2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2008 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
19 #include <sys/types.h>
20 #include <sys/socket.h>
22 #include <linux/ipsec.h>
23 #include <linux/pfkeyv2.h>
24 #include <linux/udp.h>
29 #include "kernel_pfkey_ipsec.h"
32 #include <utils/host.h>
33 #include <utils/mutex.h>
34 #include <processing/jobs/callback_job.h>
35 #include <processing/jobs/acquire_job.h>
36 #include <processing/jobs/migrate_job.h>
37 #include <processing/jobs/rekey_child_sa_job.h>
38 #include <processing/jobs/delete_child_sa_job.h>
39 #include <processing/jobs/update_sa_job.h>
41 /** from linux/in.h */
42 #ifndef IP_IPSEC_POLICY
43 #define IP_IPSEC_POLICY 16
46 /* missing on uclibc */
47 #ifndef IPV6_IPSEC_POLICY
48 #define IPV6_IPSEC_POLICY 34
49 #endif /*IPV6_IPSEC_POLICY*/
51 /** default priority of installed policies */
53 #define PRIO_HIGH 2000
55 /** buffer size for PF_KEY messages */
56 #define PFKEY_BUFFER_SIZE 4096
58 /** PF_KEY messages are 64 bit aligned */
59 #define PFKEY_ALIGNMENT 8
60 /** aligns len to 64 bits */
61 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
62 /** calculates the properly padded length in 64 bit chunks */
63 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
64 /** calculates user mode length i.e. in bytes */
65 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
67 /** given a PF_KEY message header and an extension this updates the length in the header */
68 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
69 /** given a PF_KEY message header this returns a pointer to the next extension */
70 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
71 /** copy an extension and append it to a PF_KEY message */
72 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
73 /** given a PF_KEY extension this returns a pointer to the next extension */
74 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
75 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
76 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
77 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
78 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
79 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
80 (ext)->sadb_ext_len <= (len))
82 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t
;
85 * Private variables and functions of kernel_pfkey class.
87 struct private_kernel_pfkey_ipsec_t
90 * Public part of the kernel_pfkey_t object.
92 kernel_pfkey_ipsec_t
public;
95 * mutex to lock access to various lists
100 * List of installed policies (policy_entry_t)
102 linked_list_t
*policies
;
105 * whether to install routes along policies
110 * job receiving PF_KEY events
115 * mutex to lock access to the PF_KEY socket
117 mutex_t
*mutex_pfkey
;
120 * PF_KEY socket to communicate with the kernel
125 * PF_KEY socket to receive acquire and expire events
130 * sequence number for messages sent to the kernel
135 typedef struct route_entry_t route_entry_t
;
138 * installed routing entry
140 struct route_entry_t
{
141 /** Name of the interface the route is bound to */
144 /** Source ip of the route */
147 /** gateway for this route */
150 /** Destination net */
153 /** Destination net prefixlen */
158 * destroy an route_entry_t object
160 static void route_entry_destroy(route_entry_t
*this)
163 this->src_ip
->destroy(this->src_ip
);
164 this->gateway
->destroy(this->gateway
);
165 chunk_free(&this->dst_net
);
169 typedef struct policy_entry_t policy_entry_t
;
172 * installed kernel policy.
174 struct policy_entry_t
{
176 /** reqid of this policy */
179 /** index assigned by the kernel */
182 /** direction of this policy: in, out, forward */
185 /** parameters of installed policy */
187 /** subnet and port */
195 /** associated route installed for this policy */
196 route_entry_t
*route
;
198 /** by how many CHILD_SA's this policy is used */
203 * create a policy_entry_t object
205 static policy_entry_t
*create_policy_entry(traffic_selector_t
*src_ts
,
206 traffic_selector_t
*dst_ts
, policy_dir_t dir
, u_int32_t reqid
)
208 policy_entry_t
*policy
= malloc_thing(policy_entry_t
);
209 policy
->reqid
= reqid
;
211 policy
->direction
= dir
;
212 policy
->route
= NULL
;
213 policy
->refcount
= 0;
215 src_ts
->to_subnet(src_ts
, &policy
->src
.net
, &policy
->src
.mask
);
216 dst_ts
->to_subnet(dst_ts
, &policy
->dst
.net
, &policy
->dst
.mask
);
218 /* src or dest proto may be "any" (0), use more restrictive one */
219 policy
->src
.proto
= max(src_ts
->get_protocol(src_ts
), dst_ts
->get_protocol(dst_ts
));
220 policy
->src
.proto
= policy
->src
.proto ? policy
->src
.proto
: IPSEC_PROTO_ANY
;
221 policy
->dst
.proto
= policy
->src
.proto
;
227 * destroy a policy_entry_t object
229 static void policy_entry_destroy(policy_entry_t
*this)
231 DESTROY_IF(this->src
.net
);
232 DESTROY_IF(this->dst
.net
);
235 route_entry_destroy(this->route
);
241 * compares two policy_entry_t
243 static inline bool policy_entry_equals(policy_entry_t
*current
, policy_entry_t
*policy
)
245 return current
->direction
== policy
->direction
&&
246 current
->src
.proto
== policy
->src
.proto
&&
247 current
->dst
.proto
== policy
->dst
.proto
&&
248 current
->src
.mask
== policy
->src
.mask
&&
249 current
->dst
.mask
== policy
->dst
.mask
&&
250 current
->src
.net
->equals(current
->src
.net
, policy
->src
.net
) &&
251 current
->dst
.net
->equals(current
->dst
.net
, policy
->dst
.net
);
255 * compare the given kernel index with that of a policy
257 static inline bool policy_entry_match_byindex(policy_entry_t
*current
, u_int32_t
*index
)
259 return current
->index
== *index
;
262 typedef struct pfkey_msg_t pfkey_msg_t
;
267 * PF_KEY message base
269 struct sadb_msg
*msg
;
273 * PF_KEY message extensions
276 struct sadb_ext
*ext
[SADB_EXT_MAX
+ 1];
278 struct sadb_ext
*reserved
; /* SADB_EXT_RESERVED */
279 struct sadb_sa
*sa
; /* SADB_EXT_SA */
280 struct sadb_lifetime
*lft_current
; /* SADB_EXT_LIFETIME_CURRENT */
281 struct sadb_lifetime
*lft_hard
; /* SADB_EXT_LIFETIME_HARD */
282 struct sadb_lifetime
*lft_soft
; /* SADB_EXT_LIFETIME_SOFT */
283 struct sadb_address
*src
; /* SADB_EXT_ADDRESS_SRC */
284 struct sadb_address
*dst
; /* SADB_EXT_ADDRESS_DST */
285 struct sadb_address
*proxy
; /* SADB_EXT_ADDRESS_PROXY */
286 struct sadb_key
*key_auth
; /* SADB_EXT_KEY_AUTH */
287 struct sadb_key
*key_encr
; /* SADB_EXT_KEY_ENCRYPT */
288 struct sadb_ident
*id_src
; /* SADB_EXT_IDENTITY_SRC */
289 struct sadb_ident
*id_dst
; /* SADB_EXT_IDENTITY_DST */
290 struct sadb_sens
*sensitivity
; /* SADB_EXT_SENSITIVITY */
291 struct sadb_prop
*proposal
; /* SADB_EXT_PROPOSAL */
292 struct sadb_supported
*supported_auth
; /* SADB_EXT_SUPPORTED_AUTH */
293 struct sadb_supported
*supported_encr
; /* SADB_EXT_SUPPORTED_ENCRYPT */
294 struct sadb_spirange
*spirange
; /* SADB_EXT_SPIRANGE */
295 struct sadb_x_kmprivate
*x_kmprivate
; /* SADB_X_EXT_KMPRIVATE */
296 struct sadb_x_policy
*x_policy
; /* SADB_X_EXT_POLICY */
297 struct sadb_x_sa2
*x_sa2
; /* SADB_X_EXT_SA2 */
298 struct sadb_x_nat_t_type
*x_natt_type
; /* SADB_X_EXT_NAT_T_TYPE */
299 struct sadb_x_nat_t_port
*x_natt_sport
; /* SADB_X_EXT_NAT_T_SPORT */
300 struct sadb_x_nat_t_port
*x_natt_dport
; /* SADB_X_EXT_NAT_T_DPORT */
301 struct sadb_address
*x_natt_oa
; /* SADB_X_EXT_NAT_T_OA */
302 struct sadb_x_sec_ctx
*x_sec_ctx
; /* SADB_X_EXT_SEC_CTX */
303 struct sadb_x_kmaddress
*x_kmaddress
; /* SADB_X_EXT_KMADDRESS */
304 } __attribute__((__packed__
));
308 ENUM(sadb_ext_type_names
, SADB_EXT_RESERVED
, SADB_X_EXT_KMADDRESS
,
311 "SADB_EXT_LIFETIME_CURRENT",
312 "SADB_EXT_LIFETIME_HARD",
313 "SADB_EXT_LIFETIME_SOFT",
314 "SADB_EXT_ADDRESS_SRC",
315 "SADB_EXT_ADDRESS_DST",
316 "SADB_EXT_ADDRESS_PROXY",
318 "SADB_EXT_KEY_ENCRYPT",
319 "SADB_EXT_IDENTITY_SRC",
320 "SADB_EXT_IDENTITY_DST",
321 "SADB_EXT_SENSITIVITY",
323 "SADB_EXT_SUPPORTED_AUTH",
324 "SADB_EXT_SUPPORTED_ENCRYPT",
326 "SADB_X_EXT_KMPRIVATE",
329 "SADB_X_EXT_NAT_T_TYPE",
330 "SADB_X_EXT_NAT_T_SPORT",
331 "SADB_X_EXT_NAT_T_DPORT",
332 "SADB_X_EXT_NAT_T_OA",
333 "SADB_X_EXT_SEC_CTX",
334 "SADB_X_EXT_KMADDRESS"
337 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
339 static u_int8_t
proto_ike2satype(protocol_id_t proto
)
344 return SADB_SATYPE_ESP
;
346 return SADB_SATYPE_AH
;
348 return SADB_X_SATYPE_IPCOMP
;
355 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
357 static protocol_id_t
proto_satype2ike(u_int8_t proto
)
361 case SADB_SATYPE_ESP
:
365 case SADB_X_SATYPE_IPCOMP
:
373 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
375 static u_int8_t
proto_ike2ip(protocol_id_t proto
)
389 * convert the general ipsec mode to the one defined in ipsec.h
391 static u_int8_t
mode2kernel(ipsec_mode_t mode
)
396 return IPSEC_MODE_TRANSPORT
;
398 return IPSEC_MODE_TUNNEL
;
400 return IPSEC_MODE_BEET
;
407 * convert the general policy direction to the one defined in ipsec.h
409 static u_int8_t
dir2kernel(policy_dir_t dir
)
414 return IPSEC_DIR_INBOUND
;
416 return IPSEC_DIR_OUTBOUND
;
418 return IPSEC_DIR_FWD
;
425 * convert the policy direction in ipsec.h to the general one.
