Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / 43f1c3c5e9d5b76e4c776bce3e8a80d8f1bd370d / . / server / XfrmController.cpp
blob: ea6f696956e97f97f60086e0d795640bf5ff0f49 [file] [log] [blame]
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]1/*
2 *
3 * Copyright (C) 2017 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18#include <string>
19#include <vector>
20
21#include <ctype.h>
22#include <errno.h>
23#include <fcntl.h>
24#include <getopt.h>
25#include <stdio.h>
26#include <stdlib.h>
27#include <string.h>
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]28
29#define __STDC_FORMAT_MACROS
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]30#include <inttypes.h>
31
32#include <arpa/inet.h>
33#include <netinet/in.h>
34
35#include <sys/socket.h>
36#include <sys/stat.h>
37#include <sys/types.h>
38#include <sys/wait.h>
39
40#include <linux/in.h>
41#include <linux/netlink.h>
42#include <linux/xfrm.h>
43
44#include "android-base/stringprintf.h"
45#include "android-base/strings.h"
46#include "android-base/unique_fd.h"
47#define LOG_TAG "XfrmController"
48#include "NetdConstants.h"
49#include "NetlinkCommands.h"
50#include "ResponseCode.h"
51#include "XfrmController.h"
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]52#include "netdutils/Fd.h"
53#include "netdutils/Slice.h"
54#include "netdutils/Syscalls.h"
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]55#include <cutils/log.h>
56#include <cutils/properties.h>
57#include <logwrap/logwrap.h>
58
59#define VDBG 1 // STOPSHIP if true
60
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]61using android::netdutils::Fd;
62using android::netdutils::Slice;
63using android::netdutils::Status;
64using android::netdutils::StatusOr;
65using android::netdutils::Syscalls;
66
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]67namespace android {
68namespace net {
69
Nathan Harold39b5df42017-08-02 18:45:25 -0700[diff] [blame]70// Exposed for testing
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]71constexpr uint32_t ALGO_MASK_AUTH_ALL = ~0;
Nathan Harold39b5df42017-08-02 18:45:25 -0700[diff] [blame]72// Exposed for testing
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]73constexpr uint32_t ALGO_MASK_CRYPT_ALL = ~0;
Nathan Harold39b5df42017-08-02 18:45:25 -0700[diff] [blame]74// Exposed for testing
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]75constexpr uint8_t REPLAY_WINDOW_SIZE = 4;
76
Nathan Harold39b5df42017-08-02 18:45:25 -0700[diff] [blame]77namespace {
78
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]79constexpr uint32_t RAND_SPI_MIN = 1;
80constexpr uint32_t RAND_SPI_MAX = 0xFFFFFFFE;
81
82constexpr uint32_t INVALID_SPI = 0;
83
84#define XFRM_MSG_TRANS(x) \
85 case x: \
86 return #x;
87
88const char* xfrmMsgTypeToString(uint16_t msg) {
89 switch (msg) {
90 XFRM_MSG_TRANS(XFRM_MSG_NEWSA)
91 XFRM_MSG_TRANS(XFRM_MSG_DELSA)
92 XFRM_MSG_TRANS(XFRM_MSG_GETSA)
93 XFRM_MSG_TRANS(XFRM_MSG_NEWPOLICY)
94 XFRM_MSG_TRANS(XFRM_MSG_DELPOLICY)
95 XFRM_MSG_TRANS(XFRM_MSG_GETPOLICY)
96 XFRM_MSG_TRANS(XFRM_MSG_ALLOCSPI)
97 XFRM_MSG_TRANS(XFRM_MSG_ACQUIRE)
98 XFRM_MSG_TRANS(XFRM_MSG_EXPIRE)
99 XFRM_MSG_TRANS(XFRM_MSG_UPDPOLICY)
100 XFRM_MSG_TRANS(XFRM_MSG_UPDSA)
101 XFRM_MSG_TRANS(XFRM_MSG_POLEXPIRE)
102 XFRM_MSG_TRANS(XFRM_MSG_FLUSHSA)
103 XFRM_MSG_TRANS(XFRM_MSG_FLUSHPOLICY)
104 XFRM_MSG_TRANS(XFRM_MSG_NEWAE)
105 XFRM_MSG_TRANS(XFRM_MSG_GETAE)
106 XFRM_MSG_TRANS(XFRM_MSG_REPORT)
107 XFRM_MSG_TRANS(XFRM_MSG_MIGRATE)
108 XFRM_MSG_TRANS(XFRM_MSG_NEWSADINFO)
109 XFRM_MSG_TRANS(XFRM_MSG_GETSADINFO)
110 XFRM_MSG_TRANS(XFRM_MSG_GETSPDINFO)
111 XFRM_MSG_TRANS(XFRM_MSG_NEWSPDINFO)
112 XFRM_MSG_TRANS(XFRM_MSG_MAPPING)
113 default:
114 return "XFRM_MSG UNKNOWN";
115 }
116}
117
118// actually const but cannot be declared as such for reasons
