projects / strongswan.git / blob
? search:


8c472f2ce8a72861b18878d4366c796765388139
[strongswan.git] / src / charon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 *
20 * $Id$
21 */
22
23 #include <sys/types.h>
24 #include <sys/socket.h>
25 #include <sys/time.h>
26 #include <stdint.h>
27 #include <linux/ipsec.h>
28 #include <linux/netlink.h>
29 #include <linux/rtnetlink.h>
30 #include <linux/xfrm.h>
31 #include <linux/udp.h>
32 #include <pthread.h>
33 #include <unistd.h>
34 #include <errno.h>
35 #include <string.h>
36
37 #include "kernel_netlink_ipsec.h"
38 #include "kernel_netlink_shared.h"
39
40 #include <daemon.h>
41 #include <utils/mutex.h>
42 #include <utils/hashtable.h>
43 #include <processing/jobs/callback_job.h>
44 #include <processing/jobs/acquire_job.h>
45 #include <processing/jobs/migrate_job.h>
46 #include <processing/jobs/rekey_child_sa_job.h>
47 #include <processing/jobs/delete_child_sa_job.h>
48 #include <processing/jobs/update_sa_job.h>
49
50 /** required for Linux 2.6.26 kernel and later */
51 #ifndef XFRM_STATE_AF_UNSPEC
52 #define XFRM_STATE_AF_UNSPEC 32
53 #endif
54
55 /** from linux/in.h */
56 #ifndef IP_IPSEC_POLICY
57 #define IP_IPSEC_POLICY 16
58 #endif
59
60 /* missing on uclibc */
61 #ifndef IPV6_IPSEC_POLICY
62 #define IPV6_IPSEC_POLICY 34
63 #endif /*IPV6_IPSEC_POLICY*/
64
65 /** default priority of installed policies */
66 #define PRIO_LOW 3000
67 #define PRIO_HIGH 2000
68
69 /**
70 * Create ORable bitfield of XFRM NL groups
71 */
72 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
73
74 /**
75 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
76 * 'usual' netlink data x like 'struct xfrm_usersa_info'
77 */
78 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
79 /**
80 * returns a pointer to the next rtattr following rta.
81 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
82 */
83 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
84 /**
85 * returns the total size of attached rta data
86 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
87 */
88 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
89
90 typedef struct kernel_algorithm_t kernel_algorithm_t;
91
92 /**
93 * Mapping of IKEv2 kernel identifier to linux crypto API names
94 */
95 struct kernel_algorithm_t {
96 /**
97 * Identifier specified in IKEv2
98 */
99 int ikev2;
100
101 /**
102 * Name of the algorithm in linux crypto API
103 */
104 char *name;
105 };
106
107 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
108 "XFRMA_UNSPEC",
109 "XFRMA_ALG_AUTH",
110 "XFRMA_ALG_CRYPT",
111 "XFRMA_ALG_COMP",
112 "XFRMA_ENCAP",
113 "XFRMA_TMPL",
114 "XFRMA_SA",
115 "XFRMA_POLICY",
116 "XFRMA_SEC_CTX",
117 "XFRMA_LTIME_VAL",
118 "XFRMA_REPLAY_VAL",
119 "XFRMA_REPLAY_THRESH",
120 "XFRMA_ETIMER_THRESH",
121 "XFRMA_SRCADDR",
122 "XFRMA_COADDR",
123 "XFRMA_LASTUSED",
124 "XFRMA_POLICY_TYPE",
125 "XFRMA_MIGRATE",
126 "XFRMA_ALG_AEAD",
127 "XFRMA_KMADDRESS"
128 );
129
130 #define END_OF_LIST -1
131
132 /**
133 * Algorithms for encryption
134 */
135 static kernel_algorithm_t encryption_algs[] = {
136 /* {ENCR_DES_IV64, "***" }, */
137 {ENCR_DES, "des" },
138 {ENCR_3DES, "des3_ede" },
139 /* {ENCR_RC5, "***" }, */
140 /* {ENCR_IDEA, "***" }, */
141 {ENCR_CAST, "cast128" },
142 {ENCR_BLOWFISH, "blowfish" },
143 /* {ENCR_3IDEA, "***" }, */
144 /* {ENCR_DES_IV32, "***" }, */
145 {ENCR_NULL, "cipher_null" },
146 {ENCR_AES_CBC, "aes" },
147 /* {ENCR_AES_CTR, "***" }, */
148 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
149 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
150 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
151 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
152 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
153 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
154 {END_OF_LIST, NULL },
155 };
156
157 /**
158 * Algorithms for integrity protection
159 */
160 static kernel_algorithm_t integrity_algs[] = {
161 {AUTH_HMAC_MD5_96, "md5" },
162 {AUTH_HMAC_SHA1_96, "sha1" },
163 {AUTH_HMAC_SHA2_256_128, "sha256" },
164 {AUTH_HMAC_SHA2_384_192, "sha384" },
165 {AUTH_HMAC_SHA2_512_256, "sha512" },
166 /* {AUTH_DES_MAC, "***" }, */
167 /* {AUTH_KPDK_MD5, "***" }, */
168 {AUTH_AES_XCBC_96, "xcbc(aes)" },
169 {END_OF_LIST, NULL },
170 };
171
172 /**
173 * Algorithms for IPComp
174 */
175 static kernel_algorithm_t compression_algs[] = {
176 /* {IPCOMP_OUI, "***" }, */
177 {IPCOMP_DEFLATE, "deflate" },
178 {IPCOMP_LZS, "lzs" },
179 {IPCOMP_LZJH, "lzjh" },
180 {END_OF_LIST, NULL },
181 };
182
183 /**
184 * Look up a kernel algorithm name and its key size
185 */
186 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
187 {
188 while (list->ikev2 != END_OF_LIST)
189 {
190 if (list->ikev2 == ikev2)
191 {
192 return list->name;
193 }
194 list++;
195 }
196 return NULL;
197 }
198
199 typedef struct route_entry_t route_entry_t;
200
201 /**
202 * installed routing entry
203 */
204 struct route_entry_t {
205 /** Name of the interface the route is bound to */
206 char *if_name;
207
208 /** Source ip of the route */
209 host_t *src_ip;
210
211 /** gateway for this route */
212 host_t *gateway;
213
214 /** Destination net */
215 chunk_t dst_net;
216
217 /** Destination net prefixlen */
218 u_int8_t prefixlen;
219 };
220
221 /**
222 * destroy an route_entry_t object
223 */
224 static void route_entry_destroy(route_entry_t *this)
225 {
226 free(this->if_name);
227 this->src_ip->destroy(this->src_ip);
228 this->gateway->destroy(this->gateway);
229 chunk_free(&this->dst_net);
230 free(this);
231 }
232
233 typedef struct policy_entry_t policy_entry_t;
234
235 /**
236 * installed kernel policy.
