1#!/usr/bin/python 2# 3# Copyright 2016 The Android Open Source Project 4# 5# Licensed under the Apache License, Version 2.0 (the "License"); 6# you may not use this file except in compliance with the License. 7# You may obtain a copy of the License at 8# 9# http://www.apache.org/licenses/LICENSE-2.0 10# 11# Unless required by applicable law or agreed to in writing, software 12# distributed under the License is distributed on an "AS IS" BASIS, 13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14# See the License for the specific language governing permissions and 15# limitations under the License. 16 17"""Partial implementation of xfrm netlink code and socket options.""" 18 19# pylint: disable=g-bad-todo 20 21import os 22from socket import * # pylint: disable=wildcard-import 23import struct 24 25import net_test 26import csocket 27import cstruct 28import netlink 29 30 31# Netlink constants. See include/uapi/linux/xfrm.h. 32# Message types. 33XFRM_MSG_NEWSA = 16 34XFRM_MSG_DELSA = 17 35XFRM_MSG_GETSA = 18 36XFRM_MSG_NEWPOLICY = 19 37XFRM_MSG_DELPOLICY = 20 38XFRM_MSG_GETPOLICY = 21 39XFRM_MSG_ALLOCSPI = 22 40XFRM_MSG_ACQUIRE = 23 41XFRM_MSG_EXPIRE = 24 42XFRM_MSG_UPDPOLICY = 25 43XFRM_MSG_UPDSA = 26 44XFRM_MSG_POLEXPIRE = 27 45XFRM_MSG_FLUSHSA = 28 46XFRM_MSG_FLUSHPOLICY = 29 47XFRM_MSG_NEWAE = 30 48XFRM_MSG_GETAE = 31 49XFRM_MSG_REPORT = 32 50XFRM_MSG_MIGRATE = 33 51XFRM_MSG_NEWSADINFO = 34 52XFRM_MSG_GETSADINFO = 35 53XFRM_MSG_NEWSPDINFO = 36 54XFRM_MSG_GETSPDINFO = 37 55XFRM_MSG_MAPPING = 38 56 57# Attributes. 58XFRMA_UNSPEC = 0 59XFRMA_ALG_AUTH = 1 60XFRMA_ALG_CRYPT = 2 61XFRMA_ALG_COMP = 3 62XFRMA_ENCAP = 4 63XFRMA_TMPL = 5 64XFRMA_SA = 6 65XFRMA_POLICY = 7 66XFRMA_SEC_CTX = 8 67XFRMA_LTIME_VAL = 9 68XFRMA_REPLAY_VAL = 10 69XFRMA_REPLAY_THRESH = 11 70XFRMA_ETIMER_THRESH = 12 71XFRMA_SRCADDR = 13 72XFRMA_COADDR = 14 73XFRMA_LASTUSED = 15 74XFRMA_POLICY_TYPE = 16 75XFRMA_MIGRATE = 17 76XFRMA_ALG_AEAD = 18 77XFRMA_KMADDRESS = 19 78XFRMA_ALG_AUTH_TRUNC = 20 79XFRMA_MARK = 21 80XFRMA_TFCPAD = 22 81XFRMA_REPLAY_ESN_VAL = 23 82XFRMA_SA_EXTRA_FLAGS = 24 83XFRMA_PROTO = 25 84XFRMA_ADDRESS_FILTER = 26 85XFRMA_PAD = 27 86XFRMA_OFFLOAD_DEV = 28 87XFRMA_OUTPUT_MARK = 29 88XFRMA_INPUT_MARK = 30 89XFRMA_IF_ID = 31 90 91# Other netlink constants. See include/uapi/linux/xfrm.h. 92 93# Directions. 94XFRM_POLICY_IN = 0 95XFRM_POLICY_OUT = 1 96XFRM_POLICY_FWD = 2 97XFRM_POLICY_MASK = 3 98 99# Policy sharing. 100XFRM_SHARE_ANY = 0 # /* No limitations */ 101XFRM_SHARE_SESSION = 1 # /* For this session only */ 102XFRM_SHARE_USER = 2 # /* For this user only */ 103XFRM_SHARE_UNIQUE = 3 # /* Use once */ 104 105# Modes. 106XFRM_MODE_TRANSPORT = 0 107XFRM_MODE_TUNNEL = 1 108XFRM_MODE_ROUTEOPTIMIZATION = 2 109XFRM_MODE_IN_TRIGGER = 3 110XFRM_MODE_BEET = 4 111XFRM_MODE_MAX = 5 112 113# Actions. 114XFRM_POLICY_ALLOW = 0 115XFRM_POLICY_BLOCK = 1 116 117# Policy flags. 118XFRM_POLICY_LOCALOK = 1 119XFRM_POLICY_ICMP = 2 120 121# State flags. 122XFRM_STATE_AF_UNSPEC = 32 123 124# XFRM algorithm names, as defined in net/xfrm/xfrm_algo.c. 125XFRM_EALG_CBC_AES = "cbc(aes)" 126XFRM_EALG_CTR_AES = "rfc3686(ctr(aes))" 127XFRM_AALG_HMAC_MD5 = "hmac(md5)" 128XFRM_AALG_HMAC_SHA1 = "hmac(sha1)" 129XFRM_AALG_HMAC_SHA256 = "hmac(sha256)" 130XFRM_AALG_HMAC_SHA384 = "hmac(sha384)" 131XFRM_AALG_HMAC_SHA512 = "hmac(sha512)" 132XFRM_AALG_AUTH_XCBC_AES = "xcbc(aes)" 133XFRM_AEAD_GCM_AES = "rfc4106(gcm(aes))" 134XFRM_AEAD_CHACHA20_POLY1305 = "rfc7539esp(chacha20,poly1305)" 135 136# Data structure formats. 