119uint8_t kPadBytesArray[] = {0, 0, 0};
120void* kPadBytes = static_cast<void*>(kPadBytesArray);
121
122#if VDBG
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]123#define LOG_HEX(__desc16__, __buf__, __len__) \
124 do { \
125 logHex(__desc16__, __buf__, __len__); \
126 } while (0)
127#define LOG_IOV(__iov__, __iov_len__) \
128 do { \
129 logIov(__iov__, __iov_len__); \
130 } while (0)
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]131
132void logHex(const char* desc16, const char* buf, size_t len) {
133 char* printBuf = new char[len * 2 + 1 + 26]; // len->ascii, +newline, +prefix strlen
134 int offset = 0;
135 if (desc16) {
136 sprintf(printBuf, "{%-16s}", desc16);
137 offset += 18; // prefix string length
138 }
139 sprintf(printBuf + offset, "[%4.4u]: ", (len > 9999) ? 9999 : (unsigned)len);
140 offset += 8;
141
142 for (uint32_t j = 0; j < (uint32_t)len; j++) {
143 sprintf(&printBuf[j * 2 + offset], "%0.2x", buf[j]);
144 }
145 ALOGD("%s", printBuf);
146 delete[] printBuf;
147}
148
149void logIov(const iovec* iov, size_t iovLen) {
150 for (uint32_t i = 0; i < (uint32_t)iovLen; i++) {
151 const iovec* row = &iov[i];
152 logHex(0, reinterpret_cast<char*>(row->iov_base), row->iov_len);
153 }
154}
155
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]156inline Syscalls& getSyscallInstance() { return netdutils::sSyscalls.get(); }
157
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]158#else
159#define LOG_HEX(__desc16__, __buf__, __len__)
160#define LOG_IOV(__iov__, __iov_len__)
161#endif
162
163class XfrmSocketImpl : public XfrmSocket {
164private:
165 static constexpr int NLMSG_DEFAULTSIZE = 8192;
166
167 union NetlinkResponse {
168 nlmsghdr hdr;
169 struct _err_ {
170 nlmsghdr hdr;
171 nlmsgerr err;
172 } err;
173
174 struct _buf_ {
175 nlmsghdr hdr;
176 char buf[NLMSG_DEFAULTSIZE];
177 } buf;
178 };
179
180public:
181 virtual bool open() {
182 mSock = openNetlinkSocket(NETLINK_XFRM);
183 if (mSock <= 0) {
184 ALOGW("Could not get a new socket, line=%d", __LINE__);
185 return false;
186 }
187
188 return true;
189 }
190
191 static int validateResponse(NetlinkResponse response, size_t len) {
192 if (len < sizeof(nlmsghdr)) {
193 ALOGW("Invalid response message received over netlink");
194 return -EBADMSG;
195 }
196
197 switch (response.hdr.nlmsg_type) {
198 case NLMSG_NOOP:
199 case NLMSG_DONE:
200 return 0;
201 case NLMSG_OVERRUN:
202 ALOGD("Netlink request overran kernel buffer");
203 return -EBADMSG;
204 case NLMSG_ERROR:
205 if (len < sizeof(NetlinkResponse::_err_)) {
206 ALOGD("Netlink message received malformed error response");
207 return -EBADMSG;
208 }
209 return response.err.err.error; // Netlink errors are negative errno.
210 case XFRM_MSG_NEWSA:
211 break;
212 }
213
214 if (response.hdr.nlmsg_type < XFRM_MSG_BASE /*== NLMSG_MIN_TYPE*/ ||
215 response.hdr.nlmsg_type > XFRM_MSG_MAX) {
216 ALOGD("Netlink message responded with an out-of-range message ID");
217 return -EBADMSG;
218 }
219
220 // TODO Add more message validation here
221 return 0;
222 }
223
224 virtual int sendMessage(uint16_t nlMsgType, uint16_t nlMsgFlags, uint16_t nlMsgSeqNum,
225 iovec* iov, int iovLen) const {
226 nlmsghdr nlMsg = {
227 .nlmsg_type = nlMsgType, .nlmsg_flags = nlMsgFlags, .nlmsg_seq = nlMsgSeqNum,
228 };
229
230 iov[0].iov_base = &nlMsg;
Nathan Harolde2dd4c72017-04-19 11:09:11 -0700[diff] [blame]231 iov[0].iov_len = NLMSG_HDRLEN;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]232 for (int i = 0; i < iovLen; ++i) {
233 nlMsg.nlmsg_len += iov[i].iov_len;
234 }
235
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]236 // TODO: Should use std::vector<iovec> from the beginning, should
237 // replace the iovec array declaration with an iovec vector declaration
238 // in other places of the program.
