libnl  3.2.28
sa.c
1 /*
2  * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
3  *
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * Redistributions of source code must retain the above copyright
10  * notice, this list of conditions and the following disclaimer.
11  *
12  * Redistributions in binary form must reproduce the above copyright
13  * notice, this list of conditions and the following disclaimer in the
14  * documentation and/or other materials provided with the
15  * distribution.
16  *
17  * Neither the name of Texas Instruments Incorporated nor the names of
18  * its contributors may be used to endorse or promote products derived
19  * from this software without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
24  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
25  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
26  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
27  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
31  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32  *
33  */
34 
35 /**
36  * @ingroup xfrmnl
37  * @defgroup sa Security Association
38  * @brief
39  */
40 
41 #include <netlink-private/netlink.h>
42 #include <netlink/netlink.h>
43 #include <netlink/cache.h>
44 #include <netlink/object.h>
45 #include <netlink/xfrm/selector.h>
46 #include <netlink/xfrm/lifetime.h>
47 #include <time.h>
48 
49 /** @cond SKIP */
50 #define XFRM_SA_ATTR_SEL 0x01
51 #define XFRM_SA_ATTR_DADDR 0x02
52 #define XFRM_SA_ATTR_SPI 0x04
53 #define XFRM_SA_ATTR_PROTO 0x08
54 #define XFRM_SA_ATTR_SADDR 0x10
55 #define XFRM_SA_ATTR_LTIME_CFG 0x20
56 #define XFRM_SA_ATTR_LTIME_CUR 0x40
57 #define XFRM_SA_ATTR_STATS 0x80
58 #define XFRM_SA_ATTR_SEQ 0x100
59 #define XFRM_SA_ATTR_REQID 0x200
60 #define XFRM_SA_ATTR_FAMILY 0x400
61 #define XFRM_SA_ATTR_MODE 0x800
62 #define XFRM_SA_ATTR_REPLAY_WIN 0x1000
63 #define XFRM_SA_ATTR_FLAGS 0x2000
64 #define XFRM_SA_ATTR_ALG_AEAD 0x4000
65 #define XFRM_SA_ATTR_ALG_AUTH 0x8000
66 #define XFRM_SA_ATTR_ALG_CRYPT 0x10000
67 #define XFRM_SA_ATTR_ALG_COMP 0x20000
68 #define XFRM_SA_ATTR_ENCAP 0x40000
69 #define XFRM_SA_ATTR_TFCPAD 0x80000
70 #define XFRM_SA_ATTR_COADDR 0x100000
71 #define XFRM_SA_ATTR_MARK 0x200000
72 #define XFRM_SA_ATTR_SECCTX 0x400000
73 #define XFRM_SA_ATTR_REPLAY_MAXAGE 0x800000
74 #define XFRM_SA_ATTR_REPLAY_MAXDIFF 0x1000000
75 #define XFRM_SA_ATTR_REPLAY_STATE 0x2000000
76 #define XFRM_SA_ATTR_EXPIRE 0x4000000
77 
78 static struct nl_cache_ops xfrmnl_sa_ops;
79 static struct nl_object_ops xfrm_sa_obj_ops;
80 /** @endcond */
81 
82 static void xfrm_sa_alloc_data(struct nl_object *c)
83 {
84  struct xfrmnl_sa* sa = nl_object_priv (c);
85 
86  if ((sa->sel = xfrmnl_sel_alloc ()) == NULL)
87  return;
88 
89  if ((sa->lft = xfrmnl_ltime_cfg_alloc ()) == NULL)
90  return;
91 }
92 
93 static void xfrm_sa_free_data(struct nl_object *c)
94 {
95  struct xfrmnl_sa* sa = nl_object_priv (c);
96 
97  if (sa == NULL)
98  return;
99 
100  xfrmnl_sel_put (sa->sel);
101  xfrmnl_ltime_cfg_put (sa->lft);
102  nl_addr_put (sa->id.daddr);
103  nl_addr_put (sa->saddr);
104 
105  if (sa->aead)
106  free (sa->aead);
107  if (sa->auth)
108  free (sa->auth);
109  if (sa->crypt)
110  free (sa->crypt);
111  if (sa->comp)
112  free (sa->comp);
113  if (sa->encap) {
114  if (sa->encap->encap_oa)
115  nl_addr_put(sa->encap->encap_oa);
116  free(sa->encap);
117  }
118  if (sa->coaddr)
119  nl_addr_put (sa->coaddr);
120  if (sa->sec_ctx)
121  free (sa->sec_ctx);
122  if (sa->replay_state_esn)
123  free (sa->replay_state_esn);
124 }
125 
126 static int xfrm_sa_clone(struct nl_object *_dst, struct nl_object *_src)
127 {
128  struct xfrmnl_sa* dst = nl_object_priv(_dst);
129  struct xfrmnl_sa* src = nl_object_priv(_src);
130  uint32_t len = 0;
131 
132  if (src->sel)
133  if ((dst->sel = xfrmnl_sel_clone (src->sel)) == NULL)
134  return -NLE_NOMEM;
135 
136  if (src->lft)
137  if ((dst->lft = xfrmnl_ltime_cfg_clone (src->lft)) == NULL)
138  return -NLE_NOMEM;
139 
140  if (src->id.daddr)
141  if ((dst->id.daddr = nl_addr_clone (src->id.daddr)) == NULL)
142  return -NLE_NOMEM;
143 
144  if (src->saddr)
145  if ((dst->saddr = nl_addr_clone (src->saddr)) == NULL)
146  return -NLE_NOMEM;
147 
148  if (src->aead)
149  {
150  len = sizeof (struct xfrmnl_algo_aead) + ((src->aead->alg_key_len + 7) / 8);
151  if ((dst->aead = calloc (1, len)) == NULL)
152  return -NLE_NOMEM;
153  memcpy ((void *)dst->aead, (void *)src->aead, len);
154  }
155 
156  if (src->auth)
157  {
158  len = sizeof (struct xfrmnl_algo_auth) + ((src->auth->alg_key_len + 7) / 8);
159  if ((dst->auth = calloc (1, len)) == NULL)
160  return -NLE_NOMEM;
161  memcpy ((void *)dst->auth, (void *)src->auth, len);
162  }
163 
164  if (src->crypt)
165  {
166  len = sizeof (struct xfrmnl_algo) + ((src->crypt->alg_key_len + 7) / 8);
167  if ((dst->crypt = calloc (1, len)) == NULL)
168  return -NLE_NOMEM;
169  memcpy ((void *)dst->crypt, (void *)src->crypt, len);
170  }
171 
172  if (src->comp)
173  {
174  len = sizeof (struct xfrmnl_algo) + ((src->comp->alg_key_len + 7) / 8);
175  if ((dst->comp = calloc (1, len)) == NULL)
176  return -NLE_NOMEM;
177  memcpy ((void *)dst->comp, (void *)src->comp, len);
178  }
179 
180  if (src->encap)
181  {
182  len = sizeof (struct xfrmnl_encap_tmpl);
183  if ((dst->encap = calloc (1, len)) == NULL)
184  return -NLE_NOMEM;
185  memcpy ((void *)dst->encap, (void *)src->encap, len);
186  }
187 
188  if (src->coaddr)
189  if ((dst->coaddr = nl_addr_clone (src->coaddr)) == NULL)
190  return -NLE_NOMEM;
191 
192  if (src->sec_ctx)
193  {
194  len = sizeof (struct xfrmnl_sec_ctx) + src->sec_ctx->ctx_len;
195  if ((dst->sec_ctx = calloc (1, len)) == NULL)
196  return -NLE_NOMEM;
197  memcpy ((void *)dst->sec_ctx, (void *)src->sec_ctx, len);
198  }
199 
200  if (src->replay_state_esn)
201  {
202  len = sizeof (struct xfrmnl_replay_state_esn) + (src->replay_state_esn->bmp_len * sizeof (uint32_t));
203  if ((dst->replay_state_esn = calloc (1, len)) == NULL)
204  return -NLE_NOMEM;
205  memcpy ((void *)dst->replay_state_esn, (void *)src->replay_state_esn, len);
206  }
207 
208  return 0;
209 }
210 
211 static uint64_t xfrm_sa_compare(struct nl_object *_a, struct nl_object *_b,
212  uint64_t attrs, int flags)
213 {
214  struct xfrmnl_sa* a = (struct xfrmnl_sa *) _a;
215  struct xfrmnl_sa* b = (struct xfrmnl_sa *) _b;
216  uint64_t diff = 0;
217  int found = 0;
218 
219 #define XFRM_SA_DIFF(ATTR, EXPR) ATTR_DIFF(attrs, XFRM_SA_ATTR_##ATTR, a, b, EXPR)
220  diff |= XFRM_SA_DIFF(SEL, xfrmnl_sel_cmp(a->sel, b->sel));
221  diff |= XFRM_SA_DIFF(DADDR, nl_addr_cmp(a->id.daddr, b->id.daddr));
222  diff |= XFRM_SA_DIFF(SPI, a->id.spi != b->id.spi);
223  diff |= XFRM_SA_DIFF(PROTO, a->id.proto != b->id.proto);
224  diff |= XFRM_SA_DIFF(SADDR, nl_addr_cmp(a->saddr, b->saddr));
225  diff |= XFRM_SA_DIFF(LTIME_CFG, xfrmnl_ltime_cfg_cmp(a->lft, b->lft));
226  diff |= XFRM_SA_DIFF(REQID, a->reqid != b->reqid);
227  diff |= XFRM_SA_DIFF(FAMILY,a->family != b->family);
228  diff |= XFRM_SA_DIFF(MODE,a->mode != b->mode);
229  diff |= XFRM_SA_DIFF(REPLAY_WIN,a->replay_window != b->replay_window);
230  diff |= XFRM_SA_DIFF(FLAGS,a->flags != b->flags);
231  diff |= XFRM_SA_DIFF(ALG_AEAD,(strcmp(a->aead->alg_name, b->aead->alg_name) ||
232  (a->aead->alg_key_len != b->aead->alg_key_len) ||
233  (a->aead->alg_icv_len != b->aead->alg_icv_len) ||
234  memcmp(a->aead->alg_key, b->aead->alg_key,
235  ((a->aead->alg_key_len + 7)/8))));
236  diff |= XFRM_SA_DIFF(ALG_AUTH,(strcmp(a->auth->alg_name, b->auth->alg_name) ||
237  (a->auth->alg_key_len != b->auth->alg_key_len) ||
238  (a->auth->alg_trunc_len != b->auth->alg_trunc_len) ||
239  memcmp(a->auth->alg_key, b->auth->alg_key,
240  ((a->auth->alg_key_len + 7)/8))));
241  diff |= XFRM_SA_DIFF(ALG_CRYPT,(strcmp(a->crypt->alg_name, b->crypt->alg_name) ||
242  (a->crypt->alg_key_len != b->crypt->alg_key_len) ||
243  memcmp(a->crypt->alg_key, b->crypt->alg_key,
244  ((a->crypt->alg_key_len + 7)/8))));
245  diff |= XFRM_SA_DIFF(ALG_COMP,(strcmp(a->comp->alg_name, b->comp->alg_name) ||
246  (a->comp->alg_key_len != b->comp->alg_key_len) ||
247  memcmp(a->comp->alg_key, b->comp->alg_key,
248  ((a->comp->alg_key_len + 7)/8))));
249  diff |= XFRM_SA_DIFF(ENCAP,((a->encap->encap_type != b->encap->encap_type) ||
250  (a->encap->encap_sport != b->encap->encap_sport) ||
251  (a->encap->encap_dport != b->encap->encap_dport) ||
252  nl_addr_cmp(a->encap->encap_oa, b->encap->encap_oa)));
253  diff |= XFRM_SA_DIFF(TFCPAD,a->tfcpad != b->tfcpad);
254  diff |= XFRM_SA_DIFF(COADDR,nl_addr_cmp(a->coaddr, b->coaddr));
255  diff |= XFRM_SA_DIFF(MARK,(a->mark.m != b->mark.m) ||
256  (a->mark.v != b->mark.v));
257  diff |= XFRM_SA_DIFF(SECCTX,((a->sec_ctx->ctx_doi != b->sec_ctx->ctx_doi) ||
258  (a->sec_ctx->ctx_alg != b->sec_ctx->ctx_alg) ||
259  (a->sec_ctx->ctx_len != b->sec_ctx->ctx_len) ||
260  (a->sec_ctx->ctx_sid != b->sec_ctx->ctx_sid) ||
261  strcmp(a->sec_ctx->ctx_str, b->sec_ctx->ctx_str)));
262  diff |= XFRM_SA_DIFF(REPLAY_MAXAGE,a->replay_maxage != b->replay_maxage);
263  diff |= XFRM_SA_DIFF(REPLAY_MAXDIFF,a->replay_maxdiff != b->replay_maxdiff);
264  diff |= XFRM_SA_DIFF(EXPIRE,a->hard != b->hard);
265 
266  /* Compare replay states */
267  found = AVAILABLE_MISMATCH (a, b, XFRM_SA_ATTR_REPLAY_STATE);
268  if (found == 0) // attribute exists in both objects
269  {
270  if (((a->replay_state_esn != NULL) && (b->replay_state_esn == NULL)) ||
271  ((a->replay_state_esn == NULL) && (b->replay_state_esn != NULL)))
272  found |= 1;
273 
274  if (found == 0) // same replay type. compare actual values
275  {
276  if (a->replay_state_esn)
277  {
278  if (a->replay_state_esn->bmp_len != b->replay_state_esn->bmp_len)
279  diff |= 1;
280  else
281  {
