bf74f8e8200007778c8763cc9f95f3a5408467aa
[strongswan.git] / src / charon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 *
20 * $Id$
21 */
22
23 #include <sys/types.h>
24 #include <sys/socket.h>
25 #include <sys/time.h>
26 #include <stdint.h>
27 #include <linux/ipsec.h>
28 #include <linux/netlink.h>
29 #include <linux/rtnetlink.h>
30 #include <linux/xfrm.h>
31 #include <linux/udp.h>
32 #include <pthread.h>
33 #include <unistd.h>
34 #include <errno.h>
35 #include <string.h>
36
37 #include "kernel_netlink_ipsec.h"
38 #include "kernel_netlink_shared.h"
39
40 #include <daemon.h>
41 #include <utils/mutex.h>
42 #include <utils/linked_list.h>
43 #include <processing/jobs/callback_job.h>
44 #include <processing/jobs/acquire_job.h>
45 #include <processing/jobs/migrate_job.h>
46 #include <processing/jobs/rekey_child_sa_job.h>
47 #include <processing/jobs/delete_child_sa_job.h>
48 #include <processing/jobs/update_sa_job.h>
49
50 /** required for Linux 2.6.26 kernel and later */
51 #ifndef XFRM_STATE_AF_UNSPEC
52 #define XFRM_STATE_AF_UNSPEC 32
53 #endif
54
55 /** from linux/in.h */
56 #ifndef IP_IPSEC_POLICY
57 #define IP_IPSEC_POLICY 16
58 #endif
59
60 /* missing on uclibc */
61 #ifndef IPV6_IPSEC_POLICY
62 #define IPV6_IPSEC_POLICY 34
63 #endif /*IPV6_IPSEC_POLICY*/
64
65 /** default priority of installed policies */
66 #define PRIO_LOW 3000
67 #define PRIO_HIGH 2000
68
69 /**
70 * Create ORable bitfield of XFRM NL groups
71 */
72 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
73
74 /**
75 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
76 * 'usual' netlink data x like 'struct xfrm_usersa_info'
77 */
78 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
79 /**
80 * returns a pointer to the next rtattr following rta.
81 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
82 */
83 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
84 /**
85 * returns the total size of attached rta data
86 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
87 */
88 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
89
90 typedef struct kernel_algorithm_t kernel_algorithm_t;
91
92 /**
93 * Mapping of IKEv2 kernel identifier to linux crypto API names
94 */
95 struct kernel_algorithm_t {
96 /**
97 * Identifier specified in IKEv2
98 */
99 int ikev2;
100
101 /**
102 * Name of the algorithm in linux crypto API
103 */
104 char *name;
105 };
106
107 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
108 "XFRMA_UNSPEC",
109 "XFRMA_ALG_AUTH",
110 "XFRMA_ALG_CRYPT",
111 "XFRMA_ALG_COMP",
112 "XFRMA_ENCAP",
113 "XFRMA_TMPL",
114 "XFRMA_SA",
115 "XFRMA_POLICY",
116 "XFRMA_SEC_CTX",
117 "XFRMA_LTIME_VAL",
118 "XFRMA_REPLAY_VAL",
119 "XFRMA_REPLAY_THRESH",
120 "XFRMA_ETIMER_THRESH",
121 "XFRMA_SRCADDR",
122 "XFRMA_COADDR",
123 "XFRMA_LASTUSED",
124 "XFRMA_POLICY_TYPE",
125 "XFRMA_MIGRATE",
126 "XFRMA_ALG_AEAD",
127 "XFRMA_KMADDRESS"
128 );
129
130 #define END_OF_LIST -1
131
132 /**
133 * Algorithms for encryption
134 */
135 static kernel_algorithm_t encryption_algs[] = {
136 /* {ENCR_DES_IV64, "***" }, */
137 {ENCR_DES, "des" },
138 {ENCR_3DES, "des3_ede" },
139 /* {ENCR_RC5, "***" }, */
140 /* {ENCR_IDEA, "***" }, */
141 {ENCR_CAST, "cast128" },
142 {ENCR_BLOWFISH, "blowfish" },
143 /* {ENCR_3IDEA, "***" }, */
144 /* {ENCR_DES_IV32, "***" }, */
145 {ENCR_NULL, "cipher_null" },
146 {ENCR_AES_CBC, "aes" },
147 /* {ENCR_AES_CTR, "***" }, */
148 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
149 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
150 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
151 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
152 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
153 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
154 {END_OF_LIST, NULL },
155 };
156
157 /**
158 * Algorithms for integrity protection
159 */
160 static kernel_algorithm_t integrity_algs[] = {
161 {AUTH_HMAC_MD5_96, "md5" },
162 {AUTH_HMAC_SHA1_96, "sha1" },
163 {AUTH_HMAC_SHA2_256_128, "sha256" },
164 {AUTH_HMAC_SHA2_384_192, "sha384" },
165 {AUTH_HMAC_SHA2_512_256, "sha512" },
166 /* {AUTH_DES_MAC, "***" }, */
167 /* {AUTH_KPDK_MD5, "***" }, */
168 {AUTH_AES_XCBC_96, "xcbc(aes)" },
169 {END_OF_LIST, NULL },
170 };
171
172 /**
173 * Algorithms for IPComp
174 */
175 static kernel_algorithm_t compression_algs[] = {
176 /* {IPCOMP_OUI, "***" }, */
177 {IPCOMP_DEFLATE, "deflate" },
178 {IPCOMP_LZS, "lzs" },
179 {IPCOMP_LZJH, "lzjh" },
180 {END_OF_LIST, NULL },
181 };
182
183 /**
184 * Look up a kernel algorithm name and its key size
185 */
186 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
187 {
188 while (list->ikev2 != END_OF_LIST)
189 {
190 if (list->ikev2 == ikev2)
191 {
192 return list->name;
193 }
194 list++;
195 }
196 return NULL;
197 }
198
199 typedef struct route_entry_t route_entry_t;
200
201 /**
202 * installed routing entry
203 */
204 struct route_entry_t {
205 /** Name of the interface the route is bound to */
206 char *if_name;
207
208 /** Source ip of the route */
209 host_t *src_ip;
210
211 /** gateway for this route */
212 host_t *gateway;
213
214 /** Destination net */
215 chunk_t dst_net;
216
217 /** Destination net prefixlen */
218 u_int8_t prefixlen;
219 };
220
221 /**
222 * destroy an route_entry_t object
223 */
224 static void route_entry_destroy(route_entry_t *this)
225 {
226 free(this->if_name);
227 this->src_ip->destroy(this->src_ip);
228 this->gateway->destroy(this->gateway);
229 chunk_free(&this->dst_net);
230 free(this);
231 }
232
233 typedef struct policy_entry_t policy_entry_t;
234
235 /**
236 * installed kernel policy.