137# These aren't constants, they're classes. So, pylint: disable=invalid-name 138XfrmSelector = cstruct.Struct( 139 "XfrmSelector", "=16s16sHHHHHBBBxxxiI", 140 "daddr saddr dport dport_mask sport sport_mask " 141 "family prefixlen_d prefixlen_s proto ifindex user") 142 143XfrmMigrate = cstruct.Struct( 144 "XfrmMigrate", "=16s16s16s16sBBxxIHH", 145 "old_daddr old_saddr new_daddr new_saddr proto " 146 "mode reqid old_family new_family") 147 148XfrmLifetimeCfg = cstruct.Struct( 149 "XfrmLifetimeCfg", "=QQQQQQQQ", 150 "soft_byte hard_byte soft_packet hard_packet " 151 "soft_add_expires hard_add_expires soft_use_expires hard_use_expires") 152 153XfrmLifetimeCur = cstruct.Struct( 154 "XfrmLifetimeCur", "=QQQQ", "bytes packets add_time use_time") 155 156XfrmAlgo = cstruct.Struct("XfrmAlgo", "=64AI", "name key_len") 157 158XfrmAlgoAuth = cstruct.Struct("XfrmAlgoAuth", "=64AII", 159 "name key_len trunc_len") 160 161XfrmAlgoAead = cstruct.Struct("XfrmAlgoAead", "=64AII", "name key_len icv_len") 162 163XfrmStats = cstruct.Struct( 164 "XfrmStats", "=III", "replay_window replay integrity_failed") 165 166XfrmId = cstruct.Struct("XfrmId", "!16sIBxxx", "daddr spi proto") 167 168XfrmUserTmpl = cstruct.Struct( 169 "XfrmUserTmpl", "=SHxx16sIBBBxIII", 170 "id family saddr reqid mode share optional aalgos ealgos calgos", 171 [XfrmId]) 172 173XfrmEncapTmpl = cstruct.Struct( 174 "XfrmEncapTmpl", "=HHHxx16s", "type sport dport oa") 175 176XfrmUsersaInfo = cstruct.Struct( 177 "XfrmUsersaInfo", "=SS16sSSSIIHBBB7x", 178 "sel id saddr lft curlft stats seq reqid family mode replay_window flags", 179 [XfrmSelector, XfrmId, XfrmLifetimeCfg, XfrmLifetimeCur, XfrmStats]) 180 181XfrmUserSpiInfo = cstruct.Struct( 182 "XfrmUserSpiInfo", "=SII", "info min max", [XfrmUsersaInfo]) 183 184# Technically the family is a 16-bit field, but only a few families are in use, 185# and if we pretend it's 8 bits (i.e., use "Bx" instead of "H") we can think 186# of the whole structure as being in network byte order. 187XfrmUsersaId = cstruct.Struct( 188 "XfrmUsersaId", "!16sIBxBx", "daddr spi family proto") 189 190# xfrm.h - struct xfrm_userpolicy_info 191XfrmUserpolicyInfo = cstruct.Struct( 192 "XfrmUserpolicyInfo", "=SSSIIBBBBxxxx", 193 "sel lft curlft priority index dir action flags share", 194 [XfrmSelector, XfrmLifetimeCfg, XfrmLifetimeCur]) 195 196XfrmUserpolicyId = cstruct.Struct( 197 "XfrmUserpolicyId", "=SIBxxx", "sel index dir", [XfrmSelector]) 198 199XfrmUsersaFlush = cstruct.Struct("XfrmUsersaFlush", "=B", "proto") 200 201XfrmMark = cstruct.Struct("XfrmMark", "=II", "mark mask") 202 203# Socket options. See include/uapi/linux/in.h. 204IP_IPSEC_POLICY = 16 205IP_XFRM_POLICY = 17 206IPV6_IPSEC_POLICY = 34 207IPV6_XFRM_POLICY = 35 208 209# UDP encapsulation constants. See include/uapi/linux/udp.h. 210UDP_ENCAP = 100 211UDP_ENCAP_ESPINUDP_NON_IKE = 1 212UDP_ENCAP_ESPINUDP = 2 213 214_INF = 2 ** 64 -1 215NO_LIFETIME_CFG = XfrmLifetimeCfg((_INF, _INF, _INF, _INF, 0, 0, 0, 0)) 216NO_LIFETIME_CUR = "\x00" * len(XfrmLifetimeCur) 217 218# IPsec constants. 219IPSEC_PROTO_ANY = 255 220 221# ESP header, not technically XFRM but we need a place for a protocol 222# header and this is the only one we have. 223# TODO: move this somewhere more appropriate when possible 224EspHdr = cstruct.Struct("EspHdr", "!II", "spi seqnum") 225 226# Local constants. 227_DEFAULT_REPLAY_WINDOW = 4 228ALL_ALGORITHMS = 0xffffffff 229 230# Policy-SA match method (for VTI/XFRM-I). 