282  uint32_t len = sizeof (struct xfrmnl_replay_state_esn) +
283  (a->replay_state_esn->bmp_len * sizeof (uint32_t));
284  diff |= memcmp (a->replay_state_esn, b->replay_state_esn, len);
285  }
286  }
287  else
288  {
289  if ((a->replay_state.oseq != b->replay_state.oseq) ||
290  (a->replay_state.seq != b->replay_state.seq) ||
291  (a->replay_state.bitmap != b->replay_state.bitmap))
292  diff |= 1;
293  }
294  }
295  }
296 #undef XFRM_SA_DIFF
297 
298  return diff;
299 }
300 
301 /**
302  * @name XFRM SA Attribute Translations
303  * @{
304  */
305 static const struct trans_tbl sa_attrs[] = {
306  __ADD(XFRM_SA_ATTR_SEL, selector),
307  __ADD(XFRM_SA_ATTR_DADDR, daddr),
308  __ADD(XFRM_SA_ATTR_SPI, spi),
309  __ADD(XFRM_SA_ATTR_PROTO, proto),
310  __ADD(XFRM_SA_ATTR_SADDR, saddr),
311  __ADD(XFRM_SA_ATTR_LTIME_CFG, lifetime_cfg),
312  __ADD(XFRM_SA_ATTR_LTIME_CUR, lifetime_cur),
313  __ADD(XFRM_SA_ATTR_STATS, stats),
314  __ADD(XFRM_SA_ATTR_SEQ, seqnum),
315  __ADD(XFRM_SA_ATTR_REQID, reqid),
316  __ADD(XFRM_SA_ATTR_FAMILY, family),
317  __ADD(XFRM_SA_ATTR_MODE, mode),
318  __ADD(XFRM_SA_ATTR_REPLAY_WIN, replay_window),
319  __ADD(XFRM_SA_ATTR_FLAGS, flags),
320  __ADD(XFRM_SA_ATTR_ALG_AEAD, alg_aead),
321  __ADD(XFRM_SA_ATTR_ALG_AUTH, alg_auth),
322  __ADD(XFRM_SA_ATTR_ALG_CRYPT, alg_crypto),
323  __ADD(XFRM_SA_ATTR_ALG_COMP, alg_comp),
324  __ADD(XFRM_SA_ATTR_ENCAP, encap),
325  __ADD(XFRM_SA_ATTR_TFCPAD, tfcpad),
326  __ADD(XFRM_SA_ATTR_COADDR, coaddr),
327  __ADD(XFRM_SA_ATTR_MARK, mark),
328  __ADD(XFRM_SA_ATTR_SECCTX, sec_ctx),
329  __ADD(XFRM_SA_ATTR_REPLAY_MAXAGE, replay_maxage),
330  __ADD(XFRM_SA_ATTR_REPLAY_MAXDIFF, replay_maxdiff),
331  __ADD(XFRM_SA_ATTR_REPLAY_STATE, replay_state),
332  __ADD(XFRM_SA_ATTR_EXPIRE, expire),
333 };
334 
335 static char* xfrm_sa_attrs2str(int attrs, char *buf, size_t len)
336 {
337  return __flags2str (attrs, buf, len, sa_attrs, ARRAY_SIZE(sa_attrs));
338 }
339 /** @} */
340 
341 /**
342  * @name XFRM SA Flags Translations
343  * @{
344  */
345 static const struct trans_tbl sa_flags[] = {
346  __ADD(XFRM_STATE_NOECN, no ecn),
347  __ADD(XFRM_STATE_DECAP_DSCP, decap dscp),
348  __ADD(XFRM_STATE_NOPMTUDISC, no pmtu discovery),
349  __ADD(XFRM_STATE_WILDRECV, wild receive),
350  __ADD(XFRM_STATE_ICMP, icmp),
351  __ADD(XFRM_STATE_AF_UNSPEC, unspecified),
352  __ADD(XFRM_STATE_ALIGN4, align4),
353  __ADD(XFRM_STATE_ESN, esn),
354 };
355 
356 char* xfrmnl_sa_flags2str(int flags, char *buf, size_t len)
357 {
358  return __flags2str (flags, buf, len, sa_flags, ARRAY_SIZE(sa_flags));
359 }
360 
361 int xfrmnl_sa_str2flag(const char *name)
362 {
363  return __str2flags (name, sa_flags, ARRAY_SIZE(sa_flags));
364 }
365 /** @} */
366 
367 /**
368  * @name XFRM SA Mode Translations
369  * @{
370  */
371 static const struct trans_tbl sa_modes[] = {
372  __ADD(XFRM_MODE_TRANSPORT, transport),
373  __ADD(XFRM_MODE_TUNNEL, tunnel),
374  __ADD(XFRM_MODE_ROUTEOPTIMIZATION, route optimization),
375  __ADD(XFRM_MODE_IN_TRIGGER, in trigger),
376  __ADD(XFRM_MODE_BEET, beet),
377 };
378 
379 char* xfrmnl_sa_mode2str(int mode, char *buf, size_t len)
380 {
381  return __type2str (mode, buf, len, sa_modes, ARRAY_SIZE(sa_modes));
382 }
383 
384 int xfrmnl_sa_str2mode(const char *name)
385 {
386  return __str2type (name, sa_modes, ARRAY_SIZE(sa_modes));
387 }
388 /** @} */
389 
390 
391 static void xfrm_sa_dump_line(struct nl_object *a, struct nl_dump_params *p)
392 {
393  char dst[INET6_ADDRSTRLEN+5], src[INET6_ADDRSTRLEN+5];
394  struct xfrmnl_sa* sa = (struct xfrmnl_sa *) a;
395  char flags[128], mode[128];
396  time_t add_time, use_time;
397  struct tm *add_time_tm, *use_time_tm;
398 
399  nl_dump_line(p, "src %s dst %s family: %s\n", nl_addr2str(sa->saddr, src, sizeof(src)),
400  nl_addr2str(sa->id.daddr, dst, sizeof(dst)),
401  nl_af2str (sa->family, flags, sizeof (flags)));
402 
403  nl_dump_line(p, "\tproto %s spi 0x%x reqid %u\n",
404  nl_ip_proto2str (sa->id.proto, flags, sizeof(flags)),
405  sa->id.spi, sa->reqid);
406 
407  xfrmnl_sa_flags2str(sa->flags, flags, sizeof (flags));
408  xfrmnl_sa_mode2str(sa->mode, mode, sizeof (mode));
409  nl_dump_line(p, "\tmode: %s flags: %s (0x%x) seq: %u replay window: %u\n",
410  mode, flags, sa->flags, sa->seq, sa->replay_window);
411 
412  nl_dump_line(p, "\tlifetime configuration: \n");
413  if (sa->lft->soft_byte_limit == XFRM_INF)
414  sprintf (flags, "INF");
415  else
416  sprintf (flags, "%" PRIu64, sa->lft->soft_byte_limit);
417  if (sa->lft->soft_packet_limit == XFRM_INF)
418  sprintf (mode, "INF");
419  else
420  sprintf (mode, "%" PRIu64, sa->lft->soft_packet_limit);
421  nl_dump_line(p, "\t\tsoft limit: %s (bytes), %s (packets)\n", flags, mode);
422  if (sa->lft->hard_byte_limit == XFRM_INF)
423  sprintf (flags, "INF");
424  else
425  sprintf (flags, "%" PRIu64, sa->lft->hard_byte_limit);
426  if (sa->lft->hard_packet_limit == XFRM_INF)
427  sprintf (mode, "INF");
428  else
429  sprintf (mode, "%" PRIu64, sa->lft->hard_packet_limit);
430  nl_dump_line(p, "\t\thard limit: %s (bytes), %s (packets)\n", flags, mode);
431  nl_dump_line(p, "\t\tsoft add_time: %llu (seconds), soft use_time: %llu (seconds) \n",
432  sa->lft->soft_add_expires_seconds, sa->lft->soft_use_expires_seconds);
433  nl_dump_line(p, "\t\thard add_time: %llu (seconds), hard use_time: %llu (seconds) \n",
434  sa->lft->hard_add_expires_seconds, sa->lft->hard_use_expires_seconds);
435 
436  nl_dump_line(p, "\tlifetime current: \n");
437  nl_dump_line(p, "\t\t%llu bytes, %llu packets\n", sa->curlft.bytes, sa->curlft.packets);
438  if (sa->curlft.add_time != 0)
439  {
440  add_time = sa->curlft.add_time;
441  add_time_tm = gmtime (&add_time);
442  strftime (flags, 128, "%Y-%m-%d %H-%M-%S", add_time_tm);
443  }
444  else
445  {
446  sprintf (flags, "%s", "-");
447  }
448 
449  if (sa->curlft.use_time != 0)
450  {
451  use_time = sa->curlft.use_time;
452  use_time_tm = gmtime (&use_time);
453  strftime (mode, 128, "%Y-%m-%d %H-%M-%S", use_time_tm);
454  }
455  else
456  {
457  sprintf (mode, "%s", "-");
458  }
459  nl_dump_line(p, "\t\tadd_time: %s, use_time: %s\n", flags, mode);
460 
461  if (sa->aead)
462  {
463  nl_dump_line(p, "\tAEAD Algo: \n");
464  nl_dump_line(p, "\t\tName: %s Key len(bits): %u ICV Len(bits): %u\n",
465  sa->aead->alg_name, sa->aead->alg_key_len, sa->aead->alg_icv_len);
466  }
467 
468  if (sa->auth)
469  {
470  nl_dump_line(p, "\tAuth Algo: \n");
471  nl_dump_line(p, "\t\tName: %s Key len(bits): %u Trunc len(bits): %u\n",
472  sa->auth->alg_name, sa->auth->alg_key_len, sa->auth->alg_trunc_len);
473  }
474 
475  if (sa->crypt)
476  {
477  nl_dump_line(p, "\tEncryption Algo: \n");
478  nl_dump_line(p, "\t\tName: %s Key len(bits): %u\n",
479  sa->crypt->alg_name, sa->crypt->alg_key_len);
480  }
481 
482  if (sa->comp)
483  {
484  nl_dump_line(p, "\tCompression Algo: \n");
485  nl_dump_line(p, "\t\tName: %s Key len(bits): %u\n",
486  sa->comp->alg_name, sa->comp->alg_key_len);
487  }
488 
489  if (sa->encap)
490  {
491  nl_dump_line(p, "\tEncapsulation template: \n");
492  nl_dump_line(p, "\t\tType: %d Src port: %d Dst port: %d Encap addr: %s\n",
493  sa->encap->encap_type, sa->encap->encap_sport, sa->encap->encap_dport,
494  nl_addr2str (sa->encap->encap_oa, dst, sizeof (dst)));
495  }
496 
497  if (sa->ce_mask & XFRM_SA_ATTR_TFCPAD)
498  nl_dump_line(p, "\tTFC Pad: %u\n", sa->tfcpad);
499 
500  if (sa->ce_mask & XFRM_SA_ATTR_COADDR)
501  nl_dump_line(p, "\tCO Address: %s\n", nl_addr2str (sa->coaddr, dst, sizeof (dst)));
502 
503  if (sa->ce_mask & XFRM_SA_ATTR_MARK)
504  nl_dump_line(p, "\tMark mask: 0x%x Mark value: 0x%x\n", sa->mark.m, sa->mark.v);
505 
506  if (sa->ce_mask & XFRM_SA_ATTR_SECCTX)
507  nl_dump_line(p, "\tDOI: %d Algo: %d Len: %u SID: %u ctx: %s\n", sa->sec_ctx->ctx_doi,
508  sa->sec_ctx->ctx_alg, sa->sec_ctx->ctx_len, sa->sec_ctx->ctx_sid, sa->sec_ctx->ctx_str);
509 
510  nl_dump_line(p, "\treplay info: \n");
511  nl_dump_line(p, "\t\tmax age %u max diff %u \n", sa->replay_maxage, sa->replay_maxdiff);
512 
513  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
514  {
515  nl_dump_line(p, "\treplay state info: \n");
516  if (sa->replay_state_esn)
517  {
518  nl_dump_line(p, "\t\toseq %u seq %u oseq_hi %u seq_hi %u replay window: %u \n",
519  sa->replay_state_esn->oseq, sa->replay_state_esn->seq,
520  sa->replay_state_esn->oseq_hi, sa->replay_state_esn->seq_hi,
521  sa->replay_state_esn->replay_window);
522  }
523  else
524  {
525  nl_dump_line(p, "\t\toseq %u seq %u bitmap: %u \n", sa->replay_state.oseq,
526  sa->replay_state.seq, sa->replay_state.bitmap);
527  }
528  }
529 
530  nl_dump_line(p, "\tselector info: \n");
531  xfrmnl_sel_dump (sa->sel, p);
532 
533  nl_dump_line(p, "\tHard: %d\n", sa->hard);
534 
535  nl_dump(p, "\n");
536 }
537 
538 static void xfrm_sa_dump_stats(struct nl_object *a, struct nl_dump_params *p)
539 {
540  struct xfrmnl_sa* sa = (struct xfrmnl_sa*)a;
541 
542  nl_dump_line(p, "\tstats: \n");
543  nl_dump_line(p, "\t\treplay window: %u replay: %u integrity failed: %u \n",
544  sa->stats.replay_window, sa->stats.replay, sa->stats.integrity_failed);
545 
546  return;
547 }
548 
549 static void xfrm_sa_dump_details(struct nl_object *a, struct nl_dump_params *p)
550 {
551  xfrm_sa_dump_line(a, p);
552  xfrm_sa_dump_stats (a, p);
553 }
554 
555 /**
556  * @name XFRM SA Object Allocation/Freeage
557  * @{
558  */
559 
560 struct xfrmnl_sa* xfrmnl_sa_alloc(void)
561 {
562  return (struct xfrmnl_sa*) nl_object_alloc(&xfrm_sa_obj_ops);
563 }
564 
565 void xfrmnl_sa_put(struct xfrmnl_sa* sa)
566 {
567  nl_object_put((struct nl_object *) sa);
568 }
569 
570 /** @} */
571 
572 /**
573  * @name SA Cache Managament
574  * @{
575  */
576 
577 /**
578  * Build a SA cache including all SAs currently configured in the kernel.