237 */
238 struct policy_entry_t {
239
240 /** direction of this policy: in, out, forward */
241 u_int8_t direction;
242
243 /** parameters of installed policy */
244 struct xfrm_selector sel;
245
246 /** associated route installed for this policy */
247 route_entry_t *route;
248
249 /** by how many CHILD_SA's this policy is used */
250 u_int refcount;
251 };
252
253 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
254
255 /**
256 * Private variables and functions of kernel_netlink class.
257 */
258 struct private_kernel_netlink_ipsec_t {
259 /**
260 * Public part of the kernel_netlink_t object.
261 */
262 kernel_netlink_ipsec_t public;
263
264 /**
265 * mutex to lock access to various lists
266 */
267 mutex_t *mutex;
268
269 /**
270 * List of installed policies (policy_entry_t)
271 */
272 linked_list_t *policies;
273
274 /**
275 * job receiving netlink events
276 */
277 callback_job_t *job;
278
279 /**
280 * Netlink xfrm socket (IPsec)
281 */
282 netlink_socket_t *socket_xfrm;
283
284 /**
285 * netlink xfrm socket to receive acquire and expire events
286 */
287 int socket_xfrm_events;
288
289 /**
290 * whether to install routes along policies
291 */
292 bool install_routes;
293 };
294
295 /**
296 * convert a IKEv2 specific protocol identifier to the kernel one
297 */
298 static u_int8_t proto_ike2kernel(protocol_id_t proto)
299 {
300 switch (proto)
301 {
302 case PROTO_ESP:
303 return IPPROTO_ESP;
304 case PROTO_AH:
305 return IPPROTO_AH;
306 default:
307 return proto;
308 }
309 }
310
311 /**
312 * reverse of ike2kernel
313 */
314 static protocol_id_t proto_kernel2ike(u_int8_t proto)
315 {
316 switch (proto)
317 {
318 case IPPROTO_ESP:
319 return PROTO_ESP;
320 case IPPROTO_AH:
321 return PROTO_AH;
322 default:
323 return proto;
324 }
325 }
326
327 /**
328 * convert a host_t to a struct xfrm_address
329 */
330 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
331 {
332 chunk_t chunk = host->get_address(host);
333 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
334 }
335
336 /**
337 * convert a struct xfrm_address to a host_t
338 */
339 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
340 {
341 chunk_t chunk;
342
343 switch (family)
344 {
345 case AF_INET:
346 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
347 break;
348 case AF_INET6:
349 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
350 break;
351 default:
352 return NULL;
353 }
354 return host_create_from_chunk(family, chunk, ntohs(port));
355 }
356
357 /**
358 * convert a traffic selector address range to subnet and its mask.
359 */
360 static void ts2subnet(traffic_selector_t* ts,
361 xfrm_address_t *net, u_int8_t *mask)
362 {
363 host_t *net_host;
364 chunk_t net_chunk;
365
366 ts->to_subnet(ts, &net_host, mask);
367 net_chunk = net_host->get_address(net_host);
368 memcpy(net, net_chunk.ptr, net_chunk.len);
369 net_host->destroy(net_host);
370 }
371
372 /**
373 * convert a traffic selector port range to port/portmask
374 */
375 static void ts2ports(traffic_selector_t* ts,
376 u_int16_t *port, u_int16_t *mask)
377 {
378 /* linux does not seem to accept complex portmasks. Only
379 * any or a specific port is allowed. We set to any, if we have
380 * a port range, or to a specific, if we have one port only.
381 */
382 u_int16_t from, to;
383
384 from = ts->get_from_port(ts);
385 to = ts->get_to_port(ts);
386
387 if (from == to)
388 {
389 *port = htons(from);
390 *mask = ~0;
391 }
392 else
393 {
394 *port = 0;
395 *mask = 0;
396 }
397 }
398
399 /**
400 * convert a pair of traffic_selectors to a xfrm_selector
401 */
402 static struct xfrm_selector ts2selector(traffic_selector_t *src,
403 traffic_selector_t *dst)
404 {
405 struct xfrm_selector sel;
406
407 memset(&sel, 0, sizeof(sel));
408 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
409 /* src or dest proto may be "any" (0), use more restrictive one */
410 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
411 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
412 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
413 ts2ports(dst, &sel.dport, &sel.dport_mask);
414 ts2ports(src, &sel.sport, &sel.sport_mask);
415 sel.ifindex = 0;
416 sel.user = 0;
417
418 return sel;
419 }
420
421 /**
422 * convert a xfrm_selector to a src|dst traffic_selector
423 */
424 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
425 {
426 int family;
427 chunk_t addr;
428 u_int8_t prefixlen;
429 u_int16_t port, port_mask;
430 host_t *host;
431 traffic_selector_t *ts;
432
433 if (src)
434 {
435 addr.ptr = (u_char*)&sel->saddr;
436 prefixlen = sel->prefixlen_s;
437 port = sel->sport;
438 port_mask = sel->sport_mask;
439 }
440 else
441 {
442 addr.ptr = (u_char*)&sel->daddr;
443 prefixlen = sel->prefixlen_d;
444 port = sel->dport;
445 port_mask = sel->dport_mask;
446 }
447
448 /* The Linux 2.6 kernel does not set the selector's family field,
449 * so as a kludge we additionally test the prefix length.