237 */
238 struct policy_entry_t {
239
240 /** direction of this policy: in, out, forward */
241 u_int8_t direction;
242
243 /** parameters of installed policy */
244 struct xfrm_selector sel;
245
246 /** associated route installed for this policy */
247 route_entry_t *route;
248
249 /** by how many CHILD_SA's this policy is used */
250 u_int refcount;
251 };
252
253 /**
254 * Hash function for policy_entry_t objects
255 */
256 static u_int policy_hash(policy_entry_t *key)
257 {
258 chunk_t chunk = chunk_create((void*)&key->sel, sizeof(struct xfrm_selector));
259 return chunk_hash(chunk);
260 }
261
262 /**
263 * Equality function for policy_entry_t objects
264 */
265 static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
266 {
267 return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) &&
268 key->direction == other_key->direction;
269 }
270
271 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
272
273 /**
274 * Private variables and functions of kernel_netlink class.
275 */
276 struct private_kernel_netlink_ipsec_t {
277 /**
278 * Public part of the kernel_netlink_t object.
279 */
280 kernel_netlink_ipsec_t public;
281
282 /**
283 * mutex to lock access to various lists
284 */
285 mutex_t *mutex;
286
287 /**
288 * Hash table of installed policies (policy_entry_t)
289 */
290 hashtable_t *policies;
291
292 /**
293 * job receiving netlink events
294 */
295 callback_job_t *job;
296
297 /**
298 * Netlink xfrm socket (IPsec)
299 */
300 netlink_socket_t *socket_xfrm;
301
302 /**
303 * netlink xfrm socket to receive acquire and expire events
304 */
305 int socket_xfrm_events;
306
307 /**
308 * whether to install routes along policies
309 */
310 bool install_routes;
311 };
312
313 /**
314 * convert a IKEv2 specific protocol identifier to the kernel one
315 */
316 static u_int8_t proto_ike2kernel(protocol_id_t proto)
317 {
318 switch (proto)
319 {
320 case PROTO_ESP:
321 return IPPROTO_ESP;
322 case PROTO_AH:
323 return IPPROTO_AH;
324 default:
325 return proto;
326 }
327 }
328
329 /**
330 * reverse of ike2kernel
331 */
332 static protocol_id_t proto_kernel2ike(u_int8_t proto)
333 {
334 switch (proto)
335 {
336 case IPPROTO_ESP:
337 return PROTO_ESP;
338 case IPPROTO_AH:
339 return PROTO_AH;
340 default:
341 return proto;
342 }
343 }
344
345 /**
346 * convert a host_t to a struct xfrm_address
347 */
348 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
349 {
350 chunk_t chunk = host->get_address(host);
351 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
352 }
353
354 /**
355 * convert a struct xfrm_address to a host_t
356 */
357 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
358 {
359 chunk_t chunk;
360
361 switch (family)
362 {
363 case AF_INET:
364 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
365 break;
366 case AF_INET6:
367 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
368 break;
369 default:
370 return NULL;
371 }
372 return host_create_from_chunk(family, chunk, ntohs(port));
373 }
374
375 /**
376 * convert a traffic selector address range to subnet and its mask.
377 */
378 static void ts2subnet(traffic_selector_t* ts,
379 xfrm_address_t *net, u_int8_t *mask)
380 {
381 host_t *net_host;
382 chunk_t net_chunk;
383
384 ts->to_subnet(ts, &net_host, mask);
385 net_chunk = net_host->get_address(net_host);
386 memcpy(net, net_chunk.ptr, net_chunk.len);
387 net_host->destroy(net_host);
388 }
389
390 /**
391 * convert a traffic selector port range to port/portmask
392 */
393 static void ts2ports(traffic_selector_t* ts,
394 u_int16_t *port, u_int16_t *mask)
395 {
396 /* linux does not seem to accept complex portmasks. Only
397 * any or a specific port is allowed. We set to any, if we have
398 * a port range, or to a specific, if we have one port only.
399 */
400 u_int16_t from, to;
401
402 from = ts->get_from_port(ts);
403 to = ts->get_to_port(ts);
404
405 if (from == to)
406 {
407 *port = htons(from);
408 *mask = ~0;
409 }
410 else
411 {
412 *port = 0;
413 *mask = 0;
414 }
415 }
416
417 /**
418 * convert a pair of traffic_selectors to a xfrm_selector
419 */
420 static struct xfrm_selector ts2selector(traffic_selector_t *src,
421 traffic_selector_t *dst)
422 {
423 struct xfrm_selector sel;
424
425 memset(&sel, 0, sizeof(sel));
426 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
427 /* src or dest proto may be "any" (0), use more restrictive one */
428 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
429 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
430 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
431 ts2ports(dst, &sel.dport, &sel.dport_mask);
432 ts2ports(src, &sel.sport, &sel.sport_mask);
433 sel.ifindex = 0;
434 sel.user = 0;
435
436 return sel;
437 }
438
439 /**
440 * convert a xfrm_selector to a src|dst traffic_selector
441 */
442 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
443 {
444 u_char *addr;
445 u_int8_t prefixlen;
446 u_int16_t port = 0;
447 host_t *host = NULL;
448
449 if (src)
450 {
451 addr = (u_char*)&sel->saddr;
452 prefixlen = sel->prefixlen_s;
453 if (sel->sport_mask)
454 {
455 port = htons(sel->sport);
456 }
457 }
458 else
459 {
460 addr = (u_char*)&sel->daddr;
461 prefixlen = sel->prefixlen_d;
462 if (sel->dport_mask)
463 {
464 port = htons(sel->dport);
465 }
466 }
467
468 /* The Linux 2.6 kernel does not set the selector's family field,
469 * so as a kludge we additionally test the prefix length.
