1#!/usr/bin/python
2#
3# Copyright 2016 The Android Open Source Project
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9# http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17"""Partial implementation of xfrm netlink code and socket options."""
18
19# pylint: disable=g-bad-todo
20
21import errno
22import os
23from socket import *  # pylint: disable=wildcard-import
24import struct
25
26import csocket
27import cstruct
28import net_test
29import netlink
30
31# Base netlink constants. See include/uapi/linux/netlink.h.
32NETLINK_XFRM = 6
33
34# Netlink constants. See include/uapi/linux/xfrm.h.
35# Message types.
36XFRM_MSG_NEWSA = 16
37XFRM_MSG_DELSA = 17
38XFRM_MSG_GETSA = 18
39XFRM_MSG_NEWPOLICY = 19
40XFRM_MSG_DELPOLICY = 20
41XFRM_MSG_GETPOLICY = 21
42XFRM_MSG_ALLOCSPI = 22
43XFRM_MSG_ACQUIRE = 23
44XFRM_MSG_EXPIRE = 24
45XFRM_MSG_UPDPOLICY = 25
46XFRM_MSG_UPDSA = 26
47XFRM_MSG_POLEXPIRE = 27
48XFRM_MSG_FLUSHSA = 28
49XFRM_MSG_FLUSHPOLICY = 29
50XFRM_MSG_NEWAE = 30
51XFRM_MSG_GETAE = 31
52XFRM_MSG_REPORT = 32
53XFRM_MSG_MIGRATE = 33
54XFRM_MSG_NEWSADINFO = 34
55XFRM_MSG_GETSADINFO = 35
56XFRM_MSG_NEWSPDINFO = 36
57XFRM_MSG_GETSPDINFO = 37
58XFRM_MSG_MAPPING = 38
59
60# Attributes.
61XFRMA_UNSPEC = 0
62XFRMA_ALG_AUTH = 1
63XFRMA_ALG_CRYPT = 2
64XFRMA_ALG_COMP = 3
65XFRMA_ENCAP = 4
66XFRMA_TMPL = 5
67XFRMA_SA = 6
68XFRMA_POLICY = 7
69XFRMA_SEC_CTX = 8
70XFRMA_LTIME_VAL = 9
71XFRMA_REPLAY_VAL = 10
72XFRMA_REPLAY_THRESH = 11
73XFRMA_ETIMER_THRESH = 12
74XFRMA_SRCADDR = 13
75XFRMA_COADDR = 14
76XFRMA_LASTUSED = 15
77XFRMA_POLICY_TYPE = 16
78XFRMA_MIGRATE = 17
79XFRMA_ALG_AEAD = 18
80XFRMA_KMADDRESS = 19
81XFRMA_ALG_AUTH_TRUNC = 20
82XFRMA_MARK = 21
83XFRMA_TFCPAD = 22
84XFRMA_REPLAY_ESN_VAL = 23
85XFRMA_SA_EXTRA_FLAGS = 24
86XFRMA_PROTO = 25
87XFRMA_ADDRESS_FILTER = 26
88XFRMA_PAD = 27
89
90# Other netlink constants. See include/uapi/linux/xfrm.h.
91
92# Directions.
93XFRM_POLICY_IN = 0
94XFRM_POLICY_OUT = 1
95XFRM_POLICY_FWD = 2
96XFRM_POLICY_MASK = 3
97
98# Policy sharing.
99XFRM_SHARE_ANY     = 0  #  /* No limitations */
100XFRM_SHARE_SESSION = 1  #  /* For this session only */
101XFRM_SHARE_USER    = 2  #  /* For this user only */
102XFRM_SHARE_UNIQUE  = 3  #  /* Use once */
103
104# Modes.
105XFRM_MODE_TRANSPORT = 0
106XFRM_MODE_TUNNEL = 1
107XFRM_MODE_ROUTEOPTIMIZATION = 2
108XFRM_MODE_IN_TRIGGER = 3
109XFRM_MODE_BEET = 4
110XFRM_MODE_MAX = 5
111
112# Actions.
113XFRM_POLICY_ALLOW = 0
114XFRM_POLICY_BLOCK = 1
115
116# Flags.