239 // This line should be removed when the parameter of sendMessage is
240 // changed to use iovev vector.
241 const std::vector<iovec> iovs(iov, iov + iovLen);
242
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]243 ALOGD("Sending Netlink XFRM Message: %s", xfrmMsgTypeToString(nlMsgType));
244 if (VDBG)
245 LOG_IOV(iov, iovLen);
246
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]247 StatusOr<size_t> writeResult = getSyscallInstance().writev(mSock, iovs);
248 if (!isOk(writeResult)) {
249 ALOGE("netlink socket writev failed (%s)", toString(writeResult).c_str());
250 return -writeResult.status().code();
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]251 }
252
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]253 if (nlMsg.nlmsg_len != writeResult.value()) {
254 ALOGE("Invalid netlink message length sent %d", static_cast<int>(writeResult.value()));
255 return -EBADMSG;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]256 }
257
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]258 NetlinkResponse response = {};
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]259
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]260 StatusOr<Slice> readResult =
261 getSyscallInstance().read(Fd(mSock), netdutils::makeSlice(response));
262 if (!isOk(readResult)) {
263 ALOGE("netlink response error (%s)", toString(readResult).c_str());
264 return -readResult.status().code();
265 }
266
267 LOG_HEX("netlink msg resp", reinterpret_cast<char*>(readResult.value().base()),
268 readResult.value().size());
269
270 int retNum = validateResponse(response, readResult.value().size());
271 if (retNum < 0)
272 ALOGE("netlink response contains error (%s)", strerror(-retNum));
273 return retNum;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]274 }
275};
276
277int convertToXfrmAddr(const std::string& strAddr, xfrm_address_t* xfrmAddr) {
278 if (strAddr.length() == 0) {
279 memset(xfrmAddr, 0, sizeof(*xfrmAddr));
280 return AF_UNSPEC;
281 }
282
283 if (inet_pton(AF_INET6, strAddr.c_str(), reinterpret_cast<void*>(xfrmAddr))) {
284 return AF_INET6;
285 } else if (inet_pton(AF_INET, strAddr.c_str(), reinterpret_cast<void*>(xfrmAddr))) {
286 return AF_INET;
287 } else {
288 return -EAFNOSUPPORT;
289 }
290}
291
292void fillXfrmNlaHdr(nlattr* hdr, uint16_t type, uint16_t len) {
293 hdr->nla_type = type;
294 hdr->nla_len = len;
295}
296
297void fillXfrmCurLifetimeDefaults(xfrm_lifetime_cur* cur) {
298 memset(reinterpret_cast<char*>(cur), 0, sizeof(*cur));
299}
300void fillXfrmLifetimeDefaults(xfrm_lifetime_cfg* cfg) {
301 cfg->soft_byte_limit = XFRM_INF;
302 cfg->hard_byte_limit = XFRM_INF;
303 cfg->soft_packet_limit = XFRM_INF;
304 cfg->hard_packet_limit = XFRM_INF;
305}
306
307/*
308 * Allocate SPIs within an (inclusive) range of min-max.
309 * returns 0 (INVALID_SPI) once the entire range has been parsed.
