xref: /system/netd/server/XfrmController.cpp

/*
 *
 * Copyright (C) 2017 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <string>
#include <vector>

#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <inttypes.h>

#include <arpa/inet.h>
#include <netinet/in.h>

#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

#include <linux/in.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>

#include "android-base/stringprintf.h"
#include "android-base/strings.h"
#include "android-base/unique_fd.h"
#define LOG_TAG "XfrmController"
#include "NetdConstants.h"
#include "NetlinkCommands.h"
#include "ResponseCode.h"
#include "XfrmController.h"
#include <cutils/log.h>
#include <cutils/properties.h>
#include <logwrap/logwrap.h>

#define VDBG 1 // STOPSHIP if true

namespace android {
namespace net {

namespace {

constexpr uint32_t ALGO_MASK_AUTH_ALL = ~0;
constexpr uint32_t ALGO_MASK_CRYPT_ALL = ~0;

constexpr uint8_t REPLAY_WINDOW_SIZE = 4;

constexpr uint32_t RAND_SPI_MIN = 1;
constexpr uint32_t RAND_SPI_MAX = 0xFFFFFFFE;

constexpr uint32_t INVALID_SPI = 0;

#define XFRM_MSG_TRANS(x)                                                                          \
    case x:                                                                                        \
        return #x;

const char* xfrmMsgTypeToString(uint16_t msg) {
    switch (msg) {
        XFRM_MSG_TRANS(XFRM_MSG_NEWSA)
        XFRM_MSG_TRANS(XFRM_MSG_DELSA)
        XFRM_MSG_TRANS(XFRM_MSG_GETSA)
        XFRM_MSG_TRANS(XFRM_MSG_NEWPOLICY)
        XFRM_MSG_TRANS(XFRM_MSG_DELPOLICY)
        XFRM_MSG_TRANS(XFRM_MSG_GETPOLICY)
        XFRM_MSG_TRANS(XFRM_MSG_ALLOCSPI)
        XFRM_MSG_TRANS(XFRM_MSG_ACQUIRE)
        XFRM_MSG_TRANS(XFRM_MSG_EXPIRE)
        XFRM_MSG_TRANS(XFRM_MSG_UPDPOLICY)
        XFRM_MSG_TRANS(XFRM_MSG_UPDSA)
        XFRM_MSG_TRANS(XFRM_MSG_POLEXPIRE)
        XFRM_MSG_TRANS(XFRM_MSG_FLUSHSA)
        XFRM_MSG_TRANS(XFRM_MSG_FLUSHPOLICY)
        XFRM_MSG_TRANS(XFRM_MSG_NEWAE)
        XFRM_MSG_TRANS(XFRM_MSG_GETAE)
        XFRM_MSG_TRANS(XFRM_MSG_REPORT)
        XFRM_MSG_TRANS(XFRM_MSG_MIGRATE)
        XFRM_MSG_TRANS(XFRM_MSG_NEWSADINFO)
        XFRM_MSG_TRANS(XFRM_MSG_GETSADINFO)
        XFRM_MSG_TRANS(XFRM_MSG_GETSPDINFO)
        XFRM_MSG_TRANS(XFRM_MSG_NEWSPDINFO)
        XFRM_MSG_TRANS(XFRM_MSG_MAPPING)
        default:
            return "XFRM_MSG UNKNOWN";
    }
}

// actually const but cannot be declared as such for reasons
uint8_t kPadBytesArray[] = {0, 0, 0};
void* kPadBytes = static_cast<void*>(kPadBytesArray);

#if VDBG
#define LOG_HEX(__desc16__, __buf__, __len__) \
    do{ logHex(__desc16__, __buf__, __len__); }while(0)
#define LOG_IOV(__iov__, __iov_len__) \
    do{ logIov(__iov__, __iov_len__); }while(0)

void logHex(const char* desc16, const char* buf, size_t len) {
    char* printBuf = new char[len * 2 + 1 + 26]; // len->ascii, +newline, +prefix strlen
    int offset = 0;
    if (desc16) {
        sprintf(printBuf, "{%-16s}", desc16);
        offset += 18; // prefix string length
    }
    sprintf(printBuf + offset, "[%4.4u]: ", (len > 9999) ? 9999 : (unsigned)len);
    offset += 8;

    for (uint32_t j = 0; j < (uint32_t)len; j++) {
        sprintf(&printBuf[j * 2 + offset], "%0.2x", buf[j]);
    }
    ALOGD("%s", printBuf);
    delete[] printBuf;
}

void logIov(const iovec* iov, size_t iovLen) {
    for (uint32_t i = 0; i < (uint32_t)iovLen; i++) {
        const iovec* row = &iov[i];
        logHex(0, reinterpret_cast<char*>(row->iov_base), row->iov_len);
    }
}