579  * @arg sock Netlink socket.
580  * @arg result Pointer to store resulting cache.
581  *
582  * Allocates a new SA cache, initializes it properly and updates it
583  * to include all SAs currently configured in the kernel.
584  *
585  * @return 0 on success or a negative error code.
586  */
587 int xfrmnl_sa_alloc_cache(struct nl_sock *sock, struct nl_cache **result)
588 {
589  return nl_cache_alloc_and_fill(&xfrmnl_sa_ops, sock, result);
590 }
591 
592 /**
593  * Look up a SA by destination address, SPI, protocol
594  * @arg cache SA cache
595  * @arg daddr destination address of the SA
596  * @arg spi SPI
597  * @arg proto protocol
598  * @return sa handle or NULL if no match was found.
599  */
600 struct xfrmnl_sa* xfrmnl_sa_get(struct nl_cache* cache, struct nl_addr* daddr,
601  unsigned int spi, unsigned int proto)
602 {
603  struct xfrmnl_sa *sa;
604 
605  //nl_list_for_each_entry(sa, &cache->c_items, ce_list) {
606  for (sa = (struct xfrmnl_sa*)nl_cache_get_first (cache);
607  sa != NULL;
608  sa = (struct xfrmnl_sa*)nl_cache_get_next ((struct nl_object*)sa))
609  {
610  if (sa->id.proto == proto &&
611  sa->id.spi == spi &&
612  !nl_addr_cmp(sa->id.daddr, daddr))
613  {
614  nl_object_get((struct nl_object *) sa);
615  return sa;
616  }
617 
618  }
619 
620  return NULL;
621 }
622 
623 
624 /** @} */
625 
626 
627 static struct nla_policy xfrm_sa_policy[XFRMA_MAX+1] = {
628  [XFRMA_SA] = { .minlen = sizeof(struct xfrm_usersa_info)},
629  [XFRMA_ALG_AUTH_TRUNC] = { .minlen = sizeof(struct xfrm_algo_auth)},
630  [XFRMA_ALG_AEAD] = { .minlen = sizeof(struct xfrm_algo_aead) },
631  [XFRMA_ALG_AUTH] = { .minlen = sizeof(struct xfrm_algo) },
632  [XFRMA_ALG_CRYPT] = { .minlen = sizeof(struct xfrm_algo) },
633  [XFRMA_ALG_COMP] = { .minlen = sizeof(struct xfrm_algo) },
634  [XFRMA_ENCAP] = { .minlen = sizeof(struct xfrm_encap_tmpl) },
635  [XFRMA_TMPL] = { .minlen = sizeof(struct xfrm_user_tmpl) },
636  [XFRMA_SEC_CTX] = { .minlen = sizeof(struct xfrm_sec_ctx) },
637  [XFRMA_LTIME_VAL] = { .minlen = sizeof(struct xfrm_lifetime_cur) },
638  [XFRMA_REPLAY_VAL] = { .minlen = sizeof(struct xfrm_replay_state) },
639  [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 },
640  [XFRMA_ETIMER_THRESH] = { .type = NLA_U32 },
641  [XFRMA_SRCADDR] = { .minlen = sizeof(xfrm_address_t) },
642  [XFRMA_COADDR] = { .minlen = sizeof(xfrm_address_t) },
643  [XFRMA_MARK] = { .minlen = sizeof(struct xfrm_mark) },
644  [XFRMA_TFCPAD] = { .type = NLA_U32 },
645  [XFRMA_REPLAY_ESN_VAL] = { .minlen = sizeof(struct xfrm_replay_state_esn) },
646 };
647 
648 static int xfrm_sa_request_update(struct nl_cache *c, struct nl_sock *h)
649 {
650  struct xfrm_id sa_id;
651 
652  memset (&sa_id, 0, sizeof (sa_id));
653  return nl_send_simple (h, XFRM_MSG_GETSA, NLM_F_DUMP,
654  &sa_id, sizeof (sa_id));
655 }
656 
657 int xfrmnl_sa_parse(struct nlmsghdr *n, struct xfrmnl_sa **result)
658 {
659  struct xfrmnl_sa* sa;
660  struct nlattr *tb[XFRMA_MAX + 1];
661  struct xfrm_usersa_info* sa_info;
662  struct xfrm_user_expire* ue;
663  int len, err;
664  struct nl_addr* addr;
665 
666  sa = xfrmnl_sa_alloc();
667  if (!sa) {
668  err = -NLE_NOMEM;
669  goto errout;
670  }
671 
672  sa->ce_msgtype = n->nlmsg_type;
673  if (n->nlmsg_type == XFRM_MSG_EXPIRE)
674  {
675  ue = nlmsg_data(n);
676  sa_info = &ue->state;
677  sa->hard = ue->hard;
678  sa->ce_mask |= XFRM_SA_ATTR_EXPIRE;
679  }
680  else if (n->nlmsg_type == XFRM_MSG_DELSA)
681  {
682  sa_info = (struct xfrm_usersa_info*)(nlmsg_data(n) + sizeof (struct xfrm_usersa_id) + NLA_HDRLEN);
683  }
684  else
685  {
686  sa_info = nlmsg_data(n);
687  }
688 
689  err = nlmsg_parse(n, sizeof(struct xfrm_usersa_info), tb, XFRMA_MAX, xfrm_sa_policy);
690  if (err < 0)
691  goto errout;
692 
693  if (sa_info->sel.family == AF_INET)
694  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.daddr.a4, sizeof (sa_info->sel.daddr.a4));
695  else
696  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.daddr.a6, sizeof (sa_info->sel.daddr.a6));
697  nl_addr_set_prefixlen (addr, sa_info->sel.prefixlen_d);
698  xfrmnl_sel_set_daddr (sa->sel, addr);
699  xfrmnl_sel_set_prefixlen_d (sa->sel, sa_info->sel.prefixlen_d);
700 
701  if (sa_info->sel.family == AF_INET)
702  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.saddr.a4, sizeof (sa_info->sel.saddr.a4));
703  else
704  addr = nl_addr_build (sa_info->sel.family, &sa_info->sel.saddr.a6, sizeof (sa_info->sel.saddr.a6));
705  nl_addr_set_prefixlen (addr, sa_info->sel.prefixlen_s);
706  xfrmnl_sel_set_saddr (sa->sel, addr);
707  xfrmnl_sel_set_prefixlen_s (sa->sel, sa_info->sel.prefixlen_s);
708 
709  xfrmnl_sel_set_dport (sa->sel, ntohs(sa_info->sel.dport));
710  xfrmnl_sel_set_dportmask (sa->sel, ntohs(sa_info->sel.dport_mask));
711  xfrmnl_sel_set_sport (sa->sel, ntohs(sa_info->sel.sport));
712  xfrmnl_sel_set_sportmask (sa->sel, ntohs(sa_info->sel.sport_mask));
713  xfrmnl_sel_set_family (sa->sel, sa_info->sel.family);
714  xfrmnl_sel_set_proto (sa->sel, sa_info->sel.proto);
715  xfrmnl_sel_set_ifindex (sa->sel, sa_info->sel.ifindex);
716  xfrmnl_sel_set_userid (sa->sel, sa_info->sel.user);
717  sa->ce_mask |= XFRM_SA_ATTR_SEL;
718 
719  if (sa_info->family == AF_INET)
720  sa->id.daddr = nl_addr_build (sa_info->family, &sa_info->id.daddr.a4, sizeof (sa_info->id.daddr.a4));
721  else
722  sa->id.daddr = nl_addr_build (sa_info->family, &sa_info->id.daddr.a6, sizeof (sa_info->id.daddr.a6));
723  sa->id.spi = ntohl(sa_info->id.spi);
724  sa->id.proto = sa_info->id.proto;
725  sa->ce_mask |= (XFRM_SA_ATTR_DADDR | XFRM_SA_ATTR_SPI | XFRM_SA_ATTR_PROTO);
726 
727  if (sa_info->family == AF_INET)
728  sa->saddr = nl_addr_build (sa_info->family, &sa_info->saddr.a4, sizeof (sa_info->saddr.a4));
729  else
730  sa->saddr = nl_addr_build (sa_info->family, &sa_info->saddr.a6, sizeof (sa_info->saddr.a6));
731  sa->ce_mask |= XFRM_SA_ATTR_SADDR;
732 
733  sa->lft->soft_byte_limit = sa_info->lft.soft_byte_limit;
734  sa->lft->hard_byte_limit = sa_info->lft.hard_byte_limit;
735  sa->lft->soft_packet_limit = sa_info->lft.soft_packet_limit;
736  sa->lft->hard_packet_limit = sa_info->lft.hard_packet_limit;
737  sa->lft->soft_add_expires_seconds = sa_info->lft.soft_add_expires_seconds;
738  sa->lft->hard_add_expires_seconds = sa_info->lft.hard_add_expires_seconds;
739  sa->lft->soft_use_expires_seconds = sa_info->lft.soft_use_expires_seconds;
740  sa->lft->hard_use_expires_seconds = sa_info->lft.hard_use_expires_seconds;
741  sa->ce_mask |= XFRM_SA_ATTR_LTIME_CFG;
742 
743  sa->curlft.bytes = sa_info->curlft.bytes;
744  sa->curlft.packets = sa_info->curlft.packets;
745  sa->curlft.add_time = sa_info->curlft.add_time;
746  sa->curlft.use_time = sa_info->curlft.use_time;
747  sa->ce_mask |= XFRM_SA_ATTR_LTIME_CUR;
748 
749  sa->stats.replay_window = sa_info->stats.replay_window;
750  sa->stats.replay = sa_info->stats.replay;
751  sa->stats.integrity_failed = sa_info->stats.integrity_failed;
752  sa->ce_mask |= XFRM_SA_ATTR_STATS;
753 
754  sa->seq = sa_info->seq;
755  sa->reqid = sa_info->reqid;
756  sa->family = sa_info->family;
757  sa->mode = sa_info->mode;
758  sa->replay_window = sa_info->replay_window;
759  sa->flags = sa_info->flags;
760  sa->ce_mask |= (XFRM_SA_ATTR_SEQ | XFRM_SA_ATTR_REQID |
761  XFRM_SA_ATTR_FAMILY | XFRM_SA_ATTR_MODE |
762  XFRM_SA_ATTR_REPLAY_WIN | XFRM_SA_ATTR_FLAGS);
763 
764  if (tb[XFRMA_ALG_AEAD]) {
765  struct xfrm_algo_aead* aead = nla_data(tb[XFRMA_ALG_AEAD]);
766  len = sizeof (struct xfrmnl_algo_aead) + ((aead->alg_key_len + 7) / 8);
767  if ((sa->aead = calloc (1, len)) == NULL)
768  {
769  err = -NLE_NOMEM;
770  goto errout;
771  }
772  memcpy ((void *)sa->aead, (void *)aead, len);
773  sa->ce_mask |= XFRM_SA_ATTR_ALG_AEAD;
774  }
775 
776  if (tb[XFRMA_ALG_AUTH_TRUNC]) {
777  struct xfrm_algo_auth* auth = nla_data(tb[XFRMA_ALG_AUTH_TRUNC]);
778  len = sizeof (struct xfrmnl_algo_auth) + ((auth->alg_key_len + 7) / 8);
779  if ((sa->auth = calloc (1, len)) == NULL)
780  {
781  err = -NLE_NOMEM;
782  goto errout;
783  }
784  memcpy ((void *)sa->auth, (void *)auth, len);
785  sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
786  }
787 
788  if (tb[XFRMA_ALG_AUTH] && !sa->auth) {
789  struct xfrm_algo* auth = nla_data(tb[XFRMA_ALG_AUTH]);
790  len = sizeof (struct xfrmnl_algo_auth) + ((auth->alg_key_len + 7) / 8);
791  if ((sa->auth = calloc (1, len)) == NULL)
792  {
793  err = -NLE_NOMEM;
794  goto errout;
795  }
796  strcpy(sa->auth->alg_name, auth->alg_name);
797  memcpy(sa->auth->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8);
798  sa->auth->alg_key_len = auth->alg_key_len;
799  sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
800  }
801 
802  if (tb[XFRMA_ALG_CRYPT]) {
803  struct xfrm_algo* crypt = nla_data(tb[XFRMA_ALG_CRYPT]);
804  len = sizeof (struct xfrmnl_algo) + ((crypt->alg_key_len + 7) / 8);
805  if ((sa->crypt = calloc (1, len)) == NULL)
806  {
807  err = -NLE_NOMEM;
808  goto errout;
809  }
810  memcpy ((void *)sa->crypt, (void *)crypt, len);
811  sa->ce_mask |= XFRM_SA_ATTR_ALG_CRYPT;
812  }
813 
814  if (tb[XFRMA_ALG_COMP]) {