310 */
311class RandomSpi {
312public:
313 RandomSpi(int min, int max) : mMin(min) {
314 time_t t;
315 srand((unsigned int)time(&t));
316 // TODO: more random random
317 mNext = rand();
318 mSize = max - min + 1;
319 mCount = mSize;
320 }
321
322 uint32_t next() {
323 if (!mCount)
324 return 0;
325 mCount--;
326 return (mNext++ % mSize) + mMin;
327 }
328
329private:
330 uint32_t mNext;
331 uint32_t mSize;
332 uint32_t mMin;
333 uint32_t mCount;
334};
335
336} // namespace
337
338//
339// Begin XfrmController Impl
340//
341//
342XfrmController::XfrmController(void) {}
343
344int XfrmController::ipSecAllocateSpi(int32_t transformId, int32_t direction,
345 const std::string& localAddress,
346 const std::string& remoteAddress, int32_t inSpi,
347 int32_t* outSpi) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]348 ALOGD("XfrmController:%s, line=%d", __FUNCTION__, __LINE__);
349 ALOGD("transformId=%d", transformId);
350 ALOGD("direction=%d", direction);
351 ALOGD("localAddress=%s", localAddress.c_str());
352 ALOGD("remoteAddress=%s", remoteAddress.c_str());
353 ALOGD("inSpi=%0.8x", inSpi);
354
355 XfrmSaInfo saInfo{};
356 int ret;
357
358 if ((ret = fillXfrmSaId(direction, localAddress, remoteAddress, INVALID_SPI, &saInfo)) < 0) {
359 return ret;
360 }
361
362 XfrmSocketImpl sock;
363 if (!sock.open()) {
364 ALOGD("Sock open failed for XFRM, line=%d", __LINE__);
365 return -1; // TODO: return right error; for whatever reason the sock
366 // failed to open
367 }
368
369 int minSpi = RAND_SPI_MIN, maxSpi = RAND_SPI_MAX;
370
371 if (inSpi)
372 minSpi = maxSpi = inSpi;
373 ret = allocateSpi(saInfo, minSpi, maxSpi, reinterpret_cast<uint32_t*>(outSpi), sock);
374 if (ret < 0) {
375 ALOGD("Failed to Allocate an SPI, line=%d", __LINE__);
376 *outSpi = INVALID_SPI;
377 }
378
379 return ret;
380}
381
382int XfrmController::ipSecAddSecurityAssociation(
383 int32_t transformId, int32_t mode, int32_t direction, const std::string& localAddress,
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]384 const std::string& remoteAddress, int64_t underlyingNetworkHandle, int32_t spi,
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]385 const std::string& authAlgo, const std::vector<uint8_t>& authKey, int32_t authTruncBits,
386 const std::string& cryptAlgo, const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits,
ludiec836052017-05-20 14:17:05 -0700[diff] [blame]387 int32_t encapType, int32_t encapLocalPort, int32_t encapRemotePort) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]388 android::RWLock::AutoWLock lock(mLock);
389
390 ALOGD("XfrmController::%s, line=%d", __FUNCTION__, __LINE__);
391 ALOGD("transformId=%d", transformId);
392 ALOGD("mode=%d", mode);
393 ALOGD("direction=%d", direction);
394 ALOGD("localAddress=%s", localAddress.c_str());
395 ALOGD("remoteAddress=%s", remoteAddress.c_str());
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]396 ALOGD("underlyingNetworkHandle=%" PRIx64, underlyingNetworkHandle);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]397 ALOGD("spi=%0.8x", spi);
398 ALOGD("authAlgo=%s", authAlgo.c_str());
399 ALOGD("authTruncBits=%d", authTruncBits);
400 ALOGD("cryptAlgo=%s", cryptAlgo.c_str());
401 ALOGD("cryptTruncBits=%d,", cryptTruncBits);
402 ALOGD("encapType=%d", encapType);
403 ALOGD("encapLocalPort=%d", encapLocalPort);
404 ALOGD("encapRemotePort=%d", encapRemotePort);
405
406 XfrmSaInfo saInfo{};
407 int ret;
408
409 if ((ret = fillXfrmSaId(direction, localAddress, remoteAddress, spi, &saInfo)) < 0) {
410 return ret;
411 }
412
413 saInfo.transformId = transformId;
414
415 // STOPSHIP : range check the key lengths to prevent puncturing and overflow
416 saInfo.auth = XfrmAlgo{
417 .name = authAlgo, .key = authKey, .truncLenBits = static_cast<uint16_t>(authTruncBits)};
418
419 saInfo.crypt = XfrmAlgo{
420 .name = cryptAlgo, .key = cryptKey, .truncLenBits = static_cast<uint16_t>(cryptTruncBits)};
