passing chunks, not prf+, to kernel interface
[strongswan.git] / src / charon / plugins / kernel_pfkey / kernel_pfkey_ipsec.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * $Id$
16 */
17
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 #include <stdint.h>
21 #include <linux/ipsec.h>
22 #include <linux/pfkeyv2.h>
23 #include <linux/udp.h>
24 #include <unistd.h>
25 #include <pthread.h>
26 #include <errno.h>
27
28 #include "kernel_pfkey_ipsec.h"
29
30 #include <daemon.h>
31 #include <processing/jobs/callback_job.h>
32 #include <processing/jobs/acquire_job.h>
33 #include <processing/jobs/rekey_child_sa_job.h>
34 #include <processing/jobs/delete_child_sa_job.h>
35 #include <processing/jobs/update_sa_job.h>
36
37 /** default priority of installed policies */
38 #define PRIO_LOW 3000
39 #define PRIO_HIGH 2000
40
41 /** buffer size for PF_KEY messages */
42 #define PFKEY_BUFFER_SIZE 2048
43
44 /** PF_KEY messages are 64 bit aligned */
45 #define PFKEY_ALIGNMENT 8
46 /** aligns len to 64 bits */
47 #define PFKEY_ALIGN(len) (((len) + PFKEY_ALIGNMENT - 1) & ~(PFKEY_ALIGNMENT - 1))
48 /** calculates the properly padded length in 64 bit chunks */
49 #define PFKEY_LEN(len) ((PFKEY_ALIGN(len) / PFKEY_ALIGNMENT))
50 /** calculates user mode length i.e. in bytes */
51 #define PFKEY_USER_LEN(len) ((len) * PFKEY_ALIGNMENT)
52
53 /** given a PF_KEY message header and an extension this updates the length in the header */
54 #define PFKEY_EXT_ADD(msg, ext) ((msg)->sadb_msg_len += ((struct sadb_ext*)ext)->sadb_ext_len)
55 /** given a PF_KEY message header this returns a pointer to the next extension */
56 #define PFKEY_EXT_ADD_NEXT(msg) ((struct sadb_ext*)(((char*)(msg)) + PFKEY_USER_LEN((msg)->sadb_msg_len)))
57 /** copy an extension and append it to a PF_KEY message */
58 #define PFKEY_EXT_COPY(msg, ext) (PFKEY_EXT_ADD(msg, memcpy(PFKEY_EXT_ADD_NEXT(msg), ext, PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len))))
59 /** given a PF_KEY extension this returns a pointer to the next extension */
60 #define PFKEY_EXT_NEXT(ext) ((struct sadb_ext*)(((char*)(ext)) + PFKEY_USER_LEN(((struct sadb_ext*)ext)->sadb_ext_len)))
61 /** given a PF_KEY extension this returns a pointer to the next extension also updates len (len in 64 bit words) */
62 #define PFKEY_EXT_NEXT_LEN(ext,len) ((len) -= (ext)->sadb_ext_len, PFKEY_EXT_NEXT(ext))
63 /** true if ext has a valid length and len is large enough to contain ext (assuming len in 64 bit words) */
64 #define PFKEY_EXT_OK(ext,len) ((len) >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
65 (ext)->sadb_ext_len >= PFKEY_LEN(sizeof(struct sadb_ext)) && \
66 (ext)->sadb_ext_len <= (len))
67
68 typedef struct private_kernel_pfkey_ipsec_t private_kernel_pfkey_ipsec_t;
69
70 /**
71 * Private variables and functions of kernel_pfkey class.
72 */
73 struct private_kernel_pfkey_ipsec_t
74 {
75 /**
76 * Public part of the kernel_pfkey_t object.
77 */
78 kernel_pfkey_ipsec_t public;
79
80 /**
81 * mutex to lock access to various lists
82 */
83 pthread_mutex_t mutex;
84
85 /**
86 * List of installed policies (policy_entry_t)
87 */
88 linked_list_t *policies;
89
90 /**
91 * whether to install routes along policies
92 */
93 bool install_routes;
94
95 /**
96 * job receiving PF_KEY events
97 */
98 callback_job_t *job;
99
100 /**
101 * mutex to lock access to the PF_KEY socket
102 */
103 pthread_mutex_t mutex_pfkey;
104
105
106 /**
107 * PF_KEY socket to communicate with the kernel
108 */
109 int socket;
110
111
112 /**
113 * PF_KEY socket to receive acquire and expire events
114 */
115 int socket_events;
116
117
118 /**
119 * sequence number for messages sent to the kernel
120 */
121 int seq;
122 };
123
124 typedef struct route_entry_t route_entry_t;
125
126 /**
127 * installed routing entry
128 */
129 struct route_entry_t {
130 /** Name of the interface the route is bound to */
131 char *if_name;
132
133 /** Source ip of the route */
134 host_t *src_ip;
135
136 /** gateway for this route */
137 host_t *gateway;
138
139 /** Destination net */
140 chunk_t dst_net;
141
142 /** Destination net prefixlen */
143 u_int8_t prefixlen;
144 };
145
146 /**
147 * destroy an route_entry_t object
148 */
149 static void route_entry_destroy(route_entry_t *this)
150 {
151 free(this->if_name);
152 this->src_ip->destroy(this->src_ip);
153 this->gateway->destroy(this->gateway);
154 chunk_free(&this->dst_net);
155 free(this);
156 }
157
158 typedef struct policy_entry_t policy_entry_t;
159
160 /**
161 * installed kernel policy.
