projects / strongswan.git / blob
? search:


dec43e2591b72045e0f6fbb9ec7eb6f64d189e5f
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * $Id$
16 */
17
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 #include <stdint.h>
21 #include <linux/ipsec.h>
22 #include <linux/pfkeyv2.h>
23 #include <linux/udp.h>
24 #include <unistd.h>
25 #include <pthread.h>
26 #include <errno.h>
27
28 #include "kernel_pfkey_ipsec.h"
29
30 #include <daemon.h>
31 #include <processing/jobs/callback_job.h>
32 #include <processing/jobs/acquire_job.h>
33 #include <processing/jobs/rekey_child_sa_job.h>
34 #include <processing/jobs/delete_child_sa_job.h>
35 #include <processing/jobs/update_sa_job.h>
36
37 /** default priority of installed policies */
38 #define PRIO_LOW 3000
39 #define PRIO_HIGH 2000
40
41 /** buffer size for PF_KEY messages */
42 #define PFKEY_BUFFER_SIZE 2048
43
44 /** PF_KEY messages are 64 bit aligned */
45 #define PFKEY_ALIGNMENT 8
46 /** aligns len to 64 bits */
47 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
48 /** calculates the properly padded length in 64 bit chunks */
49 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
50 /** calculates user mode length i.e. in bytes */
51 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
52
53 /** given a PF_KEY message header and an extension this updates the length in the header */
54 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
55 /** given a PF_KEY message header this returns a pointer to the next extension */
56 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
57 /** copy an extension and append it to a PF_KEY message */
58 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
59 /** given a PF_KEY extension this returns a pointer to the next extension */
60 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
61 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
62 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
63 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
64 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
65 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
66 (ext)->sadb_ext_len <= (len))
67
68 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
69
70 /**
71 * Private variables and functions of kernel_pfkey class.
72 */
73 struct private_kernel_pfkey_ipsec_t
74 {
75 /**
76 * Public part of the kernel_pfkey_t object.
77 */
78 kernel_pfkey_ipsec_t public;
79
80 /**
81 * mutex to lock access to various lists
82 */
83 pthread_mutex_t mutex;
84
85 /**
86 * List of installed policies (policy_entry_t)
87 */
88 linked_list_t *policies;
89
90 /**
91 * whether to install routes along policies
92 */
93 bool install_routes;
94
95 /**
96 * job receiving PF_KEY events
97 */
98 callback_job_t *job;
99
100 /**
101 * mutex to lock access to the PF_KEY socket
102 */
103 pthread_mutex_t mutex_pfkey;
104
105
106 /**
107 * PF_KEY socket to communicate with the kernel
108 */
109 int socket;
110
111
112 /**
113 * PF_KEY socket to receive acquire and expire events
114 */
115 int socket_events;
116
117
118 /**
119 * sequence number for messages sent to the kernel
120 */
121 int seq;
122 };
123
124 typedef struct route_entry_t route_entry_t;
125
126 /**
127 * installed routing entry
128 */
129 struct route_entry_t {
130 /** Name of the interface the route is bound to */
131 char *if_name;
132
133 /** Source ip of the route */
134 host_t *src_ip;
135
136 /** gateway for this route */
137 host_t *gateway;
138
139 /** Destination net */
140 chunk_t dst_net;
141
142 /** Destination net prefixlen */
143 u_int8_t prefixlen;
144 };
145
146 /**
147 * destroy an route_entry_t object
148 */
149 static void route_entry_destroy(route_entry_t *this)
150 {
151 free(this->if_name);
152 this->src_ip->destroy(this->src_ip);
153 this->gateway->destroy(this->gateway);
154 chunk_free(&this->dst_net);
155 free(this);
156 }
157
158 typedef struct policy_entry_t policy_entry_t;
159
160 /**
161 * installed kernel policy.
162 */
163 struct policy_entry_t {
164
165 /** reqid of this policy */
166 u_int32_t reqid;
167
168 /** index assigned by the kernel */
169 u_int32_t index;
170
171 /** direction of this policy: in, out, forward */
172 u_int8_t direction;
173
174 /** parameters of installed policy */
175 struct {
176 /** subnet and port */
177 host_t *net;
178 /** subnet mask */
179 u_int8_t mask;
180 /** protocol */
181 u_int8_t proto;
182 } src, dst;
183
184 /** associated route installed for this policy */
185 route_entry_t *route;
186
187 /** by how many CHILD_SA's this policy is used */
188 u_int refcount;
189 };
190
191 /**
192 * create a policy_entry_t object
193 */
194 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
195 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
196 {
197 policy_entry_t *policy = malloc_thing(policy_entry_t);
198 policy->reqid = reqid;
199 policy->index = 0;
200 policy->direction = dir;
201 policy->route = NULL;
202 policy->refcount = 0;
203
204 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
205 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
206
207 /* src or dest proto may be "any" (0), use more restrictive one */
208 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
209 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
210 policy->dst.proto = policy->src.proto;
211
212 return policy;
213 }
214
215 /**
216 * destroy a policy_entry_t object
217 */
218 static void policy_entry_destroy(policy_entry_t *this)
219 {
220 DESTROY_IF(this->src.net);
221 DESTROY_IF(this->dst.net);
222 if (this->route)
223 {
224 route_entry_destroy(this->route);
225 }
226 free(this);
227 }
228
229 /**
230 * compares two policy_entry_t
231 */
232 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
233 {
234 return current->direction == policy->direction &&
235 current->src.proto == policy->src.proto &&
236 current->dst.proto == policy->dst.proto &&
237 current->src.mask == policy->src.mask &&