427 static policy_dir_t
kernel2dir(u_int8_t dir
)
431 case IPSEC_DIR_INBOUND
:
433 case IPSEC_DIR_OUTBOUND
:
441 typedef struct kernel_algorithm_t kernel_algorithm_t
;
444 * Mapping of IKEv2 algorithms to PF_KEY algorithms
446 struct kernel_algorithm_t
{
448 * Identifier specified in IKEv2
453 * Identifier as defined in pfkeyv2.h
458 #define END_OF_LIST -1
461 * Algorithms for encryption
463 static kernel_algorithm_t encryption_algs
[] = {
464 /* {ENCR_DES_IV64, 0 }, */
465 {ENCR_DES
, SADB_EALG_DESCBC
},
466 {ENCR_3DES
, SADB_EALG_3DESCBC
},
467 /* {ENCR_RC5, 0 }, */
468 /* {ENCR_IDEA, 0 }, */
469 {ENCR_CAST
, SADB_X_EALG_CASTCBC
},
470 {ENCR_BLOWFISH
, SADB_X_EALG_BLOWFISHCBC
},
471 /* {ENCR_3IDEA, 0 }, */
472 /* {ENCR_DES_IV32, 0 }, */
473 {ENCR_NULL
, SADB_EALG_NULL
},
474 {ENCR_AES_CBC
, SADB_X_EALG_AESCBC
},
475 /* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
476 /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
477 /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
478 /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
479 /* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
480 /* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
481 /* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
486 * Algorithms for integrity protection
488 static kernel_algorithm_t integrity_algs
[] = {
489 {AUTH_HMAC_MD5_96
, SADB_AALG_MD5HMAC
},
490 {AUTH_HMAC_SHA1_96
, SADB_AALG_SHA1HMAC
},
491 {AUTH_HMAC_SHA2_256_128
, SADB_X_AALG_SHA2_256HMAC
},
492 {AUTH_HMAC_SHA2_384_192
, SADB_X_AALG_SHA2_384HMAC
},
493 {AUTH_HMAC_SHA2_512_256
, SADB_X_AALG_SHA2_512HMAC
},
494 /* {AUTH_DES_MAC, 0, }, */
495 /* {AUTH_KPDK_MD5, 0, }, */
496 {AUTH_AES_XCBC_96
, SADB_X_AALG_AES_XCBC_MAC
, },
502 * Algorithms for IPComp, unused yet
504 static kernel_algorithm_t compression_algs
[] = {
505 /* {IPCOMP_OUI, 0 }, */
506 {IPCOMP_DEFLATE
, SADB_X_CALG_DEFLATE
},
507 {IPCOMP_LZS
, SADB_X_CALG_LZS
},
508 {IPCOMP_LZJH
, SADB_X_CALG_LZJH
},
514 * Look up a kernel algorithm ID and its key size
516 static int lookup_algorithm(kernel_algorithm_t
*list
, int ikev2
)
518 while (list
->ikev2
!= END_OF_LIST
)
520 if (ikev2
== list
->ikev2
)
530 * add a host behind a sadb_address extension
532 static void host2ext(host_t
*host
, struct sadb_address
*ext
)
534 sockaddr_t
*host_addr
= host
->get_sockaddr(host
);
535 socklen_t
*len
= host
->get_sockaddr_len(host
);
536 memcpy((char*)(ext
+ 1), host_addr
, *len
);
537 ext
->sadb_address_len
= PFKEY_LEN(sizeof(*ext
) + *len
);
541 * add udp encap extensions to a sadb_msg
543 static void add_encap_ext(struct sadb_msg
*msg
, host_t
*src
, host_t
*dst
)
545 struct sadb_x_nat_t_type
* nat_type
;
546 struct sadb_x_nat_t_port
* nat_port
;
548 nat_type
= (struct sadb_x_nat_t_type
*)PFKEY_EXT_ADD_NEXT(msg
);
549 nat_type
->sadb_x_nat_t_type_exttype
= SADB_X_EXT_NAT_T_TYPE
;
550 nat_type
->sadb_x_nat_t_type_len
= PFKEY_LEN(sizeof(struct sadb_x_nat_t_type
));
551 nat_type
->sadb_x_nat_t_type_type
= UDP_ENCAP_ESPINUDP
;
552 PFKEY_EXT_ADD(msg
, nat_type
);
554 nat_port
= (struct sadb_x_nat_t_port
*)PFKEY_EXT_ADD_NEXT(msg
);
555 nat_port
->sadb_x_nat_t_port_exttype
= SADB_X_EXT_NAT_T_SPORT
;
556 nat_port
->sadb_x_nat_t_port_len
= PFKEY_LEN(sizeof(struct sadb_x_nat_t_port
));
557 nat_port
->sadb_x_nat_t_port_port
= htons(src
->get_port(src
));
558 PFKEY_EXT_ADD(msg
, nat_port
);
560 nat_port
= (struct sadb_x_nat_t_port
*)PFKEY_EXT_ADD_NEXT(msg
);
561 nat_port
->sadb_x_nat_t_port_exttype
= SADB_X_EXT_NAT_T_DPORT
;
562 nat_port
->sadb_x_nat_t_port_len
= PFKEY_LEN(sizeof(struct sadb_x_nat_t_port
));
563 nat_port
->sadb_x_nat_t_port_port
= htons(dst
->get_port(dst
));
564 PFKEY_EXT_ADD(msg
, nat_port
);
568 * Convert a sadb_address to a traffic_selector
570 static traffic_selector_t
* sadb_address2ts(struct sadb_address
*address
)
572 traffic_selector_t
*ts
;
575 /* The Linux 2.6 kernel does not set the protocol and port information
576 * in the src and dst sadb_address extensions of the SADB_ACQUIRE message.