421
422 saInfo.direction = static_cast<XfrmDirection>(direction);
423
424 switch (static_cast<XfrmMode>(mode)) {
425 case XfrmMode::TRANSPORT:
426 case XfrmMode::TUNNEL:
427 saInfo.mode = static_cast<XfrmMode>(mode);
428 break;
429 default:
430 return -EINVAL;
431 }
432
433 XfrmSocketImpl sock;
434 if (!sock.open()) {
435 ALOGD("Sock open failed for XFRM, line=%d", __LINE__);
436 return -1; // TODO: return right error; for whatever reason the sock
437 // failed to open
438 }
439
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]440 switch (static_cast<XfrmEncapType>(encapType)) {
441 case XfrmEncapType::ESPINUDP:
442 case XfrmEncapType::ESPINUDP_NON_IKE:
443 if (saInfo.addrFamily != AF_INET) {
444 return -EAFNOSUPPORT;
445 }
446 switch (saInfo.direction) {
447 case XfrmDirection::IN:
448 saInfo.encap.srcPort = encapRemotePort;
449 saInfo.encap.dstPort = encapLocalPort;
450 break;
451 case XfrmDirection::OUT:
452 saInfo.encap.srcPort = encapLocalPort;
453 saInfo.encap.dstPort = encapRemotePort;
454 break;
455 default:
456 return -EINVAL;
457 }
458 // fall through
459 case XfrmEncapType::NONE:
460 saInfo.encap.type = static_cast<XfrmEncapType>(encapType);
461 break;
462 default:
463 return -EINVAL;
464 }
465
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]466 ret = createTransportModeSecurityAssociation(saInfo, sock);
467 if (ret < 0) {
468 ALOGD("Failed creating a Security Association, line=%d", __LINE__);
469 return ret; // something went wrong creating the SA
470 }
471
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]472 return 0;
473}
474
475int XfrmController::ipSecDeleteSecurityAssociation(int32_t transformId, int32_t direction,
476 const std::string& localAddress,
477 const std::string& remoteAddress, int32_t spi) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]478 ALOGD("XfrmController:%s, line=%d", __FUNCTION__, __LINE__);
479 ALOGD("transformId=%d", transformId);
480 ALOGD("direction=%d", direction);
481 ALOGD("localAddress=%s", localAddress.c_str());
482 ALOGD("remoteAddress=%s", remoteAddress.c_str());
483 ALOGD("spi=%0.8x", spi);
484
485 XfrmSaId saId;
486 int ret;
487
488 if ((ret = fillXfrmSaId(direction, localAddress, remoteAddress, spi, &saId)) < 0) {
489 return ret;
490 }
491
492 XfrmSocketImpl sock;
493 if (!sock.open()) {
494 ALOGD("Sock open failed for XFRM, line=%d", __LINE__);
495 return -1; // TODO: return right error; for whatever reason the sock
496 // failed to open
497 }
498
499 ret = deleteSecurityAssociation(saId, sock);
500 if (ret < 0) {
501 ALOGD("Failed to delete Security Association, line=%d", __LINE__);
502 return ret; // something went wrong deleting the SA
503 }
504
505 return ret;
506}
507
508int XfrmController::fillXfrmSaId(int32_t direction, const std::string& localAddress,
509 const std::string& remoteAddress, int32_t spi, XfrmSaId* xfrmId) {
510 xfrm_address_t localXfrmAddr{}, remoteXfrmAddr{};
511
512 int addrFamilyLocal, addrFamilyRemote;
513 addrFamilyRemote = convertToXfrmAddr(remoteAddress, &remoteXfrmAddr);
514 addrFamilyLocal = convertToXfrmAddr(localAddress, &localXfrmAddr);
515 if (addrFamilyRemote < 0 || addrFamilyLocal < 0) {
516 return -EINVAL;
517 }
518
519 if (addrFamilyRemote == AF_UNSPEC ||
520 (addrFamilyLocal != AF_UNSPEC && addrFamilyLocal != addrFamilyRemote)) {
521 ALOGD("Invalid or Mismatched Address Families, %d != %d, line=%d", addrFamilyLocal,
522 addrFamilyRemote, __LINE__);
523 return -EINVAL;
524 }
525
526 xfrmId->addrFamily = addrFamilyRemote;
527
528 xfrmId->spi = htonl(spi);
529
530 switch (static_cast<XfrmDirection>(direction)) {
531 case XfrmDirection::IN:
532 xfrmId->dstAddr = localXfrmAddr;
533 xfrmId->srcAddr = remoteXfrmAddr;
534 break;
535
536 case XfrmDirection::OUT:
537 xfrmId->dstAddr = remoteXfrmAddr;
538 xfrmId->srcAddr = localXfrmAddr;
539 break;
540
541 default:
542 ALOGD("Invalid XFRM direction, line=%d", __LINE__);
