rta->rta_len is NOT the payload data length, use RTA_PAYLOAD(rta) instead!
[strongswan.git] / src / charon / plugins / kernel_netlink / kernel_netlink_ipsec.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2008 Andreas Steffen
5 * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
6 * Copyright (C) 2006 Daniel Roethlisberger
7 * Copyright (C) 2005 Jan Hutter
8 * Hochschule fuer Technik Rapperswil
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 *
20 * $Id$
21 */
22
23 #include <sys/types.h>
24 #include <sys/socket.h>
25 #include <sys/time.h>
26 #include <stdint.h>
27 #include <linux/ipsec.h>
28 #include <linux/netlink.h>
29 #include <linux/rtnetlink.h>
30 #include <linux/xfrm.h>
31 #include <linux/udp.h>
32 #include <pthread.h>
33 #include <unistd.h>
34 #include <errno.h>
35 #include <string.h>
36
37 #include "kernel_netlink_ipsec.h"
38 #include "kernel_netlink_shared.h"
39
40 #include <daemon.h>
41 #include <utils/mutex.h>
42 #include <utils/linked_list.h>
43 #include <processing/jobs/callback_job.h>
44 #include <processing/jobs/acquire_job.h>
45 #include <processing/jobs/migrate_job.h>
46 #include <processing/jobs/rekey_child_sa_job.h>
47 #include <processing/jobs/delete_child_sa_job.h>
48 #include <processing/jobs/update_sa_job.h>
49
50 /** required for Linux 2.6.26 kernel and later */
51 #ifndef XFRM_STATE_AF_UNSPEC
52 #define XFRM_STATE_AF_UNSPEC 32
53 #endif
54
55 /** from linux/in.h */
56 #ifndef IP_IPSEC_POLICY
57 #define IP_IPSEC_POLICY 16
58 #endif
59
60 /** default priority of installed policies */
61 #define PRIO_LOW 3000
62 #define PRIO_HIGH 2000
63
64 /**
65 * Create ORable bitfield of XFRM NL groups
66 */
67 #define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1))
68
69 /**
70 * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
71 * 'usual' netlink data x like 'struct xfrm_usersa_info'
72 */
73 #define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
74 /**
75 * returns a pointer to the next rtattr following rta.
76 * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
77 */
78 #define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
79 /**
80 * returns the total size of attached rta data
81 * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
82 */
83 #define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
84
85 typedef struct kernel_algorithm_t kernel_algorithm_t;
86
87 /**
88 * Mapping of IKEv2 kernel identifier to linux crypto API names
89 */
90 struct kernel_algorithm_t {
91 /**
92 * Identifier specified in IKEv2
93 */
94 int ikev2;
95
96 /**
97 * Name of the algorithm in linux crypto API
98 */
99 char *name;
100 };
101
102 ENUM(xfrm_attr_type_names, XFRMA_UNSPEC, XFRMA_KMADDRESS,
103 "XFRMA_UNSPEC",
104 "XFRMA_ALG_AUTH",
105 "XFRMA_ALG_CRYPT",
106 "XFRMA_ALG_COMP",
107 "XFRMA_ENCAP",
108 "XFRMA_TMPL",
109 "XFRMA_SA",
110 "XFRMA_POLICY",
111 "XFRMA_SEC_CTX",
112 "XFRMA_LTIME_VAL",
113 "XFRMA_REPLAY_VAL",
114 "XFRMA_REPLAY_THRESH",
115 "XFRMA_ETIMER_THRESH",
116 "XFRMA_SRCADDR",
117 "XFRMA_COADDR",
118 "XFRMA_LASTUSED",
119 "XFRMA_POLICY_TYPE",
120 "XFRMA_MIGRATE",
121 "XFRMA_ALG_AEAD",
122 "XFRMA_KMADDRESS"
123 );
124
125 #define END_OF_LIST -1
126
127 /**
128 * Algorithms for encryption
129 */
130 static kernel_algorithm_t encryption_algs[] = {
131 /* {ENCR_DES_IV64, "***" }, */
132 {ENCR_DES, "des" },
133 {ENCR_3DES, "des3_ede" },
134 /* {ENCR_RC5, "***" }, */
135 /* {ENCR_IDEA, "***" }, */
136 {ENCR_CAST, "cast128" },
137 {ENCR_BLOWFISH, "blowfish" },
138 /* {ENCR_3IDEA, "***" }, */
139 /* {ENCR_DES_IV32, "***" }, */
140 {ENCR_NULL, "cipher_null" },
141 {ENCR_AES_CBC, "aes" },
142 /* {ENCR_AES_CTR, "***" }, */
143 {ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
144 {ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
145 {ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
146 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
147 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
148 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
149 {END_OF_LIST, NULL },
150 };
151
152 /**
153 * Algorithms for integrity protection
154 */
155 static kernel_algorithm_t integrity_algs[] = {
156 {AUTH_HMAC_MD5_96, "md5" },
157 {AUTH_HMAC_SHA1_96, "sha1" },
158 {AUTH_HMAC_SHA2_256_128, "sha256" },
159 {AUTH_HMAC_SHA2_384_192, "sha384" },
160 {AUTH_HMAC_SHA2_512_256, "sha512" },
161 /* {AUTH_DES_MAC, "***" }, */
162 /* {AUTH_KPDK_MD5, "***" }, */
163 {AUTH_AES_XCBC_96, "xcbc(aes)" },
164 {END_OF_LIST, NULL },
165 };
166
167 /**
168 * Algorithms for IPComp
169 */
170 static kernel_algorithm_t compression_algs[] = {
171 /* {IPCOMP_OUI, "***" }, */
172 {IPCOMP_DEFLATE, "deflate" },
173 {IPCOMP_LZS, "lzs" },
174 {IPCOMP_LZJH, "lzjh" },
175 {END_OF_LIST, NULL },
176 };
177
178 /**
179 * Look up a kernel algorithm name and its key size
180 */
181 static char* lookup_algorithm(kernel_algorithm_t *list, int ikev2)
182 {
183 while (list->ikev2 != END_OF_LIST)
184 {
185 if (list->ikev2 == ikev2)
186 {
187 return list->name;
188 }
189 list++;
190 }
191 return NULL;
192 }
193
194 typedef struct route_entry_t route_entry_t;
195
196 /**
197 * installed routing entry
198 */
199 struct route_entry_t {
200 /** Name of the interface the route is bound to */
201 char *if_name;
202
203 /** Source ip of the route */
204 host_t *src_ip;
205
206 /** gateway for this route */
207 host_t *gateway;
208
209 /** Destination net */
210 chunk_t dst_net;
211
212 /** Destination net prefixlen */
213 u_int8_t prefixlen;
214 };
215
216 /**
217 * destroy an route_entry_t object
218 */
219 static void route_entry_destroy(route_entry_t *this)
220 {
221 free(this->if_name);
222 this->src_ip->destroy(this->src_ip);
223 this->gateway->destroy(this->gateway);
224 chunk_free(&this->dst_net);
225 free(this);
226 }
227
228 typedef struct policy_entry_t policy_entry_t;
229
230 /**
231 * installed kernel policy.