815  struct xfrm_algo* comp = nla_data(tb[XFRMA_ALG_COMP]);
816  len = sizeof (struct xfrmnl_algo) + ((comp->alg_key_len + 7) / 8);
817  if ((sa->comp = calloc (1, len)) == NULL)
818  {
819  err = -NLE_NOMEM;
820  goto errout;
821  }
822  memcpy ((void *)sa->comp, (void *)comp, len);
823  sa->ce_mask |= XFRM_SA_ATTR_ALG_COMP;
824  }
825 
826  if (tb[XFRMA_ENCAP]) {
827  struct xfrm_encap_tmpl* encap = nla_data(tb[XFRMA_ENCAP]);
828  len = sizeof (struct xfrmnl_encap_tmpl);
829  if ((sa->encap = calloc (1, len)) == NULL)
830  {
831  err = -NLE_NOMEM;
832  goto errout;
833  }
834  sa->encap->encap_type = encap->encap_type;
835  sa->encap->encap_sport = ntohs(encap->encap_sport);
836  sa->encap->encap_dport = ntohs(encap->encap_dport);
837  if (sa_info->family == AF_INET)
838  sa->encap->encap_oa = nl_addr_build (sa_info->family, &encap->encap_oa.a4, sizeof (encap->encap_oa.a4));
839  else
840  sa->encap->encap_oa = nl_addr_build (sa_info->family, &encap->encap_oa.a6, sizeof (encap->encap_oa.a6));
841  sa->ce_mask |= XFRM_SA_ATTR_ENCAP;
842  }
843 
844  if (tb[XFRMA_TFCPAD]) {
845  sa->tfcpad = *(uint32_t*)nla_data(tb[XFRMA_TFCPAD]);
846  sa->ce_mask |= XFRM_SA_ATTR_TFCPAD;
847  }
848 
849  if (tb[XFRMA_COADDR]) {
850  if (sa_info->family == AF_INET)
851  {
852  sa->coaddr = nl_addr_build(sa_info->family, nla_data(tb[XFRMA_COADDR]),
853  sizeof (uint32_t));
854  }
855  else
856  {
857  sa->coaddr = nl_addr_build(sa_info->family, nla_data(tb[XFRMA_COADDR]),
858  sizeof (uint32_t) * 4);
859  }
860  sa->ce_mask |= XFRM_SA_ATTR_COADDR;
861  }
862 
863  if (tb[XFRMA_MARK]) {
864  struct xfrm_mark* m = nla_data(tb[XFRMA_MARK]);
865  sa->mark.m = m->m;
866  sa->mark.v = m->v;
867  sa->ce_mask |= XFRM_SA_ATTR_MARK;
868  }
869 
870  if (tb[XFRMA_SEC_CTX]) {
871  struct xfrm_sec_ctx* sec_ctx = nla_data(tb[XFRMA_SEC_CTX]);
872  len = sizeof (struct xfrmnl_sec_ctx) + sec_ctx->ctx_len;
873  if ((sa->sec_ctx = calloc (1, len)) == NULL)
874  {
875  err = -NLE_NOMEM;
876  goto errout;
877  }
878  memcpy ((void *)sa->sec_ctx, (void *)sec_ctx, len);
879  sa->ce_mask |= XFRM_SA_ATTR_SECCTX;
880  }
881 
882  if (tb[XFRMA_ETIMER_THRESH]) {
883  sa->replay_maxage = *(uint32_t*)nla_data(tb[XFRMA_ETIMER_THRESH]);
884  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXAGE;
885  }
886 
887  if (tb[XFRMA_REPLAY_THRESH]) {
888  sa->replay_maxdiff = *(uint32_t*)nla_data(tb[XFRMA_REPLAY_THRESH]);
889  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXDIFF;
890  }
891 
892  if (tb[XFRMA_REPLAY_ESN_VAL]) {
893  struct xfrm_replay_state_esn* esn = nla_data (tb[XFRMA_REPLAY_ESN_VAL]);
894  len = sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * esn->bmp_len);
895  if ((sa->replay_state_esn = calloc (1, len)) == NULL)
896  {
897  err = -NLE_NOMEM;
898  goto errout;
899  }
900  memcpy ((void *)sa->replay_state_esn, (void *)esn, len);
901  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
902  }
903  else if (tb[XFRMA_REPLAY_VAL])
904  {
905  struct xfrm_replay_state* replay_state = nla_data (tb[XFRMA_REPLAY_VAL]);
906  sa->replay_state.oseq = replay_state->oseq;
907  sa->replay_state.seq = replay_state->seq;
908  sa->replay_state.bitmap = replay_state->bitmap;
909  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
910  sa->replay_state_esn = NULL;
911  }
912 
913  *result = sa;
914  return 0;
915 
916 errout:
917  xfrmnl_sa_put(sa);
918  return err;
919 }
920 
921 static int xfrm_sa_update_cache (struct nl_cache *cache, struct nl_object *obj,
922  change_func_t change_cb, void *data)
923 {
924  struct nl_object* old_sa;
925  struct xfrmnl_sa* sa = (struct xfrmnl_sa*)obj;
926 
927  if (nl_object_get_msgtype (obj) == XFRM_MSG_EXPIRE)
928  {
929  /* On hard expiry, the SA gets deleted too from the kernel state without any
930  * further delete event. On Expire message, we are only updating the cache with
931  * the SA object's new state. In absence of the explicit delete event, the cache will
932  * be out of sync with the kernel state. To get around this, expiry messages cache
933  * operations are handled here (installed with NL_ACT_UNSPEC action) instead of
934  * in Libnl Cache module. */
935 
936  /* Do we already have this object in the cache? */
937  old_sa = nl_cache_search(cache, obj);
938  if (old_sa)
939  {
940  /* Found corresponding SA object in cache. Delete it */
941  nl_cache_remove (old_sa);
942  }
943 
944  /* Handle the expiry event now */
945  if (sa->hard == 0)
946  {
947  /* Soft expiry event: Save the new object to the
948  * cache and notify application of the expiry event. */
949  nl_cache_move (cache, obj);
950 
951  if (old_sa == NULL && change_cb)
952  {
953  /* Application CB present, no previous instance of SA object present.
954  * Notify application CB as a NEW event */
955  change_cb (cache, obj, NL_ACT_NEW, data);
956  }
957  else if (old_sa)
958  {
959  /* Application CB present, a previous instance of SA object present.
960  * Notify application CB as a CHANGE1 event */
961  if (nl_object_diff (old_sa, obj) && change_cb)
962  change_cb (cache, obj, NL_ACT_CHANGE, data);
963  nl_object_put (old_sa);
964  }
965  }
966  else
967  {
968  /* Hard expiry event: Delete the object from the
969  * cache and notify application of the expiry event. */
970  if (change_cb)
971  change_cb (cache, obj, NL_ACT_DEL, data);
972  nl_object_put (old_sa);
973  }
974 
975  /* Done handling expire message */
976  return 0;
977  }
978  else
979  {
980  /* All other messages other than Expire, let the standard Libnl cache
981  * module handle it. */
982  return nl_cache_include (cache, obj, change_cb, data);
983  }
984 }
985 
986 static int xfrm_sa_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
987  struct nlmsghdr *n, struct nl_parser_param *pp)
988 {
989  struct xfrmnl_sa* sa;
990  int err;
991 
992  if ((err = xfrmnl_sa_parse(n, &sa)) < 0)
993  return err;
994 
995  err = pp->pp_cb((struct nl_object *) sa, pp);
996 
997  xfrmnl_sa_put(sa);
998  return err;
999 }
1000 
1001 /**
1002  * @name XFRM SA Get
1003  * @{
1004  */
1005 
1006 int xfrmnl_sa_build_get_request(struct nl_addr* daddr, unsigned int spi, unsigned int protocol, unsigned int mark_v, unsigned int mark_m, struct nl_msg **result)
1007 {
1008  struct nl_msg *msg;
1009  struct xfrm_usersa_id sa_id;
1010  struct xfrm_mark mark;
1011 
1012  if (!daddr || !spi)
1013  {
1014  fprintf(stderr, "APPLICATION BUG: %s:%d:%s: A valid destination address, spi must be specified\n",
1015  __FILE__, __LINE__, __PRETTY_FUNCTION__);
1016  assert(0);
1017  return -NLE_MISSING_ATTR;
1018  }
1019 
1020  memset(&sa_id, 0, sizeof(sa_id));
1021  memcpy (&sa_id.daddr, nl_addr_get_binary_addr (daddr), sizeof (uint8_t) * nl_addr_get_len (daddr));
1022  sa_id.family = nl_addr_get_family (daddr);
1023  sa_id.spi = htonl(spi);
1024  sa_id.proto = protocol;
1025 
1026  if (!(msg = nlmsg_alloc_simple(XFRM_MSG_GETSA, 0)))
1027  return -NLE_NOMEM;
1028 
1029  if (nlmsg_append(msg, &sa_id, sizeof(sa_id), NLMSG_ALIGNTO) < 0)
1030  goto nla_put_failure;
1031 
1032  if ((mark_m & mark_v) != 0)
1033  {
1034  memset(&mark, 0, sizeof(struct xfrm_mark));
1035  mark.m = mark_m;
1036  mark.v = mark_v;
1037 
1038  NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &mark);
1039  }
1040 
1041  *result = msg;
1042  return 0;
1043 
1044 nla_put_failure:
1045  nlmsg_free(msg);
1046  return -NLE_MSGSIZE;
1047 }
1048 
1049 int xfrmnl_sa_get_kernel(struct nl_sock* sock, struct nl_addr* daddr, unsigned int spi, unsigned int protocol, unsigned int mark_v, unsigned int mark_m, struct xfrmnl_sa** result)
1050 {
1051  struct nl_msg *msg = NULL;
1052  struct nl_object *obj;
1053  int err;
1054 
1055  if ((err = xfrmnl_sa_build_get_request(daddr, spi, protocol, mark_m, mark_v, &msg)) < 0)
1056  return err;
1057 
1058  err = nl_send_auto(sock, msg);
1059  nlmsg_free(msg);
1060  if (err < 0)
1061  return err;
1062 
1063  if ((err = nl_pickup(sock, &xfrm_sa_msg_parser, &obj)) < 0)
1064  return err;
1065 
1066  /* We have used xfrm_sa_msg_parser(), object is definitely a xfrm sa */
1067  *result = (struct xfrmnl_sa *) obj;
1068 
1069  /* If an object has been returned, we also need to wait for the ACK */
1070  if (err == 0 && obj)
1071  nl_wait_for_ack(sock);
1072 
1073  return 0;
1074 }
1075 
1076 /** @} */
1077 
1078 static int build_xfrm_sa_message(struct xfrmnl_sa *tmpl, int cmd, int flags, struct nl_msg **result)
1079 {
1080  struct nl_msg* msg;
1081  struct xfrm_usersa_info sa_info;
1082  uint32_t len;
1083  struct nl_addr* addr;
1084 
1085  if (!(tmpl->ce_mask & XFRM_SA_ATTR_DADDR) ||
1086  !(tmpl->ce_mask & XFRM_SA_ATTR_SPI) ||
1087  !(tmpl->ce_mask & XFRM_SA_ATTR_PROTO))
1088  return -NLE_MISSING_ATTR;
1089 
1090  memset ((void*)&sa_info, 0, sizeof (sa_info));
1091  if (tmpl->ce_mask & XFRM_SA_ATTR_SEL)
1092  {
1093  addr = xfrmnl_sel_get_daddr (tmpl->sel);
1094  memcpy ((void*)&sa_info.sel.daddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
1095  addr = xfrmnl_sel_get_saddr (tmpl->sel);
1096  memcpy ((void*)&sa_info.sel.saddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
1097  sa_info.sel.dport = htons (xfrmnl_sel_get_dport (tmpl->sel));