#else
#define LOG_HEX(__desc16__, __buf__, __len__)
#define LOG_IOV(__iov__, __iov_len__)
#endif

class XfrmSocketImpl : public XfrmSocket {
private:
    static constexpr int NLMSG_DEFAULTSIZE = 8192;

    union NetlinkResponse {
        nlmsghdr hdr;
        struct _err_ {
            nlmsghdr hdr;
            nlmsgerr err;
        } err;

        struct _buf_ {
            nlmsghdr hdr;
            char buf[NLMSG_DEFAULTSIZE];
        } buf;
    };

public:
    virtual bool open() {
        mSock = openNetlinkSocket(NETLINK_XFRM);
        if (mSock <= 0) {
            ALOGW("Could not get a new socket, line=%d", __LINE__);
            return false;
        }

        return true;
    }

    static int validateResponse(NetlinkResponse response, size_t len) {
        if (len < sizeof(nlmsghdr)) {
            ALOGW("Invalid response message received over netlink");
            return -EBADMSG;
        }

        switch (response.hdr.nlmsg_type) {
            case NLMSG_NOOP:
            case NLMSG_DONE:
                return 0;
            case NLMSG_OVERRUN:
                ALOGD("Netlink request overran kernel buffer");
                return -EBADMSG;
            case NLMSG_ERROR:
                if (len < sizeof(NetlinkResponse::_err_)) {
                    ALOGD("Netlink message received malformed error response");
                    return -EBADMSG;
                }
                return response.err.err.error; // Netlink errors are negative errno.
            case XFRM_MSG_NEWSA:
                break;
        }

        if (response.hdr.nlmsg_type < XFRM_MSG_BASE /*== NLMSG_MIN_TYPE*/ ||
            response.hdr.nlmsg_type > XFRM_MSG_MAX) {
            ALOGD("Netlink message responded with an out-of-range message ID");
            return -EBADMSG;
        }

        // TODO Add more message validation here
        return 0;
    }

    virtual int sendMessage(uint16_t nlMsgType, uint16_t nlMsgFlags, uint16_t nlMsgSeqNum,
                            iovec* iov, int iovLen) const {
        nlmsghdr nlMsg = {
            .nlmsg_type = nlMsgType, .nlmsg_flags = nlMsgFlags, .nlmsg_seq = nlMsgSeqNum,
        };

        iov[0].iov_base = &nlMsg;
        iov[0].iov_len = NLMSG_HDRLEN;
        for (int i = 0; i < iovLen; ++i) {
            nlMsg.nlmsg_len += iov[i].iov_len;
        }

        ALOGD("Sending Netlink XFRM Message: %s", xfrmMsgTypeToString(nlMsgType));
        if (VDBG)
            LOG_IOV(iov, iovLen);

        int ret;

        if (writev(mSock, iov, iovLen) < 0) {
            ALOGE("netlink socket writev failed (%s)", strerror(errno));
            return -errno;
        }

        NetlinkResponse* response = new NetlinkResponse{};

        if ((ret = recv(mSock, response, sizeof(*response), 0)) < 0) {
            ALOGE("netlink response contains error (%s)", strerror(errno));
            delete response;
            return -errno;
        }