470 */
471 if (sel->family == AF_INET || sel->prefixlen_s == 32)
472 {
473 host = host_create_from_chunk(AF_INET, chunk_create(addr, 4), 0);
474 }
475 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
476 {
477 host = host_create_from_chunk(AF_INET6, chunk_create(addr, 16), 0);
478 }
479
480 if (host)
481 {
482 return traffic_selector_create_from_subnet(host, prefixlen,
483 sel->proto, port);
484 }
485 return NULL;
486 }
487
488 /**
489 * process a XFRM_MSG_ACQUIRE from kernel
490 */
491 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
492 {
493 u_int32_t reqid = 0;
494 int proto = 0;
495 traffic_selector_t *src_ts, *dst_ts;
496 struct xfrm_user_acquire *acquire;
497 struct rtattr *rta;
498 size_t rtasize;
499 job_t *job;
500
501 acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
502 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
503 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
504
505 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
506
507 while (RTA_OK(rta, rtasize))
508 {
509 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
510
511 if (rta->rta_type == XFRMA_TMPL)
512 {
513 struct xfrm_user_tmpl* tmpl;
514
515 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
516 reqid = tmpl->reqid;
517 proto = tmpl->id.proto;
518 }
519 rta = RTA_NEXT(rta, rtasize);
520 }
521 switch (proto)
522 {
523 case 0:
524 case IPPROTO_ESP:
525 case IPPROTO_AH:
526 break;
527 default:
528 /* acquire for AH/ESP only, not for IPCOMP */
529 return;
530 }
531 src_ts = selector2ts(&acquire->sel, TRUE);
532 dst_ts = selector2ts(&acquire->sel, FALSE);
533 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
534 src_ts, dst_ts, reqid);
535 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
536 charon->processor->queue_job(charon->processor, job);
537 }
538
539 /**
540 * process a XFRM_MSG_EXPIRE from kernel
541 */
542 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
543 {
544 job_t *job;
545 protocol_id_t protocol;
546 u_int32_t spi, reqid;
547 struct xfrm_user_expire *expire;
548
549 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
550 protocol = proto_kernel2ike(expire->state.id.proto);
551 spi = expire->state.id.spi;
552 reqid = expire->state.reqid;
553
554 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
555
556 if (protocol != PROTO_ESP && protocol != PROTO_AH)
557 {
558 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
559 "which is not a CHILD_SA", ntohl(spi), reqid);
560 return;
561 }
562
563 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
564 expire->hard ? "delete" : "rekey", protocol_id_names,
565 protocol, ntohl(spi), reqid);
566 if (expire->hard)
567 {
568 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
569 }
570 else
571 {
572 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
573 }
574 charon->processor->queue_job(charon->processor, job);
575 }
576
577 /**
578 * process a XFRM_MSG_MIGRATE from kernel
579 */
580 static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
581 {
582 traffic_selector_t *src_ts, *dst_ts;
583 host_t *local = NULL, *remote = NULL;
584 host_t *old_src = NULL, *old_dst = NULL;
585 host_t *new_src = NULL, *new_dst = NULL;
586 struct xfrm_userpolicy_id *policy_id;
587 struct rtattr *rta;
588 size_t rtasize;
589 u_int32_t reqid = 0;
590 policy_dir_t dir;
591 job_t *job;
592
593 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
594 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
595 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
596
597 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
598
599 src_ts = selector2ts(&policy_id->sel, TRUE);
600 dst_ts = selector2ts(&policy_id->sel, FALSE);
601 dir = (policy_dir_t)policy_id->dir;
602
603 DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
604
605 while (RTA_OK(rta, rtasize))
606 {
607 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
608 if (rta->rta_type == XFRMA_KMADDRESS)
609 {
610 struct xfrm_user_kmaddress *kmaddress;
611
612 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
613 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
614 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
615 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
616 }
617 else if (rta->rta_type == XFRMA_MIGRATE)
618 {
619 struct xfrm_user_migrate *migrate;
620 protocol_id_t proto;
621
622 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
623 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
624 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
625 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
626 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
627 proto = proto_kernel2ike(migrate->proto);
628 reqid = migrate->reqid;
629 DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}",
630 protocol_id_names, proto, old_src, old_dst,
631 new_src, new_dst, reqid);
632 DESTROY_IF(old_src);
633 DESTROY_IF(old_dst);
634 DESTROY_IF(new_src);
635 DESTROY_IF(new_dst);
636 }
637 rta = RTA_NEXT(rta, rtasize);
638 }
639
640 if (src_ts && dst_ts && local && remote)
641 {
642 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
643 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
644 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
645 local, remote);
646 charon->processor->queue_job(charon->processor, job);
647 }
648 else
649 {
650 DESTROY_IF(src_ts);
651 DESTROY_IF(dst_ts);
652 DESTROY_IF(local);
653 DESTROY_IF(remote);
654 }
655 }
656
657 /**
658 * process a XFRM_MSG_MAPPING from kernel
659 */
660 static void process_mapping(private_kernel_netlink_ipsec_t *this,
661 struct nlmsghdr *hdr)
662 {
663 job_t *job;
664 u_int32_t spi, reqid;
665 struct xfrm_user_mapping *mapping;
666 host_t *host;
667
668 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
669 spi = mapping->id.spi;
670 reqid = mapping->reqid;
671
672 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
673
674 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
675 {
676 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
677 mapping->new_sport);
678 if (host)
679 {
680 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
681 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
682 job = (job_t*)update_sa_job_create(reqid, host);
683 charon->processor->queue_job(charon->processor, job);
684 }
685 }
686 }
687
688 /**
689 * Receives events from kernel
690 */
691 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
692 {
693 char response[1024];
694 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
695 struct sockaddr_nl addr;
696 socklen_t addr_len = sizeof(addr);
697 int len, oldstate;
698
699 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
700 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
701 (struct sockaddr*)&addr, &addr_len);
702 pthread_setcancelstate(oldstate, NULL);
703
704 if (len < 0)
705 {
706 switch (errno)
707 {
708 case EINTR:
709 /* interrupted, try again */
710 return JOB_REQUEUE_DIRECT;
711 case EAGAIN:
712 /* no data ready, select again */
713 return JOB_REQUEUE_DIRECT;
714 default:
715 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
716 sleep(1);
717 return JOB_REQUEUE_FAIR;
718 }
719 }
720
721 if (addr.nl_pid != 0)
722 { /* not from kernel. not interested, try another one */
723 return JOB_REQUEUE_DIRECT;
724 }
725
726 while (NLMSG_OK(hdr, len))
727 {
728 switch (hdr->nlmsg_type)
729 {
730 case XFRM_MSG_ACQUIRE:
731 process_acquire(this, hdr);
732 break;
733 case XFRM_MSG_EXPIRE:
734 process_expire(this, hdr);
735 break;
736 case XFRM_MSG_MIGRATE:
737 process_migrate(this, hdr);
738 break;
739 case XFRM_MSG_MAPPING:
740 process_mapping(this, hdr);
741 break;
742 default:
743 break;
744 }
745 hdr = NLMSG_NEXT(hdr, len);
746 }
747 return JOB_REQUEUE_DIRECT;
748 }
749
750 /**
751 * Get an SPI for a specific protocol from the kernel.