117XFRM_POLICY_LOCALOK = 1
118XFRM_POLICY_ICMP = 2
119
120# Data structure formats.
121# These aren't constants, they're classes. So, pylint: disable=invalid-name
122XfrmSelector = cstruct.Struct(
123    "XfrmSelector", "=16s16sHHHHHBBBxxxiI",
124    "daddr saddr dport dport_mask sport sport_mask "
125    "family prefixlen_d prefixlen_s proto ifindex user")
126
127XfrmLifetimeCfg = cstruct.Struct(
128    "XfrmLifetimeCfg", "=QQQQQQQQ",
129    "soft_byte hard_byte soft_packet hard_packet "
130    "soft_add_expires hard_add_expires soft_use_expires hard_use_expires")
131
132XfrmLifetimeCur = cstruct.Struct(
133    "XfrmLifetimeCur", "=QQQQ", "bytes packets add_time use_time")
134
135XfrmAlgo = cstruct.Struct("XfrmAlgo", "=64AI", "name key_len")
136
137XfrmAlgoAuth = cstruct.Struct("XfrmAlgo", "=64AII", "name key_len trunc_len")
138
139XfrmAlgoAead = cstruct.Struct("XfrmAlgoAead", "=64AII", "name key_len icv_len")
140
141XfrmStats = cstruct.Struct(
142    "XfrmStats", "=III", "replay_window replay integrity_failed")
143
144XfrmId = cstruct.Struct("XfrmId", "=16sIBxxx", "daddr spi proto")
145
146XfrmUserTmpl = cstruct.Struct(
147    "XfrmUserTmpl", "=SHxx16sIBBBxIII",
148    "id family saddr reqid mode share optional aalgos ealgos calgos",
149    [XfrmId])
150
151XfrmEncapTmpl = cstruct.Struct(
152    "XfrmEncapTmpl", "=HHHxx16s", "type sport dport oa")
153
154XfrmUsersaInfo = cstruct.Struct(
155    "XfrmUsersaInfo", "=SS16sSSSIIHBBB7x",
156    "sel id saddr lft curlft stats seq reqid family mode replay_window flags",
157    [XfrmSelector, XfrmId, XfrmLifetimeCfg, XfrmLifetimeCur, XfrmStats])
158
159XfrmUsersaId = cstruct.Struct(
160    "XfrmUsersaInfo", "=16sIHBx", "daddr spi family proto")
161
162XfrmUserpolicyInfo = cstruct.Struct(
163    "XfrmUserpolicyInfo", "=SSSIIBBBBxxxx",
164    "sel lft curlft priority index dir action flags share",
165    [XfrmSelector, XfrmLifetimeCfg, XfrmLifetimeCur])
166
167# Socket options. See include/uapi/linux/in.h.
168IP_IPSEC_POLICY = 16
169IP_XFRM_POLICY = 17
170IPV6_IPSEC_POLICY = 34
171IPV6_XFRM_POLICY = 35
172
173# UDP encapsulation constants. See include/uapi/linux/udp.h.
174UDP_ENCAP = 100
175UDP_ENCAP_ESPINUDP_NON_IKE = 1
176UDP_ENCAP_ESPINUDP = 2
177
178_INF = 2 ** 64 -1
179NO_LIFETIME_CFG = XfrmLifetimeCfg((_INF, _INF, _INF, _INF, 0, 0, 0, 0))
180NO_LIFETIME_CUR = "\x00" * len(XfrmLifetimeCur)
181
182
183def RawAddress(addr):
184  """Converts an IP address string to binary format."""
185  family = AF_INET6 if ":" in addr else AF_INET
186  return inet_pton(family, addr)
187
188
189def PaddedAddress(addr):
190  """Converts an IP address string to binary format for InetDiagSockId."""
191  padded = RawAddress(addr)
192  if len(padded) < 16:
193    padded += "\x00" * (16 - len(padded))
194  return padded
195
196
197class Xfrm(netlink.NetlinkSocket):
198  """Netlink interface to xfrm."""