        LOG_HEX("netlink msg resp", reinterpret_cast<char*>(response), ret);

        ret = validateResponse(*response, ret);
        delete response;
        if (ret < 0)
            ALOGE("netlink response contains error (%s)", strerror(-ret));
        return ret;
    }
};

int convertToXfrmAddr(const std::string& strAddr, xfrm_address_t* xfrmAddr) {
    if (strAddr.length() == 0) {
        memset(xfrmAddr, 0, sizeof(*xfrmAddr));
        return AF_UNSPEC;
    }

    if (inet_pton(AF_INET6, strAddr.c_str(), reinterpret_cast<void*>(xfrmAddr))) {
        return AF_INET6;
    } else if (inet_pton(AF_INET, strAddr.c_str(), reinterpret_cast<void*>(xfrmAddr))) {
        return AF_INET;
    } else {
        return -EAFNOSUPPORT;
    }
}

void fillXfrmNlaHdr(nlattr* hdr, uint16_t type, uint16_t len) {
    hdr->nla_type = type;
    hdr->nla_len = len;
}

void fillXfrmCurLifetimeDefaults(xfrm_lifetime_cur* cur) {
    memset(reinterpret_cast<char*>(cur), 0, sizeof(*cur));
}
void fillXfrmLifetimeDefaults(xfrm_lifetime_cfg* cfg) {
    cfg->soft_byte_limit = XFRM_INF;
    cfg->hard_byte_limit = XFRM_INF;
    cfg->soft_packet_limit = XFRM_INF;
    cfg->hard_packet_limit = XFRM_INF;
}

/*
 * Allocate SPIs within an (inclusive) range of min-max.
 * returns 0 (INVALID_SPI) once the entire range has been parsed.
 */
class RandomSpi {
public:
    RandomSpi(int min, int max) : mMin(min) {
        time_t t;
        srand((unsigned int)time(&t));
        // TODO: more random random
        mNext = rand();
        mSize = max - min + 1;
        mCount = mSize;
    }

    uint32_t next() {
        if (!mCount)
            return 0;
        mCount--;
        return (mNext++ % mSize) + mMin;
    }

private:
    uint32_t mNext;
    uint32_t mSize;
    uint32_t mMin;
    uint32_t mCount;
};

} // namespace

//
// Begin XfrmController Impl
//
//
XfrmController::XfrmController(void) {}

int XfrmController::ipSecAllocateSpi(int32_t transformId, int32_t direction,
                                     const std::string& localAddress,
                                     const std::string& remoteAddress, int32_t inSpi,
                                     int32_t* outSpi) {

    ALOGD("XfrmController:%s, line=%d", __FUNCTION__, __LINE__);
    ALOGD("transformId=%d", transformId);
    ALOGD("direction=%d", direction);
    ALOGD("localAddress=%s", localAddress.c_str());
    ALOGD("remoteAddress=%s", remoteAddress.c_str());
    ALOGD("inSpi=%0.8x", inSpi);

    XfrmSaInfo saInfo{};
    int ret;

    if ((ret = fillXfrmSaId(direction, localAddress, remoteAddress, INVALID_SPI, &saInfo)) < 0) {
        return ret;
    }

    XfrmSocketImpl sock;
    if (!sock.open()) {
        ALOGD("Sock open failed for XFRM, line=%d", __LINE__);
        return -1; // TODO: return right error; for whatever reason the sock
                   // failed to open
    }

    int minSpi = RAND_SPI_MIN, maxSpi = RAND_SPI_MAX;

    if (inSpi)
        minSpi = maxSpi = inSpi;
    ret = allocateSpi(saInfo, minSpi, maxSpi, reinterpret_cast<uint32_t*>(outSpi), sock);
    if (ret < 0) {
        ALOGD("Failed to Allocate an SPI, line=%d", __LINE__);
        *outSpi = INVALID_SPI;
    }

    return ret;
}

int XfrmController::ipSecAddSecurityAssociation(
    int32_t transformId, int32_t mode, int32_t direction, const std::string& localAddress,
    const std::string& remoteAddress, int64_t /* underlyingNetworkHandle */, int32_t spi,
    const std::string& authAlgo, const std::vector<uint8_t>& authKey, int32_t authTruncBits,
    const std::string& cryptAlgo, const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits,
    int32_t encapType, int32_t encapLocalPort, int32_t encapRemotePort, int32_t* allocatedSpi) {
    android::RWLock::AutoWLock lock(mLock);