578 host
= host_create_from_sockaddr((sockaddr_t
*)&address
[1]) ;
579 ts
= traffic_selector_create_from_subnet(host
, address
->sadb_address_prefixlen
,
580 address
->sadb_address_proto
, host
->get_port(host
));
585 * Parses a pfkey message received from the kernel
587 static status_t
parse_pfkey_message(struct sadb_msg
*msg
, pfkey_msg_t
*out
)
589 struct sadb_ext
* ext
;
592 memset(out
, 0, sizeof(pfkey_msg_t
));
595 len
= msg
->sadb_msg_len
;
596 len
-= PFKEY_LEN(sizeof(struct sadb_msg
));
598 ext
= (struct sadb_ext
*)(((char*)msg
) + sizeof(struct sadb_msg
));
600 while (len
>= PFKEY_LEN(sizeof(struct sadb_ext
)))
602 DBG2(DBG_KNL
, " %N", sadb_ext_type_names
, ext
->sadb_ext_type
);
603 if (ext
->sadb_ext_len
< PFKEY_LEN(sizeof(struct sadb_ext
)) ||
604 ext
->sadb_ext_len
> len
)
606 DBG1(DBG_KNL
, "length of %N extension is invalid",
607 sadb_ext_type_names
, ext
->sadb_ext_type
);
611 if ((ext
->sadb_ext_type
> SADB_EXT_MAX
) || (!ext
->sadb_ext_type
))
613 DBG1(DBG_KNL
, "type of PF_KEY extension (%d) is invalid", ext
->sadb_ext_type
);
617 if (out
->ext
[ext
->sadb_ext_type
])
619 DBG1(DBG_KNL
, "duplicate %N extension",
620 sadb_ext_type_names
, ext
->sadb_ext_type
);
624 out
->ext
[ext
->sadb_ext_type
] = ext
;
625 ext
= PFKEY_EXT_NEXT_LEN(ext
, len
);
630 DBG1(DBG_KNL
, "PF_KEY message length is invalid");
638 * Send a message to a specific PF_KEY socket and handle the response.
640 static status_t
pfkey_send_socket(private_kernel_pfkey_ipsec_t
*this, int socket
,
641 struct sadb_msg
*in
, struct sadb_msg
**out
, size_t *out_len
)
643 unsigned char buf
[PFKEY_BUFFER_SIZE
];
644 struct sadb_msg
*msg
;
647 this->mutex_pfkey
->lock(this->mutex_pfkey
);
649 in
->sadb_msg_seq
= ++this->seq
;
650 in
->sadb_msg_pid
= getpid();
652 in_len
= PFKEY_USER_LEN(in
->sadb_msg_len
);
656 len
= send(socket
, in
, in_len
, 0);
662 /* interrupted, try again */
665 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
666 DBG1(DBG_KNL
, "error sending to PF_KEY socket: %s", strerror(errno
));
674 msg
= (struct sadb_msg
*)buf
;
676 len
= recv(socket
, buf
, sizeof(buf
), 0);
682 DBG1(DBG_KNL
, "got interrupted");
683 /* interrupted, try again */
686 DBG1(DBG_KNL
, "error reading from PF_KEY socket: %s", strerror(errno
));
687 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
690 if (len
< sizeof(struct sadb_msg
) ||
691 msg
->sadb_msg_len
< PFKEY_LEN(sizeof(struct sadb_msg
)))
693 DBG1(DBG_KNL
, "received corrupted PF_KEY message");
694 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
697 if (msg
->sadb_msg_len
> len
/ PFKEY_ALIGNMENT
)
699 DBG1(DBG_KNL
, "buffer was too small to receive the complete PF_KEY message");
700 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
703 if (msg
->sadb_msg_pid
!= in
->sadb_msg_pid
)
705 DBG2(DBG_KNL
, "received PF_KEY message is not intended for us");
708 if (msg
->sadb_msg_seq
!= this->seq
)
710 DBG1(DBG_KNL
, "received PF_KEY message with invalid sequence number, "
711 "was %d expected %d", msg
->sadb_msg_seq
, this->seq
);
712 if (msg
->sadb_msg_seq
< this->seq
)
716 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
719 if (msg
->sadb_msg_type
!= in
->sadb_msg_type
)
721 DBG2(DBG_KNL
, "received PF_KEY message of wrong type, "
722 "was %d expected %d, ignoring",
723 msg
->sadb_msg_type
, in
->sadb_msg_type
);
729 *out
= (struct sadb_msg
*)malloc(len
);
730 memcpy(*out
, buf
, len
);
732 this->mutex_pfkey
->unlock(this->mutex_pfkey
);
738 * Send a message to the default PF_KEY socket and handle the response.
740 static status_t
pfkey_send(private_kernel_pfkey_ipsec_t
*this,
741 struct sadb_msg
*in
, struct sadb_msg
**out
, size_t *out_len
)
743 return pfkey_send_socket(this, this->socket
, in
, out
, out_len
);
747 * Process a SADB_ACQUIRE message from the kernel
749 static void process_acquire(private_kernel_pfkey_ipsec_t
*this, struct sadb_msg
* msg
)
751 pfkey_msg_t response
;
752 u_int32_t index
, reqid
= 0;
753 traffic_selector_t
*src_ts
, *dst_ts
;
754 policy_entry_t
*policy
;
757 switch (msg
->sadb_msg_satype
)
759 case SADB_SATYPE_UNSPEC
:
760 case SADB_SATYPE_ESP
:
764 /* acquire for AH/ESP only */
767 DBG2(DBG_KNL
, "received an SADB_ACQUIRE");
769 if (parse_pfkey_message(msg
, &response
) != SUCCESS
)
771 DBG1(DBG_KNL
, "parsing SADB_ACQUIRE from kernel failed");
775 index
= response
.x_policy
->sadb_x_policy_id
;
776 this->mutex
->lock(this->mutex
);
777 if (this->policies
->find_first(this->policies
,
778 (linked_list_match_t
)policy_entry_match_byindex
, (void**)&policy
, &index
) == SUCCESS
)
780 reqid
= policy
->reqid
;
784 DBG1(DBG_KNL
, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
787 src_ts
= sadb_address2ts(response
.src
);
788 dst_ts
= sadb_address2ts(response
.dst
);
789 this->mutex
->unlock(this->mutex
);
791 DBG1(DBG_KNL
, "creating acquire job for policy %R === %R with reqid {%u}",
792 src_ts
, dst_ts
, reqid
);
793 job
= (job_t
*)acquire_job_create(reqid
, src_ts
, dst_ts
);
794 charon
->processor
->queue_job(charon
->processor
, job
);
798 * Process a SADB_EXPIRE message from the kernel
800 static void process_expire(private_kernel_pfkey_ipsec_t
*this, struct sadb_msg
* msg
)
802 pfkey_msg_t response
;
803 protocol_id_t protocol
;
804 u_int32_t spi
, reqid
;
808 DBG2(DBG_KNL
, "received an SADB_EXPIRE");
810 if (parse_pfkey_message(msg
, &response
) != SUCCESS
)
812 DBG1(DBG_KNL
, "parsing SADB_EXPIRE from kernel failed");
816 protocol
= proto_satype2ike(msg
->sadb_msg_satype
);
817 spi
= response
.sa
->sadb_sa_spi
;
818 reqid
= response
.x_sa2
->sadb_x_sa2_reqid
;
819 hard
= response
.lft_hard
!= NULL
;
821 if (protocol
!= PROTO_ESP
&& protocol
!= PROTO_AH
)
823 DBG2(DBG_KNL
, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
824 "which is not a CHILD_SA", ntohl(spi
), reqid
);
828 DBG1(DBG_KNL
, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
829 hard ?
"delete" : "rekey", protocol_id_names
,
830 protocol
, ntohl(spi
), reqid
);
833 job
= (job_t
*)delete_child_sa_job_create(reqid
, protocol
, spi
);
837 job
= (job_t
*)rekey_child_sa_job_create(reqid
, protocol
, spi
);
839 charon
->processor
->queue_job(charon
->processor
, job
);
843 * Process a SADB_MIGRATE message from the kernel
845 static void process_migrate(private_kernel_pfkey_ipsec_t
*this, struct sadb_msg
* msg
)
847 pfkey_msg_t response
;
848 traffic_selector_t
*src_ts
, *dst_ts
;
851 host_t
*local
= NULL
, *remote
= NULL
;
854 DBG2(DBG_KNL
, "received an SADB_X_MIGRATE");
856 if (parse_pfkey_message(msg
, &response
) != SUCCESS
)
858 DBG1(DBG_KNL
, "parsing SADB_X_MIGRATE from kernel failed");
861 src_ts
= sadb_address2ts(response
.src
);
862 dst_ts
= sadb_address2ts(response
.dst
);
863 dir
= kernel2dir(response
.x_policy
->sadb_x_policy_dir
);
864 DBG2(DBG_KNL
, " policy %R === %R %N, id %u", src_ts
, dst_ts
,
865 policy_dir_names
, dir
);
867 /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
868 if (response
.x_kmaddress
)
870 sockaddr_t
*local_addr
, *remote_addr
;
873 local_addr
= (sockaddr_t
*)&response
.x_kmaddress
[1];
874 local
= host_create_from_sockaddr(local_addr
);
875 local_len
= (local_addr
->sa_family
== AF_INET6
)?