232 */
233 struct policy_entry_t {
234
235 /** direction of this policy: in, out, forward */
236 u_int8_t direction;
237
238 /** parameters of installed policy */
239 struct xfrm_selector sel;
240
241 /** associated route installed for this policy */
242 route_entry_t *route;
243
244 /** by how many CHILD_SA's this policy is used */
245 u_int refcount;
246 };
247
248 typedef struct private_kernel_netlink_ipsec_t private_kernel_netlink_ipsec_t;
249
250 /**
251 * Private variables and functions of kernel_netlink class.
252 */
253 struct private_kernel_netlink_ipsec_t {
254 /**
255 * Public part of the kernel_netlink_t object.
256 */
257 kernel_netlink_ipsec_t public;
258
259 /**
260 * mutex to lock access to various lists
261 */
262 mutex_t *mutex;
263
264 /**
265 * List of installed policies (policy_entry_t)
266 */
267 linked_list_t *policies;
268
269 /**
270 * job receiving netlink events
271 */
272 callback_job_t *job;
273
274 /**
275 * Netlink xfrm socket (IPsec)
276 */
277 netlink_socket_t *socket_xfrm;
278
279 /**
280 * netlink xfrm socket to receive acquire and expire events
281 */
282 int socket_xfrm_events;
283
284 /**
285 * whether to install routes along policies
286 */
287 bool install_routes;
288 };
289
290 /**
291 * convert a IKEv2 specific protocol identifier to the kernel one
292 */
293 static u_int8_t proto_ike2kernel(protocol_id_t proto)
294 {
295 switch (proto)
296 {
297 case PROTO_ESP:
298 return IPPROTO_ESP;
299 case PROTO_AH:
300 return IPPROTO_AH;
301 default:
302 return proto;
303 }
304 }
305
306 /**
307 * reverse of ike2kernel
308 */
309 static protocol_id_t proto_kernel2ike(u_int8_t proto)
310 {
311 switch (proto)
312 {
313 case IPPROTO_ESP:
314 return PROTO_ESP;
315 case IPPROTO_AH:
316 return PROTO_AH;
317 default:
318 return proto;
319 }
320 }
321
322 /**
323 * convert a host_t to a struct xfrm_address
324 */
325 static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
326 {
327 chunk_t chunk = host->get_address(host);
328 memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
329 }
330
331 /**
332 * convert a struct xfrm_address to a host_t
333 */
334 static host_t* xfrm2host(int family, xfrm_address_t *xfrm, u_int16_t port)
335 {
336 chunk_t chunk;
337
338 switch (family)
339 {
340 case AF_INET:
341 chunk = chunk_create((u_char*)&xfrm->a4, sizeof(xfrm->a4));
342 break;
343 case AF_INET6:
344 chunk = chunk_create((u_char*)&xfrm->a6, sizeof(xfrm->a6));
345 break;
346 default:
347 return NULL;
348 }
349 return host_create_from_chunk(family, chunk, ntohs(port));
350 }
351
352 /**
353 * convert a traffic selector address range to subnet and its mask.
354 */
355 static void ts2subnet(traffic_selector_t* ts,
356 xfrm_address_t *net, u_int8_t *mask)
357 {
358 host_t *net_host;
359 chunk_t net_chunk;
360
361 ts->to_subnet(ts, &net_host, mask);
362 net_chunk = net_host->get_address(net_host);
363 memcpy(net, net_chunk.ptr, net_chunk.len);
364 net_host->destroy(net_host);
365 }
366
367 /**
368 * convert a traffic selector port range to port/portmask
369 */
370 static void ts2ports(traffic_selector_t* ts,
371 u_int16_t *port, u_int16_t *mask)
372 {
373 /* linux does not seem to accept complex portmasks. Only
374 * any or a specific port is allowed. We set to any, if we have
375 * a port range, or to a specific, if we have one port only.
376 */
377 u_int16_t from, to;
378
379 from = ts->get_from_port(ts);
380 to = ts->get_to_port(ts);
381
382 if (from == to)
383 {
384 *port = htons(from);
385 *mask = ~0;
386 }
387 else
388 {
389 *port = 0;
390 *mask = 0;
391 }
392 }
393
394 /**
395 * convert a pair of traffic_selectors to a xfrm_selector
396 */
397 static struct xfrm_selector ts2selector(traffic_selector_t *src,
398 traffic_selector_t *dst)
399 {
400 struct xfrm_selector sel;
401
402 memset(&sel, 0, sizeof(sel));
403 sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
404 /* src or dest proto may be "any" (0), use more restrictive one */
405 sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
406 ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
407 ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
408 ts2ports(dst, &sel.dport, &sel.dport_mask);
409 ts2ports(src, &sel.sport, &sel.sport_mask);
410 sel.ifindex = 0;
411 sel.user = 0;
412
413 return sel;
414 }
415
416 /**
417 * convert a xfrm_selector to a src|dst traffic_selector
418 */
419 static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
420 {
421 int family;
422 chunk_t addr;
423 u_int8_t prefixlen;
424 u_int16_t port, port_mask;
425 host_t *host;
426 traffic_selector_t *ts;
427
428 if (src)
429 {
430 addr.ptr = (u_char*)&sel->saddr;
431 prefixlen = sel->prefixlen_s;
432 port = sel->sport;
433 port_mask = sel->sport_mask;
434 }
435 else
436 {
437 addr.ptr = (u_char*)&sel->daddr;
438 prefixlen = sel->prefixlen_d;
439 port = sel->dport;
440 port_mask = sel->dport_mask;
441 }
442
443 /* The Linux 2.6 kernel does not set the selector's family field,
444 * so as a kludge we additionally test the prefix length.