    ALOGD("XfrmController::%s, line=%d", __FUNCTION__, __LINE__);
    ALOGD("transformId=%d", transformId);
    ALOGD("mode=%d", mode);
    ALOGD("direction=%d", direction);
    ALOGD("localAddress=%s", localAddress.c_str());
    ALOGD("remoteAddress=%s", remoteAddress.c_str());
    ALOGD("spi=%0.8x", spi);
    ALOGD("authAlgo=%s", authAlgo.c_str());
    ALOGD("authTruncBits=%d", authTruncBits);
    ALOGD("cryptAlgo=%s", cryptAlgo.c_str());
    ALOGD("cryptTruncBits=%d,", cryptTruncBits);
    ALOGD("encapType=%d", encapType);
    ALOGD("encapLocalPort=%d", encapLocalPort);
    ALOGD("encapRemotePort=%d", encapRemotePort);

    XfrmSaInfo saInfo{};
    int ret;

    if ((ret = fillXfrmSaId(direction, localAddress, remoteAddress, spi, &saInfo)) < 0) {
        return ret;
    }

    saInfo.transformId = transformId;

    // STOPSHIP : range check the key lengths to prevent puncturing and overflow
    saInfo.auth = XfrmAlgo{
        .name = authAlgo, .key = authKey, .truncLenBits = static_cast<uint16_t>(authTruncBits)};

    saInfo.crypt = XfrmAlgo{
        .name = cryptAlgo, .key = cryptKey, .truncLenBits = static_cast<uint16_t>(cryptTruncBits)};

    saInfo.direction = static_cast<XfrmDirection>(direction);

    switch (static_cast<XfrmMode>(mode)) {
        case XfrmMode::TRANSPORT:
        case XfrmMode::TUNNEL:
            saInfo.mode = static_cast<XfrmMode>(mode);
            break;
        default:
            return -EINVAL;
    }

    XfrmSocketImpl sock;
    if (!sock.open()) {
        ALOGD("Sock open failed for XFRM, line=%d", __LINE__);
        return -1; // TODO: return right error; for whatever reason the sock
                   // failed to open
    }

    ret = createTransportModeSecurityAssociation(saInfo, sock);
    if (ret < 0) {
        ALOGD("Failed creating a Security Association, line=%d", __LINE__);
        return ret; // something went wrong creating the SA
    }

    *allocatedSpi = spi;
    return 0;
}

int XfrmController::ipSecDeleteSecurityAssociation(int32_t transformId, int32_t direction,
                                                   const std::string& localAddress,
                                                   const std::string& remoteAddress, int32_t spi) {

    ALOGD("XfrmController:%s, line=%d", __FUNCTION__, __LINE__);
    ALOGD("transformId=%d", transformId);
    ALOGD("direction=%d", direction);
    ALOGD("localAddress=%s", localAddress.c_str());
    ALOGD("remoteAddress=%s", remoteAddress.c_str());
    ALOGD("spi=%0.8x", spi);

    XfrmSaId saId;
    int ret;

    if ((ret = fillXfrmSaId(direction, localAddress, remoteAddress, spi, &saId)) < 0) {
        return ret;
    }

    XfrmSocketImpl sock;
    if (!sock.open()) {
        ALOGD("Sock open failed for XFRM, line=%d", __LINE__);
        return -1; // TODO: return right error; for whatever reason the sock
                   // failed to open
    }

    ret = deleteSecurityAssociation(saId, sock);
    if (ret < 0) {
        ALOGD("Failed to delete Security Association, line=%d", __LINE__);
        return ret; // something went wrong deleting the SA
    }

    return ret;
}

int XfrmController::fillXfrmSaId(int32_t direction, const std::string& localAddress,
                                 const std::string& remoteAddress, int32_t spi, XfrmSaId* xfrmId) {
    xfrm_address_t localXfrmAddr{}, remoteXfrmAddr{};

    int addrFamilyLocal, addrFamilyRemote;
    addrFamilyRemote = convertToXfrmAddr(remoteAddress, &remoteXfrmAddr);
    addrFamilyLocal = convertToXfrmAddr(localAddress, &localXfrmAddr);
    if (addrFamilyRemote < 0 || addrFamilyLocal < 0) {
        return -EINVAL;
    }

    if (addrFamilyRemote == AF_UNSPEC ||
        (addrFamilyLocal != AF_UNSPEC && addrFamilyLocal != addrFamilyRemote)) {
        ALOGD("Invalid or Mismatched Address Families, %d != %d, line=%d", addrFamilyLocal,
              addrFamilyRemote, __LINE__);
        return -EINVAL;
    }