162 */
163 struct policy_entry_t {
164
165 /** reqid of this policy */
166 u_int32_t reqid;
167
168 /** index assigned by the kernel */
169 u_int32_t index;
170
171 /** direction of this policy: in, out, forward */
172 u_int8_t direction;
173
174 /** parameters of installed policy */
175 struct {
176 /** subnet and port */
177 host_t *net;
178 /** subnet mask */
179 u_int8_t mask;
180 /** protocol */
181 u_int8_t proto;
182 } src, dst;
183
184 /** associated route installed for this policy */
185 route_entry_t *route;
186
187 /** by how many CHILD_SA's this policy is used */
188 u_int refcount;
189 };
190
191 /**
192 * create a policy_entry_t object
193 */
194 static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
195 traffic_selector_t *dst_ts, policy_dir_t dir, u_int32_t reqid)
196 {
197 policy_entry_t *policy = malloc_thing(policy_entry_t);
198 policy->reqid = reqid;
199 policy->index = 0;
200 policy->direction = dir;
201 policy->route = NULL;
202 policy->refcount = 0;
203
204 src_ts->to_subnet(src_ts, &policy->src.net, &policy->src.mask);
205 dst_ts->to_subnet(dst_ts, &policy->dst.net, &policy->dst.mask);
206
207 /* src or dest proto may be "any" (0), use more restrictive one */
208 policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
209 policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
210 policy->dst.proto = policy->src.proto;
211
212 return policy;
213 }
214
215 /**
216 * destroy a policy_entry_t object
217 */
218 static void policy_entry_destroy(policy_entry_t *this)
219 {
220 DESTROY_IF(this->src.net);
221 DESTROY_IF(this->dst.net);
222 if (this->route)
223 {
224 route_entry_destroy(this->route);
225 }
226 free(this);
227 }
228
229 /**
230 * compares two policy_entry_t
231 */
232 static inline bool policy_entry_equals(policy_entry_t *current, policy_entry_t *policy)
233 {
234 return current->direction == policy->direction &&
235 current->src.proto == policy->src.proto &&
236 current->dst.proto == policy->dst.proto &&
237 current->src.mask == policy->src.mask &&
238 current->dst.mask == policy->dst.mask &&
239 current->src.net->equals(current->src.net, policy->src.net) &&
240 current->dst.net->equals(current->dst.net, policy->dst.net);
241 }
242
243 /**
244 * compare the given kernel index with that of a policy
245 */
246 static inline bool policy_entry_match_byindex(policy_entry_t *current, u_int32_t *index)
247 {
248 return current->index == *index;
249 }
250
251 typedef struct pfkey_msg_t pfkey_msg_t;
252
253 struct pfkey_msg_t
254 {
255 /**
256 * PF_KEY message base
257 */
258 struct sadb_msg *msg;
259
260
261 /**
262 * PF_KEY message extensions
263 */
264 union {
265 struct sadb_ext *ext[SADB_EXT_MAX + 1];
266 struct {
267 struct sadb_ext *reserved; /* SADB_EXT_RESERVED */
268 struct sadb_sa *sa; /* SADB_EXT_SA */
269 struct sadb_lifetime *lft_current; /* SADB_EXT_LIFETIME_CURRENT */
270 struct sadb_lifetime *lft_hard; /* SADB_EXT_LIFETIME_HARD */
271 struct sadb_lifetime *lft_soft; /* SADB_EXT_LIFETIME_SOFT */
272 struct sadb_address *src; /* SADB_EXT_ADDRESS_SRC */
273 struct sadb_address *dst; /* SADB_EXT_ADDRESS_DST */
274 struct sadb_address *proxy; /* SADB_EXT_ADDRESS_PROXY */
275 struct sadb_key *key_auth; /* SADB_EXT_KEY_AUTH */
276 struct sadb_key *key_encr; /* SADB_EXT_KEY_ENCRYPT */
277 struct sadb_ident *id_src; /* SADB_EXT_IDENTITY_SRC */
278 struct sadb_ident *id_dst; /* SADB_EXT_IDENTITY_DST */
279 struct sadb_sens *sensitivity; /* SADB_EXT_SENSITIVITY */
280 struct sadb_prop *proposal; /* SADB_EXT_PROPOSAL */
281 struct sadb_supported *supported_auth; /* SADB_EXT_SUPPORTED_AUTH */
282 struct sadb_supported *supported_encr; /* SADB_EXT_SUPPORTED_ENCRYPT */
283 struct sadb_spirange *spirange; /* SADB_EXT_SPIRANGE */
284 struct sadb_x_kmprivate *x_kmprivate; /* SADB_X_EXT_KMPRIVATE */
285 struct sadb_x_policy *x_policy; /* SADB_X_EXT_POLICY */
286 struct sadb_x_sa2 *x_sa2; /* SADB_X_EXT_SA2 */
287 struct sadb_x_nat_t_type *x_natt_type; /* SADB_X_EXT_NAT_T_TYPE */
288 struct sadb_x_nat_t_port *x_natt_sport; /* SADB_X_EXT_NAT_T_SPORT */
289 struct sadb_x_nat_t_port *x_natt_dport; /* SADB_X_EXT_NAT_T_DPORT */
290 struct sadb_address *x_natt_oa; /* SADB_X_EXT_NAT_T_OA */
291 struct sadb_x_sec_ctx *x_sec_ctx; /* SADB_X_EXT_SEC_CTX */
292 } __attribute__((__packed__));
293 };
294 };
295
296 /**
297 * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
298 */
299 static u_int8_t proto_ike2satype(protocol_id_t proto)
300 {
301 switch (proto)
302 {
303 case PROTO_ESP:
304 return SADB_SATYPE_ESP;
305 case PROTO_AH:
306 return SADB_SATYPE_AH;
307 case IPPROTO_COMP:
308 return SADB_X_SATYPE_IPCOMP;
309 default:
310 return proto;
311 }
312 }
313
314 /**
315 * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
316 */
317 static protocol_id_t proto_satype2ike(u_int8_t proto)
318 {
319 switch (proto)
320 {
321 case SADB_SATYPE_ESP:
322 return PROTO_ESP;
323 case SADB_SATYPE_AH:
324 return PROTO_AH;
325 case SADB_X_SATYPE_IPCOMP:
326 return IPPROTO_COMP;
327 default:
328 return proto;
329 }
330 }
331
332 /**
333 * convert a IKEv2 specific protocol identifier to the IP protocol identifier
334 */
335 static u_int8_t proto_ike2ip(protocol_id_t proto)
336 {
337 switch (proto)
338 {
339 case PROTO_ESP:
340 return IPPROTO_ESP;
341 case PROTO_AH:
342 return IPPROTO_AH;
343 default:
344 return proto;
345 }
346 }
347
348 /**
349 * convert the general ipsec mode to the one defined in ipsec.h
350 */
351 static u_int8_t mode2kernel(ipsec_mode_t mode)
352 {
353 switch (mode)
354 {
355 case MODE_TRANSPORT:
356 return IPSEC_MODE_TRANSPORT;
357 case MODE_TUNNEL:
358 return IPSEC_MODE_TUNNEL;
359 case MODE_BEET:
360 return IPSEC_MODE_BEET;
361 default:
362 return mode;
363 }
364 }
365
366 /**
367 * convert the general policy direction to the one defined in ipsec.h
368 */
369 static u_int8_t dir2kernel(policy_dir_t dir)
370 {
371 switch (dir)
372 {
373 case POLICY_IN:
374 return IPSEC_DIR_INBOUND;
375 case POLICY_OUT:
376 return IPSEC_DIR_OUTBOUND;
377 case POLICY_FWD:
378 return IPSEC_DIR_FWD;
379 default:
380 return dir;
381 }
382 }
383
384 typedef struct kernel_algorithm_t kernel_algorithm_t;
385
386 /**
387 * Mapping of IKEv2 algorithms to PF_KEY algorithms
388 */
389 struct kernel_algorithm_t {
390 /**
391 * Identifier specified in IKEv2
392 */
393 int ikev2;
394
395 /**
396 * Identifier as defined in pfkeyv2.h
397 */
398 int kernel;
399 };
400
401 #define END_OF_LIST -1
402
403 /**
404 * Algorithms for encryption
405 */
406 static kernel_algorithm_t encryption_algs[] = {
407 /* {ENCR_DES_IV64, 0 }, */
408 {ENCR_DES, SADB_EALG_DESCBC },
409 {ENCR_3DES, SADB_EALG_3DESCBC },
410 /* {ENCR_RC5, 0 }, */
411 /* {ENCR_IDEA, 0 }, */
412 {ENCR_CAST, SADB_X_EALG_CASTCBC },
413 {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
414 /* {ENCR_3IDEA, 0 }, */
415 /* {ENCR_DES_IV32, 0 }, */