450 */
451 if (sel->family == AF_INET || sel->prefixlen_s == 32)
452 {
453 family = AF_INET;
454 addr.len = 4;
455 }
456 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
457 {
458 family = AF_INET6;
459 addr.len = 16;
460 }
461 else
462 {
463 return NULL;
464 }
465 host = host_create_from_chunk(family, addr, 0);
466 port = (port_mask == 0) ? 0 : ntohs(port);
467
468 ts = traffic_selector_create_from_subnet(host, prefixlen, sel->proto, port);
469 host->destroy(host);
470 return ts;
471 }
472
473 /**
474 * process a XFRM_MSG_ACQUIRE from kernel
475 */
476 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
477 {
478 u_int32_t reqid = 0;
479 int proto = 0;
480 traffic_selector_t *src_ts, *dst_ts;
481 struct xfrm_user_acquire *acquire;
482 struct rtattr *rta;
483 size_t rtasize;
484 job_t *job;
485
486 acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
487 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
488 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
489
490 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
491
492 while (RTA_OK(rta, rtasize))
493 {
494 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
495
496 if (rta->rta_type == XFRMA_TMPL)
497 {
498 struct xfrm_user_tmpl* tmpl;
499
500 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
501 reqid = tmpl->reqid;
502 proto = tmpl->id.proto;
503 }
504 rta = RTA_NEXT(rta, rtasize);
505 }
506 switch (proto)
507 {
508 case 0:
509 case IPPROTO_ESP:
510 case IPPROTO_AH:
511 break;
512 default:
513 /* acquire for AH/ESP only, not for IPCOMP */
514 return;
515 }
516 src_ts = selector2ts(&acquire->sel, TRUE);
517 dst_ts = selector2ts(&acquire->sel, FALSE);
518 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
519 src_ts, dst_ts, reqid);
520 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
521 charon->processor->queue_job(charon->processor, job);
522 }
523
524 /**
525 * process a XFRM_MSG_EXPIRE from kernel
526 */
527 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
528 {
529 job_t *job;
530 protocol_id_t protocol;
531 u_int32_t spi, reqid;
532 struct xfrm_user_expire *expire;
533
534 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
535 protocol = proto_kernel2ike(expire->state.id.proto);
536 spi = expire->state.id.spi;
537 reqid = expire->state.reqid;
538
539 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
540
541 if (protocol != PROTO_ESP && protocol != PROTO_AH)
542 {
543 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
544 "which is not a CHILD_SA", ntohl(spi), reqid);
545 return;
546 }
547
548 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
549 expire->hard ? "delete" : "rekey", protocol_id_names,
550 protocol, ntohl(spi), reqid);
551 if (expire->hard)
552 {
553 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
554 }
555 else
556 {
557 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
558 }
559 charon->processor->queue_job(charon->processor, job);
560 }
561
562 /**
563 * process a XFRM_MSG_MIGRATE from kernel
564 */
565 static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
566 {
567 traffic_selector_t *src_ts, *dst_ts;
568 host_t *local = NULL, *remote = NULL;
569 host_t *old_src = NULL, *old_dst = NULL;
570 host_t *new_src = NULL, *new_dst = NULL;
571 struct xfrm_userpolicy_id *policy_id;
572 struct rtattr *rta;
573 size_t rtasize;
574 u_int32_t reqid = 0;
575 policy_dir_t dir;
576 job_t *job;
577
578 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
579 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
580 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
581
582 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
583
584 src_ts = selector2ts(&policy_id->sel, TRUE);
585 dst_ts = selector2ts(&policy_id->sel, FALSE);
586 dir = (policy_dir_t)policy_id->dir;
587
588 DBG2(DBG_KNL, " policy: %R === %R %N", src_ts, dst_ts, policy_dir_names);
589
590 while (RTA_OK(rta, rtasize))
591 {
592 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
593 if (rta->rta_type == XFRMA_KMADDRESS)
594 {
595 struct xfrm_user_kmaddress *kmaddress;
596
597 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
598 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
599 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
600 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
601 }
602 else if (rta->rta_type == XFRMA_MIGRATE)
603 {
604 struct xfrm_user_migrate *migrate;
605 protocol_id_t proto;
606
607 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
608 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
609 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
610 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
611 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
612 proto = proto_kernel2ike(migrate->proto);
613 reqid = migrate->reqid;
614 DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}",
615 protocol_id_names, proto, old_src, old_dst,
616 new_src, new_dst, reqid);
617 DESTROY_IF(old_src);
618 DESTROY_IF(old_dst);
619 DESTROY_IF(new_src);
620 DESTROY_IF(new_dst);
621 }
622 rta = RTA_NEXT(rta, rtasize);
623 }
624
625 if (src_ts && dst_ts && local && remote)
626 {
627 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
628 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
629 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
630 local, remote);
631 charon->processor->queue_job(charon->processor, job);
632 }
633 else
634 {
635 DESTROY_IF(src_ts);
636 DESTROY_IF(dst_ts);
637 DESTROY_IF(local);
638 DESTROY_IF(remote);
639 }
640 }
641
642 /**
643 * process a XFRM_MSG_MAPPING from kernel
644 */
645 static void process_mapping(private_kernel_netlink_ipsec_t *this,
646 struct nlmsghdr *hdr)
647 {
648 job_t *job;
649 u_int32_t spi, reqid;
650 struct xfrm_user_mapping *mapping;
651 host_t *host;
652
653 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
654 spi = mapping->id.spi;
655 reqid = mapping->reqid;
656
657 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
658
659 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
660 {
661 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
662 mapping->new_sport);
663 if (host)
664 {
665 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
666 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
667 job = (job_t*)update_sa_job_create(reqid, host);
668 charon->processor->queue_job(charon->processor, job);
669 }
670 }
671 }
672
673 /**
674 * Receives events from kernel
675 */
676 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
677 {
678 char response[1024];
679 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
680 struct sockaddr_nl addr;
681 socklen_t addr_len = sizeof(addr);
682 int len, oldstate;
683
684 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
685 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
686 (struct sockaddr*)&addr, &addr_len);
687 pthread_setcancelstate(oldstate, NULL);
688
689 if (len < 0)
690 {
691 switch (errno)
692 {
693 case EINTR:
694 /* interrupted, try again */
695 return JOB_REQUEUE_DIRECT;
696 case EAGAIN:
697 /* no data ready, select again */
698 return JOB_REQUEUE_DIRECT;
699 default:
700 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
701 sleep(1);
702 return JOB_REQUEUE_FAIR;
703 }
704 }
705
706 if (addr.nl_pid != 0)
707 { /* not from kernel. not interested, try another one */
708 return JOB_REQUEUE_DIRECT;
709 }
710
711 while (NLMSG_OK(hdr, len))
712 {
713 switch (hdr->nlmsg_type)
714 {
715 case XFRM_MSG_ACQUIRE:
716 process_acquire(this, hdr);
717 break;
718 case XFRM_MSG_EXPIRE:
719 process_expire(this, hdr);
720 break;
721 case XFRM_MSG_MIGRATE:
722 process_migrate(this, hdr);
723 break;
724 case XFRM_MSG_MAPPING:
725 process_mapping(this, hdr);
726 break;
727 default:
728 break;
729 }
730 hdr = NLMSG_NEXT(hdr, len);
731 }
732 return JOB_REQUEUE_DIRECT;
733 }
734
735 /**
736 * Get an SPI for a specific protocol from the kernel.