238 current->dst.mask == policy->dst.mask &&
239 current->src.net->equals(current->src.net, policy->src.net) &&
240 current->dst.net->equals(current->dst.net, policy->dst.net);
241 }
242
243 /**
244 * compare the given kernel index with that of a policy
245 */
246 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
247 {
248 return current->index == *index;
249 }
250
251 typedef struct pfkey_msg_t pfkey_msg_t;
252
253 struct pfkey_msg_t
254 {
255 /**
256 * PF_KEY message base
257 */
258 struct sadb_msg *msg;
259
260
261 /**
262 * PF_KEY message extensions
263 */
264 union {
265 struct sadb_ext *ext[SADB_EXT_MAX + 1];
266 struct {
267 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
268 struct sadb_sa *sa; /* SADB_EXT_SA */
269 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
270 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
271 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
272 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
273 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
274 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
275 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
276 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
277 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
278 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
279 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
280 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
281 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
282 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
283 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
284 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
285 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
286 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
287 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
288 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
289 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
290 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
291 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
292 } __attribute__((__packed__));
293 };
294 };
295
296 /**
297 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
298 */
299 static u_int8_t proto_ike2satype(protocol_id_t proto)
300 {
301 switch (proto)
302 {
303 case PROTO_ESP:
304 return SADB_SATYPE_ESP;
305 case PROTO_AH:
306 return SADB_SATYPE_AH;
307 case IPPROTO_COMP:
308 return SADB_X_SATYPE_IPCOMP;
309 default:
310 return proto;
311 }
312 }
313
314 /**
315 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
316 */
317 static protocol_id_t proto_satype2ike(u_int8_t proto)
318 {
319 switch (proto)
320 {
321 case SADB_SATYPE_ESP:
322 return PROTO_ESP;
323 case SADB_SATYPE_AH:
324 return PROTO_AH;
325 case SADB_X_SATYPE_IPCOMP:
326 return IPPROTO_COMP;
327 default:
328 return proto;
329 }
330 }
331
332 /**
333 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
334 */
335 static u_int8_t proto_ike2ip(protocol_id_t proto)
336 {
337 switch (proto)
338 {
339 case PROTO_ESP:
340 return IPPROTO_ESP;
341 case PROTO_AH:
342 return IPPROTO_AH;
343 default:
344 return proto;
345 }
346 }
347
348 /**
349 * convert the general ipsec mode to the one defined in ipsec.h
350 */
351 static u_int8_t mode2kernel(ipsec_mode_t mode)
352 {
353 switch (mode)
354 {
355 case MODE_TRANSPORT:
356 return IPSEC_MODE_TRANSPORT;
357 case MODE_TUNNEL:
358 return IPSEC_MODE_TUNNEL;
359 case MODE_BEET:
360 return IPSEC_MODE_BEET;
361 default:
362 return mode;
363 }
364 }
365
366 /**
367 * convert the general policy direction to the one defined in ipsec.h
368 */
369 static u_int8_t dir2kernel(policy_dir_t dir)
370 {
371 switch (dir)
372 {
373 case POLICY_IN:
374 return IPSEC_DIR_INBOUND;
375 case POLICY_OUT:
376 return IPSEC_DIR_OUTBOUND;
377 case POLICY_FWD:
378 return IPSEC_DIR_FWD;
379 default:
380 return dir;
381 }
382 }
383
384 typedef struct kernel_algorithm_t kernel_algorithm_t;
385
386 /**
387 * Mapping from the algorithms defined in IKEv2 to
388 * kernel level algorithm identifiers and their key length
389 */
390 struct kernel_algorithm_t {
391 /**
392 * Identifier specified in IKEv2
393 */
394 int ikev2_id;
395
396 /**
397 * Identifier as defined in pfkeyv2.h
398 */
399 int kernel_id;
400
401 /**
402 * Key length in bits, if fixed size
403 */
404 u_int key_size;
405 };
406
407 #define END_OF_LIST -1
408
409 /**
410 * Algorithms for encryption
411 */
412 static kernel_algorithm_t encryption_algs[] = {
413 /* {ENCR_DES_IV64, 0, 0}, */
414 {ENCR_DES, SADB_EALG_DESCBC, 64},
415 {ENCR_3DES, SADB_EALG_3DESCBC, 192},
416 /* {ENCR_RC5, 0, 0}, */
417 /* {ENCR_IDEA, 0, 0}, */
418 {ENCR_CAST, SADB_X_EALG_CASTCBC, 0},
419 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC, 0},
420 /* {ENCR_3IDEA, 0, 0}, */
421 /* {ENCR_DES_IV32, 0, 0}, */
422 {ENCR_NULL, SADB_EALG_NULL, 0},
423 {ENCR_AES_CBC, SADB_X_EALG_AESCBC, 0},
424 /* {ENCR_AES_CTR, 0, 0}, */
425 /* {ENCR_AES_CCM_ICV8, 0, 64}, */ /* key_size = ICV size */
426 /* {ENCR_AES_CCM_ICV12, 0, 96}, */ /* key_size = ICV size */
427 /* {ENCR_AES_CCM_ICV16, 0, 128},*/ /* key_size = ICV size */
428 /* {ENCR_AES_GCM_ICV8, 0, 64}, */ /* key_size = ICV size */
429 /* {ENCR_AES_GCM_ICV12, 0, 96}, */ /* key_size = ICV size */
430 /* {ENCR_AES_GCM_ICV16, 0, 128},*/ /* key_size = ICV size */
431 {END_OF_LIST, 0, 0},
432 };
433
434 /**
435 * Algorithms for integrity protection
436 */
437 static kernel_algorithm_t integrity_algs[] = {
438 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC, 128},
439 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC, 160},
440 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC, 256},
441 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC, 384},
442 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC, 512},
443 /* {AUTH_DES_MAC, 0, 0}, */
444 /* {AUTH_KPDK_MD5, 0, 0}, */
445 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, 128},
446 {END_OF_LIST, 0, 0},
447 };