445 */
446 if (sel->family == AF_INET || sel->prefixlen_s == 32)
447 {
448 family = AF_INET;
449 addr.len = 4;
450 }
451 else if (sel->family == AF_INET6 || sel->prefixlen_s == 128)
452 {
453 family = AF_INET6;
454 addr.len = 16;
455 }
456 else
457 {
458 return NULL;
459 }
460 host = host_create_from_chunk(family, addr, 0);
461 port = (port_mask == 0) ? 0 : ntohs(port);
462
463 ts = traffic_selector_create_from_subnet(host, prefixlen, sel->proto, port);
464 host->destroy(host);
465 return ts;
466 }
467
468 /**
469 * process a XFRM_MSG_ACQUIRE from kernel
470 */
471 static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
472 {
473 u_int32_t reqid = 0;
474 int proto = 0;
475 traffic_selector_t *src_ts, *dst_ts;
476 struct xfrm_user_acquire *acquire;
477 struct rtattr *rta;
478 size_t rtasize;
479 job_t *job;
480
481 acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
482 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
483 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
484
485 DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
486
487 while (RTA_OK(rta, rtasize))
488 {
489 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
490
491 if (rta->rta_type == XFRMA_TMPL)
492 {
493 struct xfrm_user_tmpl* tmpl;
494
495 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
496 reqid = tmpl->reqid;
497 proto = tmpl->id.proto;
498 }
499 rta = RTA_NEXT(rta, rtasize);
500 }
501 switch (proto)
502 {
503 case 0:
504 case IPPROTO_ESP:
505 case IPPROTO_AH:
506 break;
507 default:
508 /* acquire for AH/ESP only, not for IPCOMP */
509 return;
510 }
511 src_ts = selector2ts(&acquire->sel, TRUE);
512 dst_ts = selector2ts(&acquire->sel, FALSE);
513 DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
514 src_ts, dst_ts, reqid);
515 job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
516 charon->processor->queue_job(charon->processor, job);
517 }
518
519 /**
520 * process a XFRM_MSG_EXPIRE from kernel
521 */
522 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
523 {
524 job_t *job;
525 protocol_id_t protocol;
526 u_int32_t spi, reqid;
527 struct xfrm_user_expire *expire;
528
529 expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
530 protocol = proto_kernel2ike(expire->state.id.proto);
531 spi = expire->state.id.spi;
532 reqid = expire->state.reqid;
533
534 DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
535
536 if (protocol != PROTO_ESP && protocol != PROTO_AH)
537 {
538 DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
539 "which is not a CHILD_SA", ntohl(spi), reqid);
540 return;
541 }
542
543 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
544 expire->hard ? "delete" : "rekey", protocol_id_names,
545 protocol, ntohl(spi), reqid);
546 if (expire->hard)
547 {
548 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
549 }
550 else
551 {
552 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
553 }
554 charon->processor->queue_job(charon->processor, job);
555 }
556
557 /**
558 * process a XFRM_MSG_MIGRATE from kernel
559 */
560 static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
561 {
562 traffic_selector_t *src_ts, *dst_ts;
563 host_t *local = NULL, *remote = NULL;
564 host_t *old_src = NULL, *old_dst = NULL;
565 host_t *new_src = NULL, *new_dst = NULL;
566 struct xfrm_userpolicy_id *policy_id;
567 struct rtattr *rta;
568 size_t rtasize;
569 u_int32_t reqid = 0;
570 policy_dir_t dir;
571 job_t *job;
572
573 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
574 rta = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
575 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_userpolicy_id);
576
577 DBG2(DBG_KNL, "received a XFRM_MSG_MIGRATE");
578
579 src_ts = selector2ts(&policy_id->sel, TRUE);
580 dst_ts = selector2ts(&policy_id->sel, FALSE);
581 dir = (policy_dir_t)policy_id->dir;
582
583 DBG2(DBG_KNL, " policy: %R === %R %N, index %u", src_ts, dst_ts,
584 policy_dir_names, dir, policy_id->index);
585
586 while (RTA_OK(rta, rtasize))
587 {
588 DBG2(DBG_KNL, " %N", xfrm_attr_type_names, rta->rta_type);
589 if (rta->rta_type == XFRMA_KMADDRESS)
590 {
591 struct xfrm_user_kmaddress *kmaddress;
592
593 kmaddress = (struct xfrm_user_kmaddress*)RTA_DATA(rta);
594 local = xfrm2host(kmaddress->family, &kmaddress->local, 0);
595 remote = xfrm2host(kmaddress->family, &kmaddress->remote, 0);
596 DBG2(DBG_KNL, " kmaddress: %H...%H", local, remote);
597 }
598 else if (rta->rta_type == XFRMA_MIGRATE)
599 {
600 struct xfrm_user_migrate *migrate;
601 protocol_id_t proto;
602
603 migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
604 old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
605 old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
606 new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
607 new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
608 proto = proto_kernel2ike(migrate->proto);
609 reqid = migrate->reqid;
610 DBG2(DBG_KNL, " migrate %N %H...%H to %H...%H, reqid {%u}",
611 protocol_id_names, proto, old_src, old_dst,
612 new_src, new_dst, reqid);
613 DESTROY_IF(old_src);
614 DESTROY_IF(old_dst);
615 DESTROY_IF(new_src);
616 DESTROY_IF(new_dst);
617 }
618 rta = RTA_NEXT(rta, rtasize);
619 }
620
621 if (src_ts && dst_ts)
622 {
623 DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
624 src_ts, dst_ts, policy_dir_names, dir, reqid, local);
625 job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
626 local, remote);
627 charon->processor->queue_job(charon->processor, job);
628 }
629 else
630 {
631 DESTROY_IF(src_ts);
632 DESTROY_IF(dst_ts);
633 DESTROY_IF(local);
634 DESTROY_IF(remote);
635 }
636 }
637
638 /**
639 * process a XFRM_MSG_MAPPING from kernel
640 */
641 static void process_mapping(private_kernel_netlink_ipsec_t *this,
642 struct nlmsghdr *hdr)
643 {
644 job_t *job;
645 u_int32_t spi, reqid;
646 struct xfrm_user_mapping *mapping;
647 host_t *host;
648
649 mapping = (struct xfrm_user_mapping*)NLMSG_DATA(hdr);
650 spi = mapping->id.spi;
651 reqid = mapping->reqid;
652
653 DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
654
655 if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
656 {
657 host = xfrm2host(mapping->id.family, &mapping->new_saddr,
658 mapping->new_sport);
659 if (host)
660 {
661 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
662 "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
663 job = (job_t*)update_sa_job_create(reqid, host);
664 charon->processor->queue_job(charon->processor, job);
665 }
666 }
667 }
668
669 /**
670 * Receives events from kernel
671 */
672 static job_requeue_t receive_events(private_kernel_netlink_ipsec_t *this)
673 {
674 char response[1024];
675 struct nlmsghdr *hdr = (struct nlmsghdr*)response;
676 struct sockaddr_nl addr;
677 socklen_t addr_len = sizeof(addr);
678 int len, oldstate;
679
680 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
681 len = recvfrom(this->socket_xfrm_events, response, sizeof(response), 0,
682 (struct sockaddr*)&addr, &addr_len);
683 pthread_setcancelstate(oldstate, NULL);
684
685 if (len < 0)
686 {
687 switch (errno)
688 {
689 case EINTR:
690 /* interrupted, try again */
691 return JOB_REQUEUE_DIRECT;
692 case EAGAIN:
693 /* no data ready, select again */
694 return JOB_REQUEUE_DIRECT;
695 default:
696 DBG1(DBG_KNL, "unable to receive from xfrm event socket");
697 sleep(1);
698 return JOB_REQUEUE_FAIR;
699 }
700 }
701
702 if (addr.nl_pid != 0)
703 { /* not from kernel. not interested, try another one */
704 return JOB_REQUEUE_DIRECT;
705 }
706
707 while (NLMSG_OK(hdr, len))
708 {
709 switch (hdr->nlmsg_type)
710 {
711 case XFRM_MSG_ACQUIRE:
712 process_acquire(this, hdr);
713 break;
714 case XFRM_MSG_EXPIRE:
715 process_expire(this, hdr);
716 break;
717 case XFRM_MSG_MIGRATE:
718 process_migrate(this, hdr);
719 break;
720 case XFRM_MSG_MAPPING:
721 process_mapping(this, hdr);
722 break;
723 default:
724 break;
725 }
726 hdr = NLMSG_NEXT(hdr, len);
727 }
728 return JOB_REQUEUE_DIRECT;
729 }
730
731 /**
732 * Get an SPI for a specific protocol from the kernel.