737 */
738 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
739 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
740 u_int32_t reqid, u_int32_t *spi)
741 {
742 netlink_buf_t request;
743 struct nlmsghdr *hdr, *out;
744 struct xfrm_userspi_info *userspi;
745 u_int32_t received_spi = 0;
746 size_t len;
747
748 memset(&request, 0, sizeof(request));
749
750 hdr = (struct nlmsghdr*)request;
751 hdr->nlmsg_flags = NLM_F_REQUEST;
752 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
753 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
754
755 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
756 host2xfrm(src, &userspi->info.saddr);
757 host2xfrm(dst, &userspi->info.id.daddr);
758 userspi->info.id.proto = proto;
759 userspi->info.mode = TRUE; /* tunnel mode */
760 userspi->info.reqid = reqid;
761 userspi->info.family = src->get_family(src);
762 userspi->min = min;
763 userspi->max = max;
764
765 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
766 {
767 hdr = out;
768 while (NLMSG_OK(hdr, len))
769 {
770 switch (hdr->nlmsg_type)
771 {
772 case XFRM_MSG_NEWSA:
773 {
774 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
775 received_spi = usersa->id.spi;
776 break;
777 }
778 case NLMSG_ERROR:
779 {
780 struct nlmsgerr *err = NLMSG_DATA(hdr);
781
782 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
783 strerror(-err->error), -err->error);
784 break;
785 }
786 default:
787 hdr = NLMSG_NEXT(hdr, len);
788 continue;
789 case NLMSG_DONE:
790 break;
791 }
792 break;
793 }
794 free(out);
795 }
796
797 if (received_spi == 0)
798 {
799 return FAILED;
800 }
801
802 *spi = received_spi;
803 return SUCCESS;
804 }
805
806 /**
807 * Implementation of kernel_interface_t.get_spi.
808 */
809 static status_t get_spi(private_kernel_netlink_ipsec_t *this,
810 host_t *src, host_t *dst,
811 protocol_id_t protocol, u_int32_t reqid,
812 u_int32_t *spi)
813 {
814 DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
815
816 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
817 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
818 {
819 DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
820 return FAILED;
821 }
822
823 DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
824
825 return SUCCESS;
826 }
827
828 /**
829 * Implementation of kernel_interface_t.get_cpi.
830 */
831 static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
832 host_t *src, host_t *dst,
833 u_int32_t reqid, u_int16_t *cpi)
834 {
835 u_int32_t received_spi = 0;
836
837 DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
838
839 if (get_spi_internal(this, src, dst,
840 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
841 {
842 DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
843 return FAILED;
844 }
845
846 *cpi = htons((u_int16_t)ntohl(received_spi));
847
848 DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
849
850 return SUCCESS;
851 }
852
853 /**
854 * Implementation of kernel_interface_t.add_sa.
855 */
856 static status_t add_sa(private_kernel_netlink_ipsec_t *this,
857 host_t *src, host_t *dst, u_int32_t spi,
858 protocol_id_t protocol, u_int32_t reqid,
859 u_int64_t expire_soft, u_int64_t expire_hard,
860 u_int16_t enc_alg, chunk_t enc_key,
861 u_int16_t int_alg, chunk_t int_key,
862 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
863 bool encap, bool inbound)
864 {
865 netlink_buf_t request;
866 char *alg_name;
867 struct nlmsghdr *hdr;
868 struct xfrm_usersa_info *sa;
869 u_int16_t icv_size = 64;
870
871 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
872 * we are in the recursive call below */
873 if (ipcomp != IPCOMP_NONE && cpi != 0)
874 {
875 add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, 0, 0,
876 ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
877 mode, ipcomp, 0, FALSE, inbound);
878 ipcomp = IPCOMP_NONE;
879 }
880
881 memset(&request, 0, sizeof(request));
882
883 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
884 ntohl(spi), reqid);
885
886 hdr = (struct nlmsghdr*)request;
887 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
888 hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
889 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
890
891 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
892 host2xfrm(src, &sa->saddr);
893 host2xfrm(dst, &sa->id.daddr);
894 sa->id.spi = spi;
895 sa->id.proto = proto_ike2kernel(protocol);
896 sa->family = src->get_family(src);
897 sa->mode = mode;
898 if (mode == MODE_TUNNEL)
899 {
900 sa->flags |= XFRM_STATE_AF_UNSPEC;
901 }
902 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
903 sa->reqid = reqid;
904 /* we currently do not expire SAs by volume/packet count */
905 sa->lft.soft_byte_limit = XFRM_INF;
906 sa->lft.hard_byte_limit = XFRM_INF;
907 sa->lft.soft_packet_limit = XFRM_INF;
908 sa->lft.hard_packet_limit = XFRM_INF;
909 /* we use lifetimes since added, not since used */
910 sa->lft.soft_add_expires_seconds = expire_soft;
911 sa->lft.hard_add_expires_seconds = expire_hard;
912 sa->lft.soft_use_expires_seconds = 0;
913 sa->lft.hard_use_expires_seconds = 0;
914
915 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
916
917 switch (enc_alg)
918 {
919 case ENCR_UNDEFINED:
920 /* no encryption */
921 break;
922 case ENCR_AES_CCM_ICV16:
923 case ENCR_AES_GCM_ICV16:
924 icv_size += 32;
925 /* FALL */
926 case ENCR_AES_CCM_ICV12:
927 case ENCR_AES_GCM_ICV12:
928 icv_size += 32;
929 /* FALL */
930 case ENCR_AES_CCM_ICV8:
931 case ENCR_AES_GCM_ICV8:
932 {
933 rthdr->rta_type = XFRMA_ALG_AEAD;
934 alg_name = lookup_algorithm(encryption_algs, enc_alg);
935 if (alg_name == NULL)
936 {
937 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
938 encryption_algorithm_names, enc_alg);
939 return FAILED;
940 }
941 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
942 encryption_algorithm_names, enc_alg, enc_key.len * 8);
943
944 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
945 hdr->nlmsg_len += rthdr->rta_len;
946 if (hdr->nlmsg_len > sizeof(request))
947 {
948 return FAILED;
949 }
950
951 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
952 algo->alg_key_len = enc_key.len * 8;
953 algo->alg_icv_len = icv_size;
954 strcpy(algo->alg_name, alg_name);
955 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
956
957 rthdr = XFRM_RTA_NEXT(rthdr);
958 break;
959 }
960 default:
961 {
962 rthdr->rta_type = XFRMA_ALG_CRYPT;
963 alg_name = lookup_algorithm(encryption_algs, enc_alg);
964 if (alg_name == NULL)
965 {
966 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
967 encryption_algorithm_names, enc_alg);
968 return FAILED;
969 }
970 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
971 encryption_algorithm_names, enc_alg, enc_key.len * 8);
972
973 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
974 hdr->nlmsg_len += rthdr->rta_len;