231MATCH_METHOD_ALL = "all" 232MATCH_METHOD_MARK = "mark" 233MATCH_METHOD_IFID = "ifid" 234 235 236def RawAddress(addr): 237 """Converts an IP address string to binary format.""" 238 family = AF_INET6 if ":" in addr else AF_INET 239 return inet_pton(family, addr) 240 241 242def PaddedAddress(addr): 243 """Converts an IP address string to binary format for InetDiagSockId.""" 244 padded = RawAddress(addr) 245 if len(padded) < 16: 246 padded += "\x00" * (16 - len(padded)) 247 return padded 248 249 250XFRM_ADDR_ANY = PaddedAddress("::") 251 252 253def EmptySelector(family): 254 """A selector that matches all packets of the specified address family.""" 255 return XfrmSelector(family=family) 256 257 258def SrcDstSelector(src, dst): 259 """A selector that matches packets between the specified IP addresses.""" 260 srcver = csocket.AddressVersion(src) 261 dstver = csocket.AddressVersion(dst) 262 if srcver != dstver: 263 raise ValueError("Cross-address family selector specified: %s -> %s" % 264 (src, dst)) 265 prefixlen = net_test.AddressLengthBits(srcver) 266 family = net_test.GetAddressFamily(srcver) 267 return XfrmSelector(saddr=PaddedAddress(src), daddr=PaddedAddress(dst), 268 prefixlen_s=prefixlen, prefixlen_d=prefixlen, family=family) 269 270 271def UserPolicy(direction, selector): 272 """Create an IPsec policy. 273 274 Args: 275 direction: XFRM_POLICY_IN or XFRM_POLICY_OUT 276 selector: An XfrmSelector, the packets to transform. 277 278 Return: a XfrmUserpolicyInfo cstruct. 279 """ 280 # Create a user policy that specifies that all packets in the specified 281 # direction matching the selector should be encrypted. 282 return XfrmUserpolicyInfo( 283 sel=selector, 284 lft=NO_LIFETIME_CFG, 285 curlft=NO_LIFETIME_CUR, 286 dir=direction, 287 action=XFRM_POLICY_ALLOW, 288 flags=XFRM_POLICY_LOCALOK, 289 share=XFRM_SHARE_UNIQUE) 290 291 292def UserTemplate(family, spi, reqid, tun_addrs): 293 """Create an ESP policy and template. 294 295 Args: 296 spi: 32-bit SPI in host byte order 297 reqid: 32-bit ID matched against SAs 298 tun_addrs: A tuple of (local, remote) addresses for tunnel mode, or None 299 to request a transport mode SA. 300 301 Return: a tuple of XfrmUserpolicyInfo, XfrmUserTmpl 302 """ 303 # For transport mode, set template source and destination are empty. 304 # For tunnel mode, explicitly specify source and destination addresses. 305 if tun_addrs is None: 306 mode = XFRM_MODE_TRANSPORT 307 saddr = XFRM_ADDR_ANY 308 daddr = XFRM_ADDR_ANY 309 else: 310 mode = XFRM_MODE_TUNNEL 311 saddr = PaddedAddress(tun_addrs[0]) 312 daddr = PaddedAddress(tun_addrs[1]) 313 314 # Create a template that specifies the SPI and the protocol. 315 xfrmid = XfrmId(daddr=daddr, spi=spi, proto=IPPROTO_ESP) 316 template = XfrmUserTmpl( 317 id=xfrmid, 318 family=family, 319 saddr=saddr, 320 reqid=reqid, 321 mode=mode, 322 share=XFRM_SHARE_UNIQUE, 323 optional=0, #require 324 aalgos=ALL_ALGORITHMS, 325 ealgos=ALL_ALGORITHMS, 326 calgos=ALL_ALGORITHMS) 327 328 return template 329 330 331def ExactMatchMark(mark): 332 """An XfrmMark that matches only the specified mark.""" 333 return XfrmMark((mark, 0xffffffff)) 334 335 336class Xfrm(netlink.NetlinkSocket): 337 """Netlink interface to xfrm.""" 338 339 DEBUG = False 340 341 def __init__(self): 342 super(Xfrm, self).