733 */
734 static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
735 host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
736 u_int32_t reqid, u_int32_t *spi)
737 {
738 unsigned char request[NETLINK_BUFFER_SIZE];
739 struct nlmsghdr *hdr, *out;
740 struct xfrm_userspi_info *userspi;
741 u_int32_t received_spi = 0;
742 size_t len;
743
744 memset(&request, 0, sizeof(request));
745
746 hdr = (struct nlmsghdr*)request;
747 hdr->nlmsg_flags = NLM_F_REQUEST;
748 hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
749 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
750
751 userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
752 host2xfrm(src, &userspi->info.saddr);
753 host2xfrm(dst, &userspi->info.id.daddr);
754 userspi->info.id.proto = proto;
755 userspi->info.mode = TRUE; /* tunnel mode */
756 userspi->info.reqid = reqid;
757 userspi->info.family = src->get_family(src);
758 userspi->min = min;
759 userspi->max = max;
760
761 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
762 {
763 hdr = out;
764 while (NLMSG_OK(hdr, len))
765 {
766 switch (hdr->nlmsg_type)
767 {
768 case XFRM_MSG_NEWSA:
769 {
770 struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
771 received_spi = usersa->id.spi;
772 break;
773 }
774 case NLMSG_ERROR:
775 {
776 struct nlmsgerr *err = NLMSG_DATA(hdr);
777
778 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
779 strerror(-err->error), -err->error);
780 break;
781 }
782 default:
783 hdr = NLMSG_NEXT(hdr, len);
784 continue;
785 case NLMSG_DONE:
786 break;
787 }
788 break;
789 }
790 free(out);
791 }
792
793 if (received_spi == 0)
794 {
795 return FAILED;
796 }
797
798 *spi = received_spi;
799 return SUCCESS;
800 }
801
802 /**
803 * Implementation of kernel_interface_t.get_spi.
804 */
805 static status_t get_spi(private_kernel_netlink_ipsec_t *this,
806 host_t *src, host_t *dst,
807 protocol_id_t protocol, u_int32_t reqid,
808 u_int32_t *spi)
809 {
810 DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
811
812 if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
813 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
814 {
815 DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
816 return FAILED;
817 }
818
819 DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
820
821 return SUCCESS;
822 }
823
824 /**
825 * Implementation of kernel_interface_t.get_cpi.
826 */
827 static status_t get_cpi(private_kernel_netlink_ipsec_t *this,
828 host_t *src, host_t *dst,
829 u_int32_t reqid, u_int16_t *cpi)
830 {
831 u_int32_t received_spi = 0;
832
833 DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
834
835 if (get_spi_internal(this, src, dst,
836 IPPROTO_COMP, 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
837 {
838 DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
839 return FAILED;
840 }
841
842 *cpi = htons((u_int16_t)ntohl(received_spi));
843
844 DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
845
846 return SUCCESS;
847 }
848
849 /**
850 * Implementation of kernel_interface_t.add_sa.
851 */
852 static status_t add_sa(private_kernel_netlink_ipsec_t *this,
853 host_t *src, host_t *dst, u_int32_t spi,
854 protocol_id_t protocol, u_int32_t reqid,
855 u_int64_t expire_soft, u_int64_t expire_hard,
856 u_int16_t enc_alg, chunk_t enc_key,
857 u_int16_t int_alg, chunk_t int_key,
858 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
859 bool encap, bool inbound)
860 {
861 unsigned char request[NETLINK_BUFFER_SIZE];
862 char *alg_name;
863 struct nlmsghdr *hdr;
864 struct xfrm_usersa_info *sa;
865 u_int16_t icv_size = 64;
866
867 /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
868 * we are in the recursive call below */
869 if (ipcomp != IPCOMP_NONE && cpi != 0)
870 {
871 add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, 0, 0,
872 ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
873 mode, ipcomp, 0, FALSE, inbound);
874 ipcomp = IPCOMP_NONE;
875 }
876
877 memset(&request, 0, sizeof(request));
878
879 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
880 ntohl(spi), reqid);
881
882 hdr = (struct nlmsghdr*)request;
883 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
884 hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
885 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
886
887 sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
888 host2xfrm(src, &sa->saddr);
889 host2xfrm(dst, &sa->id.daddr);
890 sa->id.spi = spi;
891 sa->id.proto = proto_ike2kernel(protocol);
892 sa->family = src->get_family(src);
893 sa->mode = mode;
894 if (mode == MODE_TUNNEL)
895 {
896 sa->flags |= XFRM_STATE_AF_UNSPEC;
897 }
898 sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
899 sa->reqid = reqid;
900 /* we currently do not expire SAs by volume/packet count */
901 sa->lft.soft_byte_limit = XFRM_INF;
902 sa->lft.hard_byte_limit = XFRM_INF;
903 sa->lft.soft_packet_limit = XFRM_INF;
904 sa->lft.hard_packet_limit = XFRM_INF;
905 /* we use lifetimes since added, not since used */
906 sa->lft.soft_add_expires_seconds = expire_soft;
907 sa->lft.hard_add_expires_seconds = expire_hard;
908 sa->lft.soft_use_expires_seconds = 0;
909 sa->lft.hard_use_expires_seconds = 0;
910
911 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
912
913 switch (enc_alg)
914 {
915 case ENCR_UNDEFINED:
916 /* no encryption */
917 break;
918 case ENCR_AES_CCM_ICV16:
919 case ENCR_AES_GCM_ICV16:
920 icv_size += 32;
921 /* FALL */
922 case ENCR_AES_CCM_ICV12:
923 case ENCR_AES_GCM_ICV12:
924 icv_size += 32;
925 /* FALL */
926 case ENCR_AES_CCM_ICV8:
927 case ENCR_AES_GCM_ICV8:
928 {
929 rthdr->rta_type = XFRMA_ALG_AEAD;
930 alg_name = lookup_algorithm(encryption_algs, enc_alg);
931 if (alg_name == NULL)
932 {
933 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
934 encryption_algorithm_names, enc_alg);
935 return FAILED;
936 }
937 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
938 encryption_algorithm_names, enc_alg, enc_key.len * 8);
939
940 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
941 hdr->nlmsg_len += rthdr->rta_len;
942 if (hdr->nlmsg_len > sizeof(request))
943 {
944 return FAILED;
945 }
946
947 struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
948 algo->alg_key_len = enc_key.len * 8;
949 algo->alg_icv_len = icv_size;
950 strcpy(algo->alg_name, alg_name);
951 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
952
953 rthdr = XFRM_RTA_NEXT(rthdr);
954 break;
955 }
956 default:
957 {
958 rthdr->rta_type = XFRMA_ALG_CRYPT;
959 alg_name = lookup_algorithm(encryption_algs, enc_alg);
960 if (alg_name == NULL)
961 {
962 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
963 encryption_algorithm_names, enc_alg);
964 return FAILED;
965 }
966 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
967 encryption_algorithm_names, enc_alg, enc_key.len * 8);
968
969 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
970 hdr->nlmsg_len += rthdr->rta_len;