416 {ENCR_NULL, SADB_EALG_NULL },
417 {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
418 /* {ENCR_AES_CTR, 0 }, */
419 /* {ENCR_AES_CCM_ICV8, 0 }, */
420 /* {ENCR_AES_CCM_ICV12, 0 }, */
421 /* {ENCR_AES_CCM_ICV16, 0 }, */
422 /* {ENCR_AES_GCM_ICV8, 0 }, */
423 /* {ENCR_AES_GCM_ICV12, 0 }, */
424 /* {ENCR_AES_GCM_ICV16, 0 }, */
425 {END_OF_LIST, 0 },
426 };
427
428 /**
429 * Algorithms for integrity protection
430 */
431 static kernel_algorithm_t integrity_algs[] = {
432 {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
433 {AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
434 {AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
435 {AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
436 {AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
437 /* {AUTH_DES_MAC, 0, }, */
438 /* {AUTH_KPDK_MD5, 0, }, */
439 {AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
440 {END_OF_LIST, 0, },
441 };
442
443 /**
444 * Algorithms for IPComp
445 */
446 static kernel_algorithm_t compression_algs[] = {
447 /* {IPCOMP_OUI, 0 }, */
448 {IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
449 {IPCOMP_LZS, SADB_X_CALG_LZS },
450 {IPCOMP_LZJH, SADB_X_CALG_LZJH },
451 {END_OF_LIST, 0 },
452 };
453
454 /**
455 * Look up a kernel algorithm ID and its key size
456 */
457 static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
458 {
459 while (list->ikev2 != END_OF_LIST)
460 {
461 if (ikev2 == list->ikev2)
462 {
463 return list->kernel;
464 }
465 list++;
466 }
467 return 0;
468 }
469
470 /**
471 * add a host behind a sadb_address extension
472 */
473 static void host2ext(host_t *host, struct sadb_address *ext)
474 {
475 sockaddr_t *host_addr = host->get_sockaddr(host);
476 socklen_t *len = host->get_sockaddr_len(host);
477 memcpy((char*)(ext + 1), host_addr, *len);
478 ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
479 }
480
481 /**
482 * add udp encap extensions to a sadb_msg
483 */
484 static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
485 {
486 struct sadb_x_nat_t_type* nat_type;
487 struct sadb_x_nat_t_port* nat_port;
488
489 nat_type = (struct sadb_x_nat_t_type*)PFKEY_EXT_ADD_NEXT(msg);
490 nat_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
491 nat_type->sadb_x_nat_t_type_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_type));
492 nat_type->sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
493 PFKEY_EXT_ADD(msg, nat_type);
494
495 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
496 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
497 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
498 nat_port->sadb_x_nat_t_port_port = htons(src->get_port(src));
499 PFKEY_EXT_ADD(msg, nat_port);
500
501 nat_port = (struct sadb_x_nat_t_port*)PFKEY_EXT_ADD_NEXT(msg);
502 nat_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
503 nat_port->sadb_x_nat_t_port_len = PFKEY_LEN(sizeof(struct sadb_x_nat_t_port));
504 nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
505 PFKEY_EXT_ADD(msg, nat_port);
506 }
507
508 /**
509 * Parses a pfkey message received from the kernel
510 */
511 static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
512 {
513 struct sadb_ext* ext;
514 size_t len;
515
516 memset(out, 0, sizeof(pfkey_msg_t));
517 out->msg = msg;
518
519 len = msg->sadb_msg_len;
520 len -= PFKEY_LEN(sizeof(struct sadb_msg));
521
522 ext = (struct sadb_ext*)(((char*)msg) + sizeof(struct sadb_msg));
523
524 while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
525 {
526 if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
527 ext->sadb_ext_len > len)
528 {
529 DBG1(DBG_KNL, "length of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
530 break;
531 }
532
533 if ((ext->sadb_ext_type > SADB_EXT_MAX) || (!ext->sadb_ext_type))
534 {
535 DBG1(DBG_KNL, "type of PF_KEY extension (%d) is invalid", ext->sadb_ext_type);
536 break;
537 }
538
539 if (out->ext[ext->sadb_ext_type])
540 {
541 DBG1(DBG_KNL, "duplicate PF_KEY extension of type (%d)", ext->sadb_ext_type);
542 break;
543 }
544
545 out->ext[ext->sadb_ext_type] = ext;
546 ext = PFKEY_EXT_NEXT_LEN(ext, len);
547 }
548
549 if (len)
550 {
551 DBG1(DBG_KNL, "PF_KEY message length is invalid");
552 return FAILED;
553 }
554
555 return SUCCESS;
556 }
557
558 /**
559 * Send a message to a specific PF_KEY socket and handle the response.
560 */
561 static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket,
562 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
563 {
564 unsigned char buf[PFKEY_BUFFER_SIZE];
565 struct sadb_msg *msg;
566 int in_len, len;
567
568 pthread_mutex_lock(&this->mutex_pfkey);
569
570 in->sadb_msg_seq = ++this->seq;
571 in->sadb_msg_pid = getpid();
572
573 in_len = PFKEY_USER_LEN(in->sadb_msg_len);
574
575 while (TRUE)
576 {
577 len = send(socket, in, in_len, 0);
578
579 if (len != in_len)
580 {
581 if (errno == EINTR)
582 {
583 /* interrupted, try again */
584 continue;
585 }
586 pthread_mutex_unlock(&this->mutex_pfkey);
587 DBG1(DBG_KNL, "error sending to PF_KEY socket: %s", strerror(errno));
588 return FAILED;
589 }
590 break;
591 }
592
593 while (TRUE)
594 {
595 msg = (struct sadb_msg*)buf;
596
597 len = recv(socket, buf, sizeof(buf), 0);
598
599 if (len < 0)
600 {
601 if (errno == EINTR)
602 {
603 DBG1(DBG_KNL, "got interrupted");
604 /* interrupted, try again */
605 continue;
606 }
607 DBG1(DBG_KNL, "error reading from PF_KEY socket: %s", strerror(errno));
608 pthread_mutex_unlock(&this->mutex_pfkey);
609 return FAILED;
610 }
611 if (len < sizeof(struct sadb_msg) ||
612 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
613 {
614 DBG1(DBG_KNL, "received corrupted PF_KEY message");
615 pthread_mutex_unlock(&this->mutex_pfkey);
616 return FAILED;
617 }
618 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
619 {
620 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
621 pthread_mutex_unlock(&this->mutex_pfkey);
622 return FAILED;
623 }
624 if (msg->sadb_msg_pid != in->sadb_msg_pid)
625 {
626 DBG2(DBG_KNL, "received PF_KEY message is not intended for us");
627 continue;
628 }
629 if (msg->sadb_msg_seq != this->seq)
630 {
631 DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
632 "was %d expected %d", msg->sadb_msg_seq, this->seq);
633 if (msg->sadb_msg_seq < this->seq)
634 {
635 continue;
636 }
637 pthread_mutex_unlock(&this->mutex_pfkey);
638 return FAILED;
639 }
640 if (msg->sadb_msg_type != in->sadb_msg_type)
641 {
642 DBG2(DBG_KNL, "received PF_KEY message of wrong type, "
643 "was %d expected %d, ignoring",
644 msg->sadb_msg_type, in->sadb_msg_type);
645 }
646 break;
647 }
648
649 *out_len = len;
650 *out = (struct sadb_msg*)malloc(len);
651 memcpy(*out, buf, len);
652
653 pthread_mutex_unlock(&this->mutex_pfkey);
654
655 return SUCCESS;
656 }
657
658 /**
659 * Send a message to the default PF_KEY socket and handle the response.