975 if (hdr->nlmsg_len > sizeof(request))
976 {
977 return FAILED;
978 }
979
980 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
981 algo->alg_key_len = enc_key.len * 8;
982 strcpy(algo->alg_name, alg_name);
983 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
984
985 rthdr = XFRM_RTA_NEXT(rthdr);
986 break;
987 }
988 }
989
990 if (int_alg != AUTH_UNDEFINED)
991 {
992 rthdr->rta_type = XFRMA_ALG_AUTH;
993 alg_name = lookup_algorithm(integrity_algs, int_alg);
994 if (alg_name == NULL)
995 {
996 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
997 integrity_algorithm_names, int_alg);
998 return FAILED;
999 }
1000 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1001 integrity_algorithm_names, int_alg, int_key.len * 8);
1002
1003 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
1004 hdr->nlmsg_len += rthdr->rta_len;
1005 if (hdr->nlmsg_len > sizeof(request))
1006 {
1007 return FAILED;
1008 }
1009
1010 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1011 algo->alg_key_len = int_key.len * 8;
1012 strcpy(algo->alg_name, alg_name);
1013 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1014
1015 rthdr = XFRM_RTA_NEXT(rthdr);
1016 }
1017
1018 if (ipcomp != IPCOMP_NONE)
1019 {
1020 rthdr->rta_type = XFRMA_ALG_COMP;
1021 alg_name = lookup_algorithm(compression_algs, ipcomp);
1022 if (alg_name == NULL)
1023 {
1024 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1025 ipcomp_transform_names, ipcomp);
1026 return FAILED;
1027 }
1028 DBG2(DBG_KNL, " using compression algorithm %N",
1029 ipcomp_transform_names, ipcomp);
1030
1031 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
1032 hdr->nlmsg_len += rthdr->rta_len;
1033 if (hdr->nlmsg_len > sizeof(request))
1034 {
1035 return FAILED;
1036 }
1037
1038 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1039 algo->alg_key_len = 0;
1040 strcpy(algo->alg_name, alg_name);
1041
1042 rthdr = XFRM_RTA_NEXT(rthdr);
1043 }
1044
1045 if (encap)
1046 {
1047 rthdr->rta_type = XFRMA_ENCAP;
1048 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1049
1050 hdr->nlmsg_len += rthdr->rta_len;
1051 if (hdr->nlmsg_len > sizeof(request))
1052 {
1053 return FAILED;
1054 }
1055
1056 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1057 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1058 tmpl->encap_sport = htons(src->get_port(src));
1059 tmpl->encap_dport = htons(dst->get_port(dst));
1060 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1061 /* encap_oa could probably be derived from the
1062 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1063 * pluto does the same as we do here but it uses encap_oa in the
1064 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1065 * the kernel ignores it anyway
1066 * -> does that mean that NAT-T encap doesn't work in transport mode?
1067 * No. The reason the kernel ignores NAT-OA is that it recomputes
1068 * (or, rather, just ignores) the checksum. If packets pass
1069 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1070 rthdr = XFRM_RTA_NEXT(rthdr);
1071 }
1072
1073 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1074 {
1075 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1076 return FAILED;
1077 }
1078 return SUCCESS;
1079 }
1080
1081 /**
1082 * Get the replay state (i.e. sequence numbers) of an SA.
1083 */
1084 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
1085 u_int32_t spi, protocol_id_t protocol, host_t *dst,
1086 struct xfrm_replay_state *replay)
1087 {
1088 netlink_buf_t request;
1089 struct nlmsghdr *hdr, *out = NULL;
1090 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1091 size_t len;
1092 struct rtattr *rta;
1093 size_t rtasize;
1094
1095 memset(&request, 0, sizeof(request));
1096
1097 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
1098
1099 hdr = (struct nlmsghdr*)request;
1100 hdr->nlmsg_flags = NLM_F_REQUEST;
1101 hdr->nlmsg_type = XFRM_MSG_GETAE;
1102 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1103
1104 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1105 aevent_id->flags = XFRM_AE_RVAL;
1106
1107 host2xfrm(dst, &aevent_id->sa_id.daddr);
1108 aevent_id->sa_id.spi = spi;
1109 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
1110 aevent_id->sa_id.family = dst->get_family(dst);
1111
1112 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1113 {
1114 hdr = out;
1115 while (NLMSG_OK(hdr, len))
1116 {
1117 switch (hdr->nlmsg_type)
1118 {
1119 case XFRM_MSG_NEWAE:
1120 {
1121 out_aevent = NLMSG_DATA(hdr);
1122 break;
1123 }
1124 case NLMSG_ERROR:
1125 {
1126 struct nlmsgerr *err = NLMSG_DATA(hdr);
1127 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
1128 strerror(-err->error), -err->error);
1129 break;
1130 }
1131 default:
1132 hdr = NLMSG_NEXT(hdr, len);
1133 continue;
1134 case NLMSG_DONE:
1135 break;
1136 }
1137 break;
1138 }
1139 }
1140
1141 if (out_aevent == NULL)
1142 {
1143 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1144 ntohl(spi));
1145 free(out);
1146 return FAILED;
1147 }
1148
1149 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1150 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1151 while(RTA_OK(rta, rtasize))
1152 {
1153 if (rta->rta_type == XFRMA_REPLAY_VAL &&
1154 RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
1155 {
1156 memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
1157 free(out);
1158 return SUCCESS;
1159 }
1160 rta = RTA_NEXT(rta, rtasize);
1161 }
1162
1163 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1164 ntohl(spi));
1165 free(out);
1166 return FAILED;
1167 }
1168
1169 /**
1170 * Implementation of kernel_interface_t.del_sa.
1171 */
1172 static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
1173 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
1174 {
1175 netlink_buf_t request;
1176 struct nlmsghdr *hdr;
1177 struct xfrm_usersa_id *sa_id;
1178
1179 /* if IPComp was used, we first delete the additional IPComp SA */
1180 if (cpi)
1181 {
1182 del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
1183 }
1184
1185 memset(&request, 0, sizeof(request));
1186
1187 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1188
1189 hdr = (struct nlmsghdr*)request;
1190 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1191 hdr->nlmsg_type = XFRM_MSG_DELSA;
1192 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1193
1194 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1195 host2xfrm(dst, &sa_id->daddr);
1196 sa_id->spi = spi;
1197 sa_id->proto = proto_ike2kernel(protocol);
1198 sa_id->family = dst->get_family(dst);
1199
1200 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1201 {
1202 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1203 return FAILED;
1204 }
1205 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1206 return SUCCESS;
1207 }
1208
1209 /**
1210 * Implementation of kernel_interface_t.update_sa.