876 sizeof(struct sockaddr_in6
) : sizeof(struct sockaddr_in
);
877 remote_addr
= (sockaddr_t
*)((u_int8_t
*)local_addr
+ local_len
);
878 remote
= host_create_from_sockaddr(remote_addr
);
879 DBG2(DBG_KNL
, " kmaddress: %H...%H", local
, remote
);
882 if (src_ts
&& dst_ts
&& local
&& remote
)
884 DBG1(DBG_KNL
, "creating migrate job for policy %R === %R %N with reqid {%u}",
885 src_ts
, dst_ts
, policy_dir_names
, dir
, reqid
, local
);
886 job
= (job_t
*)migrate_job_create(reqid
, src_ts
, dst_ts
, dir
,
888 charon
->processor
->queue_job(charon
->processor
, job
);
900 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
902 static void process_mapping(private_kernel_pfkey_ipsec_t
*this, struct sadb_msg
* msg
)
904 pfkey_msg_t response
;
905 u_int32_t spi
, reqid
;
909 DBG2(DBG_KNL
, "received an SADB_X_NAT_T_NEW_MAPPING");
911 if (parse_pfkey_message(msg
, &response
) != SUCCESS
)
913 DBG1(DBG_KNL
, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
919 DBG1(DBG_KNL
, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
923 spi
= response
.sa
->sadb_sa_spi
;
924 reqid
= response
.x_sa2
->sadb_x_sa2_reqid
;
926 if (proto_satype2ike(msg
->sadb_msg_satype
) == PROTO_ESP
)
928 sockaddr_t
*sa
= (sockaddr_t
*)(response
.dst
+ 1);
929 switch (sa
->sa_family
)
933 struct sockaddr_in
*sin
= (struct sockaddr_in
*)sa
;
934 sin
->sin_port
= htons(response
.x_natt_dport
->sadb_x_nat_t_port_port
);
938 struct sockaddr_in6
*sin6
= (struct sockaddr_in6
*)sa
;
939 sin6
->sin6_port
= htons(response
.x_natt_dport
->sadb_x_nat_t_port_port
);
944 host
= host_create_from_sockaddr(sa
);
947 DBG1(DBG_KNL
, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
948 "reqid {%u} changed, queuing update job", ntohl(spi
), reqid
);
949 job
= (job_t
*)update_sa_job_create(reqid
, host
);
950 charon
->processor
->queue_job(charon
->processor
, job
);
956 * Receives events from kernel
958 static job_requeue_t
receive_events(private_kernel_pfkey_ipsec_t
*this)
960 unsigned char buf
[PFKEY_BUFFER_SIZE
];
961 struct sadb_msg
*msg
= (struct sadb_msg
*)buf
;
964 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE
, &oldstate
);
965 len
= recv(this->socket_events
, buf
, sizeof(buf
), 0);
966 pthread_setcancelstate(oldstate
, NULL
);
973 /* interrupted, try again */
974 return JOB_REQUEUE_DIRECT
;
976 /* no data ready, select again */
977 return JOB_REQUEUE_DIRECT
;
979 DBG1(DBG_KNL
, "unable to receive from PF_KEY event socket");
981 return JOB_REQUEUE_FAIR
;
985 if (len
< sizeof(struct sadb_msg
) ||
986 msg
->sadb_msg_len
< PFKEY_LEN(sizeof(struct sadb_msg
)))
988 DBG2(DBG_KNL
, "received corrupted PF_KEY message");
989 return JOB_REQUEUE_DIRECT
;
991 if (msg
->sadb_msg_pid
!= 0)
992 { /* not from kernel. not interested, try another one */
993 return JOB_REQUEUE_DIRECT
;
995 if (msg
->sadb_msg_len
> len
/ PFKEY_ALIGNMENT
)
997 DBG1(DBG_KNL
, "buffer was too small to receive the complete PF_KEY message");
998 return JOB_REQUEUE_DIRECT
;
1001 switch (msg
->sadb_msg_type
)
1004 process_acquire(this, msg
);
1007 process_expire(this, msg
);
1009 case SADB_X_MIGRATE
:
1010 process_migrate(this, msg
);
1012 case SADB_X_NAT_T_NEW_MAPPING
:
1013 process_mapping(this, msg
);
1019 return JOB_REQUEUE_DIRECT
;
1023 * Implementation of kernel_interface_t.get_spi.
1025 static status_t
get_spi(private_kernel_pfkey_ipsec_t
*this,
1026 host_t
*src
, host_t
*dst
,
1027 protocol_id_t protocol
, u_int32_t reqid
,
1030 unsigned char request
[PFKEY_BUFFER_SIZE
];
1031 struct sadb_msg
*msg
, *out
;
1032 struct sadb_x_sa2
*sa2
;
1033 struct sadb_address
*addr
;
1034 struct sadb_spirange
*range
;
1035 pfkey_msg_t response
;
1036 u_int32_t received_spi
= 0;
1039 memset(&request
, 0, sizeof(request
));
1041 msg
= (struct sadb_msg
*)request
;
1042 msg
->sadb_msg_version
= PF_KEY_V2
;
1043 msg
->sadb_msg_type
= SADB_GETSPI
;
1044 msg
->sadb_msg_satype
= proto_ike2satype(protocol
);
1045 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1047 sa2
= (struct sadb_x_sa2
*)PFKEY_EXT_ADD_NEXT(msg
);
1048 sa2
->sadb_x_sa2_exttype
= SADB_X_EXT_SA2
;
1049 sa2
->sadb_x_sa2_len
= PFKEY_LEN(sizeof(struct sadb_spirange
));
1050 sa2
->sadb_x_sa2_reqid
= reqid
;
1051 PFKEY_EXT_ADD(msg
, sa2
);
1053 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1054 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_SRC
;
1055 host2ext(src
, addr
);
1056 PFKEY_EXT_ADD(msg
, addr
);
1058 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1059 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_DST
;
1060 host2ext(dst
, addr
);
1061 PFKEY_EXT_ADD(msg
, addr
);
1063 range
= (struct sadb_spirange
*)PFKEY_EXT_ADD_NEXT(msg
);
1064 range
->sadb_spirange_exttype
= SADB_EXT_SPIRANGE
;
1065 range
->sadb_spirange_len
= PFKEY_LEN(sizeof(struct sadb_spirange
));
1066 range
->sadb_spirange_min
= 0xc0000000;
1067 range
->sadb_spirange_max
= 0xcFFFFFFF;
1068 PFKEY_EXT_ADD(msg
, range
);
1070 if (pfkey_send(this, msg
, &out
, &len
) == SUCCESS
)
1072 if (out
->sadb_msg_errno
)
1074 DBG1(DBG_KNL
, "allocating SPI failed: %s (%d)",
1075 strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
1077 else if (parse_pfkey_message(out
, &response
) == SUCCESS
)
1079 received_spi
= response
.sa
->sadb_sa_spi
;
1084 if (received_spi
== 0)
1089 *spi
= received_spi
;
1094 * Implementation of kernel_interface_t.get_cpi.
1096 static status_t
get_cpi(private_kernel_pfkey_ipsec_t
*this,
1097 host_t
*src
, host_t
*dst
,
1098 u_int32_t reqid
, u_int16_t
*cpi
)
1104 * Implementation of kernel_interface_t.add_sa.
1106 static status_t
add_sa(private_kernel_pfkey_ipsec_t
*this,
1107 host_t
*src
, host_t
*dst
, u_int32_t spi
,
1108 protocol_id_t protocol
, u_int32_t reqid
,
1109 u_int64_t expire_soft
, u_int64_t expire_hard
,
1110 u_int16_t enc_alg
, chunk_t enc_key
,
1111 u_int16_t int_alg
, chunk_t int_key
,
1112 ipsec_mode_t mode
, u_int16_t ipcomp
, u_int16_t cpi
,
1113 bool encap
, bool inbound
)
1115 unsigned char request
[PFKEY_BUFFER_SIZE
];
1116 struct sadb_msg
*msg
, *out
;
1118 struct sadb_x_sa2
*sa2
;
1119 struct sadb_address
*addr
;
1120 struct sadb_lifetime
*lft
;
1121 struct sadb_key
*key
;
1124 memset(&request
, 0, sizeof(request
));
1126 DBG2(DBG_KNL
, "adding SAD entry with SPI %.8x and reqid {%u}", ntohl(spi
), reqid
);
1128 msg
= (struct sadb_msg
*)request
;
1129 msg
->sadb_msg_version
= PF_KEY_V2
;
1130 msg
->sadb_msg_type
= inbound ? SADB_UPDATE
: SADB_ADD
;
1131 msg
->sadb_msg_satype
= proto_ike2satype(protocol
);
1132 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1134 sa
= (struct sadb_sa
*)PFKEY_EXT_ADD_NEXT(msg
);
1135 sa
->sadb_sa_exttype
= SADB_EXT_SA
;
1136 sa
->sadb_sa_len
= PFKEY_LEN(sizeof(struct sadb_sa
));
1137 sa
->sadb_sa_spi
= spi
;
1138 sa
->sadb_sa_replay
= (protocol
== IPPROTO_COMP
) ?
