reserved for the eventual addition of a NLMSG_HDR
998 {&policyid, 0}, // main xfrm_userpolicy_id struct
999 {kPadBytes, 0}, // up to NLMSG_ALIGNTO pad bytes of padding
1000 };
1001
1002 int len = iov[USERPOLICYID].iov_len = fillUserPolicyId(record, direction, &policyid);
1003 iov[USERPOLICYID_PAD].iov_len = NLMSG_ALIGN(len) - len;
1004
1005 return sock.sendMessage(XFRM_MSG_DELPOLICY, NETLINK_REQUEST_FLAGS, 0, &iov);
1006}
1007
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]1008int XfrmController::fillTransportModeUserSpInfo(const XfrmSaInfo& record, XfrmDirection direction,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]1009 xfrm_userpolicy_info* usersp) {
ludi771b8002017-11-20 15:09:05 -0800[diff] [blame^]1010 fillXfrmSelector(record, &usersp->sel);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]1011 fillXfrmLifetimeDefaults(&usersp->lft);
1012 fillXfrmCurLifetimeDefaults(&usersp->curlft);
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]1013 /* if (index) index & 0x3 == dir -- must be true
1014 * xfrm_user.c:verify_newpolicy_info() */
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]1015 usersp->index = 0;
Nathan Haroldda54f122018-01-09 16:42:57 -0800[diff] [blame]1016 usersp->dir = static_cast<uint8_t>(direction);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]1017 usersp->action = XFRM_POLICY_ALLOW;
1018 usersp->flags = XFRM_POLICY_LOCALOK;
1019 usersp->share = XFRM_SHARE_UNIQUE;
1020 return sizeof(*usersp);
1021}
1022
1023int XfrmController::fillUserTemplate(const XfrmSaInfo& record, xfrm_user_tmpl* tmpl) {
1024 tmpl->id.daddr = record.dstAddr;
1025 tmpl->id.spi = record.spi;
1026 tmpl->id.proto = IPPROTO_ESP;
1027
1028 tmpl->family = record.addrFamily;
1029 tmpl->saddr = record.srcAddr;
1030 tmpl->reqid = record.transformId;
1031 tmpl->mode = static_cast<uint8_t>(record.mode);
1032 tmpl->share = XFRM_SHARE_UNIQUE;
1033 tmpl->optional = 0; // if this is true, then a failed state lookup will be considered OK:
1034 // http://lxr.free-electrons.com/source/net/xfrm/xfrm_policy.c#L1492
1035 tmpl->aalgos = ALGO_MASK_AUTH_ALL; // TODO: if there's a bitmask somewhere of
1036 // algos, we should find it and apply it.
1037 // I can't find one.
1038 tmpl->ealgos = ALGO_MASK_CRYPT_ALL; // TODO: if there's a bitmask somewhere...
ludi771b8002017-11-20 15:09:05 -0800[diff] [blame^]1039 return sizeof(xfrm_user_tmpl*);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]1040}
1041
ludi771b8002017-11-20 15:09:05 -0800[diff] [blame^]1042int XfrmController::fillNlAttrUserTemplate(const XfrmSaInfo& record, nlattr_user_tmpl* tmpl) {
1043 fillUserTemplate(record, &tmpl->tmpl);
1044
1045 int len = NLA_HDRLEN + sizeof(xfrm_user_tmpl);
1046 fillXfrmNlaHdr(&tmpl->hdr, XFRMA_TMPL, len);
1047 return len;
1048}
1049
1050int XfrmController::fillUserPolicyId(const XfrmSaInfo& record, XfrmDirection direction,
1051 xfrm_userpolicy_id* usersp) {
1052 // For DELPOLICY, when index is absent, selector is needed to match the policy
1053 fillXfrmSelector(record, &usersp->sel);
1054 usersp->dir = static_cast<uint8_t>(direction);
1055 return sizeof(*usersp);
1056}
1057
1058
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]1059} // namespace net
1060} // namespace android