448
449 /**
450 * Algorithms for IPComp
451 */
452 static kernel_algorithm_t compression_algs[] = {
453 /* {IPCOMP_OUI, 0, 0}, */
454 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE, 0},
455 {IPCOMP_LZS, SADB_X_CALG_LZS, 0},
456 {IPCOMP_LZJH, SADB_X_CALG_LZJH, 0},
457 {END_OF_LIST, 0, 0},
458 };
459
460 /**
461 * Look up a kernel algorithm ID and its key size
462 */
463 static int lookup_algorithm(kernel_algorithm_t *kernel_algo,
464 u_int16_t ikev2_algo, u_int16_t *key_size)
465 {
466 while (kernel_algo->ikev2_id != END_OF_LIST)
467 {
468 if (ikev2_algo == kernel_algo->ikev2_id)
469 {
470 /* match, evaluate key length */
471 if (key_size && *key_size == 0)
472 { /* update key size if not set */
473 *key_size = kernel_algo->key_size;
474 }
475 return kernel_algo->kernel_id;
476 }
477 kernel_algo++;
478 }
479 return 0;
480 }
481
482 /**
483 * add a host behind a sadb_address extension
484 */
485 static void host2ext(host_t *host, struct sadb_address *ext)
486 {
487 sockaddr_t *host_addr = host->get_sockaddr(host);
488 socklen_t *len = host->get_sockaddr_len(host);
489 memcpy((char*)(ext + 1), host_addr, *len);
490 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
491 }
492
493 /**
494 * add udp encap extensions to a sadb_msg
495 */
496 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
497 {
498 struct sadb_x_nat_t_type* nat_type;
499 struct sadb_x_nat_t_port* nat_port;
500
501 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
502 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
503 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
504 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
505 PFKEY_EXT_ADD(msg, nat_type);
506
507 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
508 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
509 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
510 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
511 PFKEY_EXT_ADD(msg, nat_port);
512
513 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
514 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
515 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
516 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
517 PFKEY_EXT_ADD(msg, nat_port);
518 }
519
520 /**
521 * Parses a pfkey message received from the kernel
522 */
523 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
524 {
525 struct sadb_ext* ext;
526 size_t len;
527
528 memset(out, 0, sizeof(pfkey_msg_t));
529 out->msg = msg;
530
531 len = msg->sadb_msg_len;
532 len -= PFKEY_LEN(sizeof(struct sadb_msg));
533
534 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
535
536 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
537 {
538 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
539 ext->sadb_ext_len > len)
540 {
541 DBG1(DBG_KNL, "length of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
542 break;
543 }
544
545 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
546 {
547 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
548 break;
549 }
550
551 if (out->ext[ext->sadb_ext_type])
552 {
553 DBG1(DBG_KNL, "duplicate PF_KEY extension of type (%d)", ext->sadb_ext_type);
554 break;
555 }
556
557 out->ext[ext->sadb_ext_type] = ext;
558 ext = PFKEY_EXT_NEXT_LEN(ext, len);
559 }
560
561 if (len)
562 {
563 DBG1(DBG_KNL, "PF_KEY message length is invalid");
564 return FAILED;
565 }
566
567 return SUCCESS;
568 }
569
570 /**
571 * Send a message to a specific PF_KEY socket and handle the response.
572 */
573 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
574 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
575 {
576 unsigned char buf[PFKEY_BUFFER_SIZE];
577 struct sadb_msg *msg;
578 int in_len, len;
579
580 pthread_mutex_lock(&this->mutex_pfkey);
581
582 in->sadb_msg_seq = ++this->seq;
583 in->sadb_msg_pid = getpid();
584
585 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
586
587 while (TRUE)
588 {
589 len = send(socket, in, in_len, 0);
590
591 if (len != in_len)
592 {
593 if (errno == EINTR)
594 {
595 /* interrupted, try again */
596 continue;
597 }
598 pthread_mutex_unlock(&this->mutex_pfkey);
599 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
600 return FAILED;
601 }
602 break;
603 }
604
605 while (TRUE)
606 {
607 msg = (struct sadb_msg*)buf;
608
609 len = recv(socket, buf, sizeof(buf), 0);
610
611 if (len < 0)
612 {
613 if (errno == EINTR)
614 {
615 DBG1(DBG_KNL, "got interrupted");
616 /* interrupted, try again */
617 continue;
618 }
619 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
620 pthread_mutex_unlock(&this->mutex_pfkey);
621 return FAILED;
622 }
623 if (len < sizeof(struct sadb_msg) ||
624 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
625 {
626 DBG1(DBG_KNL, "received corrupted PF_KEY message");
627 pthread_mutex_unlock(&this->mutex_pfkey);
628 return FAILED;
629 }
630 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
631 {
632 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
633 pthread_mutex_unlock(&this->mutex_pfkey);
634 return FAILED;
635 }
636 if (msg->sadb_msg_pid != in->sadb_msg_pid)
637 {
638 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
639 continue;
640 }
641 if (msg->sadb_msg_seq != this->seq)
642 {
643 DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
644 "was %d expected %d", msg->sadb_msg_seq, this->seq);
645 if (msg->sadb_msg_seq < this->seq)
646 {
647 continue;
648 }
649 pthread_mutex_unlock(&this->mutex_pfkey);
650 return FAILED;
651 }
652 if (msg->sadb_msg_type != in->sadb_msg_type)
653 {
654 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
655 "was %d expected %d, ignoring",
656 msg->sadb_msg_type, in->sadb_msg_type);
657 }
658 break;
659 }
660
661 *out_len = len;
662 *out = (struct sadb_msg*)malloc(len);
663 memcpy(*out, buf, len);
664
665 pthread_mutex_unlock(&this->mutex_pfkey);
666
667 return SUCCESS;
668 }
669
670 /**
671 * Send a message to the default PF_KEY socket and handle the response.