    xfrmId->addrFamily = addrFamilyRemote;

    xfrmId->spi = htonl(spi);

    switch (static_cast<XfrmDirection>(direction)) {
        case XfrmDirection::IN:
            xfrmId->dstAddr = localXfrmAddr;
            xfrmId->srcAddr = remoteXfrmAddr;
            break;

        case XfrmDirection::OUT:
            xfrmId->dstAddr = remoteXfrmAddr;
            xfrmId->srcAddr = localXfrmAddr;
            break;

        default:
            ALOGD("Invalid XFRM direction, line=%d", __LINE__);
            // Invalid direction for Transport mode transform: time to bail
            return -EINVAL;
    }
    return 0;
}

int XfrmController::ipSecApplyTransportModeTransform(const android::base::unique_fd& socket,
                                                     int32_t transformId, int32_t direction,
                                                     const std::string& localAddress,
                                                     const std::string& remoteAddress,
                                                     int32_t spi) {
    ALOGD("XfrmController::%s, line=%d", __FUNCTION__, __LINE__);
    ALOGD("transformId=%d", transformId);
    ALOGD("direction=%d", direction);
    ALOGD("localAddress=%s", localAddress.c_str());
    ALOGD("remoteAddress=%s", remoteAddress.c_str());
    ALOGD("spi=%0.8x", spi);

    struct sockaddr_storage saddr;

    socklen_t len = sizeof(saddr);
    int err;
    int userSocket = socket.get();

    if ((err = getsockname(userSocket, reinterpret_cast<struct sockaddr*>(&saddr), &len)) < 0) {
        ALOGE("Failed to get socket info in %s", __FUNCTION__);
        return -err;
    }

    XfrmSaInfo saInfo{};
    saInfo.transformId = transformId;
    saInfo.direction = static_cast<XfrmDirection>(direction);
    saInfo.spi = spi;

    if ((err = fillXfrmSaId(direction, localAddress, remoteAddress, spi, &saInfo)) < 0) {
        ALOGE("Couldn't build SA ID %s", __FUNCTION__);
        return -err;
    }

    if (saInfo.addrFamily != saddr.ss_family) {
        ALOGE("Transform address family(%d) differs from socket address "
                "family(%d)!",
                saInfo.addrFamily, saddr.ss_family);
        return -EINVAL;
    }

    struct {
        xfrm_userpolicy_info info;
        xfrm_user_tmpl tmpl;
    } policy{};

    fillTransportModeUserSpInfo(saInfo, &policy.info);
    fillUserTemplate(saInfo, &policy.tmpl);

    LOG_HEX("XfrmUserPolicy", reinterpret_cast<char*>(&policy), sizeof(policy));

    int sockOpt, sockLayer;
    switch (saInfo.addrFamily) {
        case AF_INET:
            sockOpt = IP_XFRM_POLICY;
            sockLayer = SOL_IP;
            break;
        case AF_INET6:
            sockOpt = IPV6_XFRM_POLICY;
            sockLayer = SOL_IPV6;
            break;
        default:
            return -EAFNOSUPPORT;
    }

    err = setsockopt(userSocket, sockLayer, sockOpt, &policy, sizeof(policy));
    if (err < 0) {
        err = errno;
        ALOGE("Error setting socket option for XFRM! (%s)", strerror(err));
    }

    return -err;
}

int XfrmController::ipSecRemoveTransportModeTransform(const android::base::unique_fd& socket) {
    (void)socket;
    return 0;
}

void XfrmController::fillTransportModeSelector(const XfrmSaInfo& record, xfrm_selector* selector) {
    selector->family = record.addrFamily;
    selector->proto = AF_UNSPEC;      // TODO: do we need to match the protocol? it's
                                      // possible via the socket
    selector->ifindex = record.netId; // TODO : still need to sort this out
}

int XfrmController::createTransportModeSecurityAssociation(const XfrmSaInfo& record,
                                                           const XfrmSocket& sock) {
    xfrm_usersa_info usersa{};
    nlattr_algo_crypt crypt{};
    nlattr_algo_auth auth{};

    enum { NLMSG_HDR, USERSA, USERSA_PAD, CRYPT, CRYPT_PAD, AUTH, AUTH_PAD, iovLen };