752 */
753 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
754 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
755 u_int32_t reqid, u_int32_t *spi)
756 {
757 netlink_buf_t request;
758 struct nlmsghdr *hdr, *out;
759 struct xfrm_userspi_info *userspi;
760 u_int32_t received_spi = 0;
761 size_t len;
762
763 memset(&request, 0, sizeof(request));
764
765 hdr = (struct nlmsghdr*)request;
766 hdr->nlmsg_flags = NLM_F_REQUEST;
767 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
768 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
769
770 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
771 host2xfrm(src, &userspi->info.saddr);
772 host2xfrm(dst, &userspi->info.id.daddr);
773 userspi->info.id.proto = proto;
774 userspi->info.mode = TRUE; /* tunnel mode */
775 userspi->info.reqid = reqid;
776 userspi->info.family = src->get_family(src);
777 userspi->min = min;
778 userspi->max = max;
779
780 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
781 {
782 hdr = out;
783 while (NLMSG_OK(hdr, len))
784 {
785 switch (hdr->nlmsg_type)
786 {
787 case XFRM_MSG_NEWSA:
788 {
789 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
790 received_spi = usersa->id.spi;
791 break;
792 }
793 case NLMSG_ERROR:
794 {
795 struct nlmsgerr *err = NLMSG_DATA(hdr);
796
797 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
798 strerror(-err->error), -err->error);
799 break;
800 }
801 default:
802 hdr = NLMSG_NEXT(hdr, len);
803 continue;
804 case NLMSG_DONE:
805 break;
806 }
807 break;
808 }
809 free(out);
810 }
811
812 if (received_spi == 0)
813 {
814 return FAILED;
815 }
816
817 *spi = received_spi;
818 return SUCCESS;
819 }
820
821 /**
822 * Implementation of kernel_interface_t.get_spi.
823 */
824 static status_t get_spi(private_kernel_netlink_ipsec_t *this,
825 host_t *src, host_t *dst,
826 protocol_id_t protocol, u_int32_t reqid,
827 u_int32_t *spi)
828 {
829 DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
830
831 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
832 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
833 {
834 DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
835 return FAILED;
836 }
837
838 DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
839
840 return SUCCESS;
841 }
842
843 /**
844 * Implementation of kernel_interface_t.get_cpi.
845 */
846 static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
847 host_t *src, host_t *dst,
848 u_int32_t reqid, u_int16_t *cpi)
849 {
850 u_int32_t received_spi = 0;
851
852 DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
853
854 if (get_spi_internal(this, src, dst,
855 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
856 {
857 DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
858 return FAILED;
859 }
860
861 *cpi = htons((u_int16_t)ntohl(received_spi));
862
863 DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
864
865 return SUCCESS;
866 }
867
868 /**
869 * Implementation of kernel_interface_t.add_sa.
870 */
871 static status_t add_sa(private_kernel_netlink_ipsec_t *this,
872 host_t *src, host_t *dst, u_int32_t spi,
873 protocol_id_t protocol, u_int32_t reqid,
874 u_int64_t expire_soft, u_int64_t expire_hard,
875 u_int16_t enc_alg, chunk_t enc_key,
876 u_int16_t int_alg, chunk_t int_key,
877 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
878 bool encap, bool inbound)
879 {
880 netlink_buf_t request;
881 char *alg_name;
882 struct nlmsghdr *hdr;
883 struct xfrm_usersa_info *sa;
884 u_int16_t icv_size = 64;
885
886 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
887 * we are in the recursive call below */
888 if (ipcomp != IPCOMP_NONE && cpi != 0)
889 {
890 add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, 0, 0,
891 ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
892 mode, ipcomp, 0, FALSE, inbound);
893 ipcomp = IPCOMP_NONE;
894 }
895
896 memset(&request, 0, sizeof(request));
897
898 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
899 ntohl(spi), reqid);
900
901 hdr = (struct nlmsghdr*)request;
902 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
903 hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
904 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
905
906 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
907 host2xfrm(src, &sa->saddr);
908 host2xfrm(dst, &sa->id.daddr);
909 sa->id.spi = spi;
910 sa->id.proto = proto_ike2kernel(protocol);
911 sa->family = src->get_family(src);
912 sa->mode = mode;
913 if (mode == MODE_TUNNEL)
914 {
915 sa->flags |= XFRM_STATE_AF_UNSPEC;
916 }
917 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
918 sa->reqid = reqid;
919 /* we currently do not expire SAs by volume/packet count */
920 sa->lft.soft_byte_limit = XFRM_INF;
921 sa->lft.hard_byte_limit = XFRM_INF;
922 sa->lft.soft_packet_limit = XFRM_INF;
923 sa->lft.hard_packet_limit = XFRM_INF;
924 /* we use lifetimes since added, not since used */
925 sa->lft.soft_add_expires_seconds = expire_soft;
926 sa->lft.hard_add_expires_seconds = expire_hard;
927 sa->lft.soft_use_expires_seconds = 0;
928 sa->lft.hard_use_expires_seconds = 0;
929
930 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
931
932 switch (enc_alg)
933 {
934 case ENCR_UNDEFINED:
935 /* no encryption */
936 break;
937 case ENCR_AES_CCM_ICV16:
938 case ENCR_AES_GCM_ICV16:
939 icv_size += 32;
940 /* FALL */
941 case ENCR_AES_CCM_ICV12:
942 case ENCR_AES_GCM_ICV12:
943 icv_size += 32;
944 /* FALL */
945 case ENCR_AES_CCM_ICV8:
946 case ENCR_AES_GCM_ICV8:
947 {
948 rthdr->rta_type = XFRMA_ALG_AEAD;
949 alg_name = lookup_algorithm(encryption_algs, enc_alg);
950 if (alg_name == NULL)
951 {
952 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
953 encryption_algorithm_names, enc_alg);
954 return FAILED;
955 }
956 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
957 encryption_algorithm_names, enc_alg, enc_key.len * 8);
958
959 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
960 hdr->nlmsg_len += rthdr->rta_len;
961 if (hdr->nlmsg_len > sizeof(request))
962 {
963 return FAILED;
964 }
965
966 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
967 algo->alg_key_len = enc_key.len * 8;
968 algo->alg_icv_len = icv_size;
969 strcpy(algo->alg_name, alg_name);
970 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
971
972 rthdr = XFRM_RTA_NEXT(rthdr);
973 break;
974 }
975 default:
976 {
977 rthdr->rta_type = XFRMA_ALG_CRYPT;
978 alg_name = lookup_algorithm(encryption_algs, enc_alg);
979 if (alg_name == NULL)
980 {
981 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
982 encryption_algorithm_names, enc_alg);
983 return FAILED;
984 }
985 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
986 encryption_algorithm_names, enc_alg, enc_key.len * 8);
987
988 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
989 hdr->nlmsg_len += rthdr->rta_len;
