fixing a memory leak
[strongswan.git] / src / charon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 *
20 * $Id$
21 */
22
23 #include <sys/types.h>
24 #include <sys/socket.h>
25 #include <sys/time.h>
26 #include <stdint.h>
27 #include <linux/ipsec.h>
28 #include <linux/netlink.h>
29 #include <linux/rtnetlink.h>
30 #include <linux/xfrm.h>
31 #include <linux/udp.h>
32 #include <pthread.h>
33 #include <unistd.h>
34 #include <errno.h>
35 #include <string.h>
36
37 #include "kernel_netlink_ipsec.h"
38 #include "kernel_netlink_shared.h"
39
40 #include <daemon.h>
41 #include <utils/mutex.h>
42 #include <utils/linked_list.h>
43 #include <processing/jobs/callback_job.h>
44 #include <processing/jobs/acquire_job.h>
45 #include <processing/jobs/migrate_job.h>
46 #include <processing/jobs/rekey_child_sa_job.h>
47 #include <processing/jobs/delete_child_sa_job.h>
48 #include <processing/jobs/update_sa_job.h>
49
50 /** required for Linux 2.6.26 kernel and later */
51 #ifndef XFRM_STATE_AF_UNSPEC
52 #define XFRM_STATE_AF_UNSPEC 32
53 #endif
54
55 /** from linux/in.h */
56 #ifndef IP_IPSEC_POLICY
57 #define IP_IPSEC_POLICY 16
58 #endif
59
60 /** default priority of installed policies */
61 #define PRIO_LOW 3000
62 #define PRIO_HIGH 2000
63
64 /**
65 * Create ORable bitfield of XFRM NL groups
66 */
67 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
68
69 /**
70 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
71 * 'usual' netlink data x like 'struct xfrm_usersa_info'
72 */
73 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
74 /**
75 * returns a pointer to the next rtattr following rta.
76 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
77 */
78 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
79 /**
80 * returns the total size of attached rta data
81 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
82 */
83 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
84
85 typedef struct kernel_algorithm_t kernel_algorithm_t;
86
87 /**
88 * Mapping of IKEv2 kernel identifier to linux crypto API names
89 */
90 struct kernel_algorithm_t {
91 /**
92 * Identifier specified in IKEv2
93 */
94 int ikev2;
95
96 /**
97 * Name of the algorithm in linux crypto API
98 */
99 char *name;
100 };
101
102 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
103 "XFRMA_UNSPEC",
104 "XFRMA_ALG_AUTH",
105 "XFRMA_ALG_CRYPT",
106 "XFRMA_ALG_COMP",
107 "XFRMA_ENCAP",
108 "XFRMA_TMPL",
109 "XFRMA_SA",
110 "XFRMA_POLICY",
111 "XFRMA_SEC_CTX",
112 "XFRMA_LTIME_VAL",
113 "XFRMA_REPLAY_VAL",
114 "XFRMA_REPLAY_THRESH",
115 "XFRMA_ETIMER_THRESH",
116 "XFRMA_SRCADDR",
117 "XFRMA_COADDR",
118 "XFRMA_LASTUSED",
119 "XFRMA_POLICY_TYPE",
120 "XFRMA_MIGRATE",
121 "XFRMA_ALG_AEAD",
122 "XFRMA_KMADDRESS"
123 );
124
125 #define END_OF_LIST -1
126
127 /**
128 * Algorithms for encryption
129 */
130 static kernel_algorithm_t encryption_algs[] = {
131 /* {ENCR_DES_IV64, "***" }, */
132 {ENCR_DES, "des" },
133 {ENCR_3DES, "des3_ede" },
134 /* {ENCR_RC5, "***" }, */
135 /* {ENCR_IDEA, "***" }, */
136 {ENCR_CAST, "cast128" },
137 {ENCR_BLOWFISH, "blowfish" },
138 /* {ENCR_3IDEA, "***" }, */
139 /* {ENCR_DES_IV32, "***" }, */
140 {ENCR_NULL, "cipher_null" },
141 {ENCR_AES_CBC, "aes" },
142 /* {ENCR_AES_CTR, "***" }, */
143 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
144 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
145 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
146 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
147 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
148 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
149 {END_OF_LIST, NULL },
150 };
151
152 /**
153 * Algorithms for integrity protection
154 */
155 static kernel_algorithm_t integrity_algs[] = {
156 {AUTH_HMAC_MD5_96, "md5" },
157 {AUTH_HMAC_SHA1_96, "sha1" },
158 {AUTH_HMAC_SHA2_256_128, "sha256" },
159 {AUTH_HMAC_SHA2_384_192, "sha384" },
160 {AUTH_HMAC_SHA2_512_256, "sha512" },
161 /* {AUTH_DES_MAC, "***" }, */
162 /* {AUTH_KPDK_MD5, "***" }, */
163 {AUTH_AES_XCBC_96, "xcbc(aes)" },
164 {END_OF_LIST, NULL },
165 };
166
167 /**
168 * Algorithms for IPComp
169 */
170 static kernel_algorithm_t compression_algs[] = {
171 /* {IPCOMP_OUI, "***" }, */
172 {IPCOMP_DEFLATE, "deflate" },
173 {IPCOMP_LZS, "lzs" },
174 {IPCOMP_LZJH, "lzjh" },
175 {END_OF_LIST, NULL },
176 };
177
178 /**
179 * Look up a kernel algorithm name and its key size
180 */
181 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
182 {
183 while (list->ikev2 != END_OF_LIST)
184 {
185 if (list->ikev2 == ikev2)
186 {
187 return list->name;
188 }
189 list++;
190 }
191 return NULL;
192 }
193
194 typedef struct route_entry_t route_entry_t;
195
196 /**
197 * installed routing entry
198 */
199 struct route_entry_t {
200 /** Name of the interface the route is bound to */
201 char *if_name;
202
203 /** Source ip of the route */
204 host_t *src_ip;
205
206 /** gateway for this route */
207 host_t *gateway;
208
209 /** Destination net */
210 chunk_t dst_net;
211
212 /** Destination net prefixlen */
213 u_int8_t prefixlen;
214 };
215
216 /**
217 * destroy an route_entry_t object
218 */
219 static void route_entry_destroy(route_entry_t *this)
220 {
221 free(this->if_name);
222 this->src_ip->destroy(this->src_ip);
223 this->gateway->destroy(this->gateway);
224 chunk_free(&this->dst_net);
225 free(this);
226 }
227
228 typedef struct policy_entry_t policy_entry_t;
229
230 /**
231 * installed kernel policy.