660 */
661 static status_t pfkey_send(private_kernel_pfkey_ipsec_t *this,
662 struct sadb_msg *in, struct sadb_msg **out, size_t *out_len)
663 {
664 return pfkey_send_socket(this, this->socket, in, out, out_len);
665 }
666
667 /**
668 * Process a SADB_ACQUIRE message from the kernel
669 */
670 static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
671 {
672 pfkey_msg_t response;
673 u_int32_t index, reqid;
674 policy_entry_t *policy;
675 job_t *job;
676
677 switch (msg->sadb_msg_satype)
678 {
679 case SADB_SATYPE_UNSPEC:
680 case SADB_SATYPE_ESP:
681 case SADB_SATYPE_AH:
682 break;
683 default:
684 /* acquire for AH/ESP only */
685 return;
686 }
687
688 if (parse_pfkey_message(msg, &response) != SUCCESS)
689 {
690 DBG1(DBG_KNL, "parsing SADB_ACQUIRE from kernel failed");
691 return;
692 }
693
694 index = response.x_policy->sadb_x_policy_id;
695 DBG2(DBG_KNL, "received an SADB_ACQUIRE, %d", index);
696 pthread_mutex_lock(&this->mutex);
697 if (this->policies->find_first(this->policies,
698 (linked_list_match_t)policy_entry_match_byindex, (void**)&policy, &index) != SUCCESS)
699 {
700 DBG1(DBG_KNL, "received an SADB_ACQUIRE, but found no matching policy");
701 pthread_mutex_unlock(&this->mutex);
702 return;
703 }
704 reqid = policy->reqid;
705 DBG2(DBG_KNL, "received an SADB_ACQUIRE, %d", reqid);
706 pthread_mutex_unlock(&this->mutex);
707
708 DBG2(DBG_KNL, "received an SADB_ACQUIRE");
709 DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
710 job = (job_t*)acquire_job_create(reqid);
711 charon->processor->queue_job(charon->processor, job);
712 }
713
714 /**
715 * Process a SADB_EXPIRE message from the kernel
716 */
717 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
718 {
719 pfkey_msg_t response;
720 protocol_id_t protocol;
721 u_int32_t spi, reqid;
722 bool hard;
723 job_t *job;
724
725 DBG2(DBG_KNL, "received an SADB_EXPIRE");
726
727 if (parse_pfkey_message(msg, &response) != SUCCESS)
728 {
729 DBG1(DBG_KNL, "parsing SADB_EXPIRE from kernel failed");
730 return;
731 }
732
733 protocol = proto_satype2ike(msg->sadb_msg_satype);
734 spi = response.sa->sadb_sa_spi;
735 reqid = response.x_sa2->sadb_x_sa2_reqid;
736 hard = response.lft_hard != NULL;
737
738 if (protocol != PROTO_ESP && protocol != PROTO_AH)
739 {
740 DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%d} "
741 "which is not a CHILD_SA", ntohl(spi), reqid);
742 return;
743 }
744
745 DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
746 hard ? "delete" : "rekey", protocol_id_names,
747 protocol, ntohl(spi), reqid);
748 if (hard)
749 {
750 job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
751 }
752 else
753 {
754 job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
755 }
756 charon->processor->queue_job(charon->processor, job);
757 }
758
759 /**
760 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
761 */
762 static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
763 {
764 pfkey_msg_t response;
765 u_int32_t spi, reqid;
766 host_t *host;
767 job_t *job;
768
769 DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
770
771 if (parse_pfkey_message(msg, &response) != SUCCESS)
772 {
773 DBG1(DBG_KNL, "parsing SADB_X_NAT_T_NEW_MAPPING from kernel failed");
774 return;
775 }
776
777 if (!response.x_sa2)
778 {
779 DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
780 return;
781 }
782
783 spi = response.sa->sadb_sa_spi;
784 reqid = response.x_sa2->sadb_x_sa2_reqid;
785
786 if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
787 {
788 sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
789 switch (sa->sa_family)
790 {
791 case AF_INET:
792 {
793 struct sockaddr_in *sin = (struct sockaddr_in*)sa;
794 sin->sin_port = response.x_natt_dport->sadb_x_nat_t_port_port;
795 }
796 case AF_INET6:
797 {
798 struct sockaddr_in6 *sin6 = (struct sockaddr_in6*)sa;
799 sin6->sin6_port = response.x_natt_dport->sadb_x_nat_t_port_port;
800 }
801 default:
802 break;
803 }
804 host = host_create_from_sockaddr(sa);
805 if (host)
806 {
807 DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
808 "reqid {%d} changed, queuing update job", ntohl(spi), reqid);
809 job = (job_t*)update_sa_job_create(reqid, host);
810 charon->processor->queue_job(charon->processor, job);
811 }
812 }
813 }
814
815 /**
816 * Receives events from kernel
817 */
818 static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
819 {
820 unsigned char buf[PFKEY_BUFFER_SIZE];
821 struct sadb_msg *msg = (struct sadb_msg*)buf;
822 int len, oldstate;
823
824 pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
825 len = recv(this->socket_events, buf, sizeof(buf), 0);
826 pthread_setcancelstate(oldstate, NULL);
827
828 if (len < 0)
829 {
830 switch (errno)
831 {
832 case EINTR:
833 /* interrupted, try again */
834 return JOB_REQUEUE_DIRECT;
835 case EAGAIN:
836 /* no data ready, select again */
837 return JOB_REQUEUE_DIRECT;
838 default:
839 DBG1(DBG_KNL, "unable to receive from PF_KEY event socket");
840 sleep(1);
841 return JOB_REQUEUE_FAIR;
842 }
843 }
844
845 if (len < sizeof(struct sadb_msg) ||
846 msg->sadb_msg_len < PFKEY_LEN(sizeof(struct sadb_msg)))
847 {
848 DBG2(DBG_KNL, "received corrupted PF_KEY message");
849 return JOB_REQUEUE_DIRECT;
850 }
851 if (msg->sadb_msg_pid != 0)
852 { /* not from kernel. not interested, try another one */
853 return JOB_REQUEUE_DIRECT;
854 }
855 if (msg->sadb_msg_len > len / PFKEY_ALIGNMENT)
856 {
857 DBG1(DBG_KNL, "buffer was too small to receive the complete PF_KEY message");
858 return JOB_REQUEUE_DIRECT;
859 }
860
861 switch (msg->sadb_msg_type)
862 {
863 case SADB_ACQUIRE:
864 process_acquire(this, msg);
865 break;
866 case SADB_EXPIRE:
867 process_expire(this, msg);
868 break;
869 case SADB_X_NAT_T_NEW_MAPPING:
870 process_mapping(this, msg);
871 break;
872 default:
873 break;
874 }
875
876 return JOB_REQUEUE_DIRECT;
877 }
878
879 /**
880 * Implementation of kernel_interface_t.get_spi.