0 : 32;
1139 sa
->sadb_sa_auth
= lookup_algorithm(integrity_algs
, int_alg
);
1140 sa
->sadb_sa_encrypt
= lookup_algorithm(encryption_algs
, enc_alg
);
1141 PFKEY_EXT_ADD(msg
, sa
);
1143 sa2
= (struct sadb_x_sa2
*)PFKEY_EXT_ADD_NEXT(msg
);
1144 sa2
->sadb_x_sa2_exttype
= SADB_X_EXT_SA2
;
1145 sa2
->sadb_x_sa2_len
= PFKEY_LEN(sizeof(struct sadb_spirange
));
1146 sa2
->sadb_x_sa2_mode
= mode2kernel(mode
);
1147 sa2
->sadb_x_sa2_reqid
= reqid
;
1148 PFKEY_EXT_ADD(msg
, sa2
);
1150 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1151 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_SRC
;
1152 host2ext(src
, addr
);
1153 PFKEY_EXT_ADD(msg
, addr
);
1155 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1156 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_DST
;
1157 host2ext(dst
, addr
);
1158 PFKEY_EXT_ADD(msg
, addr
);
1160 lft
= (struct sadb_lifetime
*)PFKEY_EXT_ADD_NEXT(msg
);
1161 lft
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_SOFT
;
1162 lft
->sadb_lifetime_len
= PFKEY_LEN(sizeof(struct sadb_lifetime
));
1163 lft
->sadb_lifetime_addtime
= expire_soft
;
1164 PFKEY_EXT_ADD(msg
, lft
);
1166 lft
= (struct sadb_lifetime
*)PFKEY_EXT_ADD_NEXT(msg
);
1167 lft
->sadb_lifetime_exttype
= SADB_EXT_LIFETIME_HARD
;
1168 lft
->sadb_lifetime_len
= PFKEY_LEN(sizeof(struct sadb_lifetime
));
1169 lft
->sadb_lifetime_addtime
= expire_hard
;
1170 PFKEY_EXT_ADD(msg
, lft
);
1172 if (enc_alg
!= ENCR_UNDEFINED
)
1174 if (!sa
->sadb_sa_encrypt
)
1176 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1177 encryption_algorithm_names
, enc_alg
);
1180 DBG2(DBG_KNL
, " using encryption algorithm %N with key size %d",
1181 encryption_algorithm_names
, enc_alg
, enc_key
.len
* 8);
1183 key
= (struct sadb_key
*)PFKEY_EXT_ADD_NEXT(msg
);
1184 key
->sadb_key_exttype
= SADB_EXT_KEY_ENCRYPT
;
1185 key
->sadb_key_bits
= enc_key
.len
* 8;
1186 key
->sadb_key_len
= PFKEY_LEN(sizeof(struct sadb_key
) + enc_key
.len
);
1187 memcpy(key
+ 1, enc_key
.ptr
, enc_key
.len
);
1189 PFKEY_EXT_ADD(msg
, key
);
1192 if (int_alg
!= AUTH_UNDEFINED
)
1194 if (!sa
->sadb_sa_auth
)
1196 DBG1(DBG_KNL
, "algorithm %N not supported by kernel!",
1197 integrity_algorithm_names
, int_alg
);
1200 DBG2(DBG_KNL
, " using integrity algorithm %N with key size %d",
1201 integrity_algorithm_names
, int_alg
, int_key
.len
* 8);
1203 key
= (struct sadb_key
*)PFKEY_EXT_ADD_NEXT(msg
);
1204 key
->sadb_key_exttype
= SADB_EXT_KEY_AUTH
;
1205 key
->sadb_key_bits
= int_key
.len
* 8;
1206 key
->sadb_key_len
= PFKEY_LEN(sizeof(struct sadb_key
) + int_key
.len
);
1207 memcpy(key
+ 1, int_key
.ptr
, int_key
.len
);
1209 PFKEY_EXT_ADD(msg
, key
);
1212 if (ipcomp
!= IPCOMP_NONE
)
1219 add_encap_ext(msg
, src
, dst
);
1222 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
1224 DBG1(DBG_KNL
, "unable to add SAD entry with SPI %.8x", ntohl(spi
));
1227 else if (out
->sadb_msg_errno
)
1229 DBG1(DBG_KNL
, "unable to add SAD entry with SPI %.8x: %s (%d)",
1230 ntohl(spi
), strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
1240 * Implementation of kernel_interface_t.update_sa.
1242 static status_t
update_sa(private_kernel_pfkey_ipsec_t
*this,
1243 u_int32_t spi
, protocol_id_t protocol
, u_int16_t cpi
,
1244 host_t
*src
, host_t
*dst
,
1245 host_t
*new_src
, host_t
*new_dst
,
1246 bool encap
, bool new_encap
)
1248 unsigned char request
[PFKEY_BUFFER_SIZE
];
1249 struct sadb_msg
*msg
, *out
;
1251 struct sadb_address
*addr
;
1252 pfkey_msg_t response
;
1255 /* we can't update the SA if any of the ip addresses have changed.
1256 * that's because we can't use SADB_UPDATE and by deleting and readding the
1257 * SA the sequence numbers would get lost */
1258 if (!src
->ip_equals(src
, new_src
) ||
1259 !dst
->ip_equals(dst
, new_dst
))
1261 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x: address changes"
1262 " are not supported", ntohl(spi
));
1263 return NOT_SUPPORTED
;
1266 memset(&request
, 0, sizeof(request
));
1268 DBG2(DBG_KNL
, "querying SAD entry with SPI %.8x", ntohl(spi
));
1270 msg
= (struct sadb_msg
*)request
;
1271 msg
->sadb_msg_version
= PF_KEY_V2
;
1272 msg
->sadb_msg_type
= SADB_GET
;
1273 msg
->sadb_msg_satype
= proto_ike2satype(protocol
);
1274 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1276 sa
= (struct sadb_sa
*)PFKEY_EXT_ADD_NEXT(msg
);
1277 sa
->sadb_sa_exttype
= SADB_EXT_SA
;
1278 sa
->sadb_sa_len
= PFKEY_LEN(sizeof(struct sadb_sa
));
1279 sa
->sadb_sa_spi
= spi
;
1280 PFKEY_EXT_ADD(msg
, sa
);
1282 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1283 * it is not used for anything, so we just send dst twice */
1284 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1285 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_SRC
;
1286 host2ext(dst
, addr
);
1287 PFKEY_EXT_ADD(msg
, addr
);
1289 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1290 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_DST
;
1291 host2ext(dst
, addr
);
1292 PFKEY_EXT_ADD(msg
, addr
);
1294 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
1296 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x",
1300 else if (out
->sadb_msg_errno
)
1302 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x: %s (%d)",
1303 ntohl(spi
), strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
1307 else if (parse_pfkey_message(out
, &response
) != SUCCESS
)
1309 DBG1(DBG_KNL
, "unable to query SAD entry with SPI %.8x: parsing response "
1310 "from kernel failed", ntohl(spi
));
1315 DBG2(DBG_KNL
, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1316 ntohl(spi
), src
, dst
, new_src
, new_dst
);
1318 memset(&request
, 0, sizeof(request
));
1320 msg
= (struct sadb_msg
*)request
;
1321 msg
->sadb_msg_version
= PF_KEY_V2
;
1322 msg
->sadb_msg_type
= SADB_UPDATE
;
1323 msg
->sadb_msg_satype
= proto_ike2satype(protocol
);
1324 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1326 PFKEY_EXT_COPY(msg
, response
.sa
);
1327 PFKEY_EXT_COPY(msg
, response
.x_sa2
);
1329 PFKEY_EXT_COPY(msg
, response
.src
);
1330 PFKEY_EXT_COPY(msg
, response
.dst
);
1332 PFKEY_EXT_COPY(msg
, response
.lft_soft
);
1333 PFKEY_EXT_COPY(msg
, response
.lft_hard
);
1335 if (response
.key_encr
)
1337 PFKEY_EXT_COPY(msg
, response
.key_encr
);
1340 if (response
.key_auth
)
1342 PFKEY_EXT_COPY(msg
, response
.key_auth
);
1347 add_encap_ext(msg
, new_src
, new_dst
);
1352 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
1354 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x", ntohl(spi
));
1357 else if (out
->sadb_msg_errno
)
1359 DBG1(DBG_KNL
, "unable to update SAD entry with SPI %.8x: %s (%d)",
1360 ntohl(spi
), strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
1370 * Implementation of kernel_interface_t.del_sa.