971 if (hdr->nlmsg_len > sizeof(request))
972 {
973 return FAILED;
974 }
975
976 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
977 algo->alg_key_len = enc_key.len * 8;
978 strcpy(algo->alg_name, alg_name);
979 memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
980
981 rthdr = XFRM_RTA_NEXT(rthdr);
982 break;
983 }
984 }
985
986 if (int_alg != AUTH_UNDEFINED)
987 {
988 rthdr->rta_type = XFRMA_ALG_AUTH;
989 alg_name = lookup_algorithm(integrity_algs, int_alg);
990 if (alg_name == NULL)
991 {
992 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
993 integrity_algorithm_names, int_alg);
994 return FAILED;
995 }
996 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
997 integrity_algorithm_names, int_alg, int_key.len * 8);
998
999 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len);
1000 hdr->nlmsg_len += rthdr->rta_len;
1001 if (hdr->nlmsg_len > sizeof(request))
1002 {
1003 return FAILED;
1004 }
1005
1006 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1007 algo->alg_key_len = int_key.len * 8;
1008 strcpy(algo->alg_name, alg_name);
1009 memcpy(algo->alg_key, int_key.ptr, int_key.len);
1010
1011 rthdr = XFRM_RTA_NEXT(rthdr);
1012 }
1013
1014 if (ipcomp != IPCOMP_NONE)
1015 {
1016 rthdr->rta_type = XFRMA_ALG_COMP;
1017 alg_name = lookup_algorithm(compression_algs, ipcomp);
1018 if (alg_name == NULL)
1019 {
1020 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1021 ipcomp_transform_names, ipcomp);
1022 return FAILED;
1023 }
1024 DBG2(DBG_KNL, " using compression algorithm %N",
1025 ipcomp_transform_names, ipcomp);
1026
1027 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo));
1028 hdr->nlmsg_len += rthdr->rta_len;
1029 if (hdr->nlmsg_len > sizeof(request))
1030 {
1031 return FAILED;
1032 }
1033
1034 struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
1035 algo->alg_key_len = 0;
1036 strcpy(algo->alg_name, alg_name);
1037
1038 rthdr = XFRM_RTA_NEXT(rthdr);
1039 }
1040
1041 if (encap)
1042 {
1043 rthdr->rta_type = XFRMA_ENCAP;
1044 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1045
1046 hdr->nlmsg_len += rthdr->rta_len;
1047 if (hdr->nlmsg_len > sizeof(request))
1048 {
1049 return FAILED;
1050 }
1051
1052 struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
1053 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1054 tmpl->encap_sport = htons(src->get_port(src));
1055 tmpl->encap_dport = htons(dst->get_port(dst));
1056 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1057 /* encap_oa could probably be derived from the
1058 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
1059 * pluto does the same as we do here but it uses encap_oa in the
1060 * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
1061 * the kernel ignores it anyway
1062 * -> does that mean that NAT-T encap doesn't work in transport mode?
1063 * No. The reason the kernel ignores NAT-OA is that it recomputes
1064 * (or, rather, just ignores) the checksum. If packets pass
1065 * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
1066 rthdr = XFRM_RTA_NEXT(rthdr);
1067 }
1068
1069 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1070 {
1071 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1072 return FAILED;
1073 }
1074 return SUCCESS;
1075 }
1076
1077 /**
1078 * Get the replay state (i.e. sequence numbers) of an SA.
1079 */
1080 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
1081 u_int32_t spi, protocol_id_t protocol, host_t *dst,
1082 struct xfrm_replay_state *replay)
1083 {
1084 unsigned char request[NETLINK_BUFFER_SIZE];
1085 struct nlmsghdr *hdr, *out = NULL;
1086 struct xfrm_aevent_id *out_aevent = NULL, *aevent_id;
1087 size_t len;
1088 struct rtattr *rta;
1089 size_t rtasize;
1090
1091 memset(&request, 0, sizeof(request));
1092
1093 DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi));
1094
1095 hdr = (struct nlmsghdr*)request;
1096 hdr->nlmsg_flags = NLM_F_REQUEST;
1097 hdr->nlmsg_type = XFRM_MSG_GETAE;
1098 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
1099
1100 aevent_id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
1101 aevent_id->flags = XFRM_AE_RVAL;
1102
1103 host2xfrm(dst, &aevent_id->sa_id.daddr);
1104 aevent_id->sa_id.spi = spi;
1105 aevent_id->sa_id.proto = proto_ike2kernel(protocol);
1106 aevent_id->sa_id.family = dst->get_family(dst);
1107
1108 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1109 {
1110 hdr = out;
1111 while (NLMSG_OK(hdr, len))
1112 {
1113 switch (hdr->nlmsg_type)
1114 {
1115 case XFRM_MSG_NEWAE:
1116 {
1117 out_aevent = NLMSG_DATA(hdr);
1118 break;
1119 }
1120 case NLMSG_ERROR:
1121 {
1122 struct nlmsgerr *err = NLMSG_DATA(hdr);
1123 DBG1(DBG_KNL, "querying replay state from SAD entry failed: %s (%d)",
1124 strerror(-err->error), -err->error);
1125 break;
1126 }
1127 default:
1128 hdr = NLMSG_NEXT(hdr, len);
1129 continue;
1130 case NLMSG_DONE:
1131 break;
1132 }
1133 break;
1134 }
1135 }
1136
1137 if (out_aevent == NULL)
1138 {
1139 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1140 ntohl(spi));
1141 free(out);
1142 return FAILED;
1143 }
1144
1145 rta = XFRM_RTA(out, struct xfrm_aevent_id);
1146 rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
1147 while(RTA_OK(rta, rtasize))
1148 {
1149 if (rta->rta_type == XFRMA_REPLAY_VAL &&
1150 RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state))
1151 {
1152 memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
1153 free(out);
1154 return SUCCESS;
1155 }
1156 rta = RTA_NEXT(rta, rtasize);
1157 }
1158
1159 DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x",
1160 ntohl(spi));
1161 free(out);
1162 return FAILED;
1163 }
1164
1165 /**
1166 * Implementation of kernel_interface_t.del_sa.
1167 */
1168 static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
1169 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
1170 {
1171 unsigned char request[NETLINK_BUFFER_SIZE];
1172 struct nlmsghdr *hdr;
1173 struct xfrm_usersa_id *sa_id;
1174
1175 /* if IPComp was used, we first delete the additional IPComp SA */
1176 if (cpi)
1177 {
1178 del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
1179 }
1180
1181 memset(&request, 0, sizeof(request));
1182
1183 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1184
1185 hdr = (struct nlmsghdr*)request;
1186 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1187 hdr->nlmsg_type = XFRM_MSG_DELSA;
1188 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1189
1190 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1191 host2xfrm(dst, &sa_id->daddr);
1192 sa_id->spi = spi;
1193 sa_id->proto = proto_ike2kernel(protocol);
1194 sa_id->family = dst->get_family(dst);
1195
1196 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1197 {
1198 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1199 return FAILED;
1200 }
1201 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1202 return SUCCESS;
1203 }
1204
1205 /**
1206 * Implementation of kernel_interface_t.update_sa.