881 */
882 static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
883 host_t *src, host_t *dst,
884 protocol_id_t protocol, u_int32_t reqid,
885 u_int32_t *spi)
886 {
887 unsigned char request[PFKEY_BUFFER_SIZE];
888 struct sadb_msg *msg, *out;
889 struct sadb_sa *sa;
890 struct sadb_x_sa2 *sa2;
891 struct sadb_address *addr;
892 struct sadb_spirange *range;
893 pfkey_msg_t response;
894 u_int32_t received_spi = 0;
895 size_t len;
896
897 memset(&request, 0, sizeof(request));
898
899 msg = (struct sadb_msg*)request;
900 msg->sadb_msg_version = PF_KEY_V2;
901 msg->sadb_msg_type = SADB_GETSPI;
902 msg->sadb_msg_satype = proto_ike2satype(protocol);
903 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
904
905 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
906 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
907 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
908 sa2->sadb_x_sa2_reqid = reqid;
909 PFKEY_EXT_ADD(msg, sa2);
910
911 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
912 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
913 host2ext(src, addr);
914 PFKEY_EXT_ADD(msg, addr);
915
916 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
917 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
918 host2ext(dst, addr);
919 PFKEY_EXT_ADD(msg, addr);
920
921 range = (struct sadb_spirange*)PFKEY_EXT_ADD_NEXT(msg);
922 range->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
923 range->sadb_spirange_len = PFKEY_LEN(sizeof(struct sadb_spirange));
924 range->sadb_spirange_min = 0xc0000000;
925 range->sadb_spirange_max = 0xcFFFFFFF;
926 PFKEY_EXT_ADD(msg, range);
927
928 if (pfkey_send(this, msg, &out, &len) == SUCCESS)
929 {
930 if (out->sadb_msg_errno)
931 {
932 DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
933 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
934 }
935 else if (parse_pfkey_message(out, &response) == SUCCESS)
936 {
937 received_spi = response.sa->sadb_sa_spi;
938 }
939 free(out);
940 }
941
942 if (received_spi == 0)
943 {
944 return FAILED;
945 }
946
947 *spi = received_spi;
948 return SUCCESS;
949 }
950
951 /**
952 * Implementation of kernel_interface_t.get_cpi.
953 */
954 static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
955 host_t *src, host_t *dst,
956 u_int32_t reqid, u_int16_t *cpi)
957 {
958 return FAILED;
959 }
960
961 /**
962 * Implementation of kernel_interface_t.add_sa.
963 */
964 static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
965 host_t *src, host_t *dst, u_int32_t spi,
966 protocol_id_t protocol, u_int32_t reqid,
967 u_int64_t expire_soft, u_int64_t expire_hard,
968 u_int16_t enc_alg, chunk_t enc_key,
969 u_int16_t int_alg, chunk_t int_key,
970 ipsec_mode_t mode, u_int16_t ipcomp, bool encap,
971 bool replace)
972 {
973 unsigned char request[PFKEY_BUFFER_SIZE];
974 struct sadb_msg *msg, *out;
975 struct sadb_sa *sa;
976 struct sadb_x_sa2 *sa2;
977 struct sadb_address *addr;
978 struct sadb_lifetime *lft;
979 struct sadb_key *key;
980 size_t len;
981
982 memset(&request, 0, sizeof(request));
983
984 DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%d}", ntohl(spi), reqid);
985
986 msg = (struct sadb_msg*)request;
987 msg->sadb_msg_version = PF_KEY_V2;
988 msg->sadb_msg_type = replace ? SADB_UPDATE : SADB_ADD;
989 msg->sadb_msg_satype = proto_ike2satype(protocol);
990 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
991
992 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
993 sa->sadb_sa_exttype = SADB_EXT_SA;
994 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
995 sa->sadb_sa_spi = spi;
996 sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
997 sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
998 sa->sadb_sa_encrypt = lookup_algorithm(encryption_algs, enc_alg);
999 PFKEY_EXT_ADD(msg, sa);
1000
1001 sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
1002 sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1003 sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
1004 sa2->sadb_x_sa2_mode = mode2kernel(mode);
1005 sa2->sadb_x_sa2_reqid = reqid;
1006 PFKEY_EXT_ADD(msg, sa2);
1007
1008 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1009 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1010 host2ext(src, addr);
1011 PFKEY_EXT_ADD(msg, addr);
1012
1013 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1014 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1015 host2ext(dst, addr);
1016 PFKEY_EXT_ADD(msg, addr);
1017
1018 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1019 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1020 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1021 lft->sadb_lifetime_addtime = expire_soft;
1022 PFKEY_EXT_ADD(msg, lft);
1023
1024 lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
1025 lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1026 lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
1027 lft->sadb_lifetime_addtime = expire_hard;
1028 PFKEY_EXT_ADD(msg, lft);
1029
1030 if (enc_alg != ENCR_UNDEFINED)
1031 {
1032 if (!sa->sadb_sa_encrypt)
1033 {
1034 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1035 encryption_algorithm_names, enc_alg);
1036 return FAILED;
1037 }
1038 DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
1039 encryption_algorithm_names, enc_alg, enc_key.len * 8);
1040
1041 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1042 key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1043 key->sadb_key_bits = enc_key.len * 8;
1044 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + enc_key.len);
1045 memcpy(key + 1, enc_key.ptr, enc_key.len);
1046
1047 PFKEY_EXT_ADD(msg, key);
1048 }
1049
1050 if (int_alg != AUTH_UNDEFINED)
1051 {
1052 if (!sa->sadb_sa_auth)
1053 {
1054 DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
1055 integrity_algorithm_names, int_alg);
1056 return FAILED;
1057 }
1058 DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
1059 integrity_algorithm_names, int_alg, int_key.len * 8);
1060
1061 key = (struct sadb_key*)PFKEY_EXT_ADD_NEXT(msg);
1062 key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
1063 key->sadb_key_bits = int_key.len * 8;
1064 key->sadb_key_len = PFKEY_LEN(sizeof(struct sadb_key) + int_key.len);
1065 memcpy(key + 1, int_key.ptr, int_key.len);
1066
1067 PFKEY_EXT_ADD(msg, key);
1068 }
1069
1070 if (ipcomp != IPCOMP_NONE)
1071 {
1072 /*TODO*/
1073 }
1074
1075 if (encap)
1076 {
1077 add_encap_ext(msg, src, dst);
1078 }
1079
1080 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1081 {
1082 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi));
1083 return FAILED;
1084 }
1085 else if (out->sadb_msg_errno)
1086 {
1087 DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x: %s (%d)",
1088 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1089 free(out);
1090 return FAILED;
1091 }
1092
1093 free(out);
1094 return SUCCESS;
1095 }
1096
1097 /**
1098 * Implementation of kernel_interface_t.update_sa.