232 */
233 struct policy_entry_t {
234
235 /** direction of this policy: in, out, forward */
236 u_int8_t direction;
237
238 /** parameters of installed policy */
239 struct xfrm_selector sel;
240
241 /** associated route installed for this policy */
242 route_entry_t *route;
243
244 /** by how many CHILD_SA's this policy is used */
245 u_int refcount;
246 };
247
248 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
249
250 /**
251 * Private variables and functions of kernel_netlink class.
252 */
253 struct private_kernel_netlink_ipsec_t {
254 /**
255 * Public part of the kernel_netlink_t object.
256 */
257 kernel_netlink_ipsec_t public;
258
259 /**
260 * mutex to lock access to various lists
261 */
262 mutex_t *mutex;
263
264 /**
265 * List of installed policies (policy_entry_t)
266 */
267 linked_list_t *policies;
268
269 /**
270 * job receiving netlink events
271 */
272 callback_job_t *job;
273
274 /**
275 * Netlink xfrm socket (IPsec)
276 */
277 netlink_socket_t *socket_xfrm;
278
279 /**
280 * netlink xfrm socket to receive acquire and expire events
281 */
282 int socket_xfrm_events;
283
284 /**
285 * whether to install routes along policies
286 */
287 bool install_routes;
288 };
289
290 /**
291 * convert a IKEv2 specific protocol identifier to the kernel one
292 */
293 static u_int8_t proto_ike2kernel(protocol_id_t proto)
294 {
295 switch (proto)
296 {
297 case PROTO_ESP:
298 return IPPROTO_ESP;
299 case PROTO_AH:
300 return IPPROTO_AH;
301 default:
302 return proto;
303 }
304 }
305
306 /**
307 * reverse of ike2kernel
308 */
309 static protocol_id_t proto_kernel2ike(u_int8_t proto)
310 {
311 switch (proto)
312 {
313 case IPPROTO_ESP:
314 return PROTO_ESP;
315 case IPPROTO_AH:
316 return PROTO_AH;
317 default:
318 return proto;
319 }
320 }
321
322 /**
323 * convert a host_t to a struct xfrm_address
324 */
325 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
326 {
327 chunk_t chunk = host->get_address(host);
328 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
329 }
330
331 /**
332 * convert a struct xfrm_address to a host_t
333 */
334 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
335 {
336 chunk_t chunk;
337
338 switch (family)
339 {
340 case AF_INET:
341 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
342 break;
343 case AF_INET6:
344 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
345 break;
346 default:
347 return NULL;
348 }
349 return host_create_from_chunk(family, chunk, ntohs(port));
350 }
351
352 /**
353 * convert a traffic selector address range to subnet and its mask.
354 */
355 static void ts2subnet(traffic_selector_t* ts,
356 xfrm_address_t *net, u_int8_t *mask)
357 {
358 host_t *net_host;
359 chunk_t net_chunk;
360
361 ts->to_subnet(ts, &net_host, mask);
362 net_chunk = net_host->get_address(net_host);
363 memcpy(net, net_chunk.ptr, net_chunk.len);
364 net_host->destroy(net_host);
365 }
366
367 /**
368 * convert a traffic selector port range to port/portmask
369 */
370 static void ts2ports(traffic_selector_t* ts,
371 u_int16_t *port, u_int16_t *mask)
372 {
373 /* linux does not seem to accept complex portmasks. Only
374 * any or a specific port is allowed. We set to any, if we have
375 * a port range, or to a specific, if we have one port only.
376 */
377 u_int16_t from, to;
378
379 from = ts->get_from_port(ts);
380 to = ts->get_to_port(ts);
381
382 if (from == to)
383 {
384 *port = htons(from);
385 *mask = ~0;
386 }
387 else
388 {
389 *port = 0;
390 *mask = 0;
391 }
392 }
393
394 /**
395 * convert a pair of traffic_selectors to a xfrm_selector
396 */
397 static struct xfrm_selector ts2selector(traffic_selector_t *src,
398 traffic_selector_t *dst)
399 {
400 struct xfrm_selector sel;
401
402 memset(&sel, 0, sizeof(sel));
403 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
404 /* src or dest proto may be "any" (0), use more restrictive one */
405 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
406 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
407 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
408 ts2ports(dst, &sel.dport, &sel.dport_mask);
409 ts2ports(src, &sel.sport, &sel.sport_mask);
410 sel.ifindex = 0;
411 sel.user = 0;
412
413 return sel;
414 }
415
416 /**
417 * convert a xfrm_selector to a src|dst traffic_selector
418 */
419 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
420 {
421 int family;
422 chunk_t addr;
423 u_int8_t prefixlen;
424 u_int16_t port, port_mask;
425 host_t *host;
426 traffic_selector_t *ts;
427
428 if (src)
429 {
430 addr.ptr = (u_char*)&sel->saddr;
431 prefixlen = sel->prefixlen_s;
432 port = sel->sport;
433 port_mask = sel->sport_mask;
434 }
435 else
436 {
437 addr.ptr = (u_char*)&sel->daddr;
438 prefixlen = sel->prefixlen_d;
439 port = sel->dport;
440 port_mask = sel->dport_mask;
441 }
442
443 /* The Linux 2.6 kernel does not set the selector's family field,
444 * so as a kludge we additionally test the prefix length.