1372 static status_t
del_sa(private_kernel_pfkey_ipsec_t
*this, host_t
*dst
,
1373 u_int32_t spi
, protocol_id_t protocol
, u_int16_t cpi
)
1375 unsigned char request
[PFKEY_BUFFER_SIZE
];
1376 struct sadb_msg
*msg
, *out
;
1378 struct sadb_address
*addr
;
1381 memset(&request
, 0, sizeof(request
));
1383 DBG2(DBG_KNL
, "deleting SAD entry with SPI %.8x", ntohl(spi
));
1385 msg
= (struct sadb_msg
*)request
;
1386 msg
->sadb_msg_version
= PF_KEY_V2
;
1387 msg
->sadb_msg_type
= SADB_DELETE
;
1388 msg
->sadb_msg_satype
= proto_ike2satype(protocol
);
1389 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1391 sa
= (struct sadb_sa
*)PFKEY_EXT_ADD_NEXT(msg
);
1392 sa
->sadb_sa_exttype
= SADB_EXT_SA
;
1393 sa
->sadb_sa_len
= PFKEY_LEN(sizeof(struct sadb_sa
));
1394 sa
->sadb_sa_spi
= spi
;
1395 PFKEY_EXT_ADD(msg
, sa
);
1397 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1398 * it is not used for anything, so we just send dst twice */
1399 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1400 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_SRC
;
1401 host2ext(dst
, addr
);
1402 PFKEY_EXT_ADD(msg
, addr
);
1404 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1405 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_DST
;
1406 host2ext(dst
, addr
);
1407 PFKEY_EXT_ADD(msg
, addr
);
1409 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
1411 DBG1(DBG_KNL
, "unable to delete SAD entry with SPI %.8x", ntohl(spi
));
1414 else if (out
->sadb_msg_errno
)
1416 DBG1(DBG_KNL
, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1417 ntohl(spi
), strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
1422 DBG2(DBG_KNL
, "deleted SAD entry with SPI %.8x", ntohl(spi
));
1428 * Implementation of kernel_interface_t.add_policy.
1430 static status_t
add_policy(private_kernel_pfkey_ipsec_t
*this,
1431 host_t
*src
, host_t
*dst
,
1432 traffic_selector_t
*src_ts
,
1433 traffic_selector_t
*dst_ts
,
1434 policy_dir_t direction
, u_int32_t spi
,
1435 protocol_id_t protocol
, u_int32_t reqid
,
1436 ipsec_mode_t mode
, u_int16_t ipcomp
, u_int16_t cpi
,
1439 unsigned char request
[PFKEY_BUFFER_SIZE
];
1440 struct sadb_msg
*msg
, *out
;
1441 struct sadb_x_policy
*pol
;
1442 struct sadb_address
*addr
;
1443 struct sadb_x_ipsecrequest
*req
;
1444 policy_entry_t
*policy
, *found
= NULL
;
1445 pfkey_msg_t response
;
1448 /* create a policy */
1449 policy
= create_policy_entry(src_ts
, dst_ts
, direction
, reqid
);
1451 /* find a matching policy */
1452 this->mutex
->lock(this->mutex
);
1453 if (this->policies
->find_first(this->policies
,
1454 (linked_list_match_t
)policy_entry_equals
, (void**)&found
, policy
) == SUCCESS
)
1456 /* use existing policy */
1458 DBG2(DBG_KNL
, "policy %R === %R %N already exists, increasing "
1459 "refcount", src_ts
, dst_ts
,
1460 policy_dir_names
, direction
);
1461 policy_entry_destroy(policy
);
1466 /* apply the new one, if we have no such policy */
1467 this->policies
->insert_last(this->policies
, policy
);
1468 policy
->refcount
= 1;
1471 memset(&request
, 0, sizeof(request
));
1473 DBG2(DBG_KNL
, "adding policy %R === %R %N", src_ts
, dst_ts
,
1474 policy_dir_names
, direction
);
1476 msg
= (struct sadb_msg
*)request
;
1477 msg
->sadb_msg_version
= PF_KEY_V2
;
1478 msg
->sadb_msg_type
= found ? SADB_X_SPDUPDATE
: SADB_X_SPDADD
;
1479 msg
->sadb_msg_satype
= 0;
1480 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1482 pol
= (struct sadb_x_policy
*)PFKEY_EXT_ADD_NEXT(msg
);
1483 pol
->sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
1484 pol
->sadb_x_policy_len
= PFKEY_LEN(sizeof(struct sadb_x_policy
));
1485 pol
->sadb_x_policy_id
= 0;
1486 pol
->sadb_x_policy_dir
= dir2kernel(direction
);
1487 /* calculate priority based on source selector size, small size = high prio */
1488 pol
->sadb_x_policy_priority
= routed ? PRIO_LOW
: PRIO_HIGH
;
1489 pol
->sadb_x_policy_priority
-= policy
->src
.mask
* 10;
1490 pol
->sadb_x_policy_priority
-= policy
->src
.proto
!= IPSEC_PROTO_ANY ?
2 : 0;
1491 pol
->sadb_x_policy_priority
-= policy
->src
.net
->get_port(policy
->src
.net
) ?
1 : 0;
1492 pol
->sadb_x_policy_type
= IPSEC_POLICY_IPSEC
;
1494 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1495 req
= (struct sadb_x_ipsecrequest
*)(pol
+ 1);
1496 req
->sadb_x_ipsecrequest_proto
= proto_ike2ip(protocol
);
1497 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1498 req
->sadb_x_ipsecrequest_len
= sizeof(struct sadb_x_ipsecrequest
);
1499 req
->sadb_x_ipsecrequest_mode
= mode2kernel(mode
);
1500 req
->sadb_x_ipsecrequest_reqid
= reqid
;
1501 req
->sadb_x_ipsecrequest_level
= IPSEC_LEVEL_UNIQUE
;
1502 if (mode
== MODE_TUNNEL
)
1506 sa
= src
->get_sockaddr(src
);
1507 sl
= *src
->get_sockaddr_len(src
);
1508 memcpy(req
+ 1, sa
, sl
);
1509 sa
= dst
->get_sockaddr(dst
);
1510 memcpy((u_int8_t
*)(req
+ 1) + sl
, sa
, sl
);
1511 req
->sadb_x_ipsecrequest_len
+= sl
* 2;
1514 pol
->sadb_x_policy_len
+= PFKEY_LEN(req
->sadb_x_ipsecrequest_len
);
1515 PFKEY_EXT_ADD(msg
, pol
);
1517 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1518 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_SRC
;
1519 addr
->sadb_address_proto
= policy
->src
.proto
;
1520 addr
->sadb_address_prefixlen
= policy
->src
.mask
;
1521 host2ext(policy
->src
.net
, addr
);
1522 PFKEY_EXT_ADD(msg
, addr
);
1524 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1525 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_DST
;
1526 addr
->sadb_address_proto
= policy
->dst
.proto
;
1527 addr
->sadb_address_prefixlen
= policy
->dst
.mask
;
1528 host2ext(policy
->dst
.net
, addr
);
1529 PFKEY_EXT_ADD(msg
, addr
);
1531 this->mutex
->unlock(this->mutex
);
1533 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
1535 DBG1(DBG_KNL
, "unable to add policy %R === %R %N", src_ts
, dst_ts
,
1536 policy_dir_names
, direction
);
1539 else if (out
->sadb_msg_errno
)
1541 DBG1(DBG_KNL
, "unable to add policy %R === %R %N: %s (%d)", src_ts
, dst_ts
,
1542 policy_dir_names
, direction
,
1543 strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
1547 else if (parse_pfkey_message(out
, &response
) != SUCCESS
)
1549 DBG1(DBG_KNL
, "unable to add policy %R === %R %N: parsing response "
1550 "from kernel failed", src_ts
, dst_ts
, policy_dir_names
, direction
);
1555 this->mutex
->lock(this->mutex
);
1557 /* we try to find the policy again and update the kernel index */
1558 if (this->policies
->find_last(this->policies
, NULL
, (void**)&policy
) != SUCCESS
)
1560 DBG2(DBG_KNL
, "unable to update index, the policy %R === %R %N is "
1561 "already gone, ignoring", src_ts
, dst_ts
, policy_dir_names
, direction
);
1562 this->mutex
->unlock(this->mutex
);
1566 policy
->index
= response
.x_policy
->sadb_x_policy_id
;
1569 /* install a route, if:
1570 * - we are NOT updating a policy
1571 * - this is a forward policy (to just get one for each child)
1572 * - we are in tunnel mode
1573 * - we are not using IPv6 (does not work correctly yet!)