672 */
673 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
674 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
675 {
676 return pfkey_send_socket(this, this->socket, in, out, out_len);
677 }
678
679 /**
680 * Process a SADB_ACQUIRE message from the kernel
681 */
682 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
683 {
684 pfkey_msg_t response;
685 u_int32_t index, reqid;
686 policy_entry_t *policy;
687 job_t *job;
688
689 switch (msg->sadb_msg_satype)
690 {
691 case SADB_SATYPE_UNSPEC:
692 case SADB_SATYPE_ESP:
693 case SADB_SATYPE_AH:
694 break;
695 default:
696 /* acquire for AH/ESP only */
697 return;
698 }
699
700 if (parse_pfkey_message(msg, &response) != SUCCESS)
701 {
702 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
703 return;
704 }
705
706 index = response.x_policy->sadb_x_policy_id;
707 DBG2(DBG_KNL, "received an SADB_ACQUIRE, %d", index);
708 pthread_mutex_lock(&this->mutex);
709 if (this->policies->find_first(this->policies,
710 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) != SUCCESS)
711 {
712 DBG1(DBG_KNL, "received an SADB_ACQUIRE, but found no matching policy");
713 pthread_mutex_unlock(&this->mutex);
714 return;
715 }
716 reqid = policy->reqid;
717 DBG2(DBG_KNL, "received an SADB_ACQUIRE, %d", reqid);
718 pthread_mutex_unlock(&this->mutex);
719
720 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
721 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
722 job = (job_t*)acquire_job_create(reqid);
723 charon->processor->queue_job(charon->processor, job);
724 }
725
726 /**
727 * Process a SADB_EXPIRE message from the kernel
728 */
729 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
730 {
731 pfkey_msg_t response;
732 protocol_id_t protocol;
733 u_int32_t spi, reqid;
734 bool hard;
735 job_t *job;
736
737 DBG2(DBG_KNL, "received an SADB_EXPIRE");
738
739 if (parse_pfkey_message(msg, &response) != SUCCESS)
740 {
741 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
742 return;
743 }
744
745 protocol = proto_satype2ike(msg->sadb_msg_satype);
746 spi = response.sa->sadb_sa_spi;
747 reqid = response.x_sa2->sadb_x_sa2_reqid;
748 hard = response.lft_hard != NULL;
749
750 if (protocol != PROTO_ESP && protocol != PROTO_AH)
751 {
752 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%d} "
753 "which is not a CHILD_SA", ntohl(spi), reqid);
754 return;
755 }
756
757 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
758 hard ? "delete" : "rekey", protocol_id_names,
759 protocol, ntohl(spi), reqid);
760 if (hard)
761 {
762 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
763 }
764 else
765 {
766 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
767 }
768 charon->processor->queue_job(charon->processor, job);
769 }
770
771 /**
772 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
773 */
774 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
775 {
776 pfkey_msg_t response;
777 u_int32_t spi, reqid;
778 host_t *host;
779 job_t *job;
780
781 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
782
783 if (parse_pfkey_message(msg, &response) != SUCCESS)
784 {
785 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
786 return;
787 }
788
789 if (!response.x_sa2)
790 {
791 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
792 return;
793 }
794
795 spi = response.sa->sadb_sa_spi;
796 reqid = response.x_sa2->sadb_x_sa2_reqid;
797
798 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
799 {
800 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
801 switch (sa->sa_family)
802 {
803 case AF_INET:
804 {
805 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
806 sin->sin_port = response.x_natt_dport->sadb_x_nat_t_port_port;
807 }
808 case AF_INET6:
809 {
810 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
811 sin6->sin6_port = response.x_natt_dport->sadb_x_nat_t_port_port;
812 }
813 default:
814 break;
815 }
816 host = host_create_from_sockaddr(sa);
817 if (host)
818 {
819 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
820 "reqid {%d} changed, queuing update job", ntohl(spi), reqid);
821 job = (job_t*)update_sa_job_create(reqid, host);
822 charon->processor->queue_job(charon->processor, job);
823 }
824 }
825 }
826
827 /**
828 * Receives events from kernel
829 */
830 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
831 {
832 unsigned char buf[PFKEY_BUFFER_SIZE];
833 struct sadb_msg *msg = (struct sadb_msg*)buf;
834 int len, oldstate;
835
836 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
837 len = recv(this->socket_events, buf, sizeof(buf), 0);
838 pthread_setcancelstate(oldstate, NULL);
839
840 if (len < 0)
841 {
842 switch (errno)
843 {
844 case EINTR:
845 /* interrupted, try again */
846 return JOB_REQUEUE_DIRECT;
847 case EAGAIN:
848 /* no data ready, select again */
849 return JOB_REQUEUE_DIRECT;
850 default:
851 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
852 sleep(1);
853 return JOB_REQUEUE_FAIR;
854 }
855 }
856
857 if (len < sizeof(struct sadb_msg) ||
858 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
859 {
860 DBG2(DBG_KNL, "received corrupted PF_KEY message");
861 return JOB_REQUEUE_DIRECT;
862 }
863 if (msg->sadb_msg_pid != 0)
864 { /* not from kernel. not interested, try another one */
865 return JOB_REQUEUE_DIRECT;
866 }
867 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
868 {
869 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
870 return JOB_REQUEUE_DIRECT;
871 }
872
873 switch (msg->sadb_msg_type)
874 {
875 case SADB_ACQUIRE:
876 process_acquire(this, msg);
877 break;
878 case SADB_EXPIRE:
879 process_expire(this, msg);
880 break;
881 case SADB_X_NAT_T_NEW_MAPPING:
882 process_mapping(this, msg);
883 break;
884 default:
885 break;
886 }
887
888 return JOB_REQUEUE_DIRECT;
889 }
890
891 /**
892 * Implementation of kernel_interface_t.get_spi.
893 */
894 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
895 host_t *src, host_t *dst,
896 protocol_id_t protocol, u_int32_t reqid,
897 u_int32_t *spi)
898 {
899 unsigned char request[PFKEY_BUFFER_SIZE];
900 struct sadb_msg *msg, *out;
901 struct sadb_sa *sa;
902 struct sadb_x_sa2 *sa2;
903 struct sadb_address *addr;
904 struct sadb_spirange *range;
905 pfkey_msg_t response;
906 u_int32_t received_spi = 0;
907 size_t len;
908
909 memset(&request, 0, sizeof(request));
910
911 msg = (struct sadb_msg*)request;
912 msg->sadb_msg_version = PF_KEY_V2;
913 msg->sadb_msg_type = SADB_GETSPI;
914 msg->sadb_msg_satype = proto_ike2satype(protocol);
915 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
916
917 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
918 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
919 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
920 sa2->sadb_x_sa2_reqid = reqid;
921 PFKEY_EXT_ADD(msg, sa2);
922
923 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
924 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
925 host2ext(src, addr);
926 PFKEY_EXT_ADD(msg, addr);
927
928 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
929 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
930 host2ext(dst, addr);
931 PFKEY_EXT_ADD(msg, addr);
932
933 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
934 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
935 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
936 range->sadb_spirange_min = 0xc0000000;
937 range->sadb_spirange_max = 0xcFFFFFFF;
938 PFKEY_EXT_ADD(msg, range);
939
940 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
941 {
942 if (out->sadb_msg_errno)
943 {
944 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
945 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
946 }
947 else if (parse_pfkey_message(out, &response) == SUCCESS)
948 {
949 received_spi = response.sa->sadb_sa_spi;
950 }
951 free(out);
952 }
953
954 if (received_spi == 0)
955 {
956 return FAILED;
957 }
958
959 *spi = received_spi;
960 return SUCCESS;
961 }
962
963 /**
964 * Implementation of kernel_interface_t.get_cpi.