1098  sa_info.sel.dport_mask = htons (xfrmnl_sel_get_dportmask (tmpl->sel));
1099  sa_info.sel.sport = htons (xfrmnl_sel_get_sport (tmpl->sel));
1100  sa_info.sel.sport_mask = htons (xfrmnl_sel_get_sportmask (tmpl->sel));
1101  sa_info.sel.family = xfrmnl_sel_get_family (tmpl->sel);
1102  sa_info.sel.prefixlen_d = xfrmnl_sel_get_prefixlen_d (tmpl->sel);
1103  sa_info.sel.prefixlen_s = xfrmnl_sel_get_prefixlen_s (tmpl->sel);
1104  sa_info.sel.proto = xfrmnl_sel_get_proto (tmpl->sel);
1105  sa_info.sel.ifindex = xfrmnl_sel_get_ifindex (tmpl->sel);
1106  sa_info.sel.user = xfrmnl_sel_get_userid (tmpl->sel);
1107  }
1108 
1109  memcpy (&sa_info.id.daddr, nl_addr_get_binary_addr (tmpl->id.daddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->id.daddr));
1110  sa_info.id.spi = htonl(tmpl->id.spi);
1111  sa_info.id.proto = tmpl->id.proto;
1112 
1113  if (tmpl->ce_mask & XFRM_SA_ATTR_SADDR)
1114  memcpy (&sa_info.saddr, nl_addr_get_binary_addr (tmpl->saddr), sizeof (uint8_t) * nl_addr_get_len (tmpl->saddr));
1115 
1116  if (tmpl->ce_mask & XFRM_SA_ATTR_LTIME_CFG)
1117  {
1118  sa_info.lft.soft_byte_limit = xfrmnl_ltime_cfg_get_soft_bytelimit (tmpl->lft);
1119  sa_info.lft.hard_byte_limit = xfrmnl_ltime_cfg_get_hard_bytelimit (tmpl->lft);
1120  sa_info.lft.soft_packet_limit = xfrmnl_ltime_cfg_get_soft_packetlimit (tmpl->lft);
1121  sa_info.lft.hard_packet_limit = xfrmnl_ltime_cfg_get_hard_packetlimit (tmpl->lft);
1122  sa_info.lft.soft_add_expires_seconds = xfrmnl_ltime_cfg_get_soft_addexpires (tmpl->lft);
1123  sa_info.lft.hard_add_expires_seconds = xfrmnl_ltime_cfg_get_hard_addexpires (tmpl->lft);
1124  sa_info.lft.soft_use_expires_seconds = xfrmnl_ltime_cfg_get_soft_useexpires (tmpl->lft);
1125  sa_info.lft.hard_use_expires_seconds = xfrmnl_ltime_cfg_get_hard_useexpires (tmpl->lft);
1126  }
1127 
1128  //Skip current lifetime: cur lifetime can be updated only via AE
1129  //Skip stats: stats cant be updated
1130  //Skip seq: seq cant be updated
1131 
1132  if (tmpl->ce_mask & XFRM_SA_ATTR_REQID)
1133  sa_info.reqid = tmpl->reqid;
1134 
1135  if (tmpl->ce_mask & XFRM_SA_ATTR_FAMILY)
1136  sa_info.family = tmpl->family;
1137 
1138  if (tmpl->ce_mask & XFRM_SA_ATTR_MODE)
1139  sa_info.mode = tmpl->mode;
1140 
1141  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_WIN)
1142  sa_info.replay_window = tmpl->replay_window;
1143 
1144  if (tmpl->ce_mask & XFRM_SA_ATTR_FLAGS)
1145  sa_info.flags = tmpl->flags;
1146 
1147  msg = nlmsg_alloc_simple(cmd, flags);
1148  if (!msg)
1149  return -NLE_NOMEM;
1150 
1151  if (nlmsg_append(msg, &sa_info, sizeof(sa_info), NLMSG_ALIGNTO) < 0)
1152  goto nla_put_failure;
1153 
1154  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_AEAD) {
1155  len = sizeof (struct xfrm_algo_aead) + ((tmpl->aead->alg_key_len + 7) / 8);
1156  NLA_PUT (msg, XFRMA_ALG_AEAD, len, tmpl->aead);
1157  }
1158 
1159  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_AUTH) {
1160  /* kernel prefers XFRMA_ALG_AUTH_TRUNC over XFRMA_ALG_AUTH, so only
1161  * one of the attributes needs to be present */
1162  if (tmpl->auth->alg_trunc_len) {
1163  len = sizeof (struct xfrm_algo_auth) + ((tmpl->auth->alg_key_len + 7) / 8);
1164  NLA_PUT (msg, XFRMA_ALG_AUTH_TRUNC, len, tmpl->auth);
1165  } else {
1166  struct xfrm_algo *auth;
1167 
1168  len = sizeof (struct xfrm_algo) + ((tmpl->auth->alg_key_len + 7) / 8);
1169  auth = malloc(len);
1170  if (!auth) {
1171  nlmsg_free(msg);
1172  return -NLE_NOMEM;
1173  }
1174 
1175  strncpy(auth->alg_name, tmpl->auth->alg_name, sizeof(auth->alg_name));
1176  auth->alg_key_len = tmpl->auth->alg_key_len;
1177  memcpy(auth->alg_key, tmpl->auth->alg_key, (tmpl->auth->alg_key_len + 7) / 8);
1178  NLA_PUT(msg, XFRMA_ALG_AUTH, len, auth);
1179  free(auth);
1180  }
1181  }
1182 
1183  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_CRYPT) {
1184  len = sizeof (struct xfrm_algo) + ((tmpl->crypt->alg_key_len + 7) / 8);
1185  NLA_PUT (msg, XFRMA_ALG_CRYPT, len, tmpl->crypt);
1186  }
1187 
1188  if (tmpl->ce_mask & XFRM_SA_ATTR_ALG_COMP) {
1189  len = sizeof (struct xfrm_algo) + ((tmpl->comp->alg_key_len + 7) / 8);
1190  NLA_PUT (msg, XFRMA_ALG_COMP, len, tmpl->comp);
1191  }
1192 
1193  if (tmpl->ce_mask & XFRM_SA_ATTR_ENCAP) {
1194  struct xfrm_encap_tmpl* encap_tmpl;
1195  struct nlattr* encap_attr;
1196 
1197  len = sizeof (struct xfrm_encap_tmpl);
1198  encap_attr = nla_reserve(msg, XFRMA_ENCAP, len);
1199  if (!encap_attr)
1200  goto nla_put_failure;
1201  encap_tmpl = nla_data (encap_attr);
1202  encap_tmpl->encap_type = tmpl->encap->encap_type;
1203  encap_tmpl->encap_sport = htons (tmpl->encap->encap_sport);
1204  encap_tmpl->encap_dport = htons (tmpl->encap->encap_dport);
1205  memcpy (&encap_tmpl->encap_oa, nl_addr_get_binary_addr (tmpl->encap->encap_oa), sizeof (uint8_t) * nl_addr_get_len (tmpl->encap->encap_oa));
1206  }
1207 
1208  if (tmpl->ce_mask & XFRM_SA_ATTR_TFCPAD) {
1209  NLA_PUT_U32 (msg, XFRMA_TFCPAD, tmpl->tfcpad);
1210  }
1211 
1212  if (tmpl->ce_mask & XFRM_SA_ATTR_COADDR) {
1213  NLA_PUT (msg, XFRMA_COADDR, sizeof (xfrm_address_t), tmpl->coaddr);
1214  }
1215 
1216  if (tmpl->ce_mask & XFRM_SA_ATTR_MARK) {
1217  NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
1218  }
1219 
1220  if (tmpl->ce_mask & XFRM_SA_ATTR_SECCTX) {
1221  len = sizeof (struct xfrm_sec_ctx) + tmpl->sec_ctx->ctx_len;
1222  NLA_PUT (msg, XFRMA_SEC_CTX, len, tmpl->sec_ctx);
1223  }
1224 
1225  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_MAXAGE) {
1226  NLA_PUT_U32 (msg, XFRMA_ETIMER_THRESH, tmpl->replay_maxage);
1227  }
1228 
1229  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_MAXDIFF) {
1230  NLA_PUT_U32 (msg, XFRMA_REPLAY_THRESH, tmpl->replay_maxdiff);
1231  }
1232 
1233  if (tmpl->ce_mask & XFRM_SA_ATTR_REPLAY_STATE) {
1234  if (tmpl->replay_state_esn) {
1235  len = sizeof (struct xfrm_replay_state_esn) + (sizeof (uint32_t) * tmpl->replay_state_esn->bmp_len);
1236  NLA_PUT (msg, XFRMA_REPLAY_ESN_VAL, len, tmpl->replay_state_esn);
1237  }
1238  else {
1239  NLA_PUT (msg, XFRMA_REPLAY_VAL, sizeof (struct xfrm_replay_state), &tmpl->replay_state);
1240  }
1241  }
1242 
1243  *result = msg;
1244  return 0;
1245 
1246 nla_put_failure:
1247  nlmsg_free(msg);
1248  return -NLE_MSGSIZE;
1249 }
1250 
1251 /**
1252  * @name XFRM SA Add
1253  * @{
1254  */
1255 
1256 int xfrmnl_sa_build_add_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1257 {
1258  return build_xfrm_sa_message (tmpl, XFRM_MSG_NEWSA, flags, result);
1259 }
1260 
1261 int xfrmnl_sa_add(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1262 {
1263  int err;
1264  struct nl_msg *msg;
1265 
1266  if ((err = xfrmnl_sa_build_add_request(tmpl, flags, &msg)) < 0)
1267  return err;
1268 
1269  err = nl_send_auto_complete(sk, msg);
1270  nlmsg_free(msg);
1271  if (err < 0)
1272  return err;
1273 
1274  return nl_wait_for_ack(sk);
1275 }
1276 
1277 /**
1278  * @name XFRM SA Update
1279  * @{
1280  */
1281 
1282 int xfrmnl_sa_build_update_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1283 {
1284  return build_xfrm_sa_message (tmpl, XFRM_MSG_UPDSA, flags, result);
1285 }
1286 
1287 int xfrmnl_sa_update(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1288 {
1289  int err;
1290  struct nl_msg *msg;
1291 
1292  if ((err = xfrmnl_sa_build_update_request(tmpl, flags, &msg)) < 0)
1293  return err;
1294 
1295  err = nl_send_auto_complete(sk, msg);
1296  nlmsg_free(msg);
1297  if (err < 0)
1298  return err;
1299 
1300  return nl_wait_for_ack(sk);
1301 }
1302 
1303 /** @} */
1304 
1305 static int build_xfrm_sa_delete_message(struct xfrmnl_sa *tmpl, int cmd, int flags, struct nl_msg **result)
1306 {
1307  struct nl_msg* msg;
1308  struct xfrm_usersa_id sa_id;
1309 
1310  if (!(tmpl->ce_mask & XFRM_SA_ATTR_DADDR) ||
1311  !(tmpl->ce_mask & XFRM_SA_ATTR_SPI) ||
1312  !(tmpl->ce_mask & XFRM_SA_ATTR_PROTO))
1313  return -NLE_MISSING_ATTR;
1314 
1315  memcpy (&sa_id.daddr, nl_addr_get_binary_addr (tmpl->id.daddr),
1316  sizeof (uint8_t) * nl_addr_get_len (tmpl->id.daddr));
1317  sa_id.family = nl_addr_get_family (tmpl->id.daddr);
1318  sa_id.spi = htonl(tmpl->id.spi);
1319  sa_id.proto = tmpl->id.proto;
1320 
1321  msg = nlmsg_alloc_simple(cmd, flags);
1322  if (!msg)
1323  return -NLE_NOMEM;
1324 
1325  if (nlmsg_append(msg, &sa_id, sizeof(sa_id), NLMSG_ALIGNTO) < 0)
1326  goto nla_put_failure;
1327 
1328  if (tmpl->ce_mask & XFRM_SA_ATTR_MARK) {
1329  NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
1330  }
1331 
1332  *result = msg;
1333  return 0;
1334 
1335 nla_put_failure:
1336  nlmsg_free(msg);
1337  return -NLE_MSGSIZE;
1338 }
1339 
1340 /**
1341  * @name XFRM SA Delete
1342  * @{
1343  */
1344 
1345 int xfrmnl_sa_build_delete_request(struct xfrmnl_sa* tmpl, int flags, struct nl_msg **result)
1346 {
1347  return build_xfrm_sa_delete_message (tmpl, XFRM_MSG_DELSA, flags, result);
1348 }
1349 
1350 int xfrmnl_sa_delete(struct nl_sock* sk, struct xfrmnl_sa* tmpl, int flags)
1351 {
1352  int err;
1353  struct nl_msg *msg;
1354 
1355  if ((err = xfrmnl_sa_build_delete_request(tmpl, flags, &msg)) < 0)
1356  return err;
1357 