445 */
446 if (sel->family == AF_INET || sel->prefixlen_s == 32)
447 {
448 family = AF_INET;
449 addr.len = 4;
450 }
451 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
452 {
453 family = AF_INET6;
454 addr.len = 16;
455 }
456 else
457 {
458 return NULL;
459 }
460 host = host_create_from_chunk(family, addr, 0);
461 port = (port_mask == 0) ? 0 : ntohs(port);
462
463 ts = traffic_selector_create_from_subnet(host, prefixlen, sel->proto, port);
464 host->destroy(host);
465 return ts;
466 }
467
468 /**
469 * process a XFRM_MSG_ACQUIRE from kernel
470 */
471 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
472 {
473 u_int32_t reqid = 0;
474 int proto = 0;
475 traffic_selector_t *src_ts, *dst_ts;
476 struct xfrm_user_acquire *acquire;
477 struct rtattr *rta;
478 size_t rtasize;
479 job_t *job;
480
481 acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
482 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
483 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
484
485 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
486
487 while (RTA_OK(rta, rtasize))
488 {
489 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
490
491 if (rta->rta_type == XFRMA_TMPL)
492 {
493 struct xfrm_user_tmpl* tmpl;
494
495 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
496 reqid = tmpl->reqid;
497 proto = tmpl->id.proto;
498 }
499 rta = RTA_NEXT(rta, rtasize);
500 }
501 switch (proto)
502 {
503 case 0:
504 case IPPROTO_ESP:
505 case IPPROTO_AH:
506 break;
507 default:
508 /* acquire for AH/ESP only, not for IPCOMP */
509 return;
510 }
511 src_ts = selector2ts(&acquire->sel, TRUE);
512 dst_ts = selector2ts(&acquire->sel, FALSE);
513 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
514 src_ts, dst_ts, reqid);
515 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
516 charon->processor->queue_job(charon->processor, job);
517 }
518
519 /**
520 * process a XFRM_MSG_EXPIRE from kernel
521 */
522 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
523 {
524 job_t *job;
525 protocol_id_t protocol;
526 u_int32_t spi, reqid;
527 struct xfrm_user_expire *expire;
528
529 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
530 protocol = proto_kernel2ike(expire->state.id.proto);
531 spi = expire->state.id.spi;
532 reqid = expire->state.reqid;
533
534 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
535
536 if (protocol != PROTO_ESP && protocol != PROTO_AH)
537 {
538 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
539 "which is not a CHILD_SA", ntohl(spi), reqid);
540 return;
541 }
542
543 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
544 expire->hard ? "delete" : "rekey", protocol_id_names,
545 protocol, ntohl(spi), reqid);
546 if (expire->hard)
547 {
548 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
549 }
550 else
551 {
552 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
553 }
554 charon->processor->queue_job(charon->processor, job);
555 }
556
557 /**
558 * process a XFRM_MSG_MIGRATE from kernel
559 */
560 static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
561 {
562 traffic_selector_t *src_ts, *dst_ts;
563 host_t *local = NULL, *remote = NULL;
564 host_t *old_src = NULL, *old_dst = NULL;
565 host_t *new_src = NULL, *new_dst = NULL;
566 struct xfrm_userpolicy_id *policy_id;
567 struct rtattr *rta;
568 size_t rtasize;
569 u_int32_t reqid = 0;
570 policy_dir_t dir;
571 job_t *job;
572
573 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
574 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
575 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
576
577 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
578
579 src_ts = selector2ts(&policy_id->sel, TRUE);
580 dst_ts = selector2ts(&policy_id->sel, FALSE);
581 dir = (policy_dir_t)policy_id->dir;
582
583 DBG2(DBG_KNL, " policy: %R === %R %N, index %u", src_ts, dst_ts,
584 policy_dir_names, dir, policy_id->index);
585
586 while (RTA_OK(rta, rtasize))
587 {
588 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
589 if (rta->rta_type == XFRMA_KMADDRESS)
590 {
591 struct xfrm_user_kmaddress *kmaddress;
592
593 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
594 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
595 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
596 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
597 }
598 else if (rta->rta_type == XFRMA_MIGRATE)
599 {
600 struct xfrm_user_migrate *migrate;
601 protocol_id_t proto;
602
603 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
604 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
605 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
606 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
607 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
608 proto = proto_kernel2ike(migrate->proto);
609 reqid = migrate->reqid;
610 DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}",
611 protocol_id_names, proto, old_src, old_dst,
612 new_src, new_dst, reqid);
613 DESTROY_IF(old_src);
614 DESTROY_IF(old_dst);
615 DESTROY_IF(new_src);
616 DESTROY_IF(new_dst);
617 }
618 rta = RTA_NEXT(rta, rtasize);
619 }
620
621 if (src_ts && dst_ts)
622 {
623 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
624 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
625 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
626 local, remote);
627 charon->processor->queue_job(charon->processor, job);
628 }
629 else
630 {
631 DESTROY_IF(src_ts);
632 DESTROY_IF(dst_ts);
633 DESTROY_IF(local);
634 DESTROY_IF(remote);
635 }
636 }
637
638 /**
639 * process a XFRM_MSG_MAPPING from kernel
640 */
641 static void process_mapping(private_kernel_netlink_ipsec_t *this,
642 struct nlmsghdr *hdr)
643 {
644 job_t *job;
645 u_int32_t spi, reqid;
646 struct xfrm_user_mapping *mapping;
647 host_t *host;
648
649 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
650 spi = mapping->id.spi;
651 reqid = mapping->reqid;
652
653 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
654
655 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
656 {
657 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
658 mapping->new_sport);
659 if (host)
660 {
661 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
662 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
663 job = (job_t*)update_sa_job_create(reqid, host);
664 charon->processor->queue_job(charon->processor, job);
665 }
666 }
667 }
668
669 /**
670 * Receives events from kernel
671 */
672 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
673 {
674 char response[1024];
675 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
676 struct sockaddr_nl addr;
677 socklen_t addr_len = sizeof(addr);
678 int len, oldstate;
679
680 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
681 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
682 (struct sockaddr*)&addr, &addr_len);
683 pthread_setcancelstate(oldstate, NULL);
684
685 if (len < 0)
686 {
687 switch (errno)
688 {
689 case EINTR:
690 /* interrupted, try again */
691 return JOB_REQUEUE_DIRECT;
692 case EAGAIN:
693 /* no data ready, select again */
694 return JOB_REQUEUE_DIRECT;
695 default:
696 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
697 sleep(1);
698 return JOB_REQUEUE_FAIR;
699 }
700 }
701
702 if (addr.nl_pid != 0)
703 { /* not from kernel. not interested, try another one */
704 return JOB_REQUEUE_DIRECT;
705 }
706
707 while (NLMSG_OK(hdr, len))
708 {
709 switch (hdr->nlmsg_type)
710 {
711 case XFRM_MSG_ACQUIRE:
712 process_acquire(this, hdr);
713 break;
714 case XFRM_MSG_EXPIRE:
715 process_expire(this, hdr);
716 break;
717 case XFRM_MSG_MIGRATE:
718 process_migrate(this, hdr);
719 break;
720 case XFRM_MSG_MAPPING:
721 process_mapping(this, hdr);
722 break;
723 default:
724 break;
725 }
726 hdr = NLMSG_NEXT(hdr, len);
727 }
728 return JOB_REQUEUE_DIRECT;
729 }
730
731 /**
732 * Get an SPI for a specific protocol from the kernel.