990 if (hdr->nlmsg_len > sizeof(request))
991 {
992 return FAILED;
993 }
994
995 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
996 algo->alg_key_len = enc_key.len * 8;
997 strcpy(algo->alg_name, alg_name);
998 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
999
1000 rthdr = XFRM_RTA_NEXT(rthdr);
1001 break;
1002 }
1003 }
1004
1005 if (int_alg != AUTH_UNDEFINED)
1006 {
1007 rthdr->rta_type = XFRMA_ALG_AUTH;
1008 alg_name = lookup_algorithm(integrity_algs, int_alg);
1009 if (alg_name == NULL)
1010 {
1011 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1012 integrity_algorithm_names, int_alg);
1013 return FAILED;
1014 }
1015 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1016 integrity_algorithm_names, int_alg, int_key.len * 8);
1017
1018 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
1019 hdr->nlmsg_len += rthdr->rta_len;
1020 if (hdr->nlmsg_len > sizeof(request))
1021 {
1022 return FAILED;
1023 }
1024
1025 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1026 algo->alg_key_len = int_key.len * 8;
1027 strcpy(algo->alg_name, alg_name);
1028 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1029
1030 rthdr = XFRM_RTA_NEXT(rthdr);
1031 }
1032
1033 if (ipcomp != IPCOMP_NONE)
1034 {
1035 rthdr->rta_type = XFRMA_ALG_COMP;
1036 alg_name = lookup_algorithm(compression_algs, ipcomp);
1037 if (alg_name == NULL)
1038 {
1039 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1040 ipcomp_transform_names, ipcomp);
1041 return FAILED;
1042 }
1043 DBG2(DBG_KNL, " using compression algorithm %N",
1044 ipcomp_transform_names, ipcomp);
1045
1046 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
1047 hdr->nlmsg_len += rthdr->rta_len;
1048 if (hdr->nlmsg_len > sizeof(request))
1049 {
1050 return FAILED;
1051 }
1052
1053 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1054 algo->alg_key_len = 0;
1055 strcpy(algo->alg_name, alg_name);
1056
1057 rthdr = XFRM_RTA_NEXT(rthdr);
1058 }
1059
1060 if (encap)
1061 {
1062 rthdr->rta_type = XFRMA_ENCAP;
1063 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1064
1065 hdr->nlmsg_len += rthdr->rta_len;
1066 if (hdr->nlmsg_len > sizeof(request))
1067 {
1068 return FAILED;
1069 }
1070
1071 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1072 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1073 tmpl->encap_sport = htons(src->get_port(src));
1074 tmpl->encap_dport = htons(dst->get_port(dst));
1075 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1076 /* encap_oa could probably be derived from the
1077 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1078 * pluto does the same as we do here but it uses encap_oa in the
1079 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1080 * the kernel ignores it anyway
1081 * -> does that mean that NAT-T encap doesn't work in transport mode?
1082 * No. The reason the kernel ignores NAT-OA is that it recomputes
1083 * (or, rather, just ignores) the checksum. If packets pass
1084 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1085 rthdr = XFRM_RTA_NEXT(rthdr);
1086 }
1087
1088 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1089 {
1090 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1091 return FAILED;
1092 }
1093 return SUCCESS;
1094 }
1095
1096 /**
1097 * Get the replay state (i.e. sequence numbers) of an SA.
1098 */
1099 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
1100 u_int32_t spi, protocol_id_t protocol, host_t *dst,
1101 struct xfrm_replay_state *replay)
1102 {
1103 netlink_buf_t request;
1104 struct nlmsghdr *hdr, *out = NULL;
1105 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1106 size_t len;
1107 struct rtattr *rta;
1108 size_t rtasize;
1109
1110 memset(&request, 0, sizeof(request));
1111
1112 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
1113
1114 hdr = (struct nlmsghdr*)request;
1115 hdr->nlmsg_flags = NLM_F_REQUEST;
1116 hdr->nlmsg_type = XFRM_MSG_GETAE;
1117 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1118
1119 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1120 aevent_id->flags = XFRM_AE_RVAL;
1121
1122 host2xfrm(dst, &aevent_id->sa_id.daddr);
1123 aevent_id->sa_id.spi = spi;
1124 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
1125 aevent_id->sa_id.family = dst->get_family(dst);
1126
1127 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1128 {
1129 hdr = out;
1130 while (NLMSG_OK(hdr, len))
1131 {
1132 switch (hdr->nlmsg_type)
1133 {
1134 case XFRM_MSG_NEWAE:
1135 {
1136 out_aevent = NLMSG_DATA(hdr);
1137 break;
1138 }
1139 case NLMSG_ERROR:
1140 {
1141 struct nlmsgerr *err = NLMSG_DATA(hdr);
1142 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
1143 strerror(-err->error), -err->error);
1144 break;
1145 }
1146 default:
1147 hdr = NLMSG_NEXT(hdr, len);
1148 continue;
1149 case NLMSG_DONE:
1150 break;
1151 }
1152 break;
1153 }
1154 }
1155
1156 if (out_aevent == NULL)
1157 {
1158 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1159 ntohl(spi));
1160 free(out);
1161 return FAILED;
1162 }
1163
1164 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1165 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1166 while(RTA_OK(rta, rtasize))
1167 {
1168 if (rta->rta_type == XFRMA_REPLAY_VAL &&
1169 RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
1170 {
1171 memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
1172 free(out);
1173 return SUCCESS;
1174 }
1175 rta = RTA_NEXT(rta, rtasize);
1176 }
1177
1178 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1179 ntohl(spi));
1180 free(out);
1181 return FAILED;
1182 }
1183
1184 /**
1185 * Implementation of kernel_interface_t.del_sa.
1186 */
1187 static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
1188 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
1189 {
1190 netlink_buf_t request;
1191 struct nlmsghdr *hdr;
1192 struct xfrm_usersa_id *sa_id;
1193
1194 /* if IPComp was used, we first delete the additional IPComp SA */
1195 if (cpi)
1196 {
1197 del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
1198 }
1199
1200 memset(&request, 0, sizeof(request));
1201
1202 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1203
1204 hdr = (struct nlmsghdr*)request;
1205 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1206 hdr->nlmsg_type = XFRM_MSG_DELSA;
1207 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1208
1209 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1210 host2xfrm(dst, &sa_id->daddr);
1211 sa_id->spi = spi;
1212 sa_id->proto = proto_ike2kernel(protocol);
1213 sa_id->family = dst->get_family(dst);
1214
1215 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1216 {
1217 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1218 return FAILED;
1219 }
1220 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1221 return SUCCESS;
1222 }
1223
1224 /**
1225 * Implementation of kernel_interface_t.update_sa.