1207 */
1208 static status_t update_sa(private_kernel_netlink_ipsec_t *this,
1209 u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
1210 host_t *src, host_t *dst,
1211 host_t *new_src, host_t *new_dst,
1212 bool encap, bool new_encap)
1213 {
1214 unsigned char request[NETLINK_BUFFER_SIZE], *pos;
1215 struct nlmsghdr *hdr, *out = NULL;
1216 struct xfrm_usersa_id *sa_id;
1217 struct xfrm_usersa_info *out_sa = NULL, *sa;
1218 size_t len;
1219 struct rtattr *rta;
1220 size_t rtasize;
1221 struct xfrm_encap_tmpl* tmpl = NULL;
1222 bool got_replay_state = FALSE;
1223 struct xfrm_replay_state replay;
1224
1225 /* if IPComp is used, we first update the IPComp SA */
1226 if (cpi)
1227 {
1228 update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0,
1229 src, dst, new_src, new_dst, FALSE, FALSE);
1230 }
1231
1232 memset(&request, 0, sizeof(request));
1233
1234 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x for update", ntohl(spi));
1235
1236 /* query the existing SA first */
1237 hdr = (struct nlmsghdr*)request;
1238 hdr->nlmsg_flags = NLM_F_REQUEST;
1239 hdr->nlmsg_type = XFRM_MSG_GETSA;
1240 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
1241
1242 sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
1243 host2xfrm(dst, &sa_id->daddr);
1244 sa_id->spi = spi;
1245 sa_id->proto = proto_ike2kernel(protocol);
1246 sa_id->family = dst->get_family(dst);
1247
1248 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1249 {
1250 hdr = out;
1251 while (NLMSG_OK(hdr, len))
1252 {
1253 switch (hdr->nlmsg_type)
1254 {
1255 case XFRM_MSG_NEWSA:
1256 {
1257 out_sa = NLMSG_DATA(hdr);
1258 break;
1259 }
1260 case NLMSG_ERROR:
1261 {
1262 struct nlmsgerr *err = NLMSG_DATA(hdr);
1263 DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
1264 strerror(-err->error), -err->error);
1265 break;
1266 }
1267 default:
1268 hdr = NLMSG_NEXT(hdr, len);
1269 continue;
1270 case NLMSG_DONE:
1271 break;
1272 }
1273 break;
1274 }
1275 }
1276 if (out_sa == NULL)
1277 {
1278 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1279 free(out);
1280 return FAILED;
1281 }
1282
1283 /* try to get the replay state */
1284 if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS)
1285 {
1286 got_replay_state = TRUE;
1287 }
1288
1289 /* delete the old SA (without affecting the IPComp SA) */
1290 if (del_sa(this, dst, spi, protocol, 0) != SUCCESS)
1291 {
1292 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1293 free(out);
1294 return FAILED;
1295 }
1296
1297 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1298 ntohl(spi), src, dst, new_src, new_dst);
1299 /* copy over the SA from out to request */
1300 hdr = (struct nlmsghdr*)request;
1301 memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
1302 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1303 hdr->nlmsg_type = XFRM_MSG_NEWSA;
1304 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
1305 sa = NLMSG_DATA(hdr);
1306 sa->family = new_dst->get_family(new_dst);
1307
1308 if (!src->ip_equals(src, new_src))
1309 {
1310 host2xfrm(new_src, &sa->saddr);
1311 }
1312 if (!dst->ip_equals(dst, new_dst))
1313 {
1314 host2xfrm(new_dst, &sa->id.daddr);
1315 }
1316
1317 rta = XFRM_RTA(out, struct xfrm_usersa_info);
1318 rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
1319 pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
1320 while(RTA_OK(rta, rtasize))
1321 {
1322 /* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
1323 if (rta->rta_type != XFRMA_ENCAP || encap)
1324 {
1325 if (rta->rta_type == XFRMA_ENCAP)
1326 { /* update encap tmpl */
1327 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1328 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1329 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1330 }
1331 memcpy(pos, rta, rta->rta_len);
1332 pos += RTA_ALIGN(rta->rta_len);
1333 hdr->nlmsg_len += RTA_ALIGN(rta->rta_len);
1334 }
1335 rta = RTA_NEXT(rta, rtasize);
1336 }
1337
1338 rta = (struct rtattr*)pos;
1339 if (tmpl == NULL && encap)
1340 { /* add tmpl if we are enabling it */
1341 rta->rta_type = XFRMA_ENCAP;
1342 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
1343
1344 hdr->nlmsg_len += rta->rta_len;
1345 if (hdr->nlmsg_len > sizeof(request))
1346 {
1347 return FAILED;
1348 }
1349
1350 tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
1351 tmpl->encap_type = UDP_ENCAP_ESPINUDP;
1352 tmpl->encap_sport = ntohs(new_src->get_port(new_src));
1353 tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
1354 memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
1355
1356 rta = XFRM_RTA_NEXT(rta);
1357 }
1358
1359 if (got_replay_state)
1360 { /* copy the replay data if available */
1361 rta->rta_type = XFRMA_REPLAY_VAL;
1362 rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
1363
1364 hdr->nlmsg_len += rta->rta_len;
1365 if (hdr->nlmsg_len > sizeof(request))
1366 {
1367 return FAILED;
1368 }
1369 memcpy(RTA_DATA(rta), &replay, sizeof(replay));
1370
1371 rta = XFRM_RTA_NEXT(rta);
1372 }
1373
1374 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1375 {
1376 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1377 free(out);
1378 return FAILED;
1379 }
1380 free(out);
1381
1382 return SUCCESS;
1383 }
1384
1385 /**
1386 * Implementation of kernel_interface_t.add_policy.