733 */
734 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
735 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
736 u_int32_t reqid, u_int32_t *spi)
737 {
738 unsigned char request[NETLINK_BUFFER_SIZE];
739 struct nlmsghdr *hdr, *out;
740 struct xfrm_userspi_info *userspi;
741 u_int32_t received_spi = 0;
742 size_t len;
743
744 memset(&request, 0, sizeof(request));
745
746 hdr = (struct nlmsghdr*)request;
747 hdr->nlmsg_flags = NLM_F_REQUEST;
748 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
749 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
750
751 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
752 host2xfrm(src, &userspi->info.saddr);
753 host2xfrm(dst, &userspi->info.id.daddr);
754 userspi->info.id.proto = proto;
755 userspi->info.mode = TRUE; /* tunnel mode */
756 userspi->info.reqid = reqid;
757 userspi->info.family = src->get_family(src);
758 userspi->min = min;
759 userspi->max = max;
760
761 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
762 {
763 hdr = out;
764 while (NLMSG_OK(hdr, len))
765 {
766 switch (hdr->nlmsg_type)
767 {
768 case XFRM_MSG_NEWSA:
769 {
770 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
771 received_spi = usersa->id.spi;
772 break;
773 }
774 case NLMSG_ERROR:
775 {
776 struct nlmsgerr *err = NLMSG_DATA(hdr);
777
778 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
779 strerror(-err->error), -err->error);
780 break;
781 }
782 default:
783 hdr = NLMSG_NEXT(hdr, len);
784 continue;
785 case NLMSG_DONE:
786 break;
787 }
788 break;
789 }
790 free(out);
791 }
792
793 if (received_spi == 0)
794 {
795 return FAILED;
796 }
797
798 *spi = received_spi;
799 return SUCCESS;
800 }
801
802 /**
803 * Implementation of kernel_interface_t.get_spi.
804 */
805 static status_t get_spi(private_kernel_netlink_ipsec_t *this,
806 host_t *src, host_t *dst,
807 protocol_id_t protocol, u_int32_t reqid,
808 u_int32_t *spi)
809 {
810 DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
811
812 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
813 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
814 {
815 DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
816 return FAILED;
817 }
818
819 DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
820
821 return SUCCESS;
822 }
823
824 /**
825 * Implementation of kernel_interface_t.get_cpi.
826 */
827 static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
828 host_t *src, host_t *dst,
829 u_int32_t reqid, u_int16_t *cpi)
830 {
831 u_int32_t received_spi = 0;
832
833 DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
834
835 if (get_spi_internal(this, src, dst,
836 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
837 {
838 DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
839 return FAILED;
840 }
841
842 *cpi = htons((u_int16_t)ntohl(received_spi));
843
844 DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
845
846 return SUCCESS;
847 }
848
849 /**
850 * Implementation of kernel_interface_t.add_sa.
851 */
852 static status_t add_sa(private_kernel_netlink_ipsec_t *this,
853 host_t *src, host_t *dst, u_int32_t spi,
854 protocol_id_t protocol, u_int32_t reqid,
855 u_int64_t expire_soft, u_int64_t expire_hard,
856 u_int16_t enc_alg, chunk_t enc_key,
857 u_int16_t int_alg, chunk_t int_key,
858 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
859 bool encap, bool inbound)
860 {
861 unsigned char request[NETLINK_BUFFER_SIZE];
862 char *alg_name;
863 struct nlmsghdr *hdr;
864 struct xfrm_usersa_info *sa;
865 u_int16_t icv_size = 64;
866
867 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
868 * we are in the recursive call below */
869 if (ipcomp != IPCOMP_NONE && cpi != 0)
870 {
871 this->public.interface.add_sa(&this->public.interface,
872 src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, 0, 0,
873 ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
874 mode, ipcomp, 0, FALSE, inbound);
875 ipcomp = IPCOMP_NONE;
876 }
877
878 memset(&request, 0, sizeof(request));
879
880 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
881 ntohl(spi), reqid);
882
883 hdr = (struct nlmsghdr*)request;
884 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
885 hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
886 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
887
888 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
889 host2xfrm(src, &sa->saddr);
890 host2xfrm(dst, &sa->id.daddr);
891 sa->id.spi = spi;
892 sa->id.proto = proto_ike2kernel(protocol);
893 sa->family = src->get_family(src);
894 sa->mode = mode;
895 if (mode == MODE_TUNNEL)
896 {
897 sa->flags |= XFRM_STATE_AF_UNSPEC;
898 }
899 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
900 sa->reqid = reqid;
901 /* we currently do not expire SAs by volume/packet count */
902 sa->lft.soft_byte_limit = XFRM_INF;
903 sa->lft.hard_byte_limit = XFRM_INF;
904 sa->lft.soft_packet_limit = XFRM_INF;
905 sa->lft.hard_packet_limit = XFRM_INF;
906 /* we use lifetimes since added, not since used */
907 sa->lft.soft_add_expires_seconds = expire_soft;
908 sa->lft.hard_add_expires_seconds = expire_hard;
909 sa->lft.soft_use_expires_seconds = 0;
910 sa->lft.hard_use_expires_seconds = 0;
911
912 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
913
914 switch (enc_alg)
915 {
916 case ENCR_UNDEFINED:
917 /* no encryption */
918 break;
919 case ENCR_AES_CCM_ICV16:
920 case ENCR_AES_GCM_ICV16:
921 icv_size += 32;
922 /* FALL */
923 case ENCR_AES_CCM_ICV12:
924 case ENCR_AES_GCM_ICV12:
925 icv_size += 32;
926 /* FALL */
927 case ENCR_AES_CCM_ICV8:
928 case ENCR_AES_GCM_ICV8:
929 {
930 rthdr->rta_type = XFRMA_ALG_AEAD;
931 alg_name = lookup_algorithm(encryption_algs, enc_alg);
932 if (alg_name == NULL)
933 {
934 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
935 encryption_algorithm_names, enc_alg);
936 return FAILED;
937 }
938 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
939 encryption_algorithm_names, enc_alg, enc_key.len * 8);
940
941 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
942 hdr->nlmsg_len += rthdr->rta_len;
943 if (hdr->nlmsg_len > sizeof(request))
944 {
945 return FAILED;
946 }
947
948 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
949 algo->alg_key_len = enc_key.len * 8;