__init__(netlink.NETLINK_XFRM) 343 344 def _GetConstantName(self, value, prefix): 345 return super(Xfrm, self)._GetConstantName(__name__, value, prefix) 346 347 def MaybeDebugCommand(self, command, flags, data): 348 if "ALL" not in self.NL_DEBUG and "XFRM" not in self.NL_DEBUG: 349 return 350 351 if command == XFRM_MSG_GETSA: 352 if flags & netlink.NLM_F_DUMP: 353 struct_type = XfrmUsersaInfo 354 else: 355 struct_type = XfrmUsersaId 356 elif command == XFRM_MSG_DELSA: 357 struct_type = XfrmUsersaId 358 elif command == XFRM_MSG_ALLOCSPI: 359 struct_type = XfrmUserSpiInfo 360 elif command == XFRM_MSG_NEWPOLICY: 361 struct_type = XfrmUserpolicyInfo 362 else: 363 struct_type = None 364 365 cmdname = self._GetConstantName(command, "XFRM_MSG_") 366 if struct_type: 367 print("%s %s" % (cmdname, str(self._ParseNLMsg(data, struct_type)))) 368 else: 369 print("%s" % cmdname) 370 371 def _Decode(self, command, unused_msg, nla_type, nla_data): 372 """Decodes netlink attributes to Python types.""" 373 name = self._GetConstantName(nla_type, "XFRMA_") 374 375 if name in ["XFRMA_ALG_CRYPT", "XFRMA_ALG_AUTH"]: 376 data = cstruct.Read(nla_data, XfrmAlgo)[0] 377 elif name == "XFRMA_ALG_AUTH_TRUNC": 378 data = cstruct.Read(nla_data, XfrmAlgoAuth)[0] 379 elif name == "XFRMA_ENCAP": 380 data = cstruct.Read(nla_data, XfrmEncapTmpl)[0] 381 elif name == "XFRMA_MARK": 382 data = cstruct.Read(nla_data, XfrmMark)[0] 383 elif name == "XFRMA_OUTPUT_MARK": 384 data = struct.unpack("=I", nla_data)[0] 385 elif name == "XFRMA_TMPL": 386 data = cstruct.Read(nla_data, XfrmUserTmpl)[0] 387 elif name == "XFRMA_IF_ID": 388 data = struct.unpack("=I", nla_data)[0] 389 else: 390 data = nla_data 391 392 return name, data 393 394 def _UpdatePolicyInfo(self, msg, policy, tmpl, mark, xfrm_if_id): 395 """Send a policy to the Security Policy Database""" 396 nlattrs = [] 397 if tmpl is not None: 398 nlattrs.append((XFRMA_TMPL, tmpl)) 399 if mark is not None: 400 nlattrs.append((XFRMA_MARK, mark)) 401 if xfrm_if_id is not None: 402 nlattrs.append((XFRMA_IF_ID, struct.pack("=I", xfrm_if_id))) 403 self.SendXfrmNlRequest(msg, policy, nlattrs) 404 405 def AddPolicyInfo(self, policy, tmpl, mark, xfrm_if_id=None): 406 """Add a new policy to the Security Policy Database 407 408 If the policy exists, then return an error (EEXIST). 409 410 Args: 411 policy: an unpacked XfrmUserpolicyInfo 412 tmpl: an unpacked XfrmUserTmpl 413 mark: an unpacked XfrmMark 414 xfrm_if_id: the XFRM interface ID as an integer, or None 415 """ 416 self._UpdatePolicyInfo(XFRM_MSG_NEWPOLICY, policy, tmpl, mark, xfrm_if_id) 417 418 def UpdatePolicyInfo(self, policy, tmpl, mark, xfrm_if_id): 419 """Update an existing policy in the Security Policy Database 420 421 If the policy does not exist, then create it; otherwise, update the 422 existing policy record. 423 424 Args: 425 policy: an unpacked XfrmUserpolicyInfo 426 tmpl: an unpacked XfrmUserTmpl to update 427 mark: an unpacked XfrmMark to match the existing policy or None 428 xfrm_if_id: an XFRM interface ID or None 429 """ 430 self._UpdatePolicyInfo(XFRM_MSG_UPDPOLICY, policy, tmpl, mark, xfrm_if_id) 431 432 def DeletePolicyInfo(self, selector, direction, mark, xfrm_if_id=None): 433 """Delete a policy from the Security Policy Database 434 435 Args: 436 selector: an XfrmSelector matching the policy to delete 437 direction: policy direction 438 mark: an unpacked XfrmMark to match the policy or None 439 """ 440 nlattrs = [] 441 if mark is not None: 442 nlattrs.append((XFRMA_MARK, mark)) 443 if xfrm_if_id is not None: 444 nlattrs.append((XFRMA_IF_ID, struct.pack("=I", xfrm_if_id))) 445 self.SendXfrmNlRequest(XFRM_MSG_DELPOLICY, 446 XfrmUserpolicyId(sel=selector, dir=direction), 447 nlattrs) 448 449 # TODO: this function really needs to be in netlink.py 450 def SendXfrmNlRequest(self, msg_type, req, nlattrs=None, 451 flags=netlink.NLM_F_ACK|netlink.NLM_F_REQUEST): 452 """Sends a netlink request message 453 454 Args: 455 msg_type: an XFRM_MSG_* type 456 req: an unpacked netlink request message body cstruct 457 nlattrs: an unpacked list of two-tuples of (NLATTR_* type, body) where 458 the body is an unpacked cstruct 459 flags: a list of flags for the expected handling; if no flags are 460 provided, an ACK response is assumed. 