543 // Invalid direction for Transport mode transform: time to bail
544 return -EINVAL;
545 }
546 return 0;
547}
548
549int XfrmController::ipSecApplyTransportModeTransform(const android::base::unique_fd& socket,
550 int32_t transformId, int32_t direction,
551 const std::string& localAddress,
552 const std::string& remoteAddress,
553 int32_t spi) {
554 ALOGD("XfrmController::%s, line=%d", __FUNCTION__, __LINE__);
555 ALOGD("transformId=%d", transformId);
556 ALOGD("direction=%d", direction);
557 ALOGD("localAddress=%s", localAddress.c_str());
558 ALOGD("remoteAddress=%s", remoteAddress.c_str());
559 ALOGD("spi=%0.8x", spi);
560
561 struct sockaddr_storage saddr;
562
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]563 int err;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]564
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]565 StatusOr<sockaddr_storage> ret = getSyscallInstance().getsockname<sockaddr_storage>(Fd(socket));
566 if (!isOk(ret)) {
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]567 ALOGE("Failed to get socket info in %s", __FUNCTION__);
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]568 return -ret.status().code();
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]569 }
570
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]571 saddr = ret.value();
572
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]573 XfrmSaInfo saInfo{};
574 saInfo.transformId = transformId;
575 saInfo.direction = static_cast<XfrmDirection>(direction);
576 saInfo.spi = spi;
577
578 if ((err = fillXfrmSaId(direction, localAddress, remoteAddress, spi, &saInfo)) < 0) {
579 ALOGE("Couldn't build SA ID %s", __FUNCTION__);
580 return -err;
581 }
582
583 if (saInfo.addrFamily != saddr.ss_family) {
584 ALOGE("Transform address family(%d) differs from socket address "
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]585 "family(%d)!",
586 saInfo.addrFamily, saddr.ss_family);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]587 return -EINVAL;
588 }
589
590 struct {
591 xfrm_userpolicy_info info;
592 xfrm_user_tmpl tmpl;
593 } policy{};
594
595 fillTransportModeUserSpInfo(saInfo, &policy.info);
596 fillUserTemplate(saInfo, &policy.tmpl);
597
598 LOG_HEX("XfrmUserPolicy", reinterpret_cast<char*>(&policy), sizeof(policy));
599
600 int sockOpt, sockLayer;
601 switch (saInfo.addrFamily) {
602 case AF_INET:
603 sockOpt = IP_XFRM_POLICY;
604 sockLayer = SOL_IP;
605 break;
606 case AF_INET6:
607 sockOpt = IPV6_XFRM_POLICY;
608 sockLayer = SOL_IPV6;
609 break;
610 default:
611 return -EAFNOSUPPORT;
612 }
613
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]614 Status status = getSyscallInstance().setsockopt(Fd(socket), sockLayer, sockOpt, policy);
615 if (!isOk(status)) {
616 ALOGE("Error setting socket option for XFRM! (%s)", toString(status).c_str());
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]617 }
ludi4072ff22017-06-15 08:56:52 -0700[diff] [blame]618 return -status.code();
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]619}
620
621int XfrmController::ipSecRemoveTransportModeTransform(const android::base::unique_fd& socket) {
622 (void)socket;
623 return 0;
624}
625
626void XfrmController::fillTransportModeSelector(const XfrmSaInfo& record, xfrm_selector* selector) {
627 selector->family = record.addrFamily;
628 selector->proto = AF_UNSPEC; // TODO: do we need to match the protocol? it's
629 // possible via the socket
630 selector->ifindex = record.netId; // TODO : still need to sort this out
631}
632
633int XfrmController::createTransportModeSecurityAssociation(const XfrmSaInfo& record,
634 const XfrmSocket& sock) {
635 xfrm_usersa_info usersa{};
636 nlattr_algo_crypt crypt{};
637 nlattr_algo_auth auth{};
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]638 nlattr_encap_tmpl encap{};
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]639
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]640 enum {