1387 */
1388 static status_t add_policy(private_kernel_netlink_ipsec_t *this,
1389 host_t *src, host_t *dst,
1390 traffic_selector_t *src_ts,
1391 traffic_selector_t *dst_ts,
1392 policy_dir_t direction, u_int32_t spi,
1393 protocol_id_t protocol, u_int32_t reqid,
1394 ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
1395 bool routed)
1396 {
1397 iterator_t *iterator;
1398 policy_entry_t *current, *policy;
1399 bool found = FALSE;
1400 unsigned char request[NETLINK_BUFFER_SIZE];
1401 struct xfrm_userpolicy_info *policy_info;
1402 struct nlmsghdr *hdr;
1403
1404 /* create a policy */
1405 policy = malloc_thing(policy_entry_t);
1406 memset(policy, 0, sizeof(policy_entry_t));
1407 policy->sel = ts2selector(src_ts, dst_ts);
1408 policy->direction = direction;
1409
1410 /* find the policy, which matches EXACTLY */
1411 this->mutex->lock(this->mutex);
1412 iterator = this->policies->create_iterator(this->policies, TRUE);
1413 while (iterator->iterate(iterator, (void**)&current))
1414 {
1415 if (memeq(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) &&
1416 policy->direction == current->direction)
1417 {
1418 /* use existing policy */
1419 current->refcount++;
1420 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1421 "refcount", src_ts, dst_ts,
1422 policy_dir_names, direction);
1423 free(policy);
1424 policy = current;
1425 found = TRUE;
1426 break;
1427 }
1428 }
1429 iterator->destroy(iterator);
1430 if (!found)
1431 { /* apply the new one, if we have no such policy */
1432 this->policies->insert_last(this->policies, policy);
1433 policy->refcount = 1;
1434 }
1435
1436 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1437 policy_dir_names, direction);
1438
1439 memset(&request, 0, sizeof(request));
1440 hdr = (struct nlmsghdr*)request;
1441 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1442 hdr->nlmsg_type = found ? XFRM_MSG_UPDPOLICY : XFRM_MSG_NEWPOLICY;
1443 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
1444
1445 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1446 policy_info->sel = policy->sel;
1447 policy_info->dir = policy->direction;
1448 /* calculate priority based on source selector size, small size = high prio */
1449 policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
1450 policy_info->priority -= policy->sel.prefixlen_s * 10;
1451 policy_info->priority -= policy->sel.proto ? 2 : 0;
1452 policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
1453 policy_info->action = XFRM_POLICY_ALLOW;
1454 policy_info->share = XFRM_SHARE_ANY;
1455 this->mutex->unlock(this->mutex);
1456
1457 /* policies don't expire */
1458 policy_info->lft.soft_byte_limit = XFRM_INF;
1459 policy_info->lft.soft_packet_limit = XFRM_INF;
1460 policy_info->lft.hard_byte_limit = XFRM_INF;
1461 policy_info->lft.hard_packet_limit = XFRM_INF;
1462 policy_info->lft.soft_add_expires_seconds = 0;
1463 policy_info->lft.hard_add_expires_seconds = 0;
1464 policy_info->lft.soft_use_expires_seconds = 0;
1465 policy_info->lft.hard_use_expires_seconds = 0;
1466
1467 struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
1468 rthdr->rta_type = XFRMA_TMPL;
1469 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1470
1471 hdr->nlmsg_len += rthdr->rta_len;
1472 if (hdr->nlmsg_len > sizeof(request))
1473 {
1474 return FAILED;
1475 }
1476
1477 struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
1478
1479 if (ipcomp != IPCOMP_NONE)
1480 {
1481 tmpl->reqid = reqid;
1482 tmpl->id.proto = IPPROTO_COMP;
1483 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1484 tmpl->mode = mode;
1485 tmpl->optional = direction != POLICY_OUT;
1486 tmpl->family = src->get_family(src);
1487
1488 host2xfrm(src, &tmpl->saddr);
1489 host2xfrm(dst, &tmpl->id.daddr);
1490
1491 /* add an additional xfrm_user_tmpl */
1492 rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1493 hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
1494 if (hdr->nlmsg_len > sizeof(request))
1495 {
1496 return FAILED;
1497 }
1498
1499 tmpl++;
1500 }
1501
1502 tmpl->reqid = reqid;
1503 tmpl->id.proto = proto_ike2kernel(protocol);
1504 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
1505 tmpl->mode = mode;
1506 tmpl->family = src->get_family(src);
1507
1508 host2xfrm(src, &tmpl->saddr);
1509 host2xfrm(dst, &tmpl->id.daddr);
1510
1511 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1512 {
1513 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1514 policy_dir_names, direction);
1515 return FAILED;
1516 }
1517
1518 /* install a route, if:
1519 * - we are NOT updating a policy
1520 * - this is a forward policy (to just get one for each child)
1521 * - we are in tunnel mode
1522 * - we are not using IPv6 (does not work correctly yet!)
1523 * - routing is not disabled via strongswan.conf
1524 */
1525 if (policy->route == NULL && direction == POLICY_FWD &&
1526 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1527 this->install_routes)
1528 {
1529 route_entry_t *route = malloc_thing(route_entry_t);
1530
1531 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1532 dst_ts, &route->src_ip) == SUCCESS)
1533 {
1534 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1535 route->gateway = charon->kernel_interface->get_nexthop(
1536 charon->kernel_interface, src);
1537 route->if_name = charon->kernel_interface->get_interface(
1538 charon->kernel_interface, dst);
1539 route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
1540 memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
1541 route->prefixlen = policy->sel.prefixlen_s;
1542
1543 if (route->if_name)
1544 {
1545 switch (charon->kernel_interface->add_route(
1546 charon->kernel_interface, route->dst_net,
1547 route->prefixlen, route->gateway,
1548 route->src_ip, route->if_name))
1549 {
1550 default:
1551 DBG1(DBG_KNL, "unable to install source route for %H",
1552 route->src_ip);
1553 /* FALL */
1554 case ALREADY_DONE:
1555 /* route exists, do not uninstall */
1556 route_entry_destroy(route);
1557 break;
1558 case SUCCESS:
1559 /* cache the installed route */
1560 policy->route = route;
1561 break;
1562 }
1563 }
1564 else
1565 {
1566 route_entry_destroy(route);
1567 }
1568 }
1569 else
1570 {
1571 free(route);
1572 }
1573 }
1574 return SUCCESS;
1575 }
1576
1577 /**
1578 * Implementation of kernel_interface_t.query_policy.
1579 */
1580 static status_t query_policy(private_kernel_netlink_ipsec_t *this,
1581 traffic_selector_t *src_ts,
1582 traffic_selector_t *dst_ts,
1583 policy_dir_t direction, u_int32_t *use_time)
1584 {
1585 unsigned char request[NETLINK_BUFFER_SIZE];
1586 struct nlmsghdr *out = NULL, *hdr;
1587 struct xfrm_userpolicy_id *policy_id;
1588 struct xfrm_userpolicy_info *policy = NULL;
1589 size_t len;
1590
1591 memset(&request, 0, sizeof(request));
1592
1593 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1594 policy_dir_names, direction);
1595
1596 hdr = (struct nlmsghdr*)request;
1597 hdr->nlmsg_flags = NLM_F_REQUEST;
1598 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
1599 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1600
1601 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1602 policy_id->sel = ts2selector(src_ts, dst_ts);
1603 policy_id->dir = direction;
1604
1605 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
1606 {
1607 hdr = out;
1608 while (NLMSG_OK(hdr, len))
1609 {
1610 switch (hdr->nlmsg_type)
1611 {
1612 case XFRM_MSG_NEWPOLICY:
1613 {
1614 policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
1615 break;
1616 }
1617 case NLMSG_ERROR:
1618 {
1619 struct nlmsgerr *err = NLMSG_DATA(hdr);
1620 DBG1(DBG_KNL, "querying policy failed: %s (%d)",
1621 strerror(-err->error), -err->error);
1622 break;
1623 }
1624 default:
1625 hdr = NLMSG_NEXT(hdr, len);
1626 continue;
1627 case NLMSG_DONE:
1628 break;
1629 }
1630 break;
1631 }
1632 }
1633
1634 if (policy == NULL)
1635 {
1636 DBG2(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1637 policy_dir_names, direction);
1638 free(out);
1639 return FAILED;
1640 }
1641 *use_time = (time_t)policy->curlft.use_time;
1642
1643 free(out);
1644 return SUCCESS;
1645 }
1646
1647 /**
1648 * Implementation of kernel_interface_t.del_policy.