1099 */
1100 static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
1101 u_int32_t spi, protocol_id_t protocol,
1102 host_t *src, host_t *dst,
1103 host_t *new_src, host_t *new_dst, bool encap)
1104 {
1105 unsigned char request[PFKEY_BUFFER_SIZE];
1106 struct sadb_msg *msg, *out;
1107 struct sadb_sa *sa;
1108 struct sadb_address *addr;
1109 pfkey_msg_t response;
1110 size_t len;
1111
1112 memset(&request, 0, sizeof(request));
1113
1114 DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
1115
1116 msg = (struct sadb_msg*)request;
1117 msg->sadb_msg_version = PF_KEY_V2;
1118 msg->sadb_msg_type = SADB_GET;
1119 msg->sadb_msg_satype = proto_ike2satype(protocol);
1120 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1121
1122 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1123 sa->sadb_sa_exttype = SADB_EXT_SA;
1124 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1125 sa->sadb_sa_spi = spi;
1126 PFKEY_EXT_ADD(msg, sa);
1127
1128 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1129 * it is not used for anything, so we just send dst twice */
1130 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1131 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1132 host2ext(dst, addr);
1133 PFKEY_EXT_ADD(msg, addr);
1134
1135 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1136 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1137 host2ext(dst, addr);
1138 PFKEY_EXT_ADD(msg, addr);
1139
1140 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1141 {
1142 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x",
1143 ntohl(spi));
1144 return FAILED;
1145 }
1146 else if (out->sadb_msg_errno)
1147 {
1148 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
1149 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1150 free(out);
1151 return FAILED;
1152 }
1153 else if (parse_pfkey_message(out, &response) != SUCCESS)
1154 {
1155 DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: parsing response "
1156 "from kernel failed", ntohl(spi));
1157 free(out);
1158 return FAILED;
1159 }
1160
1161 /* delete the old SA */
1162 if (this->public.interface.del_sa(&this->public.interface, dst, spi, protocol) != SUCCESS)
1163 {
1164 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
1165 free(out);
1166 return FAILED;
1167 }
1168
1169 DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
1170 ntohl(spi), src, dst, new_src, new_dst);
1171
1172 memset(&request, 0, sizeof(request));
1173
1174 msg = (struct sadb_msg*)request;
1175 msg->sadb_msg_version = PF_KEY_V2;
1176 msg->sadb_msg_type = SADB_ADD;
1177 msg->sadb_msg_satype = proto_ike2satype(protocol);
1178 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1179
1180 PFKEY_EXT_COPY(msg, response.sa);
1181 PFKEY_EXT_COPY(msg, response.x_sa2);
1182
1183 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1184 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1185 host2ext(new_src, addr);
1186 PFKEY_EXT_ADD(msg, addr);
1187
1188 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1189 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1190 host2ext(new_dst, addr);
1191 PFKEY_EXT_ADD(msg, addr);
1192
1193 PFKEY_EXT_COPY(msg, response.lft_soft);
1194 PFKEY_EXT_COPY(msg, response.lft_hard);
1195
1196 if (response.key_encr)
1197 {
1198 PFKEY_EXT_COPY(msg, response.key_encr);
1199 }
1200
1201 if (response.key_auth)
1202 {
1203 PFKEY_EXT_COPY(msg, response.key_auth);
1204 }
1205
1206 if (encap)
1207 {
1208 add_encap_ext(msg, new_src, new_dst);
1209 }
1210
1211 free(out);
1212
1213 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1214 {
1215 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi));
1216 return FAILED;
1217 }
1218 else if (out->sadb_msg_errno)
1219 {
1220 DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x: %s (%d)",
1221 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1222 free(out);
1223 return FAILED;
1224 }
1225 free(out);
1226
1227 return SUCCESS;
1228 }
1229
1230 /**
1231 * Implementation of kernel_interface_t.del_sa.
1232 */
1233 static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
1234 u_int32_t spi, protocol_id_t protocol)
1235 {
1236 unsigned char request[PFKEY_BUFFER_SIZE];
1237 struct sadb_msg *msg, *out;
1238 struct sadb_sa *sa;
1239 struct sadb_address *addr;
1240 size_t len;
1241
1242 memset(&request, 0, sizeof(request));
1243
1244 DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi));
1245
1246 msg = (struct sadb_msg*)request;
1247 msg->sadb_msg_version = PF_KEY_V2;
1248 msg->sadb_msg_type = SADB_DELETE;
1249 msg->sadb_msg_satype = proto_ike2satype(protocol);
1250 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1251
1252 sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
1253 sa->sadb_sa_exttype = SADB_EXT_SA;
1254 sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
1255 sa->sadb_sa_spi = spi;
1256 PFKEY_EXT_ADD(msg, sa);
1257
1258 /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
1259 * it is not used for anything, so we just send dst twice */
1260 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1261 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1262 host2ext(dst, addr);
1263 PFKEY_EXT_ADD(msg, addr);
1264
1265 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1266 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1267 host2ext(dst, addr);
1268 PFKEY_EXT_ADD(msg, addr);
1269
1270 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1271 {
1272 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi));
1273 return FAILED;
1274 }
1275 else if (out->sadb_msg_errno)
1276 {
1277 DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x: %s (%d)",
1278 ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1279 free(out);
1280 return FAILED;
1281 }
1282
1283 DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi));
1284 free(out);
1285 return SUCCESS;
1286 }
1287
1288 /**
1289 * Implementation of kernel_interface_t.add_policy.
1290 */
1291 static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
1292 host_t *src, host_t *dst,
1293 traffic_selector_t *src_ts,
1294 traffic_selector_t *dst_ts,
1295 policy_dir_t direction, protocol_id_t protocol,
1296 u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
1297 u_int16_t ipcomp)
1298 {
1299 unsigned char request[PFKEY_BUFFER_SIZE];
1300 struct sadb_msg *msg, *out;
1301 struct sadb_x_policy *pol;
1302 struct sadb_address *addr;
1303 struct sadb_x_ipsecrequest *req;
1304 policy_entry_t *policy, *found = NULL;
1305 pfkey_msg_t response;
1306 size_t len;
1307
1308 /* create a policy */
1309 policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
1310
1311 /* find a matching policy */
1312 pthread_mutex_lock(&this->mutex);
1313 if (this->policies->find_first(this->policies,
1314 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1315 {
1316 /* use existing policy */
1317 found->refcount++;
1318 DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
1319 "refcount", src_ts, dst_ts,
1320 policy_dir_names, direction);
1321 policy_entry_destroy(policy);
1322 policy = found;
1323 }
1324 else
1325 {
1326 /* apply the new one, if we have no such policy */
1327 this->policies->insert_last(this->policies, policy);
1328 policy->refcount = 1;
1329 }
1330
1331 memset(&request, 0, sizeof(request));
1332
1333 DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
1334 policy_dir_names, direction);
1335
1336 msg = (struct sadb_msg*)request;
1337 msg->sadb_msg_version = PF_KEY_V2;
1338 msg->sadb_msg_type = found ? SADB_X_SPDUPDATE : SADB_X_SPDADD;
1339 msg->sadb_msg_satype = 0;
1340 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1341
1342 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1343 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1344 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1345 pol->sadb_x_policy_id = 0;
1346 pol->sadb_x_policy_dir = dir2kernel(direction);
1347 /* calculate priority based on source selector size, small size = high prio */
1348 pol->sadb_x_policy_priority = high_prio ? PRIO_HIGH : PRIO_LOW;