1211 */
1212 static status_t update_sa(private_kernel_netlink_ipsec_t *this,
1213 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1214 host_t *src, host_t *dst,
1215 host_t *new_src, host_t *new_dst,
1216 bool old_encap, bool new_encap)
1217 {
1218 netlink_buf_t request;
1219 u_char *pos;
1220 struct nlmsghdr *hdr, *out = NULL;
1221 struct xfrm_usersa_id *sa_id;
1222 struct xfrm_usersa_info *out_sa = NULL, *sa;
1223 size_t len;
1224 struct rtattr *rta;
1225 size_t rtasize;
1226 struct xfrm_encap_tmpl* tmpl = NULL;
1227 bool got_replay_state = FALSE;
1228 struct xfrm_replay_state replay;
1229
1230 /* if IPComp is used, we first update the IPComp SA */
1231 if (cpi)
1232 {
1233 update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
1234 src, dst, new_src, new_dst, FALSE, FALSE);
1235 }
1236
1237 memset(&request, 0, sizeof(request));
1238
1239 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1240
1241 /* query the existing SA first */
1242 hdr = (struct nlmsghdr*)request;
1243 hdr->nlmsg_flags = NLM_F_REQUEST;
1244 hdr->nlmsg_type = XFRM_MSG_GETSA;
1245 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1246
1247 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1248 host2xfrm(dst, &sa_id->daddr);
1249 sa_id->spi = spi;
1250 sa_id->proto = proto_ike2kernel(protocol);
1251 sa_id->family = dst->get_family(dst);
1252
1253 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1254 {
1255 hdr = out;
1256 while (NLMSG_OK(hdr, len))
1257 {
1258 switch (hdr->nlmsg_type)
1259 {
1260 case XFRM_MSG_NEWSA:
1261 {
1262 out_sa = NLMSG_DATA(hdr);
1263 break;
1264 }
1265 case NLMSG_ERROR:
1266 {
1267 struct nlmsgerr *err = NLMSG_DATA(hdr);
1268 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1269 strerror(-err->error), -err->error);
1270 break;
1271 }
1272 default:
1273 hdr = NLMSG_NEXT(hdr, len);
1274 continue;
1275 case NLMSG_DONE:
1276 break;
1277 }
1278 break;
1279 }
1280 }
1281 if (out_sa == NULL)
1282 {
1283 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1284 free(out);
1285 return FAILED;
1286 }
1287
1288 /* try to get the replay state */
1289 if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
1290 {
1291 got_replay_state = TRUE;
1292 }
1293
1294 /* delete the old SA (without affecting the IPComp SA) */
1295 if (del_sa(this, dst, spi, protocol, 0) != SUCCESS)
1296 {
1297 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1298 free(out);
1299 return FAILED;
1300 }
1301
1302 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1303 ntohl(spi), src, dst, new_src, new_dst);
1304 /* copy over the SA from out to request */
1305 hdr = (struct nlmsghdr*)request;
1306 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1307 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1308 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1309 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1310 sa = NLMSG_DATA(hdr);
1311 sa->family = new_dst->get_family(new_dst);
1312
1313 if (!src->ip_equals(src, new_src))
1314 {
1315 host2xfrm(new_src, &sa->saddr);
1316 }
1317 if (!dst->ip_equals(dst, new_dst))
1318 {
1319 host2xfrm(new_dst, &sa->id.daddr);
1320 }
1321
1322 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1323 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1324 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1325 while(RTA_OK(rta, rtasize))
1326 {
1327 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1328 if (rta->rta_type != XFRMA_ENCAP || new_encap)
1329 {
1330 if (rta->rta_type == XFRMA_ENCAP)
1331 { /* update encap tmpl */
1332 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1333 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1334 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1335 }
1336 memcpy(pos, rta, rta->rta_len);
1337 pos += RTA_ALIGN(rta->rta_len);
1338 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1339 }
1340 rta = RTA_NEXT(rta, rtasize);
1341 }
1342
1343 rta = (struct rtattr*)pos;
1344 if (tmpl == NULL && new_encap)
1345 { /* add tmpl if we are enabling it */
1346 rta->rta_type = XFRMA_ENCAP;
1347 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1348
1349 hdr->nlmsg_len += rta->rta_len;
1350 if (hdr->nlmsg_len > sizeof(request))
1351 {
1352 return FAILED;
1353 }
1354
1355 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1356 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1357 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1358 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1359 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1360
1361 rta = XFRM_RTA_NEXT(rta);
1362 }
1363
1364 if (got_replay_state)
1365 { /* copy the replay data if available */
1366 rta->rta_type = XFRMA_REPLAY_VAL;
1367 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1368
1369 hdr->nlmsg_len += rta->rta_len;
1370 if (hdr->nlmsg_len > sizeof(request))
1371 {
1372 return FAILED;
1373 }
1374 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1375
1376 rta = XFRM_RTA_NEXT(rta);
1377 }
1378
1379 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1380 {
1381 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1382 free(out);
1383 return FAILED;
1384 }
1385 free(out);
1386
1387 return SUCCESS;
1388 }
1389
1390 /**
1391 * Implementation of kernel_interface_t.add_policy.