1358  err = nl_send_auto_complete(sk, msg);
1359  nlmsg_free(msg);
1360  if (err < 0)
1361  return err;
1362 
1363  return nl_wait_for_ack(sk);
1364 }
1365 
1366 /** @} */
1367 
1368 
1369 /**
1370  * @name Attributes
1371  * @{
1372  */
1373 
1374 struct xfrmnl_sel* xfrmnl_sa_get_sel (struct xfrmnl_sa* sa)
1375 {
1376  if (sa->ce_mask & XFRM_SA_ATTR_SEL)
1377  return sa->sel;
1378  else
1379  return NULL;
1380 }
1381 
1382 int xfrmnl_sa_set_sel (struct xfrmnl_sa* sa, struct xfrmnl_sel* sel)
1383 {
1384  /* Release any previously held selector object from the SA */
1385  if (sa->sel)
1386  xfrmnl_sel_put (sa->sel);
1387 
1388  /* Increment ref count on new selector and save it in the SA */
1389  xfrmnl_sel_get (sel);
1390  sa->sel = sel;
1391  sa->ce_mask |= XFRM_SA_ATTR_SEL;
1392 
1393  return 0;
1394 }
1395 
1396 static inline int __assign_addr(struct xfrmnl_sa* sa, struct nl_addr **pos,
1397  struct nl_addr *new, int flag, int nocheck)
1398 {
1399  if (!nocheck)
1400  {
1401  if (sa->ce_mask & XFRM_SA_ATTR_FAMILY)
1402  {
1403  if (nl_addr_get_family (new) != sa->family)
1404  return -NLE_AF_MISMATCH;
1405  }
1406  }
1407 
1408  if (*pos)
1409  nl_addr_put(*pos);
1410 
1411  nl_addr_get(new);
1412  *pos = new;
1413 
1414  sa->ce_mask |= flag;
1415 
1416  return 0;
1417 }
1418 
1419 
1420 struct nl_addr* xfrmnl_sa_get_daddr (struct xfrmnl_sa* sa)
1421 {
1422  if (sa->ce_mask & XFRM_SA_ATTR_DADDR)
1423  return sa->id.daddr;
1424  else
1425  return NULL;
1426 }
1427 
1428 int xfrmnl_sa_set_daddr (struct xfrmnl_sa* sa, struct nl_addr* addr)
1429 {
1430  return __assign_addr(sa, &sa->id.daddr, addr, XFRM_SA_ATTR_DADDR, 0);
1431 }
1432 
1433 int xfrmnl_sa_get_spi (struct xfrmnl_sa* sa)
1434 {
1435  if (sa->ce_mask & XFRM_SA_ATTR_SPI)
1436  return sa->id.spi;
1437  else
1438  return -1;
1439 }
1440 
1441 int xfrmnl_sa_set_spi (struct xfrmnl_sa* sa, unsigned int spi)
1442 {
1443  sa->id.spi = spi;
1444  sa->ce_mask |= XFRM_SA_ATTR_SPI;
1445 
1446  return 0;
1447 }
1448 
1449 int xfrmnl_sa_get_proto (struct xfrmnl_sa* sa)
1450 {
1451  if (sa->ce_mask & XFRM_SA_ATTR_PROTO)
1452  return sa->id.proto;
1453  else
1454  return -1;
1455 }
1456 
1457 int xfrmnl_sa_set_proto (struct xfrmnl_sa* sa, unsigned int protocol)
1458 {
1459  sa->id.proto = protocol;
1460  sa->ce_mask |= XFRM_SA_ATTR_PROTO;
1461 
1462  return 0;
1463 }
1464 
1465 struct nl_addr* xfrmnl_sa_get_saddr (struct xfrmnl_sa* sa)
1466 {
1467  if (sa->ce_mask & XFRM_SA_ATTR_SADDR)
1468  return sa->saddr;
1469  else
1470  return NULL;
1471 }
1472 
1473 int xfrmnl_sa_set_saddr (struct xfrmnl_sa* sa, struct nl_addr* addr)
1474 {
1475  return __assign_addr(sa, &sa->saddr, addr, XFRM_SA_ATTR_SADDR, 1);
1476 }
1477 
1478 struct xfrmnl_ltime_cfg* xfrmnl_sa_get_lifetime_cfg (struct xfrmnl_sa* sa)
1479 {
1480  if (sa->ce_mask & XFRM_SA_ATTR_LTIME_CFG)
1481  return sa->lft;
1482  else
1483  return NULL;
1484 }
1485 
1486 int xfrmnl_sa_set_lifetime_cfg (struct xfrmnl_sa* sa, struct xfrmnl_ltime_cfg* ltime)
1487 {
1488  /* Release any previously held lifetime cfg object from the SA */
1489  if (sa->lft)
1490  xfrmnl_ltime_cfg_put (sa->lft);
1491 
1492  /* Increment ref count on new lifetime object and save it in the SA */
1493  xfrmnl_ltime_cfg_get (ltime);
1494  sa->lft = ltime;
1495  sa->ce_mask |= XFRM_SA_ATTR_LTIME_CFG;
1496 
1497  return 0;
1498 }
1499 
1500 int xfrmnl_sa_get_curlifetime (struct xfrmnl_sa* sa, unsigned long long int* curr_bytes,
1501  unsigned long long int* curr_packets, unsigned long long int* curr_add_time, unsigned long long int* curr_use_time)
1502 {
1503  if (sa == NULL || curr_bytes == NULL || curr_packets == NULL || curr_add_time == NULL || curr_use_time == NULL)
1504  return -1;
1505 
1506  if (sa->ce_mask & XFRM_SA_ATTR_LTIME_CUR)
1507  {
1508  *curr_bytes = sa->curlft.bytes;
1509  *curr_packets = sa->curlft.packets;
1510  *curr_add_time = sa->curlft.add_time;
1511  *curr_use_time = sa->curlft.use_time;
1512  }
1513  else
1514  return -1;
1515 
1516  return 0;
1517 }
1518 
1519 int xfrmnl_sa_get_stats (struct xfrmnl_sa* sa, unsigned long long int* replay_window,
1520  unsigned long long int* replay, unsigned long long int* integrity_failed)
1521 {
1522  if (sa == NULL || replay_window == NULL || replay == NULL || integrity_failed == NULL)
1523  return -1;
1524 
1525  if (sa->ce_mask & XFRM_SA_ATTR_STATS)
1526  {
1527  *replay_window = sa->stats.replay_window;
1528  *replay = sa->stats.replay;
1529  *integrity_failed = sa->stats.integrity_failed;
1530  }
1531  else
1532  return -1;
1533 
1534  return 0;
1535 }
1536 
1537 int xfrmnl_sa_get_seq (struct xfrmnl_sa* sa)
1538 {
1539  if (sa->ce_mask & XFRM_SA_ATTR_SEQ)
1540  return sa->seq;
1541  else
1542  return -1;
1543 }
1544 
1545 int xfrmnl_sa_get_reqid (struct xfrmnl_sa* sa)
1546 {
1547  if (sa->ce_mask & XFRM_SA_ATTR_REQID)
1548  return sa->reqid;
1549  else
1550  return -1;
1551 }
1552 
1553 int xfrmnl_sa_set_reqid (struct xfrmnl_sa* sa, unsigned int reqid)
1554 {
1555  sa->reqid = reqid;
1556  sa->ce_mask |= XFRM_SA_ATTR_REQID;
1557 
1558  return 0;
1559 }
1560 
1561 int xfrmnl_sa_get_family (struct xfrmnl_sa* sa)
1562 {
1563  if (sa->ce_mask & XFRM_SA_ATTR_FAMILY)
1564  return sa->family;
1565  else
1566  return -1;
1567 }
1568 
1569 int xfrmnl_sa_set_family (struct xfrmnl_sa* sa, unsigned int family)
1570 {
1571  sa->family = family;
1572  sa->ce_mask |= XFRM_SA_ATTR_FAMILY;
1573 
1574  return 0;
1575 }
1576 
1577 int xfrmnl_sa_get_mode (struct xfrmnl_sa* sa)
1578 {
1579  if (sa->ce_mask & XFRM_SA_ATTR_MODE)
1580  return sa->mode;
1581  else
1582  return -1;
1583 }
1584 
1585 int xfrmnl_sa_set_mode (struct xfrmnl_sa* sa, unsigned int mode)
1586 {
1587  sa->mode = mode;
1588  sa->ce_mask |= XFRM_SA_ATTR_MODE;
1589 
1590  return 0;
1591 }
1592 
1593 int xfrmnl_sa_get_replay_window (struct xfrmnl_sa* sa)
1594 {
1595  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_WIN)
1596  return sa->replay_window;
1597  else
1598  return -1;
1599 }
1600 
1601 int xfrmnl_sa_set_replay_window (struct xfrmnl_sa* sa, unsigned int replay_window)
1602 {
1603  sa->replay_window = replay_window;
1604  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_WIN;
1605 
1606  return 0;
1607 }
1608 
1609 int xfrmnl_sa_get_flags (struct xfrmnl_sa* sa)
1610 {
1611  if (sa->ce_mask & XFRM_SA_ATTR_FLAGS)
1612  return sa->flags;
1613  else
1614  return -1;
1615 }
1616 
1617 int xfrmnl_sa_set_flags (struct xfrmnl_sa* sa, unsigned int flags)
1618 {
1619  sa->flags = flags;
1620  sa->ce_mask |= XFRM_SA_ATTR_FLAGS;
1621 
1622  return 0;
1623 }
1624 
1625 /**
1626  * Get the aead-params
1627  * @arg sa the xfrmnl_sa object
1628  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1629  * @arg key_len an optional output value for the key length in bits.
1630  * @arg icv_len an optional output value for the alt-icv-len.
1631  * @arg key an optional buffer large enough for the key. It must contain at least
1632  * ((@key_len + 7) / 8) bytes.
1633  *
1634  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1635  * call xfrmnl_sa_get_aead_params() without @key argument to query only the required buffer size.
1636  *
1637  * @return 0 on success or a negative error code.
1638  */
1639 int xfrmnl_sa_get_aead_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, unsigned int* icv_len, char* key)
1640 {
1641  if (sa->ce_mask & XFRM_SA_ATTR_ALG_AEAD)
1642  {
1643  if (alg_name)
1644  strcpy (alg_name, sa->aead->alg_name);
1645  if (key_len)
1646  *key_len = sa->aead->alg_key_len;
1647  if (icv_len)
1648  *icv_len = sa->aead->alg_icv_len;
1649  if (key)
1650  memcpy (key, sa->aead->alg_key, ((sa->aead->alg_key_len + 7)/8));
1651  }
1652  else
1653  return -1;
1654 
1655  return 0;
1656 }
1657 
1658 int xfrmnl_sa_set_aead_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, unsigned int icv_len, const char* key)
1659 {
1660  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1661  uint32_t newlen = sizeof (struct xfrmnl_algo_aead) + keysize;
1662 
1663  /* Free up the old key and allocate memory to hold new key */
1664  if (sa->aead)
1665  free (sa->aead);
1666  if (strlen (alg_name) >= sizeof (sa->aead->alg_name) || (sa->aead = calloc (1, newlen)) == NULL)
1667  return -1;
1668 
1669  /* Save the new info */
1670  strcpy (sa->aead->alg_name, alg_name);
1671  sa->aead->alg_key_len = key_len;
1672  sa->aead->alg_icv_len = icv_len;
1673  memcpy (sa->aead->alg_key, key, keysize);
1674 
1675  sa->ce_mask |= XFRM_SA_ATTR_ALG_AEAD;
1676 
1677  return 0;
1678 }
1679 
1680 /**
1681  * Get the auth-params
1682  * @arg sa the xfrmnl_sa object
1683  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1684  * @arg key_len an optional output value for the key length in bits.
1685  * @arg trunc_len an optional output value for the alg-trunc-len.
1686  * @arg key an optional buffer large enough for the key. It must contain at least
1687  * ((@key_len + 7) / 8) bytes.
1688  *
1689  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1690  * call xfrmnl_sa_get_auth_params() without @key argument to query only the required buffer size.
1691  *
1692  * @return 0 on success or a negative error code.