641 NLMSG_HDR,
642 USERSA,
643 USERSA_PAD,
644 CRYPT,
645 CRYPT_PAD,
646 AUTH,
647 AUTH_PAD,
648 ENCAP,
649 ENCAP_PAD,
650 iovLen
651 };
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]652
653 iovec iov[] = {
654 {NULL, 0}, // reserved for the eventual addition of a NLMSG_HDR
655 {&usersa, 0}, // main usersa_info struct
656 {kPadBytes, 0}, // up to NLMSG_ALIGNTO pad bytes of padding
657 {&crypt, 0}, // adjust size if crypt algo is present
658 {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes
659 {&auth, 0}, // adjust size if auth algo is present
660 {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]661 {&encap, 0}, // adjust size if auth algo is present
662 {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]663 };
664
665 int len;
666 len = iov[USERSA].iov_len = fillUserSaInfo(record, &usersa);
667 iov[USERSA_PAD].iov_len = NLMSG_ALIGN(len) - len;
668
669 len = iov[CRYPT].iov_len = fillNlAttrXfrmAlgoEnc(record.crypt, &crypt);
670 iov[CRYPT_PAD].iov_len = NLA_ALIGN(len) - len;
671
672 len = iov[AUTH].iov_len = fillNlAttrXfrmAlgoAuth(record.auth, &auth);
673 iov[AUTH_PAD].iov_len = NLA_ALIGN(len) - len;
674
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]675 len = iov[ENCAP].iov_len = fillNlAttrXfrmEncapTmpl(record, &encap);
676 iov[ENCAP_PAD].iov_len = NLA_ALIGN(len) - len;
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]677 return sock.sendMessage(XFRM_MSG_UPDSA, NETLINK_REQUEST_FLAGS, 0, iov, iovLen);
678}
679
680int XfrmController::fillNlAttrXfrmAlgoEnc(const XfrmAlgo& inAlgo, nlattr_algo_crypt* algo) {
681 int len = NLA_HDRLEN + sizeof(xfrm_algo);
682 strncpy(algo->crypt.alg_name, inAlgo.name.c_str(), sizeof(algo->crypt.alg_name));
683 algo->crypt.alg_key_len = inAlgo.key.size() * 8; // bits
684 memcpy(algo->key, &inAlgo.key[0], inAlgo.key.size()); // FIXME :safety checks
685 len += inAlgo.key.size();
686 fillXfrmNlaHdr(&algo->hdr, XFRMA_ALG_CRYPT, len);
687 return len;
688}
689
690int XfrmController::fillNlAttrXfrmAlgoAuth(const XfrmAlgo& inAlgo, nlattr_algo_auth* algo) {
691 int len = NLA_HDRLEN + sizeof(xfrm_algo_auth);
692 strncpy(algo->auth.alg_name, inAlgo.name.c_str(), sizeof(algo->auth.alg_name));
693 algo->auth.alg_key_len = inAlgo.key.size() * 8; // bits
694
695 // This is the extra field for ALG_AUTH_TRUNC
696 algo->auth.alg_trunc_len = inAlgo.truncLenBits;
697
698 memcpy(algo->key, &inAlgo.key[0], inAlgo.key.size()); // FIXME :safety checks
699 len += inAlgo.key.size();
700
701 fillXfrmNlaHdr(&algo->hdr, XFRMA_ALG_AUTH_TRUNC, len);
702 return len;
703}
704
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]705int XfrmController::fillNlAttrXfrmEncapTmpl(const XfrmSaInfo& record, nlattr_encap_tmpl* tmpl) {
706 if (record.encap.type == XfrmEncapType::NONE) {
707 return 0;
708 }
709
710 int len = NLA_HDRLEN + sizeof(xfrm_encap_tmpl);
711 tmpl->tmpl.encap_type = static_cast<uint16_t>(record.encap.type);
712 tmpl->tmpl.encap_sport = htons(record.encap.srcPort);
713 tmpl->tmpl.encap_dport = htons(record.encap.dstPort);
714 fillXfrmNlaHdr(&tmpl->hdr, XFRMA_ENCAP, len);
715 return len;
716}
717
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]718int XfrmController::fillUserSaInfo(const XfrmSaInfo& record, xfrm_usersa_info* usersa) {
719 fillTransportModeSelector(record, &usersa->sel);
720
721 usersa->id.proto = IPPROTO_ESP;
722 usersa->id.spi = record.spi;
723 usersa->id.daddr = record.dstAddr;
724
725 usersa->saddr = record.srcAddr;
726
727 fillXfrmLifetimeDefaults(&usersa->lft);
728 fillXfrmCurLifetimeDefaults(&usersa->curlft);
729 memset(&usersa->stats, 0, sizeof(usersa->stats)); // leave stats zeroed out
730 usersa->reqid = record.transformId;
731 usersa->family = record.addrFamily;
732 usersa->mode = static_cast<uint8_t>(record.mode);
733 usersa->replay_window = REPLAY_WINDOW_SIZE;
734 usersa->flags = 0; // TODO: should we actually set flags, XFRM_SA_XFLAG_DONT_ENCAP_DSCP?