461 """ 462 msg = req.Pack() 463 if nlattrs is None: 464 nlattrs = [] 465 for attr_type, attr_msg in nlattrs: 466 # TODO: find a better way to deal with the fact that many XFRM messages 467 # use nlattrs that aren't cstructs. 468 # 469 # This code allows callers to pass in either something that has a Pack() 470 # method or a packed netlink attr, but not other types of attributes. 471 # Alternatives include: 472 # 473 # 1. Require callers to marshal netlink attributes themselves and call 474 # _SendNlRequest directly. Delete this method. 475 # 2. Rename this function to _SendXfrmNlRequestCstructOnly (or other name 476 # that makes it clear that this only takes cstructs). Switch callers 477 # that need non-cstruct elements to calling _SendNlRequest directly. 478 # 3. Make this function somehow automatically detect what to do for 479 # all types of XFRM attributes today and in the future. This may be 480 # feasible because all XFRM attributes today occupy the same number 481 # space, but what about nested attributes? It is unlikley feasible via 482 # things like "if isinstance(attr_msg, str): ...", because that would 483 # not be able to determine the right size or byte order for non-struct 484 # types such as int. 485 # 4. Define fictitious cstructs which have no correspondence to actual 486 # kernel structs such as the following to represent a raw integer. 487 # XfrmAttrOutputMark = cstruct.Struct("=I", mark) 488 if hasattr(attr_msg, "Pack"): 489 attr_msg = attr_msg.Pack() 490 msg += self._NlAttr(attr_type, attr_msg) 491 return self._SendNlRequest(msg_type, msg, flags) 492 493 def AddSaInfo(self, src, dst, spi, mode, reqid, encryption, auth_trunc, aead, 494 encap, mark, output_mark, is_update=False, xfrm_if_id=None): 495 """Adds an IPsec security association. 496 497 Args: 498 src: A string, the source IP address. May be a wildcard in transport mode. 499 dst: A string, the destination IP address. Forms part of the XFRM ID, and 500 must match the destination address of the packets sent by this SA. 501 spi: An integer, the SPI. 502 mode: An IPsec mode such as XFRM_MODE_TRANSPORT. 503 reqid: A request ID. Can be used in policies to match the SA. 504 encryption: A tuple of an XfrmAlgo and raw key bytes, or None. 505 auth_trunc: A tuple of an XfrmAlgoAuth and raw key bytes, or None. 506 aead: A tuple of an XfrmAlgoAead and raw key bytes, or None. 507 encap: An XfrmEncapTmpl structure, or None. 508 mark: A mark match specifier, such as returned by ExactMatchMark(), or 509 None for an SA that matches all possible marks. 510 output_mark: An integer, the output mark. 0 means unset. 511 is_update: If true, update an existing SA otherwise create a new SA. For 512 compatibility reasons, this value defaults to False. 