965 */
966 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
967 host_t *src, host_t *dst,
968 u_int32_t reqid, u_int16_t *cpi)
969 {
970 return FAILED;
971 }
972
973 /**
974 * Implementation of kernel_interface_t.add_sa.
975 */
976 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
977 host_t *src, host_t *dst, u_int32_t spi,
978 protocol_id_t protocol, u_int32_t reqid,
979 u_int64_t expire_soft, u_int64_t expire_hard,
980 u_int16_t enc_alg, u_int16_t enc_size,
981 u_int16_t int_alg, u_int16_t int_size,
982 prf_plus_t *prf_plus, ipsec_mode_t mode,
983 u_int16_t ipcomp, bool encap,
984 bool replace)
985 {
986 unsigned char request[PFKEY_BUFFER_SIZE];
987 struct sadb_msg *msg, *out;
988 struct sadb_sa *sa;
989 struct sadb_x_sa2 *sa2;
990 struct sadb_address *addr;
991 struct sadb_lifetime *lft;
992 struct sadb_key *key;
993 size_t len;
994
995 memset(&request, 0, sizeof(request));
996
997 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
998
999 msg = (struct sadb_msg*)request;
1000 msg->sadb_msg_version = PF_KEY_V2;
1001 msg->sadb_msg_type = replace ? SADB_UPDATE : SADB_ADD;
1002 msg->sadb_msg_satype = proto_ike2satype(protocol);
1003 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1004
1005 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1006 sa->sadb_sa_exttype = SADB_EXT_SA;
1007 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1008 sa->sadb_sa_spi = spi;
1009 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
1010 sa->sadb_sa_auth = lookup_algorithm(integrity_algs,
1011 int_alg, &int_size);
1012 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs,
1013 enc_alg, &enc_size);
1014 PFKEY_EXT_ADD(msg, sa);
1015
1016 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1017 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1018 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1019 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1020 sa2->sadb_x_sa2_reqid = reqid;
1021 PFKEY_EXT_ADD(msg, sa2);
1022
1023 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1024 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1025 host2ext(src, addr);
1026 PFKEY_EXT_ADD(msg, addr);
1027
1028 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1029 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1030 host2ext(dst, addr);
1031 PFKEY_EXT_ADD(msg, addr);
1032
1033 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1034 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1035 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1036 lft->sadb_lifetime_addtime = expire_soft;
1037 PFKEY_EXT_ADD(msg, lft);
1038
1039 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1040 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1041 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1042 lft->sadb_lifetime_addtime = expire_hard;
1043 PFKEY_EXT_ADD(msg, lft);
1044
1045 if (enc_alg != ENCR_UNDEFINED)
1046 {
1047 if (!sa->sadb_sa_encrypt)
1048 {
1049 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1050 encryption_algorithm_names, enc_alg);
1051 return FAILED;
1052 }
1053 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1054 encryption_algorithm_names, enc_alg, enc_size);
1055
1056 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1057 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1058 key->sadb_key_bits = enc_size;
1059 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_size / 8);
1060 prf_plus->get_bytes(prf_plus, enc_size / 8, (void*)(key + 1));
1061
1062 PFKEY_EXT_ADD(msg, key);
1063 }
1064
1065 if (int_alg != AUTH_UNDEFINED)
1066 {
1067 if (!sa->sadb_sa_auth)
1068 {
1069 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1070 integrity_algorithm_names, int_alg);
1071 return FAILED;
1072 }
1073 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1074 integrity_algorithm_names, int_alg, int_size);
1075
1076 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1077 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1078 key->sadb_key_bits = int_size;
1079 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_size / 8);
1080 prf_plus->get_bytes(prf_plus, int_size / 8, (void*)(key + 1));
1081
1082 PFKEY_EXT_ADD(msg, key);
1083 }
1084
1085 if (ipcomp != IPCOMP_NONE)
1086 {
1087 /*TODO*/
1088 }
1089
1090 if (encap)
1091 {
1092 add_encap_ext(msg, src, dst);
1093 }
1094
1095 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1096 {
1097 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1098 return FAILED;
1099 }
1100 else if (out->sadb_msg_errno)
1101 {
1102 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1103 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1104 free(out);
1105 return FAILED;
1106 }
1107
1108 free(out);
1109 return SUCCESS;
1110 }
1111
1112 /**
1113 * Implementation of kernel_interface_t.update_sa.