    iovec iov[] = {
        {NULL, 0},      // reserved for the eventual addition of a NLMSG_HDR
        {&usersa, 0},   // main usersa_info struct
        {kPadBytes, 0}, // up to NLMSG_ALIGNTO pad bytes of padding
        {&crypt, 0},    // adjust size if crypt algo is present
        {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes
        {&auth, 0},     // adjust size if auth algo is present
        {kPadBytes, 0}, // up to NLATTR_ALIGNTO pad bytes
    };

    int len;
    len = iov[USERSA].iov_len = fillUserSaInfo(record, &usersa);
    iov[USERSA_PAD].iov_len = NLMSG_ALIGN(len) - len;

    len = iov[CRYPT].iov_len = fillNlAttrXfrmAlgoEnc(record.crypt, &crypt);
    iov[CRYPT_PAD].iov_len = NLA_ALIGN(len) - len;

    len = iov[AUTH].iov_len = fillNlAttrXfrmAlgoAuth(record.auth, &auth);
    iov[AUTH_PAD].iov_len = NLA_ALIGN(len) - len;

    return sock.sendMessage(XFRM_MSG_UPDSA, NETLINK_REQUEST_FLAGS, 0, iov, iovLen);
}

int XfrmController::fillNlAttrXfrmAlgoEnc(const XfrmAlgo& inAlgo, nlattr_algo_crypt* algo) {
    int len = NLA_HDRLEN + sizeof(xfrm_algo);
    strncpy(algo->crypt.alg_name, inAlgo.name.c_str(), sizeof(algo->crypt.alg_name));
    algo->crypt.alg_key_len = inAlgo.key.size() * 8;      // bits
    memcpy(algo->key, &inAlgo.key[0], inAlgo.key.size()); // FIXME :safety checks
    len += inAlgo.key.size();
    fillXfrmNlaHdr(&algo->hdr, XFRMA_ALG_CRYPT, len);
    return len;
}

int XfrmController::fillNlAttrXfrmAlgoAuth(const XfrmAlgo& inAlgo, nlattr_algo_auth* algo) {
    int len = NLA_HDRLEN + sizeof(xfrm_algo_auth);
    strncpy(algo->auth.alg_name, inAlgo.name.c_str(), sizeof(algo->auth.alg_name));
    algo->auth.alg_key_len = inAlgo.key.size() * 8; // bits

    // This is the extra field for ALG_AUTH_TRUNC
    algo->auth.alg_trunc_len = inAlgo.truncLenBits;

    memcpy(algo->key, &inAlgo.key[0], inAlgo.key.size()); // FIXME :safety checks
    len += inAlgo.key.size();

    fillXfrmNlaHdr(&algo->hdr, XFRMA_ALG_AUTH_TRUNC, len);
    return len;
}

int XfrmController::fillUserSaInfo(const XfrmSaInfo& record, xfrm_usersa_info* usersa) {
    fillTransportModeSelector(record, &usersa->sel);

    usersa->id.proto = IPPROTO_ESP;
    usersa->id.spi = record.spi;
    usersa->id.daddr = record.dstAddr;

    usersa->saddr = record.srcAddr;

    fillXfrmLifetimeDefaults(&usersa->lft);
    fillXfrmCurLifetimeDefaults(&usersa->curlft);
    memset(&usersa->stats, 0, sizeof(usersa->stats)); // leave stats zeroed out
    usersa->reqid = record.transformId;
    usersa->family = record.addrFamily;
    usersa->mode = static_cast<uint8_t>(record.mode);
    usersa->replay_window = REPLAY_WINDOW_SIZE;
    usersa->flags = 0; // TODO: should we actually set flags, XFRM_SA_XFLAG_DONT_ENCAP_DSCP?
    return sizeof(*usersa);
}

int XfrmController::fillUserSaId(const XfrmSaId& record, xfrm_usersa_id* said) {
    said->daddr = record.dstAddr;
    said->spi = record.spi;
    said->family = record.addrFamily;
    said->proto = IPPROTO_ESP;

    return sizeof(*said);
}

int XfrmController::deleteSecurityAssociation(const XfrmSaId& record, const XfrmSocket& sock) {
    xfrm_usersa_id said{};