1574 * - routing is not disabled via strongswan.conf
1576 if (policy
->route
== NULL
&& direction
== POLICY_FWD
&&
1577 mode
!= MODE_TRANSPORT
&& src
->get_family(src
) != AF_INET6
&&
1578 this->install_routes
)
1580 route_entry_t
*route
= malloc_thing(route_entry_t
);
1582 if (charon
->kernel_interface
->get_address_by_ts(charon
->kernel_interface
,
1583 dst_ts
, &route
->src_ip
) == SUCCESS
)
1585 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1586 route
->gateway
= charon
->kernel_interface
->get_nexthop(
1587 charon
->kernel_interface
, src
);
1588 route
->if_name
= charon
->kernel_interface
->get_interface(
1589 charon
->kernel_interface
, dst
);
1590 route
->dst_net
= chunk_clone(policy
->src
.net
->get_address(policy
->src
.net
));
1591 route
->prefixlen
= policy
->src
.mask
;
1593 switch (charon
->kernel_interface
->add_route(charon
->kernel_interface
,
1594 route
->dst_net
, route
->prefixlen
, route
->gateway
,
1595 route
->src_ip
, route
->if_name
))
1598 DBG1(DBG_KNL
, "unable to install source route for %H",
1602 /* route exists, do not uninstall */
1603 route_entry_destroy(route
);
1606 /* cache the installed route */
1607 policy
->route
= route
;
1617 this->mutex
->unlock(this->mutex
);
1623 * Implementation of kernel_interface_t.query_policy.
1625 static status_t
query_policy(private_kernel_pfkey_ipsec_t
*this,
1626 traffic_selector_t
*src_ts
,
1627 traffic_selector_t
*dst_ts
,
1628 policy_dir_t direction
, u_int32_t
*use_time
)
1630 unsigned char request
[PFKEY_BUFFER_SIZE
];
1631 struct sadb_msg
*msg
, *out
;
1632 struct sadb_x_policy
*pol
;
1633 struct sadb_address
*addr
;
1634 policy_entry_t
*policy
, *found
= NULL
;
1635 pfkey_msg_t response
;
1638 DBG2(DBG_KNL
, "querying policy %R === %R %N", src_ts
, dst_ts
,
1639 policy_dir_names
, direction
);
1641 /* create a policy */
1642 policy
= create_policy_entry(src_ts
, dst_ts
, direction
, 0);
1644 /* find a matching policy */
1645 this->mutex
->lock(this->mutex
);
1646 if (this->policies
->find_first(this->policies
,
1647 (linked_list_match_t
)policy_entry_equals
, (void**)&found
, policy
) != SUCCESS
)
1649 DBG1(DBG_KNL
, "querying policy %R === %R %N failed, not found", src_ts
,
1650 dst_ts
, policy_dir_names
, direction
);
1651 policy_entry_destroy(policy
);
1652 this->mutex
->unlock(this->mutex
);
1655 policy_entry_destroy(policy
);
1658 memset(&request
, 0, sizeof(request
));
1660 msg
= (struct sadb_msg
*)request
;
1661 msg
->sadb_msg_version
= PF_KEY_V2
;
1662 msg
->sadb_msg_type
= SADB_X_SPDGET
;
1663 msg
->sadb_msg_satype
= 0;
1664 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1666 pol
= (struct sadb_x_policy
*)PFKEY_EXT_ADD_NEXT(msg
);
1667 pol
->sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
1668 pol
->sadb_x_policy_id
= policy
->index
;
1669 pol
->sadb_x_policy_len
= PFKEY_LEN(sizeof(struct sadb_x_policy
));
1670 pol
->sadb_x_policy_dir
= dir2kernel(direction
);
1671 pol
->sadb_x_policy_type
= IPSEC_POLICY_IPSEC
;
1672 PFKEY_EXT_ADD(msg
, pol
);
1674 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1675 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_SRC
;
1676 addr
->sadb_address_proto
= policy
->src
.proto
;
1677 addr
->sadb_address_prefixlen
= policy
->src
.mask
;
1678 host2ext(policy
->src
.net
, addr
);
1679 PFKEY_EXT_ADD(msg
, addr
);
1681 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1682 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_DST
;
1683 addr
->sadb_address_proto
= policy
->dst
.proto
;
1684 addr
->sadb_address_prefixlen
= policy
->dst
.mask
;
1685 host2ext(policy
->dst
.net
, addr
);
1686 PFKEY_EXT_ADD(msg
, addr
);
1688 this->mutex
->unlock(this->mutex
);
1690 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
1692 DBG1(DBG_KNL
, "unable to query policy %R === %R %N", src_ts
, dst_ts
,
1693 policy_dir_names
, direction
);
1696 else if (out
->sadb_msg_errno
)
1698 DBG1(DBG_KNL
, "unable to query policy %R === %R %N: %s (%d)", src_ts
,
1699 dst_ts
, policy_dir_names
, direction
,
1700 strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
1704 else if (parse_pfkey_message(out
, &response
) != SUCCESS
)
1706 DBG1(DBG_KNL
, "unable to query policy %R === %R %N: parsing response "
1707 "from kernel failed", src_ts
, dst_ts
, policy_dir_names
, direction
);
1712 *use_time
= response
.lft_current
->sadb_lifetime_usetime
;
1720 * Implementation of kernel_interface_t.del_policy.
1722 static status_t
del_policy(private_kernel_pfkey_ipsec_t
*this,
1723 traffic_selector_t
*src_ts
,
1724 traffic_selector_t
*dst_ts
,
1725 policy_dir_t direction
, bool unrouted
)
1727 unsigned char request
[PFKEY_BUFFER_SIZE
];
1728 struct sadb_msg
*msg
, *out
;
1729 struct sadb_x_policy
*pol
;
1730 struct sadb_address
*addr
;
1731 policy_entry_t
*policy
, *found
= NULL
;
1732 route_entry_t
*route
;
1735 DBG2(DBG_KNL
, "deleting policy %R === %R %N", src_ts
, dst_ts
,
1736 policy_dir_names
, direction
);
1738 /* create a policy */
1739 policy
= create_policy_entry(src_ts
, dst_ts
, direction
, 0);
1741 /* find a matching policy */
1742 this->mutex
->lock(this->mutex
);
1743 if (this->policies
->find_first(this->policies
,
1744 (linked_list_match_t
)policy_entry_equals
, (void**)&found
, policy
) == SUCCESS
)
1746 if (--found
->refcount
> 0)
1748 /* is used by more SAs, keep in kernel */
1749 DBG2(DBG_KNL
, "policy still used by another CHILD_SA, not removed");
1750 policy_entry_destroy(policy
);
1751 this->mutex
->unlock(this->mutex
);
1754 /* remove if last reference */
1755 this->policies
->remove(this->policies
, found
, NULL
);
1756 policy_entry_destroy(policy
);
1761 DBG1(DBG_KNL
, "deleting policy %R === %R %N failed, not found", src_ts
,
1762 dst_ts
, policy_dir_names
, direction
);
1763 policy_entry_destroy(policy
);
1764 this->mutex
->unlock(this->mutex
);
1767 this->mutex
->unlock(this->mutex
);
1769 memset(&request
, 0, sizeof(request
));
1771 msg
= (struct sadb_msg
*)request
;
1772 msg
->sadb_msg_version
= PF_KEY_V2
;
1773 msg
->sadb_msg_type
= SADB_X_SPDDELETE
;
1774 msg
->sadb_msg_satype
= 0;
1775 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1777 pol
= (struct sadb_x_policy
*)PFKEY_EXT_ADD_NEXT(msg
);
1778 pol
->sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
1779 pol
->sadb_x_policy_len
= PFKEY_LEN(sizeof(struct sadb_x_policy
));
1780 pol
->sadb_x_policy_dir
= dir2kernel(direction
);
1781 pol
->sadb_x_policy_type
= IPSEC_POLICY_IPSEC
;
1782 PFKEY_EXT_ADD(msg
, pol
);
1784 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1785 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_SRC
;
1786 addr
->sadb_address_proto