1114 */
1115 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1116 u_int32_t spi, protocol_id_t protocol,
1117 host_t *src, host_t *dst,
1118 host_t *new_src, host_t *new_dst, bool encap)
1119 {
1120 unsigned char request[PFKEY_BUFFER_SIZE];
1121 struct sadb_msg *msg, *out;
1122 struct sadb_sa *sa;
1123 struct sadb_address *addr;
1124 pfkey_msg_t response;
1125 size_t len;
1126
1127 memset(&request, 0, sizeof(request));
1128
1129 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1130
1131 msg = (struct sadb_msg*)request;
1132 msg->sadb_msg_version = PF_KEY_V2;
1133 msg->sadb_msg_type = SADB_GET;
1134 msg->sadb_msg_satype = proto_ike2satype(protocol);
1135 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1136
1137 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1138 sa->sadb_sa_exttype = SADB_EXT_SA;
1139 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1140 sa->sadb_sa_spi = spi;
1141 PFKEY_EXT_ADD(msg, sa);
1142
1143 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1144 * it is not used for anything, so we just send dst twice */
1145 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1146 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1147 host2ext(dst, addr);
1148 PFKEY_EXT_ADD(msg, addr);
1149
1150 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1151 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1152 host2ext(dst, addr);
1153 PFKEY_EXT_ADD(msg, addr);
1154
1155 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1156 {
1157 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1158 ntohl(spi));
1159 return FAILED;
1160 }
1161 else if (out->sadb_msg_errno)
1162 {
1163 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1164 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1165 free(out);
1166 return FAILED;
1167 }
1168 else if (parse_pfkey_message(out, &response) != SUCCESS)
1169 {
1170 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1171 "from kernel failed", ntohl(spi));
1172 free(out);
1173 return FAILED;
1174 }
1175
1176 /* delete the old SA */
1177 if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
1178 {
1179 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1180 free(out);
1181 return FAILED;
1182 }
1183
1184 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1185 ntohl(spi), src, dst, new_src, new_dst);
1186
1187 memset(&request, 0, sizeof(request));
1188
1189 msg = (struct sadb_msg*)request;
1190 msg->sadb_msg_version = PF_KEY_V2;
1191 msg->sadb_msg_type = SADB_ADD;
1192 msg->sadb_msg_satype = proto_ike2satype(protocol);
1193 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1194
1195 PFKEY_EXT_COPY(msg, response.sa);
1196 PFKEY_EXT_COPY(msg, response.x_sa2);
1197
1198 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1199 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1200 host2ext(new_src, addr);
1201 PFKEY_EXT_ADD(msg, addr);
1202
1203 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1204 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1205 host2ext(new_dst, addr);
1206 PFKEY_EXT_ADD(msg, addr);
1207
1208 PFKEY_EXT_COPY(msg, response.lft_soft);
1209 PFKEY_EXT_COPY(msg, response.lft_hard);
1210
1211 if (response.key_encr)
1212 {
1213 PFKEY_EXT_COPY(msg, response.key_encr);
1214 }
1215
1216 if (response.key_auth)
1217 {
1218 PFKEY_EXT_COPY(msg, response.key_auth);
1219 }
1220
1221 if (encap)
1222 {
1223 add_encap_ext(msg, new_src, new_dst);
1224 }
1225
1226 free(out);
1227
1228 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1229 {
1230 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1231 return FAILED;
1232 }
1233 else if (out->sadb_msg_errno)
1234 {
1235 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1236 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1237 free(out);
1238 return FAILED;
1239 }
1240 free(out);
1241
1242 return SUCCESS;
1243 }
1244
1245 /**
1246 * Implementation of kernel_interface_t.del_sa.
1247 */
1248 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
1249 u_int32_t spi, protocol_id_t protocol)
1250 {
1251 unsigned char request[PFKEY_BUFFER_SIZE];
1252 struct sadb_msg *msg, *out;
1253 struct sadb_sa *sa;
1254 struct sadb_address *addr;
1255 size_t len;
1256
1257 memset(&request, 0, sizeof(request));
1258
1259 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1260
1261 msg = (struct sadb_msg*)request;
1262 msg->sadb_msg_version = PF_KEY_V2;
1263 msg->sadb_msg_type = SADB_DELETE;
1264 msg->sadb_msg_satype = proto_ike2satype(protocol);
1265 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1266
1267 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1268 sa->sadb_sa_exttype = SADB_EXT_SA;
1269 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1270 sa->sadb_sa_spi = spi;
1271 PFKEY_EXT_ADD(msg, sa);
1272
1273 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1274 * it is not used for anything, so we just send dst twice */
1275 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1276 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1277 host2ext(dst, addr);
1278 PFKEY_EXT_ADD(msg, addr);
1279
1280 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1281 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1282 host2ext(dst, addr);
1283 PFKEY_EXT_ADD(msg, addr);
1284
1285 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1286 {
1287 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1288 return FAILED;
1289 }
1290 else if (out->sadb_msg_errno)
1291 {
1292 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1293 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1294 free(out);
1295 return FAILED;
1296 }
1297
1298 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1299 free(out);
1300 return SUCCESS;
1301 }
1302
1303 /**
1304 * Implementation of kernel_interface_t.add_policy.
1305 */
1306 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1307 host_t *src, host_t *dst,
1308 traffic_selector_t *src_ts,
1309 traffic_selector_t *dst_ts,
1310 policy_dir_t direction, protocol_id_t protocol,
1311 u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
1312 u_int16_t ipcomp)
1313 {
1314 unsigned char request[PFKEY_BUFFER_SIZE];
1315 struct sadb_msg *msg, *out;
1316 struct sadb_x_policy *pol;
1317 struct sadb_address *addr;
1318 struct sadb_x_ipsecrequest *req;
1319 policy_entry_t *policy, *found = NULL;
1320 pfkey_msg_t response;
1321 size_t len;
1322
1323 /* create a policy */
1324 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1325
1326 /* find a matching policy */
1327 pthread_mutex_lock(&this->mutex);
1328 if (this->policies->find_first(this->policies,
1329 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1330 {
1331 /* use existing policy */
1332 found->refcount++;
1333 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1334 "refcount", src_ts, dst_ts,
1335 policy_dir_names, direction);
1336 policy_entry_destroy(policy);
1337 policy = found;
1338 }
1339 else
1340 {
1341 /* apply the new one, if we have no such policy */
1342 this->policies->insert_last(this->policies, policy);
1343 policy->refcount = 1;
1344 }
1345
1346 memset(&request, 0, sizeof(request));
1347
1348 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1349 policy_dir_names, direction);
1350
1351 msg = (struct sadb_msg*)request;
1352 msg->sadb_msg_version = PF_KEY_V2;
1353 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1354 msg->sadb_msg_satype = 0;
1355 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1356
1357 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1358 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1359 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1360 pol->sadb_x_policy_id = 0;
1361 pol->sadb_x_policy_dir = dir2kernel(direction);
1362 /* calculate priority based on source selector size, small size = high prio */
1363 pol->sadb_x_policy_priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1364 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1365 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1366 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1367 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1368
1369 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1370 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1371 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1372 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1373 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1374 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1375 req->sadb_x_ipsecrequest_reqid = reqid;
1376 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1377 if (mode == MODE_TUNNEL)
1378 {
1379 sockaddr_t *sa;
1380 socklen_t sl;
1381 sa = src->get_sockaddr(src);
1382 sl = *src->get_sockaddr_len(src);
1383 memcpy(req + 1, sa, sl);
1384 sa = dst->get_sockaddr(dst);
1385 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1386 req->sadb_x_ipsecrequest_len += sl * 2;
1387 }
1388
1389 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1390 PFKEY_EXT_ADD(msg, pol);
1391
1392 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1393 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1394 addr->sadb_address_proto = policy->src.proto;
1395 addr->sadb_address_prefixlen = policy->src.mask;
1396 host2ext(policy->src.net, addr);
1397 PFKEY_EXT_ADD(msg, addr);
1398
1399 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1400 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1401 addr->sadb_address_proto = policy->dst.proto;
1402 addr->sadb_address_prefixlen = policy->dst.mask;
1403 host2ext(policy->dst.net, addr);
1404 PFKEY_EXT_ADD(msg, addr);
1405
1406 pthread_mutex_unlock(&this->mutex);
1407
1408 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1409 {
1410 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1411 policy_dir_names, direction);
1412 return FAILED;
1413 }
1414 else if (out->sadb_msg_errno)
1415 {
1416 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1417 policy_dir_names, direction,
1418 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1419 free(out);
1420 return FAILED;
1421 }
1422 else if (parse_pfkey_message(out, &response) != SUCCESS)
1423 {
1424 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1425 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1426 free(out);
1427 return FAILED;
1428 }
1429
1430 pthread_mutex_lock(&this->mutex);
1431
1432 /* we try to find the policy again and update the kernel index */
1433 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1434 {
1435 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1436 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1437 pthread_mutex_unlock(&this->mutex);
1438 free(out);
1439 return SUCCESS;
1440 }
1441 policy->index = response.x_policy->sadb_x_policy_id;
1442 free(out);
1443
1444 /* install a route, if:
1445 * - we are NOT updating a policy
1446 * - this is a forward policy (to just get one for each child)
1447 * - we are in tunnel mode
1448 * - we are not using IPv6 (does not work correctly yet!)