950 algo->alg_icv_len = icv_size;
951 strcpy(algo->alg_name, alg_name);
952 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
953
954 rthdr = XFRM_RTA_NEXT(rthdr);
955 break;
956 }
957 default:
958 {
959 rthdr->rta_type = XFRMA_ALG_CRYPT;
960 alg_name = lookup_algorithm(encryption_algs, enc_alg);
961 if (alg_name == NULL)
962 {
963 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
964 encryption_algorithm_names, enc_alg);
965 return FAILED;
966 }
967 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
968 encryption_algorithm_names, enc_alg, enc_key.len * 8);
969
970 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
971 hdr->nlmsg_len += rthdr->rta_len;
972 if (hdr->nlmsg_len > sizeof(request))
973 {
974 return FAILED;
975 }
976
977 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
978 algo->alg_key_len = enc_key.len * 8;
979 strcpy(algo->alg_name, alg_name);
980 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
981
982 rthdr = XFRM_RTA_NEXT(rthdr);
983 break;
984 }
985 }
986
987 if (int_alg != AUTH_UNDEFINED)
988 {
989 rthdr->rta_type = XFRMA_ALG_AUTH;
990 alg_name = lookup_algorithm(integrity_algs, int_alg);
991 if (alg_name == NULL)
992 {
993 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
994 integrity_algorithm_names, int_alg);
995 return FAILED;
996 }
997 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
998 integrity_algorithm_names, int_alg, int_key.len * 8);
999
1000 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
1001 hdr->nlmsg_len += rthdr->rta_len;
1002 if (hdr->nlmsg_len > sizeof(request))
1003 {
1004 return FAILED;
1005 }
1006
1007 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1008 algo->alg_key_len = int_key.len * 8;
1009 strcpy(algo->alg_name, alg_name);
1010 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1011
1012 rthdr = XFRM_RTA_NEXT(rthdr);
1013 }
1014
1015 if (ipcomp != IPCOMP_NONE)
1016 {
1017 rthdr->rta_type = XFRMA_ALG_COMP;
1018 alg_name = lookup_algorithm(compression_algs, ipcomp);
1019 if (alg_name == NULL)
1020 {
1021 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1022 ipcomp_transform_names, ipcomp);
1023 return FAILED;
1024 }
1025 DBG2(DBG_KNL, " using compression algorithm %N",
1026 ipcomp_transform_names, ipcomp);
1027
1028 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
1029 hdr->nlmsg_len += rthdr->rta_len;
1030 if (hdr->nlmsg_len > sizeof(request))
1031 {
1032 return FAILED;
1033 }
1034
1035 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1036 algo->alg_key_len = 0;
1037 strcpy(algo->alg_name, alg_name);
1038
1039 rthdr = XFRM_RTA_NEXT(rthdr);
1040 }
1041
1042 if (encap)
1043 {
1044 rthdr->rta_type = XFRMA_ENCAP;
1045 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1046
1047 hdr->nlmsg_len += rthdr->rta_len;
1048 if (hdr->nlmsg_len > sizeof(request))
1049 {
1050 return FAILED;
1051 }
1052
1053 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1054 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1055 tmpl->encap_sport = htons(src->get_port(src));
1056 tmpl->encap_dport = htons(dst->get_port(dst));
1057 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1058 /* encap_oa could probably be derived from the
1059 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1060 * pluto does the same as we do here but it uses encap_oa in the
1061 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1062 * the kernel ignores it anyway
1063 * -> does that mean that NAT-T encap doesn't work in transport mode?
1064 * No. The reason the kernel ignores NAT-OA is that it recomputes
1065 * (or, rather, just ignores) the checksum. If packets pass
1066 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1067 rthdr = XFRM_RTA_NEXT(rthdr);
1068 }
1069
1070 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1071 {
1072 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1073 return FAILED;
1074 }
1075 return SUCCESS;
1076 }
1077
1078 /**
1079 * Get the replay state (i.e. sequence numbers) of an SA.
1080 */
1081 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
1082 u_int32_t spi, protocol_id_t protocol, host_t *dst,
1083 struct xfrm_replay_state *replay)
1084 {
1085 unsigned char request[NETLINK_BUFFER_SIZE];
1086 struct nlmsghdr *hdr, *out = NULL;
1087 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1088 size_t len;
1089 struct rtattr *rta;
1090 size_t rtasize;
1091
1092 memset(&request, 0, sizeof(request));
1093
1094 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
1095
1096 hdr = (struct nlmsghdr*)request;
1097 hdr->nlmsg_flags = NLM_F_REQUEST;
1098 hdr->nlmsg_type = XFRM_MSG_GETAE;
1099 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1100
1101 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1102 aevent_id->flags = XFRM_AE_RVAL;
1103
1104 host2xfrm(dst, &aevent_id->sa_id.daddr);
1105 aevent_id->sa_id.spi = spi;
1106 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
1107 aevent_id->sa_id.family = dst->get_family(dst);
1108
1109 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1110 {
1111 hdr = out;
1112 while (NLMSG_OK(hdr, len))
1113 {
1114 switch (hdr->nlmsg_type)
1115 {
1116 case XFRM_MSG_NEWAE:
1117 {
1118 out_aevent = NLMSG_DATA(hdr);
1119 break;
1120 }
1121 case NLMSG_ERROR:
1122 {
1123 struct nlmsgerr *err = NLMSG_DATA(hdr);
1124 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
1125 strerror(-err->error), -err->error);
1126 break;
1127 }
1128 default:
1129 hdr = NLMSG_NEXT(hdr, len);
1130 continue;
1131 case NLMSG_DONE:
1132 break;
1133 }
1134 break;
1135 }
1136 }
1137
1138 if (out_aevent == NULL)
1139 {
1140 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1141 ntohl(spi));
1142 free(out);
1143 return FAILED;
1144 }
1145
1146 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1147 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1148 while(RTA_OK(rta, rtasize))
1149 {
1150 if (rta->rta_type == XFRMA_REPLAY_VAL)
1151 {
1152 memcpy(replay, RTA_DATA(rta), rta->rta_len);
1153 free(out);
1154 return SUCCESS;
1155 }
1156 rta = RTA_NEXT(rta, rtasize);
1157 }
1158
1159 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1160 ntohl(spi));
1161 free(out);
1162 return FAILED;
1163 }
1164
1165 /**
1166 * Implementation of kernel_interface_t.update_sa.