1226 */
1227 static status_t update_sa(private_kernel_netlink_ipsec_t *this,
1228 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1229 host_t *src, host_t *dst,
1230 host_t *new_src, host_t *new_dst,
1231 bool old_encap, bool new_encap)
1232 {
1233 netlink_buf_t request;
1234 u_char *pos;
1235 struct nlmsghdr *hdr, *out = NULL;
1236 struct xfrm_usersa_id *sa_id;
1237 struct xfrm_usersa_info *out_sa = NULL, *sa;
1238 size_t len;
1239 struct rtattr *rta;
1240 size_t rtasize;
1241 struct xfrm_encap_tmpl* tmpl = NULL;
1242 bool got_replay_state = FALSE;
1243 struct xfrm_replay_state replay;
1244
1245 /* if IPComp is used, we first update the IPComp SA */
1246 if (cpi)
1247 {
1248 update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
1249 src, dst, new_src, new_dst, FALSE, FALSE);
1250 }
1251
1252 memset(&request, 0, sizeof(request));
1253
1254 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1255
1256 /* query the existing SA first */
1257 hdr = (struct nlmsghdr*)request;
1258 hdr->nlmsg_flags = NLM_F_REQUEST;
1259 hdr->nlmsg_type = XFRM_MSG_GETSA;
1260 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1261
1262 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1263 host2xfrm(dst, &sa_id->daddr);
1264 sa_id->spi = spi;
1265 sa_id->proto = proto_ike2kernel(protocol);
1266 sa_id->family = dst->get_family(dst);
1267
1268 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1269 {
1270 hdr = out;
1271 while (NLMSG_OK(hdr, len))
1272 {
1273 switch (hdr->nlmsg_type)
1274 {
1275 case XFRM_MSG_NEWSA:
1276 {
1277 out_sa = NLMSG_DATA(hdr);
1278 break;
1279 }
1280 case NLMSG_ERROR:
1281 {
1282 struct nlmsgerr *err = NLMSG_DATA(hdr);
1283 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1284 strerror(-err->error), -err->error);
1285 break;
1286 }
1287 default:
1288 hdr = NLMSG_NEXT(hdr, len);
1289 continue;
1290 case NLMSG_DONE:
1291 break;
1292 }
1293 break;
1294 }
1295 }
1296 if (out_sa == NULL)
1297 {
1298 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1299 free(out);
1300 return FAILED;
1301 }
1302
1303 /* try to get the replay state */
1304 if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
1305 {
1306 got_replay_state = TRUE;
1307 }
1308
1309 /* delete the old SA (without affecting the IPComp SA) */
1310 if (del_sa(this, dst, spi, protocol, 0) != SUCCESS)
1311 {
1312 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1313 free(out);
1314 return FAILED;
1315 }
1316
1317 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1318 ntohl(spi), src, dst, new_src, new_dst);
1319 /* copy over the SA from out to request */
1320 hdr = (struct nlmsghdr*)request;
1321 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1322 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1323 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1324 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1325 sa = NLMSG_DATA(hdr);
1326 sa->family = new_dst->get_family(new_dst);
1327
1328 if (!src->ip_equals(src, new_src))
1329 {
1330 host2xfrm(new_src, &sa->saddr);
1331 }
1332 if (!dst->ip_equals(dst, new_dst))
1333 {
1334 host2xfrm(new_dst, &sa->id.daddr);
1335 }
1336
1337 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1338 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1339 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1340 while(RTA_OK(rta, rtasize))
1341 {
1342 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1343 if (rta->rta_type != XFRMA_ENCAP || new_encap)
1344 {
1345 if (rta->rta_type == XFRMA_ENCAP)
1346 { /* update encap tmpl */
1347 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1348 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1349 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1350 }
1351 memcpy(pos, rta, rta->rta_len);
1352 pos += RTA_ALIGN(rta->rta_len);
1353 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1354 }
1355 rta = RTA_NEXT(rta, rtasize);
1356 }
1357
1358 rta = (struct rtattr*)pos;
1359 if (tmpl == NULL && new_encap)
1360 { /* add tmpl if we are enabling it */
1361 rta->rta_type = XFRMA_ENCAP;
1362 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1363
1364 hdr->nlmsg_len += rta->rta_len;
1365 if (hdr->nlmsg_len > sizeof(request))
1366 {
1367 return FAILED;
1368 }
1369
1370 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1371 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1372 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1373 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1374 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1375
1376 rta = XFRM_RTA_NEXT(rta);
1377 }
1378
1379 if (got_replay_state)
1380 { /* copy the replay data if available */
1381 rta->rta_type = XFRMA_REPLAY_VAL;
1382 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1383
1384 hdr->nlmsg_len += rta->rta_len;
1385 if (hdr->nlmsg_len > sizeof(request))
1386 {
1387 return FAILED;
1388 }
1389 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1390
1391 rta = XFRM_RTA_NEXT(rta);
1392 }
1393
1394 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1395 {
1396 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1397 free(out);
1398 return FAILED;
1399 }
1400 free(out);
1401
1402 return SUCCESS;
1403 }
1404
1405 /**
1406 * Implementation of kernel_interface_t.add_policy.