199
200  FAMILY = NETLINK_XFRM
201  DEBUG = False
202
203  def __init__(self):
204    super(Xfrm, self).__init__()
205
206  def _GetConstantName(self, value, prefix):
207    return super(Xfrm, self)._GetConstantName(__name__, value, prefix)
208
209  def MaybeDebugCommand(self, command, flags, data):
210    if "ALL" not in self.NL_DEBUG and "XFRM" not in self.NL_DEBUG:
211      return
212
213    if command == XFRM_MSG_GETSA:
214      if flags & netlink.NLM_F_DUMP:
215        struct_type = XfrmUsersaInfo
216      else:
217        struct_type = XfrmUsersaId
218    elif command == XFRM_MSG_DELSA:
219      struct_type = XfrmUsersaId
220    else:
221      struct_type = None
222
223    cmdname = self._GetConstantName(command, "XFRM_MSG_")
224    if struct_type:
225      print "%s %s" % (cmdname, str(self._ParseNLMsg(data, struct_type)))
226    else:
227      print "%s" % cmdname
228
229  def _Decode(self, command, unused_msg, nla_type, nla_data):
230    """Decodes netlink attributes to Python types."""
231    name = self._GetConstantName(nla_type, "XFRMA_")
232
233    if name in ["XFRMA_ALG_CRYPT", "XFRMA_ALG_AUTH"]:
234      data = cstruct.Read(nla_data, XfrmAlgo)[0]
235    elif name == "XFRMA_ALG_AUTH_TRUNC":
236      data = cstruct.Read(nla_data, XfrmAlgoAuth)[0]
237    elif name == "XFRMA_ENCAP":
238      data = cstruct.Read(nla_data, XfrmEncapTmpl)[0]
239    else:
240      data = nla_data
241
242    return name, data
243
244  def AddSaInfo(self, selector, xfrm_id, saddr, lifetimes, reqid, family, mode,
245                replay_window, flags, nlattrs):
246    # The kernel ignores these on input.
247    cur = "\x00" * len(XfrmLifetimeCur)
248    stats = "\x00" * len(XfrmStats)
249    seq = 0
250    sa = XfrmUsersaInfo((selector, xfrm_id, saddr, lifetimes, cur, stats, seq,
251                         reqid, family, mode, replay_window, flags))
252    msg = sa.Pack() + nlattrs
253    flags = netlink.NLM_F_REQUEST | netlink.NLM_F_ACK
254    self._SendNlRequest(XFRM_MSG_NEWSA, msg, flags)
255
256  def AddMinimalSaInfo(self, src, dst, spi, proto, mode, reqid,
257                       encryption, encryption_key,
258                       auth_trunc, auth_trunc_key, encap):
259    selector = XfrmSelector("\x00" * len(XfrmSelector))
260    xfrm_id = XfrmId((PaddedAddress(dst), spi, proto))
261    family = AF_INET6 if ":" in dst else AF_INET
262    nlattrs = self._NlAttr(XFRMA_ALG_CRYPT,
263                           encryption.Pack() + encryption_key)
264    nlattrs += self._NlAttr(XFRMA_ALG_AUTH_TRUNC,
265                            auth_trunc.Pack() + auth_trunc_key)
266    if encap is not None:
267      nlattrs += self._NlAttr(XFRMA_ENCAP, encap.Pack())
268    self.AddSaInfo(selector, xfrm_id, PaddedAddress(src), NO_LIFETIME_CFG,
269                   reqid, family, mode, 4, 0, nlattrs)
270
271  def DeleteSaInfo(self, daddr, spi, proto):
272    # TODO: deletes take a mark as well.
273    family = AF_INET6 if ":" in daddr else AF_INET
274    usersa_id = XfrmUsersaId((PaddedAddress(daddr), spi, family, proto))
275    flags = netlink.NLM_F_REQUEST | netlink.NLM_F_ACK
276    self._SendNlRequest(XFRM_MSG_DELSA, usersa_id.Pack(), flags)
277
278  def DumpSaInfo(self):
279    return self._Dump(XFRM_MSG_GETSA, None, XfrmUsersaInfo, "")
280
281  def FindSaInfo(self, spi):
282    sainfo = [sa for sa, attrs in self.DumpSaInfo() if sa.id.spi == spi]
283    return sainfo[0] if sainfo else None
284
285
286if __name__ == "__main__":
287  x = Xfrm()
288  print x.DumpSaInfo()
289