513 xfrm_if_id: The XFRM interface ID, or None. 514 """ 515 proto = IPPROTO_ESP 516 xfrm_id = XfrmId((PaddedAddress(dst), spi, proto)) 517 family = AF_INET6 if ":" in dst else AF_INET 518 519 nlattrs = "" 520 if encryption is not None: 521 enc, key = encryption 522 nlattrs += self._NlAttr(XFRMA_ALG_CRYPT, enc.Pack() + key) 523 524 if auth_trunc is not None: 525 auth, key = auth_trunc 526 nlattrs += self._NlAttr(XFRMA_ALG_AUTH_TRUNC, auth.Pack() + key) 527 528 if aead is not None: 529 aead_alg, key = aead 530 nlattrs += self._NlAttr(XFRMA_ALG_AEAD, aead_alg.Pack() + key) 531 532 # if a user provides either mark or mask, then we send the mark attribute 533 if mark is not None: 534 nlattrs += self._NlAttr(XFRMA_MARK, mark.Pack()) 535 if encap is not None: 536 nlattrs += self._NlAttr(XFRMA_ENCAP, encap.Pack()) 537 if output_mark is not None: 538 nlattrs += self._NlAttrU32(XFRMA_OUTPUT_MARK, output_mark) 539 if xfrm_if_id is not None: 540 nlattrs += self._NlAttrU32(XFRMA_IF_ID, xfrm_if_id) 541 542 # The kernel ignores these on input, so make them empty. 543 cur = XfrmLifetimeCur() 544 stats = XfrmStats() 545 seq = 0 546 replay = _DEFAULT_REPLAY_WINDOW 547 548 # The XFRM_STATE_AF_UNSPEC flag determines how AF_UNSPEC selectors behave. 549 # 550 # - If the flag is not set, an AF_UNSPEC selector has its family changed to 551 # the SA family, which in our case is the address family of dst. 552 # - If the flag is set, an AF_UNSPEC selector is left as is. In transport 553 # mode this fails with EPROTONOSUPPORT, but in tunnel mode, it results in 554 # a dual-stack SA that can tunnel both IPv4 and IPv6 packets. 555 # 556 # This allows us to pass an empty selector to the kernel regardless of which 557 # mode we're in: when creating transport mode SAs, the kernel will pick the 558 # selector family based on the SA family, and when creating tunnel mode SAs, 559 # we'll just create SAs that select both IPv4 and IPv6 traffic, and leave it 560 # up to the policy selectors to determine what traffic we actually want to 561 # transform. 562 flags = XFRM_STATE_AF_UNSPEC if mode == XFRM_MODE_TUNNEL else 0 563 selector = EmptySelector(AF_UNSPEC) 564 565 sa = XfrmUsersaInfo((selector, xfrm_id, PaddedAddress(src), NO_LIFETIME_CFG, 566 cur, stats, seq, reqid, family, mode, replay, flags)) 567 msg = sa.Pack() + nlattrs 568 flags = netlink.NLM_F_REQUEST | netlink.NLM_F_ACK 569 nl_msg_type = XFRM_MSG_UPDSA if is_update else XFRM_MSG_NEWSA 570 self._SendNlRequest(nl_msg_type, msg, flags) 571 572 def DeleteSaInfo(self, dst, spi, proto, mark=None, xfrm_if_id=None): 573 """Delete an SA from the SAD 574 575 Args: 576 dst: A string, the destination IP address. Forms part of the XFRM ID, and 577 must match the destination address of the packets sent by this SA. 578 spi: An integer, the SPI. 579 proto: The protocol DB of the SA, such as IPPROTO_ESP. 580 mark: A mark match specifier, such as returned by ExactMatchMark(), or 581 None for an SA without a Mark attribute. 582 """ 583 family = AF_INET6 if ":" in dst else AF_INET 584 usersa_id = XfrmUsersaId((PaddedAddress(dst), spi, family, proto)) 585 nlattrs = [] 586 if mark is not None: 587 nlattrs.append((XFRMA_MARK, mark)) 588 if xfrm_if_id is not None: 589 nlattrs.append((XFRMA_IF_ID, struct.pack("=I", xfrm_if_id))) 590 self.SendXfrmNlRequest(XFRM_MSG_DELSA, usersa_id, nlattrs) 591 592 def AllocSpi(self, dst, proto, min_spi, max_spi): 593 """Allocate (reserve) an SPI. 594 595 This sends an XFRM_MSG_ALLOCSPI message and returns the resulting 596 XfrmUsersaInfo struct. 597 598 Args: 599 dst: A string, the destination IP address. Forms part of the XFRM ID, and 600 must match the destination address of the packets sent by this SA. 601 proto: the protocol DB of the SA, such as IPPROTO_ESP. 602 min_spi: The minimum value of the acceptable SPI range (inclusive). 