1407 */
1408 static status_t add_policy(private_kernel_netlink_ipsec_t *this,
1409 host_t *src, host_t *dst,
1410 traffic_selector_t *src_ts,
1411 traffic_selector_t *dst_ts,
1412 policy_dir_t direction, u_int32_t spi,
1413 protocol_id_t protocol, u_int32_t reqid,
1414 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1415 bool routed)
1416 {
1417 policy_entry_t *current, *policy;
1418 bool found = FALSE;
1419 netlink_buf_t request;
1420 struct xfrm_userpolicy_info *policy_info;
1421 struct nlmsghdr *hdr;
1422
1423 /* create a policy */
1424 policy = malloc_thing(policy_entry_t);
1425 memset(policy, 0, sizeof(policy_entry_t));
1426 policy->sel = ts2selector(src_ts, dst_ts);
1427 policy->direction = direction;
1428
1429 /* find the policy, which matches EXACTLY */
1430 this->mutex->lock(this->mutex);
1431 current = this->policies->get(this->policies, policy);
1432 if (current)
1433 {
1434 /* use existing policy */
1435 current->refcount++;
1436 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1437 "refcount", src_ts, dst_ts,
1438 policy_dir_names, direction);
1439 free(policy);
1440 policy = current;
1441 found = TRUE;
1442 }
1443 else
1444 { /* apply the new one, if we have no such policy */
1445 this->policies->put(this->policies, policy, policy);
1446 policy->refcount = 1;
1447 }
1448
1449 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1450 policy_dir_names, direction);
1451
1452 memset(&request, 0, sizeof(request));
1453 hdr = (struct nlmsghdr*)request;
1454 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1455 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1456 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1457
1458 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1459 policy_info->sel = policy->sel;
1460 policy_info->dir = policy->direction;
1461 /* calculate priority based on source selector size, small size = high prio */
1462 policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
1463 policy_info->priority -= policy->sel.prefixlen_s * 10;
1464 policy_info->priority -= policy->sel.proto ? 2 : 0;
1465 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1466 policy_info->action = XFRM_POLICY_ALLOW;
1467 policy_info->share = XFRM_SHARE_ANY;
1468 this->mutex->unlock(this->mutex);
1469
1470 /* policies don't expire */
1471 policy_info->lft.soft_byte_limit = XFRM_INF;
1472 policy_info->lft.soft_packet_limit = XFRM_INF;
1473 policy_info->lft.hard_byte_limit = XFRM_INF;
1474 policy_info->lft.hard_packet_limit = XFRM_INF;
1475 policy_info->lft.soft_add_expires_seconds = 0;
1476 policy_info->lft.hard_add_expires_seconds = 0;
1477 policy_info->lft.soft_use_expires_seconds = 0;
1478 policy_info->lft.hard_use_expires_seconds = 0;
1479
1480 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1481 rthdr->rta_type = XFRMA_TMPL;
1482 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1483
1484 hdr->nlmsg_len += rthdr->rta_len;
1485 if (hdr->nlmsg_len > sizeof(request))
1486 {
1487 return FAILED;
1488 }
1489
1490 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1491
1492 if (ipcomp != IPCOMP_NONE)
1493 {
1494 tmpl->reqid = reqid;
1495 tmpl->id.proto = IPPROTO_COMP;
1496 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1497 tmpl->mode = mode;
1498 tmpl->optional = direction != POLICY_OUT;
1499 tmpl->family = src->get_family(src);
1500
1501 host2xfrm(src, &tmpl->saddr);
1502 host2xfrm(dst, &tmpl->id.daddr);
1503
1504 /* add an additional xfrm_user_tmpl */
1505 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1506 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1507 if (hdr->nlmsg_len > sizeof(request))
1508 {
1509 return FAILED;
1510 }
1511
1512 tmpl++;
1513 }
1514
1515 tmpl->reqid = reqid;
1516 tmpl->id.proto = proto_ike2kernel(protocol);
1517 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1518 tmpl->mode = mode;
1519 tmpl->family = src->get_family(src);
1520
1521 host2xfrm(src, &tmpl->saddr);
1522 host2xfrm(dst, &tmpl->id.daddr);
1523
1524 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1525 {
1526 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1527 policy_dir_names, direction);
1528 return FAILED;
1529 }
1530
1531 /* install a route, if:
1532 * - we are NOT updating a policy
1533 * - this is a forward policy (to just get one for each child)
1534 * - we are in tunnel mode
1535 * - we are not using IPv6 (does not work correctly yet!)
1536 * - routing is not disabled via strongswan.conf
1537 */
1538 if (policy->route == NULL && direction == POLICY_FWD &&
1539 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1540 this->install_routes)
1541 {
1542 route_entry_t *route = malloc_thing(route_entry_t);
1543
1544 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1545 dst_ts, &route->src_ip) == SUCCESS)
1546 {
1547 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1548 route->gateway = charon->kernel_interface->get_nexthop(
1549 charon->kernel_interface, src);
1550 route->if_name = charon->kernel_interface->get_interface(
1551 charon->kernel_interface, dst);
1552 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1553 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1554 route->prefixlen = policy->sel.prefixlen_s;
1555
1556 if (route->if_name)
1557 {
1558 switch (charon->kernel_interface->add_route(
1559 charon->kernel_interface, route->dst_net,
1560 route->prefixlen, route->gateway,
1561 route->src_ip, route->if_name))
1562 {
1563 default:
1564 DBG1(DBG_KNL, "unable to install source route for %H",
1565 route->src_ip);
1566 /* FALL */
1567 case ALREADY_DONE:
1568 /* route exists, do not uninstall */
1569 route_entry_destroy(route);
1570 break;
1571 case SUCCESS:
1572 /* cache the installed route */
1573 policy->route = route;
1574 break;
1575 }
1576 }
1577 else
1578 {
1579 route_entry_destroy(route);
1580 }
1581 }
1582 else
1583 {
1584 free(route);
1585 }
1586 }
1587 return SUCCESS;
1588 }
1589
1590 /**
1591 * Implementation of kernel_interface_t.query_policy.
1592 */
1593 static status_t query_policy(private_kernel_netlink_ipsec_t *this,
1594 traffic_selector_t *src_ts,
1595 traffic_selector_t *dst_ts,
1596 policy_dir_t direction, u_int32_t *use_time)
1597 {
1598 netlink_buf_t request;
1599 struct nlmsghdr *out = NULL, *hdr;
1600 struct xfrm_userpolicy_id *policy_id;
1601 struct xfrm_userpolicy_info *policy = NULL;
1602 size_t len;
1603
1604 memset(&request, 0, sizeof(request));
1605
1606 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1607 policy_dir_names, direction);
1608
1609 hdr = (struct nlmsghdr*)request;
1610 hdr->nlmsg_flags = NLM_F_REQUEST;
1611 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1612 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1613
1614 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1615 policy_id->sel = ts2selector(src_ts, dst_ts);
1616 policy_id->dir = direction;
1617
1618 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1619 {
1620 hdr = out;
1621 while (NLMSG_OK(hdr, len))
1622 {
1623 switch (hdr->nlmsg_type)
1624 {
1625 case XFRM_MSG_NEWPOLICY:
1626 {
1627 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1628 break;
1629 }
1630 case NLMSG_ERROR:
1631 {
1632 struct nlmsgerr *err = NLMSG_DATA(hdr);
1633 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1634 strerror(-err->error), -err->error);
1635 break;
1636 }
1637 default:
1638 hdr = NLMSG_NEXT(hdr, len);
1639 continue;
1640 case NLMSG_DONE:
1641 break;
1642 }
1643 break;
1644 }
1645 }
1646
1647 if (policy == NULL)
1648 {
1649 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1650 policy_dir_names, direction);
1651 free(out);
1652 return FAILED;
1653 }
1654 *use_time = (time_t)policy->curlft.use_time;
1655
1656 free(out);
1657 return SUCCESS;
1658 }
1659
1660 /**
1661 * Implementation of kernel_interface_t.del_policy.