735 return sizeof(*usersa);
736}
737
738int XfrmController::fillUserSaId(const XfrmSaId& record, xfrm_usersa_id* said) {
739 said->daddr = record.dstAddr;
740 said->spi = record.spi;
741 said->family = record.addrFamily;
742 said->proto = IPPROTO_ESP;
743
744 return sizeof(*said);
745}
746
747int XfrmController::deleteSecurityAssociation(const XfrmSaId& record, const XfrmSocket& sock) {
748 xfrm_usersa_id said{};
749
750 enum { NLMSG_HDR, USERSAID, USERSAID_PAD, iovLen };
751
752 iovec iov[] = {
753 {NULL, 0}, // reserved for the eventual addition of a NLMSG_HDR
754 {&said, 0}, // main usersa_info struct
755 {kPadBytes, 0}, // up to NLMSG_ALIGNTO pad bytes of padding
756 };
757
758 int len;
759 len = iov[USERSAID].iov_len = fillUserSaId(record, &said);
760 iov[USERSAID_PAD].iov_len = NLMSG_ALIGN(len) - len;
761
762 return sock.sendMessage(XFRM_MSG_DELSA, NETLINK_REQUEST_FLAGS, 0, iov, iovLen);
763}
764
765int XfrmController::allocateSpi(const XfrmSaInfo& record, uint32_t minSpi, uint32_t maxSpi,
766 uint32_t* outSpi, const XfrmSocket& sock) {
767 xfrm_userspi_info spiInfo{};
768
769 enum { NLMSG_HDR, USERSAID, USERSAID_PAD, iovLen };
770
771 iovec iov[] = {
772 {NULL, 0}, // reserved for the eventual addition of a NLMSG_HDR
773 {&spiInfo, 0}, // main userspi_info struct
774 {kPadBytes, 0}, // up to NLMSG_ALIGNTO pad bytes of padding
775 };
776
777 int len;
778 if (fillUserSaInfo(record, &spiInfo.info) == 0) {
779 ALOGE("Failed to fill transport SA Info");
780 }
781
782 len = iov[USERSAID].iov_len = sizeof(spiInfo);
783 iov[USERSAID_PAD].iov_len = NLMSG_ALIGN(len) - len;
784
785 RandomSpi spiGen = RandomSpi(minSpi, maxSpi);
786 int spi, ret;
787 while ((spi = spiGen.next()) != INVALID_SPI) {
788 spiInfo.min = spi;
789 spiInfo.max = spi;
790 ret = sock.sendMessage(XFRM_MSG_ALLOCSPI, NETLINK_REQUEST_FLAGS, 0, iov, iovLen);
791
792 /* If the SPI is in use, we'll get ENOENT */
793 if (ret == -ENOENT)
794 continue;
795
796 if (ret == 0) {
797 *outSpi = spi;
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]798 ALOGD("Allocated an SPI: %x", *outSpi);
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]799 } else {
800 *outSpi = INVALID_SPI;
801 ALOGE("SPI Allocation Failed with error %d", ret);
802 }
803
804 return ret;
805 }
806
807 // Should always be -ENOENT if we get here
808 return ret;
809}
810
811int XfrmController::fillTransportModeUserSpInfo(const XfrmSaInfo& record,
812 xfrm_userpolicy_info* usersp) {
813 fillTransportModeSelector(record, &usersp->sel);
814 fillXfrmLifetimeDefaults(&usersp->lft);
815 fillXfrmCurLifetimeDefaults(&usersp->curlft);
Nathan Harold420ceac2017-04-05 19:36:59 -0700[diff] [blame]816 /* if (index) index & 0x3 == dir -- must be true
817 * xfrm_user.c:verify_newpolicy_info() */
Nathan Harold1a371532017-01-30 12:30:48 -0800[diff] [blame]818 usersp->index = 0;
819 usersp->dir = static_cast<uint8_t>(record.direction);
820 usersp->action = XFRM_POLICY_ALLOW;
821 usersp->flags = XFRM_POLICY_LOCALOK;
822 usersp->share = XFRM_SHARE_UNIQUE;
823 return sizeof(*usersp);
824}
825
826int XfrmController::fillUserTemplate(const XfrmSaInfo& record, xfrm_user_tmpl* tmpl) {
827 tmpl->id.daddr = record.dstAddr;
828 tmpl->id.spi = record.spi;
829 tmpl->id.proto = IPPROTO_ESP;
830
831 tmpl->family = record.addrFamily;
832 tmpl->saddr = record.srcAddr;
833 tmpl->reqid = record.transformId;
834 tmpl->mode = static_cast<uint8_t>(record.mode);
835 tmpl->share = XFRM_SHARE_UNIQUE;
836 tmpl->optional = 0; // if this is true, then a failed state lookup will be considered OK:
837 // http://lxr.free-electrons.com/source/net/xfrm/xfrm_policy.c#L1492
838 tmpl->aalgos = ALGO_MASK_AUTH_ALL; // TODO: if there's a bitmask somewhere of
839 // algos, we should find it and apply it.
840 // I can't find one.
841 tmpl->ealgos = ALGO_MASK_CRYPT_ALL; // TODO: if there's a bitmask somewhere...
842 return 0;
843}
844
845} // namespace net
846} // namespace android