1167 */
1168 static status_t update_sa(private_kernel_netlink_ipsec_t *this,
1169 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1170 host_t *src, host_t *dst,
1171 host_t *new_src, host_t *new_dst,
1172 bool encap, bool new_encap)
1173 {
1174 unsigned char request[NETLINK_BUFFER_SIZE], *pos;
1175 struct nlmsghdr *hdr, *out = NULL;
1176 struct xfrm_usersa_id *sa_id;
1177 struct xfrm_usersa_info *out_sa = NULL, *sa;
1178 size_t len;
1179 struct rtattr *rta;
1180 size_t rtasize;
1181 struct xfrm_encap_tmpl* tmpl = NULL;
1182 bool got_replay_state;
1183 struct xfrm_replay_state replay;
1184
1185 /* if IPComp is used, we first update the IPComp SA */
1186 if (cpi)
1187 {
1188 this->public.interface.update_sa(&this->public.interface,
1189 htonl(ntohs(cpi)), IPPROTO_COMP, 0,
1190 src, dst, new_src, new_dst, FALSE, FALSE);
1191 }
1192
1193 memset(&request, 0, sizeof(request));
1194
1195 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1196
1197 /* query the existing SA first */
1198 hdr = (struct nlmsghdr*)request;
1199 hdr->nlmsg_flags = NLM_F_REQUEST;
1200 hdr->nlmsg_type = XFRM_MSG_GETSA;
1201 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1202
1203 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1204 host2xfrm(dst, &sa_id->daddr);
1205 sa_id->spi = spi;
1206 sa_id->proto = proto_ike2kernel(protocol);
1207 sa_id->family = dst->get_family(dst);
1208
1209 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1210 {
1211 hdr = out;
1212 while (NLMSG_OK(hdr, len))
1213 {
1214 switch (hdr->nlmsg_type)
1215 {
1216 case XFRM_MSG_NEWSA:
1217 {
1218 out_sa = NLMSG_DATA(hdr);
1219 break;
1220 }
1221 case NLMSG_ERROR:
1222 {
1223 struct nlmsgerr *err = NLMSG_DATA(hdr);
1224 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1225 strerror(-err->error), -err->error);
1226 break;
1227 }
1228 default:
1229 hdr = NLMSG_NEXT(hdr, len);
1230 continue;
1231 case NLMSG_DONE:
1232 break;
1233 }
1234 break;
1235 }
1236 }
1237 if (out_sa == NULL)
1238 {
1239 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1240 free(out);
1241 return FAILED;
1242 }
1243
1244 /* try to get the replay state */
1245 got_replay_state = (get_replay_state(
1246 this, spi, protocol, dst, &replay) == SUCCESS);
1247
1248 /* delete the old SA (without affecting the IPComp SA) */
1249 if (this->public.interface.del_sa(&this->public.interface, dst, spi,
1250 protocol, 0) != SUCCESS)
1251 {
1252 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1253 free(out);
1254 return FAILED;
1255 }
1256
1257 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1258 ntohl(spi), src, dst, new_src, new_dst);
1259
1260 /* copy over the SA from out to request */
1261 hdr = (struct nlmsghdr*)request;
1262 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1263 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1264 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1265 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1266 sa = NLMSG_DATA(hdr);
1267 sa->family = new_dst->get_family(new_dst);
1268
1269 if (!src->ip_equals(src, new_src))
1270 {
1271 host2xfrm(new_src, &sa->saddr);
1272 }
1273 if (!dst->ip_equals(dst, new_dst))
1274 {
1275 host2xfrm(new_dst, &sa->id.daddr);
1276 }
1277
1278 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1279 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1280 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1281 while(RTA_OK(rta, rtasize))
1282 {
1283 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1284 if (rta->rta_type != XFRMA_ENCAP || encap)
1285 {
1286 if (rta->rta_type == XFRMA_ENCAP)
1287 { /* update encap tmpl */
1288 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1289 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1290 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1291 }
1292 memcpy(pos, rta, rta->rta_len);
1293 pos += RTA_ALIGN(rta->rta_len);
1294 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1295 }
1296 rta = RTA_NEXT(rta, rtasize);
1297 }
1298
1299 rta = (struct rtattr*)pos;
1300 if (tmpl == NULL && encap)
1301 { /* add tmpl if we are enabling it */
1302 rta->rta_type = XFRMA_ENCAP;
1303 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1304
1305 hdr->nlmsg_len += rta->rta_len;
1306 if (hdr->nlmsg_len > sizeof(request))
1307 {
1308 return FAILED;
1309 }
1310
1311 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1312 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1313 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1314 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1315 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1316
1317 rta = XFRM_RTA_NEXT(rta);
1318 }
1319
1320 if (got_replay_state)
1321 { /* copy the replay data if available */
1322 rta->rta_type = XFRMA_REPLAY_VAL;
1323 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1324
1325 hdr->nlmsg_len += rta->rta_len;
1326 if (hdr->nlmsg_len > sizeof(request))
1327 {
1328 return FAILED;
1329 }
1330 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1331
1332 rta = XFRM_RTA_NEXT(rta);
1333 }
1334
1335 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1336 {
1337 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1338 free(out);
1339 return FAILED;
1340 }
1341 free(out);
1342
1343 return SUCCESS;
1344 }
1345
1346 /**
1347 * Implementation of kernel_interface_t.del_sa.
1348 */
1349 static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
1350 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
1351 {
1352 unsigned char request[NETLINK_BUFFER_SIZE];
1353 struct nlmsghdr *hdr;
1354 struct xfrm_usersa_id *sa_id;
1355
1356 /* if IPComp was used, we first delete the additional IPComp SA */
1357 if (cpi)
1358 {
1359 this->public.interface.del_sa(&this->public.interface, dst,
1360 htonl(ntohs(cpi)), IPPROTO_COMP, 0);
1361 }
1362
1363 memset(&request, 0, sizeof(request));
1364
1365 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1366
1367 hdr = (struct nlmsghdr*)request;
1368 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1369 hdr->nlmsg_type = XFRM_MSG_DELSA;
1370 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1371
1372 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1373 host2xfrm(dst, &sa_id->daddr);
1374 sa_id->spi = spi;
1375 sa_id->proto = proto_ike2kernel(protocol);
1376 sa_id->family = dst->get_family(dst);
1377
1378 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1379 {
1380 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1381 return FAILED;
1382 }
1383 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1384 return SUCCESS;
1385 }
1386
1387 /**
1388 * Implementation of kernel_interface_t.add_policy.