1392 */
1393 static status_t add_policy(private_kernel_netlink_ipsec_t *this,
1394 host_t *src, host_t *dst,
1395 traffic_selector_t *src_ts,
1396 traffic_selector_t *dst_ts,
1397 policy_dir_t direction, u_int32_t spi,
1398 protocol_id_t protocol, u_int32_t reqid,
1399 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1400 bool routed)
1401 {
1402 iterator_t *iterator;
1403 policy_entry_t *current, *policy;
1404 bool found = FALSE;
1405 netlink_buf_t request;
1406 struct xfrm_userpolicy_info *policy_info;
1407 struct nlmsghdr *hdr;
1408
1409 /* create a policy */
1410 policy = malloc_thing(policy_entry_t);
1411 memset(policy, 0, sizeof(policy_entry_t));
1412 policy->sel = ts2selector(src_ts, dst_ts);
1413 policy->direction = direction;
1414
1415 /* find the policy, which matches EXACTLY */
1416 this->mutex->lock(this->mutex);
1417 iterator = this->policies->create_iterator(this->policies, TRUE);
1418 while (iterator->iterate(iterator, (void**)&current))
1419 {
1420 if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
1421 policy->direction == current->direction)
1422 {
1423 /* use existing policy */
1424 current->refcount++;
1425 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1426 "refcount", src_ts, dst_ts,
1427 policy_dir_names, direction);
1428 free(policy);
1429 policy = current;
1430 found = TRUE;
1431 break;
1432 }
1433 }
1434 iterator->destroy(iterator);
1435 if (!found)
1436 { /* apply the new one, if we have no such policy */
1437 this->policies->insert_last(this->policies, policy);
1438 policy->refcount = 1;
1439 }
1440
1441 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1442 policy_dir_names, direction);
1443
1444 memset(&request, 0, sizeof(request));
1445 hdr = (struct nlmsghdr*)request;
1446 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1447 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1448 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1449
1450 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1451 policy_info->sel = policy->sel;
1452 policy_info->dir = policy->direction;
1453 /* calculate priority based on source selector size, small size = high prio */
1454 policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
1455 policy_info->priority -= policy->sel.prefixlen_s * 10;
1456 policy_info->priority -= policy->sel.proto ? 2 : 0;
1457 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1458 policy_info->action = XFRM_POLICY_ALLOW;
1459 policy_info->share = XFRM_SHARE_ANY;
1460 this->mutex->unlock(this->mutex);
1461
1462 /* policies don't expire */
1463 policy_info->lft.soft_byte_limit = XFRM_INF;
1464 policy_info->lft.soft_packet_limit = XFRM_INF;
1465 policy_info->lft.hard_byte_limit = XFRM_INF;
1466 policy_info->lft.hard_packet_limit = XFRM_INF;
1467 policy_info->lft.soft_add_expires_seconds = 0;
1468 policy_info->lft.hard_add_expires_seconds = 0;
1469 policy_info->lft.soft_use_expires_seconds = 0;
1470 policy_info->lft.hard_use_expires_seconds = 0;
1471
1472 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1473 rthdr->rta_type = XFRMA_TMPL;
1474 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1475
1476 hdr->nlmsg_len += rthdr->rta_len;
1477 if (hdr->nlmsg_len > sizeof(request))
1478 {
1479 return FAILED;
1480 }
1481
1482 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1483
1484 if (ipcomp != IPCOMP_NONE)
1485 {
1486 tmpl->reqid = reqid;
1487 tmpl->id.proto = IPPROTO_COMP;
1488 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1489 tmpl->mode = mode;
1490 tmpl->optional = direction != POLICY_OUT;
1491 tmpl->family = src->get_family(src);
1492
1493 host2xfrm(src, &tmpl->saddr);
1494 host2xfrm(dst, &tmpl->id.daddr);
1495
1496 /* add an additional xfrm_user_tmpl */
1497 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1498 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1499 if (hdr->nlmsg_len > sizeof(request))
1500 {
1501 return FAILED;
1502 }
1503
1504 tmpl++;
1505 }
1506
1507 tmpl->reqid = reqid;
1508 tmpl->id.proto = proto_ike2kernel(protocol);
1509 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1510 tmpl->mode = mode;
1511 tmpl->family = src->get_family(src);
1512
1513 host2xfrm(src, &tmpl->saddr);
1514 host2xfrm(dst, &tmpl->id.daddr);
1515
1516 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1517 {
1518 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1519 policy_dir_names, direction);
1520 return FAILED;
1521 }
1522
1523 /* install a route, if:
1524 * - we are NOT updating a policy
1525 * - this is a forward policy (to just get one for each child)
1526 * - we are in tunnel mode
1527 * - we are not using IPv6 (does not work correctly yet!)
1528 * - routing is not disabled via strongswan.conf
1529 */
1530 if (policy->route == NULL && direction == POLICY_FWD &&
1531 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1532 this->install_routes)
1533 {
1534 route_entry_t *route = malloc_thing(route_entry_t);
1535
1536 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1537 dst_ts, &route->src_ip) == SUCCESS)
1538 {
1539 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1540 route->gateway = charon->kernel_interface->get_nexthop(
1541 charon->kernel_interface, src);
1542 route->if_name = charon->kernel_interface->get_interface(
1543 charon->kernel_interface, dst);
1544 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1545 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1546 route->prefixlen = policy->sel.prefixlen_s;
1547
1548 if (route->if_name)
1549 {
1550 switch (charon->kernel_interface->add_route(
1551 charon->kernel_interface, route->dst_net,
1552 route->prefixlen, route->gateway,
1553 route->src_ip, route->if_name))
1554 {
1555 default:
1556 DBG1(DBG_KNL, "unable to install source route for %H",
1557 route->src_ip);
1558 /* FALL */
1559 case ALREADY_DONE:
1560 /* route exists, do not uninstall */
1561 route_entry_destroy(route);
1562 break;
1563 case SUCCESS:
1564 /* cache the installed route */
1565 policy->route = route;
1566 break;
1567 }
1568 }
1569 else
1570 {
1571 route_entry_destroy(route);
1572 }
1573 }
1574 else
1575 {
1576 free(route);
1577 }
1578 }
1579 return SUCCESS;
1580 }
1581
1582 /**
1583 * Implementation of kernel_interface_t.query_policy.
1584 */
1585 static status_t query_policy(private_kernel_netlink_ipsec_t *this,
1586 traffic_selector_t *src_ts,
1587 traffic_selector_t *dst_ts,
1588 policy_dir_t direction, u_int32_t *use_time)
1589 {
1590 netlink_buf_t request;
1591 struct nlmsghdr *out = NULL, *hdr;
1592 struct xfrm_userpolicy_id *policy_id;
1593 struct xfrm_userpolicy_info *policy = NULL;
1594 size_t len;
1595
1596 memset(&request, 0, sizeof(request));
1597
1598 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1599 policy_dir_names, direction);
1600
1601 hdr = (struct nlmsghdr*)request;
1602 hdr->nlmsg_flags = NLM_F_REQUEST;
1603 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1604 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1605
1606 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1607 policy_id->sel = ts2selector(src_ts, dst_ts);
1608 policy_id->dir = direction;
1609
1610 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1611 {
1612 hdr = out;
1613 while (NLMSG_OK(hdr, len))
1614 {
1615 switch (hdr->nlmsg_type)
1616 {
1617 case XFRM_MSG_NEWPOLICY:
1618 {
1619 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1620 break;
1621 }
1622 case NLMSG_ERROR:
1623 {
1624 struct nlmsgerr *err = NLMSG_DATA(hdr);
1625 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1626 strerror(-err->error), -err->error);
1627 break;
1628 }
1629 default:
1630 hdr = NLMSG_NEXT(hdr, len);
1631 continue;
1632 case NLMSG_DONE:
1633 break;
1634 }
1635 break;
1636 }
1637 }
1638
1639 if (policy == NULL)
1640 {
1641 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1642 policy_dir_names, direction);
1643 free(out);
1644 return FAILED;
1645 }
1646 *use_time = (time_t)policy->curlft.use_time;
1647
1648 free(out);
1649 return SUCCESS;
1650 }
1651
1652 /**
1653 * Implementation of kernel_interface_t.del_policy.