1449 * - routing is not disabled via strongswan.conf
1450 */
1451 if (policy->route == NULL && direction == POLICY_FWD &&
1452 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1453 this->install_routes)
1454 {
1455 route_entry_t *route = malloc_thing(route_entry_t);
1456
1457 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1458 dst_ts, &route->src_ip) == SUCCESS)
1459 {
1460 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1461 route->gateway = charon->kernel_interface->get_nexthop(
1462 charon->kernel_interface, src);
1463 route->if_name = charon->kernel_interface->get_interface(
1464 charon->kernel_interface, dst);
1465 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1466 route->prefixlen = policy->src.mask;
1467
1468 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1469 route->dst_net, route->prefixlen, route->gateway,
1470 route->src_ip, route->if_name))
1471 {
1472 default:
1473 DBG1(DBG_KNL, "unable to install source route for %H",
1474 route->src_ip);
1475 /* FALL */
1476 case ALREADY_DONE:
1477 /* route exists, do not uninstall */
1478 route_entry_destroy(route);
1479 break;
1480 case SUCCESS:
1481 /* cache the installed route */
1482 policy->route = route;
1483 break;
1484 }
1485 }
1486 else
1487 {
1488 free(route);
1489 }
1490 }
1491
1492 pthread_mutex_unlock(&this->mutex);
1493
1494 return SUCCESS;
1495 }
1496
1497 /**
1498 * Implementation of kernel_interface_t.query_policy.
1499 */
1500 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1501 traffic_selector_t *src_ts,
1502 traffic_selector_t *dst_ts,
1503 policy_dir_t direction, u_int32_t *use_time)
1504 {
1505 unsigned char request[PFKEY_BUFFER_SIZE];
1506 struct sadb_msg *msg, *out;
1507 struct sadb_x_policy *pol;
1508 struct sadb_address *addr;
1509 policy_entry_t *policy, *found = NULL;
1510 pfkey_msg_t response;
1511 size_t len;
1512
1513 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1514 policy_dir_names, direction);
1515
1516 /* create a policy */
1517 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1518
1519 /* find a matching policy */
1520 pthread_mutex_lock(&this->mutex);
1521 if (this->policies->find_first(this->policies,
1522 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1523 {
1524 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1525 dst_ts, policy_dir_names, direction);
1526 policy_entry_destroy(policy);
1527 pthread_mutex_unlock(&this->mutex);
1528 return NOT_FOUND;
1529 }
1530 policy_entry_destroy(policy);
1531 policy = found;
1532
1533 memset(&request, 0, sizeof(request));
1534
1535 msg = (struct sadb_msg*)request;
1536 msg->sadb_msg_version = PF_KEY_V2;
1537 msg->sadb_msg_type = SADB_X_SPDGET;
1538 msg->sadb_msg_satype = 0;
1539 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1540
1541 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1542 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1543 pol->sadb_x_policy_id = policy->index;
1544 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1545 pol->sadb_x_policy_dir = dir2kernel(direction);
1546 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1547 PFKEY_EXT_ADD(msg, pol);
1548
1549 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1550 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1551 addr->sadb_address_proto = policy->src.proto;
1552 addr->sadb_address_prefixlen = policy->src.mask;
1553 host2ext(policy->src.net, addr);
1554 PFKEY_EXT_ADD(msg, addr);
1555
1556 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1557 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1558 addr->sadb_address_proto = policy->dst.proto;
1559 addr->sadb_address_prefixlen = policy->dst.mask;
1560 host2ext(policy->dst.net, addr);
1561 PFKEY_EXT_ADD(msg, addr);
1562
1563 pthread_mutex_unlock(&this->mutex);
1564
1565 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1566 {
1567 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1568 policy_dir_names, direction);
1569 return FAILED;
1570 }
1571 else if (out->sadb_msg_errno)
1572 {
1573 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1574 dst_ts, policy_dir_names, direction,
1575 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1576 free(out);
1577 return FAILED;
1578 }
1579 else if (parse_pfkey_message(out, &response) != SUCCESS)
1580 {
1581 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1582 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1583 free(out);
1584 return FAILED;
1585 }
1586
1587 *use_time = response.lft_current->sadb_lifetime_usetime;
1588
1589 free(out);
1590
1591 return SUCCESS;
1592 }
1593
1594 /**
1595 * Implementation of kernel_interface_t.del_policy.