    enum { NLMSG_HDR, USERSAID, USERSAID_PAD, iovLen };

    iovec iov[] = {
        {NULL, 0},      // reserved for the eventual addition of a NLMSG_HDR
        {&said, 0},     // main usersa_info struct
        {kPadBytes, 0}, // up to NLMSG_ALIGNTO pad bytes of padding
    };

    int len;
    len = iov[USERSAID].iov_len = fillUserSaId(record, &said);
    iov[USERSAID_PAD].iov_len = NLMSG_ALIGN(len) - len;

    return sock.sendMessage(XFRM_MSG_DELSA, NETLINK_REQUEST_FLAGS, 0, iov, iovLen);
}

int XfrmController::allocateSpi(const XfrmSaInfo& record, uint32_t minSpi, uint32_t maxSpi,
                                uint32_t* outSpi, const XfrmSocket& sock) {
    xfrm_userspi_info spiInfo{};

    enum { NLMSG_HDR, USERSAID, USERSAID_PAD, iovLen };

    iovec iov[] = {
        {NULL, 0},      // reserved for the eventual addition of a NLMSG_HDR
        {&spiInfo, 0},  // main userspi_info struct
        {kPadBytes, 0}, // up to NLMSG_ALIGNTO pad bytes of padding
    };

    int len;
    if (fillUserSaInfo(record, &spiInfo.info) == 0) {
        ALOGE("Failed to fill transport SA Info");
    }

    len = iov[USERSAID].iov_len = sizeof(spiInfo);
    iov[USERSAID_PAD].iov_len = NLMSG_ALIGN(len) - len;

    RandomSpi spiGen = RandomSpi(minSpi, maxSpi);
    int spi, ret;
    while ((spi = spiGen.next()) != INVALID_SPI) {
        spiInfo.min = spi;
        spiInfo.max = spi;
        ret = sock.sendMessage(XFRM_MSG_ALLOCSPI, NETLINK_REQUEST_FLAGS, 0, iov, iovLen);

        /* If the SPI is in use, we'll get ENOENT */
        if (ret == -ENOENT)
            continue;

        if (ret == 0) {
            *outSpi = spi;
            ALOGD("Allocated an SPI: %d", *outSpi);
        } else {
            *outSpi = INVALID_SPI;
            ALOGE("SPI Allocation Failed with error %d", ret);
        }

        return ret;
    }

    // Should always be -ENOENT if we get here
    return ret;
}

int XfrmController::fillTransportModeUserSpInfo(const XfrmSaInfo& record,
                                                xfrm_userpolicy_info* usersp) {
    fillTransportModeSelector(record, &usersp->sel);
    fillXfrmLifetimeDefaults(&usersp->lft);
    fillXfrmCurLifetimeDefaults(&usersp->curlft);
    /* if (index) index & 0x3 == dir -- must be true xfrm_user.c:verify_newpolicy_info() */
    usersp->index = 0;
    usersp->dir = static_cast<uint8_t>(record.direction);
    usersp->action = XFRM_POLICY_ALLOW;
    usersp->flags = XFRM_POLICY_LOCALOK;
    usersp->share = XFRM_SHARE_UNIQUE;
    return sizeof(*usersp);
}

int XfrmController::fillUserTemplate(const XfrmSaInfo& record, xfrm_user_tmpl* tmpl) {
    tmpl->id.daddr = record.dstAddr;
    tmpl->id.spi = record.spi;
    tmpl->id.proto = IPPROTO_ESP;

    tmpl->family = record.addrFamily;
    tmpl->saddr = record.srcAddr;
    tmpl->reqid = record.transformId;
    tmpl->mode = static_cast<uint8_t>(record.mode);
    tmpl->share = XFRM_SHARE_UNIQUE;
    tmpl->optional = 0; // if this is true, then a failed state lookup will be considered OK:
                        // http://lxr.free-electrons.com/source/net/xfrm/xfrm_policy.c#L1492
    tmpl->aalgos = ALGO_MASK_AUTH_ALL;  // TODO: if there's a bitmask somewhere of
                                        // algos, we should find it and apply it.
                                        // I can't find one.
    tmpl->ealgos = ALGO_MASK_CRYPT_ALL; // TODO: if there's a bitmask somewhere...
    return 0;
}

} // namespace net
} // namespace android