= policy
->src
.proto
;
1787 addr
->sadb_address_prefixlen
= policy
->src
.mask
;
1788 host2ext(policy
->src
.net
, addr
);
1789 PFKEY_EXT_ADD(msg
, addr
);
1791 addr
= (struct sadb_address
*)PFKEY_EXT_ADD_NEXT(msg
);
1792 addr
->sadb_address_exttype
= SADB_EXT_ADDRESS_DST
;
1793 addr
->sadb_address_proto
= policy
->dst
.proto
;
1794 addr
->sadb_address_prefixlen
= policy
->dst
.mask
;
1795 host2ext(policy
->dst
.net
, addr
);
1796 PFKEY_EXT_ADD(msg
, addr
);
1798 route
= policy
->route
;
1799 policy
->route
= NULL
;
1800 policy_entry_destroy(policy
);
1802 if (pfkey_send(this, msg
, &out
, &len
) != SUCCESS
)
1804 DBG1(DBG_KNL
, "unable to delete policy %R === %R %N", src_ts
, dst_ts
,
1805 policy_dir_names
, direction
);
1808 else if (out
->sadb_msg_errno
)
1810 DBG1(DBG_KNL
, "unable to delete policy %R === %R %N: %s (%d)", src_ts
,
1811 dst_ts
, policy_dir_names
, direction
,
1812 strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
1820 if (charon
->kernel_interface
->del_route(charon
->kernel_interface
,
1821 route
->dst_net
, route
->prefixlen
, route
->gateway
,
1822 route
->src_ip
, route
->if_name
) != SUCCESS
)
1824 DBG1(DBG_KNL
, "error uninstalling route installed with "
1825 "policy %R === %R %N", src_ts
, dst_ts
,
1826 policy_dir_names
, direction
);
1828 route_entry_destroy(route
);
1835 * Register a socket for AQUIRE/EXPIRE messages
1837 static status_t
register_pfkey_socket(private_kernel_pfkey_ipsec_t
*this, u_int8_t satype
)
1839 unsigned char request
[PFKEY_BUFFER_SIZE
];
1840 struct sadb_msg
*msg
, *out
;
1843 memset(&request
, 0, sizeof(request
));
1845 msg
= (struct sadb_msg
*)request
;
1846 msg
->sadb_msg_version
= PF_KEY_V2
;
1847 msg
->sadb_msg_type
= SADB_REGISTER
;
1848 msg
->sadb_msg_satype
= satype
;
1849 msg
->sadb_msg_len
= PFKEY_LEN(sizeof(struct sadb_msg
));
1851 if (pfkey_send_socket(this, this->socket_events
, msg
, &out
, &len
) != SUCCESS
)
1853 DBG1(DBG_KNL
, "unable to register PF_KEY socket");
1856 else if (out
->sadb_msg_errno
)
1858 DBG1(DBG_KNL
, "unable to register PF_KEY socket: %s (%d)",
1859 strerror(out
->sadb_msg_errno
), out
->sadb_msg_errno
);
1868 * Implementation of kernel_interface_t.destroy.
1870 static void destroy(private_kernel_pfkey_ipsec_t
*this)
1872 this->job
->cancel(this->job
);
1873 close(this->socket
);
1874 close(this->socket_events
);
1875 this->policies
->destroy_function(this->policies
, (void*)policy_entry_destroy
);
1876 this->mutex
->destroy(this->mutex
);
1877 this->mutex_pfkey
->destroy(this->mutex_pfkey
);
1882 * Add bypass policies for IKE on the sockets of charon
1884 static bool add_bypass_policies(private_kernel_pfkey_ipsec_t
*this)
1886 int fd
, family
, port
;
1887 enumerator_t
*sockets
;
1890 sockets
= charon
->socket
->create_enumerator(charon
->socket
);
1891 while (sockets
->enumerate(sockets
, &fd
, &family
, &port
))
1893 struct sadb_x_policy policy
;
1894 u_int sol
, ipsec_policy
;
1900 ipsec_policy
= IP_IPSEC_POLICY
;
1905 ipsec_policy
= IPV6_IPSEC_POLICY
;
1910 memset(&policy
, 0, sizeof(policy
));
1911 policy
.sadb_x_policy_len
= sizeof(policy
) / sizeof(u_int64_t
);
1912 policy
.sadb_x_policy_exttype
= SADB_X_EXT_POLICY
;
1913 policy
.sadb_x_policy_type
= IPSEC_POLICY_BYPASS
;
1915 policy
.sadb_x_policy_dir
= IPSEC_DIR_OUTBOUND
;
1916 if (setsockopt(fd
, sol
, ipsec_policy
, &policy
, sizeof(policy
)) < 0)
1918 DBG1(DBG_KNL
, "unable to set IPSEC_POLICY on socket: %s",
1923 policy
.sadb_x_policy_dir
= IPSEC_DIR_INBOUND
;
1924 if (setsockopt(fd
, sol
, ipsec_policy
, &policy
, sizeof(policy
)) < 0)
1926 DBG1(DBG_KNL
, "unable to set IPSEC_POLICY on socket: %s",
1932 sockets
->destroy(sockets
);
1937 * Described in header.
1939 kernel_pfkey_ipsec_t
*kernel_pfkey_ipsec_create()
1941 private_kernel_pfkey_ipsec_t
*this = malloc_thing(private_kernel_pfkey_ipsec_t
);
1943 /* public functions */
1944 this->public.interface
.get_spi
= (status_t(*)(kernel_ipsec_t
*,host_t
*,host_t
*,protocol_id_t
,u_int32_t
,u_int32_t
*))get_spi
;
1945 this->public.interface
.get_cpi
= (status_t(*)(kernel_ipsec_t
*,host_t
*,host_t
*,u_int32_t
,u_int16_t
*))get_cpi
;
1946 this->public.interface
.add_sa
= (status_t(*)(kernel_ipsec_t
*,host_t
*,host_t
*,u_int32_t
,protocol_id_t
,u_int32_t
,u_int64_t
,u_int64_t
,u_int16_t
,chunk_t
,u_int16_t
,chunk_t
,ipsec_mode_t
,u_int16_t
,u_int16_t
,bool,bool))add_sa
;
1947 this->public.interface
.update_sa
= (status_t(*)(kernel_ipsec_t
*,u_int32_t
,protocol_id_t
,u_int16_t
,host_t
*,host_t
*,host_t
*,host_t
*,bool,bool))update_sa
;
1948 this->public.interface
.del_sa
= (status_t(*)(kernel_ipsec_t
*,host_t
*,u_int32_t
,protocol_id_t
,u_int16_t
))del_sa
;
1949 this->public.interface
.add_policy
= (status_t(*)(kernel_ipsec_t
*,host_t
*,host_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
,u_int32_t
,protocol_id_t
,u_int32_t
,ipsec_mode_t
,u_int16_t
,u_int16_t
,bool))add_policy
;
1950 this->public.interface
.query_policy
= (status_t(*)(kernel_ipsec_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
,u_int32_t
*))query_policy
;
1951 this->public.interface
.del_policy
= (status_t(*)(kernel_ipsec_t
*,traffic_selector_t
*,traffic_selector_t
*,policy_dir_t
,bool))del_policy
;
1953 this->public.interface
.destroy
= (void(*)(kernel_ipsec_t
*)) destroy
;
1955 /* private members */
1956 this->policies
= linked_list_create();
1957 this->mutex
= mutex_create(MUTEX_DEFAULT
);
1958 this->mutex_pfkey
= mutex_create(MUTEX_DEFAULT
);
1959 this->install_routes
= lib
->settings
->get_bool(lib
->settings
,
1960 "charon.install_routes", TRUE
);
1963 /* create a PF_KEY socket to communicate with the kernel */
1964 this->socket
= socket(PF_KEY
, SOCK_RAW
, PF_KEY_V2
);
1965 if (this->socket
<= 0)
1967 charon
->kill(charon
, "unable to create PF_KEY socket");
1970 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
1971 this->socket_events
= socket(PF_KEY
, SOCK_RAW
, PF_KEY_V2
);
1972 if (this->socket_events
<= 0)
1974 charon
->kill(charon
, "unable to create PF_KEY event socket");
1977 /* add bypass policies on the sockets used by charon */
1978 if (!add_bypass_policies(this))
1980 charon
->kill(charon
, "unable to add bypass policies on sockets");
1983 /* register the event socket */
1984 if (register_pfkey_socket(this, SADB_SATYPE_ESP
) != SUCCESS
||
1985 register_pfkey_socket(this, SADB_SATYPE_AH
) != SUCCESS
)
1987 charon
->kill(charon
, "unable to register PF_KEY event socket");
1990 this->job
= callback_job_create((callback_job_cb_t
)receive_events
,
1992 charon
->processor
->queue_job(charon
->processor
, (job_t
*)this->job
);
1994 return &this->public;