603 max_spi: The maximum value of the acceptable SPI range (inclusive). 604 """ 605 spi = XfrmUserSpiInfo("\x00" * len(XfrmUserSpiInfo)) 606 spi.min = min_spi 607 spi.max = max_spi 608 spi.info.id.daddr = PaddedAddress(dst) 609 spi.info.id.proto = proto 610 spi.info.family = AF_INET6 if ":" in dst else AF_INET 611 612 msg = spi.Pack() 613 flags = netlink.NLM_F_REQUEST 614 self._SendNlRequest(XFRM_MSG_ALLOCSPI, msg, flags) 615 # Read the response message. 616 data = self._Recv() 617 nl_hdr, data = cstruct.Read(data, netlink.NLMsgHdr) 618 if nl_hdr.type == XFRM_MSG_NEWSA: 619 return XfrmUsersaInfo(data) 620 if nl_hdr.type == netlink.NLMSG_ERROR: 621 error = netlink.NLMsgErr(data).error 622 raise IOError(error, os.strerror(-error)) 623 raise ValueError("Unexpected netlink message type: %d" % nl_hdr.type) 624 625 def DumpSaInfo(self): 626 return self._Dump(XFRM_MSG_GETSA, None, XfrmUsersaInfo, "") 627 628 def DumpPolicyInfo(self): 629 return self._Dump(XFRM_MSG_GETPOLICY, None, XfrmUserpolicyInfo, "") 630 631 def FindSaInfo(self, spi): 632 sainfo = [sa for sa, attrs in self.DumpSaInfo() if sa.id.spi == spi] 633 return sainfo[0] if sainfo else None 634 635 def FlushPolicyInfo(self): 636 """Send a Netlink Request to Flush all records from the SPD""" 637 flags = netlink.NLM_F_REQUEST | netlink.NLM_F_ACK 638 self._SendNlRequest(XFRM_MSG_FLUSHPOLICY, "", flags) 639 640 def FlushSaInfo(self): 641 usersa_flush = XfrmUsersaFlush((IPSEC_PROTO_ANY,)) 642 flags = netlink.NLM_F_REQUEST | netlink.NLM_F_ACK 643 self._SendNlRequest(XFRM_MSG_FLUSHSA, usersa_flush.Pack(), flags) 644 645 def CreateTunnel(self, direction, selector, src, dst, spi, encryption, 646 auth_trunc, mark, output_mark, xfrm_if_id, match_method): 647 """Create an XFRM Tunnel Consisting of a Policy and an SA. 648 649 Create a unidirectional XFRM tunnel, which entails one Policy and one 650 security association. 651 652 Args: 653 direction: XFRM_POLICY_IN or XFRM_POLICY_OUT 654 selector: An XfrmSelector that specifies the packets to be transformed. 655 This is only applied to the policy; the selector in the SA is always 656 empty. If the passed-in selector is None, then the tunnel is made 657 dual-stack. This requires two policies, one for IPv4 and one for IPv6. 658 src: The source address of the tunneled packets 659 dst: The destination address of the tunneled packets 660 spi: The SPI for the IPsec SA that encapsulates the tunneled packet 661 encryption: A tuple (XfrmAlgo, key), the encryption parameters. 662 auth_trunc: A tuple (XfrmAlgoAuth, key), the authentication parameters. 663 mark: An XfrmMark, the mark used for selecting packets to be tunneled, and 664 for matching the security policy. None means unspecified. 665 output_mark: The mark used to select the underlying network for packets 666 outbound from xfrm. None means unspecified. 667 xfrm_if_id: The ID of the XFRM interface to use or None. 668 match_method: One of MATCH_METHOD_[MARK | ALL | IFID]. This determines how 669 SAs and policies are matched. 670 """ 671 outer_family = net_test.GetAddressFamily(net_test.GetAddressVersion(dst)) 672 673 # SA mark is currently unused due to UPDSA not updating marks. 674 # Kept as documentation of ideal/desired behavior. 