1349 pol->sadb_x_policy_priority -= policy->src.mask * 10;
1350 pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
1351 pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
1352 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1353
1354 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
1355 req = (struct sadb_x_ipsecrequest*)(pol + 1);
1356 req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
1357 /* !!! the length of this struct MUST be in octets instead of 64 bit words */
1358 req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
1359 req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
1360 req->sadb_x_ipsecrequest_reqid = reqid;
1361 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
1362 if (mode == MODE_TUNNEL)
1363 {
1364 sockaddr_t *sa;
1365 socklen_t sl;
1366 sa = src->get_sockaddr(src);
1367 sl = *src->get_sockaddr_len(src);
1368 memcpy(req + 1, sa, sl);
1369 sa = dst->get_sockaddr(dst);
1370 memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
1371 req->sadb_x_ipsecrequest_len += sl * 2;
1372 }
1373
1374 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
1375 PFKEY_EXT_ADD(msg, pol);
1376
1377 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1378 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1379 addr->sadb_address_proto = policy->src.proto;
1380 addr->sadb_address_prefixlen = policy->src.mask;
1381 host2ext(policy->src.net, addr);
1382 PFKEY_EXT_ADD(msg, addr);
1383
1384 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1385 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1386 addr->sadb_address_proto = policy->dst.proto;
1387 addr->sadb_address_prefixlen = policy->dst.mask;
1388 host2ext(policy->dst.net, addr);
1389 PFKEY_EXT_ADD(msg, addr);
1390
1391 pthread_mutex_unlock(&this->mutex);
1392
1393 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1394 {
1395 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
1396 policy_dir_names, direction);
1397 return FAILED;
1398 }
1399 else if (out->sadb_msg_errno)
1400 {
1401 DBG1(DBG_KNL, "unable to add policy %R === %R %N: %s (%d)", src_ts, dst_ts,
1402 policy_dir_names, direction,
1403 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1404 free(out);
1405 return FAILED;
1406 }
1407 else if (parse_pfkey_message(out, &response) != SUCCESS)
1408 {
1409 DBG1(DBG_KNL, "unable to add policy %R === %R %N: parsing response "
1410 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1411 free(out);
1412 return FAILED;
1413 }
1414
1415 pthread_mutex_lock(&this->mutex);
1416
1417 /* we try to find the policy again and update the kernel index */
1418 if (this->policies->find_last(this->policies, NULL, (void**)&policy) != SUCCESS)
1419 {
1420 DBG2(DBG_KNL, "unable to update index, the policy %R === %R %N is "
1421 "already gone, ignoring", src_ts, dst_ts, policy_dir_names, direction);
1422 pthread_mutex_unlock(&this->mutex);
1423 free(out);
1424 return SUCCESS;
1425 }
1426 policy->index = response.x_policy->sadb_x_policy_id;
1427 free(out);
1428
1429 /* install a route, if:
1430 * - we are NOT updating a policy
1431 * - this is a forward policy (to just get one for each child)
1432 * - we are in tunnel mode
1433 * - we are not using IPv6 (does not work correctly yet!)
1434 * - routing is not disabled via strongswan.conf
1435 */
1436 if (policy->route == NULL && direction == POLICY_FWD &&
1437 mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
1438 this->install_routes)
1439 {
1440 route_entry_t *route = malloc_thing(route_entry_t);
1441
1442 if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
1443 dst_ts, &route->src_ip) == SUCCESS)
1444 {
1445 /* get the nexthop to src (src as we are in POLICY_FWD).*/
1446 route->gateway = charon->kernel_interface->get_nexthop(
1447 charon->kernel_interface, src);
1448 route->if_name = charon->kernel_interface->get_interface(
1449 charon->kernel_interface, dst);
1450 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
1451 route->prefixlen = policy->src.mask;
1452
1453 switch (charon->kernel_interface->add_route(charon->kernel_interface,
1454 route->dst_net, route->prefixlen, route->gateway,
1455 route->src_ip, route->if_name))
1456 {
1457 default:
1458 DBG1(DBG_KNL, "unable to install source route for %H",
1459 route->src_ip);
1460 /* FALL */
1461 case ALREADY_DONE:
1462 /* route exists, do not uninstall */
1463 route_entry_destroy(route);
1464 break;
1465 case SUCCESS:
1466 /* cache the installed route */
1467 policy->route = route;
1468 break;
1469 }
1470 }
1471 else
1472 {
1473 free(route);
1474 }
1475 }
1476
1477 pthread_mutex_unlock(&this->mutex);
1478
1479 return SUCCESS;
1480 }
1481
1482 /**
1483 * Implementation of kernel_interface_t.query_policy.
1484 */
1485 static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
1486 traffic_selector_t *src_ts,
1487 traffic_selector_t *dst_ts,
1488 policy_dir_t direction, u_int32_t *use_time)
1489 {
1490 unsigned char request[PFKEY_BUFFER_SIZE];
1491 struct sadb_msg *msg, *out;
1492 struct sadb_x_policy *pol;
1493 struct sadb_address *addr;
1494 policy_entry_t *policy, *found = NULL;
1495 pfkey_msg_t response;
1496 size_t len;
1497
1498 DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
1499 policy_dir_names, direction);
1500
1501 /* create a policy */
1502 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1503
1504 /* find a matching policy */
1505 pthread_mutex_lock(&this->mutex);
1506 if (this->policies->find_first(this->policies,
1507 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) != SUCCESS)
1508 {
1509 DBG1(DBG_KNL, "querying policy %R === %R %N failed, not found", src_ts,
1510 dst_ts, policy_dir_names, direction);
1511 policy_entry_destroy(policy);
1512 pthread_mutex_unlock(&this->mutex);
1513 return NOT_FOUND;
1514 }
1515 policy_entry_destroy(policy);
1516 policy = found;
1517
1518 memset(&request, 0, sizeof(request));
1519
1520 msg = (struct sadb_msg*)request;
1521 msg->sadb_msg_version = PF_KEY_V2;
1522 msg->sadb_msg_type = SADB_X_SPDGET;
1523 msg->sadb_msg_satype = 0;
1524 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1525
1526 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1527 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1528 pol->sadb_x_policy_id = policy->index;
1529 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1530 pol->sadb_x_policy_dir = dir2kernel(direction);
1531 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1532 PFKEY_EXT_ADD(msg, pol);
1533
1534 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1535 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1536 addr->sadb_address_proto = policy->src.proto;
1537 addr->sadb_address_prefixlen = policy->src.mask;
1538 host2ext(policy->src.net, addr);
1539 PFKEY_EXT_ADD(msg, addr);
1540
1541 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1542 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1543 addr->sadb_address_proto = policy->dst.proto;
1544 addr->sadb_address_prefixlen = policy->dst.mask;
1545 host2ext(policy->dst.net, addr);
1546 PFKEY_EXT_ADD(msg, addr);
1547
1548 pthread_mutex_unlock(&this->mutex);
1549
1550 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1551 {
1552 DBG1(DBG_KNL, "unable to query policy %R === %R %N", src_ts, dst_ts,
1553 policy_dir_names, direction);
1554 return FAILED;
1555 }
1556 else if (out->sadb_msg_errno)
1557 {
1558 DBG1(DBG_KNL, "unable to query policy %R === %R %N: %s (%d)", src_ts,
1559 dst_ts, policy_dir_names, direction,
1560 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1561 free(out);
1562 return FAILED;
1563 }
1564 else if (parse_pfkey_message(out, &response) != SUCCESS)
1565 {
1566 DBG1(DBG_KNL, "unable to query policy %R === %R %N: parsing response "
1567 "from kernel failed", src_ts, dst_ts, policy_dir_names, direction);
1568 free(out);
1569 return FAILED;
1570 }
1571
1572 *use_time = response.lft_current->sadb_lifetime_usetime;
1573
1574 free(out);
1575
1576 return SUCCESS;
1577 }
1578
1579 /**
1580 * Implementation of kernel_interface_t.del_policy.