1596 */
1597 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1598 traffic_selector_t *src_ts,
1599 traffic_selector_t *dst_ts,
1600 policy_dir_t direction)
1601 {
1602 unsigned char request[PFKEY_BUFFER_SIZE];
1603 struct sadb_msg *msg, *out;
1604 struct sadb_x_policy *pol;
1605 struct sadb_address *addr;
1606 policy_entry_t *policy, *found = NULL;
1607 route_entry_t *route;
1608 size_t len;
1609
1610 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1611 policy_dir_names, direction);
1612
1613 /* create a policy */
1614 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1615
1616 /* find a matching policy */
1617 pthread_mutex_lock(&this->mutex);
1618 if (this->policies->find_first(this->policies,
1619 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1620 {
1621 if (--found->refcount > 0)
1622 {
1623 /* is used by more SAs, keep in kernel */
1624 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1625 policy_entry_destroy(policy);
1626 pthread_mutex_unlock(&this->mutex);
1627 return SUCCESS;
1628 }
1629 /* remove if last reference */
1630 this->policies->remove(this->policies, found, NULL);
1631 policy_entry_destroy(policy);
1632 policy = found;
1633 }
1634 else
1635 {
1636 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1637 dst_ts, policy_dir_names, direction);
1638 policy_entry_destroy(policy);
1639 pthread_mutex_unlock(&this->mutex);
1640 return NOT_FOUND;
1641 }
1642 pthread_mutex_unlock(&this->mutex);
1643
1644 memset(&request, 0, sizeof(request));
1645
1646 msg = (struct sadb_msg*)request;
1647 msg->sadb_msg_version = PF_KEY_V2;
1648 msg->sadb_msg_type = SADB_X_SPDDELETE;
1649 msg->sadb_msg_satype = 0;
1650 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1651
1652 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1653 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1654 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1655 pol->sadb_x_policy_dir = dir2kernel(direction);
1656 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1657 PFKEY_EXT_ADD(msg, pol);
1658
1659 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1660 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1661 addr->sadb_address_proto = policy->src.proto;
1662 addr->sadb_address_prefixlen = policy->src.mask;
1663 host2ext(policy->src.net, addr);
1664 PFKEY_EXT_ADD(msg, addr);
1665
1666 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1667 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1668 addr->sadb_address_proto = policy->dst.proto;
1669 addr->sadb_address_prefixlen = policy->dst.mask;
1670 host2ext(policy->dst.net, addr);
1671 PFKEY_EXT_ADD(msg, addr);
1672
1673 route = policy->route;
1674 policy->route = NULL;
1675 policy_entry_destroy(policy);
1676
1677 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1678 {
1679 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1680 policy_dir_names, direction);
1681 return FAILED;
1682 }
1683 else if (out->sadb_msg_errno)
1684 {
1685 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
1686 dst_ts, policy_dir_names, direction,
1687 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1688 free(out);
1689 return FAILED;
1690 }
1691 free(out);
1692
1693 if (route)
1694 {
1695 if (charon->kernel_interface->del_route(charon->kernel_interface,
1696 route->dst_net, route->prefixlen, route->gateway,
1697 route->src_ip, route->if_name) != SUCCESS)
1698 {
1699 DBG1(DBG_KNL, "error uninstalling route installed with "
1700 "policy %R === %R %N", src_ts, dst_ts,
1701 policy_dir_names, direction);
1702 }
1703 route_entry_destroy(route);
1704 }
1705
1706 return SUCCESS;
1707 }
1708
1709 /**
1710 * Register a socket for AQUIRE/EXPIRE messages
1711 */
1712 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
1713 {
1714 unsigned char request[PFKEY_BUFFER_SIZE];
1715 struct sadb_msg *msg, *out;
1716 struct sadb_x_policy *pol;
1717 struct sadb_address *addr;
1718 policy_entry_t *policy, *found = NULL;
1719 pfkey_msg_t response;
1720 size_t len;
1721
1722 memset(&request, 0, sizeof(request));
1723
1724 msg = (struct sadb_msg*)request;
1725 msg->sadb_msg_version = PF_KEY_V2;
1726 msg->sadb_msg_type = SADB_REGISTER;
1727 msg->sadb_msg_satype = satype;
1728 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1729
1730 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
1731 {
1732 DBG1(DBG_KNL, "unable to register PF_KEY socket");
1733 return FAILED;
1734 }
1735 else if (out->sadb_msg_errno)
1736 {
1737 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
1738 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1739 free(out);
1740 return FAILED;
1741 }
1742 free(out);
1743 return SUCCESS;
1744 }
1745
1746 /**
1747 * Implementation of kernel_interface_t.destroy.
1748 */
1749 static void destroy(private_kernel_pfkey_ipsec_t *this)
1750 {
1751 this->job->cancel(this->job);
1752 close(this->socket);
1753 close(this->socket_events);
1754 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
1755 free(this);
1756 }
1757
1758 /*
1759 * Described in header.
1760 */
1761 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
1762 {
1763 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
1764
1765 /* public functions */
1766 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1767 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1768 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,u_int16_t,u_int16_t,u_int16_t,prf_plus_t*,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
1769 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
1770 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1771 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
1772 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1773 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1774
1775 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1776
1777 /* private members */
1778 this->policies = linked_list_create();
1779 pthread_mutex_init(&this->mutex, NULL);
1780 this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE);
1781 pthread_mutex_init(&this->mutex_pfkey, NULL);
1782 this->seq = 0;
1783
1784 /* create a PF_KEY socket to communicate with the kernel */
1785 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1786 if (this->socket <= 0)
1787 {
1788 charon->kill(charon, "unable to create PF_KEY socket");
1789 }
1790
1791 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
1792 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1793 if (this->socket_events <= 0)
1794 {
1795 charon->kill(charon, "unable to create PF_KEY event socket");
1796 }
1797
1798 /* register the event socket */
1799 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
1800 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
1801 {
1802 charon->kill(charon, "unable to register PF_KEY event socket");
1803 }
1804
1805 this->job = callback_job_create((callback_job_cb_t)receive_events,
1806 this, NULL, NULL);
1807 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1808
1809 return &this->public;
1810 }
strongSwan - IPsec VPN