1693  */
1694 int xfrmnl_sa_get_auth_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, unsigned int* trunc_len, char* key)
1695 {
1696  if (sa->ce_mask & XFRM_SA_ATTR_ALG_AUTH)
1697  {
1698  if (alg_name)
1699  strcpy (alg_name, sa->auth->alg_name);
1700  if (key_len)
1701  *key_len = sa->auth->alg_key_len;
1702  if (trunc_len)
1703  *trunc_len = sa->auth->alg_trunc_len;
1704  if (key)
1705  memcpy (key, sa->auth->alg_key, (sa->auth->alg_key_len + 7)/8);
1706  }
1707  else
1708  return -1;
1709 
1710  return 0;
1711 }
1712 
1713 int xfrmnl_sa_set_auth_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, unsigned int trunc_len, const char* key)
1714 {
1715  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1716  uint32_t newlen = sizeof (struct xfrmnl_algo_auth) + keysize;
1717 
1718  /* Free up the old auth data and allocate new one */
1719  if (sa->auth)
1720  free (sa->auth);
1721  if (strlen (alg_name) >= sizeof (sa->auth->alg_name) || (sa->auth = calloc (1, newlen)) == NULL)
1722  return -1;
1723 
1724  /* Save the new info */
1725  strcpy (sa->auth->alg_name, alg_name);
1726  sa->auth->alg_key_len = key_len;
1727  sa->auth->alg_trunc_len = trunc_len;
1728  memcpy (sa->auth->alg_key, key, keysize);
1729 
1730  sa->ce_mask |= XFRM_SA_ATTR_ALG_AUTH;
1731 
1732  return 0;
1733 }
1734 
1735 /**
1736  * Get the crypto-params
1737  * @arg sa the xfrmnl_sa object
1738  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1739  * @arg key_len an optional output value for the key length in bits.
1740  * @arg key an optional buffer large enough for the key. It must contain at least
1741  * ((@key_len + 7) / 8) bytes.
1742  *
1743  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1744  * call xfrmnl_sa_get_crypto_params() without @key argument to query only the required buffer size.
1745  *
1746  * @return 0 on success or a negative error code.
1747  */
1748 int xfrmnl_sa_get_crypto_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, char* key)
1749 {
1750  if (sa->ce_mask & XFRM_SA_ATTR_ALG_CRYPT)
1751  {
1752  if (alg_name)
1753  strcpy (alg_name, sa->crypt->alg_name);
1754  if (key_len)
1755  *key_len = sa->crypt->alg_key_len;
1756  if (key)
1757  memcpy (key, sa->crypt->alg_key, ((sa->crypt->alg_key_len + 7)/8));
1758  }
1759  else
1760  return -1;
1761 
1762  return 0;
1763 }
1764 
1765 int xfrmnl_sa_set_crypto_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, const char* key)
1766 {
1767  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1768  uint32_t newlen = sizeof (struct xfrmnl_algo) + keysize;
1769 
1770  /* Free up the old crypto and allocate new one */
1771  if (sa->crypt)
1772  free (sa->crypt);
1773  if (strlen (alg_name) >= sizeof (sa->crypt->alg_name) || (sa->crypt = calloc (1, newlen)) == NULL)
1774  return -1;
1775 
1776  /* Save the new info */
1777  strcpy (sa->crypt->alg_name, alg_name);
1778  sa->crypt->alg_key_len = key_len;
1779  memcpy (sa->crypt->alg_key, key, keysize);
1780 
1781  sa->ce_mask |= XFRM_SA_ATTR_ALG_CRYPT;
1782 
1783  return 0;
1784 }
1785 
1786 /**
1787  * Get the comp-params
1788  * @arg sa the xfrmnl_sa object
1789  * @arg alg_name an optional output buffer for the algorithm name. Must be at least 64 bytes.
1790  * @arg key_len an optional output value for the key length in bits.
1791  * @arg key an optional buffer large enough for the key. It must contain at least
1792  * ((@key_len + 7) / 8) bytes.
1793  *
1794  * Warning: you must ensure that @key is large enough. If you don't know the key_len before-hand,
1795  * call xfrmnl_sa_get_comp_params() without @key argument to query only the required buffer size.
1796  *
1797  * @return 0 on success or a negative error code.
1798  */
1799 int xfrmnl_sa_get_comp_params (struct xfrmnl_sa* sa, char* alg_name, unsigned int* key_len, char* key)
1800 {
1801  if (sa->ce_mask & XFRM_SA_ATTR_ALG_COMP)
1802  {
1803  if (alg_name)
1804  strcpy (alg_name, sa->comp->alg_name);
1805  if (key_len)
1806  *key_len = sa->comp->alg_key_len;
1807  if (key)
1808  memcpy (key, sa->comp->alg_key, ((sa->comp->alg_key_len + 7)/8));
1809  }
1810  else
1811  return -1;
1812 
1813  return 0;
1814 }
1815 
1816 int xfrmnl_sa_set_comp_params (struct xfrmnl_sa* sa, const char* alg_name, unsigned int key_len, const char* key)
1817 {
1818  size_t keysize = sizeof (uint8_t) * ((key_len + 7)/8);
1819  uint32_t newlen = sizeof (struct xfrmnl_algo) + keysize;
1820 
1821  /* Free up the old compression algo params and allocate new one */
1822  if (sa->comp)
1823  free (sa->comp);
1824  if (strlen (alg_name) >= sizeof (sa->comp->alg_name) || (sa->comp = calloc (1, newlen)) == NULL)
1825  return -1;
1826 
1827  /* Save the new info */
1828  strcpy (sa->comp->alg_name, alg_name);
1829  sa->comp->alg_key_len = key_len;
1830  memcpy (sa->comp->alg_key, key, keysize);
1831 
1832  sa->ce_mask |= XFRM_SA_ATTR_ALG_COMP;
1833 
1834  return 0;
1835 }
1836 
1837 int xfrmnl_sa_get_encap_tmpl (struct xfrmnl_sa* sa, unsigned int* encap_type, unsigned int* encap_sport, unsigned int* encap_dport, struct nl_addr** encap_oa)
1838 {
1839  if (sa->ce_mask & XFRM_SA_ATTR_ENCAP)
1840  {
1841  *encap_type = sa->encap->encap_type;
1842  *encap_sport = sa->encap->encap_sport;
1843  *encap_dport = sa->encap->encap_dport;
1844  *encap_oa = nl_addr_clone (sa->encap->encap_oa);
1845  }
1846  else
1847  return -1;
1848 
1849  return 0;
1850 }
1851 
1852 int xfrmnl_sa_set_encap_tmpl (struct xfrmnl_sa* sa, unsigned int encap_type, unsigned int encap_sport, unsigned int encap_dport, struct nl_addr* encap_oa)
1853 {
1854  if (sa->encap) {
1855  /* Free up the old encap OA */
1856  if (sa->encap->encap_oa)
1857  nl_addr_put(sa->encap->encap_oa);
1858  memset(sa->encap, 0, sizeof (*sa->encap));
1859  } else if ((sa->encap = calloc(1, sizeof(*sa->encap))) == NULL)
1860  return -1;
1861 
1862  /* Save the new info */
1863  sa->encap->encap_type = encap_type;
1864  sa->encap->encap_sport = encap_sport;
1865  sa->encap->encap_dport = encap_dport;
1866  nl_addr_get (encap_oa);
1867  sa->encap->encap_oa = encap_oa;
1868 
1869  sa->ce_mask |= XFRM_SA_ATTR_ENCAP;
1870 
1871  return 0;
1872 }
1873 
1874 int xfrmnl_sa_get_tfcpad (struct xfrmnl_sa* sa)
1875 {
1876  if (sa->ce_mask & XFRM_SA_ATTR_TFCPAD)
1877  return sa->tfcpad;
1878  else
1879  return -1;
1880 }
1881 
1882 int xfrmnl_sa_set_tfcpad (struct xfrmnl_sa* sa, unsigned int tfcpad)
1883 {
1884  sa->tfcpad = tfcpad;
1885  sa->ce_mask |= XFRM_SA_ATTR_TFCPAD;
1886 
1887  return 0;
1888 }
1889 
1890 struct nl_addr* xfrmnl_sa_get_coaddr (struct xfrmnl_sa* sa)
1891 {
1892  if (sa->ce_mask & XFRM_SA_ATTR_COADDR)
1893  return sa->coaddr;
1894  else
1895  return NULL;
1896 }
1897 
1898 int xfrmnl_sa_set_coaddr (struct xfrmnl_sa* sa, struct nl_addr* coaddr)
1899 {
1900  /* Free up the old coaddr */
1901  if (sa->coaddr)
1902  nl_addr_put (sa->coaddr);
1903 
1904  /* Save the new info */
1905  nl_addr_get (coaddr);
1906  sa->coaddr = coaddr;
1907 
1908  sa->ce_mask |= XFRM_SA_ATTR_COADDR;
1909 
1910  return 0;
1911 }
1912 
1913 int xfrmnl_sa_get_mark (struct xfrmnl_sa* sa, unsigned int* mark_mask, unsigned int* mark_value)
1914 {
1915  if (mark_mask == NULL || mark_value == NULL)
1916  return -1;
1917 
1918  if (sa->ce_mask & XFRM_SA_ATTR_MARK)
1919  {
1920  *mark_mask = sa->mark.m;
1921  *mark_value = sa->mark.v;
1922 
1923  return 0;
1924  }
1925  else
1926  return -1;
1927 }
1928 
1929 int xfrmnl_sa_set_mark (struct xfrmnl_sa* sa, unsigned int value, unsigned int mask)
1930 {
1931  sa->mark.v = value;
1932  sa->mark.m = mask;
1933  sa->ce_mask |= XFRM_SA_ATTR_MARK;
1934 
1935  return 0;
1936 }
1937 
1938 int xfrmnl_sa_get_sec_ctx (struct xfrmnl_sa* sa, unsigned int* doi, unsigned int* alg, unsigned int* len, unsigned int* sid, char* ctx_str)
1939 {
1940  if (sa->ce_mask & XFRM_SA_ATTR_SECCTX)
1941  {
1942  *doi = sa->sec_ctx->ctx_doi;
1943  *alg = sa->sec_ctx->ctx_alg;
1944  *len = sa->sec_ctx->ctx_len;
1945  *sid = sa->sec_ctx->ctx_sid;
1946  memcpy ((void *)ctx_str, (void *)sa->sec_ctx->ctx_str, sizeof (uint8_t) * sa->sec_ctx->ctx_len);
1947  }
1948  else
1949  return -1;
1950 
1951  return 0;
1952 }
1953 
1954 int xfrmnl_sa_set_sec_ctx (struct xfrmnl_sa* sa, unsigned int doi, unsigned int alg, unsigned int len, unsigned int sid, const char* ctx_str)
1955 {
1956  /* Free up the old context string and allocate new one */
1957  if (sa->sec_ctx)
1958  free (sa->sec_ctx);
1959  if ((sa->sec_ctx = calloc (1, sizeof (struct xfrmnl_sec_ctx) + (sizeof (uint8_t) * len))) == NULL)
1960  return -1;
1961 
1962  /* Save the new info */
1963  sa->sec_ctx->ctx_doi = doi;
1964  sa->sec_ctx->ctx_alg = alg;
1965  sa->sec_ctx->ctx_len = len;
1966  sa->sec_ctx->ctx_sid = sid;
1967  memcpy (sa->sec_ctx->ctx_str, ctx_str, sizeof (uint8_t) * len);
1968 
1969  sa->ce_mask |= XFRM_SA_ATTR_SECCTX;
1970 
1971  return 0;
1972 }
1973 
1974 
1975 int xfrmnl_sa_get_replay_maxage (struct xfrmnl_sa* sa)
1976 {
1977  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_MAXAGE)
1978  return sa->replay_maxage;
1979  else
1980  return -1;
1981 }
1982 
1983 int xfrmnl_sa_set_replay_maxage (struct xfrmnl_sa* sa, unsigned int replay_maxage)
1984 {
1985  sa->replay_maxage = replay_maxage;
1986  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXAGE;
1987 
1988  return 0;
1989 }
1990 
1991 int xfrmnl_sa_get_replay_maxdiff (struct xfrmnl_sa* sa)
1992 {
1993  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_MAXDIFF)
1994  return sa->replay_maxdiff;
1995  else
1996  return -1;
1997 }
1998 
1999 int xfrmnl_sa_set_replay_maxdiff (struct xfrmnl_sa* sa, unsigned int replay_maxdiff)
2000 {
2001  sa->replay_maxdiff = replay_maxdiff;
2002  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_MAXDIFF;
2003 
2004  return 0;
2005 }
2006 
2007 int xfrmnl_sa_get_replay_state (struct xfrmnl_sa* sa, unsigned int* oseq, unsigned int* seq, unsigned int* bmp)
2008 {
2009  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
2010  {
2011  if (sa->replay_state_esn == NULL)
2012  {
2013  *oseq = sa->replay_state.oseq;
2014  *seq = sa->replay_state.seq;
2015  *bmp = sa->replay_state.bitmap;
2016 
2017  return 0;
2018  }
2019  else
2020  {
2021  return -1;
2022  }
2023  }
2024  else
2025  return -1;
2026 }
2027 