1662 */
1663 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
1664 traffic_selector_t *src_ts,
1665 traffic_selector_t *dst_ts,
1666 policy_dir_t direction, bool unrouted)
1667 {
1668 policy_entry_t *current, policy, *to_delete = NULL;
1669 route_entry_t *route;
1670 netlink_buf_t request;
1671 struct nlmsghdr *hdr;
1672 struct xfrm_userpolicy_id *policy_id;
1673
1674 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1675 policy_dir_names, direction);
1676
1677 /* create a policy */
1678 memset(&policy, 0, sizeof(policy_entry_t));
1679 policy.sel = ts2selector(src_ts, dst_ts);
1680 policy.direction = direction;
1681
1682 /* find the policy */
1683 this->mutex->lock(this->mutex);
1684 current = this->policies->get(this->policies, &policy);
1685 if (current)
1686 {
1687 to_delete = current;
1688 if (--to_delete->refcount > 0)
1689 {
1690 /* is used by more SAs, keep in kernel */
1691 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1692 this->mutex->unlock(this->mutex);
1693 return SUCCESS;
1694 }
1695 /* remove if last reference */
1696 this->policies->remove(this->policies, to_delete);
1697 }
1698 this->mutex->unlock(this->mutex);
1699 if (!to_delete)
1700 {
1701 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1702 dst_ts, policy_dir_names, direction);
1703 return NOT_FOUND;
1704 }
1705
1706 memset(&request, 0, sizeof(request));
1707
1708 hdr = (struct nlmsghdr*)request;
1709 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1710 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1711 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1712
1713 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1714 policy_id->sel = to_delete->sel;
1715 policy_id->dir = direction;
1716
1717 route = to_delete->route;
1718 free(to_delete);
1719
1720 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1721 {
1722 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1723 policy_dir_names, direction);
1724 return FAILED;
1725 }
1726
1727 if (route)
1728 {
1729 if (charon->kernel_interface->del_route(charon->kernel_interface,
1730 route->dst_net, route->prefixlen, route->gateway,
1731 route->src_ip, route->if_name) != SUCCESS)
1732 {
1733 DBG1(DBG_KNL, "error uninstalling route installed with "
1734 "policy %R === %R %N", src_ts, dst_ts,
1735 policy_dir_names, direction);
1736 }
1737 route_entry_destroy(route);
1738 }
1739 return SUCCESS;
1740 }
1741
1742 /**
1743 * Implementation of kernel_interface_t.destroy.
1744 */
1745 static void destroy(private_kernel_netlink_ipsec_t *this)
1746 {
1747 enumerator_t *enumerator;
1748 policy_entry_t *policy;
1749
1750 this->job->cancel(this->job);
1751 close(this->socket_xfrm_events);
1752 this->socket_xfrm->destroy(this->socket_xfrm);
1753 enumerator = this->policies->create_enumerator(this->policies);
1754 while (enumerator->enumerate(enumerator, (void**)&policy))
1755 {
1756 free(policy);
1757 }
1758 enumerator->destroy(enumerator);
1759 this->policies->destroy(this->policies);
1760 this->mutex->destroy(this->mutex);
1761 free(this);
1762 }
1763
1764 /**
1765 * Add bypass policies for IKE on the sockets used by charon
1766 */
1767 static bool add_bypass_policies()
1768 {
1769 int fd, family, port;
1770 enumerator_t *sockets;
1771 bool status = TRUE;
1772
1773 /* we open an AF_KEY socket to autoload the af_key module. Otherwise
1774 * setsockopt(IPSEC_POLICY) won't work. */
1775 fd = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
1776 if (fd == 0)
1777 {
1778 DBG1(DBG_KNL, "could not open AF_KEY socket");
1779 return FALSE;
1780 }
1781 close(fd);
1782
1783 sockets = charon->socket->create_enumerator(charon->socket);
1784 while (sockets->enumerate(sockets, &fd, &family, &port))
1785 {
1786 struct sadb_x_policy policy;
1787 u_int sol, ipsec_policy;
1788
1789 switch (family)
1790 {
1791 case AF_INET:
1792 sol = SOL_IP;
1793 ipsec_policy = IP_IPSEC_POLICY;
1794 break;
1795 case AF_INET6:
1796 sol = SOL_IPV6;
1797 ipsec_policy = IPV6_IPSEC_POLICY;
1798 break;
1799 default:
1800 continue;
1801 }
1802
1803 memset(&policy, 0, sizeof(policy));
1804 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
1805 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1806 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
1807
1808 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
1809 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1810 {
1811 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1812 strerror(errno));
1813 status = FALSE;
1814 break;
1815 }
1816 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
1817 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1818 {
1819 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1820 strerror(errno));
1821 status = FALSE;
1822 break;
1823 }
1824 }
1825 sockets->destroy(sockets);
1826 return status;
1827 }
1828
1829 /*
1830 * Described in header.
1831 */
1832 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
1833 {
1834 private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
1835 struct sockaddr_nl addr;
1836
1837 /* public functions */
1838 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1839 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1840 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
1841 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
1842 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
1843 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
1844 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1845 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
1846 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1847
1848 /* private members */
1849 this->policies = hashtable_create((hashtable_hash_t)policy_hash,
1850 (hashtable_equals_t)policy_equals, 1);
1851 this->mutex = mutex_create(MUTEX_DEFAULT);
1852 this->install_routes = lib->settings->get_bool(lib->settings,
1853 "charon.install_routes", TRUE);
1854
1855 /* add bypass policies on the sockets used by charon */
1856 if (!add_bypass_policies())
1857 {
1858 charon->kill(charon, "unable to add bypass policies on sockets");
1859 }
1860
1861 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
1862
1863 memset(&addr, 0, sizeof(addr));
1864 addr.nl_family = AF_NETLINK;
1865
1866 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
1867 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1868 if (this->socket_xfrm_events <= 0)
1869 {
1870 charon->kill(charon, "unable to create XFRM event socket");
1871 }
1872 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
1873 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
1874 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
1875 {
1876 charon->kill(charon, "unable to bind XFRM event socket");
1877 }
1878
1879 this->job = callback_job_create((callback_job_cb_t)receive_events,
1880 this, NULL, NULL);
1881 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1882
1883 return &this->public;
1884 }
strongSwan - IPsec VPN