1649 */
1650 static status_t del_policy(private_kernel_netlink_ipsec_t *this,
1651 traffic_selector_t *src_ts,
1652 traffic_selector_t *dst_ts,
1653 policy_dir_t direction, bool unrouted)
1654 {
1655 policy_entry_t *current, policy, *to_delete = NULL;
1656 route_entry_t *route;
1657 unsigned char request[NETLINK_BUFFER_SIZE];
1658 struct nlmsghdr *hdr;
1659 struct xfrm_userpolicy_id *policy_id;
1660 enumerator_t *enumerator;
1661
1662 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1663 policy_dir_names, direction);
1664
1665 /* create a policy */
1666 memset(&policy, 0, sizeof(policy_entry_t));
1667 policy.sel = ts2selector(src_ts, dst_ts);
1668 policy.direction = direction;
1669
1670 /* find the policy */
1671 this->mutex->lock(this->mutex);
1672 enumerator = this->policies->create_enumerator(this->policies);
1673 while (enumerator->enumerate(enumerator, &current))
1674 {
1675 if (memeq(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) &&
1676 policy.direction == current->direction)
1677 {
1678 to_delete = current;
1679 if (--to_delete->refcount > 0)
1680 {
1681 /* is used by more SAs, keep in kernel */
1682 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1683 this->mutex->unlock(this->mutex);
1684 enumerator->destroy(enumerator);
1685 return SUCCESS;
1686 }
1687 /* remove if last reference */
1688 this->policies->remove_at(this->policies, enumerator);
1689 break;
1690 }
1691 }
1692 this->mutex->unlock(this->mutex);
1693 enumerator->destroy(enumerator);
1694 if (!to_delete)
1695 {
1696 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1697 dst_ts, policy_dir_names, direction);
1698 return NOT_FOUND;
1699 }
1700
1701 memset(&request, 0, sizeof(request));
1702
1703 hdr = (struct nlmsghdr*)request;
1704 hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1705 hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
1706 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
1707
1708 policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
1709 policy_id->sel = to_delete->sel;
1710 policy_id->dir = direction;
1711
1712 route = to_delete->route;
1713 free(to_delete);
1714
1715 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
1716 {
1717 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1718 policy_dir_names, direction);
1719 return FAILED;
1720 }
1721
1722 if (route)
1723 {
1724 if (charon->kernel_interface->del_route(charon->kernel_interface,
1725 route->dst_net, route->prefixlen, route->gateway,
1726 route->src_ip, route->if_name) != SUCCESS)
1727 {
1728 DBG1(DBG_KNL, "error uninstalling route installed with "
1729 "policy %R === %R %N", src_ts, dst_ts,
1730 policy_dir_names, direction);
1731 }
1732 route_entry_destroy(route);
1733 }
1734 return SUCCESS;
1735 }
1736
1737 /**
1738 * Implementation of kernel_interface_t.destroy.
1739 */
1740 static void destroy(private_kernel_netlink_ipsec_t *this)
1741 {
1742 this->job->cancel(this->job);
1743 close(this->socket_xfrm_events);
1744 this->socket_xfrm->destroy(this->socket_xfrm);
1745 this->policies->destroy(this->policies);
1746 this->mutex->destroy(this->mutex);
1747 free(this);
1748 }
1749
1750 /**
1751 * Add bypass policies for IKE on the sockets used by charon
1752 */
1753 static bool add_bypass_policies()
1754 {
1755 int fd, family, port;
1756 enumerator_t *sockets;
1757 bool status = TRUE;
1758
1759 /* we open an AF_KEY socket to autoload the af_key module. Otherwise
1760 * setsockopt(IPSEC_POLICY) won't work. */
1761 fd = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
1762 if (fd == 0)
1763 {
1764 DBG1(DBG_KNL, "could not open AF_KEY socket");
1765 return FALSE;
1766 }
1767 close(fd);
1768
1769 sockets = charon->socket->create_enumerator(charon->socket);
1770 while (sockets->enumerate(sockets, &fd, &family, &port))
1771 {
1772 struct sadb_x_policy policy;
1773 u_int sol, ipsec_policy;
1774
1775 switch (family)
1776 {
1777 case AF_INET:
1778 sol = SOL_IP;
1779 ipsec_policy = IP_IPSEC_POLICY;
1780 break;
1781 case AF_INET6:
1782 sol = SOL_IPV6;
1783 ipsec_policy = IPV6_IPSEC_POLICY;
1784 break;
1785 default:
1786 continue;
1787 }
1788
1789 memset(&policy, 0, sizeof(policy));
1790 policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
1791 policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1792 policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
1793
1794 policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
1795 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1796 {
1797 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1798 strerror(errno));
1799 status = FALSE;
1800 break;
1801 }
1802 policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
1803 if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
1804 {
1805 DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
1806 strerror(errno));
1807 status = FALSE;
1808 break;
1809 }
1810 }
1811 sockets->destroy(sockets);
1812 return status;
1813 }
1814
1815 /*
1816 * Described in header.
1817 */
1818 kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
1819 {
1820 private_kernel_netlink_ipsec_t *this = malloc_thing(private_kernel_netlink_ipsec_t);
1821 struct sockaddr_nl addr;
1822
1823 /* public functions */
1824 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1825 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1826 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
1827 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
1828 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
1829 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
1830 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1831 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
1832 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1833
1834 /* private members */
1835 this->policies = linked_list_create();
1836 this->mutex = mutex_create(MUTEX_DEFAULT);
1837 this->install_routes = lib->settings->get_bool(lib->settings,
1838 "charon.install_routes", TRUE);
1839
1840 /* add bypass policies on the sockets used by charon */
1841 if (!add_bypass_policies())
1842 {
1843 charon->kill(charon, "unable to add bypass policies on sockets");
1844 }
1845
1846 this->socket_xfrm = netlink_socket_create(NETLINK_XFRM);
1847
1848 memset(&addr, 0, sizeof(addr));
1849 addr.nl_family = AF_NETLINK;
1850
1851 /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */
1852 this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
1853 if (this->socket_xfrm_events <= 0)
1854 {
1855 charon->kill(charon, "unable to create XFRM event socket");
1856 }
1857 addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) |
1858 XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING);
1859 if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
1860 {
1861 charon->kill(charon, "unable to bind XFRM event socket");
1862 }
1863
1864 this->job = callback_job_create((callback_job_cb_t)receive_events,
1865 this, NULL, NULL);
1866 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1867
1868 return &this->public;
1869 }