2028 int xfrmnl_sa_set_replay_state (struct xfrmnl_sa* sa, unsigned int oseq, unsigned int seq, unsigned int bitmap)
2029 {
2030  sa->replay_state.oseq = oseq;
2031  sa->replay_state.seq = seq;
2032  sa->replay_state.bitmap = bitmap;
2033  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
2034 
2035  return 0;
2036 }
2037 
2038 int xfrmnl_sa_get_replay_state_esn (struct xfrmnl_sa* sa, unsigned int* oseq, unsigned int* seq, unsigned int* oseq_hi,
2039  unsigned int* seq_hi, unsigned int* replay_window, unsigned int* bmp_len, unsigned int* bmp)
2040 {
2041  if (sa->ce_mask & XFRM_SA_ATTR_REPLAY_STATE)
2042  {
2043  if (sa->replay_state_esn)
2044  {
2045  *oseq = sa->replay_state_esn->oseq;
2046  *seq = sa->replay_state_esn->seq;
2047  *oseq_hi= sa->replay_state_esn->oseq_hi;
2048  *seq_hi = sa->replay_state_esn->seq_hi;
2049  *replay_window = sa->replay_state_esn->replay_window;
2050  *bmp_len = sa->replay_state_esn->bmp_len; // In number of 32 bit words
2051  memcpy (bmp, sa->replay_state_esn->bmp, sa->replay_state_esn->bmp_len * sizeof (uint32_t));
2052 
2053  return 0;
2054  }
2055  else
2056  {
2057  return -1;
2058  }
2059  }
2060  else
2061  return -1;
2062 }
2063 
2064 int xfrmnl_sa_set_replay_state_esn (struct xfrmnl_sa* sa, unsigned int oseq, unsigned int seq,
2065  unsigned int oseq_hi, unsigned int seq_hi, unsigned int replay_window,
2066  unsigned int bmp_len, unsigned int* bmp)
2067 {
2068  /* Free the old replay state and allocate space to hold new one */
2069  if (sa->replay_state_esn)
2070  free (sa->replay_state_esn);
2071 
2072  if ((sa->replay_state_esn = calloc (1, sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * bmp_len))) == NULL)
2073  return -1;
2074  sa->replay_state_esn->oseq = oseq;
2075  sa->replay_state_esn->seq = seq;
2076  sa->replay_state_esn->oseq_hi = oseq_hi;
2077  sa->replay_state_esn->seq_hi = seq_hi;
2078  sa->replay_state_esn->replay_window = replay_window;
2079  sa->replay_state_esn->bmp_len = bmp_len; // In number of 32 bit words
2080  memcpy (sa->replay_state_esn->bmp, bmp, bmp_len * sizeof (uint32_t));
2081  sa->ce_mask |= XFRM_SA_ATTR_REPLAY_STATE;
2082 
2083  return 0;
2084 }
2085 
2086 
2087 int xfrmnl_sa_is_hardexpiry_reached (struct xfrmnl_sa* sa)
2088 {
2089  if (sa->ce_mask & XFRM_SA_ATTR_EXPIRE)
2090  return (sa->hard > 0 ? 1: 0);
2091  else
2092  return 0;
2093 }
2094 
2095 int xfrmnl_sa_is_expiry_reached (struct xfrmnl_sa* sa)
2096 {
2097  if (sa->ce_mask & XFRM_SA_ATTR_EXPIRE)
2098  return 1;
2099  else
2100  return 0;
2101 }
2102 
2103 /** @} */
2104 
2105 static struct nl_object_ops xfrm_sa_obj_ops = {
2106  .oo_name = "xfrm/sa",
2107  .oo_size = sizeof(struct xfrmnl_sa),
2108  .oo_constructor = xfrm_sa_alloc_data,
2109  .oo_free_data = xfrm_sa_free_data,
2110  .oo_clone = xfrm_sa_clone,
2111  .oo_dump = {
2112  [NL_DUMP_LINE] = xfrm_sa_dump_line,
2113  [NL_DUMP_DETAILS] = xfrm_sa_dump_details,
2114  [NL_DUMP_STATS] = xfrm_sa_dump_stats,
2115  },
2116  .oo_compare = xfrm_sa_compare,
2117  .oo_attrs2str = xfrm_sa_attrs2str,
2118  .oo_id_attrs = (XFRM_SA_ATTR_DADDR | XFRM_SA_ATTR_SPI | XFRM_SA_ATTR_PROTO),
2119 };
2120 
2121 static struct nl_af_group xfrm_sa_groups[] = {
2122  { AF_UNSPEC, XFRMNLGRP_SA },
2123  { AF_UNSPEC, XFRMNLGRP_EXPIRE },
2124  { END_OF_GROUP_LIST },
2125 };
2126 
2127 static struct nl_cache_ops xfrmnl_sa_ops = {
2128  .co_name = "xfrm/sa",
2129  .co_hdrsize = sizeof(struct xfrm_usersa_info),
2130  .co_msgtypes = {
2131  { XFRM_MSG_NEWSA, NL_ACT_NEW, "new" },
2132  { XFRM_MSG_DELSA, NL_ACT_DEL, "del" },
2133  { XFRM_MSG_GETSA, NL_ACT_GET, "get" },
2134  { XFRM_MSG_EXPIRE, NL_ACT_UNSPEC, "expire"},
2135  { XFRM_MSG_UPDSA, NL_ACT_NEW, "update"},
2136  END_OF_MSGTYPES_LIST,
2137  },
2138  .co_protocol = NETLINK_XFRM,
2139  .co_groups = xfrm_sa_groups,
2140  .co_request_update = xfrm_sa_request_update,
2141  .co_msg_parser = xfrm_sa_msg_parser,
2142  .co_obj_ops = &xfrm_sa_obj_ops,
2143  .co_include_event = &xfrm_sa_update_cache
2144 };
2145 
2146 /**
2147  * @name XFRM SA Cache Managament
2148  * @{
2149  */
2150 
2151 static void __attribute__ ((constructor)) xfrm_sa_init(void)
2152 {
2153  nl_cache_mngt_register(&xfrmnl_sa_ops);
2154 }
2155 
2156 static void __attribute__ ((destructor)) xfrm_sa_exit(void)
2157 {
2158  nl_cache_mngt_unregister(&xfrmnl_sa_ops);
2159 }
2160 
2161 /** @} */
int nl_send_auto_complete(struct nl_sock *sk, struct nl_msg *msg)
Definition: nl.c:1252
struct nl_addr * nl_addr_clone(const struct nl_addr *addr)
Clone existing abstract address object.
Definition: addr.c:471
Dump object briefly on one line.
Definition: types.h:22
void nl_addr_set_prefixlen(struct nl_addr *addr, int prefixlen)
Set the prefix length of an abstract address.
Definition: addr.c:917
void nlmsg_free(struct nl_msg *msg)
Release a reference from an netlink message.
Definition: msg.c:558
int nl_addr_cmp(const struct nl_addr *a, const struct nl_addr *b)
Compare abstract addresses.
Definition: addr.c:563
void * nlmsg_data(const struct nlmsghdr *nlh)
Return pointer to message payload.
Definition: msg.c:105
struct nl_object * nl_object_alloc(struct nl_object_ops *ops)
Allocate a new object of kind specified by the operations handle.
Definition: object.c:54
int nl_cache_mngt_unregister(struct nl_cache_ops *ops)
Unregister a set of cache operations.
Definition: cache_mngt.c:287
Attribute validation policy.
Definition: attr.h:67
void nl_object_get(struct nl_object *obj)
Acquire a reference on a object.
Definition: object.c:204
struct nl_addr * nl_addr_build(int family, const void *buf, size_t size)
Allocate abstract address based on a binary address.
Definition: addr.c:216
int nlmsg_parse(struct nlmsghdr *nlh, int hdrlen, struct nlattr *tb[], int maxtype, struct nla_policy *policy)
parse attributes of a netlink message
Definition: msg.c:213
struct xfrmnl_ltime_cfg * xfrmnl_ltime_cfg_clone(struct xfrmnl_ltime_cfg *ltime)
Clone existing lifetime config object.
Definition: lifetime.c:93
struct nlattr * nla_reserve(struct nl_msg *msg, int attrtype, int attrlen)
Reserve space for a attribute.
Definition: attr.c:456
struct nl_addr * nl_addr_get(struct nl_addr *addr)
Increase the reference counter of an abstract address.
Definition: addr.c:501
Dump all attributes but no statistics.
Definition: types.h:23
int nl_cache_mngt_register(struct nl_cache_ops *ops)
Register a set of cache operations.
Definition: cache_mngt.c:252
struct nl_object * nl_cache_search(struct nl_cache *cache, struct nl_object *needle)
Search object in cache.
Definition: cache.c:1063
#define NLA_PUT(msg, attrtype, attrlen, data)
Add unspecific attribute to netlink message.
Definition: attr.h:162
int nl_object_get_msgtype(const struct nl_object *obj)
Return the netlink message type the object was derived from.
Definition: object.c:529
void nl_cache_remove(struct nl_object *obj)
Remove object from cache.
Definition: cache.c:551
void * nla_data(const struct nlattr *nla)
Return pointer to the payload section.
Definition: attr.c:120
int xfrmnl_sel_cmp(struct xfrmnl_sel *a, struct xfrmnl_sel *b)
Compares two selector objects.
Definition: selector.c:160
#define NLA_PUT_U32(msg, attrtype, value)
Add 32 bit integer attribute to netlink message.
Definition: attr.h:233
uint16_t minlen
Minimal length of payload required.
Definition: attr.h:72
int nl_send_simple(struct nl_sock *sk, int type, int flags, void *buf, size_t size)
Construct and transmit a Netlink message.
Definition: nl.c:584
struct nl_object * nl_cache_get_next(struct nl_object *obj)
Return the next element in the cache.
Definition: cache.c:145
int nlmsg_append(struct nl_msg *n, void *data, size_t len, int pad)
Append data to tail of a netlink message.
Definition: msg.c:442
int nl_wait_for_ack(struct nl_sock *sk)
Wait for ACK.
Definition: nl.c:1117
void nl_object_put(struct nl_object *obj)
Release a reference from an object.
Definition: object.c:215
int nl_cache_move(struct nl_cache *cache, struct nl_object *obj)
Move object from one cache to another.
Definition: cache.c:523
void nl_addr_put(struct nl_addr *addr)
Decrease the reference counter of an abstract address.
Definition: addr.c:517
struct nl_msg * nlmsg_alloc_simple(int nlmsgtype, int flags)
Allocate a new netlink message.
Definition: msg.c:346
struct xfrmnl_sel * xfrmnl_sel_alloc()
Allocate new selector object.
Definition: selector.c:76
32 bit integer
Definition: attr.h:41
struct xfrmnl_sel * xfrmnl_sel_clone(struct xfrmnl_sel *sel)
Clone existing selector object.
Definition: selector.c:95
struct xfrmnl_ltime_cfg * xfrmnl_ltime_cfg_alloc()
Allocate new lifetime config object.
Definition: lifetime.c:74
Dumping parameters.
Definition: types.h:33
int xfrmnl_ltime_cfg_cmp(struct xfrmnl_ltime_cfg *a, struct xfrmnl_ltime_cfg *b)
Compares two lifetime config objects.
Definition: lifetime.c:154
int nl_pickup(struct nl_sock *sk, int(*parser)(struct nl_cache_ops *, struct sockaddr_nl *, struct nlmsghdr *, struct nl_parser_param *), struct nl_object **result)
Pickup netlink answer, parse is and return object.
Definition: nl.c:1183
void nl_dump(struct nl_dump_params *params, const char *fmt,...)
Dump a formatted character string.
Definition: utils.c:914
int nl_send_auto(struct nl_sock *sk, struct nl_msg *msg)
Finalize and transmit Netlink message.
Definition: nl.c:520
unsigned int nl_addr_get_len(const struct nl_addr *addr)
Get length of binary address of abstract address object.
Definition: addr.c:905
Dump all attributes including statistics.
Definition: types.h:24
struct nl_object * nl_cache_get_first(struct nl_cache *cache)
Return the first element in the cache.
Definition: cache.c:119
void * nl_addr_get_binary_addr(const struct nl_addr *addr)
Get binary address of abstract address object.
Definition: addr.c:893
int nl_cache_alloc_and_fill(struct nl_cache_ops *ops, struct nl_sock *sock, struct nl_cache **result)
Allocate new cache and fill it.
Definition: cache.c:233
uint32_t nl_object_diff(struct nl_object *a, struct nl_object *b)
Compute 32-bit bitmask representing difference in attribute values.
Definition: object.c:385
char * nl_addr2str(const struct nl_addr *addr, char *buf, size_t size)
Convert abstract address object to character string.
Definition: addr.c:951
int nl_addr_get_family(const struct nl_addr *addr)
Return address family.
Definition: addr.c:845