1581 */
1582 static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
1583 traffic_selector_t *src_ts,
1584 traffic_selector_t *dst_ts,
1585 policy_dir_t direction)
1586 {
1587 unsigned char request[PFKEY_BUFFER_SIZE];
1588 struct sadb_msg *msg, *out;
1589 struct sadb_x_policy *pol;
1590 struct sadb_address *addr;
1591 policy_entry_t *policy, *found = NULL;
1592 route_entry_t *route;
1593 size_t len;
1594
1595 DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
1596 policy_dir_names, direction);
1597
1598 /* create a policy */
1599 policy = create_policy_entry(src_ts, dst_ts, direction, 0);
1600
1601 /* find a matching policy */
1602 pthread_mutex_lock(&this->mutex);
1603 if (this->policies->find_first(this->policies,
1604 (linked_list_match_t)policy_entry_equals, (void**)&found, policy) == SUCCESS)
1605 {
1606 if (--found->refcount > 0)
1607 {
1608 /* is used by more SAs, keep in kernel */
1609 DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
1610 policy_entry_destroy(policy);
1611 pthread_mutex_unlock(&this->mutex);
1612 return SUCCESS;
1613 }
1614 /* remove if last reference */
1615 this->policies->remove(this->policies, found, NULL);
1616 policy_entry_destroy(policy);
1617 policy = found;
1618 }
1619 else
1620 {
1621 DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
1622 dst_ts, policy_dir_names, direction);
1623 policy_entry_destroy(policy);
1624 pthread_mutex_unlock(&this->mutex);
1625 return NOT_FOUND;
1626 }
1627 pthread_mutex_unlock(&this->mutex);
1628
1629 memset(&request, 0, sizeof(request));
1630
1631 msg = (struct sadb_msg*)request;
1632 msg->sadb_msg_version = PF_KEY_V2;
1633 msg->sadb_msg_type = SADB_X_SPDDELETE;
1634 msg->sadb_msg_satype = 0;
1635 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1636
1637 pol = (struct sadb_x_policy*)PFKEY_EXT_ADD_NEXT(msg);
1638 pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
1639 pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
1640 pol->sadb_x_policy_dir = dir2kernel(direction);
1641 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
1642 PFKEY_EXT_ADD(msg, pol);
1643
1644 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1645 addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1646 addr->sadb_address_proto = policy->src.proto;
1647 addr->sadb_address_prefixlen = policy->src.mask;
1648 host2ext(policy->src.net, addr);
1649 PFKEY_EXT_ADD(msg, addr);
1650
1651 addr = (struct sadb_address*)PFKEY_EXT_ADD_NEXT(msg);
1652 addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1653 addr->sadb_address_proto = policy->dst.proto;
1654 addr->sadb_address_prefixlen = policy->dst.mask;
1655 host2ext(policy->dst.net, addr);
1656 PFKEY_EXT_ADD(msg, addr);
1657
1658 route = policy->route;
1659 policy->route = NULL;
1660 policy_entry_destroy(policy);
1661
1662 if (pfkey_send(this, msg, &out, &len) != SUCCESS)
1663 {
1664 DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
1665 policy_dir_names, direction);
1666 return FAILED;
1667 }
1668 else if (out->sadb_msg_errno)
1669 {
1670 DBG1(DBG_KNL, "unable to delete policy %R === %R %N: %s (%d)", src_ts,
1671 dst_ts, policy_dir_names, direction,
1672 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1673 free(out);
1674 return FAILED;
1675 }
1676 free(out);
1677
1678 if (route)
1679 {
1680 if (charon->kernel_interface->del_route(charon->kernel_interface,
1681 route->dst_net, route->prefixlen, route->gateway,
1682 route->src_ip, route->if_name) != SUCCESS)
1683 {
1684 DBG1(DBG_KNL, "error uninstalling route installed with "
1685 "policy %R === %R %N", src_ts, dst_ts,
1686 policy_dir_names, direction);
1687 }
1688 route_entry_destroy(route);
1689 }
1690
1691 return SUCCESS;
1692 }
1693
1694 /**
1695 * Register a socket for AQUIRE/EXPIRE messages
1696 */
1697 static status_t register_pfkey_socket(private_kernel_pfkey_ipsec_t *this, u_int8_t satype)
1698 {
1699 unsigned char request[PFKEY_BUFFER_SIZE];
1700 struct sadb_msg *msg, *out;
1701 struct sadb_x_policy *pol;
1702 struct sadb_address *addr;
1703 policy_entry_t *policy, *found = NULL;
1704 pfkey_msg_t response;
1705 size_t len;
1706
1707 memset(&request, 0, sizeof(request));
1708
1709 msg = (struct sadb_msg*)request;
1710 msg->sadb_msg_version = PF_KEY_V2;
1711 msg->sadb_msg_type = SADB_REGISTER;
1712 msg->sadb_msg_satype = satype;
1713 msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
1714
1715 if (pfkey_send_socket(this, this->socket_events, msg, &out, &len) != SUCCESS)
1716 {
1717 DBG1(DBG_KNL, "unable to register PF_KEY socket");
1718 return FAILED;
1719 }
1720 else if (out->sadb_msg_errno)
1721 {
1722 DBG1(DBG_KNL, "unable to register PF_KEY socket: %s (%d)",
1723 strerror(out->sadb_msg_errno), out->sadb_msg_errno);
1724 free(out);
1725 return FAILED;
1726 }
1727 free(out);
1728 return SUCCESS;
1729 }
1730
1731 /**
1732 * Implementation of kernel_interface_t.destroy.
1733 */
1734 static void destroy(private_kernel_pfkey_ipsec_t *this)
1735 {
1736 this->job->cancel(this->job);
1737 close(this->socket);
1738 close(this->socket_events);
1739 this->policies->destroy_function(this->policies, (void*)policy_entry_destroy);
1740 free(this);
1741 }
1742
1743 /*
1744 * Described in header.
1745 */
1746 kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
1747 {
1748 private_kernel_pfkey_ipsec_t *this = malloc_thing(private_kernel_pfkey_ipsec_t);
1749
1750 /* public functions */
1751 this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
1752 this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
1753 this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,bool,bool))add_sa;
1754 this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
1755 this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
1756 this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,ipsec_mode_t,u_int16_t))add_policy;
1757 this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
1758 this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
1759
1760 this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
1761
1762 /* private members */
1763 this->policies = linked_list_create();
1764 pthread_mutex_init(&this->mutex, NULL);
1765 this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE);
1766 pthread_mutex_init(&this->mutex_pfkey, NULL);
1767 this->seq = 0;
1768
1769 /* create a PF_KEY socket to communicate with the kernel */
1770 this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1771 if (this->socket <= 0)
1772 {
1773 charon->kill(charon, "unable to create PF_KEY socket");
1774 }
1775
1776 /* create a PF_KEY socket for ACQUIRE & EXPIRE */
1777 this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
1778 if (this->socket_events <= 0)
1779 {
1780 charon->kill(charon, "unable to create PF_KEY event socket");
1781 }
1782
1783 /* register the event socket */
1784 if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
1785 register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
1786 {
1787 charon->kill(charon, "unable to register PF_KEY event socket");
1788 }
1789
1790 this->job = callback_job_create((callback_job_cb_t)receive_events,
1791 this, NULL, NULL);
1792 charon->processor->queue_job(charon->processor, (job_t*)this->job);
1793
1794 return &this->public;
1795 }