1654 */
1655 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
1656 traffic_selector_t *src_ts,
1657 traffic_selector_t *dst_ts,
1658 policy_dir_t direction, bool unrouted)
1659 {
1660 policy_entry_t *current, policy, *to_delete = NULL;
1661 route_entry_t *route;
1662 netlink_buf_t request;
1663 struct nlmsghdr *hdr;
1664 struct xfrm_userpolicy_id *policy_id;
1665 enumerator_t *enumerator;
1666
1667 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1668 policy_dir_names, direction);
1669
1670 /* create a policy */
1671 memset(&policy, 0, sizeof(policy_entry_t));
1672 policy.sel = ts2selector(src_ts, dst_ts);
1673 policy.direction = direction;
1674
1675 /* find the policy */
1676 this->mutex->lock(this->mutex);
1677 enumerator = this->policies->create_enumerator(this->policies);
1678 while (enumerator->enumerate(enumerator, &current))
1679 {
1680 if (memeq(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) &&
1681 policy.direction == current->direction)
1682 {
1683 to_delete = current;
1684 if (--to_delete->refcount > 0)
1685 {
1686 /* is used by more SAs, keep in kernel */
1687 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1688 this->mutex->unlock(this->mutex);
1689 enumerator->destroy(enumerator);
1690 return SUCCESS;
1691 }
1692 /* remove if last reference */
1693 this->policies->remove_at(this->policies, enumerator);
1694 break;
1695 }
1696 }
1697 this->mutex->unlock(this->mutex);
1698 enumerator->destroy(enumerator);
1699 if (!to_delete)
1700 {
1701 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1702 dst_ts, policy_dir_names, direction);
1703 return NOT_FOUND;
1704 }
1705
1706 memset(&request, 0, sizeof(request));
1707
1708 hdr = (struct nlmsghdr*)request;
1709 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1710 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1711 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1712
1713 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1714 policy_id->sel = to_delete->sel;
1715 policy_id->dir = direction;
1716
1717 route = to_delete->route;
1718 free(to_delete);
1719
1720 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1721 {
1722 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1723 policy_dir_names, direction);
1724 return FAILED;
1725 }
1726
1727 if (route)
1728 {
1729 if (charon->kernel_interface->del_route(charon->kernel_interface,
1730 route->dst_net, route->prefixlen, route->gateway,
1731 route->src_ip, route->if_name) != SUCCESS)
1732 {
1733 DBG1(DBG_KNL, "error uninstalling route installed with "
1734 "policy %R === %R %N", src_ts, dst_ts,
1735 policy_dir_names, direction);
1736 }
1737 route_entry_destroy(route);
1738 }
1739 return SUCCESS;
1740 }
1741
1742 /**
1743 * Implementation of kernel_interface_t.destroy.
1744 */
1745 static void destroy(private_kernel_netlink_ipsec_t *this)
1746 {
1747 this->job->cancel(this->job);
1748 close(this->socket_xfrm_events);
1749 this->socket_xfrm->destroy(this->socket_xfrm);
1750 this->policies->destroy(this->policies);
1751 this->mutex->destroy(this->mutex);
1752 free(this);
1753 }
1754
1755 /**
1756 * Add bypass policies for IKE on the sockets used by charon
1757 */
1758 static bool add_bypass_policies()
1759 {
1760 int fd, family, port;
1761 enumerator_t *sockets;
1762 bool status = TRUE;
1763
1764 /* we open an AF_KEY socket to autoload the af_key module. Otherwise
1765 * setsockopt(IPSEC_POLICY) won't work. */
1766 fd = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
1767 if (fd == 0)
1768 {
1769 DBG1(DBG_KNL, "could not open AF_KEY socket");
1770 return FALSE;
1771 }
1772 close(fd);
1773
1774 sockets = charon->socket->create_enumerator(charon->socket);
1775 while (sockets->enumerate(sockets, &fd, &family, &port))
1776 {
1777 struct sadb_x_policy policy;
1778 u_int sol, ipsec_policy;
1779
1780 switch (family)
1781 {
1782 case AF_INET:
1783 sol = SOL_IP;
1784 ipsec_policy = IP_IPSEC_POLICY;
1785 break;
1786 case AF_INET6:
1787 sol = SOL_IPV6;
1788 ipsec_policy = IPV6_IPSEC_POLICY;
1789 break;
1790 default:
1791 continue;
1792 }
1793
1794 memset(&policy, 0, sizeof(policy));
1795 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
1796 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1797 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
1798
1799 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
1800 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1801 {
1802 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1803 strerror(errno));
1804 status = FALSE;
1805 break;
1806 }
1807 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
1808 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1809 {
1810 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1811 strerror(errno));
1812 status = FALSE;
1813 break;
1814 }
1815 }
1816 sockets->destroy(sockets);
1817 return status;
1818 }
1819
1820 /*
1821 * Described in header.
1822 */
1823 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
1824 {
1825 private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
1826 struct sockaddr_nl addr;
1827
1828 /* public functions */
1829 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1830 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1831 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
1832 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
1833 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
1834 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
1835 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1836 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
1837 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1838
1839 /* private members */
1840 this->policies = linked_list_create();
1841 this->mutex = mutex_create(MUTEX_DEFAULT);
1842 this->install_routes = lib->settings->get_bool(lib->settings,
1843 "charon.install_routes", TRUE);
1844
1845 /* add bypass policies on the sockets used by charon */
1846 if (!add_bypass_policies())
1847 {
1848 charon->kill(charon, "unable to add bypass policies on sockets");
1849 }
1850
1851 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
1852
1853 memset(&addr, 0, sizeof(addr));
1854 addr.nl_family = AF_NETLINK;
1855
1856 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
1857 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1858 if (this->socket_xfrm_events <= 0)
1859 {
1860 charon->kill(charon, "unable to create XFRM event socket");
1861 }
1862 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
1863 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
1864 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
1865 {
1866 charon->kill(charon, "unable to bind XFRM event socket");
1867 }
1868
1869 this->job = callback_job_create((callback_job_cb_t)receive_events,
1870 this, NULL, NULL);
1871 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1872
1873 return &this->public;
1874 }