1389 */
1390 static status_t add_policy(private_kernel_netlink_ipsec_t *this,
1391 host_t *src, host_t *dst,
1392 traffic_selector_t *src_ts,
1393 traffic_selector_t *dst_ts,
1394 policy_dir_t direction, u_int32_t spi,
1395 protocol_id_t protocol, u_int32_t reqid,
1396 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1397 bool routed)
1398 {
1399 iterator_t *iterator;
1400 policy_entry_t *current, *policy;
1401 bool found = FALSE;
1402 unsigned char request[NETLINK_BUFFER_SIZE];
1403 struct xfrm_userpolicy_info *policy_info;
1404 struct nlmsghdr *hdr;
1405
1406 /* create a policy */
1407 policy = malloc_thing(policy_entry_t);
1408 memset(policy, 0, sizeof(policy_entry_t));
1409 policy->sel = ts2selector(src_ts, dst_ts);
1410 policy->direction = direction;
1411
1412 /* find the policy, which matches EXACTLY */
1413 this->mutex->lock(this->mutex);
1414 iterator = this->policies->create_iterator(this->policies, TRUE);
1415 while (iterator->iterate(iterator, (void**)&current))
1416 {
1417 if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
1418 policy->direction == current->direction)
1419 {
1420 /* use existing policy */
1421 current->refcount++;
1422 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1423 "refcount", src_ts, dst_ts,
1424 policy_dir_names, direction);
1425 free(policy);
1426 policy = current;
1427 found = TRUE;
1428 break;
1429 }
1430 }
1431 iterator->destroy(iterator);
1432 if (!found)
1433 { /* apply the new one, if we have no such policy */
1434 this->policies->insert_last(this->policies, policy);
1435 policy->refcount = 1;
1436 }
1437
1438 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1439 policy_dir_names, direction);
1440
1441 memset(&request, 0, sizeof(request));
1442 hdr = (struct nlmsghdr*)request;
1443 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1444 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1445 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1446
1447 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1448 policy_info->sel = policy->sel;
1449 policy_info->dir = policy->direction;
1450 /* calculate priority based on source selector size, small size = high prio */
1451 policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
1452 policy_info->priority -= policy->sel.prefixlen_s * 10;
1453 policy_info->priority -= policy->sel.proto ? 2 : 0;
1454 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1455 policy_info->action = XFRM_POLICY_ALLOW;
1456 policy_info->share = XFRM_SHARE_ANY;
1457 this->mutex->unlock(this->mutex);
1458
1459 /* policies don't expire */
1460 policy_info->lft.soft_byte_limit = XFRM_INF;
1461 policy_info->lft.soft_packet_limit = XFRM_INF;
1462 policy_info->lft.hard_byte_limit = XFRM_INF;
1463 policy_info->lft.hard_packet_limit = XFRM_INF;
1464 policy_info->lft.soft_add_expires_seconds = 0;
1465 policy_info->lft.hard_add_expires_seconds = 0;
1466 policy_info->lft.soft_use_expires_seconds = 0;
1467 policy_info->lft.hard_use_expires_seconds = 0;
1468
1469 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1470 rthdr->rta_type = XFRMA_TMPL;
1471 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1472
1473 hdr->nlmsg_len += rthdr->rta_len;
1474 if (hdr->nlmsg_len > sizeof(request))
1475 {
1476 return FAILED;
1477 }
1478
1479 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1480
1481 if (ipcomp != IPCOMP_NONE)
1482 {
1483 tmpl->reqid = reqid;
1484 tmpl->id.proto = IPPROTO_COMP;
1485 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1486 tmpl->mode = mode;
1487 tmpl->optional = direction != POLICY_OUT;
1488 tmpl->family = src->get_family(src);
1489
1490 host2xfrm(src, &tmpl->saddr);
1491 host2xfrm(dst, &tmpl->id.daddr);
1492
1493 /* add an additional xfrm_user_tmpl */
1494 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1495 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1496 if (hdr->nlmsg_len > sizeof(request))
1497 {
1498 return FAILED;
1499 }
1500
1501 tmpl++;
1502 }
1503
1504 tmpl->reqid = reqid;
1505 tmpl->id.proto = proto_ike2kernel(protocol);
1506 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1507 tmpl->mode = mode;
1508 tmpl->family = src->get_family(src);
1509
1510 host2xfrm(src, &tmpl->saddr);
1511 host2xfrm(dst, &tmpl->id.daddr);
1512
1513 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1514 {
1515 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1516 policy_dir_names, direction);
1517 return FAILED;
1518 }
1519
1520 /* install a route, if:
1521 * - we are NOT updating a policy
1522 * - this is a forward policy (to just get one for each child)
1523 * - we are in tunnel mode
1524 * - we are not using IPv6 (does not work correctly yet!)
1525 * - routing is not disabled via strongswan.conf
1526 */
1527 if (policy->route == NULL && direction == POLICY_FWD &&
1528 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1529 this->install_routes)
1530 {
1531 route_entry_t *route = malloc_thing(route_entry_t);
1532
1533 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1534 dst_ts, &route->src_ip) == SUCCESS)
1535 {
1536 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1537 route->gateway = charon->kernel_interface->get_nexthop(
1538 charon->kernel_interface, src);
1539 route->if_name = charon->kernel_interface->get_interface(
1540 charon->kernel_interface, dst);
1541 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1542 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1543 route->prefixlen = policy->sel.prefixlen_s;
1544
1545 if (route->if_name)
1546 {
1547 switch (charon->kernel_interface->add_route(
1548 charon->kernel_interface, route->dst_net,
1549 route->prefixlen, route->gateway,
1550 route->src_ip, route->if_name))
1551 {
1552 default:
1553 DBG1(DBG_KNL, "unable to install source route for %H",
1554 route->src_ip);
1555 /* FALL */
1556 case ALREADY_DONE:
1557 /* route exists, do not uninstall */
1558 route_entry_destroy(route);
1559 break;
1560 case SUCCESS:
1561 /* cache the installed route */
1562 policy->route = route;
1563 break;
1564 }
1565 }
1566 else
1567 {
1568 route_entry_destroy(route);
1569 }
1570 }
1571 else
1572 {
1573 free(route);
1574 }
1575 }
1576 return SUCCESS;
1577 }
1578
1579 /**
1580 * Implementation of kernel_interface_t.query_policy.
1581 */
1582 static status_t query_policy(private_kernel_netlink_ipsec_t *this,
1583 traffic_selector_t *src_ts,
1584 traffic_selector_t *dst_ts,
1585 policy_dir_t direction, u_int32_t *use_time)
1586 {
1587 unsigned char request[NETLINK_BUFFER_SIZE];
1588 struct nlmsghdr *out = NULL, *hdr;
1589 struct xfrm_userpolicy_id *policy_id;
1590 struct xfrm_userpolicy_info *policy = NULL;
1591 size_t len;
1592
1593 memset(&request, 0, sizeof(request));
1594
1595 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1596 policy_dir_names, direction);
1597
1598 hdr = (struct nlmsghdr*)request;
1599 hdr->nlmsg_flags = NLM_F_REQUEST;
1600 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1601 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1602
1603 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1604 policy_id->sel = ts2selector(src_ts, dst_ts);
1605 policy_id->dir = direction;
1606
1607 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1608 {
1609 hdr = out;
1610 while (NLMSG_OK(hdr, len))
1611 {
1612 switch (hdr->nlmsg_type)
1613 {
1614 case XFRM_MSG_NEWPOLICY:
1615 {
1616 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1617 break;
1618 }
1619 case NLMSG_ERROR:
1620 {
1621 struct nlmsgerr *err = NLMSG_DATA(hdr);
1622 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1623 strerror(-err->error), -err->error);
1624 break;
1625 }
1626 default:
1627 hdr = NLMSG_NEXT(hdr, len);
1628 continue;
1629 case NLMSG_DONE:
1630 break;
1631 }
1632 break;
1633 }
1634 }
1635
1636 if (policy == NULL)
1637 {
1638 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1639 policy_dir_names, direction);
1640 free(out);
1641 return FAILED;
1642 }
1643 *use_time = (time_t)policy->curlft.use_time;
1644
1645 free(out);
1646 return SUCCESS;
1647 }
1648
1649 /**
1650 * Implementation of kernel_interface_t.del_policy.