675 if match_method == MATCH_METHOD_MARK: 676 # sa_mark = mark 677 tmpl_spi = 0 678 if_id = None 679 elif match_method == MATCH_METHOD_ALL: 680 # sa_mark = mark 681 tmpl_spi = spi 682 if_id = xfrm_if_id 683 elif match_method == MATCH_METHOD_IFID: 684 # sa_mark = None 685 tmpl_spi = 0 686 if_id = xfrm_if_id 687 else: 688 raise ValueError("Unknown match_method supplied: %s" % match_method) 689 690 # Device code does not use mark; during AllocSpi, the mark is unset, and 691 # UPDSA does not update marks at this time. Actual use case will have no 692 # mark set. Test this use case. 693 self.AddSaInfo(src, dst, spi, XFRM_MODE_TUNNEL, 0, encryption, auth_trunc, 694 None, None, None, output_mark, xfrm_if_id=xfrm_if_id) 695 696 if selector is None: 697 selectors = [EmptySelector(AF_INET), EmptySelector(AF_INET6)] 698 else: 699 selectors = [selector] 700 701 for selector in selectors: 702 policy = UserPolicy(direction, selector) 703 tmpl = UserTemplate(outer_family, tmpl_spi, 0, (src, dst)) 704 self.AddPolicyInfo(policy, tmpl, mark, xfrm_if_id=xfrm_if_id) 705 706 def DeleteTunnel(self, direction, selector, dst, spi, mark, xfrm_if_id): 707 if mark is not None: 708 mark = ExactMatchMark(mark) 709 710 self.DeleteSaInfo(dst, spi, IPPROTO_ESP, mark, xfrm_if_id) 711 if selector is None: 712 selectors = [EmptySelector(AF_INET), EmptySelector(AF_INET6)] 713 else: 714 selectors = [selector] 715 for selector in selectors: 716 self.DeletePolicyInfo(selector, direction, mark, xfrm_if_id) 717 718 def MigrateTunnel(self, direction, selector, old_saddr, old_daddr, 719 new_saddr, new_daddr, spi, 720 encryption, auth_trunc, aead, 721 encap, new_output_mark, xfrm_if_id): 722 """Update addresses and underlying network of Policies and an SA 723 724 Args: 725 direction: XFRM_POLICY_IN or XFRM_POLICY_OUT 726 selector: An XfrmSelector of the tunnel that needs to be updated. 727 If the passed-in selector is None, it means the tunnel is 728 dual-stack and thus both IPv4 and IPv6 policies will be updated. 729 old_saddr: the old (current) source address of the tunnel 730 old_daddr: the old (current) destination address of the tunnel 731 new_saddr: the new source address the IPsec SA will be migrated to 732 new_daddr: the new destination address the tunnel will be migrated to 733 spi: The SPI for the IPsec SA that encapsulates the tunneled packets 734 encryption: A tuple of an XfrmAlgo and raw key bytes, or None. 735 auth_trunc: A tuple of an XfrmAlgoAuth and raw key bytes, or None. 736 aead: A tuple of an XfrmAlgoAead and raw key bytes, or None. 737 encap: An XfrmEncapTmpl structure, or None. 738 new_output_mark: The mark used to select the new underlying network 739 for packets outbound from xfrm. None means unspecified. 740 xfrm_if_id: The XFRM interface ID 741 """ 742 743 if selector is None: 744 selectors = [EmptySelector(AF_INET), EmptySelector(AF_INET6)] 745 else: 746 selectors = [selector] 747 748 nlattrs = [] 749 xfrmMigrate = XfrmMigrate((PaddedAddress(old_daddr), PaddedAddress(old_saddr), 750 PaddedAddress(new_daddr), PaddedAddress(new_saddr), 751 IPPROTO_ESP, XFRM_MODE_TUNNEL, 0, 752 net_test.GetAddressFamily(net_test.GetAddressVersion(old_saddr)), 753 net_test.GetAddressFamily(net_test.GetAddressVersion(new_saddr)))) 754 nlattrs.append((XFRMA_MIGRATE, xfrmMigrate)) 755 756 for selector in selectors: 757 self.SendXfrmNlRequest(XFRM_MSG_MIGRATE, 758 XfrmUserpolicyId(sel=selector, dir=direction), nlattrs) 759 760 # UPDSA is called exclusively to update the set_mark=new_output_mark. 761 self.AddSaInfo(new_saddr, new_daddr, spi, XFRM_MODE_TUNNEL, 0, encryption, 762 auth_trunc, aead, encap, None, new_output_mark, True, xfrm_if_id) 763 764 765if __name__ == "__main__": 766 x = Xfrm() 767 print(x.DumpSaInfo()) 768 print(x.DumpPolicyInfo()) 769