1651 */
1652 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
1653 traffic_selector_t *src_ts,
1654 traffic_selector_t *dst_ts,
1655 policy_dir_t direction, bool unrouted)
1656 {
1657 policy_entry_t *current, policy, *to_delete = NULL;
1658 route_entry_t *route;
1659 unsigned char request[NETLINK_BUFFER_SIZE];
1660 struct nlmsghdr *hdr;
1661 struct xfrm_userpolicy_id *policy_id;
1662 enumerator_t *enumerator;
1663
1664 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1665 policy_dir_names, direction);
1666
1667 /* create a policy */
1668 memset(&policy, 0, sizeof(policy_entry_t));
1669 policy.sel = ts2selector(src_ts, dst_ts);
1670 policy.direction = direction;
1671
1672 /* find the policy */
1673 this->mutex->lock(this->mutex);
1674 enumerator = this->policies->create_enumerator(this->policies);
1675 while (enumerator->enumerate(enumerator, &current))
1676 {
1677 if (memeq(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) &&
1678 policy.direction == current->direction)
1679 {
1680 to_delete = current;
1681 if (--to_delete->refcount > 0)
1682 {
1683 /* is used by more SAs, keep in kernel */
1684 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1685 this->mutex->unlock(this->mutex);
1686 enumerator->destroy(enumerator);
1687 return SUCCESS;
1688 }
1689 /* remove if last reference */
1690 this->policies->remove_at(this->policies, enumerator);
1691 break;
1692 }
1693 }
1694 this->mutex->unlock(this->mutex);
1695 enumerator->destroy(enumerator);
1696 if (!to_delete)
1697 {
1698 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1699 dst_ts, policy_dir_names, direction);
1700 return NOT_FOUND;
1701 }
1702
1703 memset(&request, 0, sizeof(request));
1704
1705 hdr = (struct nlmsghdr*)request;
1706 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1707 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1708 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1709
1710 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1711 policy_id->sel = to_delete->sel;
1712 policy_id->dir = direction;
1713
1714 route = to_delete->route;
1715 free(to_delete);
1716
1717 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1718 {
1719 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1720 policy_dir_names, direction);
1721 return FAILED;
1722 }
1723
1724 if (route)
1725 {
1726 if (charon->kernel_interface->del_route(charon->kernel_interface,
1727 route->dst_net, route->prefixlen, route->gateway,
1728 route->src_ip, route->if_name) != SUCCESS)
1729 {
1730 DBG1(DBG_KNL, "error uninstalling route installed with "
1731 "policy %R === %R %N", src_ts, dst_ts,
1732 policy_dir_names, direction);
1733 }
1734 route_entry_destroy(route);
1735 }
1736 return SUCCESS;
1737 }
1738
1739 /**
1740 * Implementation of kernel_interface_t.destroy.
1741 */
1742 static void destroy(private_kernel_netlink_ipsec_t *this)
1743 {
1744 this->job->cancel(this->job);
1745 close(this->socket_xfrm_events);
1746 this->socket_xfrm->destroy(this->socket_xfrm);
1747 this->policies->destroy(this->policies);
1748 this->mutex->destroy(this->mutex);
1749 free(this);
1750 }
1751
1752 /**
1753 * Add bypass policies for IKE on the sockets used by charon
1754 */
1755 static bool add_bypass_policies()
1756 {
1757 int fd, family, port;
1758 enumerator_t *sockets;
1759 bool status = TRUE;
1760
1761 /* we open an AF_KEY socket to autoload the af_key module. Otherwise
1762 * setsockopt(IPSEC_POLICY) won't work. */
1763 fd = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
1764 if (fd == 0)
1765 {
1766 DBG1(DBG_KNL, "could not open AF_KEY socket");
1767 return FALSE;
1768 }
1769 close(fd);
1770
1771 sockets = charon->socket->create_enumerator(charon->socket);
1772 while (sockets->enumerate(sockets, &fd, &family, &port))
1773 {
1774 struct sadb_x_policy policy;
1775 u_int sol, ipsec_policy;
1776
1777 switch (family)
1778 {
1779 case AF_INET:
1780 sol = SOL_IP;
1781 ipsec_policy = IP_IPSEC_POLICY;
1782 break;
1783 case AF_INET6:
1784 {
1785 sol = SOL_IPV6;
1786 ipsec_policy = IPV6_IPSEC_POLICY;
1787 break;
1788 }
1789 }
1790
1791 memset(&policy, 0, sizeof(policy));
1792 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
1793 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1794 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
1795
1796 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
1797 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1798 {
1799 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1800 strerror(errno));
1801 status = FALSE;
1802 break;
1803 }
1804 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
1805 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1806 {
1807 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1808 strerror(errno));
1809 status = FALSE;
1810 break;
1811 }
1812 }
1813 sockets->destroy(sockets);
1814 return status;
1815 }
1816
1817 /*
1818 * Described in header.
1819 */
1820 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
1821 {
1822 private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
1823 struct sockaddr_nl addr;
1824
1825 /* public functions */
1826 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1827 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1828 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
1829 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
1830 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
1831 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
1832 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1833 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
1834 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1835
1836 /* private members */
1837 this->policies = linked_list_create();
1838 this->mutex = mutex_create(MUTEX_DEFAULT);
1839 this->install_routes = lib->settings->get_bool(lib->settings,
1840 "charon.install_routes", TRUE);
1841
1842 /* add bypass policies on the sockets used by charon */
1843 if (!add_bypass_policies())
1844 {
1845 charon->kill(charon, "unable to add bypass policies on sockets");
1846 }
1847
1848 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
1849
1850 memset(&addr, 0, sizeof(addr));
1851 addr.nl_family = AF_NETLINK;
1852
1853 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
1854 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1855 if (this->socket_xfrm_events <= 0)
1856 {
1857 charon->kill(charon, "unable to create XFRM event socket");
1858 }
1859 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
1860 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
1861 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
1862 {
1863 charon->kill(charon, "unable to bind XFRM event socket");
1864 }
1865
1866 this->job = callback_job_create((callback_job_cb_t)receive_events,
1867 this, NULL, NULL);
1868 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1869
1870 return &this->public;
1871 }